CSE 380 Computer Operating Systems
Instructor: Insup Lee and Dianna Xu
University of Pennsylvania
Fall 2003
Lecture Note: Protection Mechanisms

Slide 2: Policy vs. Mechanism
- Access control policy is a specification
  - Given in terms of a model of the system
  - Subjects: do things (i.e. a process writes to files)
  - Objects: are passive (i.e. the file itself)
  - Actions: what the subjects do (i.e. read a string from a file)
  - Rights: describe authority (i.e. read or write permission)
- Mechanisms are used to implement a policy
  - Example: access control bits in the Unix file system & OS checks
  - A mechanism should be general; ideally it should not constrain the possible policies.
  - Complete mediation: every access must be checked

Slide 3: Reference Monitors
[Figure: a Subject sends a request (Action, Object) to the Monitor, which answers Granted or Denied]

Slide 4: Example Reference Monitors
- Operating Systems
  - File system
  - Memory (virtual memory, separate address spaces)
- Firewalls
  - Regulate network access
- Java Virtual Machine
  - Regulates Java programs' resource usage

Slide 5: Access Control Matrix
Each entry A[s][o] contains a set of rights.

  A[s][o]   Obj1      Obj2      ...   ObjN
  Subj1     {r,w,x}   {r,w}     ...   {}
  Subj2     {w,x}     {}        ...   ...
  ...       ...       ...       ...   ...
  SubjM     {x}       {r,w,x}   ...   {r,w,x}

Slide 6: Access Control Checks
- Suppose subject s wants to perform an action that requires right r on object o:
- If (r ∈ A[s][o]) then perform the action, else access is denied

Slide 7: Model for Resource Protection
- A Protection System is composed of
  - a set of subjects: processes executing in a specific protection domain
  - a set of objects: all the passive elements of the system plus all the subjects
  - a set of rules specifying the protection policy
- Protection Domain: the set of rights a process has at any given time
- The protection state is checked for each access of an object, X, by a subject, S
- The protection state can be conceptualized as an access matrix.
- A[S,X] is a set that describes the access rights held by subject S to object X.

Slide 8: Rights and Actions
- Besides read, write and execute actions there are many others:
- Ownership
- Creation
  - New subjects (i.e. in Unix add a user)
  - New objects (i.e. create a new file)
  - New rights: grant right r to subject s with respect to object o (sometimes called delegation)
- Deletion of
  - Subjects
  - Objects
  - Rights (sometimes called revocation)

Slide 9: Protecting the Reference Monitor
- It must not be possible to circumvent the reference monitor by corrupting it
- Mechanisms
  - Type checking
  - Software fault isolation: rewrite memory access instructions to perform bounds checking
  - User/Kernel modes
  - Segmentation of memory (OS resources aren't part of the virtual memory system)

Slide 10: Storing the Access Control Matrix
- Subjects >> # users
  - A row can correspond to a protection domain
  - Each subject runs within a protection domain
  - Example: User-ID and Group-ID in Unix determine the domain
- Objects >> # files
  - Potentially could have permissions on any resource
- The matrix is typically sparse
  - Store only non-empty entries

Slide 11: Access Control Lists
For each object, store a list of (Subject, Rights) pairs, i.e. one column of the access matrix shown on slide 5.

Slide 12: Access Control Lists
- Resolving queries is linear in the length of the list
- Revocation w.r.t. a single object is easy
- "Who can access this object?" is easy
  - Useful for auditing
- Lists could be long
  - Factor into groups (lists of subjects)
  - Give permissions based on group
  - Introduces a consistency question w.r.t. groups
- Authentication is critical
  - When does it take place? Every access would be expensive.

Slide 13: Capability Lists
For each subject, store a list of (Object, Rights) pairs, i.e. one row of the access matrix shown on slide 5.

Slide 14: Capabilities
- A capability is an (Object, Rights) pair
- Must be protected from tampering
  - Otherwise, subjects could get illegal access
- Authentication takes place when the capabilities are granted (not needed at use)
- Harder to carry out revocation (must find all entries where the object appears)
- Easy to audit a subject, hard to audit an object

Slide 15: Storing Capabilities Securely
- Special hardware: tagged words in memory
  - Can't copy/modify tagged words
- Store the capabilities in a protected address space
- Could use the static scoping mechanism of safe programming languages.
  - Java's "private" fields
- Could use cryptographic techniques
  - The OS kernel could sign (Object, Rights) pairs using a private key
  - Any process can verify the capability

Slide 16: Unix Security
- Each user has a unique 16-bit UID
  - The UID of root/superuser is 0
- Each user can belong to a group; each group has a unique 16-bit GID
- The protection domain of a process is determined by the (UID,GID) of the user that owns the process
- Every file has
  - the UID and GID of the owner
  - protection bits that can be set/changed by the owner
  - Devices are handled as files (e.g. /dev/tty, /dev/lp)
- 9 bits specify the allowed read(r)/write(w)/execute(x) access for the owner, the group, and everyone else
  - E.g. rw-r----- means the owner can read/write and the group can read

Slide 17: SETUID
- How to give temporary access to privileged resources?
- E.g. /dev/lp is owned by the printer daemon (or by root); other processes need to write to it to send jobs to the printer, but you do not want to set its permission to rwxrwxrwx
- Solution: each file/device has a SETUID bit
- When an executable program P with its SETUID bit set to 1 is executed by a process Q, the protection domain of Q is changed to the (UID,GID) of P (i.e. the owner of P)
  - If P's SETUID bit is 0, then the protection domain of Q does not change

Slide 18: Sample Scenario
- /dev/lp is owned by root with protection rw-------
  - This is used to access the printer
- /bin/lp is owned by root with --x--x--x and SETUID=1
- User A issues a print command
- The shell (running with A's UID and GID) interprets the command and forks off a child process, say, P
- Process P has the same UID/GID as user A
- Child process P executes exec("/bin/lp", ...)
- Now P's domain changes to root's UID
- Consequently, /dev/lp can be accessed to print
- When /bin/lp terminates so does P
- Parent shell never got the access to
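The following is an added example, not part of the lecture notes: it stores a sparse access matrix (slide 10), derives the ACL (column) and capability-list (row) views from it (slides 11 and 13), runs the r ∈ A[s][o] check of slide 6, and makes the revocation and audit cost differences of slides 12 and 14 concrete. The subjects, objects and rights are constructed for illustration.

```python
# Added example: a sparse access matrix (slide 10) and the ACL and capability
# views derived from it (slides 11-14).  Subjects, objects and rights below
# are constructed for illustration.

# Only non-empty entries A[s][o] are stored.
MATRIX = {
    ("alice", "report.txt"): {"r", "w", "x"},
    ("alice", "payroll.db"): {"r", "w"},
    ("bob",   "report.txt"): {"w", "x"},
    ("carol", "report.txt"): {"x"},
    ("carol", "payroll.db"): {"r", "w", "x"},
    ("carol", "printer"):    {"r", "w", "x"},
}

def check(matrix, subject, obj, right):
    """Reference-monitor check (slide 6): grant iff right is in A[s][o]."""
    return right in matrix.get((subject, obj), set())

def to_acls(matrix):
    """Column view: for each object, a list of (subject, rights) pairs."""
    acls = {}
    for (s, o), rights in matrix.items():
        acls.setdefault(o, []).append((s, frozenset(rights)))
    return acls

def to_capabilities(matrix):
    """Row view: for each subject, a list of (object, rights) pairs."""
    caps = {}
    for (s, o), rights in matrix.items():
        caps.setdefault(s, []).append((o, frozenset(rights)))
    return caps

def who_can_access(acls, obj):
    """Easy under ACLs: read one list (useful for auditing)."""
    return sorted(s for s, _ in acls.get(obj, []))

def revoke_object_acl(acls, obj):
    """Revocation w.r.t. one object under ACLs: discard one list."""
    acls.pop(obj, None)
    return acls

def revoke_object_caps(caps, obj):
    """Under capabilities every subject's list must be scanned for the object;
    returns the number of lists touched to make the cost visible."""
    for subject in list(caps):
        caps[subject] = [(o, r) for (o, r) in caps[subject] if o != obj]
    return caps, len(caps)
```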
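A second added example, also not from the lecture notes, models the Unix checks of slides 16 to 18: the 9-bit owner/group/other check and the SETUID domain change, run through the /dev/lp and /bin/lp scenario. The UIDs, GIDs and file table are constructed; unlike the slide's (UID,GID) wording, the setuid bit here changes only the UID, as real Unix does.

```python
# Added example modelling the Unix protection checks on slides 16-18.
# UIDs, GIDs and the file table below are constructed for illustration.

class File:
    def __init__(self, uid, gid, mode, setuid=False):
        self.uid, self.gid, self.setuid = uid, gid, setuid
        # 'rw-r-----' -> three rights sets: owner, group, everyone else
        assert len(mode) == 9
        self.perms = tuple({c for c in mode[i:i + 3] if c != "-"}
                           for i in (0, 3, 6))

def permitted(f, uid, gid, right):
    """The 9-bit check: the first matching class (owner, group, other) decides."""
    owner, group, other = f.perms
    if uid == f.uid:
        return right in owner
    if gid == f.gid:
        return right in group
    return right in other

class Process:
    """Protection domain of a process = (UID, GID)."""
    def __init__(self, uid, gid):
        self.uid, self.gid = uid, gid

    def exec_(self, program):
        if not permitted(program, self.uid, self.gid, "x"):
            raise PermissionError("exec denied")
        if program.setuid:
            # Domain switches to the program owner's UID.  Real Unix changes
            # only the effective UID; a separate set-group-ID bit covers GID.
            self.uid = program.uid
        return self

def print_job(fs, user_uid, user_gid):
    """Slide 18: the shell forks P, P execs /bin/lp and can then write /dev/lp."""
    shell = Process(user_uid, user_gid)
    child = Process(shell.uid, shell.gid)   # fork() copies the parent's domain
    child.exec_(fs["/bin/lp"])
    child_can_print = permitted(fs["/dev/lp"], child.uid, child.gid, "w")
    shell_can_print = permitted(fs["/dev/lp"], shell.uid, shell.gid, "w")
    return child_can_print, shell_can_print

# Constructed file table for the sample scenario (root has UID 0)
FS = {
    "/dev/lp": File(0, 0, "rw-------"),
    "/bin/lp": File(0, 0, "--x--x--x", setuid=True),
}
```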