Chapter 6: User Protections in OS
csci5233 computer security & integrity (Chap. 6)

Outline
User-level protections
1. Memory protection
2. Control of access to objects
3. File protection
4. User authentication

User-level protection
The general-purpose OS supports multiprogramming (aka multi-tasking), the concurrent use of system resources by more than one user. It is critical to protect one user from interference by another user.
What would need to be protected?
– Computation
– Files
– Anything else?

Protected Objects
• Memory
• Shared I/O devices (e.g., disks, printers, tape drives, …)
• Sharable programs and sub-procedures
• Sharable data
• … (See p.242 for a detailed listing)
The controlled sharing of these objects is the responsibility of the OS.

Protection Mechanisms: considerations
A. Types of separation
B. Levels of protection
C. Granularity of protection control

Types of separation
Separation is the basis of protection. It keeps different users’ objects separate from each other.
1. Physical separation
2. Temporal separation
3. Logical separation
4. Cryptographic separation
Concerns: resource utilization versus the degree of security provided
The goal of protection: to allow multi-tasking of processes with different security needs

Levels of protection
• No protection – feasible when ‘temporal separation’ is applied
• Isolation – confinement; separate address space and resources
• Share all or share nothing – public vs. private objects
• Share via access limitation – ACL (access control list)
• Share by capabilities – an extension of ACL; dynamic determination of access rights (user + object + context of access)
• Limit use of an object – finer control over the use of an object (Example: read but no print; aggregate but no individual data items)

Granularity of protection control
Example: granularity of data control – bit, byte, word, field, record, file, …
Another example: granularity of access rights. What does that mean?
Trade-offs: Finer control leads to more complex implementation. Why? Coarse control, on the other hand, results in a lower degree of security. Why?

Memory Protection Mechanisms
Preventing one process from affecting the memory of other processes. Built-in hardware protection mechanisms are common.
Mechanisms: fence, relocation, base/bounds registers, tagged architecture, segmentation, paging, combined paging with segmentation

Fence
• Protects the OS from the user processes
• A predefined address (Fig. 6-1)
• Fence register (Fig. 6-2, p.232)
• Limitations?

Relocation
• A relocatable module can be loaded at a different starting address each time it is loaded.
• Who is in charge of determining the starting address of a module?
• The fence register can be used as a hardware relocation device. Any limitation?

Base/Bounds Registers
• Base, bound, offset (Fig. 6-3, p.233)
• Fig. 6-4 (p.234): two pairs of base/bounds registers
• The use of base/bounds registers enables context switching of processes.
• Any limitations?
  – Contiguous address space
  – All-or-nothing sharing (that is, no selective sharing)

Tagged architecture
• Every word of memory has extra tag bit(s) to identify its access rights.
• The bits are tested every time an instruction accesses that location.
• The bits can only be set by OS instructions.
• Fig. 6-5 (p.235)
• Any problems? Incompatible with existing OS code

Segmentation
• A program is divided into separate pieces, called segments. Each segment is a logical unit, which may contain code or data.
• A program may be composed of several segments, each of which has different access rights. (Fig. 6-6, p.237)
• Q: Who keeps track of the relationship between logical names and their corresponding physical addresses?
• Fig. 6-7 (p.238): Segment translation table
• Addressing (in a program) = segment name + offset within the segment

Segmentation enables the OS to become an intermediary between a process and the physical memory.
Benefits
1. Protection of memory addresses:
   1. Each address reference is checked for protection.
   2. A user cannot generate an address for, or gain access to, an unpermitted segment.
2. Enabling flexible protection mechanisms:
   1. Different levels of protection can be assigned to different classes of data items.
   2. A segment may be shared by two or more users, each with different access rights.

Does segmentation present any challenges or problems?
– A challenge: A process may access an offset beyond the end of a segment.
  • Solution: run-time verification by the OS
Implementation problems:
1. Segment names are inconvenient to encode in instructions, resulting in possibly slow lookup of the STT. Solution? Conversion of names to numbers during program compilation/translation. Impact? Difficulty in sharing the same segment name between two procedures.
2. Segmentation can lead to memory fragmentation.

Paging
• A program is divided into equal-sized pages. Memory is divided into same-sized units, called page frames.
• The page size is typically between 512 and 4096 bytes (that is, between 9 and 12 address bits for the offset).
• address = <page, offset>
• Table lookup is needed to translate a logical address to the physical address location. (Fig. 6-8, p.240)

Paging advantages:
1. Fragmentation is not a problem (as it is in segmentation).
2. No problem of addressing beyond the end of a page.
3. The entire mechanism of paging and address translation is hidden from the programmer.
Unlike segmentation, there is no logical unity to a page.
– Is this an advantage or a disadvantage?
– From the standpoint of protection, a definite disadvantage. Why?

Paging + Segmentation (combined)
c.f.,
– Paging: efficient
– Segmentation: logical protection characteristics
Paged segmentation: two layers of address translation
– A program is first divided into segments.
– Each segment is divided into pages.
– Figure 6-9, p.241.

Controlled Access to Objects
What objects need to be protected?
• Memory, files, directories, an executing program, h/w devices, data structures in memory, OS tables, instructions, passwords, the user authentication mechanisms, the protection mechanism itself, …
Memory protection is a special case of the protection of general objects. In comparison, protection of memory is simple. Why? (p.242)
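The paged-segmentation translation described in the memory-protection slides above, as an added worked example (not from the slides or the textbook): a segment translation table whose entries carry per-segment access rights and a per-segment page table, a run-time bounds check that catches offsets past the end of a segment, and a second paging layer that maps the surviving offset to a frame. The segment names, page size, rights and frame numbers are constructed sample values.

```python
from dataclasses import dataclass, field

PAGE_SIZE = 1024  # 10 offset bits; the slides quote page sizes of 512..4096 bytes

class MemoryFault(Exception):
    """Raised when the OS/hardware refuses an address reference."""

@dataclass
class Segment:
    """One segment translation table (STT) entry for a paged segment."""
    length: int                  # bytes actually in use in the segment
    rights: frozenset            # subset of {"r", "w", "x"} granted to this process
    page_table: dict = field(default_factory=dict)  # page number -> page frame

def translate(stt, segment, offset, access):
    """Two-layer translation: <segment, offset> -> <page, in-page offset> -> frame address."""
    # Layer 1 (segmentation): an unknown segment or a missing right is refused
    # before any physical address is formed, so an unpermitted segment is unreachable.
    if segment not in stt:
        raise MemoryFault(f"no such segment {segment!r}")
    seg = stt[segment]
    if access not in seg.rights:
        raise MemoryFault(f"{access!r} access to {segment!r} not permitted")
    # Run-time bounds check: an offset past the end of the segment faults.
    if not 0 <= offset < seg.length:
        raise MemoryFault(f"offset {offset} beyond end of {segment!r} (length {seg.length})")
    # Layer 2 (paging): split the offset into page number and in-page offset,
    # then map the page through this segment's own page table.
    page, in_page = divmod(offset, PAGE_SIZE)
    if page not in seg.page_table:
        raise MemoryFault(f"page {page} of {segment!r} is not resident")
    return seg.page_table[page] * PAGE_SIZE + in_page

# Constructed sample STT: a read/execute code segment spanning 2.5 pages and a
# read/write data segment of one page, each with its own (hypothetical) page table.
SAMPLE_STT = {
    "CODE": Segment(2560, frozenset("rx"), {0: 7, 1: 3, 2: 9}),
    "DATA": Segment(1024, frozenset("rw"), {0: 12}),
}

def demo():
    # One legal instruction fetch (page 1 -> frame 3) and three references that must fault.
    results = {"fetch": translate(SAMPLE_STT, "CODE", 1030, "x")}
    for label, args in {"write_code": ("CODE", 10, "w"), "past_end": ("CODE", 2560, "r"),
                        "no_segment": ("STACK", 0, "r")}.items():
        try:
            results[label] = translate(SAMPLE_STT, *args)
        except MemoryFault as fault:
            results[label] = f"fault: {fault}"
    return results
```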
Access to an object is performed by a subject. A subject may be an end user, a programmer, a program, another object, or anything else that seeks to use an object.
General goals in protecting objects:
1. Revocability of a user’s privilege to access an object
2. The least privilege principle
3. Verification of object-specific usages

An example of object protection: a simple approach relying on directories of files
• The objects: files in the directory, and the directory itself
• Sample subjects: users of the system
• Each file has a unique owner, who controls access to the file.
• Each user has a file directory, which includes all files the user has access to.
• The file directories must be maintained by the OS. Why?
• Access rights include read, write, execute, and owner? (Fig. 6-10, p.243)
• Why would the above simple approach not work? 3 problems (p.244)

Alternative approaches for access control
– ACL (access control list)
– ACM (access control matrix)
– capabilities for access control
– procedure-oriented access control

• ACL
Each object has an ACL, which includes all subjects that have access to the object and what their access is. (Fig. 6-12, p.246)
In comparison: In the previous approach, each subject has a directory list, which includes all objects that the subject may access and the respective access rights.
User designation vs. group designation
– In Multics: user, group, compartment
– In Unix: owner, group, world
– In Windows?

• ACM
Fig. 6-13 (p.247): <subject, object, access rights>
Disadvantage: mostly sparse; inefficient searching

• Capability
A capability is an unforgeable token giving the possessor certain rights to an object. A capability is a ticket giving permission to a subject to perform a certain type of access on an object.
To prevent forgery, a capability is usually maintained by the OS.
A new access right: the right to transfer a capability
Domain: The collection of capabilities defines a domain. (Fig. 6-14, p.248) An executing program or sub-procedure operates in a domain. A sub-procedure in a program may have a different domain from the main program. (Fig. 6-15, p.249)
Significance: groundwork for subsequent production use in systems such as Kerberos, which is a popular network authentication protocol (Ch. 9)

• Procedure-oriented access control
Access to an object is controlled by its access-control procedures. The procedures define a trusted interface through which access to a given object can be made.
Purpose: To enable more complex access control beyond read, write, and execute.
Benefits: information hiding; flexible
Disadvantage: inefficient access

Summary
Next: 6.4 (file protection), 6.5 (user authentication)
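The ACM, ACL and capability slides above, as an added worked example (not from the slides or the textbook): one constructed access control matrix is viewed by column (the ACL stored with an object) and by row (the capability list, or domain, of a subject), and capabilities are issued as tokens that the OS seals with an HMAC under a key only it holds. The sealing with HMAC is an assumption about how "maintained by the OS" can be realized, not something the slides specify; the subjects, objects and rights are sample values, and "t" stands for the slides' right to transfer a capability.

```python
import hashlib
import hmac
import os

# Constructed access control matrix: (subject, object) -> rights. "t" is the
# slides' extra right: permission to transfer the capability to another subject.
ACM = {
    ("alice", "payroll.db"): frozenset("rwt"),
    ("alice", "report.txt"): frozenset("r"),
    ("bob", "report.txt"): frozenset("rw"),
}

def acl_of(obj):
    """Column view of the ACM: the ACL kept with one object."""
    return {s: r for (s, o), r in ACM.items() if o == obj}

def domain_of(subj):
    """Row view of the ACM: the capability list (domain) held by one subject."""
    return {o: r for (s, o), r in ACM.items() if s == subj}

# Unforgeability (assumed mechanism): the OS holds a secret key and seals each
# capability with an HMAC over (holder, object, rights); altering any field breaks the seal.
_OS_KEY = os.urandom(32)

def _seal(holder, obj, rights):
    msg = f"{holder}|{obj}|{''.join(sorted(rights))}".encode()
    return hmac.new(_OS_KEY, msg, hashlib.sha256).digest()

def issue(holder, obj):
    """The OS issues a capability to `holder` from its ACM entry (empty rights if none)."""
    rights = ACM.get((holder, obj), frozenset())
    return (holder, obj, rights, _seal(holder, obj, rights))

def check(cap, presenter, access):
    """Honour a capability only if its seal is genuine, it names the presenter, and it carries the right."""
    holder, obj, rights, seal = cap
    genuine = hmac.compare_digest(seal, _seal(holder, obj, rights))
    return genuine and holder == presenter and access in rights

def transfer(cap, new_holder, rights):
    """Copy a capability to another subject: requires the 't' right and cannot amplify rights."""
    holder, obj, have, _ = cap
    rights = frozenset(rights)
    if not check(cap, holder, "t") or not rights <= have:
        raise PermissionError("transfer not permitted")
    return (new_holder, obj, rights, _seal(new_holder, obj, rights))
```

The transferred copy is a fresh token sealed for the new holder, so it is checked the same way as one issued directly from the ACM.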