CSE221 - lec04: Protection: Multics & Singularity

date
Oct 17, 2024
slug
cse221-lec04
status
Published
tags
System
summary
type
Post

04 - Protection: Multics & Singularity

Protection and the Control of Information Sharing in Multics

Goals

  • an unified protection model
  • file system based + runtime protection

Principles

  • check every access (be careful with caching, since rights may change overtime)
  • least privilege principle
  • permission-based rather than exclusion-based rules (default should be rejection)
  • usability (so user are willing to use the protection mechanism instead of bypassing it)

Multics Virtual Memory

Instead of using paged virtual memory, multics uses a segmented virtual memory model.
the virtual address space is divided into several segments, associated with which a segment descriptor.
below is a pic. showing how segmented virtual memory works.
notion image

Protection in Multics

An important question is how to make protection mechanism efficient, so as not to harm normal program execution.
  • Login: establish principal identifier(user id)
  • File System:
    • access control list is associated with each file, which is static.
    • derive capability list at runtime from access control list, which is fast for checking at runtime. (an example of capability list is file descriptor in unix.)
notion image

Memory Protection

Memory protection is based on descriptor, which is shown in pic. below.
notion image

Protected Subsystem

  • Gates: entry point of subsystem
  • Ring: privilege level, execution domain

Summary & take-away

  • Protection in file system based on ACL
  • Protection of memory based on capability list.

Singularity: Rethinking the Software Stack

Goals

  • build dependable, trustworthy software
  • consider security & vulnerability problems

Approach

  • leverage language features (e.g. bound checking, garbage collection …)
  • leverage program verification tools
to ensure (as possible) the program correctness.

Design

  • Software Isolated Process:
  • Contract-based Channel:
  • Manifest-based Program:
below is an overview pic. of singularity system
notion image

Summary & take-away

  • Software based isolation via PL & verification

© Lifan Sun 2023 - 2024