CSE221 - lec03: Protection: HYDRA & Protection

03 - Protection: HYDRA & Protection

HYDRA: The Kernel of a Multi-processor Operating System

Design Philosophy

• design for multi-processor

• separation of mechanism and policy (mechanism is how to do, policy is what to do) (important point)

• rejection of hierarchical structure (important point)

• reliability

• protection (important point)

Goals

• decompose the OS to subsystems
• protection between subsystems
• allow user-defined subsystems

Key Terms

• protection domain: execution mode or context (e.g. kernel v.s. user in Linux)

• protected control transfer: the process of tranfering control to a different protection domain (e.g. system call)

• right augmentation: an expansion of rights after tranfering to a different protection domain, which will end after this control is transferred back.

Key Abstractions in HYDRA Protection Mechanism

• Object: an abstraction of resources

• Capability: a reference to an object with access right bits

• Procedure: an abstraction of operations

Summary & take-away

• capability-based protection mechanism

• Neclues-based OS: provide primitives for building OS

Protection

Goal

• provide an abstract model for protection mechanism

• unify discussion of protection concept

Abstraction Model

• resources to be protected: such as file, memory, cpu …

• execution context (such as user/kernel in UNIX, LNS in HYDRA)

• things that are allowed to do with the resources

• access rights

• a matrix that specifies the access right to an object in a domain

Summary & take-away

• a unified model of protection
• object, domain, attributes, access matrix
• capability list, access control list (which will show again in Multics paper)