160 likes | 523 Views
Protection (Chapter 14). Goals of Protection. The role of protection in a computer system is to provide a mechanism for the enforcement of the policies governing resource use. - ensure that each object is accessed correctly and only by those processes that are allowed to do so
E N D
Goals of Protection • The role of protection in a computer system is to provide a mechanism for the enforcement of the policies governing resource use. - ensure that each object is accessed correctly and only by those processes that are allowed to do so - policies may change over time: mechanisms should be adaptive or implemented at different levels (e.g., OS and application) • Protection vs. Security • Security is a measure of confidence that resources are protected • Examples of protection in computer systems?
Principles of Protection • Guiding principle – principle of least privilege • Programs, users and systems should be given just enough privileges to perform their tasks • Examples of benefits: • Breaking into one system should not be equivalent to breaking into all • Breaking into one user account should not mean getting access to all • Overflow of a buffer in a system daemon should only cause the daemon process to fail (but not to allow execution of code from the daemon’s stack that would enable gaining root access) • A variant: the need-to-know principle • In a procedure have access only to local and global variables, but not to local variables of another procedure
Protection Domains • A process operates within a protection domain - Specifies the resources that the process may access • Domain = set of access-rights • Access-right = <object-name, rights-set>where rights-set is a subset of all valid operations that can be performed on the object. • Association between processes and domains: static or dynamic • Static: may need to change the domain content to accommodate the “need-to-know” principle • Dynamic: mechanism needed for domain switching • Domain may be: user, process, procedure - How does domain switching occur in each case?
Case Scenario: Domain Implementation in UNIX • System consists of 2 domains: • User • Supervisor • UNIX • Domain = user-id • Domain switch accomplished via file system • Each file has associated with it a domain bit (setuid bit) • When file is executed and setuid = on, then user-id is set to owner of the file being executed. When execution completes user-id is reset. • Security problem: create a file with owner root and the setuid bit set • Alternative: • Place privileged programs in a special directory. The OS changes the user ID of programs who run from that directory • No change of user ID: need special mechanism to allow users to get access to privileged facilities.
Case Scenario: Domain Implementation in MULTICS • Let Di and Djbe any two domain rings • If j < i Di Dj : more privileges in Dj than in Di • Domain switching through procedure calls • Each segment is a file; associated with one ring • Segment descriptor: ring number, access bracket [b1, b2], limit b3, set of gates • Switch: process running in i : if i > b2, then access only through gates iff i < b3 • Limitations: hard to implement the “need-to-know” principle; complexity; no limitation between policy and mechanism
Access Matrix • View protection as a matrix (access matrix) • Rows represent domains, columns represent objects • Access(i, j) is the set of operations that a process executing in Domaini can invoke on Objectj
Use of Access Matrix • Access matrix design separates mechanism from policy • Mechanism • Operating system provides access-matrix + rules • If ensures that the matrix is only manipulated by authorized agents and that rules are strictly enforced • Policy • User dictates policy: Who can access what object and in what mode • Can be expanded to dynamic protection • Operations to add, delete access rights • Special access rights: • owner of Oi • copy op from Oi to Oj • control – Di can modify Dj access rights • transfer – switch from domain Di to Dj
Access Matrix with Copy Rights * Means right to copy access rights from one domain to another.
Control Right: Make Changes in Domains Add “control”
Implementation of Access Matrix • Global table • Access-control list for one object: defines who can perform what operation. Domain 1 = Read, Write Domain 2 = Read Domain 3 = Read • Capability List: for each domain, what operations are allowed on what objects. Object 1 – Read Object 4 – Read, Write, Execute Object 5 – Read, Write, Delete, Copy • Lock-key scheme: each object and each domain has a list of unique bit patterns (called locks, respectively keys)
Revocation of Access Rights • Types of revocations: • Immediate vs. delayed • Selective vs. general • Partial vs. total • Temporary vs. permanent • Access List – Delete access rights from access list • Simple • Immediate • Can be general or selective, total or partial, permanent or temporary • Capability List – Scheme required to locate capability in the system before capability can be revoked • Reacquisition • Back-pointers • Indirection • Keys
Practice Problem Most modern processors and operating systems enforce protection boundaries that prevent programs from interfering with one another or with the operating system, and that allow the operating system to securely mediate and monitor all accesses to shared resources in accordance with a protection policy. Briefly summarize the most important mechanisms underlying OS protection.