Modern Operating Systems by Herbert Bos and Andrew S. Tanenbaum, 4th Ed.
Page 642
SEC. 9.3
other hand, ACLs allow selective revocation of rights, which capabilities do not. Finally, if an object is removed but the capabilities that refer to it are not (or vice versa), problems arise. ACLs do not suffer from this problem.
Most users are familiar with ACLs, because they are common in operating systems like Windows and UNIX. However, capabilities are not that uncommon either. For instance, the L4 kernel that runs on many smartphones from many manufacturers (typically alongside or underneath other operating systems like Android) is capability based. Likewise, FreeBSD has embraced Capsicum, bringing capabilities to a popular member of the UNIX family.
Protection matrices, such as that of Fig. 9-4, are not static. They frequently change as new objects are created, old objects are destroyed, and owners decide to increase or restrict the set of users for their objects. A considerable amount of attention has been paid to modeling protection systems in which the protection matrix is constantly changing. We will now touch briefly upon some of this work.
Decades ago, Harrison et al. (1976) identified six primitive operations on the protection matrix that can be used as a base to model any protection system. These primitive operations are create object, delete object, create domain, delete domain, insert right, and remove right. The last two primitives insert and remove rights from specific matrix elements, such as granting domain 1 permission to read
These six primitives can be combined into protection commands. It is these protection commands that user programs can execute to change the matrix. They may not execute the primitives directly. For example, the system might have a command to create a new file, which would test to see if the file already existed, and if not, create a new object and give the owner all rights to it. There might also be a command to allow the owner to grant permission to read the file to everyone in the system, in effect, inserting the "read" right in the new file's entry in every
At any instant, the matrix determines what a process in any domain can do, not what it is authorized to do. The matrix is what is enforced by the system; authorization has to do with management policy. As an example of this distinction, let us consider the simple system of Fig. 9-10 in which domains correspond to users. In Fig. 9-10(a) we see the intended protection policy:
can read and write
can read and write
, and all three users can read and ex-
Now imagine that
is very clever and has found a way to issue commands to have the matrix changed to Fig. 9-10(b). He has now gained access to
, something he is not authorized to have. If he tries to read it, the operating system will carry out his request because it does not know that the state of Fig. 9-10(b) is unauthorized.
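The six primitives, the two protection commands the text describes, and the enforcement-versus-authorization distinction of Fig. 9-10, worked through in Python as an added example (this is not code from the book). The domain and object names (alice, bob, carol, mailbox, secret, compiler), the "owner" right used as the guard condition in the commands, and the deliberately flawed command `grant_like` that drives the matrix into a state policy never authorized are all assumptions made for the illustration; the book's Fig. 9-10 does not say how its clever user changed the matrix.

```python
"""Protection matrix built from the six Harrison-Ruzzo-Ullman primitives.
Added example, not code from the book: the primitives and the commands follow
the text; names, the 'owner' right and the flawed command are assumptions."""
from collections import defaultdict

ALL_RIGHTS = ("owner", "read", "write", "execute")


class ProtectionMatrix:
    # Rows are domains, columns are objects, each cell is a set of rights.
    def __init__(self):
        self.domains, self.objects = set(), set()
        self._m = defaultdict(lambda: defaultdict(set))

    # The six primitives: user programs never call these, only commands do.
    def _create_object(self, obj):
        self.objects.add(obj)

    def _delete_object(self, obj):
        self.objects.discard(obj)
        for row in self._m.values():      # drop the whole column
            row.pop(obj, None)

    def _create_domain(self, dom):
        self.domains.add(dom)

    def _delete_domain(self, dom):
        self.domains.discard(dom)
        self._m.pop(dom, None)            # drop the whole row

    def _insert_right(self, dom, obj, right):
        self._m[dom][obj].add(right)

    def _remove_right(self, dom, obj, right):
        self._m[dom][obj].discard(right)

    # Protection commands: test a condition on the matrix, then run primitives.
    def create_domain(self, dom):
        if dom in self.domains:
            raise ValueError(dom)
        self._create_domain(dom)

    def create_file(self, caller, name):
        # Fail if it exists, else create it and give the caller all rights.
        if name in self.objects:
            raise FileExistsError(name)
        self._create_object(name)
        for r in ALL_RIGHTS:
            self._insert_right(caller, name, r)

    def grant_to_all(self, caller, name, right):
        # Owner inserts a right into the file's column for every domain.
        if not self.allows(caller, name, "owner"):
            raise PermissionError(f"{caller} does not own {name}")
        for dom in self.domains:
            self._insert_right(dom, name, right)

    def grant_like(self, caller, owned, target, name, right):
        # Constructed flawed command (assumption): the guard checks ownership of
        # `owned` but the primitive acts on `name`, a check/use mismatch.
        if not self.allows(caller, owned, "owner"):
            raise PermissionError(f"{caller} does not own {owned}")
        self._insert_right(target, name, right)

    # Enforcement: the only thing the system consults at access time.
    def allows(self, dom, obj, right):
        return right in self._m[dom][obj]

    def cells(self):
        return {(d, o, r) for d, row in self._m.items() for o, rs in row.items() for r in rs}


def violations(matrix, policy):
    # Rights the matrix enforces that policy never authorized; the kernel
    # cannot run this, it holds the matrix but not the management policy.
    return matrix.cells() - policy


def build_system():
    # Three users, three files, set up only through commands; the intended
    # policy is written down independently (all names constructed).
    pm = ProtectionMatrix()
    for d in ("alice", "bob", "carol"):
        pm.create_domain(d)
    owners = {"mailbox": "alice", "secret": "bob", "compiler": "carol"}
    for f, u in owners.items():
        pm.create_file(u, f)
    for r in ("read", "execute"):
        pm.grant_to_all("carol", "compiler", r)
    policy = {(u, f, r) for f, u in owners.items() for r in ALL_RIGHTS}
    policy |= {(d, "compiler", r) for d in ("alice", "bob") for r in ("read", "execute")}
    return pm, policy


def demo():
    pm, policy = build_system()
    before = pm.allows("bob", "mailbox", "read")    # False, and no violations
    pm.grant_like("bob", "secret", "bob", "mailbox", "read")   # bob owns 'secret' only
    after = pm.allows("bob", "mailbox", "read")     # True: the matrix is what is enforced
    return before, after, violations(pm, policy)
```

The point of `demo` is the last two lines: once the flawed command has run, `allows` answers yes, because the kernel enforces whatever the matrix says, and only an audit that compares the matrix against the separately recorded policy (`violations`) reveals that the state is unauthorized. In a real system the policy usually exists only in people's heads or in documents, which is why such states go unnoticed.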