P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L...
Transcript of P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L...
![Page 1: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/1.jpg)
CHAPTER 17 - SYSTEMCHAPTER 17 - SYSTEMPROTECTIONPROTECTION
1
![Page 2: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/2.jpg)
OBJECTIVESOBJECTIVESDiscuss the goals and principles of protection in a moderncomputer system
Explain how protection domains combined with an access matrixare used to specify the resources a process may access
Examine capability and language-based protection systems
Protection to mitigate attacks
2
![Page 3: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/3.jpg)
GOALS OF PROTECTIONGOALS OF PROTECTION
3 . 1
![Page 4: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/4.jpg)
GOALS OF PROTECTIONGOALS OF PROTECTIONIn one protection model, computer consists of a collection ofobjects, hardware or software
Each object has a unique name and can be accessed through a well-de�ned set of operations
Protection problem - ensure that each object is accessed correctlyand only by those processes that are allowed to do so
3 . 2
![Page 5: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/5.jpg)
MECHANISM VS POLICYMECHANISM VS POLICYmechanisms are distinct from policies.
Mechanisms determine how something will bedone
Policies decide what will be done.
The separation of policy and mechanism is important for �exibility.
3 . 3
![Page 6: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/6.jpg)
PRINCIPLES OF PROTECTIONPRINCIPLES OF PROTECTION
4 . 1
![Page 7: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/7.jpg)
PRINCIPLES OF PROTECTIONPRINCIPLES OF PROTECTIONGuiding principle – principle of least privilege
Programs, users and systems should be given just enoughprivileges to perform their tasks
Limits damage if entity has a bug, gets abused
Can be static (during life of system, during life of process)
Or dynamic (changed by process as needed) – domain switching,privilege escalation
“Need to know” similar concept with access to data
4 . 2
![Page 8: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/8.jpg)
PRINCIPLES OF PROTECTIONPRINCIPLES OF PROTECTIONMust consider “grain” aspect
Rough-grained privilege management easier, simpler, but leastprivilege now done in large chunks
For example, traditional Unix processes either have abilities ofthe associated user, or of root
Fine-grained management more complex, more overhead, butmore protective
File ACL lists, RBAC
Domain can be user, process, procedure
4 . 3
![Page 9: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/9.jpg)
PROTECTION RINGSPROTECTION RINGS
5 . 1
![Page 10: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/10.jpg)
PRIVILEGE SEPARATIONPRIVILEGE SEPARATIONKernel manages access to system resources and hardware
By de�nition: must run with a higher level of privileges than userprocesses.
To carry out this privilege separation, hardware support isrequired.
5 . 2
![Page 11: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/11.jpg)
PRIVILEGE SEPARATIONPRIVILEGE SEPARATIONPopular model: Protection Rings
5 . 3
![Page 12: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/12.jpg)
INTEL ARCHITECHTUREINTEL ARCHITECHTUREIntel architectures follow this model, placing user mode code in ring 3
and kernel mode code in ring 0.
Distinction is made by two bits in the special EFLAGS register.
5 . 4
![Page 13: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/13.jpg)
ARM V7 ARCHITECHTUREARM V7 ARCHITECHTUREInitially allowed only USR and SVC mode
In ARM v7 processors, TrustZone (TZ) was introduced providing anadditional ring.
Highly restricted access - even the kernel itself has no access to theon-chip crypto key
Access through Secure Monitor Call (SMC), which is onlyusable from kernel mode.
5 . 5
![Page 14: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/14.jpg)
ARM TRUSTED ZONESARM TRUSTED ZONES
5 . 6
![Page 15: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/15.jpg)
ARM V8 ARCHITECTUREARM V8 ARCHITECTURENow 4 levels called “exception levels,” numbered EL0 through EL3.
User mode runs in EL0
kernel mode in EL1
EL2 is reserved for hypervisors
EL3 (the most privileged) is reserved for the secure monitor (theTrustZone layer)
5 . 7
![Page 16: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/16.jpg)
ARM V8 ARCHITECTUREARM V8 ARCHITECTURE
5 . 8
![Page 17: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/17.jpg)
DOMAIN OF PROTECTIONDOMAIN OF PROTECTION
6 . 1
![Page 18: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/18.jpg)
PROCESSES AND OBJECTSPROCESSES AND OBJECTSProcesses
Objects
Hardware objects (CPU, Memory segments, printers, disk,etc)
Software objects (�les, programs, semaphores)
Operations depends on object (Fx CPU can only execute, mem wordswrite or read)
6 . 2
![Page 19: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/19.jpg)
RULE OF THUMBRULE OF THUMBA process should be allowed to access only those resources forwhich it has authorization
Need to know principle: At any time, a process should be ableto access only those resources that is currently required tocomplete its task
6 . 3
![Page 20: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/20.jpg)
NEED TO KNOW PRINCIPLE - EXAMPLENEED TO KNOW PRINCIPLE - EXAMPLEWhen process p invokes procedure A() it should be allowed to
access only
its own variables and the formal parameters passed toit
Not allowed to access:
all the variables of processp.
6 . 4
![Page 21: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/21.jpg)
NEED TO KNOW PRINCIPLE - EXAMPLENEED TO KNOW PRINCIPLE - EXAMPLEWhen process p invokes a compiler to compile a particular �le. It
should be able to access:
Only a well-de�ned subset of �les (such as the source �le, outputobject �le, and so on)
Not allowed to access:
Arbitrarily�les
6 . 5
![Page 22: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/22.jpg)
DOMAIN STRUCTUREDOMAIN STRUCTUREAccess-right = <object-name, rights-set> where rights-set is asubset of all valid operations that can be performed on the object
Domain = set of access-rights
6 . 6
![Page 23: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/23.jpg)
DOMAIN IMPLEMENTATION (UNIX)DOMAIN IMPLEMENTATION (UNIX)Domain = user-id
Domain switch accomplished via �le system
Each �le has associated with it a domain bit (setuid bit)
When �le is executed and setuid = on, then user-id is set toowner of the �le being executed
When execution completes user-id is reset
6 . 7
![Page 24: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/24.jpg)
DOMAIN IMPLEMENTATION (UNIX)DOMAIN IMPLEMENTATION (UNIX)Domain switch accomplished via passwords
su command temporarily switches to another user’s domainwhen other domain’s password provided
Domain switching via commands
sudo command pre�x executes speci�ed command in anotherdomain (if original domain has privilege or password given)
6 . 8
![Page 25: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/25.jpg)
ANDROID APPLICATION IDSANDROID APPLICATION IDSDistinct user ID s are provided on a per-application basis.
On installation, the installd daemon assigns app
a distinct user ID (UID) and group ID ( GID )
a private data directory (/data/data/<app-name> ) whoseownership is granted to this UID / GID combination alone.
Applications on the device enjoy the same level of protectionprovided by UNIX systems to separate users.
6 . 9
![Page 26: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/26.jpg)
ACCESS MATRIXACCESS MATRIX
7 . 1
![Page 27: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/27.jpg)
ACCESS MATRIXACCESS MATRIXView protection as a matrix (access matrix)
Rows represent domains
Columns represent objects
Access(i, j) is the set of operations that a process executing inDomaini can invoke on Objectj
7 . 2
![Page 28: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/28.jpg)
ACCESS MATRIXACCESS MATRIX
7 . 3
![Page 29: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/29.jpg)
USE OF ACCESS MATRIXUSE OF ACCESS MATRIXIf a process in Domain Di tries to do “op” on object Oj, then “op”
must be in the access matrix
User who creates object can de�ne access column for that object
7 . 4
![Page 30: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/30.jpg)
USE OF ACCESS MATRIXUSE OF ACCESS MATRIXCan be expanded to dynamic protection
Operations to add, delete access rights
Special access rights:
owner of Oi
copy op from Oi to Oj (denoted by “*”)
control – Di can modify Dj access
rights
transfer – switch from domain Di to Dj
7 . 5
![Page 31: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/31.jpg)
ACCESS MATRIX WITH DOMAINS AS OBJECTSACCESS MATRIX WITH DOMAINS AS OBJECTS
7 . 6
![Page 32: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/32.jpg)
USE OF ACCESS MATRIXUSE OF ACCESS MATRIXCopy and Owner applicable to anobject
Control applicable to domain object
7 . 7
![Page 33: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/33.jpg)
ACCESS MATRIX W. COPY RIGHTSACCESS MATRIX W. COPY RIGHTS
7 . 8
![Page 34: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/34.jpg)
ACCESS MATRIX W. OWNER RIGHTSACCESS MATRIX W. OWNER RIGHTS
![Page 35: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/35.jpg)
7 . 9
![Page 36: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/36.jpg)
ACCESS MATRIX W. CONTROLACCESS MATRIX W. CONTROL
7 . 10
![Page 37: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/37.jpg)
USE OF ACCESS MATRIXUSE OF ACCESS MATRIXAccess matrix design separates mechanism from policy
Mechanism
Operating system provides access-matrix + rules
If ensures that the matrix is only manipulated by authorizedagents and that rules are strictly enforced
Policy
User dictates policy
Who can access what object and in what mode
7 . 11
![Page 38: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/38.jpg)
GENERAL CONFINEMENT PROBLEMGENERAL CONFINEMENT PROBLEMGeneral con�nement problem: Guaranteeing that that noinformation initially held by an object can migrate outside of itsexecution environment
General unsolvable
7 . 12
![Page 39: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/39.jpg)
IMPLEMENTATION OF THE ACCESS MATRIXIMPLEMENTATION OF THE ACCESS MATRIX
8 . 1
![Page 40: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/40.jpg)
IMPLEMENTATION OF AMIMPLEMENTATION OF AMGenerally, a sparse matrix
We will consider 4 ways
Global table
Access lists for objects
Capability list fordomains
Lock-key
8 . 2
![Page 41: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/41.jpg)
GLOBAL TABLEGLOBAL TABLEStore ordered triples < domain, object, rights-set > in table
A requested operation M on object Oj within domain Di → search
table for <Di,Oj,Rk>
with M ∈ Rk
But table could be large → won’t �t in main memory
Dif�cult to group objects (consider an object that all domains canread)
8 . 3
![Page 42: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/42.jpg)
ACCESS LISTS FOR OBJECTSACCESS LISTS FOR OBJECTSEach column implemented as an access list for one object
Resulting per-object list consists of ordered pairs<domain,rights-set> de�ning all domains with non-empty setof access rights for the object
Easily extended to contain default set → If M ∈ default set, alsoallow access
8 . 4
![Page 43: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/43.jpg)
ACCESS LISTS FOR OBJECTSACCESS LISTS FOR OBJECTSEach column = Access-control list for one object De�nes who can
perform what operation
Each Row = Capability List (like a key)
For each domain, what operations allowed on whatobjects
Domain 1 = Read, Write
Domain 2 = Read
Domain 3 = Read
Object F1 – Read
Object F4 – Read, Write, Execute
Object F5 – Read, Write, Delete, Copy
8 . 5
![Page 44: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/44.jpg)
CAPABILITY LIST FOR DOMAINSCAPABILITY LIST FOR DOMAINSInstead of object-based, list is domain based
Capability list for domain is list of objects together with operationsallows on them
Object represented by its name or address, called a capability
Execute operation M on object Oj, process requests operation and
speci�es capability as parameter
Possession of capability means access is allowed
8 . 6
![Page 45: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/45.jpg)
CAPABILITY LIST FOR DOMAINSCAPABILITY LIST FOR DOMAINSCapability list associated with domain but never directly accessibleby domain
Rather, protected object, maintained by OS and accessedindirectly
Like a “secure pointer”
Idea can be extended up to applications
8 . 7
![Page 46: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/46.jpg)
LOCK-KEYLOCK-KEYCompromise between access lists and capability lists
Each object has list of unique bit patterns, called locks
Each domain as list of unique bit patterns called keys
Process in a domain can only access object if domain has key thatmatches one of the locks
8 . 8
![Page 47: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/47.jpg)
COMPARISON OF IMPLEMENTATIONSCOMPARISON OF IMPLEMENTATIONSMany trade-offs to consider
Global table is simple, but can be large
Access lists correspond to needs of users
Determining set of access rights for domain non-localized sodif�cult
Every access to an object must be checked
Many objects and access rights → slow
8 . 9
![Page 48: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/48.jpg)
COMPARISON OF IMPLEMENTATIONSCOMPARISON OF IMPLEMENTATIONSCapability lists useful for localizing information for a given process
But revocation capabilities can be inef�cient
Lock-key effective and �exible, keys can be passed freely fromdomain to domain, easy revocation
8 . 10
![Page 49: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/49.jpg)
COMPARISON OF IMPLEMENTATIONSCOMPARISON OF IMPLEMENTATIONSMost systems use combination of access lists andcapabilities
First access to an object → access list searched
If allowed, capability created and attached to process
Additional accesses need not be checked
After last access, capability destroyed
8 . 11
![Page 50: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/50.jpg)
REVOCATION OF ACCESS RIGHTSREVOCATION OF ACCESS RIGHTS
9 . 1
![Page 51: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/51.jpg)
REVOCATION OF ACCESS RIGHTSREVOCATION OF ACCESS RIGHTSVarious options to remove the access right of a domain to anobject
Immediate vs. delayed
Selective vs. general
Partial vs. total
Temporary vs. permanent
9 . 2
![Page 52: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/52.jpg)
REVOCATION OF ACCESS RIGHTSREVOCATION OF ACCESS RIGHTSAccess List – Delete access rights from access list
Simple – search access list and remove entry
Immediate, general or selective, total or partial, permanent ortemporary
9 . 3
![Page 53: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/53.jpg)
REVOCATION OF ACCESS RIGHTSREVOCATION OF ACCESS RIGHTSCapability List – Scheme required to locate capability in the systembefore capability can be revoked
Reacquisition – periodic delete, with require and denial ifrevoked
Back-pointers – set of pointers from each object to allcapabilities of that object
Indirection – capability points to global table entry which pointsto object – delete entry from global table, not selective
9 . 4
![Page 54: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/54.jpg)
REVOCATION OF ACCESS RIGHTSREVOCATION OF ACCESS RIGHTSKeys – unique bits associated with capability, generated whencapability created
Master key associated with object, key matches master key foraccess
Revocation – create new master key
Policy decision of who can create and modify keys – objectowner or others?
9 . 5
![Page 55: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/55.jpg)
ACCESS CONTROLACCESS CONTROL
10 . 1
![Page 56: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/56.jpg)
ACCESS CONTROLACCESS CONTROLProtection can be applied to non-�le resources
Solaris 10 provides role-based access control (RBAC) to implementleast privilege
Privilege is right to execute system call or use an option within asystem call
Can be assigned to processes
Users assigned roles granting access to privileges and programs
Enable role via password to gain its privileges
Similar to access matrix
10 . 2
![Page 57: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/57.jpg)
RBAC IN SOLARIS 10RBAC IN SOLARIS 10
10 . 3
![Page 58: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/58.jpg)
MANDATORY ACCESS CONTROL (MAC)MANDATORY ACCESS CONTROL (MAC)
11 . 1
![Page 59: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/59.jpg)
TRADITIONALLYTRADITIONALLYOS’s traditionally used discretionary access control (DAC)
Access is controlled based on the identities of individual users orgroups
Example: File permissions in Unix
Key weaknesses
Allows the owner of a resource to set or modify itspermissions
Unlimited access allowed for the administrator or root user.11 . 2
![Page 60: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/60.jpg)
MANDATORY ACCESS CONTROLMANDATORY ACCESS CONTROLMAC is enforced as a system policy that even the root user cannot
modify
The restrictions imposed by MAC policy rules are more powerfulthan the capabilities of the root user and can be used to makeresources inaccessible to anyone but their intended owners.
11 . 3
![Page 61: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/61.jpg)
MANDATORY ACCESS CONTROLMANDATORY ACCESS CONTROLBase idea: Labels
A label is an identi�er (usually a string) assigned to an object (�les,devices, and the like).
May also be applied to subjects (actors, such as processes).
When a subject request to perform operations on the objects:
OS checks requests de�ned in a policy, which dictates whether ornot a given label holding subject is allowed to perform theoperation on the labeled object.
11 . 4
![Page 62: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/62.jpg)
MAC EXAMPLEMAC EXAMPLELabels: "unclassi�ed", "secret", and "top secret".
A user with "secret" clearance will be able to create similarly labeledprocesses, which will then have access to "unclassi�ed" and "secret"
�les, but not to "top secret" �les.
"top secret" �les the operating system would �lter out of all �leoperations
11 . 5
![Page 63: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/63.jpg)
CAPABILITY-BASED SYSTEMSCAPABILITY-BASED SYSTEMS
12 . 1
![Page 64: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/64.jpg)
CAPABILITY-BASED SYSTEMSCAPABILITY-BASED SYSTEMSIntroduced in 1970, in Hydra and CAP (reseach systems)
Here, two more modern approaches
12 . 2
![Page 65: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/65.jpg)
LINUX CAPABILITIESLINUX CAPABILITIESLinux uses capabilities to address the limitations of the UNIXmodel
Adopted POSIX standard
Linux’s capabilities “slice up” the powers of root into distinct areas,each represented by a bit in a bitmask
In practice, three bitmasks are used—denoting the capabilitiespermitted, effective, and inheritable.
Bitmasks can apply on a per-process or a per-thread basis.
12 . 3
![Page 66: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/66.jpg)
LINUX CAPABILITIESLINUX CAPABILITIES
12 . 4
![Page 67: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/67.jpg)
DARWIN ENTITLEMENTSDARWIN ENTITLEMENTSApple’s system protection takes the form of entitlements.
Entitlements are declaratory permissions—XML property liststating which permissions are claimed as necessary by the program
To prevent programs from arbitrarily claiming an entitlement,Apple embeds the entitlements in the code signature
Once loaded, a process has no way of accessing its code signature.
Verifying an entitlement is a simple string-matching operation.
12 . 5
![Page 68: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/68.jpg)
OTHER PROTECTION IMPROVEMENT METHODSOTHER PROTECTION IMPROVEMENT METHODS
13 . 1
![Page 69: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/69.jpg)
SYSTEM INTEGRITY PROTECTIONSYSTEM INTEGRITY PROTECTIONApple introduced in macOS 10.11 a new protection mechanism
called System Integrity Protection (SIP).
Darwin-based OSs use SIP to restrict access to system �les andresources - even the root user cannot tamper with them.
SIP uses extended attributes on �les to mark them as restricted andfurther protects system binaries so that they cannot be
debugged/scrutinized/tampered with.
Root user can still manage other users' �les, install and removeprograms, but not in any way that would replace or modify operating-
system components.
13 . 2
![Page 70: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/70.jpg)
SYSTEM-CALL FILTERINGSYSTEM-CALL FILTERINGAdd code to the kernel to perform an inspection at the system-callgate, restricting a caller to a subset of system calls deemed safe or
required for that caller’s function.
Alternative: inspects the arguments of each system call
challenge encountered with both approaches is keeping them as�exible as possible while at the same time avoiding the need to
rebuild the kernel when changes or new �lters are required
⇒ decouple the �lter implementation from the kernel itself.
The kernel need only contain a set of callouts, which can then beimplemented in a specialized driver (Windows), kernel module
(Linux), or extension (Darwin).
13 . 3
![Page 71: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/71.jpg)
SANDBOXINGSANDBOXINGSandboxing involves running processes in environments that limit
what they can do.
Rather than give that process the full set of system calls its privilegeswould allow, we impose an irremovable set of restrictions on the
process in the early stages of its startup.
The process is then rendered unable to perform any operationsoutside its allowed set.
13 . 4
![Page 72: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/72.jpg)
CODE SIGNINGCODE SIGNINGAt a fundamental level, how can a system “trust” a program or script?
Code signing is the digital signing of programs and executables tocon�rm that they have not been changed since the author created
them.
It uses a cryptographic hash to test for integrity and authenticity.Code signing is used for operating-system distributions, patches, and
third-party tools alike.
13 . 5
![Page 73: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/73.jpg)
LANGUAGE-BASED PROTECTIONLANGUAGE-BASED PROTECTION
14 . 1
![Page 74: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/74.jpg)
COMPILER-BASED ENFORCEMENTCOMPILER-BASED ENFORCEMENTSpecifying the desired control of access to a shared resource in a
system is making a declarative statement about the resource.
This kind of statement can be integrated into a language by anextension of its typing facility.
14 . 2
![Page 75: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/75.jpg)
COMPILER-BASED ENFORCEMENTCOMPILER-BASED ENFORCEMENT1. Protection needs are simply declared, rather than programmed as
a sequence of calls on procedures of an operating system.
2. Protection requirements can be stated independently of thefacilities provided by a particular operating system.
3. The means for enforcement need not be provided by the designerof a subsystem.
4. A declarative notation is natural because access privileges areclosely related to the linguistic concept of data type.
14 . 3
![Page 76: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/76.jpg)
RUN-TIME-BASED ENFORCEMENT - PROTECTION INRUN-TIME-BASED ENFORCEMENT - PROTECTION INJAVAJAVA
14 . 4
![Page 77: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/77.jpg)
STACK INSPECTIONSTACK INSPECTION
14 . 5
![Page 78: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/78.jpg)
QUESTIONSQUESTIONS
15 . 1
![Page 79: P R OT E C T I O N C H A P T E R 1 7 - S Y S T E Mjamik/dm510-19/material/lecture-10.pdf · G O A L S O F P R OT E C T I O N In one protection model, computer consists of a collection](https://reader034.fdocuments.in/reader034/viewer/2022050215/5f616ec32520a2190915bfb0/html5/thumbnails/79.jpg)
BONUSBONUSExam question number 10: Protection
15 . 2