15-410, F’04
Protection
Nov. 22, 2004
Dave Eckhardt
Bruce Maggs
L31_Protection
15-410
“...1969 > 1999?...”

Synchronization
- Please fill out P3/P4 registration form by midnight+
  - On the “Projects” web page
  - We need to know whom to grade when...
  - Some of you need a p3extra hand-in directory...
- Debugging is a skill....
- 15-412
  - If this was fun...
  - If you want to see how it's done “in real life”,
  - If you want to write real OS code used by real people,
  - Consider 15-412 (Spring '05)

Project 4 options
- Virtual consoles
  - N virtual screens/keyboards
  - “Hot-key” switch among them
- Pipes
  - pipe(), read(), write(), ...
  - Integration with readline(), print()
- See writeup on Projects page

Intel Labs Internet Suspend/Resume position
- Intel is seeking a “full-time intern”
  - Position available December
- Solid OS background
  - Perl, C, Red Hat Linux, Apache
  - Distributed file systems
- Multi-activity position
  - System deployment, development, maintenance
- May turn into a full-time developer position
  - Last occupant did
- http://www.cs.cmu.edu/~davide/intel-intern.html
- Résumé to: [email protected]

Outline
- Protection (Chapter 18)
  - Protection vs. Security
  - Domains (Unix, Multics)
  - Access Matrix
    - Concept, Implementation
  - Revocation – not really covered today (see text)
- Mentioning EROS

Protection vs. Security
- Textbook's distinction
  - Protection happens inside a computer
    - Which parts may access which other parts (how)?
  - Security considers external threats
    - Is the system's model intact or compromised?

Protection
- Goals
  - Prevent intentional attacks
    - “Prove” access policies are always obeyed
  - Detect bugs
    - “Wild pointer” example
- Policy specifications
  - System administrators
  - Users - May want to add new privileges to system

Objects
- Hardware
  - Single-use: printer, serial port, CD writer, ...
  - Aggregates: CPU, memory, disks, screen
- Logical objects
  - Files
  - Processes
  - TCP port 25
  - Database tables

Operations
- Depend on object
  - CPU: execute(...)
  - CD-ROM: read(...)
  - Disk: read_sector(), write_sector()

Access Control
- Basic
  - Your processes should access only “your stuff”
  - Implemented by many systems
- Principle of least privilege (text: “need-to-know”)
  - cc -c foo.c
    - should read foo.c, stdio.h, ...
    - should write foo.o
    - should not write ~/.cshrc
  - This is harder

Who Can Do What?
- access right = (object, operations)
  - /etc/passwd, r
  - /etc/passwd, r/w
- process -> protection domain
  - P0 -> de0u, P1 -> bmm, ...
- protection domain -> list of access rights
  - de0u -> (/etc/passwd, r), (/afs/andrew/usr/de0u/.cshrc, w)

Protection Domain Example
- Domain 1
  - /dev/null, read/write
  - /usr/davide/.cshrc, read/write
  - /usr/smuckle/.cshrc, read
- Domain 2
  - /dev/null, read/write
  - /usr/smuckle/.cshrc, read/write
  - /usr/davide/.cshrc, read

Protection Domain Usage
- Least privilege requires domain changes
  - Doing different jobs requires different privileges
  - One printer daemon, N users
    - Print each user's file with minimum necessary privileges...
- Two general approaches
  - “process -> domain” mapping constant
    - Requires domains to add and drop privileges
    - User “printer” gets, releases permission to read your file
  - Domain privileges constant
    - Processes domain-switch between high-privilege, low-privilege domains
    - Printer process opens file as you, opens printer as “printer”

Protection Domain Models
- Three models
  - Domain = user
  - Domain = process
  - Domain = procedure

Domain = User
- Object permissions depend on who you are
- All processes you are running share privileges
- Domain switch = Log off, log on

Domain = Process
- Resources managed by special processes
  - Printer daemon, file server process, ...
- Domain switch
  - Objects cross domain boundaries via IPC
  - “Please send these bytes to the printer” (pieces missing)

        s = socket(AF_UNIX, SOCK_STREAM, 0);
        connect(s, pserver, sizeof pserver);
        cm->cmsg_level = SOL_SOCKET;          /* cm: the cmsghdr inside mh's control buffer */
        cm->cmsg_type = SCM_RIGHTS;
        *(int *)CMSG_DATA(cm) = open(“/my/file”, O_RDONLY);  /* the fd travels in the cmsg data */
        sendmsg(s, &mh, 0);                   /* mh: struct msghdr carrying the control message */

Domain = Procedure
- Processor limits access at fine grain
  - Hardware protection on a per-variable basis!
- Domain switch – Inter-domain procedure call
  - nr = print(strlen(buf), buf);
  - “The correct domain” for print()
    - Access to OS's data structures
    - Permission to call OS's internal putbytes()
    - Permission to read user's buf
  - Ideally, correct domain automatically created by hardware
  - Common case: “user mode” vs. “kernel mode”

Unix “setuid” concept
- Assume Unix domain = numeric user id
  - Not the whole story! This overlooks:
    - Group id, group vector
    - Process group, controlling terminal
    - Superuser
  - But let's pretend
- Domain switch via setuid executable
  - Special permission bit set with chmod
  - Meaning: exec() changes uid to executable file's owner
  - Gatekeeper programs
    - “lpr” run by anybody can access printer's queue files

Access Matrix
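The “Domain = User” and “Unix setuid concept” slides above describe the Unix protection domain as a numeric user id, note that this overlooks the group id, the group vector and the superuser, and describe exec() of a setuid executable as a domain switch. The following is an added example, not code from the lecture: it models the domain (real uid, effective uid, group vector) and the inode fields that matter, implements the classic owner/group/other permission check with the superuser case, and carries alice through the setuid switch into “lpr” so you can see which objects open before and after. The uids, gids, paths and modes are constructed sample values; nothing touches the real filesystem.

```c
/* Added example (not from the slides): the Unix "domain = user id" model,
 * with group vector and superuser included. All values are constructed. */
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>    /* S_IXUSR, S_ISUID, ... mode bit macros */
#include <sys/types.h>

#define MAX_GROUPS 16

/* A protection domain as Unix sees it: who the process is. */
struct domain {
    uid_t ruid;                 /* real uid: who logged in */
    uid_t euid;                 /* effective uid: what permission checks use */
    gid_t egid;                 /* effective group id */
    gid_t groups[MAX_GROUPS];   /* supplementary group vector */
    size_t ngroups;
};

/* The part of an inode that the permission check looks at. */
struct object {
    const char *name;
    uid_t owner;
    gid_t group;
    mode_t mode;                /* rwx triples plus S_ISUID / S_ISGID */
};

/* Requested operations, encoded with the same bits as an rwx triple. */
enum { OP_READ = 4, OP_WRITE = 2, OP_EXEC = 1 };

static bool in_groups(const struct domain *d, gid_t g)
{
    if (d->egid == g) return true;
    for (size_t i = 0; i < d->ngroups; i++)
        if (d->groups[i] == g) return true;
    return false;
}

/* The classic check: pick exactly one rwx triple by who you are (owner,
 * else group vector, else other) and test the requested bits against it.
 * uid 0 bypasses read/write; exec still needs at least one x bit set. */
bool unix_permits(const struct domain *d, const struct object *o, int op)
{
    if (d->euid == 0)
        return !(op & OP_EXEC) || (o->mode & (S_IXUSR | S_IXGRP | S_IXOTH));
    int shift;
    if (d->euid == o->owner)          shift = 6;
    else if (in_groups(d, o->group))  shift = 3;
    else                              shift = 0;
    return ((o->mode >> shift) & op) == op;
}

/* The domain switch from the slide: exec() of a setuid executable gives the
 * new image the file owner's effective uid. The real uid is kept, which is
 * how the gatekeeper still knows who asked. Exec permission is checked first. */
bool exec_domain(const struct domain *caller, const struct object *exe,
                 struct domain *out)
{
    if (!unix_permits(caller, exe, OP_EXEC)) return false;
    *out = *caller;
    if (exe->mode & S_ISUID) out->euid = exe->owner;
    if (exe->mode & S_ISGID) out->egid = exe->group;
    return true;
}

/* Constructed sample world: the "printer" account is uid/gid 7. */
#define PRINTER 7
static const struct object lpr   = { "/usr/bin/lpr",          PRINTER, PRINTER, S_ISUID | 0755 };
static const struct object queue = { "/var/spool/lpd/queue",  PRINTER, PRINTER, 0660 };
static const struct object doc   = { "/home/alice/report.ps", 1001,    100,     0600 };
static const struct domain alice = { 1001, 1001, 100, {0}, 0 };
static const struct domain root  = { 0, 0, 0, {0}, 0 };

/* Before the switch: alice may read her document but not the queue. */
bool alice_can_write_queue(void) { return unix_permits(&alice, &queue, OP_WRITE); }
bool alice_can_read_doc(void)    { return unix_permits(&alice, &doc, OP_READ); }

/* After exec of lpr: the queue opens, but alice's private document does not,
 * which is why lpr must open the user's file before (or as) the user. */
bool lpr_can_write_queue(void)
{
    struct domain d;
    return exec_domain(&alice, &lpr, &d) && unix_permits(&d, &queue, OP_WRITE);
}
bool lpr_can_read_doc(void)
{
    struct domain d;
    return exec_domain(&alice, &lpr, &d) && unix_permits(&d, &doc, OP_READ);
}

/* Group vector: a user placed in group 7 reaches the queue without setuid. */
bool operator_can_write_queue(void)
{
    struct domain op = { 1002, 1002, 100, { PRINTER }, 1 };
    return unix_permits(&op, &queue, OP_WRITE);
}

int main(void)
{
    printf("alice -> queue write: %d\n", alice_can_write_queue());
    printf("lpr   -> queue write: %d\n", lpr_can_write_queue());
    printf("lpr   -> doc read:    %d\n", lpr_can_read_doc());
    printf("root  -> queue write: %d\n", unix_permits(&root, &queue, OP_WRITE));
    return 0;
}
```

The interesting row is lpr_can_read_doc(): once the effective uid has switched to “printer”, the 0600 document is no longer readable, so a gatekeeper either opens the user's file while still running as the user or, as the “Protection Domain Usage” slide puts it, is handed the file by a process that could open it. The superuser branch is the usual Unix rule (read/write always, exec only when some x bit is set), stated here as this example's assumption.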
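The “Domain = Process” slide sketches, with pieces deliberately missing, how an object crosses a domain boundary via IPC: the user process opens the file and passes the descriptor to the printer daemon with SCM_RIGHTS. The following is an added example, not the lecture's code: both sides of that exchange, filled in completely. A socketpair() stands in for the connect()ed AF_UNIX socket so that one process can play both user and daemon, and a pipe holding a constructed string stands in for “/my/file”; the daemon never holds any right to the file's path, only the descriptor it received.

```c
/* Added example (not from the slides): passing an open file descriptor
 * between protection domains with SCM_RIGHTS. The "file" is a pipe with
 * constructed contents so the program runs anywhere without setup. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>

/* User side: send one open descriptor over a Unix-domain socket. */
int send_fd(int sock, int fd)
{
    char byte = 'F';                            /* a message must carry some data */
    struct iovec iov = { &byte, 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr mh;
    memset(&mh, 0, sizeof mh);
    memset(&u, 0, sizeof u);
    mh.msg_iov = &iov;
    mh.msg_iovlen = 1;
    mh.msg_control = u.buf;
    mh.msg_controllen = sizeof u.buf;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&mh);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));    /* the fd rides in the cmsg data */
    return sendmsg(sock, &mh, 0) == 1 ? 0 : -1;
}

/* Daemon side: receive a descriptor; returns the local fd number or -1.
 * Anything other than exactly one SCM_RIGHTS fd is rejected. */
int recv_fd(int sock)
{
    char byte;
    struct iovec iov = { &byte, 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr mh;
    memset(&mh, 0, sizeof mh);
    mh.msg_iov = &iov;
    mh.msg_iovlen = 1;
    mh.msg_control = u.buf;
    mh.msg_controllen = sizeof u.buf;
    if (recvmsg(sock, &mh, 0) != 1 || (mh.msg_flags & MSG_CTRUNC)) return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&mh);
    if (cm == NULL || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS
        || cm->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(cm), sizeof fd);
    return fd;
}

/* The whole exchange: the user opens an object (here a pipe holding the
 * constructed document), hands the read end across the socketpair, and the
 * daemon reads from the descriptor it received. Returns the byte count the
 * daemon read into out (NUL-terminated), or -1 on failure. */
ssize_t print_via_daemon(char *out, size_t outlen)
{
    int sv[2], p[2];
    const char document[] = "hello, printer\n";     /* constructed "/my/file" */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || pipe(p) < 0) return -1;
    if (write(p[1], document, sizeof document - 1) != (ssize_t)(sizeof document - 1))
        return -1;
    close(p[1]);

    if (send_fd(sv[0], p[0]) < 0) return -1;      /* user: pass the open object */
    close(p[0]);                                  /* user's own copy no longer needed */

    int got = recv_fd(sv[1]);                     /* daemon: rights arrive with the fd */
    if (got < 0) return -1;
    ssize_t n = read(got, out, outlen - 1);
    if (n < 0) return -1;
    out[n] = '\0';
    close(got);
    close(sv[0]);
    close(sv[1]);
    return n;
}

int main(void)
{
    char buf[64];
    ssize_t n = print_via_daemon(buf, sizeof buf);
    if (n < 0) { perror("print_via_daemon"); return 1; }
    printf("daemon received %zd bytes: %s", n, buf);
    return 0;
}
```

Two details are what make this a domain switch rather than a copy: the descriptor the daemon gets is a reference to the already-open file, so the open-time permission check happened in the user's domain and the daemon needs no rights of its own to the path; and the receiver validates the control message (level, type, exact length, no truncation) before trusting the descriptor number, since a daemon that serves N users is exactly the kind of high-privilege process the “Protection Domain Usage” slide wants kept narrow.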