Chapter 14: Protection

Bernard Chen, Spring 2007

14.1 Goal of Protection

Protection was originally conceived as an adjunct to multiprogramming operating systems, so that untrustworthy users might safely share a common logical name space (such as a directory of files) or a common physical name space (such as memory).

Modern protection concepts have evolved to increase the reliability of any complex system that makes use of shared resources

Protection (Ch. 14) deals with the internal problem: controlling the access of programs, processes, and users to the resources defined by the system. Security (Ch. 15) deals with the external problem: defending the system against threats from outside its boundary.

14.2 Principle of Protection

A key, time-tested guiding principle for protection is the principle of least privilege.

It dictates that programs, users, and even systems be given just enough privileges to perform their tasks.

Computers implemented in a computing facility under the principle of least privilege can be limited to running specific services, accessing specific remote hosts via specific services, and doing so only during specific times. A component that is compromised while holding only the privileges its task requires can do correspondingly little damage.

14.3 Domain of Protection

Domain structure:

Access-right = <object-name, rights-set>, where rights-set is a subset of all valid operations that can be performed on the object.

Domain = set of access-rights

Each user may be a domain: domain switching occurs when the user is changed.

Each process may be a domain: domain switching occurs when the process sends a message to another process and then waits for a response.

14.4 Access Matrix

View protection as a matrix (the access matrix). Rows represent domains; columns represent objects. Access(i, j) is the set of operations that a process executing in Domain i can invoke on Object j.

The users normally decide the contents of the access-matrix entries. When a user creates a new object Oj, the column Oj is added to the access matrix, with its entries initialized as the creator dictates.

When we switch a process from one domain to another, we are executing an operation (switch) on a domain. Domains are therefore themselves objects and appear as columns of the matrix.

Processes should be able to switch from one domain to another.

Domain switching from domain Di to Dj is allowed if and only if the access right switch is in access(i, j).

Access Table

Allowing controlled change in the contents of the access-matrix entries requires three additional operations: copy, owner, and control.

Access Table: Copy right

The ability to copy an access right from one domain of the access matrix to another is denoted by an asterisk (*) appended to the right.

The copy right allows the copying of the access right only within the column (that is, for the object) for which the right is defined.

Three variants of copy:
1. Copy: the right, together with its *, is copied from access(i, j) to access(k, j).
2. Transfer: the right is copied from access(i, j) to access(k, j); it is then removed from access(i, j).
3. Limited copy: only the right itself is copied, not the *, so the receiving domain cannot propagate it further.

Access Table: Owner right

We need some mechanism to allow the addition of new rights and the removal of some rights.

If access(i, j) includes the owner right, then a process executing in domain Di can add and remove any right in any entry in column j.

Access Table: Control right

The copy and owner rights allow a process to change the entries in a column; a mechanism is also needed to change the entries in a row.

The control right is applicable only to domain objects.

If access(i, j) includes the control right, then a process executing in domain Di can remove any access right from row j.
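The switch, copy, owner and control operations above can be exercised directly on a small matrix. The following is an added example written for this page, not code from the slides or the textbook; the domain and object names (D1..D3, F1, F2) and the rights granted in demo() are constructed sample data, and the * suffix convention for a copyable right follows the text:

```python
"""Access matrix with domain switching and the copy (*), owner and control rights.

Added example, not code from the original slides. Domains D1..D3, objects F1, F2
and the rights granted in demo() are constructed sample data.
"""

COPY = "*"  # suffix on a right that may be copied down its own column


class AccessError(PermissionError):
    """The acting domain's row does not contain the right the operation needs."""


class AccessMatrix:
    """Rows are domains, columns are objects. Domains are also columns, so that
    'switch' and 'control' are ordinary entries access(i, j) with j a domain."""

    def __init__(self, domains, objects):
        self.domains = list(domains)
        self.objects = list(objects) + self.domains
        self.m = {d: {o: set() for o in self.objects} for d in self.domains}

    def access(self, d, o):
        """Access(i, j): the rights set of domain d on object o."""
        return self.m[d][o]

    def grant(self, d, o, *rights):
        """Initial fill of an entry, normally done by the creator of object o."""
        self.m[d][o].update(rights)

    def can(self, d, o, op):
        """A starred right (op*) still authorises op itself."""
        return op in self.m[d][o] or op + COPY in self.m[d][o]

    def switch(self, current, target):
        """Di -> Dj is allowed iff 'switch' is in access(i, j)."""
        if not self.can(current, target, "switch"):
            raise AccessError(f"{current} may not switch to {target}")
        return target

    def copy(self, actor, obj, right, target, mode="copy"):
        """Propagate a starred right within column obj from actor's row to target's.

        mode 'copy'     -> target receives right* and can copy it further
        mode 'transfer' -> as 'copy', then the right is removed from actor
        mode 'limited'  -> target receives right without the *, so it stops there
        """
        src = self.m[actor][obj]
        if right + COPY not in src:
            raise AccessError(f"{actor} holds no copy right for {right} on {obj}")
        self.m[target][obj].add(right if mode == "limited" else right + COPY)
        if mode == "transfer":
            src.discard(right + COPY)

    def owner_set(self, actor, obj, target, right, add=True):
        """Owner of column obj may add or remove any right in any entry of it."""
        if "owner" not in self.m[actor][obj]:
            raise AccessError(f"{actor} is not an owner of {obj}")
        cell = self.m[target][obj]
        if add:
            cell.add(right)
        else:
            cell.discard(right)
            cell.discard(right + COPY)

    def control_remove(self, actor, dom, obj, right):
        """Holder of 'control' on domain dom may remove rights from row dom."""
        if "control" not in self.m[actor][dom]:
            raise AccessError(f"{actor} has no control over {dom}")
        self.m[dom][obj].discard(right)
        self.m[dom][obj].discard(right + COPY)


def demo():
    """Exercise each operation once; returns (domain entered, final matrix)."""
    am = AccessMatrix(["D1", "D2", "D3"], ["F1", "F2"])
    am.grant("D1", "F1", "read", "owner")   # D1 owns column F1
    am.grant("D1", "F2", "write*")          # D1 may copy 'write' down column F2
    am.grant("D1", "D2", "switch")          # D1 may enter D2
    am.grant("D3", "D2", "control")         # D3 may prune D2's row
    am.grant("D2", "F1", "read", "execute")

    entered = am.switch("D1", "D2")         # allowed: switch in access(D1, D2)
    try:
        am.switch("D2", "D3")               # denied: access(D2, D3) is empty
    except AccessError:
        pass
    am.copy("D1", "F2", "write", "D2", mode="limited")   # D2 gets write, no *
    am.copy("D1", "F2", "write", "D3", mode="transfer")  # D3 gets write*, D1 loses it
    am.owner_set("D1", "F1", "D3", "read")               # owner adds read in column F1
    am.control_remove("D3", "D2", "F1", "execute")       # control prunes D2's row
    return entered, am
```

Note that every mutation is checked against the acting domain's own row first: copy requires the * in the actor's entry of the same column, owner requires "owner" in the actor's entry of that column, and control requires "control" in the actor's entry for the target domain. Nothing lets a domain edit a column or row it holds no such right on, which is the property the three operations exist to preserve.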

Implementation of the Access Table

Four approaches: a global table, access lists for objects, capability lists for domains, and a lock-key mechanism.

Global Table

The easiest implementation: a set of ordered triples <domain, object, rights-set>. Whenever an operation is executed on an object within a domain, the table is searched for a triple whose domain and object match and whose rights-set contains the operation.

Disadvantages:
1. The table is usually too big to fit in memory.
2. Additional I/O (virtual memory) is therefore required.
3. No advantage can be taken of special groupings of objects or domains; an object readable by every domain still needs a separate entry for each domain.

Access Lists for Objects

Each column of the access matrix is implemented as an access list for one object, with empty entries discarded. The resulting list for each object consists of ordered pairs

<domain, rights-set>

Capability Lists for Domains

We can access each row by its domain. A capability list for a domain is a list of objects together with the operations allowed on those objects.

An object is often represented by its physical name or address, called a capability. Because possession of the capability is what grants access, capabilities must be kept out of reach of user processes so that they cannot be forged.

Lock-Key Mechanism

Each object has a list of unique bit patterns, called locks. Similarly, each domain has a list of unique bit patterns, called keys. A process executing in a domain can access an object only if that domain has a key that matches one of the locks of the object.
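To compare the four implementations described above, the following added example (not code from the original slides) builds the global table, the per-object access lists and the per-domain capability lists from one constructed matrix, checks that a column lookup and a row lookup give the same answer, and models the lock-key test with constructed 16-bit patterns. The matrix entries and the lock and key values are sample data invented for the example:

```python
"""Four representations of one access matrix: global table, access lists
(per object column), capability lists (per domain row), and lock-key.

Added example, not from the original slides. MATRIX, LOCKS and KEYS are
constructed sample data.
"""
from collections import defaultdict

# Constructed sample. Rows are domains, columns are objects, cells are rights.
# Empty cells are simply absent, which is what makes the per-row and per-column
# forms smaller than a fully populated matrix.
MATRIX = {
    "D1": {"F1": {"read"}, "F3": {"read"}},
    "D2": {"printer": {"print"}},
    "D3": {"F2": {"read"}, "F3": {"execute"}},
    "D4": {"F1": {"read", "write"}, "F3": {"read", "write"}},
}


def global_table(matrix):
    """Every non-empty entry as an ordered <domain, object, rights-set> triple."""
    return sorted((d, o, frozenset(r)) for d, row in matrix.items() for o, r in row.items())


def access_lists(matrix):
    """Column view: for each object, its <domain, rights-set> pairs (an ACL)."""
    acl = defaultdict(list)
    for d, row in matrix.items():
        for o, rights in row.items():
            acl[o].append((d, frozenset(rights)))
    return dict(acl)


def capability_lists(matrix):
    """Row view: for each domain, the <object, rights-set> pairs it holds."""
    return {d: [(o, frozenset(r)) for o, r in row.items()] for d, row in matrix.items()}


def check_acl(acl, domain, obj, op):
    """ACL-style decision: scan the object's list for the requesting domain."""
    return any(d == domain and op in rights for d, rights in acl.get(obj, []))


def check_capability(caps, domain, obj, op):
    """Capability-style decision: scan the domain's list for the object."""
    return any(o == obj and op in rights for o, rights in caps.get(domain, []))


# Lock-key: each object carries lock bit patterns, each domain carries keys.
# Constructed 16-bit values; a real system would use unique, unforgeable ones.
LOCKS = {"F1": [0x3A5C, 0x9F01], "F2": [0x7E20], "F3": [0x3A5C], "printer": [0xC4D2]}
KEYS = {"D1": [0x3A5C], "D2": [0xC4D2], "D3": [0x7E20, 0x3A5C], "D4": [0x1111]}


def lock_key_allows(domain, obj, keys=KEYS, locks=LOCKS):
    """Granted iff some key held by the domain equals some lock on the object."""
    return bool(set(keys.get(domain, ())) & set(locks.get(obj, ())))
```

The ACL and capability forms hold exactly the same information as the global table; they differ in which question is cheap to answer. An ACL answers "who may touch this object?" in one scan, a capability list answers "what may this domain touch?" in one scan, and revoking a right is a local edit in the ACL but requires finding every holder in the capability form. The lock-key check avoids naming domains and objects at all; it grants access on a matching pattern alone, so the bit patterns must be unguessable and unforgeable.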