Transcript Chapter 14

Chapter 14: Protection
• Goals of Protection
• Principles of Protection
• Domain of Protection
• Access Matrix
• Implementation of Access Matrix
• Capability-Based Systems
• Language-Based Protection
Operating System Concepts
14.1
Silberschatz, Galvin and Gagne ©2005
Objectives
• Discuss the goals and principles of protection in a modern computer system
• Explain how protection domains combined with an access matrix are used to specify the resources a process may access
• Examine capability and language-based protection systems
Goals of Protection
• The operating system controls access to a collection of objects, hardware or software.
• Each object has a unique name and can be accessed through a well-defined set of operations.
• The focus of this chapter is to describe the protection mechanisms the OS must provide so that application programmers can use them in designing software that protects the resources created by an application subsystem.
• Protection problem: ensure that each object is accessed correctly and only by those processes that are allowed to do so.
  – Policies for accessing a resource can change over time.
Principles of Protection
• Guiding principle: the principle of least privilege
  – Programs, users and systems should be given just enough privileges to perform their tasks.
  – For example, users should be given accounts with just the privileges the user needs.
Domain of Protection
• Objects: both hardware (CPU, printers, memory, disks, …) and software objects (files, programs, semaphores, etc.)
• Each object has a unique name and can only be accessed through well-defined operations, the operations depending on the object.
  – For example, a CPU can only be executed on, memory segments can only be read and written, files can be …
• Need-to-know principle: a process should be allowed to access only those resources that it currently requires to complete its task.
Domain Structure
• Access-right = <object-name, rights-set>, where rights-set is a subset of all valid operations that can be performed on the object.
• Domain = set of access-rights
• A domain can be realized in many ways. For example:
  – Each user may be a domain. In this case the set of objects that can be accessed depends on the identity of the user.
  – Each process may be a domain. The set of objects that can be accessed depends on the id of the process.
  – The association between a process and a domain may be dynamic or static.
An Example: UNIX
• In UNIX, a domain is associated with a user.
• Switching domain corresponds to changing the user ID temporarily.
  – Domain switching is accomplished via the file system.
• Each file has associated with it an owner identity and a domain bit (the setuid bit).
• When the setuid bit is on and a user executes that file, the user ID is set to that of the owner of the file; when the bit is off, the user ID does not change.
  – For example, when a user process with user-id = A starts executing a file owned by B whose domain bit is off, the user-id of the process remains A. When the setuid bit is on, the user-id is set to that of the owner of the file, namely B. When execution completes, this temporary user ID change ends.
• Domain switching is used when an otherwise privileged facility needs to be made available to a general user. For example, it might be desirable to allow users to access a network without letting them write their own networking programs.
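The UNIX domain switch just described, as an added example that is not part of the original slides. The first two functions encode the rule (the process keeps the caller's user ID unless the file's domain bit is on, in which case it takes the owner's ID until execution completes); the audit helper shows how a defender enumerates the files on a system that would trigger such a switch. It is Python and POSIX-only; the file names `plain-tool` and `net-helper` and their modes are constructed for the demo.

```python
import os
import stat
import tempfile


def effective_uid_after_exec(caller_uid, owner_uid, setuid_bit):
    """Domain-switch rule from the slides: with the file's domain (setuid) bit
    on, the process takes the owner's user ID; otherwise it keeps the caller's."""
    return owner_uid if setuid_bit else caller_uid


def run_as(caller_uid, owner_uid, setuid_bit):
    """Simulate one exec of a file: (user ID while it runs, user ID afterwards).
    The temporary ID change ends when execution completes."""
    during = effective_uid_after_exec(caller_uid, owner_uid, setuid_bit)
    return during, caller_uid


def is_setuid(path):
    """True if the file's mode carries the domain bit (S_ISUID)."""
    return bool(os.stat(path).st_mode & stat.S_ISUID)


def find_setuid_files(root):
    """Defensive audit: every regular file under root that would move a caller
    into its owner's domain on exec. Symlinks are skipped so the bit is read
    from the file itself, not from whatever the link points at."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            if is_setuid(path):
                found.append(os.path.relpath(path, root))
    return sorted(found)


def demo():
    """Constructed layout: two scripts, one of them marked setuid (mode 4755)."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("plain-tool", 0o755), ("net-helper", 0o4755)):
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\nexit 0\n")
            os.chmod(path, mode)  # 0o4755 sets the domain bit on net-helper
        return find_setuid_files(root)


if __name__ == "__main__":
    print("uid 1000 running a root-owned setuid file:", run_as(1000, 0, True))
    print("uid 1000 running a root-owned plain file:", run_as(1000, 0, False))
    print("setuid files found in the demo tree:", demo())
```

Run it as a script; `find_setuid_files("/usr")` on a real host gives the inventory of privileged facilities that the slide's "network access without writing networking programs" pattern relies on, which is the list worth reviewing against least privilege.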
Domain Implementation (Multics)
• Protection domains are organized hierarchically into a ring structure. Each ring corresponds to a single domain. Rings are numbered from 0 to 7.
• Let Di and Dj be any two domain rings. If j < i, then Di ⊂ Dj, i.e., a process executing in domain Dj has more privileges than a process executing in domain Di.
Figure: Multics Rings
Access Matrix
• View protection as a matrix (access matrix)
• Rows represent domains
• Columns represent objects
• Access(i, j) is the set of operations that a process executing in Domain i can invoke on Object j
Access Matrix
Figure A
Use of Access Matrix
• If a process in domain Di tries to do "op" on object Oj, then "op" must be in the access matrix.
• Can be expanded to dynamic protection:
  – Operations to add and delete access rights.
  – Special access rights:
    – owner of Oi
    – copy op from Oi to Oj
    – control: Di can modify Dj's access rights
    – transfer: switch from domain Di to Dj
Use of Access Matrix (Cont.)
• Access matrix design separates mechanism from policy.
  – Mechanism
    – The operating system provides the access matrix plus rules.
    – It ensures that the matrix is only manipulated by authorized agents and that rules are strictly enforced.
  – Policy
    – The user dictates policy: who can access what object and in what mode.
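The basic rule and the four special rights (owner, copy, control, switch) as working code, added here as an example; it is not from the slides or the textbook. It follows the textbook conventions that a copy flag is written as an asterisk on the right (`write*`), that control lets the holder remove rights from the controlled domain's row, and that domains appear as objects in their own columns so `switch` and `control` can be stored like any other right. The domain and file names (`D1`..`D3`, `F1`, `F2`) and the grants in `demo()` are constructed.

```python
from collections import defaultdict


class Denied(PermissionError):
    """Raised when the requested operation is not in Access(i, j)."""


class AccessMatrix:
    """Sparse access matrix: rights[(domain, object)] is a set of operations.
    Domains are entered as objects too (as in Figure B), so the 'switch' and
    'control' rights live in the domain columns."""

    def __init__(self):
        self.rights = defaultdict(set)

    def grant(self, domain, obj, *ops):
        self.rights[(domain, obj)].update(ops)

    def _require(self, domain, obj, op):
        if op not in self.rights[(domain, obj)]:
            raise Denied(f"{domain} may not '{op}' {obj}")

    def can(self, domain, obj, op):
        """The basic rule: op is permitted iff it appears in Access(domain, obj)."""
        return op in self.rights[(domain, obj)]

    # --- the special rights from the slide ---------------------------------

    def switch(self, domain, target):
        """transfer/switch: a process in domain may move to target only if the
        'switch' right sits in target's column of domain's row."""
        self._require(domain, target, "switch")
        return target

    def copy(self, domain, obj, target, op, transfer=False):
        """copy: a right carrying the copy flag ('op*') may be copied down obj's
        column to another domain. Plain copy hands over 'op' without the flag
        (limited copy); transfer=True moves the flagged right instead."""
        flagged = op + "*"
        self._require(domain, obj, flagged)
        if transfer:
            self.rights[(target, obj)].add(flagged)
            self.rights[(domain, obj)].discard(flagged)
        else:
            self.rights[(target, obj)].add(op)

    def owner_grant(self, domain, obj, target, *ops):
        """owner: the owner of obj may add rights anywhere in obj's column."""
        self._require(domain, obj, "owner")
        self.rights[(target, obj)].update(ops)

    def control(self, domain, target, obj, op):
        """control: a domain holding 'control' over target may remove rights
        from target's row."""
        self._require(domain, target, "control")
        self.rights[(target, obj)].discard(op)


def demo():
    """Constructed matrix with three domains and two files."""
    m = AccessMatrix()
    m.grant("D1", "F1", "read", "write*", "owner")  # D1 owns F1, may pass 'write' on
    m.grant("D1", "D2", "switch")                    # D1 may switch into D2
    m.grant("D2", "F2", "read")
    m.grant("D3", "D2", "control")                   # D3 controls D2's row

    out = {}
    out["D2 writes F1 before copy"] = m.can("D2", "F1", "write")
    m.copy("D1", "F1", "D2", "write")
    out["D2 writes F1 after copy"] = m.can("D2", "F1", "write")
    out["D2 may pass write on"] = m.can("D2", "F1", "write*")  # limited copy: no flag

    m.owner_grant("D1", "F1", "D3", "read")
    out["D3 reads F1 after owner grant"] = m.can("D3", "F1", "read")

    out["D1 switches to"] = m.switch("D1", "D2")
    try:
        m.switch("D2", "D1")
    except Denied:
        out["D2 switches to D1"] = "denied"

    m.control("D3", "D2", "F2", "read")
    out["D2 reads F2 after control"] = m.can("D2", "F2", "read")
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

Every special right is itself just an entry in the matrix, which is the mechanism/policy split of the next slide in miniature: the class enforces the rules, and which entries exist (the policy) is decided by whoever calls `grant`.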
Implementation of Access Matrix
• Implementing the access matrix as a matrix is very expensive in terms of space consumed because it is sparse, i.e., most of the entries in the matrix are null. So the following two approaches are used for implementing the access matrix:
• Each column = access-control list for one object. Defines who can perform what operation.
  – Domain 1 = Read, Write
  – Domain 2 = Read
  – Domain 3 = Read
• Each row = capability list (like a key). For each domain, what operations are allowed on what objects.
  – Object 1 – Read
  – Object 4 – Read, Write, Execute
  – Object 5 – Read, Write, Delete, Copy
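The two sparse representations built from one set of non-empty cells, added here as an example rather than taken from the slides. The entries reproduce the slide's own sample values (the ACL of Object 1 and the capability list of Domain 2); the other cells are empty, which is what makes the full matrix wasteful. The object and domain names are the slide's; the 3-by-5 size is an assumption for the demo.

```python
from collections import defaultdict

# Constructed sparse matrix: only the non-empty cells are stored.
ENTRIES = {
    ("Domain 1", "Object 1"): {"Read", "Write"},
    ("Domain 2", "Object 1"): {"Read"},
    ("Domain 3", "Object 1"): {"Read"},
    ("Domain 2", "Object 4"): {"Read", "Write", "Execute"},
    ("Domain 2", "Object 5"): {"Read", "Write", "Delete", "Copy"},
}
DOMAINS = ["Domain 1", "Domain 2", "Domain 3"]
OBJECTS = ["Object 1", "Object 2", "Object 3", "Object 4", "Object 5"]
OPS = ("Read", "Write", "Execute", "Delete", "Copy")


def build_acls(entries):
    """Column view: object -> {domain: operations} (one ACL per object)."""
    acls = defaultdict(dict)
    for (domain, obj), ops in entries.items():
        acls[obj][domain] = set(ops)
    return dict(acls)


def build_capability_lists(entries):
    """Row view: domain -> {object: operations} (one capability list per domain)."""
    caps = defaultdict(dict)
    for (domain, obj), ops in entries.items():
        caps[domain][obj] = set(ops)
    return dict(caps)


def allowed_by_acl(acls, domain, obj, op):
    """Check against the object's ACL; the object is the lookup key."""
    return op in acls.get(obj, {}).get(domain, set())


def allowed_by_capability(caps, domain, obj, op):
    """Check against the domain's capability list; the domain is the key."""
    return op in caps.get(domain, {}).get(obj, set())


def who_can(acls, obj, op):
    """The question an ACL answers cheaply: which domains may do op on obj?"""
    return sorted(d for d, ops in acls.get(obj, {}).items() if op in ops)


def what_can(caps, domain):
    """The question a capability list answers cheaply: what may domain do?"""
    return {obj: sorted(ops) for obj, ops in caps.get(domain, {}).items()}


def sparsity(entries, domains, objects):
    """(non-empty cells stored, cells a full matrix would have to hold)."""
    return len(entries), len(domains) * len(objects)


def consistent(entries, domains, objects, ops=OPS):
    """Both representations answer every (domain, object, op) query alike."""
    acls, caps = build_acls(entries), build_capability_lists(entries)
    return all(
        allowed_by_acl(acls, d, o, op) == allowed_by_capability(caps, d, o, op)
        for d in domains for o in objects for op in ops
    )


if __name__ == "__main__":
    acls, caps = build_acls(ENTRIES), build_capability_lists(ENTRIES)
    print("ACL of Object 1:", acls["Object 1"])
    print("Capability list of Domain 2:", what_can(caps, "Domain 2"))
    print("Who can Read Object 1:", who_can(acls, "Object 1", "Read"))
    print("Cells stored vs full matrix:", sparsity(ENTRIES, DOMAINS, OBJECTS))
```

The two views hold the same information, so the choice between them is about which question the system asks most often: an ACL is indexed by the object being accessed, a capability list by the domain doing the accessing.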
Access Matrix of Figure A With Domains as Objects
Figure B
Capability-Based Systems
• Hydra
  – Fixed set of access rights known to and interpreted by the system.
  – Interpretation of user-defined rights is performed solely by the user's program; the system provides access protection for the use of these rights as well as for the use of system-defined rights.
• The Cambridge CAP System provides support for two kinds of capabilities:
  – Data capability: can be used to provide access rights to objects, but the only rights provided are the standard read, write and execute of the individual storage segments associated with the object.
  – Software capability: interpretation is left to the subsystem, through its protected procedures.
Language-Based Protection
• Specification of protection in a programming language allows the high-level description of policies for the allocation and use of resources.
• A language implementation can provide software for protection enforcement when automatic hardware-supported checking is unavailable.
• Protection specifications are interpreted to generate calls on whatever protection system is provided by the hardware and the operating system.
Protection in Java 2
• Protection is handled by the Java Virtual Machine (JVM).
• A class is assigned a protection domain when it is loaded by the JVM (typically based on the URL it was loaded from).
• The protection domain indicates what operations the class can (and cannot) perform.
• If a library method is invoked that performs a privileged operation, the stack is inspected to ensure the operation can be performed by the class.
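The stack inspection described on the last slide, modelled in Python as an added example; it is not JVM code and not from the slides. The decorator stands in for the JVM assigning a protection domain to a class at load time, `check_permission` plays the role of the permission check a privileged library method performs, and `do_privileged` plays the role of `AccessController.doPrivileged`, which stops the inspection at the frame of the trusted code that invoked it. The two domains, their policy and the functions `read_config` and `read_public_banner` are constructed for the demo; frames that belong to no registered domain (the interpreter, a test harness) are treated as trusted, a simplification of how the JVM treats its core classes.

```python
import inspect

# Constructed policy: the privileged operations each protection domain may
# perform. "system" stands for trusted core classes, "applet" for code loaded
# from an untrusted URL.
POLICY = {
    "system": {"read_file", "open_socket"},
    "applet": set(),
}

# Registry from a function's code object to its protection domain: the
# stand-in for the JVM assigning a domain to a class when it is loaded.
_DOMAIN_OF = {}


def in_domain(name):
    """Decorator: place a function in protection domain `name`."""
    def wrap(fn):
        _DOMAIN_OF[fn.__code__] = name
        return fn
    return wrap


class AccessDenied(PermissionError):
    pass


def do_privileged(action):
    """Like AccessController.doPrivileged: frames beneath this one are not
    inspected, so the calling code vouches for the action with its own domain."""
    return action()


def check_permission(op):
    """Walk the call stack from the innermost caller outward. Every frame that
    belongs to a registered domain must be permitted `op`; frames with no
    domain are treated as trusted. The walk ends right after the frame that
    called do_privileged, so untrusted callers further out are not consulted."""
    stop_after_next = False
    for info in inspect.stack(0)[1:]:
        code = info.frame.f_code
        if code is do_privileged.__code__:
            stop_after_next = True
            continue
        domain = _DOMAIN_OF.get(code)
        if domain is not None and op not in POLICY[domain]:
            raise AccessDenied(f"{info.function} in domain '{domain}' lacks {op}")
        if stop_after_next:
            break
    return True


# --- library code in the trusted "system" domain ----------------------------

@in_domain("system")
def read_config():
    check_permission("read_file")
    return "config contents"          # stands in for the real file read


@in_domain("system")
def read_public_banner():
    # A trusted method that deliberately exposes one narrow privileged step.
    return do_privileged(read_config)


# --- code in the untrusted "applet" domain ----------------------------------

@in_domain("applet")
def applet_reads_config():
    return read_config()              # an applet frame is on the stack: denied


@in_domain("applet")
def applet_reads_banner():
    return read_public_banner()       # inspection stops at the system frame: allowed


def attempt(fn):
    """Run fn and report 'denied' instead of raising, for the demo."""
    try:
        return fn()
    except AccessDenied:
        return "denied"


if __name__ == "__main__":
    print("applet -> read_config:", attempt(applet_reads_config))
    print("applet -> read_public_banner:", attempt(applet_reads_banner))
```

The design point is that the check looks at every domain on the stack, not just the immediate caller: untrusted code cannot gain a privileged operation by routing the call through a trusted library method, unless that method explicitly takes responsibility for the step with `do_privileged`.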