Chapter 6
User Protections in
OS
Outline

User-level protections
1. Memory protection
2. Control of access to objects
3. File protection
4. User authentication
csci5233 computer security &
integrity (Chap. 6)
2
User-level protection

The general-purpose OS supports multiprogramming (aka multi-tasking), the concurrent use of system resources by more than one user.

It is critical to protect one user from interference from another user.

What would need to be protected?
– Computation
– Files
– Anything else?
Protected Objects

– Memory
– Shared I/O devices (e.g., disks, printers, tape drives, …)
– Sharable programs and sub-procedures
– Sharable data
– … (See p.242 for a detailed listing)

The controlled sharing of these objects is the responsibility of the OS.
Protection Mechanisms: considerations
A. Types of separation
B. Levels of protection
C. Granularity of protection control

Types of separation

Separation is the basis of protection. It keeps different users’ objects separate from each other.
Protection Mechanisms: considerations

Types of separation
1. Physical separation
2. Temporal separation
3. Logical separation
4. Cryptographic separation

Concerns: resource utilization versus order of the security provided

The goal of protection: to allow multi-tasking of processes with different security needs
Protection Mechanisms: considerations

Levels of protection

No protection – feasible when ‘temporal separation’ is applied

Isolation – confinement, separate addressing space and resources

Share all or share nothing – public vs private objects

Share via access limitation – ACL (access control list)

Share by capabilities – an extension of ACL; dynamic determination of access rights (user + object + context of access)

Limit use of an object – finer control over the use of an object (Example: read but no print; aggregate but no individual data items)
Protection Mechanisms: considerations

Granularity of protection control
Example: Granularity of data control
Bit → byte → word → field → record → file → …
Another example: Granularity of access rights
What does that mean?
Trade-offs:
– Finer control leads to more complex implementation. Why?
– Coarse control, on the other hand, results in a low order of security. Why?
Memory Protection Mechanisms

Preventing one process from affecting the memory of other processes

Built-in hardware protection mechanisms are common.

Mechanisms: fence, relocation, base/bounds registers, tagged architecture, segmentation, paging, combined paging with segmentation
Memory Protection Mechanisms

Fence
– protects the OS from the user processes
– a predefined address (Fig. 6-1)
– fence register (Fig. 6-2, p.232)
– Limitations?
Memory Protection Mechanisms

Relocation
– A relocatable module can be loaded at a different starting address each time it is loaded.
– Who is in charge of determining the starting address of a module?
– The fence register can be used as a hardware relocation device.
– Any limitation?
Memory Protection Mechanisms

Base/Bounds Registers
– Base, bound, offset
– Fig. 6-3 (p.233)
– Fig. 6-4 (p.234): two pairs of base/bounds registers
– The use of base/bounds registers enables context switching of processes.
– Any limitations?
  – Contiguous address space
  – All-or-nothing sharing (that is, no selective sharing)
Memory Protection Mechanisms

Tagged architecture
– Every word of memory has extra tag bit(s) to identify its access rights.
– The bits are tested every time an instruction accesses that location.
– The bits can only be set by OS instructions.
– Fig. 6-5 (p.235)
– Any problems?
  – Incompatible with existing OS code
Memory Protection Mechanisms

Segmentation
– A program is divided into separate pieces, segments.
– Each segment is a logical unit, which may contain code or data.
– A program may be composed of several segments, each of which has different access rights.
– Fig. 6-6 (p.237)
– Q: Who’s keeping track of the relationship between logical names and their corresponding physical addresses?
– Fig. 6-7 (p.238): Segment translation table
– Addressing (in a program) = segment name + offset within the segment
Segmentation

Segmentation enables the OS to become an intermediary between a process and the physical memory.
Benefits
1. Protection of memory addresses:
   1. Each address reference is checked for protection.
   2. A user cannot generate an address or access to an unpermitted segment.
2. Enabling flexible protection mechanisms:
   1. Different levels of protection can be assigned to different classes of data items.
   2. A segment may be shared by two or more users, each with different access rights.
Segmentation

Does segmentation present any challenges or problems?
– A challenge: A process may access an offset beyond the end of a segment.
  • Solution: run-time verification by the OS
– Implementation problems:
  1. Segment names are inconvenient to encode in instructions, resulting in possibly slow lookup of the STT.
     Solution? Conversion of names to numbers during program compilation/translation
     Impact? Difficulty in sharing the same segment name between two procedures.
  2. Segmentation can lead to memory fragmentation.
Paging

– A program is divided into equal-sized pages.
– Memory is divided into same-sized units, called page frames.
– The page size is typically between 512 and 4096 bytes. (That is, between 9 and 12 address bits.)
– address = <page, offset>
– Table lookup is needed to translate a logical address to the physical address location. Fig. 6-8, p.240.
Paging

Advantages:
1. Fragmentation is not a problem (as in segmentation).
2. No problem of addressing beyond the end of a page.
3. The entire mechanism of paging and address translation is hidden from the programmer.

Unlike segmentation, there is no logical unity to a page.
– Is this an advantage or disadvantage?
– From the standpoint of protection, a definite disadvantage. Why?
Paging + Segmentation (combined)

c.f.,
– Paging: efficient
– Segmentation: logical protection characteristics

Paged segmentation: two layers of address translation
– A program is first divided into segments.
– Each segment is divided into pages.
– Figure 6-9, p.241.
Controlled Access to Objects

What objects need to be protected?
• Memory, files, directories, an executing program, h/w device, data structure in memory, OS tables, instructions, passwords, the user authentication mechanisms, the protection mechanism itself, …

Memory protection is a special case of the protection of general objects.
In comparison, protection of memory is simple. Why? (p.242)
Controlled Access to Objects

Access to an object is performed by a subject.
A subject may be an end user, a programmer, a program, another object, or anything else that seeks to use an object.
General goals in protecting objects:
1. Revocability of a user’s privilege to access an object.
2. The least privilege principle
3. Verification of object-specific usages
Controlled Access to Objects

An example of object protection: a simple approach relying on directories of files
– The objects: files in the directory, the directory itself
– Sample subjects: users of the system
– Each file has a unique owner, who controls access to the file.
– Each user has a file directory, which includes all files the user has access to.
– The file directories must be maintained by the OS. Why?
– Access rights include read, write, execute, and owner?
– Fig. 6-10, p.243.
Why would the above simple approach not work?
– 3 problems (p.244)
Controlled Access to Objects

Alternative approaches for access control
– ACL (access control list)
– ACM (access control matrix)
– capabilities for access control
– procedure-oriented access control
Controlled Access to Objects
• ACL
– Each object has an ACL, which includes all subjects that would have access to the object and what their access is.
– Fig. 6-12 (p.246)
– In comparison: In the previous approach, each subject has a directory list, which includes all objects that the subject may access and the respective access rights.
– User designation vs group designation
  – In Multics: user, group, compartment
  – In Unix: owner, group, world
  – In Windows?
Controlled Access to Objects
• ACM
– Fig. 6-13 (p.247)
– <subject, object, access rights>
– Disadvantage: mostly sparse; inefficient searching
Controlled Access to Objects
• Capability
– A capability is an unforgeable token giving the possessor certain rights to an object.
– A capability is a ticket giving permission to a subject to perform a certain type of access on an object.
– To prevent forgery, a capability is usually maintained by the OS.
– A new access right: the right to transfer a capability
– Domain: The collection of capabilities defines a domain. (Fig. 6-14, p.248)
– An executing program or sub-procedure operates in a domain.
– A sub-procedure in a program may have a different domain from the main program. (Fig. 6-15, p.249)
– Significance: groundwork for subsequent production use in systems such as Kerberos, which is a popular network authentication protocol (Ch. 9)
Controlled Access to Objects
• Procedure-oriented access control
– Access to an object is controlled by its access-control procedures.
– The procedures define a trusted interface through which access to a given object can be made.
– Purpose: To enable more complex access control beyond read, write, and execute.
– Benefits: information hiding; flexible
– Disadvantage: inefficient access
Summary

Next: 6.4 (file protection), 6.5 (user authentication)