Chapter 14: Protection: Silberschatz, Galvin and Gagne ©2013 Operating System Concepts - 9 Edition

Chapter 14: Protection
Operating System Concepts – 9th Edition Silberschatz, Galvin and Gagne ©2013
Chapter 14: Protection
 Goals of Protection
 Principles of Protection
 Domain of Protection
 Access Matrix
 Implementation of Access Matrix
 Access Control
 Revocation of Access Rights
 Capability-Based Systems
 Language-Based Protection
Operating System Concepts – 9th Edition 14.2 Silberschatz, Galvin and Gagne ©2013
Objectives
 Discuss the goals and principles of protection in a modern

computer system
 Explain how protection domains combined with an access
matrix are used to specify the resources a process may
access
 Examine capability and language-based protection systems
Goals of Protection
 In one protection model, computer consists of a collection of

objects, hardware or software
 Each object has a unique name and can be accessed through
a well-defined set of operations
 Protection problem - ensure that each object is accessed
correctly and only by those processes that are allowed to do so
Principles of Protection
 Guiding principle – principle of least privilege
 Programs, users and systems should be given just
enough privileges to perform their tasks
 Limits damage if entity has a bug, gets abused
 Can be static (during life of system, during life of
process)
 Or dynamic (changed by process as needed) – domain
switching, privilege escalation
 “Need to know” a similar concept regarding access to
data
Principles of Protection (Cont.)
 Must consider “grain” aspect
 Rough-grained privilege management easier, simpler,
but least privilege now done in large chunks
 For example, traditional Unix processes either have
abilities of the associated user, or of root
 Fine-grained management more complex, more
overhead, but more protective
 File ACL lists, RBAC
 Domain can be user, process, procedure
Domain Structure
 Access-right = <object-name, rights-set>

where rights-set is a subset of all valid operations that can
be performed on the object
 Domain = set of access-rights
Domain Implementation (UNIX)
 Domain = user-id
 Domain switch accomplished via file system
 Each file has associated with it a domain bit (setuid bit)
 When file is executed and setuid = on, then user-id is
set to owner of the file being executed
 When execution completes user-id is reset
 Domain switch accomplished via passwords
 su command temporarily switches to another user’s
domain when other domain’s password provided
 Domain switching via commands
 sudo command prefix executes specified command in
another domain (if original domain has privilege or
password given)
Domain Implementation (MULTICS)
 Let Di and Dj be any two domain rings
 If j < I  Di  Dj
Multics Benefits and Limits
 Ring / hierarchical structure provided more than the basic

kernel / user or root / normal user design
 Fairly complex -> more overhead
 But does not allow strict need-to-know
 Object accessible in Dj but not in Di, then j must be < i
 But then every segment accessible in Di also
accessible in Dj
Access Matrix
 View protection as a matrix (access matrix)
 Rows represent domains
 Columns represent objects
 Access(i, j) is the set of operations that a process
executing in Domaini can invoke on Objectj
Use of Access Matrix
 If a process in Domain Di tries to do “op” on object Oj, then
“op” must be in the access matrix
 User who creates object can define access column for that
object
 Can be expanded to dynamic protection
 Operations to add, delete access rights
 Special access rights:
 owner of Oi
 copy op from Oi to Oj (denoted by “*”)
 control – Di can modify Dj access rights
 transfer – switch from domain Di to Dj
 Copy and Owner applicable to an object
 Control applicable to domain object
Use of Access Matrix (Cont.)
 Access matrix design separates mechanism from policy

 Mechanism
 Operating system provides access-matrix + rules
 If ensures that the matrix is only manipulated by
authorized agents and that rules are strictly enforced
 Policy
 User dictates policy
 Who can access what object and in what mode
 But doesn’t solve the general confinement problem
Access Matrix of Figure A with Domains as Objects
Access Matrix with Copy Rights
Access Matrix With Owner Rights
Modified Access Matrix of Figure B
Implementation of Access Matrix
 Generally, a sparse matrix

 Option 1 – Global table
 Store ordered triples <domain, object,
rights-set> in table
 A requested operation M on object Oj within domain
Di -> search table for < Di, Oj, Rk >
 with M ∈ Rk
 But table could be large -> won’t fit in main memory
 Difficult to group objects (consider an object that all
domains can read)
Implementation of Access Matrix (Cont.)
 Option 2 – Access lists for objects

 Each column implemented as an access list for one
object
 Resulting per-object list consists of ordered pairs
<domain, rights-set> defining all domains with
non-empty set of access rights for the object
 Easily extended to contain default set -> If M ∈ default
set, also allow access
Implementation of Access Matrix (Cont.)
 Each column = Access-control list for one object

Defines who can perform what operation
Domain 1 = Read, Write
Domain 2 = Read
Domain 3 = Read
 Each Row = Capability List (like a key)

For each domain, what operations allowed on what objects
Object F1 – Read
Object F4 – Read, Write, Execute
Object F5 – Read, Write, Delete, Copy
Protection in Java 2
 Protection is handled by the Java Virtual Machine (JVM)

 A class is assigned a protection domain when it is loaded by
the JVM
 The protection domain indicates what operations the class
can (and cannot) perform
 If a library method is invoked that performs a privileged
operation, the stack is inspected to ensure the operation can
be performed by the library
 Generally, Java’s load-time and run-time checks enforce type
safety
 Classes effectively encapsulate and protect data and
methods from other classes
Access Control
 Protection can be applied to non-file
resources
 Oracle Solaris 10 provides role-
based access control (RBAC) to
implement least privilege
 Privilege is right to execute
system call or use an option
within a system call
 Can be assigned to processes
 Users assigned roles granting
access to privileges and
programs
 Enable role via password to
gain its privileges
 Similar to access matrix
End of Chapter 14
Operating System Concepts – 9th Edition Silberschatz, Galvin and Gagne ©2013

Chapter 14: Protection: Silberschatz, Galvin and Gagne ©2013 Operating System Concepts - 9 Edition

Uploaded by

Copyright:

Available Formats

Chapter 14: Protection: Silberschatz, Galvin and Gagne ©2013 Operating System Concepts - 9 Edition

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Chapter 14: Protection: Silberschatz, Galvin and Gagne ©2013 Operating System Concepts - 9 Edition

Uploaded by

Copyright:

Available Formats

Chapter 14: Protection

 Discuss the goals and principles of protection in a modern

 In one protection model, computer consists of a collection of

 Access-right = <object-name, rights-set>

 Ring / hierarchical structure provided more than the basic

 Access matrix design separates mechanism from policy

 Generally, a sparse matrix

 Option 2 – Access lists for objects

 Each column = Access-control list for one object

 Each Row = Capability List (like a key)

 Protection is handled by the Java Virtual Machine (JVM)

You might also like