Silberschatz, Galvin and Gagne  Operating System Concepts Chapter 18: Protection Goals of Protection Objects and Domains Access Matrix Implementation of Access Matrix Revocation of Access Rights Capability-Based Systems Language-Based Protection

Silberschatz, Galvin and Gagne  Operating System Concepts Protection Operating system consists of a collection of objects, hardware or software: buffers, registers, memory regions, PCB’s, files, directories, etc. Each object has a unique name and can be accessed through a well-defined set of operations. For files those operations are: read, write, execute. Protection problem - ensure that each object is accessed correctly and only by those processes that are allowed to do so.

Silberschatz, Galvin and Gagne  Operating System Concepts Domain Structure Domains are entities that might want to access the objects: processes, programs, users, roles. Domain granularity  There may be just 2 domains in the system: users and the superuser  There may be a domain for each user  There may be several domains per user: user surfing web, user compiling programs, user changing his password, etc.

Silberschatz, Galvin and Gagne  Operating System Concepts Access Matrix View protection as a matrix (access matrix) Rows represent domains Columns represent objects Access(i, j) is the set of operations that a process executing in Domain i can invoke on Object j

Silberschatz, Galvin and Gagne  Operating System Concepts Access Matrix Figure A

Silberschatz, Galvin and Gagne  Operating System Concepts Use of Access Matrix If a process in Domain D i tries to do “op” on object O j, then “op” must be in the access matrix. Can be expanded to dynamic protection. Domains are objects, also the access matrix itself.  Operations to add, delete access rights.  Special access rights:  owner of O i  copy op on O i to another domain  control – D i can modify D j access rights  transfer – switch from domain D i to D j

Silberschatz, Galvin and Gagne  Operating System Concepts Use of Access Matrix (Cont.) Access matrix design separates mechanism from policy.  Mechanism  Operating system provides access-matrix + rules.  If ensures that the matrix is only manipulated by authorized agents and that rules are strictly enforced.  Policy  User dictates policy.  Who can access what object and in what mode.

Silberschatz, Galvin and Gagne  Operating System Concepts Implementation of Access Matrix Sparse matrix (list of access right/domain pairs) or Access control lists or Capability lists Each column = Access-control list for one object Defines who can perform what operation. Domain 1 = Read, Write Domain 2 = Read Domain 3 = Read Each Row = Capability List (like a key) For each domain, what operations allowed on what objects. Object 1 – Read Object 4 – Read, Write, Execute Object 5 – Read, Write, Delete, Copy

Silberschatz, Galvin and Gagne  Operating System Concepts Access Matrix of Figure A With Domains as Objects Fig B: A process executing in D1 can switch to D2

Silberschatz, Galvin and Gagne  Operating System Concepts Access Matrix with Copy Rights A process in D2 can copy the read op on F2 to another domain

Silberschatz, Galvin and Gagne  Operating System Concepts Access Matrix With Owner Rights D1 owns F1 and controls access rights of other domains on F1

Silberschatz, Galvin and Gagne  Operating System Concepts Modified Access Matrix of Figure B A process in D2 can modify the rights of D4

Silberschatz, Galvin and Gagne  Operating System Concepts Access Control or Capability Lists? Theoretically these implementations are the same: any protection state that can be represented in one can be represented in the other. In practice, some actions are just impractical in one implementation or the other. Removing a user (because he left the company) is more efficient in capability lists. Changing a file to read-only for everyone (“february-sales” is made read-only when February is over) is easier in ACLs.

Silberschatz, Galvin and Gagne  Operating System Concepts Implementation Considerations In a given implementation, new lists can be created or changed easily, whereas the items in the lists must be well-defined and unchanging. Creating a new domain or splitting a current one is easy in capability lists. “domainB as manager” and “domainB as payroll person”. The result is that capability list systems create fine- grained domains. This makes it easy to enforce the principle of least privilege – a fundamental principle in computer security.

Silberschatz, Galvin and Gagne  Operating System Concepts ACL Systems In ACL systems, the password program and many system utilities, like compilers, run as “root” since the available domains are limited. Suppose you discover that the password file is kept in /x/y/z (or the IDS logs showing that you tried to break into the system). You invoke the compiler and specify that it should write the output to /x/y/z !!! This (and many other problems) can be patched in ACL systems, but it never exists as a problem in capability list systems.

Silberschatz, Galvin and Gagne  Operating System Concepts Capability-Based Systems Capability lists  Password-program: /x/y/z, read, write  Compiler: /usr/bin/prog, read  Jholliday: /usrs/faculty/jholliday, read, write, owner A new domain is created:  Compiler-jholliday: /user/bin/prog, read; /usrs/faculty/jholliday, write Note: this domain does not have the capability to write to /x/y/z UNIX, an ACL system, handles this type of problem with the setuid bit but this has lead to many security problems.  Each file has associated with it a domain bit (setuid bit).  When file is executed and setuid = on, then user-id is set to owner of the file being executed. When execution completes user-id is reset.

Silberschatz, Galvin and Gagne  Operating System Concepts Language-Based Protection Specification of protection in a programming language allows the high-level description of policies for the allocation and use of resources. Language implementation can provide software for protection enforcement when automatic hardware- supported checking is unavailable. Interpret protection specifications to generate calls on whatever protection system is provided by the hardware and the operating system.

Silberschatz, Galvin and Gagne  Operating System Concepts Protection in Java 2 Protection is handled by the Java Virtual Machine (JVM) A class is assigned a protection domain when it is loaded by the JVM. The protection domain indicates what operations the class can (and cannot) perform. If a library method is invoked that performs a privileged operation, the stack is inspected to ensure the operation can be performed by the library.