
Protection

- Discuss the goals and principles of protection in a modern computer system
- Explain how protection domains combined with an access matrix are used to specify the resources a process may access
- Examine capability and language-based protection systems

Goals of Protection

- Operating system consists of a collection of objects, hardware or software
- Each object has a unique name and can be accessed through a well-defined set of operations
- Protection problem: ensure that each object is accessed correctly and only by those processes that are allowed to do so

Principles of Protection

- Guiding principle: principle of least privilege
  - Programs, users and systems should be given just enough privileges to perform their tasks

Domain Structure

- Access right = <object-name, rights-set>, where rights-set is a subset of all valid operations that can be performed on the object
- Domain = set of access rights
- System consists of 2 domains:
  - User
  - Supervisor
- UNIX
  - Domain = user-id
  - Domain switch accomplished via file system
    - Each file has associated with it a domain bit (setuid bit)
    - When file is executed and setuid = on, then user-id is set to owner of the file being executed. When execution completes, user-id is reset

Domain Implementation (MULTICS)

- Let Di and Dj be any two domain rings
- If j < i, then Di ⊂ Dj

Access Matrix

- View protection as a matrix (access matrix)
- Rows represent domains
- Columns represent objects
- Access(i, j) is the set of operations that a process executing in Domain i can invoke on Object j

Use of Access Matrix

- If a process in Domain Di tries to do "op" on object Oj, then "op" must be in the access matrix
- Can be expanded to dynamic protection
  - Operations to add, delete access rights
  - Special access rights:
    - owner of Oi
    - copy op from Oi to Oj
    - control: Di can modify Dj access rights
    - transfer: switch from domain Di to Dj
- Access matrix design separates mechanism from policy
  - Mechanism
    - Operating system provides access matrix + rules
    - It ensures that the matrix is only manipulated by authorized agents and that rules are strictly enforced
  - Policy
    - User dictates policy
    - Who can access what object and in what mode
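The dynamic rights listed above (switch, copy with the copy flag, owner and control) are easiest to understand when written out as operations on a small matrix. The following is an added example, not code from the slides or from any operating system; the class name AccessMatrix, the domain names D1..D3, the object name F1 and the "*" suffix used to mark the copy flag are all assumptions made here. Domains are stored as objects in their own columns so that switch and control rights live in the same matrix as file rights.

```python
# Added example (not from the lecture slides): a minimal access matrix that
# enforces the dynamic rights described in "Use of Access Matrix".
# Convention assumed here: a right written "op*" is op with the copy flag.
from collections import defaultdict


class AccessMatrix:
    def __init__(self):
        # access[(domain, object)] -> set of rights
        self.access = defaultdict(set)

    def grant(self, domain, obj, *rights):
        self.access[(domain, obj)].update(rights)

    def rights(self, domain, obj):
        return set(self.access.get((domain, obj), set()))

    def can(self, domain, obj, op):
        # op must appear in access(i, j); "op*" also permits op itself
        held = self.access.get((domain, obj), set())
        return op in held or op + "*" in held

    def switch(self, src, dst):
        # transfer: the switch right is stored in the column of the target domain
        if not self.can(src, dst, "switch"):
            raise PermissionError(f"{src} cannot switch to {dst}")
        return dst

    def copy(self, src, dst, obj, op, transfer=False, limited=False):
        # src may copy op to dst only if it holds op with the copy flag on obj.
        # limited=True copies op without the flag, so dst cannot propagate it;
        # transfer=True removes the right from src after copying (move).
        if op + "*" not in self.access.get((src, obj), set()):
            raise PermissionError(f"{src} holds no copy right for {op} on {obj}")
        self.access[(dst, obj)].add(op if limited else op + "*")
        if transfer:
            self.access[(src, obj)].discard(op + "*")

    def owner_add(self, owner, target, obj, op):
        # the owner of obj may add any right in obj's column
        if "owner" not in self.access.get((owner, obj), set()):
            raise PermissionError(f"{owner} does not own {obj}")
        self.access[(target, obj)].add(op)

    def owner_remove(self, owner, target, obj, op):
        # the owner of obj may remove any right in obj's column
        if "owner" not in self.access.get((owner, obj), set()):
            raise PermissionError(f"{owner} does not own {obj}")
        self.access[(target, obj)].discard(op)

    def control_remove(self, ctl, target, obj, op):
        # control over domain target lets ctl remove rights from target's row
        if not self.can(ctl, target, "control"):
            raise PermissionError(f"{ctl} has no control over {target}")
        self.access[(target, obj)].discard(op)


def demo():
    # Constructed sample matrix; returns the observations as a dict.
    m = AccessMatrix()
    m.grant("D1", "F1", "read", "write*", "owner")
    m.grant("D1", "D2", "switch")
    m.grant("D1", "D3", "control")
    m.grant("D3", "F1", "execute")
    result = {"d2_before": m.rights("D2", "F1")}
    m.copy("D1", "D2", "F1", "write", limited=True)  # D2 gets "write" without the flag
    result["d2_after_copy"] = m.rights("D2", "F1")
    try:
        m.copy("D2", "D3", "F1", "write")             # D2 cannot propagate it further
        result["d2_can_recopy"] = True
    except PermissionError:
        result["d2_can_recopy"] = False
    m.owner_add("D1", "D2", "F1", "read")             # owner right on F1's column
    m.control_remove("D1", "D3", "F1", "execute")     # control right over D3's row
    result["d3_after_control"] = m.rights("D3", "F1")
    result["switched_to"] = m.switch("D1", "D2")      # switch right in D2's column
    return result


if __name__ == "__main__":
    print(demo())
```

The matrix itself is the mechanism: every mutation goes through a method that checks a right before changing a cell, so the policy (who owns what, who may control whom) is expressed purely as matrix entries.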

Implementation of Access Matrix

- Each column = Access-control list for one object
  - Defines who can perform what operation
    - Domain 1 = Read, Write
    - Domain 2 = Read
    - Domain 3 = Read
    - …
- Each row = Capability list (like a key)
  - For each domain, what operations allowed on what objects
    - Object 1: Read
    - Object 4: Read, Write, Execute
    - Object 5: Read, Write, Delete, Copy

Access Matrix of Figure A With Domains as Objects

Access Matrix with Copy Rights

Access Matrix With Owner Rights

Modified Access Matrix of Figure B

Access Control

- Protection can be applied to non-file resources
- Solaris 10 provides role-based access control (RBAC) to implement least privilege
  - Privilege is right to execute system call or use an option within a system call
  - Can be assigned to processes
  - Users assigned roles granting access to privileges and programs

Role-based Access Control in Solaris 10

Revocation of Access Rights

- Access List: delete access rights from access list
  - Simple
  - Immediate
- Capability List: scheme required to locate capability in the system before capability can be revoked
  - Reacquisition
  - Back-pointers
  - Indirection
  - Keys
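The two implementations of the matrix ("Implementation of Access Matrix") and the two revocation situations above fit in one worked example: project a constructed matrix into access-control lists (one per object column) and capability lists (one per domain row), then revoke a right each way. This is added example code, not from the slides or from any real system; the matrix contents, the domain and object names, and the IndirectTable class that stands in for the "indirection" scheme are assumptions made here.

```python
# Added example (not from the lecture slides): ACL and capability-list views
# of one access matrix, and revocation in each view. Capabilities use the
# indirection scheme: a capability names an entry in a system table rather
# than the object, so deleting the entry revokes every copy of the capability.

# Constructed sample matrix: (domain, object) -> rights
MATRIX = {
    ("D1", "F1"): {"read", "write"},
    ("D2", "F1"): {"read"},
    ("D3", "F1"): {"read"},
    ("D1", "F2"): {"read", "write", "execute"},
    ("D2", "F3"): {"read", "write", "delete"},
}


def access_control_lists(matrix):
    # Column view: object -> {domain: rights}
    acl = {}
    for (dom, obj), rights in matrix.items():
        acl.setdefault(obj, {})[dom] = set(rights)
    return acl


def capability_lists(matrix):
    # Row view: domain -> {object: rights}
    caps = {}
    for (dom, obj), rights in matrix.items():
        caps.setdefault(dom, {})[obj] = set(rights)
    return caps


def acl_check(acl, dom, obj, op):
    return op in acl.get(obj, {}).get(dom, set())


def acl_revoke(acl, obj, dom, op=None):
    # Simple and immediate: the list is stored with the object, so the
    # system edits it in place without searching for who holds what.
    if obj in acl and dom in acl[obj]:
        if op is None:
            del acl[obj][dom]
        else:
            acl[obj][dom].discard(op)


class IndirectTable:
    # Each capability is an id into this table; the table entry names the
    # object and the rights. Revocation removes the entry.
    def __init__(self):
        self.entries = {}
        self.next_id = 0

    def issue(self, obj, rights):
        cid = self.next_id
        self.next_id += 1
        self.entries[cid] = (obj, set(rights))
        return cid

    def check(self, cid, obj, op):
        entry = self.entries.get(cid)
        return entry is not None and entry[0] == obj and op in entry[1]

    def revoke(self, cid):
        self.entries.pop(cid, None)


def build_indirect_capabilities(matrix, table):
    # domain -> {object: capability id}
    caps = {}
    for (dom, obj), rights in matrix.items():
        caps.setdefault(dom, {})[obj] = table.issue(obj, rights)
    return caps


def demo():
    # ACL side: revoke D2's access to F1 by deleting its list entry.
    acl = access_control_lists(MATRIX)
    before = acl_check(acl, "D2", "F1", "read")
    acl_revoke(acl, "F1", "D2")
    after = acl_check(acl, "D2", "F1", "read")

    # Capability side: D2 hands a copy of its F3 capability to D3. Both copies
    # name the same table entry, so one revoke invalidates both holders.
    table = IndirectTable()
    caps = build_indirect_capabilities(MATRIX, table)
    shared = caps["D2"]["F3"]
    caps.setdefault("D3", {})["F3"] = shared
    cap_before = (table.check(caps["D2"]["F3"], "F3", "read"),
                  table.check(caps["D3"]["F3"], "F3", "read"))
    table.revoke(shared)
    cap_after = (table.check(caps["D2"]["F3"], "F3", "read"),
                 table.check(caps["D3"]["F3"], "F3", "read"))
    return {"acl": (before, after), "cap": (cap_before, cap_after)}


if __name__ == "__main__":
    print(demo())
```

The contrast is the point: in the ACL view the system never has to find the capabilities that were copied around, whereas in the capability view it can only revoke cheaply because the indirection table gives it one place to look.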

Capability-Based Systems

- Hydra
  - Fixed set of access rights known to and interpreted by the system
  - Interpretation of user-defined rights performed solely by user's program; system provides access protection for use of these rights
- Cambridge CAP System
  - Data capability: provides standard read, write, execute of individual storage segments associated with object
  - Software capability: interpretation left to the subsystem, through its protected procedures

Language-Based Protection

- Specification of protection in a programming language allows the high-level description of policies for the allocation and use of resources
- Language implementation can provide software for protection enforcement when automatic hardware-supported checking is unavailable
- Interpret protection specifications to generate calls on whatever protection system is provided by the hardware and the operating system

Protection in Java 2

- Protection is handled by the Java Virtual Machine (JVM)
- A class is assigned a protection domain when it is loaded by the JVM
- The protection domain indicates what operations the class can (and cannot) perform
- If a library method is invoked that performs a privileged operation, the stack is inspected to ensure the operation can be performed by the library
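The stack inspection rule is short but its consequences are not obvious: an untrusted caller anywhere on the stack denies the operation, unless a trusted frame in between explicitly takes responsibility for it (the Java 2 doPrivileged block). The following simulation is an added example written for this page, not JVM code; the class names ProtectionDomain, Frame and AccessControl, the permission strings, and the "system" and "untrusted-applet" domains are assumptions made here.

```python
# Added example (not from the lecture slides): a simulation of Java 2 stack
# inspection. Each frame belongs to a protection domain holding a set of
# permissions. A privileged operation walks the stack from the newest frame
# toward the oldest; every frame's domain must hold the permission. A frame
# that entered a privileged block stops the walk, so callers beneath it are
# not consulted (but that frame's own domain still has to hold the permission).
from dataclasses import dataclass


@dataclass
class ProtectionDomain:
    name: str
    permissions: frozenset


@dataclass
class Frame:
    method: str
    domain: ProtectionDomain
    privileged: bool = False   # True if this frame entered a privileged block


class AccessControl:
    def __init__(self):
        self.stack = []        # oldest frame first, newest last

    def call(self, method, domain, privileged=False):
        self.stack.append(Frame(method, domain, privileged))

    def ret(self):
        self.stack.pop()

    def check_permission(self, perm):
        for frame in reversed(self.stack):
            if perm not in frame.domain.permissions:
                return False    # an unprivileged domain is on the call path
            if frame.privileged:
                return True     # this frame vouches for everything below it
        return True


# Constructed domains: the library code is fully trusted, the applet is not.
SYSTEM = ProtectionDomain("system", frozenset({"file.read", "file.write", "net.connect"}))
UNTRUSTED = ProtectionDomain("untrusted-applet", frozenset())


def scenario_direct():
    # Untrusted code calls a library method that reads a file; no privileged
    # block, so the untrusted frame on the stack denies the operation.
    ac = AccessControl()
    ac.call("Applet.run", UNTRUSTED)
    ac.call("FileReader.read", SYSTEM)
    return ac.check_permission("file.read")


def scenario_privileged():
    # The library wraps one bounded operation in a privileged block, so the
    # walk stops at that frame and the untrusted caller is never consulted.
    ac = AccessControl()
    ac.call("Applet.run", UNTRUSTED)
    ac.call("Font.loadDefault", SYSTEM, privileged=True)
    ac.call("FileReader.read", SYSTEM)
    return ac.check_permission("file.read")


def scenario_privileged_wrong_perm():
    # A privileged block grants nothing beyond what the library's own domain
    # holds: the system domain lacks this permission, so the check fails.
    ac = AccessControl()
    ac.call("Applet.run", UNTRUSTED)
    ac.call("Font.loadDefault", SYSTEM, privileged=True)
    return ac.check_permission("process.exec")


if __name__ == "__main__":
    print(scenario_direct(), scenario_privileged(), scenario_privileged_wrong_perm())
```

The second and third scenarios together are the design lesson: a privileged block lets a trusted library do a specific thing on behalf of untrusted code, but it never lets the library exceed its own domain, which is why library authors keep such blocks as small and as specific as possible.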

Stack Inspection
