Weekly Notes for Week 21
In Week 21 there are no lectures.
Tutorial Session Week 21
Please prepare for week 21 the following exercises:
Chapter 17
- (very important) What are the main differences between capability lists and access lists?
- A Burroughs B7000/B6000 MCP file can be tagged as sensitive data. When such a file is deleted, its storage area is overwritten by some random bits. For what purpose would such a scheme be useful?
- (important, repetition) In a ring-protection system, level 0 has the greatest access to objects, and level n (where n > 0) has fewer access rights. The access rights of a program at a particular level in the ring structure are considered a set of capabilities. What is the relationship between the capabilities of a domain at level j and a domain at level i to an object (for j > i)?
- The RC 4000 system, among others, has defined a tree of processes (called a process tree) such that all the descendants of a process can be given resources (objects) and access rights by their ancestors only. Thus, a descendant can never have the ability to do anything that its ancestors cannot do. The root of the tree is the operating system, which has the ability to do anything. Assume that the set of access rights is represented by an access matrix, A. A(x,y) defines the access rights of process x to object y. If x is a descendant of z, what is the relationship between A(x,y) and A(z,y) for an arbitrary object y?
- What protection problems may arise if a shared stack is used for parameter passing?
- Consider a computing environment where a unique number is associated with each process and each object in the system. Suppose that we allow a process with number n to access an object with number m only if n > m. What type of protection structure do we have?
- Consider a computing environment where a process is given the privilege of accessing an object only n times. Suggest a scheme for implementing this policy.
- If all the access rights to an object are deleted, the object can no longer be accessed. At this point, the object should also be deleted, and the space it occupies should be returned to the system. Suggest an efficient implementation of this scheme.
- (important) Why is it difficult to protect a system in which users are allowed to do their own I/O?
- (important) Capability lists are usually kept within the address space of the user. How does the system ensure that the user cannot modify the contents of the list?
- The access-control matrix can be used to determine whether a process can switch from, say, domain A to domain B and enjoy the access privileges of domain B. Is this approach equivalent to including the access privileges of domain B in those of domain A?
- What hardware features does a computer system need for efficient capability manipulation? Can these features be used for memory protection?
- Discuss the strengths and weaknesses of implementing an access matrix using capabilities that are associated with domains.
- (important) What is the need-to-know principle? Why is it important for a protection system to adhere to this principle?
- Describe how the Java protection model would be compromised if a Java program were allowed to directly alter the annotations of its stack frame.
- (important) How does the principle of least privilege aid in the creation of protection systems?
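Several of the Chapter 17 exercises revolve around one data structure, the access matrix, and its two implementations: the access list (one column of the matrix, stored with the object) and the capability list (one row, stored with the domain). The following Python sketch is an added illustration for these notes, not code from the course or the textbook; the domain, object and right names (D1, F1, "read", "printer") are constructed. It shows both views derived from the same matrix, a use-limited capability that is consumed after n accesses (the "only n times" exercise), and reclaiming an object once the last right to it is revoked (the "delete when no rights remain" exercise) by reference-counting matrix entries per object.

```python
# Added example for the Chapter 17 protection exercises (not from the course).
# Names of domains, objects and rights below are constructed for illustration.
from collections import defaultdict


class AccessMatrix:
    """Access matrix A: A[domain][obj] is the set of rights a domain holds."""

    def __init__(self):
        self._rows = defaultdict(dict)   # domain -> {obj: set(rights)}
        self._refs = defaultdict(int)    # obj -> number of (domain, obj) entries
        self.deleted = []                # objects reclaimed after the last right went away

    def grant(self, domain, obj, *rights):
        entry = self._rows[domain].get(obj)
        if entry is None:
            entry = self._rows[domain][obj] = set()
            self._refs[obj] += 1         # one more domain can reach obj
        entry.update(rights)

    def revoke(self, domain, obj, *rights):
        entry = self._rows[domain].get(obj)
        if entry is None:
            return
        entry.difference_update(rights)
        if not entry:                    # this domain holds no right to obj any more
            del self._rows[domain][obj]
            self._refs[obj] -= 1
            if self._refs[obj] == 0:     # no domain at all can reach obj: reclaim it
                del self._refs[obj]
                self.deleted.append(obj)

    def access_list(self, obj):
        """Column view (access list / ACL): which domains may do what to obj."""
        return {d: set(r[obj]) for d, r in self._rows.items() if obj in r}

    def capability_list(self, domain):
        """Row view (capability list): which objects a domain may touch, and how."""
        return {o: set(r) for o, r in self._rows[domain].items()}

    def check(self, domain, obj, right):
        return right in self._rows[domain].get(obj, set())


class CountedCapability:
    """Capability usable at most n times; the nth use revokes the right itself."""

    def __init__(self, matrix, domain, obj, right, n):
        self._m, self.domain, self.obj, self.right = matrix, domain, obj, right
        self.remaining = n

    def use(self):
        if self.remaining == 0 or not self._m.check(self.domain, self.obj, self.right):
            return False
        self.remaining -= 1
        if self.remaining == 0:
            self._m.revoke(self.domain, self.obj, self.right)
        return True


def build_example():
    """Constructed sample matrix: three domains, three objects."""
    m = AccessMatrix()
    m.grant("D1", "F1", "read")
    m.grant("D1", "F2", "read", "write")
    m.grant("D2", "F1", "read", "execute")
    m.grant("D3", "printer", "print")
    return m


if __name__ == "__main__":
    m = build_example()
    print("access list of F1:", m.access_list("F1"))
    print("capability list of D1:", m.capability_list("D1"))
    cap = CountedCapability(m, "D3", "printer", "print", 2)
    print("uses:", cap.use(), cap.use(), cap.use())
    print("reclaimed objects:", m.deleted)
```

The same matrix answers "who may touch F1?" cheaply from the column view and "what may D1 touch?" cheaply from the row view; revocation is the operation that differs in cost, which is the trade-off the capability-versus-access-list exercise asks about.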
Chapter 18
- (important) Describe the three types of traditional hypervisors.
- (important) Describe four virtualization-like execution environments, and explain how they differ from “true” virtualization.
- (important) Why are VMMs unable to implement trap-and-emulate-based virtualization on some CPUs? Lacking the ability to trap and emulate, what method can a VMM use to implement virtualization?
- (important) What hardware assistance for virtualization can be provided by modern CPUs?
- (important) What is Docker? What is a Docker image? What is a Docker container?
- (important) What is a unikernel?