Protection (Chapter 14)
Operating System Concepts – 8th Edition,
Silberschatz, Galvin and Gagne ©2009
Goals of Protection
 The role of protection in a computer system is to provide a mechanism
for the enforcement of the policies governing resource use.
- ensure that each object is accessed correctly and only by those
processes that are allowed to do so
- policies may change over time: mechanisms should be adaptive or
implemented at different levels (e.g., OS and application)
 Protection vs. Security

Security is a measure of confidence that resources are protected
 Examples of protection in computer systems?
Operating System Concepts – 8th Edition
14.2
Silberschatz, Galvin and Gagne ©2009
Principles of Protection
 Guiding principle – principle of least privilege

Programs, users and systems should be given just enough privileges
to perform their tasks
 Examples of benefits:

Breaking into one system should not be equivalent to breaking into all

Breaking into one user account should not mean getting access to all

Overflow of a buffer in a system daemon should only cause the
daemon process to fail (but not to allow execution of code from the
daemon’s stack that would enable gaining root access)
 A variant: the need-to-know principle

In a procedure have access only to local and global variables, but not
to local variables of another procedure
Operating System Concepts – 8th Edition
14.3
Silberschatz, Galvin and Gagne ©2009
Protection Domains
 A process operates within a protection domain






- Specifies the resources that the process may access
Domain = set of access-rights
Access-right = <object-name, rights-set>
where rights-set is a subset of all valid operations that can be performed on
the object.
Association between processes and domains: static or dynamic
Static: may need to change the domain content to accommodate the “needto-know” principle
Dynamic: mechanism needed for domain switching
Domain may be: user, process, procedure
- How does domain switching occur in each case?
Operating System Concepts – 8th Edition
14.4
Silberschatz, Galvin and Gagne ©2009
Case Scenario: Domain Implementation in UNIX

System consists of 2 domains:
 User
 Supervisor

UNIX
 Domain = user-id
 Domain switch accomplished via file system
 Each file has associated with it a domain bit (setuid bit)
 When file is executed and setuid = on, then user-id is set to owner of
the file being executed. When execution completes user-id is reset.
 Security problem: create a file with owner root and the setuid bit set
Alternative:
 Place privileged programs in a special directory. The OS changes the user
ID of programs who run from that directory
 No change of user ID: need special mechanism to allow users to get
access to privileged facilities.

Operating System Concepts – 8th Edition
14.5
Silberschatz, Galvin and Gagne ©2009
Case Scenario: Domain Implementation in MULTICS
 Let Di and Dj be any two domain rings
 If j < i  Di  Dj : more privileges in Dj than in Di
 Domain switching through procedure calls

Each segment is a file; associated with one ring
 Segment descriptor: ring number, access bracket [b1, b2], limit b3, set
of gates
 Switch: process running in i : if i > b2, then access only through gates
iff i < b3
 Limitations: hard to implement the “need-to-know” principle; complexity; no
limitation between policy and mechanism
Operating System Concepts – 8th Edition
14.6
Silberschatz, Galvin and Gagne ©2009
Access Matrix
 View protection as a matrix (access matrix)
 Rows represent domains, columns represent objects
 Access(i, j) is the set of operations that a process executing in Domaini
can invoke on Objectj
Operating System Concepts – 8th Edition
14.7
Silberschatz, Galvin and Gagne ©2009
Use of Access Matrix

Access matrix design separates mechanism from policy


Mechanism

Operating system provides access-matrix + rules

If ensures that the matrix is only manipulated by authorized agents and that
rules are strictly enforced
Policy


User dictates policy: Who can access what object and in what mode
Can be expanded to dynamic protection

Operations to add, delete access rights

Special access rights:

owner of Oi

copy op from Oi to Oj

control – Di can modify Dj access rights

transfer – switch from domain Di to Dj
Operating System Concepts – 8th Edition
14.8
Silberschatz, Galvin and Gagne ©2009
Access Matrix With Domains as Objects
Operating System Concepts – 8th Edition
14.9
Silberschatz, Galvin and Gagne ©2009
Access Matrix with Copy Rights
* Means right to copy access rights from one domain to another.
Operating System Concepts – 8th Edition
14.10
Silberschatz, Galvin and Gagne ©2009
Access Matrix With Owner Rights
Operating System Concepts – 8th Edition
14.11
Silberschatz, Galvin and Gagne ©2009
Control Right: Make Changes in Domains
Add “control”
Operating System Concepts – 8th Edition
14.12
Silberschatz, Galvin and Gagne ©2009
Implementation of Access Matrix
 Global table
 Access-control list for one object: defines who can perform what operation.
Domain 1 = Read, Write
Domain 2 = Read
Domain 3 = Read

 Capability List: for each domain, what operations are allowed on what
objects.
Object 1 – Read
Object 4 – Read, Write, Execute
Object 5 – Read, Write, Delete, Copy
 Lock-key scheme: each object and each domain has a list of unique bit
patterns (called locks, respectively keys)
Operating System Concepts – 8th Edition
14.13
Silberschatz, Galvin and Gagne ©2009
Revocation of Access Rights



Types of revocations:

Immediate vs. delayed

Selective vs. general

Partial vs. total

Temporary vs. permanent
Access List – Delete access rights from access list

Simple

Immediate

Can be general or selective, total or partial, permanent or temporary
Capability List – Scheme required to locate capability in the system before capability
can be revoked

Reacquisition

Back-pointers

Indirection

Keys
Operating System Concepts – 8th Edition
14.14
Silberschatz, Galvin and Gagne ©2009
Practice Problem
Most modern processors and operating systems enforce protection
boundaries that prevent programs from interfering with one another
or with the operating system, and that allow the operating system to
securely mediate and monitor all accesses to shared resources in
accordance with a protection policy. Briefly summarize the most
important mechanisms underlying OS protection.
Operating System Concepts – 8th Edition
14.15
Silberschatz, Galvin and Gagne ©2009