14.1/21 part 5: protection and security protection mechanisms control access to a system by limiting...
TRANSCRIPT
14.1/21
Part 5: protection and securityPart 5: protection and security
Protection mechanisms control access to a system by limiting the types of file access permitted to users. In addition, protection must ensure that only processes that have gained proper authorization from the operating system can operate on memory segments, the CPU, and other resources.
Security ensures the authentication of system users to protect the integrity of the information stored in the system (both data and code), as well as the physical resources of the computer system. The security system prevents unauthorized access, malicious destruction or alteration of data, and accidental introduction of inconsistency.
Chapter 14: ProtectionChapter 14: Protection
14.3/21
Chapter 14: ProtectionChapter 14: Protection
Goals of Protection
Principles of Protection
Domain of Protection
Access Matrix
Implementation of Access Matrix
14.4/21
ObjectivesObjectives
Discuss the goals and principles of protection in a modern computer system
Explain how protection domains combined with an access matrix are used to specify the resources a process may access
Examine capability and language-based protection systems
14.5/21
Goals of ProtectionGoals of Protection
Modern protection concepts have evolved to increase the reliability of any complex system that makes use of shared resources.
need to provide protection for several reasons
the need to prevent mischievous, intentional violation of an access restriction by a user.
the need to ensure that each program component active in a system uses system resources only in the ways consistent with stated policies.
Protection can improve reliability by detecting latent errors at the interfaces between component subsystems.
P531
14.6/21
Principles of ProtectionPrinciples of Protection
Guiding principle – principle of least privilege Programs, users and systems should be given just
enough privileges to perform their tasks
Consider the analogy of a security guard with a passkey. If this key allows the guard into just the public areas that she guards, then misuse of the key will result in minimal damage. If, however, the passkey allows access to all areas, then damage from its being lost, stolen, misused, copied or otherwise compromised will be much greater.
P532
14.7/21
Principles of ProtectionPrinciples of Protection
Managing users with the principle of least privilege entails creating a separate account for each user, with just the privileges that the user needs.
Computers implemented in a computing facility under the principle of least privilege can be limited to running specific services, accessing specific remote hosts via specific services, and doing so during specific times.
The principle of least privilege can help produce a more secure computing environment. Unfortunately, it frequently does not. For example, Windows 2000 has a complex protection scheme at its core and yet has many security hole.
14.8/21
Domain of ProtectionDomain of Protection
Operating system consists of a collection of objects, hardware objects or software objects
Each object has a unique name and can be accessed through a well-defined set of operations.
A process should be allowed to access only those resources for which it has authorization.
Furthermore, at any time, a process should be able to access only those resources that it currently requires to complete its task. This requirement, commonly referred to as the need to know principle, is useful in limiting the amount of damage a faulty process can cause in the system.
P533
14.9/21
Domain StructureDomain Structure
Each protection domain defines a set of objects and the types of operations that may be invoked on each object.
The ability to execute an operation on an object is an access right.
Access-right = <object-name, rights-set>where rights-set is a subset of all valid operations that can be performed on the object.
Domain = set of access-rights
if domain D has the access right < file F, {read, write } >, then a process executing in domain D can both read and write file F.
P534
14.10/21
Domain StructureDomain Structure
Domains do not need to be disjoint; they may share access rights.
14.11/21
Domain StructureDomain Structure
The association between a process and a domain may be either static, if the set of resources available to the process is fixed throughout the process's lifetime, or dynamic.
If the association between processes and domains is fixed, and we want to adhere to the need-to-know principle, then a mechanism must be available to change the content of a domain.
If the association is dynamic, a mechanism is available to allow domain switching, enabling the process to switch from one domain to another.
P534
14.12/21
Domain RealizationDomain Realization
Each user may be a domain. In this case, the set of objects that can be accessed depends on the identity of the user. Domain switching occurs when the user is changed-generally when one user logs out and another user logs in.
Each process may be a domain. In this case, the set of objects that can be accessed depends on the identity of the process. Domain switching occurs when one process sends a message to another process and then waits for a response.
Each procedure may be a domain. in this case, the set of objects that can be accessed corresponds to the local variables defined within the procedure. Domain switching occurs when a procedure call is made.
P535
14.13/21
Access MatrixAccess Matrix
View protection as a matrix (access matrix)
Rows represent domains
Columns represent objects
Access(i, j) is the set of operations that a process executing in Domaini can invoke on Objectj
P538
14.14/21
Access MatrixAccess Matrix
14.15/21
Access Matrix of Figure A With Domains as ObjectsAccess Matrix of Figure A With Domains as Objects
Figure B
14.16/21
Implementation of Access MatrixImplementation of Access Matrix
Global Table
Consisting of a set of ordered triples <domain, object, rights-set>.
drawbacks
The table is usually large and thus cannot be kept in main memory, so additional I/O is needed.
if everyone can read a particular object, it must have a separate entry in every domain.
P542
14.17/21
Implementation of Access MatrixImplementation of Access Matrix
Each column = Access-control list for one object The resulting list for each object consists of ordered
pairs <domain, rights-set>, which define all domains with a nonempty set of access rights for that object.
Defines who can perform what operation.
Domain 1 = Read, WriteDomain 2 = ReadDomain 3 = Read
14.18/21
Implementation of Access MatrixImplementation of Access Matrix
Each Row = Capability List (like a key)Fore each domain, what operations allowed on what objects.
Object 1 – Read
Object 4 – Read, Write, Execute
Object 5 – Read, Write, Delete, Copy
P543
14.19/21
Lock-key schemeLock-key scheme
Compromise between access lists and capability lists.
Each object has a list of unique bit patterns, called locks.
Similarly, each domain has a list of unique bit patterns, called keys.
A process executing in a domain can access an object only if that domain has a key that matches one of the locks of the object.
Users are not allowed to examine or modify the list of keys (or locks) directly.
P544
14.20/21
ComparisonComparison
Using a global table is simple; however, the table can be quite large and often cannot take advantage of special groupings of objects or domains.
Access lists correspond directly to the needs of users. determining the set of access rights for each domain is difficult. in addition, every access to the object must be checked, requiring a search of the access list.
Capability lists do not correspond directly to the needs of users; they are useful, however, for localizing information for a given process. The process attempting access must present a capability for that access.
The lock-key mechanism can be both effective and flexible.
P544
End of Chapter 14End of Chapter 14