Modern Operating Systems by Herbert Bos ...
Modern_Operating_Systems_by_Herbert_Bos_and_Andrew_S._Tanenbaum_4th_Ed.pdf-M ODERN O PERATING S YSTEMS
SEC. 9.3
The second way is to keep the C-list inside the operating system. Capabilities
are then referred to by their position in the capability list.
A process might say: “Read 1 KB from the file pointed to by capability 2.” This form of addressing is
similar to using file descriptors in UNIX.
Hydra (Wulf et al., 1974) worked this
The third way is to keep the C-list in user space, but manage the capabilities cryptographically so that users cannot tamper with them. This approach is particularly suited to distributed systems and works as follows. When a client process sends a message to a remote server, for example, a file server, to create an object for it, the server creates the object and generates a long random number, the check field, to go with it. A slot in the server’s file table is reserved for the object and the check field is stored there along with the addresses of the disk blocks. In UNIX terms, the check field is stored on the server in the i-node. It is not sent back to the user and never put on the network. The server then generates and returns a capability to the user of the form shown in Fig. 9-9.
f(Objects, Rights, Check)
Figure 9-9. A cryptographically protected capability.
The capability returned to the user contains the server’s identifier, the object
number (the index into the server’s tables, essentially, the i-node number), and the
rights, stored as a bitmap. For a newly created object, all the rights bits are turned
on, of course, because the owner can do everything. The last field consists of the
concatenation of the object, rights, and check field run through a cryptographically
secure one-way function,
. A cryptographically secure one-way function is a func-
) that has the property that given
it is easy to find
, but given
it is
computationally infeasible to find
. We will discuss them in detail in Section 9.5.
For now, it suffices to know that with a good one-way function, even a determined
attacker will not be able to guess the check field, even if he knows all the other
fields in the capability.
When the user wishes to access the object, she sends the capability to the server as part of the request. The server then extracts the object number to index into its tables to find the object. It then computes f(Objects, Rights, Check), taking the first two parameters from the capability itself and the third from its own tables. If the result agrees with the fourth field in the capability, the request is honored; otherwise, it is rejected.
If a user tries to access someone else’s object, he will not
be able to fabricate the fourth field correctly since he does not know the check
field, and the request will be rejected.
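The issue-and-verify exchange above, together with the weaker-capability request the text turns to next, as an added Python sketch (not code from the book). Assumptions: SHA-256 stands in for the one-way function f, the rights bit values and the names `Server`, `Capability`, `restrict` and `demo` are illustrative, and the restricted capability's fourth field is computed over the reduced rights.

```python
import hashlib, hmac, secrets
from typing import NamedTuple

READ, WRITE, ALL = 0b01, 0b10, 0b11   # rights bitmap (constructed values)

class Capability(NamedTuple):
    server: str
    obj: int
    rights: int
    tag: bytes          # fourth field: f(Objects, Rights, Check)

def f(obj: int, rights: int, check: bytes) -> bytes:
    # Assumption: SHA-256 over fixed-width fields plays the role of the one-way function.
    return hashlib.sha256(obj.to_bytes(8, "big") + rights.to_bytes(1, "big") + check).digest()

class Server:
    def __init__(self, name: str):
        self.name = name
        self.table = {}   # object number -> check field; never leaves the server

    def create(self) -> Capability:
        obj = len(self.table)
        self.table[obj] = secrets.token_bytes(32)   # long random check field
        return Capability(self.name, obj, ALL, f(obj, ALL, self.table[obj]))

    def verify(self, cap: Capability, wanted: int) -> bool:
        check = self.table.get(cap.obj)
        if cap.server != self.name or check is None:
            return False
        # Object and rights come from the capability, the check field from our table.
        expected = f(cap.obj, cap.rights, check)
        return hmac.compare_digest(expected, cap.tag) and (cap.rights & wanted) == wanted

    def restrict(self, cap: Capability, new_rights: int) -> Capability:
        # Weaker capability: validate first, and only ever remove rights.
        if not self.verify(cap, 0) or new_rights & ~cap.rights:
            raise PermissionError("invalid capability or rights not held")
        return Capability(self.name, cap.obj, new_rights, f(cap.obj, new_rights, self.table[cap.obj]))

def demo() -> dict:
    srv = Server("fs1")
    alice, bob = srv.create(), srv.create()   # two objects, two owners
    read_only = srv.restrict(alice, READ)
    return {
        "owner_write": srv.verify(alice, WRITE),
        "read_only_read": srv.verify(read_only, READ),
        "read_only_write": srv.verify(read_only, WRITE),
        "rights_bits_flipped": srv.verify(read_only._replace(rights=ALL), WRITE),
        "retargeted_to_bob": srv.verify(alice._replace(obj=bob.obj), READ),
    }
```

The last two entries are the tampering cases: editing the rights bitmap or the object number changes the input to f, so the fourth field no longer matches without the check field.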
A user can ask the server to produce a weaker capability, for example, for read-
only access. First the server verifies that the capability is valid. If so, it computes
) and generates a new capability putting this value in
