Protection domain: a set of access
rights. For example, a user could be an protection
domain. In which case all the resources the user can access
represent his domain, and changing domains measn logging off and then
logging in as a new user. A process could be a domain, in
which case we associate with each process a set of access rights.
Changing domains means sending a message to a different domain, hoping
that message will trigger the operation the original process
wanted. A procedure could be a domain, in which case a
program that wants to access an object can do so only thru well defined
procedures (which works well in OO languages).
Questions to ask about a mechanism.
Multics:
In Multics, all resources are structured into a set of rings.
Ring zero has the most privleges, and ring 7 the least. Every ring
is a superset of a higher numbered ring (except 7). Every segment
of code has a set of three descriptors, b1, b2, and b3. Every
process has a ring descriptor i.
B1 describes the most privleged process that can call functions in
the segment. If any process even more privledged calls functions
in this segment, the arguments must be copied to an accesseble place,
since this segment cannot even read memory that privledged.
B2 describes the least privledged process that can call anywhere into
the segment
B3 describes the least privledges process that can call into a gate
of this segment.
However, it can be hard to place all resources into an ordered list. The need for order makes this scheme less flexible than others.
Unix:
In Unix, domains are associated with users. Each user has a set
of acces rights, and generally processes get the rights of the user
currently running them. Some programs have the access rights not
of the user running them, but of the user who 'owns' them, These
are called set-uid programs. They are necessary, but widely viewed
as a security hole.
One alternative to a set-uid program is to have a deamon running with root privleges. Any process that wants to access forbidden resources must request the operation be done by the deamon.
In Unix, almost everything that needs to be accessed is guarded in
one of three ways. Either it is a file, and therefore guarded by
file permissions, or it is a pseudo-file, guarded the same way, or it is
a system call that only 'root' can use.
You can read a summary here
(complete with comparision to NT).
Problem: I cannot give my rights to others.
Windows NT
The
domain is the user, not the process. Users can be combined into
'groups'. Each object has an 'owner' and a 'group' to which
it belongs. All protection is done by access control lists.
You can read a summary of windows NT security here,
and here.
A guide to Windows NT permissions including pictures and the default
values is here.
Acess Lists and Capability Lists
These are just the rows and columns of an access matrix.
An access list is a list associated with an object, listing the domains capable of accessing the object. This is good because it gives the object owner a nice summary of who can do what. Revokation of rights is easy. However, it is difficult to determine what a particular domain can do, since searching all objects might be required.
A capabality list is a list associated with each domain, listing the action the domain is capable of performing. This is good, because each domain can see what it is capable of. However, rights to an object can be hard to revoke (might require searching all domains).
The Ameoba Capability System
In Ameoba, you can access a resource if you have a capability
for the resource. A capability is constructed as follows:
Take the id of the resource, and add to that bits coresponding to r/w/x,
etc. Encrypt the whole thing, creating a 128 bit cookie. If
a process wants to access a resource, it must offer the cookie.
Given a capabilty, the system can decrypt and determine if the
operation is allowed. If a process wants to share a resource, it
can give the capabilty to others it trusts.