Os MD 2
20MCAT172
Module II
1
Distributed Mutual Exclusion
• The problem of mutual exclusion arises in distributed systems whenever concurrent
access to shared resources by several sites/processes is involved.
• For correctness, the shared resource must be accessed by a single site at a time
(atomically).
• Example: directory management
• An update to a directory must be done atomically.
2
Distributed Mutual Exclusion
• It is necessary that the shared resource be accessed by a single site (or process) at a
time.
• In single-computer systems, the status of a shared resource and the status of its users are
readily available in shared memory, so solutions to the mutual exclusion problem
can easily be implemented with shared variables (e.g., semaphores).
• In distributed systems, the shared resources and the users may be distributed and shared
memory does not exist. Approaches based on shared variables are therefore not applicable,
and approaches based on message passing must be used.
• The problem is harder because there is neither shared memory nor a common
physical clock, and because message delays are unpredictable.
3
Classification of mutual exclusion algorithms
• Algorithms differ in their communication topology and in the amount of information
maintained by each site about other sites.
• Algorithms are grouped into two classes.
1. Non-token-based: these algorithms require two or more successive rounds of
message exchanges among sites. They are assertion based because a site can
enter its critical section (CS) only when an assertion defined on its local variables
becomes true. Mutual exclusion is enforced because the assertion becomes true
at only one site at any given time.
2. Token-based: a unique token (also known as the PRIVILEGE) is shared among
the sites. A site is allowed to enter its CS only if it possesses the token, and it continues
to hold the token until the execution of the CS is over.
4
System model
• At any instant, a site may have several requests for the CS.
• In token-based algorithms, the site holding the token may also be executing outside
the CS. Such a state is referred to as the idle token state.
5
Requirements for mutual exclusion
• The primary objective of a mutual exclusion algorithm is to guarantee that only one
request accesses the CS at a time. In addition, the following characteristics are
important.
1. Freedom from deadlock – two or more sites should not endlessly wait for
messages that will never arrive.
2. Freedom from starvation – a site should not be forced to wait indefinitely to
execute the CS while other sites are repeatedly executing it. That is, every requesting
site should get an opportunity to execute the CS in finite time.
3. Fairness – requests must be executed in the order in which they are made (or the order in
which they arrive in the system).
4. Fault tolerance – a mutual exclusion algorithm is fault-tolerant if, in the wake of a
failure, it can reorganize itself so that it continues to function without
disruption.
6
Measuring Performance
• The performance of the mutual exclusion algorithms is measured by four metrics:
7
8
Low and high load performance
• The performance of mutual exclusion algorithms depends on the loading conditions of the
system: low load and high load.
• Low load – there is rarely more than one request for mutual exclusion
pending at a time.
• High load – there is always a pending request for mutual exclusion at a site.
• After having executed one request, a site immediately initiates its next request to execute
the CS.
• A site is rarely in an idle state.
9
Best and Worst case performance
• Best case – the prevailing conditions are such that a performance metric attains its best
possible value; e.g., the best value for response time is achieved when the load is low.
• Worst case – the worst value for response time is achieved when the load is high.
10
Non-token based algorithms
• A site communicates with a set of other sites to arbitrate who should execute the CS
next.
• For a site Si, the request set Ri contains the ids of all those sites from which site Si must
acquire permission before entering the CS.
• These algorithms use timestamps to order requests for the CS and to resolve
conflicts between simultaneous requests for the CS.
• In these algorithms, logical clocks are maintained and updated according to
Lamport's scheme.
• Each request for the CS gets a timestamp, and requests with smaller timestamps have
priority over requests with larger timestamps.
Examples
• Lamport's Algorithm
• Ricart–Agrawala Algorithm
11
Lamport’s Algorithm for Mutual Exclusion in Distributed System
12
Lamport’s Algorithm for Mutual Exclusion in Distributed System
• In this algorithm:
• Three types of messages (REQUEST, REPLY and RELEASE) are used, and
communication channels are assumed to be FIFO.
• A site sends a REQUEST message to all other sites to get their permission to enter the
critical section.
• A site sends a REPLY message to the requesting site to give its permission to enter
the critical section.
• A site sends a RELEASE message to all other sites upon exiting the critical section.
• Every site Si keeps a queue of critical section requests ordered by their
timestamps.
request_queuei denotes the queue of site Si.
14
Lamport’s Algorithm for Mutual Exclusion in Distributed System
Algorithm:
• Requesting the critical section:
• When a site Si wants to enter the critical section, it sends a request
message REQUEST(tsi, i) to all other sites and places the request
on request_queuei. Here tsi denotes the timestamp of site Si's request.
• When a site Sj receives the request message REQUEST(tsi, i) from site Si, it
returns a timestamped REPLY message to site Si and places the request of site
Si on request_queuej.
• Executing the critical section:
• A site Si can enter the critical section only if it has received a message with a
timestamp larger than (tsi, i) from every other site and its own request is at the
top of request_queuei.
15
Lamport’s Algorithm for Mutual Exclusion in Distributed System
• Releasing the critical section:
• When site Si exits the critical section, it removes its own request from the top of
request_queuei and sends a timestamped RELEASE message to all other sites.
• When site Sj receives the RELEASE message from site Si, it removes Si's request
from request_queuej.
• When a site removes a request from its request queue, its own request may come
to the top of the queue, enabling it to enter the CS.
• The algorithm executes CS requests in increasing order of timestamps.
16
Ricart–Agrawala Algorithm for Mutual Exclusion in Distributed System
17
Ricart–Agrawala Algorithm for Mutual Exclusion in Distributed System
Algorithm:
• Requesting the Critical section:
• When a site Si wants to enter the critical section, it sends a
timestamped REQUEST message to all other sites.
• When a site Sj receives a REQUEST message from site Si, it sends
a REPLY message to site Si if and only if
• site Sj is neither requesting nor currently executing the critical section, or
• site Sj is requesting, and the timestamp of site Si's request is smaller than
that of its own request. Otherwise the reply is deferred by site Sj.
18
Ricart–Agrawala Algorithm for Mutual Exclusion in Distributed System
• Executing the critical section:
• Site Si enters the critical section once it has received a REPLY message from all
other sites.
• Releasing the critical section:
• When site Si exits the critical section, it sends REPLY messages to all the
requests it had deferred.
19
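Both non-token-based algorithms above, Lamport's and Ricart–Agrawala's, as an added example that is not part of these notes. It assumes a constructed in-memory `Network` whose channels are FIFO deques delivered round-robin, three sites, and an instantaneous critical section (so the "currently executing the CS" case of the Ricart–Agrawala rule never arises). The class and function names (`Network`, `LamportSite`, `RicartAgrawalaSite`, `run`) are mine. In `run`, sites 2 and 0 request concurrently; site 2's logical clock is ahead, so site 0's request carries the smaller timestamp and is served first even though site 2 asked earlier in program order. The network also counts messages: Lamport's algorithm costs 3(N−1) messages per CS execution (REQUEST, REPLY and RELEASE to every other site), Ricart–Agrawala's 2(N−1), which the returned counts (12 and 8 for two executions with N = 3) confirm.

```python
from collections import deque
import heapq


class Network:
    """Constructed stand-in for FIFO channels: one deque per ordered (src, dst) pair."""
    def __init__(self):
        self.chan, self.sites, self.sent = {}, {}, 0

    def send(self, src, dst, msg):
        self.sent += 1
        self.chan.setdefault((src, dst), deque()).append(msg)

    def deliver_all(self):
        while any(self.chan.values()):          # round-robin: one message per channel per pass
            for (src, dst), q in sorted(self.chan.items()):
                if q:
                    self.sites[dst].receive(src, q.popleft())


class LamportSite:
    """Lamport: REQUEST/REPLY/RELEASE and a timestamp-ordered request queue at every site."""
    def __init__(self, sid, n, net, log):
        self.id, self.n, self.net, self.log = sid, n, net, log
        self.clock, self.queue, self.my_req = 0, [], None      # logical clock, heap of (ts, site)
        self.last = {j: (0, j) for j in range(n) if j != sid}  # newest (ts, j) received from each j
        net.sites[sid] = self

    def _stamp(self):
        self.clock += 1
        return self.clock

    def _broadcast(self, kind):
        ts = self._stamp()
        for j in range(self.n):
            if j != self.id:
                self.net.send(self.id, j, (kind, ts))
        return ts

    def request(self):
        self.my_req = (self._broadcast("REQUEST"), self.id)
        heapq.heappush(self.queue, self.my_req)
        self._try_enter()

    def receive(self, src, msg):
        kind, ts = msg
        self.clock = max(self.clock, ts) + 1
        self.last[src] = (ts, src)
        if kind == "REQUEST":
            heapq.heappush(self.queue, (ts, src))
            self.net.send(self.id, src, ("REPLY", self._stamp()))
        elif kind == "RELEASE":
            self.queue = [r for r in self.queue if r[1] != src]
            heapq.heapify(self.queue)
        self._try_enter()

    def _try_enter(self):
        # Enter iff own request heads the queue and every other site has sent something newer.
        ready = self.my_req and self.queue[0] == self.my_req
        if ready and all(t > self.my_req for t in self.last.values()):
            self.log.append(self.id)            # the critical section itself
            heapq.heappop(self.queue)
            self.my_req = None
            self._broadcast("RELEASE")


class RicartAgrawalaSite(LamportSite):
    """Ricart–Agrawala: REPLY is deferred while this site has an older request; no RELEASE."""
    def __init__(self, sid, n, net, log):
        super().__init__(sid, n, net, log)
        self.replies, self.deferred = set(), []

    def request(self):
        self.my_req, self.replies = (self._broadcast("REQUEST"), self.id), set()
        self._try_enter()

    def receive(self, src, msg):
        kind, ts = msg
        self.clock = max(self.clock, ts) + 1
        if kind == "REQUEST":
            if self.my_req and self.my_req < (ts, src):   # own request is older: make src wait
                self.deferred.append(src)
            else:
                self.net.send(self.id, src, ("REPLY", self._stamp()))
        else:
            self.replies.add(src)
        self._try_enter()

    def _try_enter(self):
        if self.my_req and len(self.replies) == self.n - 1:
            self.log.append(self.id)
            self.my_req = None
            for j in self.deferred:                 # leaving the CS releases the deferred replies
                self.net.send(self.id, j, ("REPLY", self._stamp()))
            self.deferred = []


def run(site_cls, n=3):
    # Sites 2 and 0 request concurrently; site 2's clock is ahead, so site 0 wins on timestamp.
    net, log = Network(), []
    sites = [site_cls(i, n, net, log) for i in range(n)]
    sites[2].clock = 5
    sites[2].request()
    sites[0].request()
    net.deliver_all()
    return log, net.sent
```

`run(LamportSite)` returns `([0, 2], 12)` and `run(RicartAgrawalaSite)` returns `([0, 2], 8)`: the same CS order, decided purely by (timestamp, site id), with a third fewer messages in the Ricart–Agrawala case because the deferred REPLY doubles as the RELEASE.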
Token-based algorithms
• A unique token is shared among all sites.
• A site is allowed to enter its CS if it possesses the token.
• Token-based algorithms use sequence numbers instead of timestamps.
• Every request for the token contains a sequence number and the sequence
numbers of sites advance independently.
• A site increments its sequence number counter every time it makes a request for
the token.
• A primary function of the sequence number is to distinguish between old and
current requests.
Example
• SUZUKI-KASAMI’S BROADCAST ALGORITHM
20
Suzuki–Kasami Algorithm for Mutual Exclusion in Distributed System
• Non-token-based algorithms use timestamps to order requests for the critical
section, whereas token-based algorithms use sequence numbers.
21
Suzuki–Kasami Algorithm for Mutual Exclusion in Distributed System
• Data structures:
• Every site Si keeps an array RNi[1..N], where RNi[j] is the largest sequence number
received so far in a REQUEST message from site Sj.
• The token carries an array LN[1..N], where LN[j] is the sequence number of the request
that site Sj executed most recently, and a queue Q of the IDs of sites waiting for the token.
22
Suzuki–Kasami Algorithm for Mutual Exclusion in Distributed System
Algorithm:
• Requesting the Critical section:
• When a site Si wants to enter the critical section and it does not have the token,
it increments its sequence number RNi[i] and sends a request
message REQUEST(i, sn) to all other sites in order to request the token.
Here sn is the updated value of RNi[i].
• When a site Sj receives the request message REQUEST(i, sn) from site Si, it
sets RNj[i] to the maximum of RNj[i] and sn, i.e. RNj[i] = max(RNj[i], sn).
• After updating RNj[i], site Sj sends the token to site Si if it holds the idle token
and RNj[i] = LN[i] + 1 (i.e. the request is current, not an old one that has already
been served).
23
Suzuki–Kasami Algorithm for Mutual Exclusion in Distributed System
• Executing the critical section:
• Site Si executes the critical section once it has acquired the token.
• Releasing the critical section:
After finishing the execution, site Si exits the critical section and does the following:
• sets LN[i] = RNi[i] to indicate that its critical section request RNi[i] has been
executed.
• For every site Sj whose ID is not present in the token queue Q, it appends Sj's ID
to Q if RNi[j] = LN[j] + 1, indicating that site Sj has an outstanding request.
• After these updates, if the queue Q is non-empty, it pops a site ID from
Q and sends the token to the site indicated by the popped ID.
• If the queue Q is empty, it keeps the token.
24
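The full request / execute / release cycle of Suzuki–Kasami above, as an added example that is not part of these notes. It assumes a constructed delivery model in which messages are direct method calls (the algorithm does not need FIFO channels, so this loses nothing), the token starting at site 0 in the idle token state, and the names `Token`, `Site` and `run_demo`, which are mine. The scenario has three sites contend, two of them while the token holder is inside the CS so that the token queue Q is actually used, and then re-delivers an old REQUEST(2, 1) to the token holder to show how the sequence numbers distinguish a stale request (RNj[i] = LN[i]) from a current one (RNj[i] = LN[i] + 1): the stale one does not move the token.

```python
from collections import deque


class Token:
    """The single PRIVILEGE.  LN[j] is the sequence number of the request site j executed
    most recently; Q holds the ids of sites with outstanding requests."""
    def __init__(self, n):
        self.LN = [0] * n
        self.Q = deque()


class Site:
    """One site of Suzuki–Kasami.  Constructed delivery: messages are direct method calls,
    so REQUESTs are received in broadcast order and the token hop is immediate."""
    def __init__(self, sid, n, sites, log):
        self.id, self.n, self.sites, self.log = sid, n, sites, log
        self.RN = [0] * n              # RN[j]: largest sequence number received from site j
        self.token = None
        self.waiting = self.in_cs = False
        sites[sid] = self

    def request(self):
        """Requesting the CS: bump own sequence number and broadcast REQUEST(i, sn)."""
        if self.token is not None:     # already holding the idle token: enter directly
            self._enter()
            return
        self.waiting = True
        self.RN[self.id] += 1
        sn = self.RN[self.id]
        for j in range(self.n):
            if j != self.id:
                self.sites[j].on_request(self.id, sn)

    def on_request(self, i, sn):
        self.RN[i] = max(self.RN[i], sn)
        # Hand over only for a *current* request: RN[i] == LN[i] + 1.  A stale REQUEST that
        # was already served satisfies RN[i] == LN[i] and is ignored.
        if self.token is not None and not self.in_cs and self.RN[i] == self.token.LN[i] + 1:
            self._send_token(i)

    def _send_token(self, j):
        tok, self.token = self.token, None
        self.sites[j].on_token(tok)

    def on_token(self, tok):
        self.token = tok
        if self.waiting:
            self._enter()

    def _enter(self):
        self.waiting, self.in_cs = False, True
        self.log.append(self.id)       # the critical section itself

    def exit(self):
        """Releasing the CS: record LN[i], queue every site with an outstanding request, pass on."""
        self.in_cs = False
        tok = self.token
        tok.LN[self.id] = self.RN[self.id]
        for j in range(self.n):
            if j not in tok.Q and self.RN[j] == tok.LN[j] + 1:
                tok.Q.append(j)
        if tok.Q:
            self._send_token(tok.Q.popleft())


def run_demo(n=3):
    """Constructed scenario; returns (CS execution order, final token holder, token.LN)."""
    log, sites = [], {}
    for i in range(n):
        Site(i, n, sites, log)
    sites[0].token = Token(n)          # site 0 starts in the idle token state
    sites[1].request()                 # token moves 0 -> 1
    sites[1].exit()                    # nobody waiting: site 1 keeps the idle token
    sites[2].request()                 # token moves 1 -> 2, site 2 is now inside the CS
    sites[0].request()                 # arrive while site 2 is in the CS: only RN is updated
    sites[1].request()
    sites[2].exit()                    # Q becomes [0, 1]; token goes to site 0
    sites[0].exit()                    # then to site 1
    sites[1].exit()                    # Q empty again: site 1 keeps the token
    sites[1].on_request(2, 1)          # delayed duplicate of site 2's old REQUEST(2, 1): ignored
    holder = next(i for i in range(n) if sites[i].token is not None)
    return log, holder, list(sites[holder].token.LN)
```

`run_demo()` returns `([1, 2, 0, 1], 1, [1, 2, 1])`: the CS was executed four times in the order the requests became current, and the re-delivered REQUEST(2, 1) left the token at site 1 because LN[2] already equals 1.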
RESOURCE SECURITY AND PROTECTION
25
Security & Protection
• Security and protection deals with the control of unauthorized use and access to
hardware and software resources of a computer system.
• Protection is a mechanism and security is a policy.
• Protection deals with mechanisms to build secure systems and security deals with
policy issues that use protection mechanisms to build secure systems.
• Policies refer to what should be done and mechanisms refer to how it should be
done.
• Protection in an operating system refers to mechanisms that control user access to
system resources, whereas policies decide which user can have access to what
resources.
• Policies can change with time and applications.
• A protection scheme must be amenable to a wide variety of policies to ensure
security in computer systems
26
Potential Security Violations
27
Potential Security Violations
Unauthorized information modification
- This occurs when an unauthorized person is able to alter the information stored in a computer.
- E.g., changing student grades in a university database or changing an account balance in a bank
database.
- An unauthorized person need not read the information before changing it.
28
Potential Security Violations
29
Design principles for secure systems
30
Design principles for secure systems
The principles for designing a secure computer system are:
1. Economy
2. Complete Mediation
3. Open Design
4. Separation of Privileges
5. Least Privilege
6. Least Common Mechanism
7. Acceptability
8. Fail-Safe Defaults
31
Design principles for secure systems...
1. Economy:
- A protection mechanism should be economical to develop and use.
- Its inclusion in a system should not result in substantial cost or overhead to the system.
- One easy method to achieve economy is to keep the design as simple and small as
possible.
2. Complete Mediation:
- The design of a completely secure system requires that every request to access an object
be checked for the authority to do so.
3. Open Design:
- A protection mechanism should work even if its underlying principles are known to
an attacker.
32
Design principles for secure systems...
4. Separation of Privileges
- A protection mechanism that requires two keys to unlock a lock or gain access
to a protected object is more robust and flexible than one that allows a
single key to unlock the lock.
- In computer systems, the presence of two keys means satisfying two
independent conditions before an access is allowed.
5. Least Privilege:
- A user should be given the minimum access rights that are sufficient for it
to complete its task.
- If the requirements of a user change, the user should acquire the new rights by
switching domain.
33
Design principles for secure systems...
35
Access Matrix Model
• Access Matrix is a security model of protection state in computer system.
• It is represented as a matrix.
• A protection system consists of mechanisms to control user access to system
resources or to control information flow in the system.
• The most fundamental model of protection is the access matrix model in computer
systems.
• The original model is called access matrix since the authorization state, meaning
the authorizations holding at a given time in the system, is represented as a matrix.
• The matrix therefore gives an abstract representation of protection systems.
• Access matrix is used to define the rights of each process executing in the domain
with respect to each object.
• It is used to describe which users have access to what objects.
36
Access Matrix Model
1. Current Objects
2. Current Subjects
3. Generic Rights
1. Current Objects
•Current objects are a finite set of entities to which access is to be controlled.
•The set is denoted by ‘O’.
•Example : File
37
Access Matrix Model
2. Current Subjects
• Current subjects are a finite set of entities that access current objects.
• The set is denoted by 'S'.
• Example : Process
3. Generic Rights
• A finite set of generic rights, R = {r1, r2, r3, .... , rm}, gives various access
rights that subjects can have to objects.
• Example : read, write, own, delete etc.
38
The Protection State of a System
• The protection state of a system is represented by a triplet ( S, O, P), where
• S is the set of current subjects.
• O is the set of current objects.
• P is a matrix called Access Matrix with a row for every current subject and
a column for every current object.
40
The Protection State of a System
• The Access matrix model of a protection system is very popular because of its
41
Implementation of the Access Matrix
• The Access matrix is very sparse and takes up a large chunk of memory.
• So, any direct implementation of the access matrix for access control is likely to be
very storage inefficient.
1. Capabilities
42
2. Access Control List
• This method refers to the column-wise decomposition of the access matrix.
• Each object o has a list containing tuples (s, P[s, o]) for all subjects s that can access the
object.
• P[s, o] denotes the rights of subject s on object o.
• When a subject s requests access to object o in mode α, the request is executed in the following manner.
• The system searches the access control list of o to find out whether an entry (s, P[s, o]) exists for
subject s.
• If an entry (s, P[s, o]) exists for subject s, the system checks whether the requested
access mode is permitted (i.e., whether α ∈ P[s, o]).
• If the requested access is permitted, the request is executed; otherwise an appropriate
exception is raised.
45
Access Control List
A schematic of an access control list
• Features:
• Easy Revocation
• Easy Review of an Access
• Implementation Considerations:
• Efficiency of Execution
• Efficiency of Storage
46
3. The Lock – Key Method
• The lock and key method is a hybrid of the access control list and capability
methods.
• It has features of both previous methods.
• In the lock and key method, every subject has a capability list that contains tuples
of the form (o, k), indicating that the subject can access object o using key k.
• Every object has an access control list that contains tuples of the form (l, ₼),
called lock entries, indicating that any subject that can open lock l can access
this object in the modes contained in the set ₼.
47
3. The Lock – Key Method
• When a subject makes a request to access object o in mode α, the system
proceeds in the following manner.
• The system locates the tuple (o, k) in the capability list of the subject. If no such
tuple is found, the access is not permitted.
• Otherwise the access is permitted only if there exists a lock entry (l, ₼) in the
access control list of object o such that k = l and α ∈ ₼.
48
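The access matrix, its column-wise decomposition into access control lists, and the lock–key hybrid above, as an added example that is not part of these notes. It uses a constructed protection state (S, O, P) for three processes and three files with generic rights {read, write, own, delete}; the names `AccessDenied`, `access_control_lists`, `check_acl`, `lock_key_tables`, `check_lock_key`, `revoke_lock` and `permitted` are mine. The ACL check follows the steps on the slide (find the (s, P[s, o]) entry, test α ∈ P[s, o], raise otherwise) and in doing so applies two of the design principles from earlier: every request is mediated, and a missing entry is a fail-safe denial. For the lock–key tables the construction is my own choice: one random lock per distinct rights set on an object, so subjects with identical rights on that object hold the same key, and dropping that lock entry from the object's list revokes all of them at once without touching any subject's capability list.

```python
import secrets


class AccessDenied(Exception):
    """Raised when subject s asks for mode alpha on object o and alpha is not in P[s, o]."""


# Constructed sample protection state (S, O, P): subjects are processes, objects are
# files, generic rights R = {read, write, own, delete}.  Empty matrix cells are omitted.
SUBJECTS = ["p_alice", "p_bob", "p_backup"]
OBJECTS = ["grades.db", "payroll.db", "notes.txt"]
P = {
    ("p_alice", "grades.db"): {"read", "write", "own"},
    ("p_bob", "grades.db"): {"read"},
    ("p_bob", "notes.txt"): {"read", "write", "own", "delete"},
    ("p_backup", "grades.db"): {"read"},
    ("p_backup", "payroll.db"): {"read"},
}


def access_control_lists(P):
    """Column-wise decomposition: object o -> [(s, P[s, o])] for every s that can access o."""
    acl = {o: [] for o in OBJECTS}
    for (s, o), rights in P.items():
        acl[o].append((s, frozenset(rights)))
    return acl


def check_acl(acl, s, o, alpha):
    """Complete mediation: every request is checked; fail-safe default: no entry, no access."""
    for subj, rights in acl.get(o, []):
        if subj == s:
            if alpha in rights:
                return True
            raise AccessDenied(f"{s} may not {alpha} {o}: not in {sorted(rights)}")
    raise AccessDenied(f"{s} has no entry on the access control list of {o}")


def lock_key_tables(P):
    """Hybrid (my construction): one lock per distinct (object, rights set); subjects that
    share a rights set on an object hold the same key.  Locks are random, not derivable
    from the object name, so a key is only obtainable by being granted it."""
    locks = {o: [] for o in OBJECTS}    # object o -> [(l, rights)]   (the (l, M) lock entries)
    caps = {s: [] for s in SUBJECTS}    # subject s -> [(o, key)]     (the (o, k) capabilities)
    lock_for = {}                       # (o, rights) -> l
    for (s, o), rights in P.items():
        group = (o, frozenset(rights))
        if group not in lock_for:
            lock_for[group] = secrets.token_hex(8)
            locks[o].append((lock_for[group], frozenset(rights)))
        caps[s].append((o, lock_for[group]))
    return caps, locks


def check_lock_key(caps, locks, s, o, alpha):
    """Step 1: find (o, k) in the subject's capability list; step 2: a lock l = k on o
    whose mode set contains alpha."""
    key = next((k for obj, k in caps.get(s, []) if obj == o), None)
    if key is None:
        raise AccessDenied(f"{s} holds no key for {o}")
    for lock, rights in locks.get(o, []):
        if lock == key and alpha in rights:
            return True
    raise AccessDenied(f"no lock on {o} opens with {s}'s key for mode {alpha}")


def revoke_lock(locks, o, lock):
    """Revocation without touching any subject: drop the lock entry and every key for it dies."""
    locks[o] = [(l2, rights) for (l2, rights) in locks[o] if l2 != lock]


def permitted(check, *args):
    """Convenience wrapper turning the raise/return protocol into a boolean."""
    try:
        return check(*args)
    except AccessDenied:
        return False
```

With these tables, `p_bob` and `p_backup` receive the same read-only key for `grades.db`; revoking that one lock entry denies both of them while `p_alice`, who holds a different key, keeps her read/write/own access. An ACL would need two entries edited for the same effect, and a pure capability scheme would need every subject's list visited.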
Thank You
49