Silberschatz and Galvin Chapter 19

Similar documents
Module 19: Protection

Chapter 17: System Protection

Module 19: Protection

Chapter 14: System Protection

Chapter 13: Protection. Operating System Concepts Essentials 8 th Edition

Chapter 14: Protection. Operating System Concepts 9 th Edition

Today: Protection. Protection

Protection Goals of Protection Principles of Protection principle of least privilege Domain Structure need to know principle

Today: Protection! Protection!

Today: Protection. Sermons in Computer Science. Domain Structure. Protection

Protection and Security

Module 3: Operating-System Structures

P1L5 Access Control. Controlling Accesses to Resources

CS 392/681 - Computer Security. Module 5 Access Control: Concepts and Mechanisms

CS 392/681 - Computer Security. Module 6 Access Control: Concepts and Mechanisms

Module 1. Introduction:

Chapter 1: Introduction. Operating System Concepts 9 th Edit9on

File-System Structure. Allocation Methods. Free-Space Management. Directory Implementation. Efficiency and Performance. Recovery

OS concepts and structure. q OS components & interconnects q Structuring OSs q Next time: Processes

Week 6: Capabilities Advanced Operating Systems ( L)

Operating Systems Security Access Control

Access Control CSC WAKE FOREST. U N I V E R S I T Y Department of Computer Science. Fall 2014

General Access Control Model for DAC

Table 12.2 Information Elements of a File Directory

CS30002: Operating Systems. Arobinda Gupta Spring 2017

Module: Operating System Security. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CSE543 - Introduction to Computer and Network Security. Module: Operating System Security

Deadlocks. Operating System Concepts - 7 th Edition, Feb 14, 2005

Comp 204: Computer Systems and Their Implementation. Lecture 9: Deadlock

Chapter 1: Introduction. Operating System Concepts 8 th Edition,

Operating System Architecture. CS3026 Operating Systems Lecture 03

Chapter 2: Operating-System Structures. Operating System Concepts 9 th Edit9on

Chapter 2: Operating-System Structures. Operating System Concepts 8 th Edition

Unit 2 : Computer and Operating System Structure

Operating-System Structures

OPERATING SYSTEM OVERVIEW

Chapter 7: Deadlocks. Operating System Concepts 9 th Edition

Policy vs. Mechanism. Example Reference Monitors. Reference Monitors. CSE 380 Computer Operating Systems

CSC 453 Operating Systems

Chapter 2: System Structures. Operating System Concepts 9 th Edition

Four Components of a Computer System

Chapter 3: Operating-System Structures

Advanced Systems Security: Multics

CSE 380 Computer Operating Systems

EECE.4810/EECE.5730: Operating Systems Spring 2017

OS structure. Process management. Major OS components. CSE 451: Operating Systems Spring Module 3 Operating System Components and Structure

OPERATING SYSTEMS UNIT - 1

Introduction to Operating Systems (Part II)

The Operating System. Chapter 6

Module 3: Operating-System Structures. Common System Components

CS420: Operating Systems

Outline. V Computer Systems Organization II (Honors) (Introductory Operating Systems) Advantages of Multi-level Page Tables

Introduction to Concurrency (Processes, Threads, Interrupts, etc.)

Last class: OS and Architecture. OS and Computer Architecture

Last class: OS and Architecture. Chapter 3: Operating-System Structures. OS and Computer Architecture. Common System Components

CS420: Operating Systems

Fundamentals of Operating Systems (COMP355/L) A Student's Manual for Practice Exercises

Operating-System Structures

UNIT 2. OPERATING SYSTEM STRUCTURES

We ve seen: Protection: ACLs, Capabilities, and More. Access control. Principle of Least Privilege. ? Resource. What makes it hard?

Introduction to Operating Systems

Architectural Support for A More Secure Operating System

OS Design Approaches. Roadmap. OS Design Approaches. Tevfik Koşar. Operating System Design and Implementation

Chapter 2: Operating-System Structures. Operating System Concepts Essentials 8 th Edition

Privilege Escalation

Data Security and Privacy. Unix Discretionary Access Control

Lecture 2: Architectural Support for OSes

Chapter 2: Operating-System

Chapter 10: File-System Interface. Operating System Concepts with Java 8 th Edition

Outlook. File-System Interface Allocation-Methods Free Space Management

Silberschatz and Galvin Chapter 12

OS and Computer Architecture. Chapter 3: Operating-System Structures. Common System Components. Process Management

Ajith s Documentum Security Notes

Operating System Concepts Ch. 2: Operating System Structures

When we start? 10/24/2013 Operating Systems, Beykent University 1

Operating Systems. studykorner.org

Module 1: Introduction

Protection. CSE473 - Spring Professor Jaeger. CSE473 Operating Systems - Spring Professor Jaeger

Syllabus CSCI 405 Operating Systems Fall 2018

Chapter 1: Introduction

Chapter 3: Operating-System Structures

CS420: Operating Systems. Kernel I/O Subsystem

CS370 Operating Systems

Ricardo Rocha. Department of Computer Science Faculty of Sciences University of Porto

Chapter 14: File-System Implementation

Chapter 2: Operating-System Structures

CS 162 Operating Systems and Systems Programming Professor: Anthony D. Joseph Spring Lecture 18: Naming, Directories, and File Caching

Introduction to Deadlocks

OPERATING SYSTEMS OVERVIEW

Four Components of a Computer System. Operating System Concepts 7 th Edition, Jan 12, 2005

CS 162 Operating Systems and Systems Programming Professor: Anthony D. Joseph Spring Lecture 18: Naming, Directories, and File Caching

> 1999?... Protection Nov. 15, 2010

CS370 Operating Systems

Module 1: Introduction. What is an Operating System?

Roadmap. Tevfik Koşar. CSE 421/521 - Operating Systems Fall Lecture - II OS Structures. University at Buffalo. OS Design and Implementation

OS Design Approaches. Roadmap. System Calls. Tevfik Koşar. Operating System Design and Implementation. CSE 421/521 - Operating Systems Fall 2013

Amplifying. Examples

CSC 553 Operating Systems

Module 2: Computer-System Structures. Computer-System Architecture

UNIT-3 DEADLOCKS DEADLOCKS

Transcription:

Silberschatz and Galvin Chapter 19 Protection CPSC 410--Richard Furuta 4/26/99 1 Protection Goals of protection schemes Domain of protection Mechanisms Ð access matrix implementation of access matrix revocation of access rights Ð Capability-based systems Ð Language-based protection CPSC 410--Richard Furuta 4/26/99 2 1

Goals of protection schemes Operating system consists of a collection of hardware and software objects Ð CPU, memory segments, printers, disks, tape drives Ð files, programs, semaphores Each object has a unique name; is accessed through a welldefined set of operations Ð Essentially abstract data types Purpose of protection: to ensure that each object is accessed correctly and only by those processes that are allowed to do so Ð need to know principle CPSC 410--Richard Furuta 4/26/99 3 Goals of protection schemes Why protection? Ð Prevent mischief Ð Make sure that program components use resources in compliance with policies for resources Ð Protect from certain user errors Separation of policy from mechanism Ð Policy: what will be done Ð Mechanism: how it will be done Separating policy from mechanism allows change to policy without requiring changes to underlying mechanism (reconfiguration instead) CPSC 410--Richard Furuta 4/26/99 4 2

Protection domain structure Protection domain--specifies the resources that a process may access. Defines a set of objects and the operations that may be invoked on each object. A domain is a set of access rights Access right--the ability to execute an operation on an object; a subset of all valid operations that can be performed on the object Ð <object-name, rights-set> Domains can share access rights CPSC 410--Richard Furuta 4/26/99 5 Protection domain structure CPSC 410--Richard Furuta 4/26/99 6 3

Protection domain structure Association between a process and a domain may be static or dynamic Ð static: set of resources available to the process is fixed through the processõ lifetime Ð static is easier to implement than dynamic Ð Static association plus need-to-know requires mechanisms to change the content of a domain one phase may require read access but not write access another may require only write access need-to-know implies that we provide only the minimum needed access rights at all times Ð Dynamic association provides these means CPSC 410--Richard Furuta 4/26/99 7 Protection domain structure What defines a domain? Ð Each user is a domain access depends on userõs identity domain switching occurs when users change (login/ logout) Ð Each process is a domain access depends on processõ identity Domain switching occurs when process sends a message to another and then waits for answer Ð Each procedure is a domain set of objects that can be accessed corresponds to local variables Domain switching occurs when procedure call made CPSC 410--Richard Furuta 4/26/99 8 4

Domain implementation examples System consists of 2 domains: Ð User Ð Supervisor CPSC 410--Richard Furuta 4/26/99 9 Domain implementation examples UNIX Ð Domain = user-id Ð Domain switch accomplished via file system. Each file has associated with it a domain bit (setuid bit). When file is executed and setuid = on, then user-id is set to owner of the file being executed. When execution completes user-id is reset. Ð Some other systems do not allow change of user id. Here, user access to protected objects has to use different mechanisms. For example, a daemon process that mediates access to the object. CPSC 410--Richard Furuta 4/26/99 10 5

Domain implementation examples Multics rings (MIT late 1960Õs) Ð Let D i and D j be any two domain rings. Ð If j < i Þ D i Í D j CPSC 410--Richard Furuta 4/26/99 11 Domain implementation examples Multics system Ð Ring D 0 corresponds to monitor mode; has the most privileges Ð each memory segment includes ring number and access bits to control reading, writing, and execution Ð process can only access segments associated with rings with greater than or equal number, restricted according to the access bits Ð Domain switching is procedure oriented--procedure called in a different ring. Further controls on how those switches can occur (see following) CPSC 410--Richard Furuta 4/26/99 12 6

Domain implementation examples Multics domain switching Ð Makes use of the following access bracket: a pair of integers, b1 and b2, such that b1 b2 limit: an integer b3, such that b3 > b2 list of gates: identifies entry points (gates) at which segments may be called Ð Process in ring i calls a procedure (segment) with access bracket (b1,b2) Call allowed if b1 i b2 Current ring number of the process remains i Otherwise, see following CPSC 410--Richard Furuta 4/26/99 13 Domain implementation examples Multics domain switching Ð When the callerõs ring number is not in the calleeõs access bracket i < b1 Ð Call allowed since this is a transfer to a ring with fewer privileges Ð Parameters may need to be copied into an area accessible to the called procedure i > b2 Ð Call permitted only if b3 i (b3 is the limit) and the call has been directed to one of the designated entry points in the list of gates Ð This is a call to a procedure with higher privileges, but in a controlled manner CPSC 410--Richard Furuta 4/26/99 14 7

Domain implementation examples Multics domain model Ð Does not enforce need-to-know (as you have access to all segments in higher numbered rings) Ð More general models (which are also simpler) used in modern computer systems CPSC 410--Richard Furuta 4/26/99 15 Access Matrix Rows: domains Columns: objects Access(i,j) defines the set of operations that a process, executing in domain D i can invoke on object O j Process in Domain D i can execute operation op on Object O j only if there is a corresponding entry in the access matrix CPSC 410--Richard Furuta 4/26/99 16 8

Access matrix O1 O2 O3 O4 D1 read execute read write write D2 write print D3 execute read print CPSC 410--Richard Furuta 4/26/99 17 Access Matrix Allowing processes to switch among domains Ð Can be controlled by including domains in access matrix Ð ÒswitchÓ access right allows switching to the specified domain O1 O2 O3 O4 D1 D2 D3 D1 read execute read switch write write D2 write print D3 execute read print switch switch CPSC 410--Richard Furuta 4/26/99 18 9

Access Matrix Allowing controlled change to the access matrix Ð Operations to add, delete access rights. Ð Special access rights: owner of object O i Ð Can add/remove operations in column i copy op from D i to D j Ð Copy within column (i.e., to additional domains for object for which the right is defined) Ð Variant: transfer of right, not copy Ð Variant: limit propagation (copy cannot be copied) control Ð D i can modify D j s access rights Ð D i can remove access rights from row j CPSC 410--Richard Furuta 4/26/99 19 Access Matrix Access matrix design separates mechanism from policy. Ð Mechanism Operating system provides Access-matrix + rules. It ensures that the matrix is only manipulated by authorized agents and that rules are strictly enforced. Ð Policy User dictates policy. Who can access what object and in what mode. CPSC 410--Richard Furuta 4/26/99 20 10

Access Matrix Implementation Want to implement efficiently but usually matrix is sparse Simple implementation: global table of triples <domain, object, rights set> Ð Problems: large table, hence too big for memory (has to be on secondary storage either explicitly or via virtual memory). Requires added I/O Ð Difficult to take advantage of special groupings of objects--for example if an object allows everyone to read it, it must have separate entry in every domain CPSC 410--Richard Furuta 4/26/99 21 Access Matrix Implementation Object-centric implementation Ð Access list implementation. Columns in access matrix are implemented as an access list, kept by the object (list of <domain, rights-set> pairs) Ð Easy extension also provides default set of access rights (search local list, if operation on object not found check default set) CPSC 410--Richard Furuta 4/26/99 22 11

Access Matrix Implementation Domain-centric implementation Ð each row in the access matrix can be implemented as a capability list kept by the process (<object, accessrights> list) Ð simple possession of capability means that specified rights are granted Ð manipulation and passing of capabilities has to be implemented by OS--capability-based protection assumes that capabilities never migrate into user space. CPSC 410--Richard Furuta 4/26/99 23 Access Matrix Implementation Lock-key mechanism Ð Objects have list of unique bit patterns, called locks Ð Domains have list of unique bit patterns, called keys Ð Process executing in a domain can access an object only if the domain has a key that matches one of the locks of the object Ð As with capabilities, users cannot examine or manipulate locks and keys directly CPSC 410--Richard Furuta 4/26/99 24 12

Revocation of Access Rights Access List Ð Delete access rights from access list. Ð Simple (access list kept in a centralized location) Ð Immediate Capability List Ð Scheme required to locate capability in the system before capability can be revoked (capabilities distributed throughout system). Ð Reacquisition Require reacquisition of capabilities from time to time Ð Back-pointers Keep list of capability holders Ð Indirection DonÕt give out capabilities; give out pointers to capabilities Keys Ð Selectively change locks CPSC 410--Richard Furuta 4/26/99 25 Hydra Capability-Based Systems Ð CMU, ~1981 Ð Fixed set of access rights known to and interpreted by the system. Ð Interpretation of user-defined rights performed solely by userõs program; system provides access protection for the use of these rights. CPSC 410--Richard Furuta 4/26/99 26 13

Capability-Based Systems Cambridge CAP System Ð Cambridge ~1977 Ð Data capability Ð provides standard read, write, execute of individual storage segments associated with object. Ð Software capability Ðinterpretation left to the subsystem, through its protected procedures. CPSC 410--Richard Furuta 4/26/99 27 Language-Based Protection Specification of protection in a programming language allows the high-level description of policies for the allocation and use of resources. Language implementation can provide software for protection enforcement when automatic hardware-supported checking is unavailable. Interpret protection specifications to generate calls on whatever protection system is provided by the hardware and the operating system. CPSC 410--Richard Furuta 4/26/99 28 14

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback