- Discuss the goals and principles of protection in a modern computer system
- Explain how protection domains combined with an access matrix are used to specify the resources a process may access
- Examine capability-based and language-based protection systems
Goals of Protection
- Operating system consists of a collection of objects, hardware or software
- Each object has a unique name and can be accessed through a well-defined set of operations
- Protection problem: ensure that each object is accessed correctly and only by those processes that are allowed to do so
Principles of Protection
- Guiding principle: principle of least privilege
  - Programs, users and systems should be given just enough privileges to perform their tasks
Domain Structure
- Access right = <object-name, rights-set>, where rights-set is a subset of all valid operations that can be performed on the object
- Domain = set of access rights
- System consists of 2 domains:
  - User
  - Supervisor
- UNIX
  - Domain = user-id
  - Domain switch accomplished via file system
    - Each file has associated with it a domain bit (setuid bit)
    - When a file is executed and setuid = on, the user-id is set to the owner of the file being executed. When execution completes, the user-id is reset
Access Matrix
- View protection as a matrix (access matrix)
- Rows represent domains
- Columns represent objects
- Access(i, j) is the set of operations that a process executing in Domain i can invoke on Object j
- Special access rights (domains are themselves objects in the matrix):
  - owner of Oi
  - copy op from Oi to Oj
  - control: Di can modify Dj's access rights
  - transfer: switch from domain Di to Dj
- Access matrix design separates mechanism from policy
  - Mechanism
    - Operating system provides access matrix + rules
    - It ensures that the matrix is only manipulated by authorized agents and that rules are strictly enforced
  - Policy
    - User dictates policy
    - Who can access what object and in what mode
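As an added illustration (not part of the original slides), a small Python model of the access matrix as mechanism: domains are rows, objects (including the domains themselves) are columns, and the switch, copy, owner and control rights above are enforced by the matrix code, while the policy is supplied separately by whoever fills in the cells. The class, method and object names (F1, F2) are constructed for this example.

```python
class AccessMatrix:
    """Mechanism only: rows are domains, columns are objects (domains are
    objects too), cells are rights sets; policy is whatever the caller grants."""
    def __init__(self):
        self.cells = {}  # (domain, object) -> set of rights
    def access(self, domain, obj):
        return self.cells.setdefault((domain, obj), set())
    def can(self, domain, obj, op):
        return op in self.access(domain, obj)
    def switch(self, current, target):
        # transfer: allowed only if access(current, target) holds "switch"
        if not self.can(current, target, "switch"):
            raise PermissionError(f"{current} cannot switch to {target}")
        return target
    def copy(self, domain, obj, op, to_domain):
        # copy: op with the copy flag (op*) may be handed to another domain,
        # but only for the same object (it stays within the column)
        if not self.can(domain, obj, op + "*"):
            raise PermissionError(f"{domain} cannot copy {op} on {obj}")
        self.access(to_domain, obj).add(op)
    def owner_grant(self, domain, obj, to_domain, op):
        # owner: may add or remove any right in the object's column
        if not self.can(domain, obj, "owner"):
            raise PermissionError(f"{domain} does not own {obj}")
        self.access(to_domain, obj).add(op)
    def control_revoke(self, domain, other, obj, op):
        # control: "control" in access(domain, other) lets `domain` edit
        # the row of domain `other`
        if not self.can(domain, other, "control"):
            raise PermissionError(f"{domain} does not control {other}")
        self.access(other, obj).discard(op)

def sample_policy():
    # constructed policy: the two-domain (user / supervisor) system of the slides
    m = AccessMatrix()
    m.access("user", "F1").add("read")
    m.access("user", "supervisor").add("switch")   # setuid-style domain switch
    m.access("supervisor", "F1").update({"read", "write", "owner"})
    m.access("supervisor", "F2").add("read*")      # read, with copy flag
    m.access("supervisor", "user").add("control")
    return m

def demo():
    m = sample_policy()
    d = m.switch("user", "supervisor")          # user -> supervisor
    m.copy(d, "F2", "read", "user")             # user may now read F2
    m.owner_grant(d, "F1", "user", "write")     # owner extends column F1
    m.control_revoke(d, "user", "F1", "read")   # control trims user's row
    return sorted(m.access("user", "F1")), sorted(m.access("user", "F2"))
```

Every change to the matrix goes through a method that first checks the right that authorizes it; a switch in the reverse direction (supervisor to user) fails because that cell was never granted.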
Access Control
- Protection can be applied to non-file resources
- Solaris 10 provides role-based access control (RBAC) to implement least privilege
  - Privilege is the right to execute a system call or use an option within a system call
  - Can be assigned to processes
  - Users are assigned roles granting access to privileges and programs
Capability-Based Systems
- Hydra
  - Fixed set of access rights known to and interpreted by the system
  - Interpretation of user-defined rights performed solely by the user's program; the system provides access protection for use of these rights
- Cambridge CAP System
  - Data capability: provides standard read, write, execute of individual storage segments associated with the object
  - Software capability: interpretation left to the subsystem, through its protected procedures
Language-Based Protection
- Specification of protection in a programming language allows the high-level description of policies for the allocation and use of resources
- Language implementation can provide software for protection enforcement when automatic hardware-supported checking is unavailable
- Interpret protection specifications to generate calls on whatever protection system is provided by the hardware and the operating system
Protection in Java 2
- Protection is handled by the Java Virtual Machine (JVM)
- A class is assigned a protection domain when it is loaded by the JVM
- The protection domain indicates what operations the class can (and cannot) perform
- If a library method is invoked that performs a privileged operation, the stack is inspected to ensure the operation can be performed by the library
Stack Inspection