Protection
Fred Kuhns, fredk@cse.wustl.edu
Applied Research Laboratory, Department of Computer Science and Engineering, Washington University in St. Louis
Protection and Security
• “Protect each secure entity from all unauthorized access” [1]. This is implemented in two parts:
  • Authentication: verify identity
  • Authorization: resource access rights
• An additional concern arises when information is transferred over a network to which unauthorized entities may have access.
  • Cryptography is used to protect sensitive information
• Types of attack used to gain access to a computer system: masquerading; guessing login and password; snooping for login and password (eavesdropping); alternate entrances.
• Once on a system: confinement and allocating rights; trojan horse; denial-of-service
[1] Nutt, Gary, Operating Systems, 3rd edition, Addison Wesley, 2004
CSE522 – Advanced Operating Systems
Protection
• Goal: provide mechanisms to ensure that only authorized accesses to system resources are permitted, i.e. accesses consistent with the stated policies (policy enforcement).
• Improves system reliability by detecting and containing program errors (of the user or of the system)
• Policies may be:
  • hard coded in the system design
  • defined by the user, such as setting file permissions
  • dynamically set by system managers
  • defined by application developers
• The “principle of least privilege” is a time-tested principle used when designing systems.
  • It implies fine-grained protection and an ability to modify access rights over time.
  • Use audit trails to log privileged operations
• “Need to know principle”
• Two different resource access types:
  • instruction-level access
  • system-level access: high-level abstract entities (objects).
Domains
• A computer system is a collection of passive and active entities.
  • Passive entities correspond to resources and other secure entities. They are known as objects or protection objects, and are:
    • identified by a unique name
    • representations of hardware and software entities
    • accessed through a well-defined interface
    • instances of abstract data types
  • Active entities: processes and threads acting on behalf of users.
• Access right: an ordered pair of an object and a set of operations, <object,ops>, for example <fileX,{read,write}>
• Processes access objects according to their access rights:
  • A process is only permitted to access objects for which it has an immediate need (need-to-know principle)
  • A process can also be considered an object and thus have access rights associated with it (just as any other object would)
  • The objects in a system therefore include both passive and active entities
• The particular set of access rights held by a process at any point in time is known as its “Protection Domain”
  • subject := a process executing in a specific protection domain.
  • A domain specifies the objects that may be accessed (authorized objects)
  • and the operations that may be performed on the authorized objects
Protection Domains
• A protection domain is a set of access rights
• Domains may overlap
• We may want to permit a domain’s set of access rights to change dynamically
• Process-domain associations may be static or dynamic
  • if dynamic, the system must support domain switching
• Defining domains: per user domain; per process domain; per procedure domain
[Figure: three overlapping domains. Domain1 and Domain2 are drawn with the rights <obj1,{write}>, <obj1,{read,write}>, <obj4,{read,write}> and <obj2,{read,write}>; Domain3 holds <obj1,{read}>, <obj2,{execute}> and <obj3,{read,write}>.]
The Model
• Protection system: composed of a set of objects, a set of subjects, and a set of rules specifying the protection policy.
• Protection state: defines the accessibility of objects by subjects
• The system guarantees that the protection state is checked for each access of an object O by a subject S.
• The internal protection state can be changed only according to a set of rules that implement the external security policy.
Using the access matrix
• The protection state may be represented by an access matrix A.
  • It has one row for every subject and one column for each object
  • Each entry A[S,O] is the set of access rights that subject S holds on object O.
• Subject S requests operation x on object O:
  • The protection system authenticates S and generates the 3-tuple <S,x,O>.
  • The monitor for object O checks entry A[S,O]: if x ∈ A[S,O] then access is permitted, otherwise it is denied.
Access Matrix
[Figure: the three domains of the previous slide, with the rights <obj1,{write}>, <obj1,{read,write}>, <obj4,{read,write}>, <obj2,{read,write}> (Domain1 and Domain2) and <obj1,{read}>, <obj2,{execute}>, <obj3,{read,write}> (Domain3), shown as rows and columns of an access matrix.]
Domain Switching
• A process can switch from domain Si to domain Sj if and only if switch ∈ access(i,j), i.e. domains appear as objects (columns) of the matrix and “switch” is a right like any other.
Example Policy Rules to govern state changes
• Copy right, denoted by a ‘*’, three variations:
  • Copy: copy right R* from access(i,j) to access(k,j).
  • Transfer: a right is copied from access(i,j) to access(k,j) and then removed from access(i,j)
  • Limited copy: only the right R (not R*) is copied from access(i,j) to access(k,j).
• Owner right: if access(i,j) includes the owner right then a process executing in domain Si may add or remove any right in any entry in column j.
• Control right (applies only to domain objects): if access(i,j) includes the control right then a process executing in Si can modify row j.
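The access-matrix check, domain switching and the copy/transfer/limited-copy, owner and control rules of the last three slides, worked through as an added example (not code from the slides). It assumes the usual convention that domains are also objects of the matrix, so that “switch” and “control” rights can be stored in ordinary entries; everything else is constructed here.

```python
from collections import defaultdict

# Constructed example: subjects are protection domains; the domains themselves
# are also objects, so 'switch' and 'control' rights live in the matrix too.
class AccessMatrix:
    def __init__(self):
        self.a = defaultdict(set)          # sparse: only non-empty A[S,O] stored

    def grant(self, s, o, *rights):
        self.a[(s, o)].update(rights)

    def rights(self, s, o):
        return self.a.get((s, o), set())   # get() does not create an entry

    # Reference monitor: subject S requests operation x on object O and the
    # 3-tuple <S,x,O> is checked against entry A[S,O].
    def check(self, s, x, o):
        return x in self.rights(s, o)

    # Domain switching: Si -> Sj is allowed iff 'switch' is in A[Si,Sj].
    def switch(self, si, sj):
        return self.check(si, "switch", sj)

    # Copy right R* in A[i,j] lets Si propagate R (or R*) to A[k,j].
    def copy(self, si, sk, o, r, mode="copy"):
        if r + "*" not in self.rights(si, o):
            return False
        if mode == "limited":              # only R, not R*, is copied
            self.a[(sk, o)].add(r)
        else:
            self.a[(sk, o)].add(r + "*")
            if mode == "transfer":         # source entry loses the right
                self.a[(si, o)].discard(r + "*")
        return True

    # Owner right in A[i,j]: Si may add or remove any right in column j.
    def owner_set(self, si, sk, o, r, add=True):
        if "owner" not in self.rights(si, o):
            return False
        (self.a[(sk, o)].add if add else self.a[(sk, o)].discard)(r)
        return True

    # Control right in A[i,Dj] (Dj a domain object): Si may modify row j.
    def control_revoke(self, si, dj, o, r):
        if "control" not in self.rights(si, dj):
            return False
        self.a[(dj, o)].discard(r)
        return True
```

Every state change goes through a method that first consults the matrix, which is the point of the model: the rules, not the caller, decide whether the protection state may change.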
Access and Capability Lists
• The access matrix is large and sparse, so implementations keep track of only the non-empty entries.
• All nonempty entries in a column form a list associated with the corresponding object. This is the access list of the object.
  • for each object there is a list of <domain, rights>
• All nonempty entries in a row form a list associated with the corresponding domain. This is the capability list of the domain.
  • for each domain there is a list of <object, rights>
• An object may be represented by its name or address, called a capability. A process can execute operation M on object Oj simply by passing the capability as a parameter.
  • A capability is associated with a domain and is not directly accessible by a process.
  • Capabilities can be protected using hardware tags, by storing them in the OS kernel, or by keeping them in user space and using cryptography to protect them.
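The column and row views of the same sparse matrix, plus the third protection option named on the slide (capabilities held in user space but protected cryptographically), as an added example that is not code from the slides. The matrix entries, the kernel MAC key and the HMAC-tagged token format are all constructed for the illustration.

```python
import hmac, hashlib, json
from collections import defaultdict

# Constructed sparse access matrix: only the non-empty A[domain,object] entries.
ENTRIES = {("D1", "obj1"): {"write"}, ("D1", "obj4"): {"read", "write"},
           ("D2", "obj1"): {"read", "write"}, ("D2", "obj2"): {"read", "write"},
           ("D3", "obj1"): {"read"}, ("D3", "obj2"): {"execute"},
           ("D3", "obj3"): {"read", "write"}}

def access_lists(entries):
    """Column view: for each object, its list of <domain, rights>."""
    acl = defaultdict(dict)
    for (d, o), rights in entries.items():
        acl[o][d] = set(rights)
    return dict(acl)

def capability_lists(entries):
    """Row view: for each domain, its list of <object, rights>."""
    cl = defaultdict(dict)
    for (d, o), rights in entries.items():
        cl[d][o] = set(rights)
    return dict(cl)

# Capabilities held in user space and protected cryptographically: the kernel
# keeps a MAC key and only honours a capability whose tag it can recompute.
KERNEL_KEY = b"constructed-kernel-secret"   # assumption: never leaves the kernel

def mint_capability(domain, obj, rights, key=KERNEL_KEY):
    """Kernel side: issue a capability <domain, object, rights> with its tag."""
    body = json.dumps([domain, obj, sorted(rights)]).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag

def invoke(cap, op, key=KERNEL_KEY):
    """Kernel side: the process passes the capability as a parameter; the
    operation is allowed only if the tag verifies and op is among the rights."""
    body, tag = cap
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False                       # forged or modified capability
    _domain, _obj, rights = json.loads(body)
    return op in rights
```

A process that edits the rights inside its own token invalidates the tag, so the kernel rejects it; the token is unforgeable without the key even though the process can read it.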