Chapter 14 Protection Bernard Chen Spring 2007

14.1 Goal of Protection Protection was originally conceived as an adjunct to multiprogramming operation systems, so that untrustworthy users might safely share a common logical files or memory Modern protection concepts have evolved to increase the reliability of any complex system that makes use of shared resources Protection (Ch.14) deals with internal problem Security (Ch. 15) Deals with external problem

14.2 Principle of Protection A key, time-tested guiding principle for protection is the principle of least privilege. It dictates that programs, users, and even systems be given just enough privileges to perform their tasks Computer implemented in a computing facility under the principle of least privilege can be limited to running specific service, accessing specific remote hosts via specific service during some specific time

14.3 Domain of Protection Domain Structure: Access-right = where rights-set is a subset of all valid operations that can be performed on the object. Domain = set of access-rights

Domain

Each user may be a domain: Domain switching occurs when the user is changed Each process may be a domain: Domain switching occurs when the process sends a message to another process and then waits for a response

14.4 Access Matrix View protection as a matrix (access matrix) Rows represent domains Columns represent objects Access(i, j) is the set of operations that a process executing in Domain i can invoke on Object j

Access Matrix

The users normally decide the contents of the access matrix entries. When a user creates a new object Oj, the column Oj is added to the access matrix When we switch a process from one domain to another, we are executing an operation (switch) on a domain Processes should be able to switch from one domain to another Domain switching from domain Di to Dj is allowed if and only if the access right switch access(i,j)

Access Matrix

Access Table Allowing controlled change in the contents of the access-matrix entries requires three additional operations: Copy, Owner, and Control

Access Table: Copy right The ability to copy an access right from one domain of the access matrix to another is denoted by an * The copy right allows the copying of the access right only within the column for which right is defined

Access Table: Copy right

Three types of copy: 1. Copy 2. Transfer: a right is copied from access(i,j) to access(k,j); it is then removed from access(i,j) 3. Limited copy: only copy the right not the *

Access Table: Owner right We need some mechanism to allow addition of new rights and removal of some rights If access(i,j) includes the owner right then a process executing in domain Di can add and remove any right in any entry in column j

Access Table: Owner right

Access Table: Control right The copy and owner rights allow a process to change the entries in a column, a mechanism is also needed to change the entries in a row The control right is applicable only to domain objects If access(i,j) includes the control right, then a process executing in domain Di can “remove” any access right from row j

Access Table: Control right

Implementation of Access table Global Table Access lists for objects Capability list for domains Lock-Key Mechanism

Global Table Easiest Using Disadvantages: 1. The table is usually too big to fit in memory 2. Virtual memory required 3. No advantage of special groups

Access lists for objects The resulting list for each object consists of ordered pairs

Capability list for domains We can access each row with its domain A capability list for a domain is a list of objects together with operations allowed on those object An object is often represented by its physical name or address, called capability

Lock-Key Mechanism Each object has a list of unique bit patterns, called locks Similarly, each domain has a list of unique bit patterns, called keys A process executing in a domain can access an object only if that domain has a key that matches one of the locks of the object