
Chapter 6 User Protections in OS

Upload: abraham-dale-goodwin

Post on 17-Dec-2015



Page 1

Chapter 6

User Protections in OS

Page 2

csci5233 computer security & integrity (Chap. 6)

2

Outline

User-level protections

1. Memory protection

2. Control of access to objects

3. File protection

4. User authentication

Page 3

User-level protection

The general-purpose OS supports multiprogramming (aka multi-tasking), the concurrent use of system resources by more than one user.

It is critical to protect one user from interference from another user.

What would need to be protected?

– Computation

– Files

– Anything else?

Page 4

Protected Objects

Memory

Shared I/O devices (e.g., disks, printers, tape drives, …)

Sharable programs and sub-procedures

Sharable data

… (See p.242 for a detailed listing)

The controlled sharing of these objects is the responsibility of the OS.

Page 5

Protection Mechanisms: considerations

A. Types of separation

B. Levels of protection

C. Granularity of protection control

Types of separation

Separation is the basis of protection. It keeps different users’ objects separate from each other.

Page 6

Protection Mechanisms: considerations

Types of separation

1. Physical separation

2. Temporal separation

3. Logical separation

4. Cryptographic separation

Concerns: resource utilization versus order of the security provided

The goal of protection: To allow multi-tasking of processes with different security needs

Page 7

Protection Mechanisms: considerations

Levels of protection

No protection – feasible when ‘temporal separation’ is applied

Isolation – confinement, separate addressing space and resources

Share all or share nothing – public vs private objects

Share via access limitation – ACL (access control list)

Share by capabilities – an extension of ACL; dynamic determination of access rights (user + object + context of access)

Limit use of an object – finer control over the use of an object (Example: read but no print; aggregate but no individual data items)

Page 8

Protection Mechanisms: considerations

Granularity of protection control

Example: Granularity of data control

Bit byte word field record file …

Another example: Granularity of access rights

What does that mean?

Trade-offs:

Finer control leads to more complex implementation. Why?

Coarse control, on the other hand, results in low order of security. Why?

Page 9

Memory Protection Mechanisms

Preventing one process from affecting the memory of other processes

Built-in hardware protection mechanisms are common.

Mechanisms: fence, relocation, base/bounds registers, tagged architecture, segmentation, paging, combined paging with segmentation

Page 10

Memory Protection Mechanisms

Fence

protects the OS from the user processes

a predefined address (Fig. 6-1)

fence register (Fig. 6-2, p.232)

Limitations?

Page 11

Memory Protection Mechanisms

Relocation

A relocatable module can be loaded at a different starting address each time it is loaded.

Who is in charge of determining the starting address of a module?

Fence register can be used as a hardware relocation device. Any limitation?

Page 12

Memory Protection Mechanisms

Base/Bounds Registers

Base, bound, offset

Fig. 6-3 (p.233)

Fig. 6-4 (p.234): Two pairs of base/bounds registers

The use of base/bounds registers enables context switch of processes.

Any limitations?

Contiguous address space

All-or-nothing sharing (that is, no selective sharing)
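The fence and base/bounds checks described on the last few slides, as an added example (this is not code from the slides or the textbook): a toy MMU that relocates every program-relative offset by the base register and traps any reference outside the bounds or below the fence. The fence value, physical memory size, and the two process layouts are constructed sample values.

```python
# Added example, not from the slides: a toy MMU that applies a fence check and
# a base/bounds check to every memory reference. All addresses, register
# values and process layouts below are constructed sample values.

FENCE = 0x1000            # constructed: the OS occupies physical [0, 0x1000)
PHYSICAL_SIZE = 0x10000   # constructed: 64 KiB of physical memory


class ProtectionFault(Exception):
    """Raised when a reference falls outside the running process's region."""


class ToyMMU:
    def __init__(self, fence=FENCE):
        self.fence = fence
        self.base = 0        # base register: physical start of the current process
        self.bounds = 0      # bounds register: size of that contiguous region
        self.physical = bytearray(PHYSICAL_SIZE)

    def load_registers(self, base, bounds):
        """Context switch: the OS reloads the base/bounds pair for the new process."""
        self.base, self.bounds = base, bounds

    def translate(self, offset):
        """Relocate a program-relative offset by the base and check it against the bounds."""
        if not 0 <= offset < self.bounds:
            raise ProtectionFault(f"offset {offset:#x} outside bounds {self.bounds:#x}")
        addr = self.base + offset
        if addr < self.fence:   # fence: user processes never reach the OS region
            raise ProtectionFault(f"address {addr:#x} below fence {self.fence:#x}")
        if addr >= PHYSICAL_SIZE:
            raise ProtectionFault(f"address {addr:#x} beyond physical memory")
        return addr

    def write(self, offset, value):
        self.physical[self.translate(offset)] = value

    def read(self, offset):
        return self.physical[self.translate(offset)]


def demo():
    """Two processes share the machine; each sees only its own contiguous region."""
    mmu = ToyMMU()
    # constructed layout: A is loaded at 0x2000 with 0x800 bytes, B at 0x3000 with 0x400 bytes
    mmu.load_registers(base=0x2000, bounds=0x800)
    a_phys = mmu.translate(0x10)     # relocation: A's offset 0x10 lands at 0x2010
    mmu.write(0x10, 0xAA)

    mmu.load_registers(base=0x3000, bounds=0x400)   # context switch to B
    b_sees = mmu.read(0x10)          # B's offset 0x10 is 0x3010, so it cannot see A's byte
    try:
        mmu.read(0x500)              # beyond B's bounds: trapped before any access happens
        b_fault = False
    except ProtectionFault:
        b_fault = True
    try:
        mmu.load_registers(base=0x0800, bounds=0x100)  # constructed bad load: below the fence
        mmu.read(0)
        fence_fault = False
    except ProtectionFault:
        fence_fault = True
    return {"a_phys": a_phys, "b_sees": b_sees, "b_fault": b_fault, "fence_fault": fence_fault}


if __name__ == "__main__":
    print(demo())
```

The two limitations on the slide show up directly in the model: a process is exactly one contiguous `[base, base + bounds)` range, so the only way to let B read part of A's region would be to widen B's bounds over all of it, which is the all-or-nothing sharing problem.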

Page 13

Memory Protection Mechanisms

Tagged architecture

Every word of memory has extra tag bit(s) to identify its access rights.

The bits are tested every time an instruction accesses that location.

The bits can only be set by the OS instructions.

Fig. 6-5 (p.235)

Any problems?

Incompatible with the existing OS codes

Page 14

Memory Protection Mechanisms

Segmentation

A program is divided into separate pieces, segments.

Each segment is a logical unit, which may contain code or data.

A program may be composed of several segments, each of which has different access rights.

Fig. 6-6 (p.237)

Q: Who’s keeping track of the relationship between logical names and their corresponding physical addresses?

Fig. 6-7 (p.238): Segment translation table

Addressing (in a program) = segment name + offset within the segment

Page 15

Segmentation

Segmentation enables the OS to become an intermediary between a process and the physical memory.

Benefits

1. Protection of memory addresses:

   1. Each address reference is checked for protection.

   2. A user cannot generate an address or access to an unpermitted segment.

2. Enabling flexible protection mechanisms:

   1. Different levels of protection can be assigned to different classes of data items.

   2. A segment may be shared by two or more users, each with different access rights.

Page 16

Segmentation

Does segmentation present any challenges or problems?

– A challenge: A process may access offset beyond the end of a segment.

• Solution: run-time verification by the OS

Implementation problems:

1. Segment names are inconvenient to encode in instructions, resulting in possibly slow lookup of the STT.

Solution? Conversion of names to numbers during program compilation/translation

Impact? Difficulty in sharing of the same segment name between two procedures.

2. Segmentation can lead to memory fragmentation.
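The segment translation table, the per-user rights on a shared segment, and the run-time check for an offset past the end of a segment, as an added example (not code from the slides or the textbook). Segment names, sizes and physical placements are constructed sample values.

```python
# Added example, not from the slides: a toy segment translation table (STT),
# one per process, that resolves <segment name, offset> to a physical address
# while checking the process's rights on the segment and the segment bounds.
# Segment names, sizes and physical placements are constructed sample values.
from dataclasses import dataclass


class SegmentFault(Exception):
    """Raised for an unknown segment, a disallowed access, or an offset past the end."""


@dataclass(frozen=True)
class Segment:
    base: int      # physical start of the segment
    length: int    # segment size in bytes


class SegmentTable:
    """The OS keeps one table per process; user code only ever supplies <name, offset>."""

    def __init__(self):
        self.entries = {}   # segment name -> (Segment, rights this process has on it)

    def map(self, name, segment, rights):
        self.entries[name] = (segment, frozenset(rights))

    def translate(self, name, offset, access):
        entry = self.entries.get(name)
        if entry is None:
            raise SegmentFault(f"segment {name!r} is not in this process's table")
        seg, rights = entry
        if access not in rights:
            raise SegmentFault(f"{access} not permitted on segment {name!r}")
        if not 0 <= offset < seg.length:            # run-time bounds verification
            raise SegmentFault(f"offset {offset:#x} is beyond the end of {name!r}")
        return seg.base + offset


def demo():
    # constructed physical layout: one code segment and one data segment shared by two users
    code = Segment(base=0x4000, length=0x1000)
    table = Segment(base=0x8000, length=0x200)

    user1 = SegmentTable()
    user1.map("MAIN", code, {"execute"})
    user1.map("TABLE", table, {"read", "write"})

    user2 = SegmentTable()               # same physical TABLE, read-only for this user
    user2.map("TABLE", table, {"read"})

    results = {
        "u1_write": user1.translate("TABLE", 0x10, "write"),
        "u2_read": user2.translate("TABLE", 0x10, "read"),
    }
    for label, (tbl, name, off, acc) in {
        "u2_write": (user2, "TABLE", 0x10, "write"),        # right not granted to user2
        "u2_code": (user2, "MAIN", 0x0, "execute"),         # segment not in user2's table
        "u1_overrun": (user1, "TABLE", 0x200, "read"),      # offset one past the end
        "u1_data_exec": (user1, "TABLE", 0x10, "execute"),  # data segment is not executable
    }.items():
        try:
            tbl.translate(name, off, acc)
            results[label] = "allowed"
        except SegmentFault:
            results[label] = "fault"
    return results


if __name__ == "__main__":
    print(demo())
```

Both users resolve `("TABLE", 0x10)` to the same physical byte, which is the selective sharing that base/bounds registers could not express, while every reference is still checked against the rights and length recorded in the caller's own table. The table is keyed by string names here only for readability; a real translator would replace the names with numbers at compile time, which is exactly the implementation problem the slide describes.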

Page 17

Paging

A program is divided into equal-sized pages. Memory is divided into same-sized units, called page frames.

The page size is typically between 512 and 4096 bytes. (That is, between 9 and 12 address bits.)

address = <page, offset>

Table lookup is needed to translate a logical address to the physical address location. Fig. 6-8, p.240.

Page 18

Paging

Advantages:

1. Fragmentation is not a problem (as in segmentation).

2. No problem of addressing beyond the end of a page.

3. The entire mechanism of paging and address translation is hidden from the programmer.

Unlike segmentation, there is no logical unity to a page.

– Is this an advantage or disadvantage?

– From the standpoint of protection, a definite disadvantage.

Why?

Page 19

Paging + Segmentation (combined)

c.f.,

– Paging: efficient

– Segmentation: logical protection characteristics

Paged segmentation: two layers of address translation

– A program is first divided into segments.

– Each segment is divided into pages.

– Figure 6-9, p.241.
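The <page, offset> split from the paging slide and the two-layer translation of paged segmentation, as an added example (not code from the slides or the textbook). The page size, segment layout and frame numbers are constructed sample values; the code also handles a page size other than 4096 to show where the 9 to 12 offset bits come from.

```python
# Added example, not from the slides: address decomposition for paging and a
# two-level paged-segmentation translation. The page size, segment layout and
# frame numbers are constructed sample values.

PAGE_SIZE = 4096   # constructed: 4096-byte pages, so 12 offset bits


class PagedFault(Exception):
    """Raised for an unknown segment, a disallowed access, or a page past the segment's end."""


def offset_bits(page_size):
    """Number of address bits used for the within-page offset (page size must be a power of two)."""
    if page_size <= 0 or page_size & (page_size - 1):
        raise ValueError("page size must be a power of two")
    return page_size.bit_length() - 1


def split_page_offset(addr, page_size=PAGE_SIZE):
    """Decompose a logical address into <page, offset>."""
    bits = offset_bits(page_size)
    return addr >> bits, addr & (page_size - 1)


class PagedSegmentMMU:
    """Segments carry the rights (the logical unit); pages only decide physical placement."""

    def __init__(self, page_size=PAGE_SIZE):
        self.page_size = page_size
        self.segments = {}   # segment name -> (rights, page table: page number -> frame number)

    def map_segment(self, name, rights, frames):
        self.segments[name] = (frozenset(rights), list(frames))

    def translate(self, name, offset, access):
        """First layer: segment table (rights). Second layer: that segment's page table (frame)."""
        if name not in self.segments:
            raise PagedFault(f"unknown segment {name!r}")
        rights, page_table = self.segments[name]
        if access not in rights:
            raise PagedFault(f"{access} not permitted on {name!r}")
        page, inner = split_page_offset(offset, self.page_size)
        if page >= len(page_table):                 # beyond the end of the segment
            raise PagedFault(f"page {page} past the end of {name!r}")
        return page_table[page] * self.page_size + inner


def demo():
    mmu = PagedSegmentMMU()
    # constructed: a two-page DATA segment placed in frames 7 and 3 (non-contiguous)
    mmu.map_segment("DATA", {"read", "write"}, frames=[7, 3])
    mmu.map_segment("CODE", {"execute"}, frames=[5])
    results = {
        "bits_512": offset_bits(512),
        "bits_4096": offset_bits(4096),
        "page_offset": split_page_offset(0x1010),            # page 1, offset 0x10
        "data_phys": mmu.translate("DATA", 0x1010, "read"),  # frame 3 -> 3*4096 + 0x10
    }
    for label, (name, off, acc) in {
        "overrun": ("DATA", 0x2000, "read"),   # page 2 does not exist in a two-page segment
        "write_code": ("CODE", 0x0, "write"),  # rights are checked at the segment layer
    }.items():
        try:
            mmu.translate(name, off, acc)
            results[label] = "allowed"
        except PagedFault:
            results[label] = "fault"
    return results


if __name__ == "__main__":
    print(demo())
```

The two pages of `DATA` sit in frames 7 and 3, so the segment needs no contiguous physical space (paging's answer to fragmentation), while the access check still happens on the segment as a whole (segmentation's logical protection). With plain paging there would be no segment layer, and a page boundary could fall anywhere inside code or data, which is why a page on its own is the wrong unit to attach rights to.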

Page 20

Controlled Access to Objects

What objects need to be protected?

• Memory, files, directories, an executing program, h/w device, data structure in memory, OS tables, instructions, passwords, the user authentication mechanisms, the protection mechanism itself, …

Memory protection is a special case of the protection of general objects.

In comparison, protection of memory is simple. Why? (p.242)

Page 21

Controlled Access to Objects

Access to an object is performed by a subject. A subject may be an end user, a programmer, a program, another object, or anything else that seeks to use an object.

General goals in protecting objects:

1. Revocability of a user’s privilege to access an object.

2. The least privilege principle

3. Verification of object-specific usages

Page 22

Controlled Access to Objects

An example of object protection: a simple approach relying on directories of files

The objects - files in the directory, the directory itself

Sample subjects - users of the system

Each file has a unique owner, who controls access to the file.

Each user has a file directory, which lists all files to which the user has access.

The file directories must be maintained by the OS. Why?

Access rights include read, write, execute, and owner?

Fig. 6-10, p.243.

Why would the above simple approach not work? 3 problems (p.244)

Page 23

Controlled Access to Objects

Alternative approaches for access control

– ACL (access control list)

– ACM (access control matrix)

– capabilities for access control

– procedure-oriented access control

Page 24

Controlled Access to Objects

• ACL

Each object has an ACL, which includes all subjects that would have access to the object and what their access is.

Fig. 6-12 (p.246)

In comparison: In the previous approach, each subject has a directory list, which includes all objects that the subject may access and the respective access rights.

User designation vs group designation

In Multics: user, group, compartment

In Unix: owner, group, world

In Windows?

Page 25

Controlled Access to Objects

• ACM

Fig. 6-13 (p.247)

<subject, object, access rights>

Disadvantage: mostly sparse; inefficient searching
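The directory approach (page 22), the ACL (page 24) and the ACM (page 25) are three layouts of the same <subject, object, access rights> information. The added example below (not code from the slides or the textbook) stores one constructed protection state all three ways, counts how sparse the matrix is, and revokes every subject's access to one object so the difference in work between the column view and the row view is visible. Subjects, objects and rights are constructed sample values.

```python
# Added example, not from the slides: one constructed protection state stored
# three ways, as an access control matrix, as per-object ACLs, and as
# per-subject directory lists, with a revocation to show the difference in
# work. Subjects, objects and rights are constructed sample values.

SUBJECTS = ["alice", "bob", "carol", "dave"]
OBJECTS = ["payroll.db", "report.txt", "tool.exe", "secrets.key"]

# access control matrix kept as a sparse dict: only non-empty cells are stored
MATRIX = {
    ("alice", "payroll.db"): {"read", "write"},
    ("alice", "report.txt"): {"read"},
    ("bob", "report.txt"): {"read", "write"},
    ("carol", "tool.exe"): {"execute"},
}


def occupancy(matrix=MATRIX, subjects=SUBJECTS, objects=OBJECTS):
    """Non-empty cells versus total cells: the matrix is mostly empty."""
    return len(matrix), len(subjects) * len(objects)


def to_acls(matrix=MATRIX):
    """Column view: each object lists the subjects that may access it and how."""
    acls = {}
    for (subject, obj), rights in matrix.items():
        acls.setdefault(obj, {})[subject] = set(rights)
    return acls


def to_directories(matrix=MATRIX):
    """Row view: each subject's directory lists the objects it may access and how."""
    dirs = {}
    for (subject, obj), rights in matrix.items():
        dirs.setdefault(subject, {})[obj] = set(rights)
    return dirs


def allowed_by_acl(acls, subject, obj, access):
    return access in acls.get(obj, {}).get(subject, set())


def allowed_by_directory(dirs, subject, obj, access):
    return access in dirs.get(subject, {}).get(obj, set())


def revoke_all_access(acls, dirs, obj):
    """Revoke every subject's access to one object in both representations.
    Returns the number of directories that had to be visited to do it."""
    acls.pop(obj, None)              # one lookup: the object's whole ACL is dropped
    visited = 0
    for directory in dirs.values():  # every subject's directory must be scanned
        visited += 1
        directory.pop(obj, None)
    return visited


def demo():
    acls, dirs = to_acls(), to_directories()
    before = allowed_by_acl(acls, "bob", "report.txt", "write")
    visited = revoke_all_access(acls, dirs, "report.txt")
    return {
        "occupancy": occupancy(),
        "before": before,
        "after_acl": allowed_by_acl(acls, "bob", "report.txt", "write"),
        "after_dir": allowed_by_directory(dirs, "bob", "report.txt", "write"),
        "directories_visited": visited,
        "views_agree": allowed_by_acl(acls, "alice", "payroll.db", "write")
        == allowed_by_directory(dirs, "alice", "payroll.db", "write"),
    }


if __name__ == "__main__":
    print(demo())
```

Four of sixteen cells are populated, which is the sparsity the slide refers to; a dense two-dimensional table would waste most of its space and a lookup by object would have to walk a whole column. The ACL answers "who may touch this object" in one lookup, and revoking all access to an object is a single deletion, whereas the per-subject directories have to be visited one by one to find and remove the stale entry.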

Page 26

Controlled Access to Objects

• Capability

A capability is an unforgeable token giving the possessor certain rights to an object.

A capability is a ticket giving permission to a subject to perform a certain type of access on an object.

To prevent forgery, a capability is usually maintained by the OS.

A new access right: the right to transfer a capability

Domain: The collection of capabilities defines a domain. (Fig. 6-14, p.248)

An executing program or sub-procedure operates in a domain.

A sub-procedure in a program may have a different domain from the main program. (Fig. 6-15, p.249)

Significance: groundwork for subsequent production use in systems such as Kerberos, which is a popular network authentication protocol (Ch. 9)
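The capability slide, as an added example (not code from the slides or the textbook, and not a model of Kerberos): a toy kernel keeps every capability in a table that user code never sees, so a program holds only an opaque handle it cannot alter or forge; a domain is the set of handles a program or sub-procedure holds, and a capability can be passed to another domain only if it carries the transfer right. Object names, rights and the random handle format are constructed sample values.

```python
# Added example, not from the slides: a toy kernel that keeps every capability
# in its own table, so user code holds only opaque handles it cannot forge or
# edit, plus domains built from sets of capabilities and a 'transfer' right.
# Object names, rights and the handle format are constructed sample values.
import secrets


class CapabilityError(Exception):
    """Raised for an invalid handle, a missing right, or a disallowed transfer."""


class Kernel:
    def __init__(self):
        self._table = {}   # handle -> (object name, frozenset of rights); never exposed

    def grant(self, obj, rights):
        """Mint a capability for obj and hand back only its handle."""
        handle = secrets.token_hex(16)   # constructed: random, so a handle cannot be guessed
        self._table[handle] = (obj, frozenset(rights))
        return handle

    def use(self, handle, access):
        """Check that the handle names a live capability carrying the requested right."""
        entry = self._table.get(handle)
        if entry is None:
            raise CapabilityError("no such capability (forged, stale or revoked)")
        obj, rights = entry
        if access not in rights:
            raise CapabilityError(f"capability for {obj!r} lacks {access!r}")
        return obj

    def transfer(self, handle, rights):
        """Derive a capability for another domain. Requires the 'transfer' right,
        and the derived rights may only be a subset of the original ones."""
        obj, have = self._table.get(handle, (None, frozenset()))
        if obj is None or "transfer" not in have:
            raise CapabilityError("capability is not transferable")
        if not set(rights) <= have:
            raise CapabilityError("cannot transfer rights the holder does not have")
        return self.grant(obj, rights)

    def revoke(self, handle):
        """Revocability: the OS simply drops the entry; the handle is now meaningless."""
        self._table.pop(handle, None)


class Domain:
    """A domain is the collection of capabilities a running program or procedure holds."""

    def __init__(self, kernel, handles):
        self.kernel = kernel
        self.handles = dict(handles)   # object name -> handle, as known to this domain

    def access(self, obj, right):
        handle = self.handles.get(obj)
        if handle is None:
            raise CapabilityError(f"domain holds no capability for {obj!r}")
        return self.kernel.use(handle, right)

    def call(self, *objects):
        """Enter a sub-procedure with a smaller domain: only the named capabilities."""
        return Domain(self.kernel, {o: self.handles[o] for o in objects})


def _outcome(action):
    try:
        action()
        return "allowed"
    except CapabilityError:
        return "denied"


def demo():
    kernel = Kernel()
    main = Domain(kernel, {
        "printer": kernel.grant("printer", {"write"}),
        "payroll": kernel.grant("payroll", {"read", "transfer"}),
    })
    results = {"main_reads_payroll": main.access("payroll", "read")}

    sub = main.call("printer")   # the sub-procedure's domain is smaller than main's
    results["sub_prints"] = sub.access("printer", "write")
    results["sub_reads_payroll"] = _outcome(lambda: sub.access("payroll", "read"))

    # pass a read-only, non-transferable copy to a second program
    other = Domain(kernel, {"payroll": kernel.transfer(main.handles["payroll"], {"read"})})
    results["other_reads"] = other.access("payroll", "read")
    results["other_transfers"] = _outcome(lambda: kernel.transfer(other.handles["payroll"], {"read"}))
    results["forged"] = _outcome(lambda: kernel.use("00" * 16, "read"))

    kernel.revoke(main.handles["payroll"])
    results["after_revoke"] = _outcome(lambda: main.access("payroll", "read"))
    return results


if __name__ == "__main__":
    print(demo())
```

The handle is unforgeable only because the table of meaning lives inside the kernel; a guessed or edited handle simply fails the lookup. Note one design consequence worth seeing in the output: the copy handed to `other` is an independent table entry, so revoking `main`'s original does not cascade to it. A system that needs cascading revocation has to record the derivation chain, which this toy does not.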

Page 27

Controlled Access to Objects

• Procedure-oriented access control

Access to an object is controlled by its access-control procedures.

The procedures define a trusted interface through which access to a given object can be made.

Purpose: To enable more complex access control beyond read, write, and execute.

Benefits: information hiding; flexible

Disadvantage: inefficient access
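Procedure-oriented access control, as an added example (not code from the slides or the textbook) using the "aggregate but no individual data items" case from the granularity slide: the records are reachable only through two trusted procedures, so a caller can obtain counts and averages but never a row, and an aggregate over a group too small to hide an individual is refused. The records and the minimum group size are constructed sample values.

```python
# Added example, not from the slides: a record set that can be reached only
# through two trusted procedures, so callers can obtain aggregates but never
# individual data items. The records and the minimum group size are constructed.


class AccessDenied(Exception):
    """Raised when a request through the interface would expose individual items."""


def make_salary_object(records, min_group=3):
    """Return the only interface to `records`: a pair of access-control procedures.
    The list itself is a private copy captured by the closures and is never returned."""
    data = [dict(r) for r in records]

    def count(department=None):
        return sum(1 for r in data if department is None or r["dept"] == department)

    def average_salary(department=None):
        rows = [r["salary"] for r in data if department is None or r["dept"] == department]
        if len(rows) < min_group:    # constructed policy: a tiny group would reveal an individual
            raise AccessDenied(f"group of {len(rows)} is too small to aggregate")
        return sum(rows) / len(rows)

    return {"count": count, "average_salary": average_salary}


SAMPLE = [   # constructed sample data
    {"name": "A", "dept": "eng", "salary": 100},
    {"name": "B", "dept": "eng", "salary": 120},
    {"name": "C", "dept": "eng", "salary": 110},
    {"name": "D", "dept": "eng", "salary": 130},
    {"name": "E", "dept": "sales", "salary": 90},
]


def demo():
    salaries = make_salary_object(SAMPLE)
    results = {
        "exposed_procedures": sorted(salaries),          # nothing but the two procedures
        "all_avg": salaries["average_salary"](),
        "eng_avg": salaries["average_salary"]("eng"),
        "sales_count": salaries["count"]("sales"),
    }
    try:
        salaries["average_salary"]("sales")              # one row: the aggregate is the individual
        results["sales_avg"] = "allowed"
    except AccessDenied:
        results["sales_avg"] = "denied"
    return results


if __name__ == "__main__":
    print(demo())
```

This is the information hiding and flexibility the slide lists as benefits: the policy is whatever the procedures enforce, not a fixed read/write/execute triple. The cost is also visible: every access goes through a procedure call and a filter pass over the data rather than a direct reference.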

Page 28

Summary

Next: 6.4 (file protection), 6.5 (user authentication)