Protection: mechanism for controlling access to system resources by processes.
This includes a means of specifying controls and a means of enforcing the controls.
This is an internal problem.
Security: assuring the integrity of system resources and data.
Protection is the enforcement aspect of security.
Security must also consider the external environment in which the system operates.
Protection
Protection provides the mechanism for enforcing security policies.
Protection must be flexible, to support a variety of security policies
Follow principle of least privilege: user should have just enough privileges
to complete desired task
This is related to need-to-know principle, from military. You should be told only
what you need to know to complete your task, and no more.
privilege level should be dynamically adjusted according to needs of task as it proceeds
Following these principles serves to minimize extent of damage from misuse
System resources need protection
resources include both hardware and software
examples of software resources: files, programs, buffers, semaphores
think of each resource as an object accessible only through associated
operations
Protection Domain
a protection domain is a set of ordered pairs
each ordered pair consists of an object and a set of access rights (permitted operations)
a process has an associated protection domain
this association can be fixed (static) or can change as process executed (dynamic)
change association dynamically by either (1) modifying the domain, or (2) switching to a different domain
process affiliation with user or procedure can determine a process-domain association
example: user-kernel mode of operation. If process is affiliated with OS kernel it gets different
access rights than process affiliated with ordinary user.
example: Unix setuid bit. Each Unix user is a domain;
switching domains means switching OS view of who you are. Properties of executable
file include a "setuid" bit which, if set by the file owner (using chmod), gives the user running
it the same rights as the user owning it. If "root" (the
superuser) owns an executable file and setuid is on, then any associated process
runs as if root is running it.
Access Matrix
an access matrix is a general (abstract) way of relating objects to domains
it is a table representing system objects and domains
each object is a column, each domain is a row
each cell contain the rights (allowable operations) of that domain on that object
this is pretty fine grained!
domains can be columns as well! The cell at a domain-domain intersection determines if domain switch allowed
this data structure is referenced at runtime when a process requests to perform a specific operation
on a system resource
Example: visualizing access matrix for Unix system
-rwxr-xr-x 1 sandy students 14839 May 14 07:15 chatter
-rw-r----- 1 sandy students 998 May 14 08:27 guru.c
drwxr-xr-- 2 sandy students 4096 May 17 11:59 data
object → domain
chatter
guru.c
data
owner
read, write, execute
read, write
read, write, traverse
group
read, execute
read
read, traverse
world
read, execute
read
Access matrix implementation alternatives
System has global table of ordered triples. Each triple contains: domain, object, rights set
Each object has access list of ordered pairs. Each pair contains: domain, rights set
Each domain as capability list of ordered pairs. Each pair contains: object, rights set
If capability list is used, do not allow the list to be placed in the process address space, where it
can be modified.
Global table is not feasible due to size. Most systems use combination of access lists and capability lists.
Unix Example of combined access/capability:
Access List : When process opens a file, its access rights to the file, which are associated
with the file, are checked. If valid, an entry is added to per-process open-file table and its
index (the descriptor) is returned.
Capability List : The open-file table entry created above includes the capability list. This
is the list of rights, e.g. permitted operations. If the file was opened for reading,
then reading is the only permitted operation (capability). As each file system call is executed,
its operation is validated against the capability list before being carried out. So a write()
to that file would not be permitted if opened for reading only. A process running in user mode does not
have access to the capability list so cannot change it. The system call dips into kernel mode to work
with the capability list.
Protection provided by compilers and languages
Protection-based programming language design, particularly OOP, has influenced designers
and design of OS protection systems.
In addition, compilers and languages can supplement OS protection systems by providing
tailored protection, finer-grained protection, and abstract protection.
Both are desirable as applications and resources become more complex, and the ways in which
they interact also become more complex
Compiler-based protection
protection (access control) provided through language-based declarations
Example: Java protection levels private and protected
Protection is declared along with resource typing
Protection can be intrinsic to the language. For example Java program statements cannot
explicitly access memory (unlike C and C++ with their pointers).
Protection can be OS-independent
Is compiler-provided protection as good as OS kernel-provided protection?
It can be more flexible and extendible, because it is in software
It may not be as secure, since it can be compromised after compilation and because it may be buggy
It will not be as time-efficient, because it is a pure software solution as opposed to hardware or hardware-supported
The Java Virtual Machine (JVM) was designed with protection and security in mind
JVM may load classes from variety of sources, trusted and untrusted, and must provided protection to system resources
Class loader assigns protection domain and permissions to each loaded class depending on its source.
Example: Applets are bytecode (.java) files coming in from a foreign machine on the Internet, and are
given few permissions. An applet is not allowed to access disk files for instance.
JVM protection policies can be reconfigured and thus are adaptable
Dynamic determination of access rights by JVM is not trivial!
The request can come from a trusted library
method that has been delegated that responsibility by an untrusted client.
The JVM must inspect the current thread's runtime stack (each method invocation pushes a stack frame, which is popped upon method return)
The top stack frame is the currently executing method, the others are suspended method calls
Upon access request to protected resource occurs, the java.security.AccessController invokes
its checkPermissions() method to accept or deny access. It traverses the thead's
runtime stack in search of the necessary credentials.
This process is called stack inspection. Read the AccessController API documentation for more details.
Note that JVM protection is provided at runtime because Java programs run under managed execution. The
trend in language implementation is definitely running in this direction (as opposed to pure compilation
into executable code). Microsoft's .NET framework embodies this, as do the scripting languages used
for much Web programming.