Screen Version

School of Computer Science & Engineering
University of New South Wales
 Advanced Operating Systems 
 COMP9242 2002/S2 

Discretionary Access Control in Mungi

• Threads execute inside a protection domain (PD)
• A protection domain is defined as a set of capabilities
• Capabilities and protection domains are user-level objects
• Thread may or may not have control over its PD
  • supports user-controlled confinement

Main Mungi abstractions:

• Unit of protection is the memory object
  • contiguous page range
  • associated with a set of password capabilities

• Unit of execution is the thread
  • kernel-scheduled
  • execute in an active protection domain (APD)
  • associated with a (user-level) TCB object (UTCB)
  • thread control is via access to UTCB

• An APD consists of (caps for) an array of Clists
  • A Clist is an object consisting of an array of caps
  • APD itself is in kernel space

• Caps confer sets of rights, combination of:
  • read, write, execute, delete, enquire, PDX

Access validation:

Note: All capability presentation is implicit

Threads and protection domains

• A thread can be started in an existing APD or a new one
• New APD is instantiated from a template
  • called the protection domain object (PDO)
  • system-defined structure
  • consists of an array of clist capabilities,
  • access restricted to trusted management code
  • PDO creation requires special privileges

• Thread can also change APD temporarily
  • called protection-domain extension, PDX
  • requires PDX cap
  • serves as protected-procedure call mechanism