15-410, S'04
Protection
Apr. 12, 2004
Dave Eckhardt
Bruce Maggs
L31_Protection
"...1969 > 1999?..."

Synchronization
- Please fill out P3/P4 registration form by midnight
  - On the "Projects" web page
  - We need to know whom to grade when...
- Debugging is a skill....
- 15-412
  - If this was fun...
  - If you want to see how it's done "in real life",
  - If you want to write real OS code used by real people,
  - Consider 15-412 (Spring '05)

Outline
- Protection (Chapter 18)
  - Protection vs. Security
  - Domains (Unix, Multics)
  - Access Matrix
    - Concept, Implementation
  - Revocation – not really covered today (see text)
- Mentioning EROS

Protection vs. Security
- Textbook's distinction
  - Protection happens inside a computer
    - Which parts may access which other parts (how)?
  - Security considers external threats
    - Is the system's model intact or compromised?

Protection
- Goals
  - Prevent intentional attacks
    - "Prove" access policies are always obeyed
  - Detect bugs
    - "Wild pointer" example
- Policy specifications
  - System administrators
  - Users - may want to add new privileges to the system

Objects
- Hardware
  - Single-use: printer, serial port, CD writer, ...
  - Aggregates: CPU, memory, disks, screen
- Logical objects
  - Files
  - Processes
  - TCP port 25
  - Database tables

Operations
- Depend on object
  - CPU: execute(...)
  - CD-ROM: read(...)
  - Disk: read_sector(), write_sector()

Access Control
- Basic
  - Your processes should access only "your stuff"
  - Implemented by many systems
- Principle of least privilege
  - (text: "need-to-know")
  - cc -c foo.c
    - should read foo.c, stdio.h, ...
    - should write foo.o
    - should not write ~/.cshrc
  - This is harder

Who Can Do What?
- access right = (object, operations)
  - /etc/passwd, r
  - /etc/passwd, r/w
- process → protection domain
  - P0 → de0u, P1 → bmm, ...
- protection domain → list of access rights
  - de0u → (/etc/passwd, r), (/afs/andrew/usr/de0u/.cshrc, w)

Protection Domain Example
- Domain 1
  - /dev/null, read/write
  - /usr/davide/.cshrc, read/write
  - /usr/smuckle/.cshrc, read
- Domain 2
  - /dev/null, read/write
  - /usr/smuckle/.cshrc, read/write
  - /usr/davide/.cshrc, read

Protection Domain Usage
- Least privilege requires domain changes
  - Doing different jobs requires different privileges
  - One printer daemon, N users
    - Print each user's file with the minimum necessary privileges...
- Two general approaches
  - "process → domain" mapping constant
    - Requires domains to add and drop privileges
    - User "printer" gets, then releases, permission to read your file
  - Domain privileges constant
    - Processes domain-switch between high-privilege and low-privilege domains
    - Printer process opens the file as you, opens the printer as "printer"

Protection Domain Models
- Three models
  - Domain = user
  - Domain = process
  - Domain = procedure

Domain = User
- Object permissions depend on who you are
- All processes you are running share privileges
- Domain switch = log off, log on

Domain = Process
- Resources managed by special processes
  - Printer daemon, file server process, ...
- Domain switch
  - Objects cross domain boundaries via IPC
  - "Please send these bytes to the printer" (pieces missing)

```c
/* Hand the print server an open descriptor (msghdr/iovec setup and error handling omitted) */
s = socket(AF_UNIX, SOCK_STREAM, 0);
connect(s, (struct sockaddr *)&pserver, sizeof pserver);
fd = open("/my/file", O_RDONLY);          /* opened with *our* permissions */
cm = CMSG_FIRSTHDR(&mh);                  /* cmsghdr lives inside mh.msg_control */
cm->cmsg_level = SOL_SOCKET;
cm->cmsg_type = SCM_RIGHTS;               /* "this message carries descriptors" */
cm->cmsg_len = CMSG_LEN(sizeof fd);
memcpy(CMSG_DATA(cm), &fd, sizeof fd);    /* the descriptor rides in the control data */
sendmsg(s, &mh, 0);
```

Domain = Procedure
- Processor limits access at fine grain
  - Hardware protection on a per-variable basis!
- Domain switch – inter-domain procedure call
  - nr = print(strlen(buf), buf);
  - "The correct domain" for print()
    - Access to the OS's data structures
    - Permission to call the OS's internal putbytes()
    - Permission to read the user's buf
  - Ideally, the correct domain is created automatically by hardware
  - Common case: "user mode" vs. "kernel mode"

Unix "setuid" Concept
- Assume Unix domain = numeric user id
  - Not the whole story! This overlooks:
    - Group id, group vector
    - Process group, controlling terminal
    - Superuser
  - But let's pretend
- Domain switch via setuid executable
  - Special permission bit set with chmod
  - Meaning: exec() changes the uid to the executable file's owner
  - Gatekeeper programs
    - "lpr" run by anybody can access the printer's queue files

Access Matrix Concept
- Concept
  - Formalization of "who can do what"
- Basic idea
  - Store all permissions in a matrix
  - One dimension is protection domains
  - Other dimension is objects
  - Entries are access rights

Access Matrix Concept

         File1   File2   File3   Printer
    D1   rwxd    r
    D2   r       rwxd            w
    D3   rwxd    rwxd    rwxd    w
    D4   r       r       r

Access Matrix Details
- OS must still define the process → domain mapping
- OS must enforce domain-switching rules
  - Ad-hoc approach
    - Special domain-switch rules (e.g., log off/on)
  - Can encode domain-switch in the access matrix!
    - Switching domains is a privilege like any other...
    - Add domain columns (domains are objects)
    - Add switch-to rights to domain objects
      » "D2 processes can switch to D1 at will"
    - Subtle (dangerous)

Adding
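As an added example (not from the slides), the access matrix above in code with the four domain columns appended and a switch-to right, as the last slide proposes. The switch entries (D2 may enter D1, D1 may enter D3) are constructed here to show one reason the encoding is subtle: a chain of permitted switches gives a domain every right of every domain it can reach, which a reference monitor that checks one matrix entry at a time never sees.

```c
/* Rights are bits; SWITCH is the right to enter a domain (domains are objects too). */
enum { R = 1, W = 2, X = 4, D = 8, SWITCH = 16 };
enum { FILE1, FILE2, FILE3, PRINTER, DOM1, DOM2, DOM3, DOM4, NOBJ };
enum { D1, D2, D3, D4, NDOM };
#define RWXD (R | W | X | D)

/* The slide's matrix plus domain columns.  The two SWITCH entries are
 * constructed for this example (D2 -> D1, D1 -> D3); they are not on the slide. */
static const unsigned char matrix[NDOM][NOBJ] = {
    /*        File1 File2 File3 Printer D1      D2 D3      D4 */
    /* D1 */ { RWXD, R,    0,    0,     0,      0, SWITCH, 0 },
    /* D2 */ { R,    RWXD, 0,    W,     SWITCH, 0, 0,      0 },
    /* D3 */ { RWXD, RWXD, RWXD, W,     0,      0, 0,      0 },
    /* D4 */ { R,    R,    R,    0,     0,      0, 0,      0 },
};

/* Reference-monitor check: may a process in domain d perform op on obj? */
int allowed(int d, int obj, unsigned op) {
    if (d < 0 || d >= NDOM || obj < 0 || obj >= NOBJ) return 0;
    return (matrix[d][obj] & op) == op;
}

/* A domain switch is just another checked operation, on a domain object.
 * Returns the new domain, or -1 if the switch is not permitted. */
int switch_domain(int d, int target) {
    if (target < 0 || target >= NDOM) return -1;
    return allowed(d, DOM1 + target, SWITCH) ? target : -1;
}

/* Why "subtle (dangerous)": the rights on obj that a process starting in d can
 * obtain by walking any chain of permitted switches (depth-first reachability). */
unsigned effective_rights(int d, int obj) {
    int reach[NDOM] = {0}, stack[NDOM], sp = 0;
    unsigned rights = 0;
    if (d < 0 || d >= NDOM) return 0;
    reach[d] = 1;
    stack[sp++] = d;
    while (sp > 0) {
        int cur = stack[--sp];
        rights |= matrix[cur][obj];          /* rights held directly in this domain */
        for (int t = 0; t < NDOM; t++)
            if (!reach[t] && switch_domain(cur, t) == t) {
                reach[t] = 1;                /* each domain is visited once */
                stack[sp++] = t;
            }
    }
    return rights & ~SWITCH;
}
```

D2 holds no right on File3 in its own row, yet effective_rights(D2, FILE3) is rwxd because D2 → D1 → D3 is permitted; a policy audit has to compute this closure, not just read rows.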
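Going back to the "Domain = Process" slide: the descriptor-passing IPC completed as an added example (not the slide's code), with both ends in one process over socketpair(). The user side opens the object with its own permissions and hands the descriptor to the daemon side, which reads through it without any path lookup or permission check of its own. A pipe is a constructed stand-in for the user's file so the demo runs anywhere; Linux/POSIX AF_UNIX sockets and SCM_RIGHTS are assumed.

```c
#define _GNU_SOURCE
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/uio.h>
/* Control-message buffer aligned for struct cmsghdr, sized for one int. */
union fdbuf { struct cmsghdr hdr; char raw[CMSG_SPACE(sizeof(int))]; };
/* Sender side: attach one open descriptor to a 1-byte message (SCM_RIGHTS). */
static int send_fd(int sock, int fd) {
    char byte = 'F';                     /* SCM_RIGHTS needs at least 1 data byte */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union fdbuf u;
    struct msghdr mh = { .msg_iov = &iov, .msg_iovlen = 1,
                         .msg_control = u.raw, .msg_controllen = sizeof u.raw };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&mh);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof fd);
    memcpy(CMSG_DATA(cm), &fd, sizeof fd);  /* the fd rides in the ancillary data */
    return sendmsg(sock, &mh, 0) == 1 ? 0 : -1;
}
/* Receiver side: the kernel already installed the new fd in our table; read its number out. */
static int recv_fd(int sock) {
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union fdbuf u;
    struct msghdr mh = { .msg_iov = &iov, .msg_iovlen = 1,
                         .msg_control = u.raw, .msg_controllen = sizeof u.raw };
    if (recvmsg(sock, &mh, 0) != 1) return -1;
    for (struct cmsghdr *cm = CMSG_FIRSTHDR(&mh); cm; cm = CMSG_NXTHDR(&mh, cm))
        if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS) {
            int fd;
            memcpy(&fd, CMSG_DATA(cm), sizeof fd);
            return fd;
        }
    return -1;
}
/* One-process demo: sv[0] is the user's process, sv[1] the print daemon.  A pipe is a
 * constructed stand-in for the user's file.  Returns bytes read via the passed fd (13). */
int pass_fd_demo(void) {
    int sv[2], pfd[2], rfd; char buf[32];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || pipe(pfd) < 0) return -1;
    if (write(pfd[1], "hello printer", 13) != 13) return -1;
    if (send_fd(sv[0], pfd[0]) < 0) return -1;
    close(pfd[0]);                       /* sender's copy is gone; the in-flight one survives */
    if ((rfd = recv_fd(sv[1])) < 0) return -1;
    ssize_t n = read(rfd, buf, sizeof buf);   /* no path lookup, no permission check on a path */
    close(rfd); close(pfd[1]); close(sv[0]); close(sv[1]);
    return (int)n;
}
```

The received descriptor keeps the access mode the sender opened it with, so the daemon gets exactly the right the user chose to hand over and nothing more.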