Đang chuẩn bị liên kết để tải về tài liệu:
modern operating systems 2nd edition phần 8

Ứng dụng sao lưu nội dung của hòm thư hay những hòm thư đã được lựa chọn một thư mục cá nhân (PST) tập tin có thể được truy cập bằng cách sử dụng Microsoft Outlook bất cứ lúc nào | 656 SECURITY CHAP 9 also be a command to allow the owner to grant permission to read the file to everyone in the system in effect inserting the read right in the new file s entry in every domain. At any instant the matrix determines what a process in any domain can do not what it is authorized to do. The matrix is what is enforced hy the system authorization has to do with management policy. As an example of this distinction. let us consider the simple system of Fig. 9-30 in which domains correspond to users tn Fig. 9-30 ai we see the intended protection policy Henry can read and write mailbox Robert can read and write secret and all three users can read and execute compiler. Objects Objects Compiler Mailbox 7 Secret Compiler Mailbox 7 Secret Eric Read Execute Eric Read Execute Henry Read Execute Read Write Henry Read Execute Read Write Robert Read Execute Read Write Robert Read Execute Read Read Write a b Figure 9-30. a An authorized stale b An unauthorized stale. Now imagine that Robert is very clever and has found a way to issue commands to have the matrix changed to Fig 9-30 b . He has now gained access to mailbox something he is not authorized to have f he tries to read it. the operating system will carry out his request because it does not know that the state of Fig 9-30 b is unauthorized. It should now be clear that the set of all possible matrices can be partitioned into two disjoint sets the set of all authorized states and the set of all unauthorized states. A question around which much theoretical research has revolved is this Given an initial authorized state and a set of commands can Ú be proven that the system can never reach an unauthorized state 1 In effect we are asking if the available mechanism the protection commands is adequate to enforce some protection policy. Given this policy some initial state of the matrix and the set of commands for modifying the matrix what we would like is a way to prove that the system is secure. Such a proof turns .