Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 6 User Protections in OS. csci5233 computer security & integrity (Chap. 6) 2 Outline User-level protections 1.Memory protection 2.Control of access.

Published byAbraham Dale Goodwin Modified over 9 years ago

Similar presentations

Presentation on theme: "Chapter 6 User Protections in OS. csci5233 computer security & integrity (Chap. 6) 2 Outline User-level protections 1.Memory protection 2.Control of access."— Presentation transcript:

1 Chapter 6 User Protections in OS

2 csci5233 computer security & integrity (Chap. 6) 2 Outline User-level protections 1.Memory protection 2.Control of access to objects 3.File protection 4.User authentication

3 csci5233 computer security & integrity (Chap. 6) 3 User-level protection The general-purpose OS supports multiprogramming (aka multi-tasking), the concurrent use of system resources by more than one user. It is critical to protect one user from interference from another user. What would need to be protected? –Computation –Files –Anything else?

4 csci5233 computer security & integrity (Chap. 6) 4 Protected Objects Memory Shared I/O devices (e.g., disks, printers, tape drives, …) Sharable programs and sub-procedures Sharable data … (See p.242 for a detailed listing)  The controlled sharing of these objects is the responsibility of the OS.

5 csci5233 computer security & integrity (Chap. 6) 5 Protection Mechanisms: considerations A. Types of separation B. Levels of protection C. Granularity of protection control Types of separation Separation is the basis of protection. It keeps different users’ objects separate from each other.

6 csci5233 computer security & integrity (Chap. 6) 6 Protection Mechanisms: considerations Types of separation 1.Physical separation 2.Temporal separation 3.Logical separation 4.Cryptographic separation  Concerns: resource utilization versus order of the security provided  The goal of protection: To allow multi-tasking of processes with different security needs

7 csci5233 computer security & integrity (Chap. 6) 7 Protection Mechanisms: considerations Levels of protection  No protection – feasible when ‘temporal separation’ is applied  Isolation – confinement, separate addressing space and resources  Share all or share nothing – public vs private objects  Share via access limitation – ACL (access control list)  Share by capabilities – an extension of ACL; dynamic determination of access rights (user + object + context of access)  Limit use of an object – finer control over the use of an object (Example: read but no print; aggregate but no individual data items)

8 csci5233 computer security & integrity (Chap. 6) 8 Protection Mechanisms: considerations Granularity of protection control Example: Granularity of data control Bit  byte  word  field  record  file  … Another example: Granularity of access rights What does that mean? Trade-offs: Finer control leads to more complex implementation. Why? Coarse control, on the other hand, results in low order of security. Why?

9 csci5233 computer security & integrity (Chap. 6) 9 Memory Protection Mechanisms Preventing one process from affecting the memory of other processes Built-in hardware protection mechanisms are common. Mechanisms: fence, relocation, base/bounds registers, tagged architecture, segmentation, paging, combined paging with segmentation

10 csci5233 computer security & integrity (Chap. 6) 10 Memory Protection Mechanisms Fence protects the OS from the user processes a predefined address (Fig. 6-1) fence register (Fig. 6-2, p.232) Limitations?

11 csci5233 computer security & integrity (Chap. 6) 11 Memory Protection Mechanisms Relocation A reloadable module can be loaded to a different starting address each time it is loaded. Who is in charge of determining the starting address of a module? Fence register can be used as a hardware relocation device. Any limitation?

12 csci5233 computer security & integrity (Chap. 6) 12 Memory Protection Mechanisms Base/Bounds Registers Base, bound, offset Fig. 6-3 (p.233) Fig. 6-4 (p.234): Two pairs of base/bounds registers The use of base/bounds registers enables context switch of processes. Any limitations? Contiguous address space All-or-nothing sharing (that is, no selective sharing)

13 csci5233 computer security & integrity (Chap. 6) 13 Memory Protection Mechanisms Tagged architecture Every word of memory has extra tag bit(s) to identify its access rights. The bits are tested every time an instruction accesses that location. The bits can only be set by the OS instructions. Fig. 6-5 (p.235) Any problems? Incompatible with the existing OS codes

14 csci5233 computer security & integrity (Chap. 6) 14 Memory Protection Mechanisms Segmentation A program is divided into separate pieces, segments. Each segment is a logical unit, which may contains code or data. A program may be composed of several segments, each of which has different access rights. Fig. 6-6 (p.237) Q: Who’s keeping track of the relationship between logical names and their corresponding physical addresses? Fig. 6-7 (p.238): Segment translation table Addressing (in a program) = segment name + offset within the segment

15 csci5233 computer security & integrity (Chap. 6) 15 Segmentation Segmentation enables the OS to become an intermediary between a process and the physical memory. Benefits 1.Protection of memory addresses: 1.Each address reference is checked for protection. 2.A user cannot generate an address or access to an unpermitted segment. 2.Enabling flexible protection mechanisms: 1.Different levels of protection can be assigned to different classes of data items. 2.A segment may be shared by two or more users, each with different access rights.

16 csci5233 computer security & integrity (Chap. 6) 16 Segmentation Does segmentation present any challenges or problems? –A challenge: A process may access offset beyond the end of a segment. Solution: run-time verification by the OS Implementation problems: 1.Segment names are inconvenient to encode in instructions, resulting in possibly slow lookup of the STT. Solution? Conversion of names to numbers during program compilation/translation Impact? Difficulty in sharing of the same segment name between two procedures. 2.Segmentation can lead to memory fragmentation.

17 csci5233 computer security & integrity (Chap. 6) 17 Paging A program is divided into equal-sized pages. Memory is divided into the same sized units, called page frames. The page size is typically between 512 and 4096 bytes. (That is, between 9 and 12 address bits.) address = Table lookup is needed to translate a logical address to the physical address location. Fig. 6-8, p.240.

18 csci5233 computer security & integrity (Chap. 6) 18 Paging Advantages: 1.Fragmentation is not a problem (as in segmentation). 2.No problem of addressing beyond the end of a page. 3.The entire mechanism of paging and address translation is hidden from the programmer. Unlike segmentation, there is no logical unity to a page. –Is this an advantage or disadvantage? –From the standpoint of protection, a definite disadvantage. Why?

19 csci5233 computer security & integrity (Chap. 6) 19 Paging + Segmentation (combined) c.f., –Paging: efficient –Segmentation: logical protection characteristics Paged segmentation: two layers of address translation –A program is first divided into segments. –Each segment is divided into pages. –Figure 6-9, p.241.

20 csci5233 computer security & integrity (Chap. 6) 20 Controlled Access to Objects What objects need to be protected? Memory, files, directories, an executing program, h/w device, data structure in memory, OS tables, instructions, passwords, the user authentication mechanisms, the protection mechanism itself, … Memory protection is a special case of the protection of general objects. In comparison, protection of memory is simple. Why? (p.242)

21 csci5233 computer security & integrity (Chap. 6) 21 Controlled Access to Objects Access to an object is performed by a subject. A subject may be an end user, a programmer, a program, another object, or anything else that seeks to use an object. General goals in protecting objects: 1.Revocability of a user’s privilege to access an object. 2.The least privilege principle 3.Verification of object-specific usages

22 csci5233 computer security & integrity (Chap. 6) 22 Controlled Access to Objects An example of object protection: a simple approach relying on directories of files The objects - files in the directory, the directory itself Sample subjects - users of the system Each file has a unique owner, who controls access to the file. Each user has a file directory, which includes all files the user has access. The file directories must be maintained by the OS. Why? Access rights include read, write, execute, and owner? Fig. 6-10, p.243. Why would the above simple approach not work? 3 problems (p.244)

23 csci5233 computer security & integrity (Chap. 6) 23 Controlled Access to Objects Alternative approaches for access control –ACL (access control list) –ACM (access control matrix) –capabilities for access control –procedure-oriented access control

24 csci5233 computer security & integrity (Chap. 6) 24 Controlled Access to Objects ACL Each object has an ACL, which includes all subjects that would have access to the object and what their access is. Fig. 6-12 (p.246) In comparison: In the previous approach, each subject has a directory list, which includes all objects that the subject may access and the respective access rights. User designation vs group designation In Multics: user, group, compartment In Unix: owner, group, world In Windows?

25 csci5233 computer security & integrity (Chap. 6) 25 Controlled Access to Objects ACM Fig. 6-13 (p.247) Disadvantage: mostly sparse; inefficient searching

26 csci5233 computer security & integrity (Chap. 6) 26 Controlled Access to Objects Capability A capability is an unforgeable token giving the possessor certain rights to an object. A capability is a ticket giving permission to a subject to perform a certain type of access on an object. To prevent forgery, a capability is usually maintained by the OS. A new access right: the right to transfer a capability Domain: The collection of capabilities defines a domain. (Fig. 6-14, p.248) An executing program or sub-procedure operates in a domain. A sub-procedure in a program may have different domain from the main program. (Fig. 6-15, p.249) Significance: groundwork for subsequent production use in systems such as Kerberos, which is a popular network authentication protocol (Ch. 9)

27 csci5233 computer security & integrity (Chap. 6) 27 Controlled Access to Objects Procedure-oriented access control Access to an object is controlled by its access-control procedures. The procedures defines a trusted interface through which access to a given object can be made. Purpose: To enable more complex access control beyond read, write, and execute. Benefits: information hiding; flexible Disadvantage: inefficient access

28 csci5233 computer security & integrity (Chap. 6) 28 Summary Next: 6.4 (file protection), 6.5 (user authentication)

Download ppt "Chapter 6 User Protections in OS. csci5233 computer security & integrity (Chap. 6) 2 Outline User-level protections 1.Memory protection 2.Control of access."

Similar presentations

Part IV: Memory Management

Part IV: Memory Management
Silberschatz, Galvin and Gagne  2002 Modified for CSCI 399, Royden, 2005 7.1 Operating System Concepts Operating Systems Lecture 36 Virtual Memory Read.

Silberschatz, Galvin and Gagne  2002 Modified for CSCI 399, Royden, Operating System Concepts Operating Systems Lecture 36 Virtual Memory Read.
OS Fall’02 Virtual Memory Operating Systems Fall 2002.

OS Fall’02 Virtual Memory Operating Systems Fall 2002.
Virtual Memory Chapter 18 S. Dandamudi. 2003 To be used with S. Dandamudi, “Fundamentals of Computer Organization and Design,” Springer, 2003.  S. Dandamudi.

Virtual Memory Chapter 18 S. Dandamudi To be used with S. Dandamudi, “Fundamentals of Computer Organization and Design,” Springer,  S. Dandamudi.
CSC 405 Introduction to Computer Security

CSC 405 Introduction to Computer Security
Network Security Philadelphia UniversitylAhmad Al-Ghoul 2010-20111 Module 6 Module 6 Security in Operating Systems  MModified by :Ahmad Al Ghoul  PPhiladelphia.

Network Security Philadelphia UniversitylAhmad Al-Ghoul Module 6 Module 6 Security in Operating Systems  MModified by :Ahmad Al Ghoul  PPhiladelphia.
CMPT 300: Final Review Chapters 8 – 12. 2 Memory Management: Ch. 8, 9 Address spaces Logical (virtual): generated by the CPU Physical: seen by the memory.

CMPT 300: Final Review Chapters 8 – Memory Management: Ch. 8, 9 Address spaces Logical (virtual): generated by the CPU Physical: seen by the memory.
CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 28 Fall 2002.
File Management Systems

File Management Systems
Operating System Support Focus on Architecture

Operating System Support Focus on Architecture
Memory Management and Paging CSCI 3753 Operating Systems Spring 2005 Prof. Rick Han.

Memory Management and Paging CSCI 3753 Operating Systems Spring 2005 Prof. Rick Han.
CSI 400/500 Operating Systems Spring 2009 Lecture #20 – Security Measures Wednesday, April 29 th.

CSI 400/500 Operating Systems Spring 2009 Lecture #20 – Security Measures Wednesday, April 29 th.
CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.

CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.
Paging and Virtual Memory. Memory management: Review  Fixed partitioning, dynamic partitioning  Problems Internal/external fragmentation A process can.

Paging and Virtual Memory. Memory management: Review  Fixed partitioning, dynamic partitioning  Problems Internal/external fragmentation A process can.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
CMPT 300: Final Review Chapters 8 – 14. 2 Memory Management: Ch. 8, 9 Address spaces Logical (virtual): generated by the CPU Physical: seen by the memory.

CMPT 300: Final Review Chapters 8 – Memory Management: Ch. 8, 9 Address spaces Logical (virtual): generated by the CPU Physical: seen by the memory.
Memory Management 1 CS502 Spring 2006 Memory Management CS-502 Spring 2006.

Memory Management 1 CS502 Spring 2006 Memory Management CS-502 Spring 2006.
1 Chapter 8 Virtual Memory Virtual memory is a storage allocation scheme in which secondary memory can be addressed as though it were part of main memory.

1 Chapter 8 Virtual Memory Virtual memory is a storage allocation scheme in which secondary memory can be addressed as though it were part of main memory.
CS-3013 & CS-502, Summer 2006 Memory Management1 CS-3013 & CS-502 Summer 2006.

CS-3013 & CS-502, Summer 2006 Memory Management1 CS-3013 & CS-502 Summer 2006.
1 CSE 380 Computer Operating Systems Instructor: Insup Lee and Dianna Xu University of Pennsylvania Fall 2003 Lecture Note: Protection Mechanisms.

1 CSE 380 Computer Operating Systems Instructor: Insup Lee and Dianna Xu University of Pennsylvania Fall 2003 Lecture Note: Protection Mechanisms.

Similar presentations

Ads by Google