Protection

 

Goals of Protection

 

·       Operating system consists of a collection of objects: hardware or software

·       Each object has a unique name and can be accessed through a well-defined set of operations

·       Protection problem - ensure that each object is accessed correctly and only by those processes that are allowed to do so

 

ü Protection guiding principle: the principle of least privilege:

Programs, users and systems should be given just enough privileges to perform their tasks

 

 

Domain Structure

 

·       Access-right = <object-name, rights-set>
where rights-set is a subset of all valid operations that can be performed on the object.

·       Domain = set of access-rights

 

Domain Implementation in UNIX

 

§  Domain = user-id

§  Domain switch accomplished via file system

ü Each file has associated with it a domain bit (setuid bit)

ü When file is executed and setuid is on, then user-id is set to owner of the file being executed.

ü When execution completes user-id is reset

 

Examples:

 

setuid (set user id):

 

Allows a user to be another user during the execution of a program.

 

For example:

 [antares] ~> cd  /usr/bin

[antares] /usr/bin> ls -l passwd

 

-r-sr-sr-x   1 root     sys        27228 Aug 16  2007 passwd

 

[antares] /usr/bin> ls -l  |  grep  sr

 

-r-sr-xr-x   1 root     bin        31408 Jan 22  2005 login

-r-sr-sr-x   1 root     sys        27228 Aug 16  2007 passwd

.........

 

Run passwd in one window:

 [antares] ~> passwd

 

Run in another window:

 [antares] ~> ps -a -o user,ruser,comm

 

     USER  RUSER  COMMAND

     root  cs471w passwd

 

How to set the setuid bit on a program:

 [antares] ~>  chmod  u+s  program

 

Example:

 

% cd /home/cs471w/public_html/code/final-src/chap14

% setuidf

 

Access Matrix

 

·       View protection as a matrix (access matrix)

·       Rows represent domains

·       Columns represent objects

·       Access(i, j) is the set of operations that a process executing in Domain Di can invoke on Object Oj

 

Use of Access Matrix

 

·       If a process in Domain Di tries to do “op” on object Oj then “op” must be in the access matrix entry Access(i, j)

·       Access matrix design: separate Mechanism from Policy:

Mechanism

It ensures that the matrix is only manipulated by authorized agents and rules are strictly enforced

Policy

User dictates policy:

Who can access what object and in what mode

 

 

Implementation of Access Matrix

 

·        Each column = Access-control list for one object
Defines who can perform what operation.

     Domain 1 = Read, Write
     Domain 2 = Read
     Domain 3 = Read


·        Each Row = Capability List (like a key)
For each domain, what operations are allowed on what objects.

 

         Object 1 – Read

         Object 4 – Read, Write, Execute

         Object 5 – Read, Write, Delete, Copy

 

Access Matrix With Domains as Objects

 

transfer – switch from domain Di to Dj
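A toy model of the access matrix described in the three sections above: the column view (access-control list), the row view (capability list), transfer between domains, and a setuid-style switch that reverts when the program finishes. This is an added example, not code from the lecture notes; the domains D1..D3, objects F1..F3 and their rights are constructed sample values.

```python
"""Toy access matrix: rows are domains, columns are objects (domains included).

The MATRIX dict is the policy (who may do what); the check() function is
the mechanism that enforces it. Constructed example values, not real data.
"""
from typing import Dict, FrozenSet, List, Tuple

Matrix = Dict[str, Dict[str, FrozenSet[str]]]

# Policy: Access(D1, F1) = {read, write}, Access(D1, D2) = {switch}, etc.
MATRIX: Matrix = {
    "D1": {"F1": frozenset({"read", "write"}), "F2": frozenset({"read"}),
           "D2": frozenset({"switch"})},
    "D2": {"F1": frozenset({"read"}),
           "F3": frozenset({"read", "write", "execute"})},
    "D3": {"F2": frozenset({"read"}), "D1": frozenset({"switch"})},
}

def check(matrix: Matrix, domain: str, obj: str, op: str) -> bool:
    """Mechanism: op is permitted iff op is in Access(domain, obj)."""
    return op in matrix.get(domain, {}).get(obj, frozenset())

def acl(matrix: Matrix, obj: str) -> Dict[str, FrozenSet[str]]:
    """Column view: the object's access-control list (domain -> rights)."""
    return {d: row[obj] for d, row in matrix.items() if row.get(obj)}

def capability_list(matrix: Matrix, domain: str) -> Dict[str, FrozenSet[str]]:
    """Row view: the domain's capabilities (object -> rights), its 'keys'."""
    return {o: r for o, r in matrix.get(domain, {}).items() if r}

def transfer(matrix: Matrix, current: str, target: str) -> str:
    """Domain switch: only allowed when 'switch' is in Access(current, target)."""
    if not check(matrix, current, target, "switch"):
        raise PermissionError(f"{current} may not switch to {target}")
    return target

def run(matrix: Matrix, domain: str,
        ops: List[Tuple[str, str]]) -> List[Tuple[str, str, bool]]:
    """Attempt each (object, op) in the given domain; record the decision."""
    return [(o, op, check(matrix, domain, o, op)) for o, op in ops]

def run_setuid(matrix: Matrix, real_domain: str, file_owner: str,
               ops: List[Tuple[str, str]]):
    """setuid-style execution: ops run in the file owner's domain, then the
    effective domain is reset to the caller's real domain."""
    effective = transfer(matrix, real_domain, file_owner)
    results = run(matrix, effective, ops)
    effective = real_domain  # user-id reset when execution completes
    return effective, results
```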