Chapter 17: Protection

Operating System Concepts – 10h Edition Silberschatz, Galvin and Gagne ©2018
 Outline
 Goals of Protection
 Principles of Protection
 Protection Rings
 Domain of Protection
 Access Matrix
 Implementation of Access Matrix
 Revocation of Access Rights
 Role-based Access Control
 Mandatory Access Control (MAC)
 Capability-Based Systems
 Other Protection Implementation Methods
 Language-based Protection

Operating System Concepts – 10th Edition 17.2 Silberschatz, Galvin and Gagne ©2018
 Objectives
 Discuss the goals and principles of protection in a modern
computer system
 Explain how protection domains combined with an access matrix
are used to specify the resources a process may access
 Examine capability and language-based protection systems
 Describe how protection mechanisms can mitigate system attacks

Operating System Concepts – 10th Edition 17.3 Silberschatz, Galvin and Gagne ©2018
 The Protection Problem
 A computer system consists of a collection of objects:
• Hardware
• Software
 Each object has a unique name and can be accessed through
a well-defined set of operations
 Goal - ensure that each object is accessed correctly and only
by those processes that are allowed to do so

Operating System Concepts – 10th Edition 17.4 Silberschatz, Galvin and Gagne ©2018
 The Security Problem
 System is secure if resources used and accessed as intended
under all circumstances
• Unachievable
 Intruders (crackers) attempt to breach security
 Threat is potential security violation
 Attack is attempt to breach security
 Attack can be accidental or malicious
 Easier to protect against accidental than malicious misuse

Operating System Concepts – 10th Edition 17.5 Silberschatz, Galvin and Gagne ©2018
 The Security/Protection Problem
 Both protection and security are vital to computer systems. We
distinguish between these two concepts in the following way:
 Security is a measure of confidence that the integrity of a
system and its data will be preserved.
 Protection is the set of mechanisms that control the access of
processes and users to the resources defined by a computer
system. We focus on protection in this chapter and address
security in chapter 16.

Operating System Concepts – 10th Edition 17.6 Silberschatz, Galvin and Gagne ©2018
 Goals of Protection
 A computer system consists of a collection of objects,
hardware or software
 Each object has a unique name and can be accessed through
a well-defined set of operations
 Protection problem - ensure that each object is accessed
correctly and only by those processes that are allowed to do
so

Operating System Concepts – 10th Edition 17.7 Silberschatz, Galvin and Gagne ©2018
 Principles of least privilege
 Programs, users and systems should be given just enough
privileges to perform their tasks
 Limits damage if entity has a bug, gets abused
 Can be static (during life of system, during life of process)
 Or dynamic (changed by process as needed) – domain
switching, privilege escalation
 “Need to know” a similar concept regarding access to data

Operating System Concepts – 10th Edition 17.8 Silberschatz, Galvin and Gagne ©2018
 Principles of Protection
 Must consider “grain” aspect
• Rough-grained privilege management easier, simpler,
but least privilege now done in large chunks
 For example, traditional Unix processes either have
abilities of the associated user, or of root
• Fine-grained management more complex, more
overhead, but more protective
 Access Control List (ACL) lists,
 Role Based Access Control (RBAC)
 Domain can be user, process, procedure

Operating System Concepts – 10th Edition 17.9 Silberschatz, Galvin and Gagne ©2018
 Domain Structure
 Access-right = <object-name, rights-set>
• rights-set is a subset of all valid operations that can
be performed on the object
 Domain = set of access-rights
 Domains can overlap
 Example

 Domain implementation:
• UNIX
• Multics: ("Multiplexed Information and Computing
Service")

Operating System Concepts – 10th Edition 17.10 Silberschatz, Galvin and Gagne ©2018
 UXIX Domain Implementation
 Domain = user-id
 Domain switch accomplished via file system
 Each file has associated with it a domain bit (setuid bit)
 When file is executed and setuid = on, then user-id is set to
owner of the file being executed
 When execution completes user-id is reset
 Domain switch accomplished via passwords
• su command temporarily switches to another user’s domain
when other domain’s password provided
 Domain switching via commands
• sudo command prefix executes specified command in another
domain (if original domain has privilege or password given)

Operating System Concepts – 10th Edition 17.11 Silberschatz, Galvin and Gagne ©2018
 Multics Domain Implementation
 Let Di and Dj be any two domain rings
 If j < I  Di  Dj
 Illustration

Operating System Concepts – 10th Edition 17.12 Silberschatz, Galvin and Gagne ©2018
 Multics Benefits and Limits
 Ring / hierarchical structure provided more than the basic
design:
• kernel / user or
• root / normal user
 Fairly complex  more overhead
 But does not allow strict need-to-know
• Object accessible in Dj but not in Di, then j must be < i
• But then every object accessible in Di also accessible in Dj

Operating System Concepts – 10th Edition 17.13 Silberschatz, Galvin and Gagne ©2018
 Access Matrix
 View protection as a matrix (access matrix)
 Rows represent domains
 Columns represent objects
 Access(i, j) is the set of operations that a process executing
in Domaini can invoke on Objectj
 Example

Operating System Concepts – 10th Edition 17.14 Silberschatz, Galvin and Gagne ©2018
 Use of Access Matrix
 If a process in Domain Di tries to do “op” on object Oj, then “op”
must be in the access matrix
 User who creates object can define the access column for that
object
 Example

Operating System Concepts – 10th Edition 17.15 Silberschatz, Galvin and Gagne ©2018
 Access Matrix with Dynamic Protection

 Operations to add, delete access rights

 Special access rights:
• copy – ability to copy access-rights from domain Di to
domain Dj (denoted by “*”)
• owner – ability to add/remove access-rights
• control – Di can modify Dj access rights
• switch – switch from domain Di to Dj
 Copy and Owner applicable to an object
 Control applicable to domain object

Operating System Concepts – 10th Edition 17.16 Silberschatz, Galvin and Gagne ©2018
 Access Matrix with Copy Rights
 A process executing in Domain D2 can copy the read access to
file object F2 to domain D3

Operating System Concepts – 10th Edition 17.17 Silberschatz, Galvin and Gagne ©2018
 Access Matrix with owner Rights
 A process executing in Domain D2 can create the write access-
right to file F2 to domain D2 and D3

Operating System Concepts – 10th Edition 17.18 Silberschatz, Galvin and Gagne ©2018
 Access Matrix with Domains as Objects
 A process executing in Domain D2 can switch to domain D3

Operating System Concepts – 10th Edition 17.19 Silberschatz, Galvin and Gagne ©2018
 Mechanism and Policy
 Access matrix provides a scheme to separates mechanism from
policy
• Mechanism
 Operating system provides access-matrix + rules
 It ensures that the matrix is only manipulated by authorized
agents and that rules are strictly enforced
• Policy
 User dictates policy
– Who can access what object and in what mode

Operating System Concepts – 10th Edition 17.20 Silberschatz, Galvin and Gagne ©2018
 Implementation of Access Matrix
 Generally, a sparse matrix
 Option 1 – Global table
 Option 2 – Access lists for objects
 Option 3 – Capability list
 Option 4 – Lock-key

Operating System Concepts – 10th Edition 17.21 Silberschatz, Galvin and Gagne ©2018
 Option 1: Global Table
 Store ordered triples
<domain, object, rights-set>
in a global table
 A requested operation M on object Oj within domain Di  search
table for < Di, Oj, Rk >
• With M ∈ Rk
 But table could be large  will not fit in main memory
 Difficult to group objects (consider an object that all domains can
read)

Operating System Concepts – 10th Edition 17.22 Silberschatz, Galvin and Gagne ©2018
 Option 2: Access lists for objects
 Each column implemented as an access list for one object
 Resulting per-object list consists of ordered pairs
<domain, rights-set>
defining all domains with non-empty set of access
rights for the object
 Easily extended to contain default set  If M ∈ default set,
also allow access

Operating System Concepts – 10th Edition 17.23 Silberschatz, Galvin and Gagne ©2018
 Option 2 (Cont.)
 Each column = Access-control list for one object
• Defines who can perform what operation
Domain 1 = Read, Write
Domain 2 = Read
Domain 3 = Read

 Each Row = Capability List (like a key)

• For each domain, what operations allowed on what objects
Object F1 – Read
Object F4 – Read, Write, Execute
Object F5 – Read, Write, Delete, Copy

Operating System Concepts – 10th Edition 17.24 Silberschatz, Galvin and Gagne ©2018
 Option 3: Capability list
 Instead of list being object based, list is domain based
 Capability list for domain is list of objects together with operations
allows on them
 Object represented by its name or address, called a capability
 Execute operation M on object Oj, process requests operation and
specifies capability as parameter
• Possession of capability means access is allowed
 Capability list associated with domain but never directly accessible by
domain
• Rather, protected object, maintained by OS and accessed
indirectly
• Like a “secure pointer”
• Idea can be extended up to applications

Operating System Concepts – 10th Edition 17.25 Silberschatz, Galvin and Gagne ©2018
 Option 4: Lock-Key
 Compromise between access lists and capability lists
 Each object has list of unique bit patterns, called locks
 Each domain as list of unique bit patterns called keys
 Process in a domain can only access object if domain has key
that matches one of the locks

Operating System Concepts – 10th Edition 17.26 Silberschatz, Galvin and Gagne ©2018
 Revocation of Access Rights
 Need a mechanism to allow the owner of an object to revoke
access rights to that object.
 Various options to remove the access right of a domain to an object
• Immediate vs. delayed
• Selective vs. general
• Partial vs. total
• Temporary vs. permanent
 Revocation to:
• Access list
• Capability list

Operating System Concepts – 10th Edition 17.27 Silberschatz, Galvin and Gagne ©2018
 Revocation: Access List
 Delete access rights from access list
 Simple – search access list and remove entry
 Options:
• Immediate,
• general or selective,
• total or partial,
• permanent or temporary

Operating System Concepts – 10th Edition 17.28 Silberschatz, Galvin and Gagne ©2018
 Revocation: Capability List
 Need a scheme to locate a capability in the system before the capability
can be revoked. Not simple since the capabilities are not directly
accessible to the users.
• Reacquisition – periodically delete the capability from the domain. If
a user need access it must request again.
• Back-pointers – set of pointers from each object to all capabilities of
that object (Multics)
• Indirection – capability points to global table entry which points to
object – delete entry from global table, not selective.
• Keys – unique bits associated with capability, generated when
capability created
 Master key associated with object, key matches master key for
access
 Revocation – create new master key
 Policy decision of who can create and modify keys – object owner
or others?

Operating System Concepts – 10th Edition 17.29 Silberschatz, Galvin and Gagne ©2018
 Comparison of Implementations
 Many trade-offs to consider
• Global table is simple, but table can be large and not fit in
memory
• Access lists correspond to the direct needs of users
 Every access to an object must be checked
– Many objects and access rights  slow
• Capability lists useful for localizing information for a given
process
 But revocation capabilities can be inefficient (more later)
• Lock-key effective and flexible, keys can be passed freely from
domain to domain, easy revocation

Operating System Concepts – 10th Edition 17.30 Silberschatz, Galvin and Gagne ©2018
 Comparison of Implementations (Cont.)

 Most systems use combination of access lists and capabilities

• First access to an object  access list searched
 If allowed, capability created and attached to process
– Additional accesses need not be checked
 After last access, capability destroyed
 Consider file system with ACLs per file

Operating System Concepts – 10th Edition 17.31 Silberschatz, Galvin and Gagne ©2018
 Access Control
 Protection can be applied to non-file
resources
 Oracle Solaris 10 provides role-based
access control (RBAC) to implement
least privilege
• Privilege is a right to execute
system call or use an option within
a system call
• Can be assigned to processes
• Users assigned roles granting
access to privileges and programs
 Enable role via password to
gain its privileges
• Similar to access matrix

Operating System Concepts – 10th Edition 17.32 Silberschatz, Galvin and Gagne ©2018
 Capability-Based Systems
 Hydra. Developed in CMU in the 70s
 Cambridge CAP System
 Language-Based Protection

Operating System Concepts – 10th Edition 17.33 Silberschatz, Galvin and Gagne ©2018
 Hydra
 Fixed set of access rights known to and interpreted by the system
• For example, read, write, or execute each memory segment
• User can declare other auxiliary rights and register those with
protection system
• Accessing process must hold capability and know name of
operation
• Rights amplification allowed by trustworthy procedures for a
specific type
 Interpretation of user-defined rights performed solely by user's program;
system provides access protection for use of these rights
 Operations on objects defined procedurally – procedures are objects
accessed indirectly by capabilities
 Solves the problem of mutually suspicious subsystems
 Includes library of prewritten security routines

Operating System Concepts – 10th Edition 17.34 Silberschatz, Galvin and Gagne ©2018
 Cambridge CAP System

 Simpler but powerful

 Data capability - provides standard read, write, execute of
individual storage segments associated with object –
implemented in microcode
 Software capability -interpretation left to the subsystem,
through its protected procedures
• Only has access to its own subsystem
• Programmers must learn principles and techniques of
protection

Operating System Concepts – 10th Edition 17.35 Silberschatz, Galvin and Gagne ©2018
 Language-Based Protection
 Specification of protection in a programming language allows
the high-level description of policies for the allocation and use
of resources
 Language implementation can provide software for protection
enforcement when automatic hardware-supported checking is
unavailable
 Interpret protection specifications to generate calls on
whatever protection system is provided by the hardware and
the operating system

Operating System Concepts – 10th Edition 17.36 Silberschatz, Galvin and Gagne ©2018
 Protection in Java 2
 Protection is handled by the Java Virtual Machine (JVM)
 A class is assigned a protection domain when it is loaded by the
JVM
 The protection domain indicates what operations the class can
(and cannot) perform
 If a library method is invoked that performs a privileged
operation, the stack is inspected to ensure the operation can be
performed by the library
 Generally, Java’s load-time and run-time checks enforce type
safety
 Classes effectively encapsulate and protect data and methods
from other classes

Operating System Concepts – 10th Edition 17.37 Silberschatz, Galvin and Gagne ©2018
 Stack Inspection

Operating System Concepts – 10th Edition 17.38 Silberschatz, Galvin and Gagne ©2018
 End of Chapter 17

Operating System Concepts – 10h Edition Silberschatz, Galvin and Gagne ©2018
 Comparison of Implementations
 Many trade-offs to consider
• Global table is simple, but can be large
• Access lists correspond to needs of users
 Determining set of access rights for domain non-localized
so difficult
 Every access to an object must be checked
– Many objects and access rights -> slow
• Capability lists useful for localizing information for a given
process
 But revocation capabilities can be inefficient
• Lock-key effective and flexible, keys can be passed freely from
domain to domain, easy revocation

Operating System Concepts – 10th Edition 17.40 Silberschatz, Galvin and Gagne ©2018
 Access Matrix with Domains as Objects

Operating System Concepts – 10th Edition 17.41 Silberschatz, Galvin and Gagne ©2018
 Use of Access Matrix
 Can be expanded to dynamic protection
• Operations to add, delete access rights
• Special access rights:
 owner of Oi
 copy op from Oi to Oj (denoted by “*”)
 control – Di can modify Dj access rights
 transfer – switch from domain Di to Dj
• Copy and Owner applicable to an object
• Control applicable to domain object

Operating System Concepts – 10th Edition 17.42 Silberschatz, Galvin and Gagne ©2018