operating system protection
-
7/29/2019 Operating system Protection
1/22
Protection
- GOALS OF PROTECTION
- DOMAIN OF PROTECTION
- ACCESS MATRIX
- IMPLEMENTATION OF ACCESS MATRIX
-
Goals of Protection
- Reasons:
  - Prevent mischievous or intentional access violations by user programs
  - Protect computer components
- Goal:
  - Provide a mechanism for enforcing the policies governing resource use.
  - Give users just enough privileges to perform their tasks.
-
Goals of Protection
- The operating system manages and controls a collection of objects (hardware or software).
- Each object has a unique name and can be accessed through a well-defined set of operations.
- Protection problem: ensure that each object is accessed correctly and only by those processes that are allowed to do so.
[Figure: users and systems run processes; processes invoke operations on objects (hardware / software) according to their access rights.]
-
Principles of Protection
- Guiding principle: the principle of least privilege
  - Programs, users and systems should be given just enough privileges to perform their tasks
  - Limits the damage if an entity has a bug or gets abused
  - Can be static (during the life of the system, during the life of a process)
  - Or dynamic (changed by the process as needed): domain switching, privilege escalation
- Need to know: a similar concept regarding access to data
- Must consider the grain aspect
  - Coarse-grained privilege management is easier and simpler, but least privilege is then applied in large chunks
    - For example, traditional Unix processes either have the abilities of the associated user or of root
  - Fine-grained management is more complex and has more overhead, but is more protective
    - File ACLs, RBAC
- A domain can be a user, a process, or a procedure
-
Domain of Protection
- Protection requirements:
  1. A process should be allowed to access only those resources for which it has authorization.
  2. A process should be able to access only those resources that it currently requires to complete its task (need-to-know principle).
- To meet these requirements, a process operates within a protection domain.
- A protection domain specifies which resources/objects can be accessed, and in which way, by the processes operating in that domain.
-
Domain of Protection
- We need:
  - Associating processes with domains
    - Static association
    - Dynamic association
  - Defining domains and changing their content
    - No change is allowed (static domain)
    - Can be changed (dynamic domain)
-
Domain Structure
- Access-right = <object, a_set_of_rights>, where a_set_of_rights is a subset of all valid operations that can be performed on the object.
- Domain = set of access-rights
-
Domain Implementation (Unix)
- The system consists of 2 domains:
  - User
  - Supervisor
- UNIX
  - Domain = user-id (i.e. the domain is determined from the user-id)
  - The domain of a process is defined by its UID and GID.
  - Files (objects) also have an associated UID and GID.
  - Then we can make a list of files (including the files corresponding to devices) that can be accessed (and how) by the process.
-
Domain Implementation (Unix)
- A user logs in. All processes created by that user operate in the same domain.
- What should happen when a process tries to execute a file which was created by another user?
  - The file has a user ID as well.
  - Which user ID should be used by the running process?
    - The creator of the process?
    - The owner of the executable file?
-
- Domain switch accomplished via the file system
  - Each file has associated with it a domain bit (the setuid bit)
  - When a file is executed and setuid = on, the user-id (domain) is set to the owner of the file being executed. When execution completes, the user-id is reset.
[Figure: an executable file with two attributes: owner (a user ID) and setuid bit (0 or 1).]
-
Domain Implementation (Unix)
[Figure: executable file F has owner = user ID A and setuid bit = 1 (ON). Process X, created by user A, runs with UID = A. Process Y, created by user B, starts with UID = B and hence normally runs with UID = B; when it executes file F, its UID becomes A (since setuid is ON), so the process runs with UID A while executing file F.]
-
Domain Implementation in Multics
[Figure: a process in ring i calls library procedures. Some calls are allowed anytime; calls that pass through a gatekeeper (with parameters copied) are allowed only if the process has permission.]
- Let Di and Dj be any two domain rings. If j < i, then Di ⊆ Dj.
-
Access Matrix
- Modeling protection
  - View protection as a matrix (access matrix): protection rules are expressed using a matrix
  - Rows represent domains
  - Columns represent objects
  - Access(i, j) contains the set of operations that a process executing in Domain i can invoke on Object j
- A general method and mechanism
  - Can be implemented in various ways.
-
Access Matrix
-
Use of Access Matrix
- If a process in Domain Di tries to do op on object Oj, then op must be in the access matrix
- Can be expanded to dynamic protection
  - Operations to add and delete access rights to/from the matrix
  - Special access rights for a domain:
    - owner of Oi
    - copy: copy op from Oi to Oj
    - control: Di can modify Dj's access rights
    - transfer: switch from domain Di to Dj
-
Use of Access Matrix
- The access matrix design separates mechanism from policy
  - Mechanism
    - The operating system provides the access matrix + rules
    - It ensures that the matrix is only manipulated by authorized agents and that the rules are strictly enforced
  - Policy
    - The user dictates policy
    - Who can access what object and in what mode
-
Access Matrix With Domains as Objects
Switch is applicable only to domain objects. A process can switch to that domain.
-
Access Matrix with Copy Rights
If a domain has a copy right for an object, then it can copy the right to another domain.
[Figure: a domain that has the copy right for object F2 copies that access right into another domain's entry for F2.]
-
Access Matrix With Owner Rights
If a domain has the owner right for an object, it can add / remove access-right entries for the object.
[Figure: D2 is owner of F2 and F3 and adds access rights in the F2 and F3 columns.]
-
Modified Access Matrix
Control is applicable only to domain objects. Di can control Dj (any access right can be removed from / added to Dj by Di).
-
Implementation of Access Matrix
- Each Column = Access-Control List for one object. Defines who can perform what operation.
  Access Control List associated with an object:
    Domain 1 = Read, Write
    Domain 2 = Read
    Domain 3 = Read
-
Implementation of Access Matrix
- Each Row = Capability List (like a key). For each domain, what operations are allowed on which objects.
  Access rights of a domain (i.e. the capabilities of a domain: what a domain can do):
    Object 1: Read
    Object 4: Read, Write, Execute
    Object 5: Read, Write, Delete, Copy
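The access matrix with domains as objects, the special copy, owner and control rights, and the two implementation views (ACL per column, capability list per row) described on the preceding slides, as an added example that is not part of the slide deck. Domain names (D1, D2, D3) and object names (F1, F2) are constructed sample values; a trailing "*" on a right marks it as copyable, following the slides' copy-right convention.

```python
from collections import defaultdict

class AccessMatrix:
    """Toy access matrix: rows are domains, columns are objects (or domains)."""

    def __init__(self):
        # access[domain][object] -> set of rights; a trailing '*' marks a copyable right
        self.access = defaultdict(lambda: defaultdict(set))

    def grant(self, domain, obj, right):
        self.access[domain][obj].add(right)

    def check(self, domain, obj, op):
        """Access(i, j) must contain op (plain or copyable) for the operation to proceed."""
        rights = self.access[domain][obj]
        return op in rights or op + "*" in rights

    def switch(self, src, dst):
        """Domains as objects: switching requires the 'switch' right in Access(src, dst)."""
        if not self.check(src, dst, "switch"):
            raise PermissionError(f"{src} may not switch to {dst}")
        return dst

    def copy(self, src, dst, obj, right):
        """Copy right: right* in Access(src, obj) lets src put right into Access(dst, obj)."""
        if right + "*" not in self.access[src][obj]:
            raise PermissionError(f"{src} has no copy right '{right}' on {obj}")
        self.access[dst][obj].add(right)  # copied without '*': no further propagation

    def owner_add(self, owner, domain, obj, right):
        """Owner right: the owner of obj may add entries anywhere in obj's column."""
        if "owner" not in self.access[owner][obj]:
            raise PermissionError(f"{owner} does not own {obj}")
        self.access[domain][obj].add(right)

    def control_remove(self, ctl, domain, obj, right):
        """Control right: 'control' in Access(ctl, domain) lets ctl edit domain's row."""
        if "control" not in self.access[ctl][domain]:
            raise PermissionError(f"{ctl} does not control {domain}")
        self.access[domain][obj].discard(right)

    def acl(self, obj):
        """Column view: the access-control list stored with the object."""
        return {d: sorted(r[obj]) for d, r in self.access.items() if r[obj]}

    def capabilities(self, domain):
        """Row view: the capability list held by the domain."""
        return {o: sorted(r) for o, r in self.access[domain].items() if r}
```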