Chapter 14 2 Protection Chapter 14 2 Protection Chapter 14 1 Goals of Protection Principles of Protection Domain of Protection Access Matrix Chapter 14 2 Implementation of Access Matrix Access Control Revocation of Access Rights Language Based Protection Operating System Concepts 14 2 Silberschatz Galvin and Gagne 2005 Objectives Discuss the Implementation of Access Matrix approach Discuss Revocation of Access Rights Consider Language based protection Compiler based and Protection in Java Operating System Concepts 14 3 Silberschatz Galvin and Gagne 2005 Implementation of Access Matrix Operating System Concepts 14 4 Silberschatz Galvin and Gagne 2005 Implementation of Access Matrix So we know about these access matrices but how can we actually use them to implement and enforce protection We will consider four approaches A Global Table Access Lists for Objects Capability Lists for Domains and Locks and Key Mechanisms Operating System Concepts 14 5 Silberschatz Galvin and Gagne 2005 Global Table Simplest approach but not in widespread use due to some inherent limitations Idea is to have sets of ordered triples domain object rights set When some Operation M is executed on an Object O with Domain D the global table is searched for this triple such that M R where R is the rights set If found the operation may continue If not found an exception is raised There is a real downslides to this simplicity Size of Global Table Specifically as one can imagine the Global Table can be very large Consequently it usually cannot be kept in primary memory If we have processes with many input output operations for example we will have seriously degraded overall system performance There are other issues here too but this is the primary one Operating System Concepts 14 6 Silberschatz Galvin and Gagne 2005 Access Lists for Objects This approach is often used as a component of a solution Here we have a list of ordered pairs that is associated with each object For each object we have a pair domain rights set This list for each object cites domains and their appropriate rights set of course the rights set set may vary from domain to domain Importantly if we use this approach the list of ordered pairs is accompanied by a default set of access rights As it turns out it is the default set that is usually checked first If some process M is found in the default set access is allowed If not then the larger more involved access list consisting of sets of ordered pairs is searched Operating System Concepts 14 7 Silberschatz Galvin and Gagne 2005 Capability Lists for Domains A capability list for a specific domain is simply a list of objects coupled with the operations allowed on those objects A capability itself simply refers to some kind of object This object capability is represented by a physical name or an address The notion of a capability is used a lot in protection schemes So operationally when we have some kind of operation M that needs to take place on some object Access to Capability List It is important to note here that the capability list for a domain is never accessed nor is it permitted to be accessed by the process executing in this domain Thus the capability list for a domain is a protected object and it is maintained by the OS The capability list is accessed only indirectly by the user So a user may never have direct access to a capability list and thus has no opportunity to modify the capability list Also please note that capabilities are special objects and are not to be considered data Both hardware and or firmware ensure that these objects are safeguarded from being migrated into an address space of a user process Most systems use some kind of combination of access lists and capabilities Operating System Concepts 14 8 Silberschatz Galvin and Gagne 2005 Lock and Key Mechanisms Compromise The Lock and Key Mechanism approach is another approach that finds itself as a compromise between access lists and capability lists In this scheme each object is given a unique bit pattern called a lock and each domain has a list of unique bit patterns called keys So an executing process in a specific domain may only have access to an object for which its key matches a lock of an object in that domain Again most systems use a combination of access lists and capability lists Operating System Concepts 14 9 Silberschatz Galvin and Gagne 2005 Revocation of Access Rights Operating System Concepts 14 10 Silberschatz Galvin and Gagne 2005 Revocation of Access Rights Access Rights can be revoked Differences in Revocation There are differences in revoking access rights when comparing implementation using Access Lists and Capability Lists Access List Rights can be deleted right from access list These are pretty simple Simple Immediate Capability List Here there is a scheme required to locate capability in the system before capability can be revoked This approach is much more involved and you might consider reading through these issues I won t pursue this further Operating System Concepts 14 11 Silberschatz Galvin and Gagne 2005 Language Based Protection Operating System Concepts 14 12 Silberschatz Galvin and Gagne 2005 Language Based Protection Protection implementation given the data structures ordered triples ordered pairs lists of access rights etc is often accommodated via kernel software But some languages such as Java provide additional often more flexible levels of protection Kernel Protection If we are considering protection via the kernel recognize that comprehensive access validation is potentially a source of considerable overhead as one can readily realize Yes it will be reliable and comprehensive but the overhead can be significant Great care must be exercised in providing this capability so as not to make the protection capability itself projection kernel too large and too comprehensive to ensure the level of protection desired As it turns out protection mechanisms are no longer only concerned with the identity of the desired resource but also with the functional nature of that access This means that there the concern is no longer limited to protection of system defined functions that we commonly invoked such as many system calls and other key services associated with accessing sacred kernel data structures or files for example but this protection now extends to user defined functions too While this can be good it ushers in complexity as well So nowadays protection not only falls under the purview of the