Download presentation
Presentation is loading. Please wait.
1
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Protection (Chapter 14)
2
14.2 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Goals of Protection The role of protection in a computer system is to provide a mechanism for the enforcement of the policies governing resource use. - ensure that each object is accessed correctly and only by those processes that are allowed to do so - policies may change over time: mechanisms should be adaptive or implemented at different levels (e.g., OS and application) Protection vs. Security Security is a measure of confidence that resources are protected Examples of protection in computer systems?
3
14.3 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Principles of Protection Guiding principle – principle of least privilege Programs, users and systems should be given just enough privileges to perform their tasks Examples of benefits: Breaking into one system should not be equivalent to breaking into all Breaking into one user account should not mean getting access to all Overflow of a buffer in a system daemon should only cause the daemon process to fail (but not to allow execution of code from the daemon’s stack that would enable gaining root access) A variant: the need-to-know principle In a procedure have access only to local and global variables, but not to local variables of another procedure
4
14.4 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Protection Domains A process operates within a protection domain - Specifies the resources that the process may access Domain = set of access-rights Access-right = where rights-set is a subset of all valid operations that can be performed on the object. Association between processes and domains: static or dynamic Static: may need to change the domain content to accommodate the “need- to-know” principle Dynamic: mechanism needed for domain switching Domain may be: user, process, procedure - How does domain switching occur in each case?
5
14.5 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Case Scenario: Domain Implementation in UNIX System consists of 2 domains: User Supervisor UNIX Domain = user-id Domain switch accomplished via file system Each file has associated with it a domain bit (setuid bit) When file is executed and setuid = on, then user-id is set to owner of the file being executed. When execution completes user-id is reset. Security problem: create a file with owner root and the setuid bit set Alternative: Place privileged programs in a special directory. The OS changes the user ID of programs who run from that directory No change of user ID: need special mechanism to allow users to get access to privileged facilities.
6
14.6 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Case Scenario: Domain Implementation in MULTICS Let D i and D j be any two domain rings If j < i D i D j : more privileges in D j than in D i Domain switching through procedure calls Each segment is a file; associated with one ring Segment descriptor: ring number, access bracket [b1, b2], limit b3, set of gates Switch: process running in i : if i > b2, then access only through gates iff i < b3 Limitations: hard to implement the “need-to-know” principle; complexity; no limitation between policy and mechanism
![14.6 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Case Scenario: Domain Implementation in MULTICS Let D i and D j be any two domain rings If j < i D i D j : more privileges in D j than in D i Domain switching through procedure calls Each segment is a file; associated with one ring Segment descriptor: ring number, access bracket [b1, b2], limit b3, set of gates Switch: process running in i : if i > b2, then access only through gates iff i < b3 Limitations: hard to implement the need-to-know principle; complexity; no limitation between policy and mechanism](http://images.slideplayer.com/26/8313334/slides/slide_6.jpg "14.6 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Case Scenario: Domain Implementation in MULTICS Let D i and D j be any two domain rings If j < i D i D j : more privileges in D j than in D i Domain switching through procedure calls Each segment is a file; associated with one ring Segment descriptor: ring number, access bracket [b1, b2], limit b3, set of gates Switch: process running in i : if i > b2, then access only through gates iff i < b3 Limitations: hard to implement the need-to-know principle; complexity; no limitation between policy and mechanism")
7
14.7 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Access Matrix View protection as a matrix (access matrix) Rows represent domains, columns represent objects Access(i, j) is the set of operations that a process executing in Domain i can invoke on Object j
8
14.8 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Use of Access Matrix Access matrix design separates mechanism from policy Mechanism Operating system provides access-matrix + rules If ensures that the matrix is only manipulated by authorized agents and that rules are strictly enforced Policy User dictates policy: Who can access what object and in what mode Can be expanded to dynamic protection Operations to add, delete access rights Special access rights: owner of O i copy op from O i to O j control – D i can modify D j access rights transfer – switch from domain D i to D j
9
14.9 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Access Matrix With Domains as Objects
10
14.10 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Access Matrix with Copy Rights * Means right to copy access rights from one domain to another.
11
14.11 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Access Matrix With Owner Rights
12
14.12 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Control Right: Make Changes in Domains Add “control”
13
14.13 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Implementation of Access Matrix Global table Access-control list for one object: defines who can perform what operation. Domain 1 = Read, Write Domain 2 = Read Domain 3 = Read Capability List: for each domain, what operations are allowed on what objects. Object 1 – Read Object 4 – Read, Write, Execute Object 5 – Read, Write, Delete, Copy Lock-key scheme: each object and each domain has a list of unique bit patterns (called locks, respectively keys)
14
14.14 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Revocation of Access Rights Types of revocations: Immediate vs. delayed Selective vs. general Partial vs. total Temporary vs. permanent Access List – Delete access rights from access list Simple Immediate Can be general or selective, total or partial, permanent or temporary Capability List – Scheme required to locate capability in the system before capability can be revoked Reacquisition Back-pointers Indirection Keys
15
14.15 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Practice Problem Most modern processors and operating systems enforce protection boundaries that prevent programs from interfering with one another or with the operating system, and that allow the operating system to securely mediate and monitor all accesses to shared resources in accordance with a protection policy. Briefly summarize the most important mechanisms underlying OS protection.
Similar presentations
