Protection domain: a set of access rights. For example, a user could be an protection domain. In which case all the resources the user can access represent his domain, and changing domains measn logging off and then logging in as a new user. A process could be a domain, in which case we associate with each process a set of access rights. Changing domains means sending a message to a different domain, hoping that message will trigger the operation the original process wanted. A procedure could be a domain, in which case a program that wants to access an object can do so only thru well defined procedures (which works well in OO languages).
Multics:
In Multics, all resources are structured into a set of rings.
Ring zero has the most privleges, and ring 7 the least. Every ring
is a superset of a higher numbered ring (except 7). Every segment
of code has a set of three descriptors, b1, b2, and b3. Every process
has a ring descriptor i.
B1 describes the most privleged process that can call functions in the
segment. If any process even more privledged calls functions in this
segment, the arguments must be copied to an accesseble place, since this
segment cannot even read memory that privledged.
B2 describes the least privledged process that can call anywhere into
the segment
B3 describes the least privledges process that can call into a gate
of this segment.
However, it can be hard to place all resources into an ordered list. The need for order makes this scheme less flexible than others.
Unix:
In Unix, domains are associated with users. Each user has a set
of acces rights, and generally processes get the rights of the user currently
running them. Some programs have the access rights not of the user
running them, but of the user who 'owns' them, These are called set-uid
programs. They are necessary, but widely viewed as a security hole.
One alternative to a set-uid program is to have a deamon running with root privleges. Any process that wants to access forbidden resources must request the operation be done by the deamon.
In Unix, almost everything that needs to be accessed is guarded in one of three ways. Either it is a file, and therefore guarded by file permissions, or it is a pseudo-file, guarded the same way, or it is a system call that only 'root' can use.
Problem: I cannot give my rights to others.
Acess Lists and Capability Lists
These are just the rows and columns of an access matrix.
An access list is a list associated with an object, listing the domains capable of accessing the object. This is good because it gives the object owner a nice summary of who can do what. Revokation of rights is easy. However, it is difficult to determine what a particular domain can do, since searching all objects might be required.
A capabality list is a list associated with each domain, listing the action the domain is capable of performing. This is good, because each domain can see what it is capable of. However, rights to an object can be hard to revoke (might require searching all domains).
The Ameoba Capability System
In Ameoba, you can access a resource if you have a capability
for the resource. A capability is constructed as follows: Take
the id of the resource, and add to that bits coresponding to r/w/x, etc.
Encrypt the whole thing, creating a 128 bit cookie. If a process
wants to access a resource, it must offer the cookie. Given a capabilty,
the system can decrypt and determine if the operation is allowed.
If a process wants to share a resource, it can give the capabilty to others
it trusts.