Lecture 34
CS 470 Operating Systems - Lecture 34, Wednesday, April 6

Reminder: no class on Friday.
Questions?

Outline
- Protection vs. security
- Protection domains
- Access matrix
- Implementations
  - Access lists, capability lists
  - Unix
- Language-based protection

Protection vs. Security
These are the last topics for this class. The definition of each is somewhat arbitrary:
- Protection (Chapter 14): making sure that accesses by users, programs, and subsystems are authorized and do not cause inconsistencies, i.e., making a reliable system. This is an internal OS issue.
- Security (Chapter 15): dealing with the external environment: making sure that only authorized users gain access, preventing malicious destruction or alteration of data, and preventing denial of service.

Protection
There are two parts to a protection scheme:
- Policy: the rules that govern how resources are to be used.
- Mechanism: the OS support for enforcing the policy.
We will focus on mechanism, looking for general mechanisms that can be used to enforce any policy and that are efficient in both space and time.

Protection Domains (1)
Consider a computer system as a collection of processes and objects (both hardware and software). Each object has a name and a set of operations that may be performed on it. A process should be allowed to access only those objects and operations for which it is authorized, and only those that it needs to complete its current task.

Protection Domains (2)
Each process is given a protection domain (PD). A PD is a set of access rights, each written <obj, {ops}>, that specifies which objects may be accessed and which operations may be invoked by a process running in that PD.

Example domains (the figure on this slide, reconstructed):
  D1: <O3, {read, write}>  <O1, {read, write}>  <O2, {execute}>
  D2: <O2, {write}>        <O4, {print}>
  D3: <O1, {execute}>      <O3, {read}>         <O4, {print}>

Protection Domains (3)
PDs may be disjoint (e.g., D1) or may share access rights (e.g., D2 and D3 share <O4, {print}>).
The association of a process with a PD can be static or dynamic. If it is static, the contents of the domain must be alterable in order to enforce a need-to-know policy, e.g., a read-only phase followed by a write-only phase. Usually the association is dynamic and a process can switch between domains.

Protection Domains (4)
PDs can be defined in different ways:
- Based on user identity, e.g., Unix. Switch PDs by logging in as a different user.
- Based on process identity, e.g., TOPS-20. Switch PDs by asking another process to do the task.
Simple example: a single-tasking OS has two modes, kernel and user, which are also its PDs. The OS runs in the kernel domain and the user program in the user domain. Some operations can be done only in kernel mode, so the user program asks the OS to do them.

Access Matrix (1)
The most general model of PDs is the access matrix: one row per domain and one column per object. Since domains are themselves objects, each domain also appears as a column.

  object:  F1           F2     F3       Printer  D1      D2      D3      D4
  D1       read                read                      switch
  D2                                    print                    switch  switch
  D3                    read   execute
  D4       read, write                           switch

Access Matrix (2)
Define access(i, j) to be the set of operations on object Oj that a process in PD Di can invoke.
Policy decides what entries are put into the matrix. Users usually set the entries for their own objects.
The matrix is also used for domain switching: if "switch" is a member of access(i, j), where Oj is the domain Dj, then a process in PD Di can switch to PD Dj. In the matrix above, D1 can switch to D2, D2 to D3 or D4, and D4 to D1.

Access Matrix (3)
The access matrix is an object itself, so changes to its contents must also be controlled. Additional rights:
- copy: allows a process in Di that holds a right on Oj to copy that right into any other entry in the same column, i.e., to give another domain the same right on the same object. This can be a full copy, a transfer (the right is removed from Di), or a limited copy (the copied right does not itself carry the copy right, so it cannot be propagated further).
- owner: allows a process in Di to add rights to and remove rights from any entry in Oj's column.
- control: applies to domain objects. If "control" is in access(i, j) for domain Dj, a process in Di can change the entries in Dj's row.

Implementing PDs
Implementing PDs raises many issues. The access matrix is sparse, but the standard sparse-matrix techniques do not work well.
One could keep a global table of <domain, object, rights set> entries. When operation M is executed on object Oj in PD Di, look for an entry <Di, Oj, Rk> with M ∈ Rk.
Such a table is generally too large for main memory, and it cannot express groupings: e.g., "everyone has the read right" requires an entry for every PD.

Access Lists
A common implementation is the access list: one list per object, of <domain, rights set> entries.
Extend the idea with a default set of rights. When M is executed on object Oj in PD Di, search Oj's access list for an entry <Di, Rk> with M ∈ Rk. If none is found, look in the default list (or vice versa). Basically, each list is one column of the matrix.

Capability Lists
PDs can also be implemented by turning each row of the access matrix into a list of capabilities of the form <object, {operations}>.
A capability can often be used as a kind of secure pointer: possession of the capability immediately implies the right to perform the listed operations, so no access check is needed at invocation time. Of course, this only works if a process cannot create or alter capabilities, so capability manipulation must be a kernel-mode operation done only by the OS.

Unix Protection (1)
Unfortunately, capability-based systems, and even access-list systems, are too slow. Most OSs use something similar to the Unix protection scheme.
In Unix, a PD is defined on the file system only, and is based on user identity. There are 3 PDs: owner, group, and world. There are 3 operations: read, write, and execute. The rights to perform these operations form a bit vector, represented in the familiar form rwxrwxrwx.

Unix Protection (2)
Usually, a process runs in the
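A worked example for the Access Matrix slides above, added here and not part of the lecture. It models the slide's matrix as a small Python class with access(i, j), domain switching via the switch right, and the three matrix-modifying rights (copy in its full, transfer and limited forms, owner, and control). The matrix entries are the slide's figure; the class and method names, the '*' suffix used to mark a copyable right, and the owner, control and copyable-write entries that scenario() grants are assumptions made for the demo.

```python
# Added example for the Access Matrix slides, not code from the lecture. The
# matrix entries are the slide's figure; the class and method names, the '*'
# suffix marking a copyable right, and the owner, control and write* entries
# used in scenario() are assumptions made for this demo.

class AccessMatrix:
    """Rows are protection domains, columns are objects. Domains are objects
    too, so a domain name can be a column: that is where 'switch' and 'control' live."""

    def __init__(self):
        self.cells = {}  # (domain, object) -> set of rights

    def access(self, dom, obj):
        """access(i, j): the rights domain dom holds on object obj."""
        return self.cells.setdefault((dom, obj), set())

    def may(self, dom, obj, op):
        """Ordinary operation check; a copyable 'read*' still permits read."""
        return op in self.access(dom, obj) or op + "*" in self.access(dom, obj)

    def switch(self, cur, target):
        """Domain switching: allowed iff 'switch' is in access(cur, target)."""
        if "switch" not in self.access(cur, target):
            raise PermissionError(f"{cur} may not switch to {target}")
        return target

    def copy_right(self, src, obj, right, dst, mode="copy"):
        """Copy a right within one column. src must hold it with the copy
        flag (right + '*'). 'copy': dst gets right*; 'transfer': as copy but
        src loses it; 'limited': dst gets the bare right, so cannot pass it on."""
        if right + "*" not in self.access(src, obj):
            raise PermissionError(f"{src} holds no copyable {right} on {obj}")
        if mode == "limited":
            self.access(dst, obj).add(right)
            return
        self.access(dst, obj).add(right + "*")
        if mode == "transfer":
            self.access(src, obj).discard(right + "*")

    def owner_edit(self, actor, obj, dom, add=(), remove=()):
        """'owner' in access(actor, obj): add or remove any right in obj's column."""
        if "owner" not in self.access(actor, obj):
            raise PermissionError(f"{actor} does not own {obj}")
        self.access(dom, obj).update(add)
        self.access(dom, obj).difference_update(remove)

    def control_remove(self, actor, dom, obj, right):
        """'control' in access(actor, dom): remove a right from dom's row."""
        if "control" not in self.access(actor, dom):
            raise PermissionError(f"{actor} does not control {dom}")
        self.access(dom, obj).discard(right)


def slide_matrix():
    """The slide's figure, plus the assumed copy flag on D4's write right."""
    m = AccessMatrix()
    for dom, obj, right in [
        ("D1", "F1", "read"), ("D1", "F3", "read"), ("D1", "D2", "switch"),
        ("D2", "Printer", "print"), ("D2", "D3", "switch"), ("D2", "D4", "switch"),
        ("D3", "F2", "read"), ("D3", "F3", "execute"),
        ("D4", "F1", "read"), ("D4", "F1", "write*"), ("D4", "D1", "switch"),
    ]:
        m.access(dom, obj).add(right)
    return m


def attempt(fn, *args):
    """True if the matrix operation was permitted, False if it was refused."""
    try:
        fn(*args)
        return True
    except PermissionError:
        return False


def scenario():
    """Exercise each right on the slide matrix; returns what happened."""
    m = slide_matrix()
    out = {"d1_read_f1": m.may("D1", "F1", "read"),
           "d1_write_f1": m.may("D1", "F1", "write")}
    # Legal switch chain D1 -> D2 -> D4 -> D1; D1 -> D3 has no switch right.
    out["chain_ends_in"] = m.switch(m.switch(m.switch("D1", "D2"), "D4"), "D1")
    out["d1_to_d3"] = attempt(m.switch, "D1", "D3")
    # Limited copy: D1 may now write F1 but cannot pass that right on.
    m.copy_right("D4", "F1", "write", "D1", "limited")
    out["d1_write_after_copy"] = m.may("D1", "F1", "write")
    out["d1_propagates"] = attempt(m.copy_right, "D1", "F1", "write", "D3")
    # Transfer: the copyable write moves from D4 to D3.
    m.copy_right("D4", "F1", "write", "D3", "transfer")
    out["d4_write_after_transfer"] = m.may("D4", "F1", "write")
    out["d3_write_after_transfer"] = m.may("D3", "F1", "write")
    # owner (assumed entry): D2 owns the Printer and grants D3 print; D1 cannot.
    m.access("D2", "Printer").add("owner")
    m.owner_edit("D2", "Printer", "D3", ("print",))
    out["d3_prints"] = m.may("D3", "Printer", "print")
    out["d1_owner_edit"] = attempt(m.owner_edit, "D1", "Printer", "D1", ("print",))
    # control (assumed entry): D2 controls D4's row and revokes D4's switch into D1.
    m.access("D2", "D4").add("control")
    m.control_remove("D2", "D4", "D1", "switch")
    out["d4_switch_d1_after_revoke"] = attempt(m.switch, "D4", "D1")
    return out
```

Calling scenario() walks through one instance of each right. The point worth noticing is that every operation that changes the matrix is itself gated by an entry in the matrix: copy needs the flag on the source entry, owner and control are looked up like any other right, and a domain that merely received a limited copy is refused when it tries to hand the right on.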
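A second added example (not lecture code) for the Access Lists and Capability Lists slides above: the same slide matrix sliced by column into per-object access lists with a default-rights fallback, and by row into per-domain capability lists that live inside a simulated kernel and are reached only through integer handles. MATRIX is the slide's figure; the function and class names, the default-rights dictionary and the handle scheme are assumptions for the demo.

```python
# Added example for the Access Lists and Capability Lists slides, not code
# from the lecture. MATRIX is the slide's figure; the function and class
# names, the default-rights dictionary and the integer handles are assumed.
from collections import defaultdict

# The slide's matrix, one row per domain; domains appear as columns too.
MATRIX = {
    "D1": {"F1": {"read"}, "F3": {"read"}, "D2": {"switch"}},
    "D2": {"Printer": {"print"}, "D3": {"switch"}, "D4": {"switch"}},
    "D3": {"F2": {"read"}, "F3": {"execute"}},
    "D4": {"F1": {"read", "write"}, "D1": {"switch"}},
}
ALL_OPS = ("read", "write", "execute", "print", "switch")


def access_lists(matrix):
    """Column view: for each object, a list of <domain, rights> entries."""
    acl = defaultdict(list)
    for dom, row in matrix.items():
        for obj, rights in row.items():
            acl[obj].append((dom, frozenset(rights)))
    return dict(acl)


def acl_allows(acl, defaults, dom, obj, op):
    """Search obj's list for <dom, Rk> with op in Rk, then obj's defaults."""
    for d, rights in acl.get(obj, ()):
        if d == dom and op in rights:
            return True
    return op in defaults.get(obj, ())


class Kernel:
    """Row view. Every domain's capability list lives here, in 'kernel space'.
    User code holds only integer handles into its own list, so it can neither
    inspect nor forge a capability; only Kernel methods change the lists."""

    def __init__(self, matrix):
        self._clists = {dom: [(obj, frozenset(ops)) for obj, ops in row.items()]
                        for dom, row in matrix.items()}

    def lookup(self, dom, obj):
        """Handle of dom's capability for obj; PermissionError if it has none."""
        for handle, (o, _) in enumerate(self._clists.get(dom, [])):
            if o == obj:
                return handle
        raise PermissionError(f"{dom} holds no capability for {obj}")

    def invoke(self, dom, handle, op):
        """Possession is the check: index straight into the caller's own list,
        no search and no policy lookup. A handle only means something relative
        to the list of the domain presenting it."""
        try:
            obj, ops = self._clists[dom][handle]
        except (KeyError, IndexError, TypeError):
            raise PermissionError(f"{dom}: invalid capability {handle!r}") from None
        if op not in ops:
            raise PermissionError(f"{dom}: capability for {obj} lacks {op}")
        return f"{op} {obj}"

    def delegate(self, src, handle, dst):
        """Kernel-mediated copy of a capability into dst's list. Whether src
        may do this is policy (the copy right); it is simply allowed here."""
        self._clists[dst].append(self._clists[src][handle])
        return len(self._clists[dst]) - 1


def views_agree(matrix):
    """Both views answer every (domain, object, op) question identically."""
    acl, kernel = access_lists(matrix), Kernel(matrix)
    for dom in matrix:
        for obj in acl:
            for op in ALL_OPS:
                try:
                    kernel.invoke(dom, kernel.lookup(dom, obj), op)
                    by_cap = True
                except PermissionError:
                    by_cap = False
                if by_cap != acl_allows(acl, {}, dom, obj, op):
                    return False
    return True


def demo():
    acl, kernel = access_lists(MATRIX), Kernel(MATRIX)
    defaults = {"F3": {"read"}}  # assumed: every domain may read F3
    out = {"d1_read_f1_acl": acl_allows(acl, defaults, "D1", "F1", "read"),
           "d3_read_f1_acl": acl_allows(acl, defaults, "D3", "F1", "read"),
           "d4_read_f3_default": acl_allows(acl, defaults, "D4", "F3", "read"),
           "d4_write_f3_default": acl_allows(acl, defaults, "D4", "F3", "write")}
    h = kernel.lookup("D1", "F1")
    out["d1_invoke"] = kernel.invoke("D1", h, "read")
    # The same handle presented by D3 indexes D3's list: it names F2, not F1.
    out["d3_same_handle"] = kernel.invoke("D3", h, "read")
    try:
        kernel.invoke("D1", 99, "read")
        out["forged_handle"] = "accepted"
    except PermissionError:
        out["forged_handle"] = "rejected"
    out["d3_after_delegate"] = kernel.invoke("D3", kernel.delegate("D1", h, "D3"), "read")
    return out
```

views_agree() confirms that the column and row views are the same matrix; demo() shows where they differ in practice: the ACL path walks the object's list (and the default list) on every operation, while the capability path does one indexed lookup and trusts possession. Because handles are resolved against the presenting domain's own list, a handle copied from another process is not a leaked right; it just names whatever sits at that slot in the copier's list.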
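An added example (not lecture code) for the rwxrwxrwx scheme on the Unix Protection slide above: parsing the nine-character bit vector and applying the owner/group/world check to a process identity. Function names and the sample uid/gid values are assumptions; the superuser override and setuid behaviour of real Unix are left out because the slides have not covered them.

```python
# Added example for the Unix Protection slide, not code from the lecture.
# Function names, the sample files and the uid/gid values are assumptions.
# Only the slide's three PDs and three operations are modelled: no superuser
# override, no setuid, no POSIX ACLs, no directory meaning of 'x'.

OP_BIT = {"read": 4, "write": 2, "execute": 1}   # r=4, w=2, x=1 within a triple
PD_SHIFT = {"owner": 6, "group": 3, "world": 0}  # position of each triple


def parse_mode(text):
    """'rwxr-x---' -> 0o750. The nine characters are the bit vector, owner
    triple first; each position is either its letter or '-'."""
    if len(text) != 9:
        raise ValueError(f"need 9 characters: {text!r}")
    bits = 0
    for i, (ch, want) in enumerate(zip(text, "rwxrwxrwx")):
        if ch == want:
            bits |= 1 << (8 - i)
        elif ch != "-":
            raise ValueError(f"bad character {ch!r} at position {i}")
    return bits


def format_mode(bits):
    """0o750 -> 'rwxr-x---' (the inverse of parse_mode)."""
    return "".join(ch if bits & (1 << (8 - i)) else "-"
                   for i, ch in enumerate("rwxrwxrwx"))


def domain_of(file_uid, file_gid, euid, groups):
    """The one PD the process occupies for this file. The test is ordered:
    owner beats group beats world, even when a later triple grants more."""
    if euid == file_uid:
        return "owner"
    if file_gid in groups:
        return "group"
    return "world"


def allowed(mode, file_uid, file_gid, euid, groups, op):
    """May a process with (euid, groups) perform op on a file with these
    mode bits and ownership? Exactly one triple of the vector is consulted."""
    pd = domain_of(file_uid, file_gid, euid, groups)
    return bool((mode >> PD_SHIFT[pd]) & OP_BIT[op])


def demo():
    """Constructed sample: a file owned by uid 1000, gid 100."""
    report = {}
    normal = parse_mode("rw-r-----")  # 0o640
    owner, member, other = (1000, {100}), (1001, {100, 200}), (1002, {200})
    for name, (euid, groups) in [("owner", owner), ("group", member), ("world", other)]:
        for op in OP_BIT:
            report[f"{name}_{op}"] = allowed(normal, 1000, 100, euid, groups, op)
    # The classic surprise: '---rwxrwx' (0o077) locks out the owner while
    # everyone else can read and write, because only the owner triple is used.
    locked = parse_mode("---rwxrwx")
    report["owner_077_read"] = allowed(locked, 1000, 100, 1000, {100}, "read")
    report["world_077_read"] = allowed(locked, 1000, 100, 1002, {200}, "read")
    report["round_trip"] = format_mode(normal)
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>18}: {value}")
```

The check a practitioner should carry away is in domain_of(): the three PDs are not unioned. A process lands in exactly one of them per file, decided by identity alone, and only that triple of the bit vector is consulted, which is why a mode such as 0o077 denies the owner what it grants to the world.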