Professional Documents
Culture Documents
Unit 5
Unit 5
Unit 5
Operating System Concepts – 8th Edition 7.2 Silberschatz, Galvin and Gagne
Chapter Objectives
To develop a description of deadlocks, which prevent
sets of concurrent processes from completing their
tasks
Operating System Concepts – 8th Edition 7.3 Silberschatz, Galvin and Gagne
The Deadlock Problem
A set of blocked processes each holding a resource and
waiting to acquire a resource held by another process in
the set
Example
System has 2 disk drives
P1 and P2 each hold one disk drive and each needs
another one
Example
semaphores A and B, initialized to 1 P0 P1
wait (A); wait(B) wait (B);
wait(A)
Operating System Concepts – 8th Edition 7.4 Silberschatz, Galvin and Gagne
Bridge Crossing Example
Operating System Concepts – 8th Edition 7.6 Silberschatz, Galvin and Gagne
Deadlock Characterization
Deadlock can arise if four conditions hold
simultaneously.
Mutual exclusion: only one process at a time can
use a resource
Operating System Concepts – 8th Edition 7.8 Silberschatz, Galvin and Gagne
Resource-Allocation Graph (Cont.)
Process
Pi requests instance of Rj
Pi
Pi is holding an instance of RR
j j
Pi
Rj
Operating System Concepts – 8th Edition 7.9 Silberschatz, Galvin and Gagne
Example of a Resource Allocation Graph
Operating System Concepts – 8th Edition 7.10 Silberschatz, Galvin and Gagne
Resource Allocation Graph With A Deadlock
Operating System Concepts – 8th Edition 7.11 Silberschatz, Galvin and Gagne
Graph With A Cycle But No Deadlock
Operating System Concepts – 8th Edition 7.12 Silberschatz, Galvin and Gagne
Basic Facts
Operating System Concepts – 8th Edition 7.13 Silberschatz, Galvin and Gagne
Methods for Handling Deadlocks
Operating System Concepts – 8th Edition 7.14 Silberschatz, Galvin and Gagne
Deadlock Prevention
Operating System Concepts – 8th Edition 7.15 Silberschatz, Galvin and Gagne
Deadlock Prevention (Cont.)
No Preemption –
If a process that is holding some resources requests
another resource that cannot be immediately
allocated to it, then all resources currently being
held are released
Preempted resources are added to the list of
resources for which the process is waiting
Process will be restarted only when it can regain its
old resources, as well as the new ones that it is
requesting
Operating System Concepts – 8th Edition 7.16 Silberschatz, Galvin and Gagne
Deadlock Avoidance
Requires that the system has some additional a priori
information
available
Simplest and most useful model requires that each
process declare the maximum number of resources of
each type that it may need
Operating System Concepts – 8th Edition 7.17 Silberschatz, Galvin and Gagne
Safe State
When a process requests an available resource, system
must decide if immediate allocation leaves the system
in a safe state
That is:
If Pi resource needs are not immediately available,
then Pi can wait until all Pj have finished
When Pj is finished, Pi can obtain needed resources,
execute, return allocated resources, and terminate
When Pi terminates, Pi +1 can obtain its needed
resources,
Operating System Concepts
th
– 8 Edition and so on 7.18 Silberschatz, Galvin and Gagne
Basic Facts
Operating System Concepts – 8th Edition 7.19 Silberschatz, Galvin and Gagne
Safe, Unsafe, Deadlock State
Operating System Concepts – 8th Edition 7.20 Silberschatz, Galvin and Gagne
Avoidance algorithms
Operating System Concepts – 8th Edition 7.21 Silberschatz, Galvin and Gagne
Resource-Allocation Graph Scheme
Operating System Concepts – 8th Edition 7.22 Silberschatz, Galvin and Gagne
Resource-Allocation Graph
Operating System Concepts – 8th Edition 7.23 Silberschatz, Galvin and Gagne
Unsafe State In Resource-Allocation Graph
Operating System Concepts – 8th Edition 7.24 Silberschatz, Galvin and Gagne
Resource-Allocation Graph Algorithm
Operating System Concepts – 8th Edition 7.25 Silberschatz, Galvin and Gagne
Banker’s Algorithm
Multiple instances
Operating System Concepts – 8th Edition 7.26 Silberschatz, Galvin and Gagne
Data Structures for the Banker’s Algorithm
Operating System Concepts – 8th Edition 7.27 Silberschatz, Galvin and Gagne
Safety Algorithm
1. Let Work and Finish be vectors of length m and n,
respectively. Initialize:
Work = Available
Finish [i] = false for i = 0, 1, …, n- 1
2. Find an i such that both:
(a) Finish [i] = false
(b) Needi Work
If no such i exists, go to step 4
Operating System Concepts – 8th Edition 7.28 Silberschatz, Galvin and Gagne
Resource-Request Algorithm for Process Pi
Request = request vector for process Pi. If Requesti [j] =
k then process Pi wants k instances of resource type Rj
5 processes P0 through P4
3 resource types:
A (10 instances), B (5instances), and C (7 instances)
Operating System Concepts – 8th Edition 7.30 Silberschatz, Galvin and Gagne
Example (Cont.)
The content of the matrix Need is defined to be Max –
Allocation
Need
ABC
P0 743
P1 122
P2 600
P3 011
P4 431
The system is in a safe state since the sequence < P1, P3,
P4, P2, P0> satisfies safety criteria
Operating System Concepts – 8th Edition 7.31 Silberschatz, Galvin and Gagne
Example: P1 Request (1,0,2)
Detection algorithm
Recovery scheme
Operating System Concepts – 8th Edition 7.33 Silberschatz, Galvin and Gagne
Single Instance of Each Resource Type
Operating System Concepts – 8th Edition 7.34 Silberschatz, Galvin and Gagne
Resource-Allocation Graph and
Wait-for Graph
Resource-Allocation Graph
Corresponding wait-for graph
Operating System Concepts – 8th Edition 7.35 Silberschatz, Galvin and Gagne
Several Instances of a Resource Type
Operating System Concepts – 8th Edition 7.36 Silberschatz, Galvin and Gagne
Detection Algorithm
1. Let Work and Finish be vectors of length m and n,
respectively Initialize:
(a) Work = Available
(b) For i = 1,2, …, n, if Allocationi 0, then
Finish[i] = false; otherwise, Finish[i] = true
Operating System Concepts – 8th Edition 7.37 Silberschatz, Galvin and Gagne
Detection Algorithm (Cont.)
Operating System Concepts – 8th Edition 7.38 Silberschatz, Galvin and Gagne
Example of Detection Algorithm
Five processes P0 through P4; three resource types
A (7 instances), B (2 instances), and C (6 instances)
Sequence <P0, P2, P3, P1, P4> will result in Finish[i] = true for
all i
Operating System Concepts – 8th Edition 7.39 Silberschatz, Galvin and Gagne
Example (Cont.)
P2 requests an additional instance of type C
Request
ABC
P0 000
P1 202
P2 001
P3 100
P4 002
State of system?
Can reclaim resources held by process P0, but
insufficient resources to fulfill other processes;
requests
Deadlock exists, consisting of processes P1, P2, P3,
and P4
Operating System Concepts – 8th Edition 7.40 Silberschatz, Galvin and Gagne
Detection-Algorithm Usage
When, and how often, to invoke depends on:
How often a deadlock is likely to occur?
How many processes will need to be rolled back?
one for each disjoint cycle
Operating System Concepts – 8th Edition 7.41 Silberschatz, Galvin and Gagne
Recovery from Deadlock:
Process Termination
Abort all deadlocked processes
Operating System Concepts – 8th Edition 7.42 Silberschatz, Galvin and Gagne
Recovery from Deadlock:
Resource Preemption
Operating System Concepts – 8th Edition 7.43 Silberschatz, Galvin and Gagne
Protection
Goals of Protection
Principles of Protection
Domain of Protection
Access Matrix
Implementation of Access Matrix
Access Control
Revocation of Access Rights
Capability-Based Systems
Language-Based Protection
Operating System Concepts – 8th Edition 7.44 Silberschatz, Galvin and Gagne
Objectives
Operating System Concepts – 8th Edition 7.45 Silberschatz, Galvin and Gagne
Goals of Protection
Operating System Concepts – 8th Edition 7.46 Silberschatz, Galvin and Gagne
Principles of Protection
Guiding principle – principle of least privilege
Programs, users and systems should be given
just enough privileges to perform their tasks
Limits damage if entity has a bug, gets
abused
Can be static (during life of system, during life
of process)
Or dynamic (changed by process as needed) –
domain switching, privilege escalation
“Need to know” a similar concept regarding
access to data
Operating System Concepts – 8th Edition 7.47 Silberschatz, Galvin and Gagne
Principles of Protection (Cont.)
Must consider “grain” aspect
Rough-grained privilege management easier,
simpler, but least privilege now done in large
chunks
For example, traditional Unix processes
either have abilities of the associated
user, or of root
Fine-grained management more complex,
more overhead, but more protective
File ACL lists, RBAC
Domain can be user, process, procedure
Operating System Concepts – 8th Edition 7.48 Silberschatz, Galvin and Gagne
Domain Structure
Operating System Concepts – 8th Edition 7.49 Silberschatz, Galvin and Gagne
Domain Implementation (UNIX)
Domain = user-id
Domain switch accomplished via file system
Each file has associated with it a domain bit
(setuid bit)
When file is executed and setuid = on, then
user-id is set to owner of the file being
executed
When execution completes user-id is reset
Domain switch accomplished via passwords
su command temporarily switches to another
user’s domain when other domain’s password
provided
Domain switching via commands
sudo command prefix executes specified
command in another domain (if original domain
has privilege or password given)
Operating System Concepts – 8th Edition 7.50 Silberschatz, Galvin and Gagne
Domain Implementation (MULTICS)
Let Di and Dj be any two domain rings
If j < I Di Dj
Operating System Concepts – 8th Edition 7.51 Silberschatz, Galvin and Gagne
Multics Benefits and Limits
also accessible in Dj
Operating System Concepts – 8th Edition 7.52 Silberschatz, Galvin and Gagne
Access Matrix
View protection as a matrix (access matrix)
Rows represent domains
Columns represent objects
Access(i, j) is the set of operations that a
process executing in Domaini can invoke on
Objectj
Operating System Concepts – 8th Edition 7.53 Silberschatz, Galvin and Gagne
Use of Access Matrix
If a process in Domain Di tries to do “op” on
object Oj, then “op” must be in the access matrix
User who creates object can define access
column for that object
Can be expanded to dynamic protection
Operations to add, delete access rights
Special access rights:
owner of Oi
copy op from Oi to Oj (denoted by “*”)
control – Di can modify Dj access rights
transfer – switch from domain Di to Dj
Copy and Owner applicable to an object
Control applicable to domain object
Operating System Concepts – 8th Edition 7.54 Silberschatz, Galvin and Gagne
Use of Access Matrix (Cont.)
Access matrix design separates mechanism from
policy
Mechanism
Operating system provides access-matrix +
rules
If ensures that the matrix is only
manipulated by authorized agents and that
rules are strictly enforced
Policy
User dictates policy
Who can access what object and in what
mode
But doesn’t solve the general confinement problem
Operating System Concepts – 8th Edition 7.55 Silberschatz, Galvin and Gagne
Access Matrix of Figure A with Domains as Objects
Operating System Concepts – 8th Edition 7.56 Silberschatz, Galvin and Gagne
Access Matrix with Copy Rights
Operating System Concepts – 8th Edition 7.57 Silberschatz, Galvin and Gagne
Access Matrix With Owner Rights
Operating System Concepts – 8th Edition 7.58 Silberschatz, Galvin and Gagne
Modified Access Matrix of Figure B
Operating System Concepts – 8th Edition 7.59 Silberschatz, Galvin and Gagne
Implementation of Access Matrix
Oj , R k >
with M ∈ Rk
Operating System Concepts – 8th Edition 7.61 Silberschatz, Galvin and Gagne
Implementation of Access Matrix (Cont.)
Operating System Concepts – 8th Edition 7.63 Silberschatz, Galvin and Gagne
Implementation of Access Matrix (Cont.)
Option 4 – Lock-key
Compromise between access lists and
capability lists
Each object has list of unique bit patterns,
called locks
Each domain as list of unique bit patterns
called keys
Process in a domain can only access object
if domain has key that matches one of the
locks
Operating System Concepts – 8th Edition 7.64 Silberschatz, Galvin and Gagne
Comparison of Implementations
Operating System Concepts – 8th Edition 7.65 Silberschatz, Galvin and Gagne
Comparison of Implementations (Cont.)
Operating System Concepts – 8th Edition 7.66 Silberschatz, Galvin and Gagne
Access Control
Protection can be applied to
non-file resources
Oracle Solaris 10 provides
role-based access control
(RBAC) to implement least
privilege
Privilege is right to
execute system call or use
an option within a system
call
Can be assigned to
processes
Users assigned roles
granting access to
privileges and programs
Enable role via
password to gain its
privileges
Operating System Similar to access matrix
Concepts – 8th Edition 7.67 Silberschatz, Galvin and Gagne
Revocation of Access Rights
Various options to remove the access right of a
domain to an object
Immediate vs. delayed
Selective vs. general
Partial vs. total
Temporary vs. permanent
Access List – Delete access rights from access list
Simple – search access list and remove entry
Immediate, general or selective, total or partial,
permanent or temporary
Operating System Concepts – 8th Edition 7.68 Silberschatz, Galvin and Gagne
Revocation of Access Rights (Cont.)
Capability List – Scheme required to locate capability
in the system before capability can be revoked
Reacquisition – periodic delete, with require and
denial if revoked
Back-pointers – set of pointers from each object to
all capabilities of that object (Multics)
Indirection – capability points to global table entry
which points to object – delete entry from global
table, not selective (CAL)
Keys – unique bits associated with capability,
generated when capability created
Master key associated with object, key matches
master key for access
Revocation – create new master key
Policy decision of who can create and modify
keys – object owner or others?
Operating System Concepts – 8th Edition 7.69 Silberschatz, Galvin and Gagne
Capability-Based Systems
Hydra
Fixed set of access rights known to and interpreted by
the system
i.e. read, write, or execute each memory segment
User can declare other auxiliary rights and register
those with protection system
Accessing process must hold capability and know
name of operation
Rights amplification allowed by trustworthy
procedures for a specific type
Interpretation of user-defined rights performed solely
by user's program; system provides access protection
for use of these rights
Operations on objects defined procedurally –
procedures are objects accessed indirectly by
capabilities
Solves the problem of mutually suspicious subsystems
Includes library of prewritten security routines
Operating System Concepts – 8th Edition 7.70 Silberschatz, Galvin and Gagne
Capability-Based Systems (Cont.)
Operating System Concepts – 8th Edition 7.71 Silberschatz, Galvin and Gagne
Language-Based Protection
Specification of protection in a programming
language allows the high-level description of
policies for the allocation and use of resources
Language implementation can provide
software for protection enforcement when
automatic hardware-supported checking is
unavailable
Interpret protection specifications to generate
calls on whatever protection system is
provided by the hardware and the operating
system
Operating System Concepts – 8th Edition 7.72 Silberschatz, Galvin and Gagne
Protection in Java 2
Protection is handled by the Java Virtual Machine
(JVM)
A class is assigned a protection domain when it
is loaded by the JVM
The protection domain indicates what operations
the class can (and cannot) perform
If a library method is invoked that performs a
privileged operation, the stack is inspected to
ensure the operation can be performed by the
library
Generally, Java’s load-time and run-time checks
enforce type safety
Classes effectively encapsulate and protect data
and methods from other classes
Operating System Concepts – 8th Edition 7.73 Silberschatz, Galvin and Gagne
Stack Inspection
Operating System Concepts – 8th Edition 7.74 Silberschatz, Galvin and Gagne
End