
Chapter 14: Protection

Outline
- Goals of Protection
- Principles of Protection
- Domain of Protection
- Access Matrix
- Implementation of Access Matrix
- Access Control
- Revocation of Access Rights
- Capability-Based Systems
- Language-Based Protection

Operating System Concepts 14.2, Silberschatz, Galvin and Gagne, 2005

Objectives
- Discuss the goals and principles of protection in a modern computer system.
- Explain how protection domains, combined with an access matrix, are used to specify the resources a process may access.
- Examine language-based protection systems.

Background
- Protection and security are related yet very different topics. We will devote a chapter to each.
- Protection requires two things: a policy (what it is we want) and implementation mechanisms (how we are going to do it).
- Protection is a measure of confidence that the integrity of a system and its data will be preserved. Security assurance is a much broader topic, and we will cover it in the next chapter.
- One may view protection as a mechanism for controlling the access of programs, processes, or users to resources defined by a computer system (perhaps system resources, perhaps user resources).
- The mechanism for implementing these controls must be specified, and there must also be a means of enforcement, not simply a policy.

Goals of Protection
- Operating systems consist of large collections of objects, both hardware and software. All users of such a computer system share these same resources.
- Clearly we need to protect these shared resources from intentional or accidental activities which may prove to be disastrous.
- Since all these resources are shared, we definitely need policies to govern and control appropriate access. Specifically, policies need to define authorized and unauthorized access.

Policy and Implementation (1)
- Policies may be fixed in the design of the computing system. Other policies may be developed by the management of the computing system. Still other policies may be implemented by users themselves to protect their own files and programs. Thus a protection system must include the ability to enforce a number of different policies.
- Operating system designers can implement protection mechanisms as integral parts of the OS (a protection kernel, perhaps). Application developers may also develop protection mechanisms, and in some cases these are supported by their choice of programming language. While these clearly differ in scope and extent, both are needed.
- We now define an object as a unique name that can be accessed through a well-defined set of operations. So the protection problem is to ensure that each object is accessed correctly and only by those processes allowed to do so.

Policy and Implementation (2)
- In this chapter we emphasize what an operating system can and should provide. Using these facilities, an application developer may then select some of his or her own protection approaches, as mentioned.
- Note that mechanisms (how something will be done) differ markedly from policies (which address what will be done). Policies can change from time to time, and conceivably policy changes may result in changes to the underlying mechanisms.
- This is always the way things are done: the what, followed by the how. Clearly related, but vastly different.

Principles of Protection
- The criterion used to guide design and implementation issues for protection is the principle of least privilege. Basically, this principle says that one should have enough privileges to do what one needs to do, but nothing more.
- One advantage of this approach is that if a system, program, user, etc. fails, the results of this failure should not propagate into other areas, or at least should cause minimal damage to others. As a user, if my process fails due to an attempt, say, to execute privileged instructions or to access areas not allowed, the results should be localized to this process and this user, nothing else.
- At the user level, users are given the permissions (privileges) they need, and users are given access to those commands that they need. That's it.
- Computers running under the principle of least privilege may be limited to running only certain devices, to being able to access only specific remote services, etc., and may be constrained to these devices or services at other times.

Principles of Protection (2)
- While such a philosophy might appear noble and should work for the benefit of all, at least in principle (no pun intended), this principle is implemented in significantly different ways, and to vastly different degrees, in very different operating systems.
- Let's now look at the domain of protection.

Domain of Protection
- In order to implement a protection scheme, let's first look at what we are protecting. First of all, we have hardware objects: CPU, memory segments, printers, disks, etc. We also have software objects: files, programs, software switches.
- Some measures that may be implemented on some of these objects clearly may not be implementable on others. Some of these devices may only be read.
- An adjunct to the principle of least privilege is the need-to-know principle. Does a process need to have access to everything it needs during its entire execution? Perhaps only part of the time. Again, we are attempting to minimize the risk of security violations.

Domain Structure
- Fact: processes need to run within some kind of protection domain. The domain indicates what a process does and does not have access to.
- The domain is typically accompanied by a set of operations that can be executed on a set of objects: access rights.
- We define an access right as <object-name, rights-set>, where rights-set is a subset of all valid operations that can be performed on the object.
- So we have an object name and a set of operations that can be performed on each object within the domain to which the process belongs at this time. Domains need not be disjoint.
- Let's look more closely at domain structure.
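The domain structure described above, as an added example that is not from the textbook or these slides: a small Python model of protection domains as sets of <object-name, rights-set> access rights, with a simulated process whose denied requests stay local to that process. The objects F1, F2 and printer and the domains D1 and D2 are constructed sample values.

```python
from dataclasses import dataclass, field

# Operations that are valid on each object (constructed sample objects).
VALID_OPS = {"F1": {"read", "write", "execute"}, "F2": {"read", "write", "execute"},
             "printer": {"print"}}


@dataclass
class Domain:
    """A protection domain: a set of access rights <object-name, rights-set>."""
    name: str
    rights: dict = field(default_factory=dict)  # object-name -> frozenset of ops

    def grant(self, obj: str, *ops: str) -> None:
        # A rights-set must be a subset of the operations valid on the object.
        invalid = set(ops) - VALID_OPS[obj]
        if invalid:
            raise ValueError(f"{sorted(invalid)} are not valid operations on {obj}")
        self.rights[obj] = self.rights.get(obj, frozenset()) | frozenset(ops)

    def permits(self, obj: str, op: str) -> bool:
        # An object absent from the domain is simply not accessible from it.
        return op in self.rights.get(obj, frozenset())

    def shared_objects(self, other: "Domain") -> set:
        # Domains need not be disjoint: an object may appear in both.
        return set(self.rights) & set(other.rights)


def run_process(domain: Domain, requests: list) -> list:
    """Simulate a process executing in `domain`. Each request is checked
    against the domain's rights; a denied request is recorded and the
    process continues, so the failure stays local to this process."""
    return [(obj, op, "ok" if domain.permits(obj, op) else "denied")
            for obj, op in requests]


# Least privilege: D1 may only read F1 and use the printer; D2 may
# read/write F1 and execute F2. F1 is shared, so D1 and D2 overlap.
D1 = Domain("D1")
D1.grant("F1", "read")
D1.grant("printer", "print")
D2 = Domain("D2")
D2.grant("F1", "read", "write")
D2.grant("F2", "execute")

if __name__ == "__main__":
    print(run_process(D1, [("F1", "read"), ("F1", "write"), ("F2", "execute")]))
    print(D1.shared_objects(D2))
```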


Chico CSCI 640 - Chapter 14: Protection