Chapter 14: Protection

Operating System Concepts with Java – 8th Edition 14.1 Silberschatz, Galvin and Gagne ©2009
 Chapter 14: Protection

„ Goals of Protection
„ Principles of Protection
„ Domain of Protection
„ Access Matrix
„ Implementation of Access Matrix
„ Access Control
„ Revocation of Access Rights
„ Capability-Based Systems
„ Language-Based Protection

Operating System Concepts with Java – 8th Edition 14.2 Silberschatz, Galvin and Gagne ©2009
 Objectives

„ Discuss the goals and principles of protection in a modern computer

system

„ Explain how protection domains combined with an access matrix are

used to specify the resources a process may access

„ Examine capability and language-based protection systems

Operating System Concepts with Java – 8th Edition 14.3 Silberschatz, Galvin and Gagne ©2009
 Goals of Protection

„ Operating system consists of a collection of objects, hardware or

software

„ Each object has a unique name and can be accessed through a well-
defined set of operations

„ Protection problem - ensure that each object is accessed correctly and

only by those processes that are allowed to do so

Operating System Concepts with Java – 8th Edition 14.4 Silberschatz, Galvin and Gagne ©2009
 Principles of Protection

„ Guiding principle – principle of least privilege

z Programs, users and systems should be given just enough
privileges to perform their tasks

Operating System Concepts with Java – 8th Edition 14.5 Silberschatz, Galvin and Gagne ©2009
 Domain Structure

„ Access-right = <object-name, rights-set>

where rights-set is a subset of all valid operations that can be
performed on the object.

„ Domain = set of access-rights

Operating System Concepts with Java – 8th Edition 14.6 Silberschatz, Galvin and Gagne ©2009
 Domain Implementation (UNIX)

„ System consists of 2 domains:

z User
z Supervisor

„ UNIX
z Domain = user-id
z Domain switch accomplished via file system
 Each file has associated with it a domain bit (setuid bit)
 When file is executed and setuid = on, then user-id is set to
owner of the file being executed. When execution completes
user-id is reset

Operating System Concepts with Java – 8th Edition 14.7 Silberschatz, Galvin and Gagne ©2009
 Domain Implementation (MULTICS)

„ Let Di and Dj be any two domain rings

„ If j < I ⇒ Di ⊆ Dj

Operating System Concepts with Java – 8th Edition 14.8 Silberschatz, Galvin and Gagne ©2009
 Access Matrix

„ View protection as a matrix (access matrix)

„ Rows represent domains

„ Columns represent objects

„ Access(i, j) is the set of operations that a process executing in Domaini

can invoke on Objectj

Operating System Concepts with Java – 8th Edition 14.9 Silberschatz, Galvin and Gagne ©2009
 Access Matrix

Operating System Concepts with Java – 8th Edition 14.10 Silberschatz, Galvin and Gagne ©2009
 Use of Access Matrix

„ If a process in Domain Di tries to do “op” on object Oj, then “op” must

be in the access matrix

„ Can be expanded to dynamic protection

z Operations to add, delete access rights
z Special access rights:
 owner of Oi
 copy op from Oi to Oj
 control – Di can modify Dj access rights
 transfer – switch from domain Di to Dj

Operating System Concepts with Java – 8th Edition 14.11 Silberschatz, Galvin and Gagne ©2009
 Use of Access Matrix (Cont.)

„ Access matrix design separates mechanism from policy

z Mechanism
 Operating system provides access-matrix + rules
 If ensures that the matrix is only manipulated by authorized
agents and that rules are strictly enforced
z Policy
 User dictates policy
 Who can access what object and in what mode

Operating System Concepts with Java – 8th Edition 14.12 Silberschatz, Galvin and Gagne ©2009
 Implementation of Access Matrix
„ Each column = Access-control list for one object
Defines who can perform what operation.
Domain 1 = Read, Write
Domain 2 = Read
Domain 3 = Read

„ Each Row = Capability List (like a key)

Fore each domain, what operations allowed on what objects.
Object 1 – Read
Object 4 – Read, Write, Execute
Object 5 – Read, Write, Delete, Copy

Operating System Concepts with Java – 8th Edition 14.13 Silberschatz, Galvin and Gagne ©2009
 Access Matrix of Figure A
With Domains as Objects

Figure B

Operating System Concepts with Java – 8th Edition 14.14 Silberschatz, Galvin and Gagne ©2009
 Access Matrix with Copy Rights

Operating System Concepts with Java – 8th Edition 14.15 Silberschatz, Galvin and Gagne ©2009
 Access Matrix With Owner Rights

Operating System Concepts with Java – 8th Edition 14.16 Silberschatz, Galvin and Gagne ©2009
 Modified Access Matrix of Figure B

Operating System Concepts with Java – 8th Edition 14.17 Silberschatz, Galvin and Gagne ©2009
 Access Control

„ Protection can be applied to non-file resources.

„ Solaris 10 provides role-based access control (RBAC) to implement

least privilege
z Privilege is right to execute system call or use an option within a
system call
z Can be assigned to processes
z Users assigned roles granting access to privileges and programs

Operating System Concepts with Java – 8th Edition 14.18 Silberschatz, Galvin and Gagne ©2009
 Role-based Access Control in Solaris 10

Operating System Concepts with Java – 8th Edition 14.19 Silberschatz, Galvin and Gagne ©2009
 Revocation of Access Rights

„ Access List – Delete access rights from access list

z Simple
z Immediate

„ Capability List – Scheme required to locate capability in the system

before capability can be revoked
z Reacquisition
z Back-pointers
z Indirection
z Keys

Operating System Concepts with Java – 8th Edition 14.20 Silberschatz, Galvin and Gagne ©2009
 Capability-Based Systems

„ Hydra
z Fixed set of access rights known to and interpreted by the system
z Interpretation of user-defined rights performed solely by user's
program; system provides access protection for use of these rights

„ Cambridge CAP System

z Data capability - provides standard read, write, execute of
individual storage segments associated with object
z Software capability -interpretation left to the subsystem, through its
protected procedures

Operating System Concepts with Java – 8th Edition 14.21 Silberschatz, Galvin and Gagne ©2009
 Language-Based Protection

„ Specification of protection in a programming language allows the high-

level description of policies for the allocation and use of resources.

„ Language implementation can provide software for protection

enforcement when automatic hardware-supported checking is
unavailable.

„ Interpret protection specifications to generate calls on whatever

protection system is provided by the hardware and the operating
system.

Operating System Concepts with Java – 8th Edition 14.22 Silberschatz, Galvin and Gagne ©2009
 Protection in Java 2

„ Protection is handled by the Java Virtual Machine (JVM).

„ A class is assigned a protection domain when it is loaded by the JVM.

„ The protection domain indicates what operations the class can (and
cannot) perform.

„ If a library method is invoked that performs a privileged operation, the

stack is inspected to ensure the operation can be performed by the
library.

Operating System Concepts with Java – 8th Edition 14.23 Silberschatz, Galvin and Gagne ©2009
 Stack Inspection

Operating System Concepts with Java – 8th Edition 14.24 Silberschatz, Galvin and Gagne ©2009
 End of Chapter 14

Operating System Concepts with Java – 8th Edition 14.25 Silberschatz, Galvin and Gagne ©2009