Chapter 14: Protection
Silberschatz, Galvin and Gagne ©2005, Operating System Concepts – 7th Edition, Apr 11, 2005

Chapter 14: Protection
■ Goals of Protection
■ Principles of Protection
■ Domain of Protection
■ Access Matrix
■ Implementation of Access Matrix
■ Access Control
■ Revocation of Access Rights
■ Capability-Based Systems
■ Language-Based Protection

Objectives
■ Discuss the goals and principles of protection in a modern computer system
■ Explain how protection domains combined with an access matrix are used to specify the resources a process may access
■ Examine capability and language-based protection systems

Goals of Protection
■ Operating system consists of a collection of objects, hardware or software
■ Each object has a unique name and can be accessed through a well-defined set of operations
■ Protection problem – ensure that each object is accessed correctly and only by those processes that are allowed to do so

Principles of Protection
■ Guiding principle – principle of least privilege
● Programs, users and systems should be given just enough privileges to perform their tasks

Domain Structure
■ Access-right = <object-name, rights-set>, where rights-set is a subset of all valid operations that can be performed on the object
■ Domain = set of access-rights

Domain Implementation (UNIX)
■ System consists of 2 domains:
● User
● Supervisor
■ UNIX
● Domain = user-id
● Domain switch accomplished via the file system. Each file has associated with it a domain bit (setuid bit). When a file is executed and setuid = on, the user-id is set to the owner of the file being executed. When execution completes, the user-id is reset.

Domain Implementation (MULTICS)
■ Let Di and Dj be any two domain rings.
■ If j < i ⇒ Di ⊆ Dj

Access Matrix
■ View protection as a matrix (access matrix)
■ Rows represent domains
■ Columns represent objects
■ Access(i, j) is the set of operations that a process executing in Domain i can invoke on Object j

Access Matrix (Figure A)
…

Use of Access Matrix
■ … object Oj, then "op" must be in the access matrix
■ Can be expanded to dynamic protection
● Operations to add, delete access rights
● Special access rights:
  owner of Oi
  copy op from Oi to Oj
  control – Di can modify Dj access rights
  transfer – switch from domain Di to Dj

Use of Access Matrix (Cont.)
■ … manipulated by authorized agents and that rules are strictly enforced
■ Policy
● User dictates policy
● Who can access what object and in what mode

Implementation of Access Matrix
■ Each column = Access-control list for one object
● Defines who can perform what operation
  Domain 1 = Read, Write
  Domain 2 = Read
■ … Copy

Access Matrix of Figure A With Domains as Objects (Figure B)

Access Matrix with Copy Rights

Access Matrix With Owner Rights

Modified Access Matrix of Figure B

Access Control
■ Protection can be applied to non-file resources
■ Solaris 10 provides role-based access control to implement … to processes
● Users assigned roles granting access to privileges and programs

Role-based Access Control in Solaris 10

Revocation of Access Rights
■ Access List – Delete access rights from access list
● Simple …
● Back-pointers
● Indirection
● Keys

Capability-Based Systems
■ Hydra
● Fixed set of access rights known to and interpreted by the system
● Interpretation of user-defined rights performed solely by user's program; system provides access protection for use of these rights
■ Cambridge CAP System
● Data capability – provides …

Language-Based Protection
■ Specification of protection in a programming language allows the high-level description of policies for the allocation and use of resources
■ Language implementation can provide software for protection enforcement when automatic hardware-supported checking is unavailable
■ Interpret protection specifications to generate calls on whatever protection system is provided by the hardware and the operating system

Protection in Java 2
■ Protection is handled by the Java Virtual Machine (JVM)
■ A class is assigned a protection domain when it is loaded by the JVM
■ The protection domain indicates what operations …
■ … inspected to ensure the operation can be performed by the library

Stack Inspection

End of Chapter 14
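The dynamic access-matrix operations listed under Use of Access Matrix (copy, owner, control and switch/transfer), the two implementation views under Implementation of Access Matrix (an access-control list per column, a capability list per row) and access-list revocation, carried through in an added Python model. This is illustration code written for this chapter summary, not the textbook's or any operating system's implementation; the domains D1 to D4, the files F2 and F3 and the rights set up in build_example() are constructed sample data.

```python
# Added example (not from the textbook slides): an executable model of the
# access-matrix mechanism, with the dynamic rights copy, owner, control and
# switch, plus the ACL (column) and capability-list (row) views and
# ACL-style revocation.  Domain/object names are constructed sample data.
from collections import defaultdict

COPY_FLAG = "*"          # "read*" = right "read" carrying the copy flag


class AccessMatrix:
    def __init__(self):
        # access[domain][obj] -> set of rights.  Domains are also objects
        # (Figure B), so "switch" and "control" live in the domain columns.
        self.access = defaultdict(lambda: defaultdict(set))

    # --- mechanism: the one question the matrix answers ------------------
    def check(self, domain, obj, op):
        """True iff op is in Access(domain, obj)."""
        return op in self.access[domain][obj]

    def grant(self, domain, obj, *rights):
        self.access[domain][obj].update(rights)

    # --- dynamic protection: rights that change the matrix itself -------
    def switch(self, src, dst):
        """transfer: a process in src may enter dst only if Access(src, dst)
        contains 'switch'."""
        if not self.check(src, dst, "switch"):
            raise PermissionError(f"{src} may not switch to {dst}")
        return dst

    def copy(self, src, dst, obj, op, *, transfer=False, limited=True):
        """copy: src holding op* on obj may propagate op within the same
        column.  limited=True copies op without the flag (dst cannot
        propagate further); transfer=True also removes op* from src."""
        if not self.check(src, obj, op + COPY_FLAG):
            raise PermissionError(f"{src} has no copy right for {op} on {obj}")
        self.access[dst][obj].add(op if limited else op + COPY_FLAG)
        if transfer:
            self.access[src][obj].discard(op + COPY_FLAG)

    def owner_set(self, actor, obj, target, op, *, remove=False):
        """owner: actor holding 'owner' on obj may add or remove any right
        in obj's column."""
        if not self.check(actor, obj, "owner"):
            raise PermissionError(f"{actor} does not own {obj}")
        if remove:
            self.access[target][obj].discard(op)
        else:
            self.access[target][obj].add(op)

    def control_remove(self, actor, target_domain, obj, op):
        """control: actor holding 'control' on domain Dj may remove rights
        from Dj's row."""
        if not self.check(actor, target_domain, "control"):
            raise PermissionError(f"{actor} does not control {target_domain}")
        self.access[target_domain][obj].discard(op)

    # --- implementation views -------------------------------------------
    def acl(self, obj):
        """Column view: access-control list for one object."""
        return {d: set(row[obj]) for d, row in self.access.items() if row[obj]}

    def capability_list(self, domain):
        """Row view: capability list for one domain."""
        return {o: set(r) for o, r in self.access[domain].items() if r}

    def revoke(self, obj, op):
        """Access-list revocation: delete op (and its copy-flagged form)
        from every row of obj's column in one pass."""
        for row in self.access.values():
            row[obj].discard(op)
            row[obj].discard(op + COPY_FLAG)


def build_example():
    """Constructed sample matrix (not one of the textbook figures)."""
    m = AccessMatrix()
    m.grant("D1", "F3", "read")
    m.grant("D1", "D2", "switch")                 # D1 may transfer to D2
    m.grant("D2", "F2", "read" + COPY_FLAG, "execute")
    m.grant("D2", "F3", "owner")                  # D2 owns F3
    m.grant("D4", "D2", "control")                # D4 controls row D2
    return m


def demo():
    m = build_example()
    out = {"d1_reads_f3": m.check("D1", "F3", "read"),
           "d3_reads_f2_before": m.check("D3", "F2", "read")}
    m.copy("D2", "D3", "F2", "read")              # limited copy of read
    out["d3_reads_f2_after"] = m.check("D3", "F2", "read")
    out["d3_can_propagate"] = m.check("D3", "F2", "read" + COPY_FLAG)
    m.owner_set("D2", "F3", "D1", "write")        # owner adds a right in F3's column
    out["d1_writes_f3"] = m.check("D1", "F3", "write")
    m.control_remove("D4", "D2", "F2", "execute")  # controller edits row D2
    out["d2_executes_f2"] = m.check("D2", "F2", "execute")
    out["switch"] = m.switch("D1", "D2")
    try:
        m.switch("D3", "D1")
        out["d3_switch_d1"] = True
    except PermissionError:
        out["d3_switch_d1"] = False
    out["acl_f2"] = m.acl("F2")
    out["caps_d1"] = m.capability_list("D1")
    m.revoke("F2", "read")                        # revocation is one column sweep
    out["acl_f2_after_revoke"] = m.acl("F2")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The check() method is the whole mechanism; everything else only edits the matrix, and each edit is itself gated by a right stored in the matrix (owner in the object's column, control in the domain's column, the copy flag on the right being copied), which is what lets the user's policy be expressed entirely as matrix contents. Revocation shows the ACL trade-off the slides note: with a column per object it is a single sweep, whereas with capability lists the same right is scattered across rows and needs back-pointers, indirection or keys to find.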
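The Java 2 slides end with the stack being inspected to ensure the operation can be performed by the library. The added Python model below shows that walk: every frame carries the protection domain its class was loaded into, a permission check starts at the requesting frame and moves back through its callers, fails at the first domain that lacks the permission, and stops early at a frame that invoked doPrivileged. This is an illustration written for this summary, not JVM code; the domains, permission names and method names are constructed sample data, and "connect" and "readfile" stand in for the JDK's real permission classes.

```python
# Added example (not from the slides or the JDK): a model of Java 2 stack
# inspection.  Domains, permissions and method names are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class ProtectionDomain:
    name: str
    permissions: frozenset


@dataclass(frozen=True)
class Frame:
    method: str
    domain: ProtectionDomain
    privileged: bool = False    # this frame invoked doPrivileged()


def check_permission(stack, perm):
    """stack[0] is the outermost caller, stack[-1] the frame requesting the
    operation.  Returns (granted, method that decided the outcome)."""
    for frame in reversed(stack):
        if perm not in frame.domain.permissions:
            return False, frame.method      # AccessControlException in the JVM
        if frame.privileged:
            return True, frame.method       # callers above this frame are not inspected
    return True, stack[0].method


# constructed domains: system classes and a trusted library hold permissions,
# code loaded from an untrusted source holds none
CORE = ProtectionDomain("system", frozenset({"connect", "readfile"}))
LIB = ProtectionDomain("trusted-lib", frozenset({"connect"}))
UNTRUSTED = ProtectionDomain("untrusted", frozenset())


def demo():
    results = {}
    # 1. untrusted code -> library -> socket: denied, because the untrusted
    #    frame is still on the stack when the socket asks for "connect"
    plain = [Frame("applet.run", UNTRUSTED),
             Frame("lib.open_url", LIB),
             Frame("socket.connect", CORE)]
    results["plain"] = check_permission(plain, "connect")
    # 2. the library wraps its own socket use in doPrivileged: inspection
    #    stops at lib.open_url, which holds "connect", so it is granted
    priv = [Frame("applet.run", UNTRUSTED),
            Frame("lib.open_url", LIB, privileged=True),
            Frame("socket.connect", CORE)]
    results["privileged"] = check_permission(priv, "connect")
    # 3. doPrivileged only vouches for permissions the library itself holds:
    #    "readfile" is denied at lib.open_url, not passed through
    results["privileged_other"] = check_permission(priv, "readfile")
    # 4. a stack made entirely of system frames
    trusted = [Frame("main", CORE), Frame("socket.connect", CORE)]
    results["trusted"] = check_permission(trusted, "connect")
    return results


if __name__ == "__main__":
    for name, (granted, where) in demo().items():
        print(f"{name:16s} granted={granted} decided_at={where}")
```

Case 3 is the property a reviewer checks when a library calls doPrivileged: the privileged frame shortens the walk but never grants more than its own domain holds, so the library's protection domain, not the caller's, bounds what a privileged block can do.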