Chapter 14 - Protection
WayneJonesJnr
14,938 views
25 slides
Apr 20, 2009
Slide 1 of 25
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
About This Presentation
Goals of Protection
Principles of Protection
Domain of Protection
Access Matrix
Implementation of Access Matrix
Access Control
Revocation of Access Rights
Capability-Based Systems
Language-Based Protection
Slide Content
Chapter 14: ProtectionChapter 14: Protection
14.2 Silberschatz, Galvin and Gagne
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Chapter 14: ProtectionChapter 14: Protection
nGoals of Protection
nPrinciples of Protection
nDomain of Protection
nAccess Matrix
nImplementation of Access Matrix
nAccess Control
nRevocation of Access Rights
nCapability-Based Systems
nLanguage-Based Protection
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Chapter 14: ProtectionChapter 14: Protection
nGoals of Protection
nPrinciples of Protection
nDomain of Protection
nAccess Matrix
nImplementation of Access Matrix
nAccess Control
nRevocation of Access Rights
nCapability-Based Systems
nLanguage-Based Protection
14.3 Silberschatz, Galvin and Gagne
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
ObjectivesObjectives
nDiscuss the goals and principles of protection in a modern
computer system
nExplain how protection domains combined with an access matrix
are used to specify the resources a process may access
nExamine capability and language-based protection systems
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
ObjectivesObjectives
nDiscuss the goals and principles of protection in a modern
computer system
nExplain how protection domains combined with an access matrix
are used to specify the resources a process may access
nExamine capability and language-based protection systems
14.4 Silberschatz, Galvin and Gagne
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Goals of ProtectionGoals of Protection
nOperating system consists of a collection of objects, hardware or
software
nEach object has a unique name and can be accessed through a
well-defined set of operations.
nProtection problem - ensure that each object is accessed correctly
and only by those processes that are allowed to do so.
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Goals of ProtectionGoals of Protection
nOperating system consists of a collection of objects, hardware or
software
nEach object has a unique name and can be accessed through a
well-defined set of operations.
nProtection problem - ensure that each object is accessed correctly
and only by those processes that are allowed to do so.
14.5 Silberschatz, Galvin and Gagne
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Principles of ProtectionPrinciples of Protection
nGuiding principle – principle of least privilege
lPrograms, users and systems should be given just enough
privileges to perform their tasks
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Principles of ProtectionPrinciples of Protection
nGuiding principle – principle of least privilege
lPrograms, users and systems should be given just enough
privileges to perform their tasks
14.6 Silberschatz, Galvin and Gagne
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Domain StructureDomain Structure
nAccess-right = <object-name, rights-set>
where rights-set is a subset of all valid operations that can be
performed on the object.
nDomain = set of access-rights
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Domain StructureDomain Structure
nAccess-right = <object-name, rights-set>
where rights-set is a subset of all valid operations that can be
performed on the object.
nDomain = set of access-rights
14.7 Silberschatz, Galvin and Gagne
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Domain Implementation (UNIX)Domain Implementation (UNIX)
nSystem consists of 2 domains:
lUser
lSupervisor
nUNIX
lDomain = user-id
lDomain switch accomplished via file system.
Each file has associated with it a domain bit (setuid bit).
When file is executed and setuid = on, then user-id is set to
owner of the file being executed. When execution
completes user-id is reset.
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Domain Implementation (UNIX)Domain Implementation (UNIX)
nSystem consists of 2 domains:
lUser
lSupervisor
nUNIX
lDomain = user-id
lDomain switch accomplished via file system.
Each file has associated with it a domain bit (setuid bit).
When file is executed and setuid = on, then user-id is set to
owner of the file being executed. When execution
completes user-id is reset.
14.8 Silberschatz, Galvin and Gagne
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Domain Implementation (MULTICS)Domain Implementation (MULTICS)
nLet D
i
and D
j
be any two domain rings.
nIf j < I Þ D
i Í D
j
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Domain Implementation (MULTICS)Domain Implementation (MULTICS)
nLet D
i
and D
j
be any two domain rings.
nIf j < I Þ D
i Í D
j
14.9 Silberschatz, Galvin and Gagne
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Access MatrixAccess Matrix
nView protection as a matrix (access matrix)
nRows represent domains
nColumns represent objects
nAccess(i, j) is the set of operations that a process executing in
Domain
i
can invoke on Object
j
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Access MatrixAccess Matrix
nView protection as a matrix (access matrix)
nRows represent domains
nColumns represent objects
nAccess(i, j) is the set of operations that a process executing in
Domain
i
can invoke on Object
j
14.10 Silberschatz, Galvin and Gagne
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Access MatrixAccess Matrix
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Access MatrixAccess Matrix
14.11 Silberschatz, Galvin and Gagne
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Use of Access MatrixUse of Access Matrix
nIf a process in Domain D
i
tries to do “op” on object O
j
, then “op”
must be in the access matrix.
nCan be expanded to dynamic protection.
lOperations to add, delete access rights.
lSpecial access rights:
owner of O
i
copy op from O
i
to O
j
control – D
i
can modify D
j
access rights
transfer – switch from domain D
i
to D
j
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Use of Access MatrixUse of Access Matrix
nIf a process in Domain D
i
tries to do “op” on object O
j
, then “op”
must be in the access matrix.
nCan be expanded to dynamic protection.
lOperations to add, delete access rights.
lSpecial access rights:
owner of O
i
copy op from O
i
to O
j
control – D
i
can modify D
j
access rights
transfer – switch from domain D
i
to D
j
14.12 Silberschatz, Galvin and Gagne
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Use of Access Matrix (Cont.)Use of Access Matrix (Cont.)
nAccess matrix design separates mechanism from policy.
lMechanism
Operating system provides access-matrix + rules.
If ensures that the matrix is only manipulated by authorized
agents and that rules are strictly enforced.
lPolicy
User dictates policy.
Who can access what object and in what mode.
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Use of Access Matrix (Cont.)Use of Access Matrix (Cont.)
nAccess matrix design separates mechanism from policy.
lMechanism
Operating system provides access-matrix + rules.
If ensures that the matrix is only manipulated by authorized
agents and that rules are strictly enforced.
lPolicy
User dictates policy.
Who can access what object and in what mode.
14.13 Silberschatz, Galvin and Gagne
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Implementation of Access MatrixImplementation of Access Matrix
nEach column = Access-control list for one object
Defines who can perform what operation.
Domain 1 = Read, Write
Domain 2 = Read
Domain 3 = Read
nEach Row = Capability List (like a key)
Fore each domain, what operations allowed on what
objects.
Object 1 – Read
Object 4 – Read, Write, Execute
Object 5 – Read, Write, Delete, Copy
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Implementation of Access MatrixImplementation of Access Matrix
nEach column = Access-control list for one object
Defines who can perform what operation.
Domain 1 = Read, Write
Domain 2 = Read
Domain 3 = Read
nEach Row = Capability List (like a key)
Fore each domain, what operations allowed on what
objects.
Object 1 – Read
Object 4 – Read, Write, Execute
Object 5 – Read, Write, Delete, Copy
14.14 Silberschatz, Galvin and Gagne
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Access Matrix of Figure A With Domains as ObjectsAccess Matrix of Figure A With Domains as Objects
Figure B
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Access Matrix of Figure A With Domains as ObjectsAccess Matrix of Figure A With Domains as Objects
Figure B
14.15 Silberschatz, Galvin and Gagne
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Access Matrix with Access Matrix with CopyCopy Rights Rights
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Access Matrix with Access Matrix with CopyCopy Rights Rights
14.16 Silberschatz, Galvin and Gagne
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Access Matrix With Access Matrix With OwnerOwner Rights Rights
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Access Matrix With Access Matrix With OwnerOwner Rights Rights
14.17 Silberschatz, Galvin and Gagne
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Modified Access Matrix of Figure BModified Access Matrix of Figure B
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Modified Access Matrix of Figure BModified Access Matrix of Figure B
14.18 Silberschatz, Galvin and Gagne
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Access ControlAccess Control
nProtection can be applied to non-file resources
nSolaris 10 provides role-based access control to implement
least privilege
lPrivilege is right to execute system call or use an option within
a system call
lCan be assigned to processes
lUsers assigned roles granting access to privileges and
programs
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Access ControlAccess Control
nProtection can be applied to non-file resources
nSolaris 10 provides role-based access control to implement
least privilege
lPrivilege is right to execute system call or use an option within
a system call
lCan be assigned to processes
lUsers assigned roles granting access to privileges and
programs
14.19 Silberschatz, Galvin and Gagne
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Role-based Access Control in Role-based Access Control in
Solaris 10Solaris 10
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Role-based Access Control in Role-based Access Control in
Solaris 10Solaris 10
14.20 Silberschatz, Galvin and Gagne
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Revocation of Access RightsRevocation of Access Rights
nAccess List – Delete access rights from access list.
lSimple
lImmediate
nCapability List – Scheme required to locate capability in the system
before capability can be revoked.
lReacquisition
lBack-pointers
lIndirection
lKeys
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Revocation of Access RightsRevocation of Access Rights
nAccess List – Delete access rights from access list.
lSimple
lImmediate
nCapability List – Scheme required to locate capability in the system
before capability can be revoked.
lReacquisition
lBack-pointers
lIndirection
lKeys
14.21 Silberschatz, Galvin and Gagne
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Capability-Based Systems Capability-Based Systems
nHydra
lFixed set of access rights known to and interpreted by the
system.
lInterpretation of user-defined rights performed solely by user's
program; system provides access protection for use of these
rights.
nCambridge CAP System
lData capability - provides standard read, write, execute of
individual storage segments associated with object.
lSoftware capability -interpretation left to the subsystem,
through its protected procedures.
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Capability-Based Systems Capability-Based Systems
nHydra
lFixed set of access rights known to and interpreted by the
system.
lInterpretation of user-defined rights performed solely by user's
program; system provides access protection for use of these
rights.
nCambridge CAP System
lData capability - provides standard read, write, execute of
individual storage segments associated with object.
lSoftware capability -interpretation left to the subsystem,
through its protected procedures.
14.22 Silberschatz, Galvin and Gagne
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Language-Based ProtectionLanguage-Based Protection
nSpecification of protection in a programming language allows the
high-level description of policies for the allocation and use of
resources.
nLanguage implementation can provide software for protection
enforcement when automatic hardware-supported checking is
unavailable.
nInterpret protection specifications to generate calls on whatever
protection system is provided by the hardware and the operating
system.
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Language-Based ProtectionLanguage-Based Protection
nSpecification of protection in a programming language allows the
high-level description of policies for the allocation and use of
resources.
nLanguage implementation can provide software for protection
enforcement when automatic hardware-supported checking is
unavailable.
nInterpret protection specifications to generate calls on whatever
protection system is provided by the hardware and the operating
system.
14.23 Silberschatz, Galvin and Gagne
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Protection in Java 2Protection in Java 2
nProtection is handled by the Java Virtual Machine (JVM)
nA class is assigned a protection domain when it is loaded by the
JVM.
nThe protection domain indicates what operations the class can (and
cannot) perform.
nIf a library method is invoked that performs a privileged operation,
the stack is inspected to ensure the operation can be performed by
the library.
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Protection in Java 2Protection in Java 2
nProtection is handled by the Java Virtual Machine (JVM)
nA class is assigned a protection domain when it is loaded by the
JVM.
nThe protection domain indicates what operations the class can (and
cannot) perform.
nIf a library method is invoked that performs a privileged operation,
the stack is inspected to ensure the operation can be performed by
the library.
14.24 Silberschatz, Galvin and Gagne
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Stack InspectionStack Inspection
©2005
Operating System Concepts – 7
th
Edition, Apr 11, 2005
Stack InspectionStack Inspection
End of Chapter 14End of Chapter 14
Categories
GeneralDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 14,938
- Slides 25
- Favorites 14
- Age 6073 days
Related Slideshows
22
Pray For The Peace Of Jerusalem and You Will Prosper
RodolfoMoralesMarcuc
33 views
26
Don_t_Waste_Your_Life_God.....powerpoint
chalobrido8
36 views
31
VILLASUR_FACTORS_TO_CONSIDER_IN_PLATING_SALAD_10-13.pdf
JaiJai148317
33 views
14
Fertility awareness methods for women in the society
Isaiah47
30 views
35
Chapter 5 Arithmetic Functions Computer Organisation and Architecture
RitikSharma297999
29 views
5
syakira bhasa inggris (1) (1).pptx.......
ourcommunity56
30 views