Chapter 4 – Protection in General Purpose Operating Systems Protection features provided by general-purpose operating systems— protecting memory, files, and the execution environment Controlled access to objects User authentication Protected Objects and Methods of Protections 1rst OS were simple utilities – executives Multiprogramming OS required monitors which oversaw each program’s execution Protected objects • • • • • • Memory Sharable I/O devices (disks) Serially reusable devices (printers) Shareable programs & subprocedures Networks Shareable Data Security Methods of Operating Systems Physical Separation (different processes use different objects) Temporal Separation (processes executed at different times) Logical Separation (process appears to be alone) Cryptographic Separation conceal data and computations) (processes Security Methods of Operating Systems Want to be able to share resources without compromising security • Do not protect • Isolate different processes • Share all or nothing • Share via access limitation (granularity) • Share by capabilities • Limit use of an object Memory & Address Protection Fence – confines user to one side of boundary • Use predefined memory addresses • Can protect OS, but not one user from another Relocation Base/Bounds Registers – changes all addresses of program using offset • Uses variable fence register (base register) to provide lower bound • Uses bounds register for upper address Memory & Address Protection Tagged Architecture • Every word of machine memory has extra bits to indicate access rights (expensive) Segmentation (program divided into pieces) • Each segment has name & offset Each address reference is checked for protection Different classes of data can be assigned different levels of protection Users can share access to segments User cannot access an unpermitted segment Paging (program uses equal sized “pages”; memory divided into equal sized page frames) Control of Access to General Objects Memory File/data set Program in memory Directory of files Hardware device Data structure (stack) Operating system table Instructions (privileged) Passwords / user authentication mechanism Protection mechanism Goals in protecting objects Check every access Enforce least privilege Verify acceptable usage Directory mechanism Each user (subject) has a file directory, which lists all files accessible by user List can become too large if many shared objects Cannot revoke rights of everyone to an object File names for different owners may be different Access Control List One list for each object with list showing all subjects & their access rights Can use wildcards to limit size of ACL Access Control Matrix • Rows for subjects • Columns for objects • Sparse matrix of triples <subjects, objects, rights> Capability Unforgeable token that gives possessor rights to an object Predecessor of Kerberos Can propagate capabilities to other subjects Capabilities must be stored in inaccessible memory Procedure-Oriented Access Control Procedure that controls access to objects including what subjects can do to objects