Privilege transfer and revocation in a port-based system

摘要

Gutenberg is a port-based operating system being designed to study protection issues in distributed systems. In the Gutenberg system, all shared resources are viewed as protected objects and hence can be accessed only via specific operations defined on them. Processes communicate and access objects through the use of ports. Each port is associated with an abstract data type operation and can be created by a process only if the process has the capability to execute the operation on the type. Thus, a port represents the privilege of the port's client process to request a service (an abstract data type operation) provided by the port's server process (the type's manager). Capabilities to create ports for requesting operations are contained in a capability directory, which is navigated by processes to gain these capabilities. Privilege transfer is a means of providing servers access to the resources they need to perform their services. In Gutenberg, privilege transfer is accomplished by allowing access to subdirectories of the capability directory and by passing capabilities, including port access capabilities, to processes via ports. It should be possible to revoke transferred privileges when breaches of trust are detected or suspected, when a period of time has passed beyond which the distributor of a privilege does not want the privilege shared, or when an error has been detected. Transfer and revocation of privileges in Gutenberg is the subject of this paper. In particular, we describe the types of privileges in Gutenberg, discuss the mechanisms provided for the transfer and revocation of different types of privileges, and sketch the means for handling exceptions during privilege transfer.