14 Protection
Operating System Concepts – 8th Edition, 14.0, Silberschatz, Galvin and Gagne ©2009
Objectives
- Discuss the goals and principles of protection in a modern computer system
- Explain how protection domains combined with an access matrix are used to specify the resources a process may access
- Examine capability and language-based protection systems
Goals of Protection
- Operating system consists of a collection of objects, hardware or software
- Each object has a unique name and can be accessed through a well-defined set of operations
- Protection problem: ensure that each object is accessed correctly and only by those processes that are allowed to do so
Principles of Protection
- Guiding principle: principle of least privilege
  - Programs, users and systems should be given just enough privileges to perform their tasks
Domain Structure
- Access-right = <object-name, rights-set>, where rights-set is a subset of all valid operations that can be performed on the object.
- Domain = set of access-rights
Domain Implementation (UNIX)
- System consists of 2 domains:
  - User
  - Supervisor
- UNIX
  - Domain = user-id
  - Domain switch accomplished via file system
    - Each file has associated with it a domain bit (setuid bit)
    - When file is executed and setuid = on, then user-id is set to owner of the file being executed. When execution completes user-id is reset
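The setuid rule on this slide, as an added example that is not part of the textbook: `exec_domain` decides which uid domain an exec enters from the file's mode bits, and `find_setuid_files` inventories the set-user-ID files under a directory tree, the check an administrator runs to know where such domain switches exist. Function names and the sample files are this example's own.

```python
# Added example (not from the textbook): which uid domain a process enters
# when it executes a file, decided from the file's mode bits, plus a scan
# that lists the set-user-ID files under a directory tree (a routine
# inventory check). Function names and the sample files are this example's own.
import os
import stat
import tempfile

def exec_domain(caller_uid, mode, owner_uid):
    """Domain after exec: the owner's uid if the setuid bit is on, else the caller's."""
    return owner_uid if mode & stat.S_ISUID else caller_uid

def find_setuid_files(root):
    """Regular files under root whose mode carries S_ISUID, sorted by path."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)           # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)

def demo():
    """Constructed tree with one setuid file and one plain file; return what the scan finds."""
    with tempfile.TemporaryDirectory() as root:
        plain, suid = os.path.join(root, "plain"), os.path.join(root, "suid")
        for p in (plain, suid):
            open(p, "w").close()
        os.chmod(plain, 0o755)
        os.chmod(suid, 0o4755)                # rwxr-xr-x plus the setuid bit
        return [os.path.basename(p) for p in find_setuid_files(root)]
```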
Domain Implementation (MULTICS)
Access Matrix
- View protection as a matrix (access matrix)
Access Matrix
Use of Access Matrix
- If a process in Domain Di tries to do "op" on object Oj, then "op" must be in the access matrix
- Can be expanded to dynamic protection
  - Operations to add, delete access rights
  - Special access rights:
    - owner of Oi
    - copy op from Oi to Oj
    - control – Di can modify Dj access rights
    - transfer – switch from domain Di to Dj
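The rule "op must be in the matrix" and the four special rights above, as an added example that is not part of the textbook: a small monitor in which domains are also objects, so control and transfer rights occupy ordinary cells. Domain and object names, and the `right*` notation for a copyable right, are this example's own.

```python
# Added example (not from the textbook): a small access-matrix monitor.
# Domains appear as objects too, so control and transfer rights sit in
# the same matrix. All domain and object names here are constructed.
class AccessMatrix:
    def __init__(self, domains, objects):
        objs = list(objects) + list(domains)          # domains are objects too
        self.m = {d: {o: set() for o in objs} for d in domains}
    def grant(self, d, o, right):
        self.m[d][o].add(right)
    def check(self, d, o, op):
        # Mechanism: op from domain d on object o must be in cell (d, o).
        if op not in self.m[d][o]:
            raise PermissionError(f"{d} may not {op} {o}")
        return True
    def copy(self, src, dst, o, right):
        # src needs copyable "right*"; dst gets plain "right" and cannot pass it on.
        self.check(src, o, right + "*")
        self.m[dst][o].add(right)
    def owner_grant(self, d, target, o, right):
        # owner right on o lets d add any right on o to any domain.
        self.check(d, o, "owner")
        self.m[target][o].add(right)
    def control_revoke(self, d, target, o, right):
        # control right on domain target lets d remove target's rights.
        self.check(d, target, "control")
        self.m[target][o].discard(right)
    def transfer(self, d, target):
        # transfer right on domain target lets a process in d switch into it.
        self.check(d, target, "transfer")
        return target

def demo():
    am = AccessMatrix(["D1", "D2", "D3"], ["F1", "F2"])
    am.grant("D1", "F1", "read*")                # D1 reads F1 and may pass it on
    am.grant("D1", "F2", "owner")
    am.grant("D2", "D3", "control")
    am.grant("D3", "F1", "write")
    am.grant("D1", "D2", "transfer")
    am.copy("D1", "D2", "F1", "read")            # D2 now holds read on F1
    am.owner_grant("D1", "D3", "F2", "execute")
    am.control_revoke("D2", "D3", "F1", "write")
    try:
        denied = not am.check("D2", "F2", "read")  # no such right: raises
    except PermissionError:
        denied = True
    return {"d2_reads_f1": am.check("D2", "F1", "read"),
            "d3_executes_f2": am.check("D3", "F2", "execute"),
            "d3_write_f1_gone": "write" not in am.m["D3"]["F1"],
            "d2_read_f2_denied": denied, "d1_switches_to": am.transfer("D1", "D2")}
```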
Use of Access Matrix (Cont)
- Access matrix design separates mechanism from policy
  - Mechanism
    - Operating system provides access-matrix + rules
    - It ensures that the matrix is only manipulated by authorized agents and that rules are strictly enforced
  - Policy
    - User dictates policy
    - Who can access what object and in what mode
Implementation of Access Matrix
- Each column = Access-control list for one object
  Defines who can perform what operation.
    Domain 1 = Read, Write
    Domain 2 = Read
    Domain 3 = Read
Access Matrix of Figure A With Domains as Objects (Figure B)
Access Matrix with Copy Rights
Access Matrix With Owner Rights
Modified Access Matrix of Figure B
Access Control
- Protection can be applied to non-file resources
- Solaris 10 provides role-based access control (RBAC) to implement least privilege
  - Privilege is right to execute system call or use an option within a system call
  - Can be assigned to processes
  - Users assigned roles granting access to privileges and programs
Role-based Access Control in Solaris 10
Revocation of Access Rights
- Access List – Delete access rights from access list
  - Simple
  - Immediate
- Capability List – Scheme required to locate capability in the system before capability can be revoked
  - Reacquisition
  - Back-pointers
  - Indirection
  - Keys
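The column-as-ACL implementation from the earlier slide and the revocation contrast on this one, as an added example that is not part of the textbook: one object's column stored as an ACL beside one domain's row stored as capabilities, where each capability is a slot number in a global table (the indirection scheme), so revoking the slot invalidates every copy without first locating them. Object and domain names are constructed.

```python
# Added example (not from the textbook): one access-matrix column stored
# as an ACL beside one row stored as capabilities. ACL revocation is a
# plain delete; capabilities here are slot numbers into a global table
# (the "indirection" scheme), so revoking the slot kills every copy of
# the capability at once. Object and domain names are constructed.
class Obj:
    def __init__(self, name, acl=None):
        self.name = name
        self.acl = acl or {}          # domain -> set of rights (one column)

def acl_check(obj, domain, op):
    return op in obj.acl.get(domain, set())

def acl_revoke(obj, domain, op):
    obj.acl.get(domain, set()).discard(op)     # simple and immediate

class CapTable:
    """Global indirection table: slot -> (object, rights); a capability is a slot."""
    def __init__(self):
        self.slots, self.next_slot = {}, 0

    def mint(self, obj, rights):
        slot, self.next_slot = self.next_slot, self.next_slot + 1
        self.slots[slot] = (obj, set(rights))
        return slot

    def check(self, cap, obj, op):
        entry = self.slots.get(cap)
        return entry is not None and entry[0] is obj and op in entry[1]

    def revoke(self, cap):
        self.slots.pop(cap, None)      # every holder of cap loses access

def demo():
    f1 = Obj("F1", {"D1": {"read", "write"}, "D2": {"read"}})
    table = CapTable()
    cap = table.mint(f1, {"read", "write"})
    d1_caps, d2_caps = [cap], [cap]   # D1 handed a copy of its capability to D2
    before = (acl_check(f1, "D2", "read"), table.check(d2_caps[0], f1, "read"))
    acl_revoke(f1, "D2", "read")
    table.revoke(cap)                 # no need to find D2's copy first
    after = (acl_check(f1, "D2", "read"),
             table.check(d2_caps[0], f1, "read"),
             table.check(d1_caps[0], f1, "read"))
    return before, after
```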
Capability-Based Systems
- Hydra
  - Fixed set of access rights known to and interpreted by the system
  - Interpretation of user-defined rights performed solely by user's program; system provides access protection for use of these rights
- Cambridge CAP System
  - Data capability - provides standard read, write, execute of individual storage segments associated with object
  - Software capability - interpretation left to the subsystem, through its protected procedures
Language-Based Protection
- Specification of protection in a programming language allows the high-level description of policies for the allocation and use of resources
- Language implementation can provide software for protection enforcement when automatic hardware-supported checking is unavailable
- Interpret protection specifications to generate calls on whatever protection system is provided by the hardware and the operating system
Protection in Java 2
- Protection is handled by the Java Virtual Machine (JVM)
- A class is assigned a protection domain when it is loaded by the JVM
- The protection domain indicates what operations the class can (and cannot) perform
- If a library method is invoked that performs a privileged operation, the stack is inspected to ensure the operation can be performed by the library
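The stack inspection described above, as an added example that is not part of the textbook: a Python model in which each function is tagged with a protection domain, a permission check walks the call stack outward and fails if any tagged caller lacks the permission, and a frame marked privileged (the doPrivileged boundary) stops the walk. Domain tags, permission strings and function names are constructed.

```python
# Added example (not from the textbook): a Python model of JVM stack
# inspection. Functions are tagged with a protection domain; checking a
# permission walks the call stack outward and fails if any tagged caller
# lacks it, stopping early at a frame marked privileged. All names are constructed.
import inspect

DOMAINS = {}          # code object -> frozenset of granted permissions
PRIVILEGED = set()    # code objects acting as a doPrivileged boundary

def domain(*perms, privileged=False):
    def wrap(fn):
        DOMAINS[fn.__code__] = frozenset(perms)
        if privileged:
            PRIVILEGED.add(fn.__code__)
        return fn
    return wrap

def check_permission(perm):
    """Every tagged frame from the caller outward must hold perm."""
    for info in inspect.stack(0)[1:]:
        code = info.frame.f_code
        if code not in DOMAINS:
            continue                  # untagged frames (runtime, tests) are skipped
        if perm not in DOMAINS[code]:
            raise PermissionError(f"{code.co_name} lacks {perm}")
        if code in PRIVILEGED:
            break                     # privileged frame answers for its own callers
    return True

@domain("file.read")
def lib_read(path):
    check_permission("file.read")     # the library inspects the whole stack
    return f"contents of {path}"

@domain("file.read", privileged=True)
def read_own_config():
    return lib_read("app.cfg")        # trusted code reading its own file

@domain()                             # untrusted code: no permissions
def untrusted_direct():
    return lib_read("app.cfg")        # denied: this frame lacks file.read

@domain()
def untrusted_via_privileged():
    return read_own_config()          # allowed: the walk stops at the privileged frame

def is_denied(fn):
    try:
        fn()
        return False
    except PermissionError:
        return True
```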
Stack Inspection
End of Chapter 14