Advanced Operating Systems   COMP9242 2002/S2

UNSW

Printer-Friendly Version Administration                - Notices - Course Intro - Consultations # On-line Survey (closed) - Survey Results   Work - Lectures - Milestone 0 - Project Admin - Project Spec - Project FAQ - Exam   Documentation - ASysT Lab - L4 source browser - Sulima ISA Simulator - R4x00 ISA Summary  - MIPS R4700 Reference - MIPS R4000 User Manual  - Network Driver - GT64111   Related Info - Aurema OS Prize - OS Hall of Fame   History - 2000 - 1999 - 1998   Staff - Gernot Heiser (LiC)

Discretionary Access Control in Mungi Threads execute inside a protection domain (PD) A protection domain is defined as a set of capabilities Capabilities and protection domains are user-level objects Thread may or may not have control over its PD supports user-controlled confinement Main Mungi abstractions: Unit of protection is the memory object contiguous page range associated with a set of password capabilities Unit of execution is the thread kernel-scheduled execute in an active protection domain (APD) associated with a (user-level) TCB object (UTCB) thread control is via access to UTCB An APD consists of (caps for) an array of Clists A Clist is an object consisting of an array of caps APD itself is in kernel space Caps confer sets of rights, combination of: read, write, execute, delete, enquire, PDX Access validation: Note: All capability presentation is implicit Threads and protection domains A thread can be started in an existing APD or a new one New APD is instantiated from a template called the protection domain object (PDO) system-defined structure consists of an array of clist capabilities, access restricted to trusted management code PDO creation requires special privileges Thread can also change APD temporarily called protection-domain extension, PDX requires PDX cap serves as protected-procedure call mechanism