Protection (Chapter 14) Operating System Concepts – 8th Edition, Silberschatz, Galvin and Gagne ©2009 Goals of Protection The role of protection in a computer system is to provide a mechanism for the enforcement of the policies governing resource use. - ensure that each object is accessed correctly and only by those processes that are allowed to do so - policies may change over time: mechanisms should be adaptive or implemented at different levels (e.g., OS and application) Protection vs. Security Security is a measure of confidence that resources are protected Examples of protection in computer systems? Operating System Concepts – 8th Edition 14.2 Silberschatz, Galvin and Gagne ©2009 Principles of Protection Guiding principle – principle of least privilege Programs, users and systems should be given just enough privileges to perform their tasks Examples of benefits: Breaking into one system should not be equivalent to breaking into all Breaking into one user account should not mean getting access to all Overflow of a buffer in a system daemon should only cause the daemon process to fail (but not to allow execution of code from the daemon’s stack that would enable gaining root access) A variant: the need-to-know principle In a procedure have access only to local and global variables, but not to local variables of another procedure Operating System Concepts – 8th Edition 14.3 Silberschatz, Galvin and Gagne ©2009 Protection Domains A process operates within a protection domain - Specifies the resources that the process may access Domain = set of access-rights Access-right = <object-name, rights-set> where rights-set is a subset of all valid operations that can be performed on the object. Association between processes and domains: static or dynamic Static: may need to change the domain content to accommodate the “needto-know” principle Dynamic: mechanism needed for domain switching Domain may be: user, process, procedure - How does domain switching occur in each case? Operating System Concepts – 8th Edition 14.4 Silberschatz, Galvin and Gagne ©2009 Case Scenario: Domain Implementation in UNIX System consists of 2 domains: User Supervisor UNIX Domain = user-id Domain switch accomplished via file system Each file has associated with it a domain bit (setuid bit) When file is executed and setuid = on, then user-id is set to owner of the file being executed. When execution completes user-id is reset. Security problem: create a file with owner root and the setuid bit set Alternative: Place privileged programs in a special directory. The OS changes the user ID of programs who run from that directory No change of user ID: need special mechanism to allow users to get access to privileged facilities. Operating System Concepts – 8th Edition 14.5 Silberschatz, Galvin and Gagne ©2009 Case Scenario: Domain Implementation in MULTICS Let Di and Dj be any two domain rings If j < i Di Dj : more privileges in Dj than in Di Domain switching through procedure calls Each segment is a file; associated with one ring Segment descriptor: ring number, access bracket [b1, b2], limit b3, set of gates Switch: process running in i : if i > b2, then access only through gates iff i < b3 Limitations: hard to implement the “need-to-know” principle; complexity; no limitation between policy and mechanism Operating System Concepts – 8th Edition 14.6 Silberschatz, Galvin and Gagne ©2009 Access Matrix View protection as a matrix (access matrix) Rows represent domains, columns represent objects Access(i, j) is the set of operations that a process executing in Domaini can invoke on Objectj Operating System Concepts – 8th Edition 14.7 Silberschatz, Galvin and Gagne ©2009 Use of Access Matrix Access matrix design separates mechanism from policy Mechanism Operating system provides access-matrix + rules If ensures that the matrix is only manipulated by authorized agents and that rules are strictly enforced Policy User dictates policy: Who can access what object and in what mode Can be expanded to dynamic protection Operations to add, delete access rights Special access rights: owner of Oi copy op from Oi to Oj control – Di can modify Dj access rights transfer – switch from domain Di to Dj Operating System Concepts – 8th Edition 14.8 Silberschatz, Galvin and Gagne ©2009 Access Matrix With Domains as Objects Operating System Concepts – 8th Edition 14.9 Silberschatz, Galvin and Gagne ©2009 Access Matrix with Copy Rights * Means right to copy access rights from one domain to another. Operating System Concepts – 8th Edition 14.10 Silberschatz, Galvin and Gagne ©2009 Access Matrix With Owner Rights Operating System Concepts – 8th Edition 14.11 Silberschatz, Galvin and Gagne ©2009 Control Right: Make Changes in Domains Add “control” Operating System Concepts – 8th Edition 14.12 Silberschatz, Galvin and Gagne ©2009 Implementation of Access Matrix Global table Access-control list for one object: defines who can perform what operation. Domain 1 = Read, Write Domain 2 = Read Domain 3 = Read Capability List: for each domain, what operations are allowed on what objects. Object 1 – Read Object 4 – Read, Write, Execute Object 5 – Read, Write, Delete, Copy Lock-key scheme: each object and each domain has a list of unique bit patterns (called locks, respectively keys) Operating System Concepts – 8th Edition 14.13 Silberschatz, Galvin and Gagne ©2009 Revocation of Access Rights Types of revocations: Immediate vs. delayed Selective vs. general Partial vs. total Temporary vs. permanent Access List – Delete access rights from access list Simple Immediate Can be general or selective, total or partial, permanent or temporary Capability List – Scheme required to locate capability in the system before capability can be revoked Reacquisition Back-pointers Indirection Keys Operating System Concepts – 8th Edition 14.14 Silberschatz, Galvin and Gagne ©2009 Practice Problem Most modern processors and operating systems enforce protection boundaries that prevent programs from interfering with one another or with the operating system, and that allow the operating system to securely mediate and monitor all accesses to shared resources in accordance with a protection policy. Briefly summarize the most important mechanisms underlying OS protection. Operating System Concepts – 8th Edition 14.15 Silberschatz, Galvin and Gagne ©2009