operating system protection

Upload: jayanth3d

Post on 03-Apr-2018


7/29/2019 Operating system Protection

Slide 1/22: Protection

• Goals of protection
• Domain of protection
• Access matrix
• Implementation of access matrix

Slide 2/22: Goals of Protection

• Reasons:
  - Prevent mischievous or intentional access violations by user programs
  - Protect computer components
• Goal:
  - Provide a mechanism for enforcing the policies that govern resource use.
  - Give users just enough privileges to perform their tasks.

Slide 3/22: Goals of Protection

• The operating system manages and controls a collection of objects (hardware or software).
• Each object has a unique name and can be accessed only through a well-defined set of operations.
• Protection problem: ensure that each object is accessed correctly and only by those processes that are allowed to do so.

[Figure: users and systems run processes; processes invoke operations on objects (hardware / software), subject to access rights.]

Slide 4/22: Principles of Protection

• Guiding principle: the principle of least privilege
  - Programs, users and systems should be given just enough privileges to perform their tasks
  - Limits the damage if an entity has a bug or gets abused
  - Can be static (for the life of the system, or for the life of a process)
  - Or dynamic (changed by the process as needed): domain switching, privilege escalation
• "Need to know" is a similar concept regarding access to data
• Must consider the granularity aspect
  - Coarse-grained privilege management is easier and simpler, but least privilege is then enforced only in large chunks
    - For example, traditional Unix processes have either the abilities of the associated user or those of root
  - Fine-grained management is more complex and has more overhead, but is more protective
    - File ACLs, RBAC
• A domain can be a user, a process, or a procedure

Slide 5/22: Domain of Protection

• Protection requirements:
  1. A process should be allowed to access only those resources for which it has authorization.
  2. A process should be able to access only those resources that it currently requires to complete its task (need-to-know principle).
• To achieve this, a process operates within a protection domain.
  - A protection domain specifies which resources/objects can be accessed, and in which way, by the processes operating in that domain.

Slide 6/22: Domain of Protection

• We need:
  - A way of associating processes with domains
    - Static association
    - Dynamic association
  - A way of defining domains and changing their content
    - No change allowed (static domain)
    - Can be changed (dynamic domain)

Slide 7/22: Domain Structure

• Access-right = <object, a_set_of_rights>, where a_set_of_rights is a subset of all valid operations that can be performed on the object.
• Domain = set of access-rights

Slide 8/22: Domain Implementation (Unix)

• The system consists of 2 domains:
  - User
  - Supervisor
• UNIX
  - Domain = user-id (i.e. the domain is determined from the user-id)
  - The domain of a process is defined by its UID and GID.
  - Files (objects) also have an associated UID and GID.
  - Then we can make a list of files (including the files corresponding to devices) that can be accessed (and how) by the process.

Slide 9/22: Domain Implementation (Unix)

• A user logs in. All processes created by that user operate in the same domain.
• What should happen when a process tries to execute a file created by another user?
  - The file has a user ID as well.
  - Which user ID should be used by the running process?
    - The creator of the process?
    - The owner of the executable file?

Slide 10/22

• The domain switch is accomplished via the file system.
  - Each file has associated with it a domain bit (the setuid bit).
  - When the file is executed and setuid = on, the user-id (domain) is set to the owner of the file being executed. When execution completes, the user-id is reset.

[Figure: an executable file carries an owner (a user ID) and a setuid bit (0 or 1).]

Slide 11/22: Domain Implementation (Unix)

[Figure: executable file F with owner: user ID A and setuid bit: 1 (ON).
User A creates: file F is owned by A, and process X runs with UID = A.
User B creates process Y, which is started with UID = B and hence normally runs with UID = B.
When process Y executes file F, its UID becomes A (since setuid is ON). Hence the process runs with UID A while executing file F.]
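The Unix domain model of slides 8 to 11, as an added Python example (it is not code from the slides): the domain of a process is its (uid, gids), each file operation is checked against the owner/group/other bits of st_mode, and executing a file whose setuid bit is on switches the effective UID to the file owner's for the duration of that execution. The file paths, UIDs and modes in FILES are constructed sample data, and the root shortcut in allowed() is a simplification (a real kernel decides this through capabilities and also tracks real and saved UIDs).

```python
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Inode:
    """What stat() reports for a file: owner, group and st_mode permission bits."""
    owner_uid: int
    owner_gid: int
    mode: int


# Constructed sample file system (hypothetical paths, not taken from the slides).
FILES = {
    "/home/a/notes": Inode(owner_uid=1000, owner_gid=1000, mode=0o600),
    "/usr/bin/passwd": Inode(owner_uid=0, owner_gid=0, mode=0o4755),    # setuid root
    "/home/a/tool": Inode(owner_uid=1000, owner_gid=1000, mode=0o4750),  # setuid to A, group may exec
}

# Operation -> (owner bit, group bit, other bit) in st_mode.
OPS = {
    "read": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
    "write": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
    "execute": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH),
}


def allowed(uid, gids, inode, op):
    """Classic Unix check. The process domain is (uid, gids); exactly one of the
    owner / group / other bit triples applies, chosen by the first class that matches.
    Root is modelled (simplification) as bypassing the bits for read/write and
    needing any execute bit for execute."""
    usr, grp, oth = OPS[op]
    if uid == 0:
        return op != "execute" or bool(inode.mode & (usr | grp | oth))
    if uid == inode.owner_uid:
        return bool(inode.mode & usr)
    if inode.owner_gid in gids:
        return bool(inode.mode & grp)
    return bool(inode.mode & oth)


def exec_domain(uid, gids, path):
    """UID the process runs with while executing `path`: the file owner's UID when
    the setuid bit is on (the domain switch), otherwise its own.
    Returns None when the process may not execute the file at all."""
    inode = FILES[path]
    if not allowed(uid, gids, inode, "execute"):
        return None
    return inode.owner_uid if inode.mode & stat.S_ISUID else uid


def access_list(uid, gids):
    """Slide 8's list of files a process in domain (uid, gids) may access, and how."""
    return {path: [op for op in OPS if allowed(uid, gids, inode, op)]
            for path, inode in FILES.items()}


def setuid_files():
    """Defender's audit: which files switch the domain of whoever executes them."""
    return sorted(path for path, inode in FILES.items() if inode.mode & stat.S_ISUID)


if __name__ == "__main__":
    # Process Y, started by user B (uid 1001), runs passwd with UID 0 while executing it.
    print(exec_domain(1001, {1001}, "/usr/bin/passwd"))
    print(access_list(1001, {1001}))
    print(setuid_files())
```

The audit in setuid_files() is the point a defender takes from slide 10: every setuid executable is a domain-switch point, so the set of such files should be small and known, and a process in the user domain should get no more than the executable's owner intended.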

Slide 12/22: Domain Implementation in Multics

[Figure: a process running in ring i calls library procedures. Calls to procedures in outer rings are allowed anytime; calls into inner rings go through a gatekeeper, are allowed only if the process has permission, and have their parameters copied.]

• Let D_i and D_j be any two domain rings.
• If j < i, then D_i ⊆ D_j (the inner ring is the more privileged one).

Slide 13/22: Access Matrix

• Modeling protection
  - View protection as a matrix (the access matrix): protection rules are expressed using a matrix
  - Rows represent domains
  - Columns represent objects
  - Access(i, j) contains the set of operations that a process executing in Domain_i can invoke on Object_j
• A general method and mechanism
  - Can be implemented in various ways.

Slide 14/22: Access Matrix

Slide 15/22: Use of Access Matrix

• If a process in Domain D_i tries to do "op" on object O_j, then "op" must be in the access matrix (in entry Access(i, j)).
• Can be expanded to dynamic protection
  - Operations to add and delete access rights to/from the matrix
  - Special access rights for a domain:
    - owner of O_i
    - copy: copy op from O_i to O_j
    - control: D_i can modify D_j's access rights
    - transfer: switch from domain D_i to D_j

Slide 16/22: Use of Access Matrix

• The access matrix design separates mechanism from policy
  - Mechanism
    - The operating system provides the access matrix + rules
    - It ensures that the matrix is only manipulated by authorized agents and that the rules are strictly enforced
  - Policy
    - The user dictates policy
    - Who can access what object and in what mode

Slide 17/22: Access Matrix With Domains as Objects

Switch is applicable only to domain objects. A process can switch to that domain.

Slide 18/22: Access Matrix with Copy Rights

If a domain has a copy right, then it can copy the right to another domain.

[Figure: a domain that has the copy right for object F2 copies that access right into another domain's entry for F2.]

Slide 19/22: Access Matrix With Owner Rights

If a domain has the owner right for an object, it can add / remove access-right entries for the object.

[Figure: D2 is the owner of F2 and F3, and has added access rights to other domains' entries for those objects.]

Slide 20/22: Modified Access Matrix

Control is applicable only to domain objects. D_i can control D_j (any access right can be removed from / added to D_j by D_i).

Slide 21/22: Implementation of Access Matrix

• Each column = access-control list (ACL) for one object. Defines who can perform what operation.
  Domain 1 = Read, Write
  Domain 2 = Read
  Domain 3 = Read
  (Access control list associated with an object)

Slide 22/22: Implementation of Access Matrix

• Each row = capability list (like a key). For each domain, what operations are allowed on which objects.
  Object 1: Read
  Object 4: Read, Write, Execute
  Object 5: Read, Write, Delete, Copy
  (Access rights of a domain, i.e. the capabilities of a domain: what a domain can do)
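The access matrix of slides 13 to 22, as an added Python example that is not code from the slides: domains appear as objects so that switch and control are ordinary entries, the copy, owner and control rights each authorize a change to the matrix, and the ACL and capability-list implementations fall out as the column and row views of the same matrix. The textbook convention that a copyable right is written with a trailing star (read*) is assumed, and the domains, objects and rights in build_example() are a constructed sample policy, not the figure from the slides.

```python
class AccessMatrix:
    """Access matrix in which domains are also objects (columns), so the special
    rights switch and control are stored like any other right. A right whose
    holder may copy it to another domain is stored with a trailing '*' (assumed
    textbook notation), e.g. 'read*'."""

    def __init__(self, domains, objects):
        self.domains = list(domains)
        self.objects = list(objects)
        self.columns = self.objects + self.domains
        self.rights = {(d, o): set() for d in self.domains for o in self.columns}

    # --- mechanism: the OS holds the matrix; policy is whatever grant() encodes ---
    def grant(self, domain, obj, *ops):
        self.rights[(domain, obj)].update(ops)

    def check(self, domain, obj, op):
        """Use of the matrix: op is permitted iff it is in Access(domain, obj)."""
        return op in self.rights[(domain, obj)]

    # --- dynamic protection: each change is itself authorized by a matrix entry ---
    def switch(self, d_from, d_to):
        """Domain switching needs the 'switch' right in Access(d_from, d_to)."""
        if not self.check(d_from, d_to, "switch"):
            raise PermissionError(f"{d_from} may not switch to {d_to}")
        return d_to

    def copy(self, d_from, d_to, obj, op):
        """Copy right: d_from may copy op into another row of the same column only
        if it holds the copyable form op*. The copy is stored without the star, so
        the receiving domain cannot propagate it further (limited copy)."""
        if not self.check(d_from, obj, op + "*"):
            raise PermissionError(f"{d_from} has no copy right for {op} on {obj}")
        self.rights[(d_to, obj)].add(op)

    def _may_modify(self, actor, domain, obj):
        # Owner of an object may edit its column; a controller of a domain may edit that row.
        return self.check(actor, obj, "owner") or self.check(actor, domain, "control")

    def add_right(self, actor, domain, obj, op):
        if not self._may_modify(actor, domain, obj):
            raise PermissionError(f"{actor} may not add {op} to Access({domain}, {obj})")
        self.rights[(domain, obj)].add(op)

    def remove_right(self, actor, domain, obj, op):
        if not self._may_modify(actor, domain, obj):
            raise PermissionError(f"{actor} may not remove {op} from Access({domain}, {obj})")
        self.rights[(domain, obj)].discard(op)

    # --- the two classic implementations are the two ways of slicing the matrix ---
    def acl(self, obj):
        """Column = access-control list: which domains may do what to obj."""
        return {d: sorted(self.rights[(d, obj)])
                for d in self.domains if self.rights[(d, obj)]}

    def capabilities(self, domain):
        """Row = capability list: what this domain may do, object by object."""
        return {o: sorted(self.rights[(domain, o)])
                for o in self.columns if self.rights[(domain, o)]}


def denied(action, *args):
    """True if the matrix refuses the action (used to show enforcement, not to bypass it)."""
    try:
        action(*args)
    except PermissionError:
        return True
    return False


def build_example():
    """Constructed sample policy (not the slides' figure): three domains, three files."""
    m = AccessMatrix(["D1", "D2", "D3"], ["F1", "F2", "F3"])
    m.grant("D1", "F1", "read")
    m.grant("D1", "D2", "switch")           # D1 may switch into D2
    m.grant("D2", "F2", "read*", "owner")   # copyable read, and owner of F2
    m.grant("D2", "F3", "owner")
    m.grant("D2", "D3", "control")          # D2 may edit D3's row
    m.grant("D3", "F3", "read", "write")
    return m


if __name__ == "__main__":
    m = build_example()
    m.copy("D2", "D1", "F2", "read")        # allowed: D2 holds read* on F2
    m.remove_right("D2", "D3", "F3", "write")  # allowed: D2 controls D3
    print(m.acl("F2"))
    print(m.capabilities("D1"))
    print(denied(m.switch, "D2", "D1"))     # True: no switch right in Access(D2, D1)
```

acl() and capabilities() are derived from one source of truth; a real system that stores only ACLs (per object) or only capability lists (per domain) has to keep the other view consistent itself, which is where revocation becomes hard in capability systems and enumeration of a subject's rights becomes hard in ACL systems.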