Protection

Q: What are the concepts in HYDRA that correspond to Lampson's definitions of "Domain", "Object", and "Access Matrix"? What about Multics?

3 Parts

Domains

Power of rights, e.g., "LNS" in Hydra.

A user domain is a set of access rights to a certain set of objects. One domain asks another domain for permissions.

Some examples

  • Two-context system with supervisor + user
  • OS/360 with 15 user contexts
  • Multi-access system with as many protection contexts as there are users

A message system = Processes (Domains) + Message passing

Each process is a separate domain. Protection is done by the callee checking the identity of the caller, and the caller checking the return.

The identification is supplied by the system, which cannot be forged.

Some deficiencies

  1. Impossible to retain control over a runaway process.
  2. Processes must agree on the interpretation of messages.

Objects

Anything; it depends on the system.

  • "Object" in Hydra
  • "Segment" in Multics
  • "File" in Unix

Access Matrix

Systematic way of controlling access to objects.

The access domain has exclusive access to its own objects and none to any others.

+-------+-----------------------------+
|       |   OBJECTS                   |
|       |                             |
+-------------------------------------+
|DOMAIN |                             |
|       |                             |
|       |                             |
|       |                             |
|       |              +-+ +-+ +-+    |
|       |       ACCESS +-+ +-+ +-+    |
|       |                             |
|       |                             |
|       |                             |
|       |                             |
|       |                             |
+-------+-----------------------------+

The implementation of the "Access Matrix" in Multics is still prevalent today.

2 Rights

  • Control -> Domain
  • Owner -> Objects

In debugging, the compiler has full control over the program being debugged.

Copy rights - If I give you read access to a file, can you give that right to another domain?

Implementation

The access matrix is sparse, so it is not practical to store the entire matrix.

Two approaches, plus a hybrid

  1. Capability method - Attach the d'th row of access matrix A to domain d. A domain is defined by its capability list (C-list).
  2. Access Control List method - Attach the protection information to the object rather than the domain. Easier to revoke access. Likely to be more expensive.
  3. A hybrid version - An object is accessed by presenting an access key to obtain a capability, which is then used for subsequent accesses. Applied to files, this process is open a file -> file descriptor.
                        +--------------------+
                        |                    |
                        |       Object       |
                        |                    |
                        +-------+------+-----+
                                ^      ^
  +----+                +-------+------+-----+
  |    |                |                    |
  |    +-----------+    |  Procedure Ax(d)   |
  |    +-----------+    |                    |
  +----+                |                    |
                        +--------------------+
Access Key

This shows how protection is attached to each object. An access control procedure A_x(d) is provided for each object by the owner of the object. The procedure gets the domain's name as its argument, and this name cannot be forged.

Capabilities can be used as identification. We will call a capability used for identification an access key.
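As an added example (not from the notes or from Lampson's paper), the sparse access matrix stored both ways discussed above, as per-domain C-lists and per-object ACLs, with the copy right governing transfer and the hybrid access-key step that turns one check into a reusable capability (a "descriptor"). Domain and object names are constructed for the demonstration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Capability:
    obj: str
    rights: frozenset  # e.g. {"read", "copy"}

class ProtectionSystem:
    def __init__(self):
        self.clists = {}   # domain -> [Capability]: row d of the access matrix
        self.acls = {}     # object -> {domain: rights}: one column of the matrix
        self.opened = {}   # (domain, handle) -> Capability: the hybrid step

    def grant(self, domain, obj, rights):
        # The same matrix entry is recorded in both representations.
        rights = frozenset(rights)
        self.clists.setdefault(domain, []).append(Capability(obj, rights))
        col = self.acls.setdefault(obj, {})
        col[domain] = col.get(domain, frozenset()) | rights

    def check_via_clist(self, domain, obj, right):
        return any(c.obj == obj and right in c.rights for c in self.clists.get(domain, []))

    def check_via_acl(self, domain, obj, right):
        # A_x(d): the object's own check, keyed by the (unforgeable) domain name.
        return right in self.acls.get(obj, {}).get(domain, frozenset())

    def transfer(self, giver, receiver, obj, right):
        # Copy right: a domain may pass a right on only if it holds "copy" for obj.
        if not (self.check_via_acl(giver, obj, "copy") and self.check_via_acl(giver, obj, right)):
            return False
        self.grant(receiver, obj, [right])
        return True

    def revoke_acl(self, obj, domain):
        # ACL revocation touches one entry on the object; capabilities already
        # handed out by open() are not found this way, which is the usual caveat.
        self.acls.get(obj, {}).pop(domain, None)

    def open(self, domain, obj, right):
        # Hybrid: the access key is checked once; a capability is returned as a handle.
        if not self.check_via_acl(domain, obj, right):
            return None
        handle = len(self.opened)
        self.opened[(domain, handle)] = Capability(obj, frozenset([right]))
        return handle

    def use(self, domain, handle, right):
        cap = self.opened.get((domain, handle))
        return cap is not None and right in cap.rights
```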