Presentation is loading. Please wait.

Presentation is loading. Please wait.

CE01000-3 Operating Systems Lecture 21 Operating Systems Protection with examples from Linux & Windows.

Published byBonnie Sparks Modified over 8 years ago

Similar presentations

Presentation on theme: "CE01000-3 Operating Systems Lecture 21 Operating Systems Protection with examples from Linux & Windows."— Presentation transcript:

1 CE01000-3 Operating Systems Lecture 21 Operating Systems Protection with examples from Linux & Windows

2 Overview of lecture In this lecture we will look at: Goals of Protection Domains of Protection Access Control Matrix Implementation of Access Matrix Access Control Lists & Capability Lists Windows approach Unix/Linux approach

3 Protection Computer system consists of a collection of components - hardware or software We want each component to be accessed through a well-defined set of operations. Protection problem - ensure that each component is accessed correctly and only by those processes that are allowed to do so. Protection is the mechanism for controlling access to computer resources.

4 Goals of protection Goals of Protection are: Increase reliability of systems that use shared resources Prevent mischievous activity Detect malfunctions before they contaminate the system.

5 Domains of protection An access rights grants the authority to perform an operation on some object. A domain is a set of objects and access rights within which a process operates. Domains can share access rights; multiple domains can have some access to the same object.

6 Domain Structure Access-right = set-of-rights is a subset of all valid operations that can be performed on the object.

7 Example Domain Implementations Unix consists of 2 types of domain: User Superuser/root Domain determined by user-id Domain switch accomplished via file system. Each file has associated with it a domain bit (setuid bit). When file is executed and setuid = on, then user-id is set to owner of the file being executed. When execution completes user-id is reset.

8 Access Control Matrix (ACM)  For each domain list all objects and access rights to them  Represented as a matrix (Access Control Matrix) with entry i,j representing access rights within domain i to object j  Normally conceived of as access rights of user i to object j

9 Access Control Matrix (ACM) Figure 1

10 Use of ACM If a process in Domain D i tries to do “op” on object O j, then “op” must be in the access matrix. Can be expanded to include changes to protections themselves Operations to add, delete access rights. Special access rights: owner of O i- - can change any access right for object in any domain copy access right from O i to O j control – D i can modify D j s access rights transfer – switch from domain D i to D j

11 Access Control Matrix With Domains as Objects Use of domains as objects allows us to encode in ACM the special operation of switching between domains

12 Policy/Mechanism Access Control Matrix design separates mechanism from policy. Mechanism Operating system defines ACM + rules. It ensures that the matrix is only manipulated by authorized agents and that rules are strictly enforced. Policy Administrator/User dictates policy. Who can access what object and in what mode.

13 Problem with matrix implementation of ACM Could use simple matrix, but this leaves a lot of waste space as most entries are empty (no access rights to object)

14 Access Control List (ACL) implementations of ACM Access Control List (ACL) = for each object list set of Equivalent to column of ACM without null entries. Defines who can perform what operation on the object Domain 1 = Read, Write Domain 2 = Read Domain 3 = Read 

15 ACL implementations of ACM When process wishes to access some object, it makes a request to OS and the OS checks the ACL to see if the domain the process belongs to has the access rights requested

16 Capability implementation of ACM Capability List = for each Domain list set of Equivalent to row of ACM without null entries Capability List defines for each domain, what operations are allowed on what objects. Object 1 – Read Object 4 – Read, Write, Execute Object 5 – Read, Write, Delete, Copy

17 Capability implementation of ACM Individual capability can be seen as a token or key that grants/authorises access to an object in the appropriate mode When process wishes to access some object it presents the Capability to OS Simple possession of capability means access is permitted

18 Comparison ACL v. Capability List Advantage of ACL is that it is easy to control access rights to given objects – simple direct manipulation of ACL associated with object BUT – difficult to modify access rights that belong to a given domain (users) – this would need OS to search through all ACLs of all objects on system to find and change access rights for specific domain Every access request must be checked – involving search through ACL

19 Comparison ACL v. Capability List (Cont.) Advantage of Capability list – easy to control access rights of given domains (users) in system – direct manipulation of capabilities in Capability list BUT – difficult to modify access rights that belong to a given object – this would need OS to search through Capability list of all domains (users) in system to find and change all the capabilities for a given object Overhead of creating capability tokens

20 Combined systems Most systems use a combination of ACL and capability based approaches When a process first references an object, an ACL is checked. If successful, a capability is given to the domain so that the process can use it thereafter.

21 Windows approach Windows uses a variation on the above combined approach. It uses an ACL associated with each object with an Access token which is, however, generated at logon

22 Access Control List Windows objects have a security descriptor (a default security descriptor is used if one is not provided) The security descriptor contains a list of entries in an Access Control List (ACL) The entries in the ACL specify whether members of a given security group can or cannot carry out given operations on the object

23 Access Token When a user logons to system as part of the authentication of the user, an Access token is created by the Security Reference Monitor The Access Token specifies the access permissions, etc. that the user or applications run by that user have within the operating system

24 Access Token (Cont.) whenever a user attempts to access anything in the operating system, the access token is passed to the security monitor in the NT Executive to check whether the user has the appropriate permissions, has gone over quota, etc. The Access Token contains a Security ID. The Security ID. contains information about various security groups that the user belongs to

25 Access Token (Cont.) Object Type Object Body Attributes Services Security ID Group IDs Privileges Default owner Primary group Default ACL Create token Open token Query info Access Token

26 Security reference monitor Security reference monitor provides a uniform mechanism for ensuring security throughout the operating system When a process calls the object manager to open a handle to an object, the process stipulates the types of operation it wants to perform on the object (known as the desired access rights) e.g. opening a file object as read only

27 Security reference monitor (Cont.) When a process opens a handle to an object the object manager calls the security reference monitor The security reference monitor checks the Access Token of the process to determine the process’ Security ID. i.e. what security groups it belongs to.

28 Security reference monitor (Cont.) Then it checks the object's Access Control List to determine whether members of a given security group can or cannot carry out the relevant operation requested If the access required is ok, then the security reference monitor returns a set of granted access rights that the process is allowed These access rights are then stored in the object handle for the object

29 Security reference monitor (Cont.) Subsequently whenever a process attempts to use the handle to perform some operation on an object, the object manager checks the granted access rights to see if the operation to be performed is allowed

30 Unix/Linux protection Resources are represented by files and have permission bits associated with them Permissions can be specified for 3 types of user Owner; Group; Others Permissions are Read; Write; Execute

31 Unix/Linux protection (Cont.) Example: -rwxr-xr-x 1 user1 grp1 10152 Sep 21 17:04 fs -rw-r----- 1 user1 grp1 329 Sep 21 17:04 fs.c The fs file may be executed by anyone on the system, but the source file may only be read by the owner or by people in the group grp1. Both files may only be modified by the user user1.

32 Unix/Linux protection (Cont.) For a directory, “read” means being able to list its contents, “execute” means being able to access files within the directory Can use chmod to add or remove permissions (rwx) for user, group, and others (ugo): chmod ugo+x Let anyone execute chmod go-w Prevent non-owner form writing

33 Unix/Linux protection (Cont.) Or, specify absolute permissions in octal 4=r, 2=w, 1=x e.g. 755=rwxr-xr-x, 640=rw-r----- e.g. chmod 755 filename

34 References Operating System Concepts. Chapter 14.

Download ppt "CE01000-3 Operating Systems Lecture 21 Operating Systems Protection with examples from Linux & Windows."

Similar presentations

Protection Goals of Protection Domain of Protection Access Matrix

Protection Goals of Protection Domain of Protection Access Matrix
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.
CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 13 Jonathan Katz.
Protection. Goals of Protection Operating system consists of a collection of objects, hardware or software Each object has a unique name and can be accessed.

Protection. Goals of Protection Operating system consists of a collection of objects, hardware or software Each object has a unique name and can be accessed.
Bilkent University Department of Computer Engineering

Bilkent University Department of Computer Engineering
1999 Chapter 8-Protection Goals of Protection Domain of Protection Access Matrix Implementation of Access Matrix Revocation of Access Rights Capability-Based.

1999 Chapter 8-Protection Goals of Protection Domain of Protection Access Matrix Implementation of Access Matrix Revocation of Access Rights Capability-Based.
Reasons for Protection n Prevent users from accessing information they shouldn’t have access to. n Ensure that each program component uses system resources.

Reasons for Protection n Prevent users from accessing information they shouldn’t have access to. n Ensure that each program component uses system resources.
19: Protection1 PROTECTION Protection is the mechanism for controlling access to computer resources. Security concerns the physical integrity of the system.

19: Protection1 PROTECTION Protection is the mechanism for controlling access to computer resources. Security concerns the physical integrity of the system.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.
CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.

CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.
Chapter 14: Protection.

Chapter 14: Protection.
Chapter 14: Protection.

Chapter 14: Protection.
Chapter 14: Protection.

Chapter 14: Protection.
Lecture 7 Access Control

Lecture 7 Access Control
Silberschatz, Galvin and Gagne ©2013 Operating System Concepts – 9 th Edition Chapter 14: Protection.

Silberschatz, Galvin and Gagne ©2013 Operating System Concepts – 9 th Edition Chapter 14: Protection.
Dr. Kalpakis CMSC 421, Operating Systems. Fall 2008 URL: Protection.

Dr. Kalpakis CMSC 421, Operating Systems. Fall 2008 URL: Protection.
Page 19/4/2015 CSE 30341: Operating Systems Principles Raid storage  Raid – 0: Striping  Good I/O performance if spread across disks (equivalent to n.

Page 19/4/2015 CSE 30341: Operating Systems Principles Raid storage  Raid – 0: Striping  Good I/O performance if spread across disks (equivalent to n.
Operating Systems Protection & Security.

Operating Systems Protection & Security.
14.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Chapter 14: Protection.

14.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Chapter 14: Protection.
Protection.

Protection.

Similar presentations

Ads by Google