Operating system And security

8/9/2019 Operating system And security

1/138

Chapter 14: Protection Goals of Protection Principles of Protection

Domain of Protection Access Matrix Implementation of Access Matrix Access Control Revocation of Access Rights Capability-Based Systems Language-Based Protection


2/138

Objectives Discuss the goals and principles of

protection in a modern computer system Explain how protection domains combined

with an access matrix are used to specifythe resources a process may access

Examine capability and language-based protection systems


3/138

Goals of Protection Operating system consists of a collection of

objects, hardware or software

Each object has a unique name and can beaccessed through a well-defined set of operations

Protection problem - ensure that each object isaccessed correctly and only by those processesthat are allowed to do so


4/138


5/138

Domain Structure Access-right = < object-name , rights-set >

where rights-set is a subset of all validoperations that can be performed on theobject.

Domain = set of access-rights


6/138

Domain Implementation (UNIX) System consists of 2 domains:

User Supervisor

UNIX Domain = user-id Domain switch accomplished via file system

Each file has associated with it a domain bit (setuid bit) When file is executed and setuid = on, then user-id is set to

owner of the file being executed. When execution completesuser-id is reset


7/138

Domain Implementation

(MULTICS) Let D i and D j be any two domain rings If j < I D

i D

j


8/138

Access Matrix View protection as a matrix ( access matrix )

Rows represent domains

Columns represent objects

Access(i, j) is the set of operations that a processexecuting in Domain i can invoke on Object j


9/138

Access Matrix


10/138

Use of Access Matrix If a process in Domain D i tries to do op on

object O j, then op must be in the access matrix

Can be expanded to dynamic protection Operations to add, delete access rights Special access rights:

owner of O i copy op from O i to O j control D i can modify D j access rights transfer switch from domain D i to D j


11/138

Use of Access Matrix (Cont) Access matrix design separates mechanism

from policy

Mechanism Operating system provides access-matrix + rules If ensures that the matrix is only manipulated by

authorized agents and that rules are strictly enforced

Policy User dictates policy Who can access what object and in what mode


12/138

Implementation of Access Matrix Each column = Access-control list for one

objectDefines who can perform what operation.

Domain 1 = Read, WriteDomain 2 = ReadDomain 3 = Read

Each Row = Capability List (like a key)Fore each domain, what operations allowedon what objects.

Object 1 Read


13/138

Objects

Figure B


14/138

Access Matrix with Copy Rights


15/138

Access Matrix With Owner

Rights


16/138

Modified Access Matrix of

Figure B


17/138

Access Control Protection can be applied to non-file resources Solaris 10 provides role-based access control

(RBAC ) to implement least privilege Privilege is right to execute system call or use an option

within a system call Can be assigned to processes

Users assigned roles granting access to privileges and programs


18/138

Role-based Access Control in

Solaris 10


19/138

Revocation of Access Rights Access List Delete access rights from access list

Simple Immediate

Capability List Scheme required to locatecapability in the system before capability can berevoked Reacquisition Back-pointers Indirection Keys


20/138

Capability-Based Systems Hydra

Fixed set of access rights known to and interpreted bythe system

Interpretation of user-defined rights performed solely by user's program; system provides access protectionfor use of these rights

Cambridge CAP System Data capability - provides standard read, write, execute

of individual storage segments associated with object Software capability -interpretation left to the

subsystem, through its protected procedures


21/138

Language-Based Protection Specification of protection in a programming

language allows the high-level description of policies for the allocation and use of resources

Language implementation can provide softwarefor protection enforcement when automatichardware-supported checking is unavailable

Interpret protection specifications to generate callson whatever protection system is provided by thehardware and the operating system


22/138

Protection in Java 2 Protection is handled by the Java Virtual Machine

(JVM)

A class is assigned a protection domain when it isloaded by the JVM

The protection domain indicates what operationsthe class can (and cannot) perform

If a library method is invoked that performs a

privileged operation, the stack is inspected toensure the o eration can be erformed b the


23/138

Stack Inspection


24/138

End of Chapter 14


25/138


26/138


27/138


28/138


29/138


30/138


31/138


32/138


33/138


34/138


35/138


36/138


37/138


38/138


39/138


40/138


41/138


42/138


43/138


44/138


45/138


46/138


47/138


48/138


49/138


50/138


51/138


52/138


53/138


54/138


55/138


56/138


57/138


58/138


59/138


60/138


61/138


62/138


63/138


64/138


65/138


66/138


67/138


68/138


69/138


70/138


71/138


72/138


73/138


74/138


75/138


76/138


77/138


78/138


79/138


80/138


81/138


82/138


83/138


84/138


85/138


86/138


87/138


88/138


89/138


90/138


91/138


92/138


93/138


94/138


95/138


96/138


97/138


98/138


99/138


100/138


101/138


102/138


103/138


104/138


105/138


106/138


107/138


108/138


109/138


110/138


111/138


112/138


113/138


114/138


115/138


116/138


117/138


118/138


119/138


120/138


121/138


122/138


123/138


124/138


125/138


126/138


127/138


128/138


129/138


130/138


131/138


132/138


133/138


134/138


135/138


136/138


137/138


138/138

Operating system And security

Documents

Transcript of Operating system And security