School of Computer Science & Engineering
University of New South Wales
Advanced Operating Systems
COMP9242 2002/S2
Next: Protected Procedure Calls   Up: 12-mungi   Previous: Mungi Security
Subsections
  - Main Mungi abstractions
  - Access validation
  - Threads and protection domains
Discretionary Access Control in Mungi
- Threads execute inside a protection domain (PD)
- A protection domain is defined as a set of capabilities
- Capabilities and protection domains are user-level objects
- A thread may or may not have control over its PD
  - supports user-controlled confinement
Main Mungi abstractions:
- Unit of protection is the memory object
  - contiguous page range
  - associated with a set of password capabilities
- Unit of execution is the thread
  - kernel-scheduled
  - executes in an active protection domain (APD)
  - associated with a (user-level) TCB object (UTCB)
    - thread control is via access to the UTCB
- An APD consists of (caps for) an array of Clists
  - A Clist is an object consisting of an array of caps
  - The APD itself is in kernel space
- Caps confer sets of rights, a combination of: read, write, execute, delete, enquire, PDX
Access validation:
- Note: all capability presentation is implicit
Threads and protection domains
- A thread can be started in an existing APD or a new one
- A new APD is instantiated from a template called the protection domain object (PDO)
  - system-defined structure
  - consists of an array of Clist capabilities; access restricted to trusted management code
  - PDO creation requires special privileges
- A thread can also change its APD temporarily
  - called protection-domain extension, PDX
  - requires a PDX cap
  - serves as the protected-procedure call mechanism
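The following is an added example, not code from the lecture notes or from Mungi itself: a small C model of the validation path described above (implicit presentation, the kernel searching the APD's Clists for a password cap that confers the requested rights, and a PDX switch into another domain). The rights encoding, struct names, sample passwords and object numbers are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Rights bits for the six rights on the slide; names and encoding are assumptions. */
enum { R_READ = 1, R_WRITE = 2, R_EXEC = 4, R_DELETE = 8, R_ENQUIRE = 16, R_PDX = 32 };
typedef struct { uint32_t obj; uint64_t password; } cap_t;      /* password capability */
typedef struct { cap_t caps[4]; size_t n; } clist_t;             /* Clist: array of caps */
typedef struct { const clist_t *clists[2]; size_t n; } apd_t;    /* APD: array of Clists */
typedef struct { uint64_t password; int rights; } objcap_t;      /* valid password -> rights */
typedef struct { uint32_t id; objcap_t valid[3]; size_t n; } object_t;  /* memory object */
typedef struct { const apd_t *apd; } thread_t;
/* Implicit presentation: the caller names only the object and the rights it wants; the kernel searches every Clist of the APD. */
bool validate(const apd_t *apd, const object_t *obj, int wanted)
{
    for (size_t i = 0; i < apd->n; i++)
        for (size_t j = 0; j < apd->clists[i]->n; j++) {
            const cap_t *c = &apd->clists[i]->caps[j];
            if (c->obj != obj->id) continue;
            for (size_t k = 0; k < obj->n; k++)              /* password must match exactly */
                if (obj->valid[k].password == c->password &&
                    (obj->valid[k].rights & wanted) == wanted)
                    return true;
        }
    return false;                                             /* no Clist holds a sufficient cap */
}
/* PDX: switch into another domain only with a PDX cap on its PDO; returns the old APD so the caller can restore it. */
const apd_t *pdx_enter(thread_t *t, const object_t *pdo, const apd_t *pdo_apd)
{
    if (!validate(t->apd, pdo, R_PDX)) return NULL;          /* denied: APD unchanged */
    const apd_t *saved = t->apd;
    t->apd = pdo_apd;
    return saved;
}
/* Constructed sample: object 7 has a read-only and a read/write password; object 9 is a PDO whose password confers only PDX. */
static const object_t g_obj = { 7, { {0x1111, R_READ}, {0x2222, R_READ | R_WRITE} }, 2 };
static const object_t g_pdo = { 9, { {0x3333, R_PDX} }, 1 };
static const clist_t g_user_cl0 = { { {9, 0x3333} }, 1 }, g_user_cl1 = { { {7, 0x1111} }, 1 };
static const clist_t g_forged_cl = { { {7, 0x9999} }, 1 };    /* guessed password */
static const clist_t g_srv_cl = { { {7, 0x2222} }, 1 };        /* server domain: r/w cap */
static const apd_t g_user_apd = { { &g_user_cl0, &g_user_cl1 }, 2 };  /* read cap in 2nd Clist */
static const apd_t g_forged_apd = { { &g_forged_cl }, 1 }, g_srv_apd = { { &g_srv_cl }, 1 };
bool user_can(int rights)   { return validate(&g_user_apd, &g_obj, rights); }
bool forger_can(int rights) { return validate(&g_forged_apd, &g_obj, rights); }
/* The user thread enters the server domain via PDX and can write object 7 only there. */
bool write_via_pdx(void)
{
    thread_t t = { &g_user_apd };
    const apd_t *saved = pdx_enter(&t, &g_pdo, &g_srv_apd);   /* NULL if no PDX cap */
    return saved != NULL && validate(t.apd, &g_obj, R_WRITE); /* caller restores t.apd */
}
```

The forged cap fails because validation compares the password against the object's own list, so holding an object number without a valid password confers nothing.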
Gernot Heiser 2002-10-24