CS 470 Operating Systems - Lecture 34
Wednesday, April 6

Lecture 34
- Reminder: no class on Friday
- Questions?

Outline
- Protection vs. security
- Protection domains
- Access matrix
- Implementations: access lists, capability lists
- Unix
- Language-based protection

Protection vs. Security
These are the last topics for this class. The definition of each is somewhat arbitrary:
- Protection (Chapter 14): making sure that accesses by users, programs, and subsystems are authorized and do not cause inconsistencies, i.e., making a reliable system. This is an internal OS issue.
- Security (Chapter 15): dealing with the external environment: making sure that only authorized users gain access, preventing malicious destruction or alteration of data, and preventing denial of service.

Protection
There are two parts to a protection scheme:
- Policy: the rules that govern how resources are to be used.
- Mechanism: OS support for enforcing the policy.
We will focus on mechanism, looking for general mechanisms that can be used to enforce any policy and that are efficient in space and time.

Protection Domains
Consider a computer system as a collection of processes and objects (both hardware and software).
Each object has a name and a set of operations that may be performed on it. A process should be allowed to access only those objects and operations for which it is authorized, and only those needed to complete its current task.

Protection Domains
Each process is given a protection domain (PD). A PD is a set of access rights, written <obj, {ops}>, that specify which objects may be accessed and which operations may be invoked by processes in that PD.
  Figure: three domains D1, D2, D3 containing the access rights <O3, {read, write}>, <O2, {write}>, <O1, {execute}>, <O1, {read, write}>, <O3, {read}>, <O2, {execute}> and <O4, {print}>; D2 and D3 share <O4, {print}>.

Protection Domains
- PDs may be disjoint (e.g., D1) or may have shared access rights (e.g., D2 and D3 share <O4, {print}>).
- The association of a process with a PD can be static or dynamic. If static, the contents of the domain will need to be alterable to enforce any need-to-know policy, e.g., a read-only phase followed by a write-only phase. Usually the association is dynamic and a process can switch between domains.

Protection Domains
PDs can be defined in different ways:
- Based on user identity, e.g., Unix. Switch PDs by logging in as a different user.
- Based on process identity, e.g., TOPS-20. Switch PDs by asking another process to do the task. Simple example: a single-tasking OS has two modes, kernel and user, which are also the PDs. The OS runs in the kernel domain; the user runs in the user domain.
Some operations can be done only in kernel mode, so the user process asks the OS to do them.

Access Matrix
The most general model of PDs is an access matrix: one row per domain, one column per object (the domains themselves appear as objects so that switching can be expressed). Blank entries mean no rights.

          F1           F2     F3           Printer  D1      D2      D3      D4
  D1      read                read                         switch
  D2                                       print                   switch  switch
  D3                   read   execute
  D4      read, write         read, write          switch

Access Matrix
- Define access(i, j) to be the set of operations on object Oj that a process in PD Di can invoke.
- Policy decides what entries are put into the matrix. Users usually set the entries for their own objects.
- The matrix is also used for domain switching: if "switch" is a member of access(i, j), a process in PD Di can switch to PD Dj.

Access Matrix
The access matrix is an object itself, so changes to its contents must be controlled. Added rights:
- copy: allows a process in Di to copy the right to any other entry in the same column. This can be a full copy, a transfer (the right is removed from the source entry), or a limited copy (the copied right cannot itself be copied further).
- owner: allows a process in Di to add entries to and remove entries from the object's column.
- control: allows changes to the entries in a domain (i.e., a row). A process in Di with control over Dj can change the entries in Dj.

Implementing PDs
Implementing PDs raises many issues. The access matrix is sparse, but the standard sparse-matrix techniques do not work well.
- Could have a global table of <domain, object, rights set> entries. When operation M is executed on object Oj in PD Di, look for an entry <Di, Oj, Rk> where M ∈ Rk.
- Generally too large for main memory, and cannot express groupings. E.g., "everyone has read right" means an entry in every PD.

Access Lists
A common implementation is an access list. There is one list per object, of <domain, rights set> entries.
Extend the idea with a default set of rights. When M is executed on object Oj in PD Di, search Oj's access list for <Di, Rk> with M ∈ Rk. If not found, look in the default list (or vice versa).
Basically, each access list is a column of the access matrix.

Capability Lists
PDs can also be implemented by making each row of the access matrix into a list of capabilities of the form <object, {operations}>.
A capability can often be used as a kind of secure pointer: possession of the capability immediately implies the right to perform the listed operations, so no check is needed on use. Of course, this makes capability manipulation a kernel-mode operation that can only be done by the OS.

Unix Protection
Unfortunately, capability-based systems, and even access-list systems, are too slow. Most OSs use something similar to the Unix protection scheme.
In Unix, a PD is defined on the file system only, and is based on user identity. There are 3 PDs: owner, group, world. There are 3 operations: "read", "write", "execute". The rights to perform these operations form a bit vector, represented as the familiar rwxrwxrwx.

Unix Protection
Usually, a process runs in the
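The access matrix, access list, capability list and Unix rwx slides above, as an added example that is not part of the lecture: the slide's matrix encoded in Python, with the access(i, j) check, domain switching, and the column view (access list) and row view (capability list) derived from the same matrix. Column positions in the matrix follow the standard textbook figure the slide reproduces; the function names and the `unix_mode_rows` mapping are my own.

```python
# Matrix from the slide: rows are protection domains, columns are objects
# (files F1-F3, the Printer, and the domains themselves for "switch").
# Column positions follow the standard textbook figure the slide reproduces.
ACCESS_MATRIX = {
    "D1": {"F1": {"read"}, "F3": {"read"}, "D2": {"switch"}},
    "D2": {"Printer": {"print"}, "D3": {"switch"}, "D4": {"switch"}},
    "D3": {"F2": {"read"}, "F3": {"execute"}},
    "D4": {"F1": {"read", "write"}, "F3": {"read", "write"}, "D1": {"switch"}},
}

def access(domain, obj):
    """access(i, j): operations a process in domain i may invoke on object j."""
    return frozenset(ACCESS_MATRIX.get(domain, {}).get(obj, set()))

def may(domain, op, obj):
    """Reference-monitor check: is op a member of access(domain, obj)?"""
    return op in access(domain, obj)

def switch_domain(current, target):
    """Domain switching: allowed only if "switch" is in access(current, target)."""
    if not may(current, "switch", target):
        raise PermissionError(f"{current} may not switch to {target}")
    return target

def access_list(obj):
    """Access list = one matrix column: <domain, rights set> pairs for obj."""
    return {d: frozenset(row[obj])
            for d, row in ACCESS_MATRIX.items() if obj in row}

def capability_list(domain):
    """Capability list = one matrix row: <object, {operations}> for domain."""
    return {o: frozenset(ops) for o, ops in ACCESS_MATRIX[domain].items()}

def unix_mode_rows(mode, path="file"):
    """Map a Unix 'rwxrwxrwx' string onto three matrix rows (owner, group,
    world), showing the Unix scheme as a per-file access matrix with three
    domains and three operations. The path name is a constructed label."""
    if len(mode) != 9 or any(c not in "rwx-" for c in mode):
        raise ValueError("mode must be 9 characters drawn from r, w, x, -")
    names = {"r": "read", "w": "write", "x": "execute"}
    rows = {}
    for i, pd in enumerate(("owner", "group", "world")):
        bits = mode[3 * i:3 * i + 3]          # one rwx triple per domain
        rows[pd] = {path: frozenset(names[c] for c in bits if c != "-")}
    return rows
```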