UNIT V

 UNITV
 Protection and Security: Goals of Protection, Principles
of Protection, Domain of protection , Access Matrix , Implementation
of Access Matrix, Access control , Revocation of access rights ,
Capability-based Systems , Language-based protection.
 System Security : The security problem, program Threats ,
System and System Network Threats , Cryptography as a Security
tool, User Authentication , Implementing Security Defenses ,
firewalling to protect Systems and Networks , Computer Security
Classification, Case Studies- LinuxSystem.

Operating System Concepts – 9th Edition 14.1 Silberschatz, Galvin and Gagne ©2013
 Protection
 Goals of Protection
 Principles of Protection
 Domain of Protection
 Access Matrix
 Implementation of Access Matrix
 Access Control
 Revocation of Access Rights
 Capability-Based Systems
 Language-Based Protection

Operating System Concepts – 9th Edition 14.2 Silberschatz, Galvin and Gagne ©2013
 
Goals of Protection
The processes in operating system must be protected from one another
activities.
 Protection provides various mechanisms to ensure that only processes that
have gained proper authorization from operating system can operate on
files , memory segments ,CPU and other resources of the system.
 Protection refers to a mechanism for controlling the access of
programs,processes or user resources defined by a computer system.
 Reasons to provide Protection :
 1. Prevent mischievous , intentional violation of access restriction by a user.
 2.To ensure each program component active in a system uses system
resources in a consistent manner as stated in policies.
 3.Protection oriented system provides means to distinguish authorized usage
and unauthorized usage.
 4.Provides mechanisms for enforcement of policies for governing usage of
resources.

Operating System Concepts – 9th Edition 14.3 Silberschatz, Galvin and Gagne ©2013
 Goals of protection(cont..)

 5.Protection is not sole concern of operating system designer ,application

programmer also need to use protection mechanisms for the resources
created by the application subsystem to guard against their misuse.
 6.Mechanisms are different from policies.
Mechanisms determines how something will be done.
Policies decide what will be done
 Protection problem - ensure that each object is accessed correctly and only
by those processes that are allowed to do so.

Operating System Concepts – 9th Edition 14.4 Silberschatz, Galvin and Gagne ©2013
 Principles of Protection
 Guiding principle – principle of least privilege
 Programs, users and systems should be given just enough privileges
to perform their tasks
 Limits damage if entity has a bug, gets abused
 An operating system following the principle of least privilege
implements its programs ,system calls and data structures so that
failure or compromise of a component does minimal damage to the
system.
 Managing users : with principle of least privilege create separate
accounts for each user with just the privileges that user needs. Some
systems use role based access control (RBAC) to provide this
functionality.
 Computing facility of computer under this principle can be limited to
running specific services , accessing specific remote hosts during
specific times.

Operating System Concepts – 9th Edition 14.5 Silberschatz, Galvin and Gagne ©2013
 Principles of Protection (Cont.)
• The principle of least privilege can help produce a more
secure computing environment.
• Windows 2000 has complex protection scheme at its core
and yet has many security holes.
• Solaris is considered relatively secure,even though it is
designed with little protection in mind.
• One reason for this difference may be Windows has more
lines of code and services than Solaris and thus has more
to secure and protect.
• Another reason protection scheme in Windows is
incomplete or protects wrong aspects of operating system,
leaving other areas vulnerable.

Operating System Concepts – 9th Edition 14.6 Silberschatz, Galvin and Gagne ©2013
 Domain of Protection
 A computer system is collection of processes and objects.
 Objects : hardware objects(CPU , memory segments , printers,
disks and tape drives)
software objects(Files,programs and semaphores)
Each object has a unique name and each can be accessed only through well
defined and meaningful operations.
A process should be allowed to access only those resources for which it has
authorization.
At any time process should be able to access only those resources that it
currently requires to complete its task. This requirement is referred to as need
to know principle.
Need to know principle, is useful in limiting the amount of damage a faulty
process can cause in the system.

Operating System Concepts – 9th Edition 14.7 Silberschatz, Galvin and Gagne ©2013
 Domain Structure
 A process operates within a Protection domain, which specifies the
resources the process may access.
 Each domain defines a set of objects and types of operations that may be
invoked on each object. Ability to execute an operation on an object is an
Access right.
 Access-right = <object-name, rights-set>
where rights-set is a subset of all valid operations that can be performed
on the object
 Domain = set of access-rights . Domains may share access rights.

Operating System Concepts – 9th Edition 14.8 Silberschatz, Galvin and Gagne ©2013
 
Domain structure(cont..)
The association between a process and domain may be static or dynamic.
 Static-set of resources available to a process is fixed throughout the
process’s life time .
 Dynamic-set of resources available to a process is not fixed.
 Mechanism available to change content of a domain domain switching.
 Example: A process might execute in two phases ,one phase it might want to
read,another phase it may want to write
If the domain is static ,we must define domain to include both read and write
access.This arrangement provides more rights than are needed in each of
the phase.Thus need to know principle is violated.
We must allow domain contents to be modified so that domain always reflects
minimum necessary access writes.
In dynamic association ,domain switching enables the process to switch from
one domain to another

Operating System Concepts – 9th Edition 14.9 Silberschatz, Galvin and Gagne ©2013
 Domain Implementation (UNIX)
 Domain = user-id
 Domain switch accomplished via file system
 Each file has associated with it a domain bit (setuid bit)
 When file is executed and setuid = on, then user-id is set to
owner of the file being executed.
 When execution completes user-id is reset
 Domain switch accomplished via passwords
 su command temporarily switches to another user’s domain when
other domain’s password provided. This method starts a new login
shell as another username specified
 Domain switching via commands
 sudo command prefix executes specified command in another
domain (if original domain has privilege or password given)

Operating System Concepts – 9th Edition 14.10 Silberschatz, Galvin and Gagne ©2013
  To secure the Linux kernel from unauthorized access, the operating
system provides the option of creating different users with different
privileges. You can easily switch users
 The su command, which stands for switch user, is a powerful tool to
switch from one user account to another. The syntax to switch users
using the su command in the Linux Terminal is:
 su <options> <username> in Linux using commands.
 1. Switch to a Regular User
 To switch to regular users using the su command in Linux, use the
following syntax:
 su <options> <username>
 2. Switch to the Root User
 root user account for some administrative tasks. To switch to the root
user or the Super User in Linux, use the su command like:
 su -

Operating System Concepts – 9th Edition 14.11 Silberschatz, Galvin and Gagne ©2013
  The sudo command stands for “Super User Do”. This command is
generally used to execute various commands as a root or super
user.
 sudo -u test1 /bin/bash
 Once you execute the above command, you will be prompted for the
root user’s password. Type the root password and hit enter. The
prompt will now show the switched username.

Operating System Concepts – 9th Edition 14.12 Silberschatz, Galvin and Gagne ©2013
 Domain Implementation (MULTICS)
 In MULTICS protection domains are organized hierarchically into a ring
structure.Each ring corresponds to a single domain.
 Rings are numbered 0 to 7, Let Di and Dj be any two domain rings
 If j < I  Di  Dj

Operating System Concepts – 9th Edition 14.13 Silberschatz, Galvin and Gagne ©2013
 Multics Benefits and Limits

If only two rings exists,this scheme is similar to monitor mode-

user mode.
In monitor mode, the CPU can use all instructions and access
all areas of memory. In user mode, the CPU is restricted to
unprivileged instructions and a specified area of memory.
Multics protection system is generally more complex and less
efficient than those used in current operating system.

Operating System Concepts – 9th Edition 14.14 Silberschatz, Galvin and Gagne ©2013
 Access Matrix
 Protection model can be viewed abstractly as a matrix
(access matrix)
 Rows represent domains
 Columns represent objects
 Access(i, j) is the set of operations that a process
executing in Domaini can invoke on Objectj

Operating System Concepts – 9th Edition 14.15 Silberschatz, Galvin and Gagne ©2013
 Use of Access Matrix
 If a process in Domain Di tries to do “op” on object Oj, then
“op” must be in the access matrix
 User who creates object can define access column for that
object
 Access matrix provides an mechanisms for defining and
implementing strict control for both static and dynamic
association between processes and domains.
 Each entry in the access matrix can be modified individually ,
each entry in access matrix is an object to be protected.
 We consider only the operations possible on these new
objects and decide how we want processes to be able to
execute these operations.

Operating System Concepts – 9th Edition 14.16 Silberschatz, Galvin and Gagne ©2013
 Use of Access Matrix (Cont.)
 Access matrix design separates mechanism from policy
 Mechanism
 Operating system provides access-matrix + rules
 If ensures that the matrix is only manipulated by
authorized agents and that rules are strictly enforced
 Policy
 User dictates policy
 Who can access what object and in what mode

Operating System Concepts – 9th Edition 14.17 Silberschatz, Galvin and Gagne ©2013
 Access Matrix of Figure A with Domains as Objects
Processes should be able to switch from one domain to
another.Switching is allowed if and only if access right switch belongs
to access(i,j)

Operating System Concepts – 9th Edition 14.18 Silberschatz, Galvin and Gagne ©2013
  Allowing dynamic process and domains association 3 additional
operations are required in Access matrix entries.
copy,owner and control
Ability to copy access right from one domain to another is denoted
by(*)appended to access right.
Copy right allows the access right to be copied only within the
column(i.e for the object)
A process running in domain d2 can copy read operation into any entry
associated with f2.
This scheme has two variants:
1.Transfer of right rather than copy .A right is copied from acess(I,j) to
access(k,j) original is removed access(I,j).
2.Propogation of the copy right may be limited.

Operating System Concepts – 9th Edition 14.19 Silberschatz, Galvin and Gagne ©2013
 Access Matrix with Copy Rights

Operating System Concepts – 9th Edition 14.20 Silberschatz, Galvin and Gagne ©2013
 Access Matrix With Owner Rights
 We also need mechanisms to addition of new rights and removal of
some rights.
 The owner right controls these operations.
 Access(i,j) includes ownner right,then a process executing in
domain Di can add or remove any right in any entry in column j.
 Example:
 domain D1 owner of F1 and thus can add or remove any right in
column F1.
 Thus access matrix of figure (a) can be modified to access matrix in
fig(b)

Operating System Concepts – 9th Edition 14.21 Silberschatz, Galvin and Gagne ©2013
 Access Matrix With Owner Rights

Operating System Concepts – 9th Edition 14.22 Silberschatz, Galvin and Gagne ©2013
 Access matrix with control right
 Mechanism is needed to change entries in the row.
 Control right is applicable only to domain objects.
 If access(i,j) includes control right,then a process executing in
domain Di can remove any access right from row j.
 For example: We include control right in access(d2,d4),then process
running in d2 could modify domain d4

Operating System Concepts – 9th Edition 14.23 Silberschatz, Galvin and Gagne ©2013
 Modified Access Matrix of Figure A
with Domains as Objects

Operating System Concepts – 9th Edition 14.24 Silberschatz, Galvin and Gagne ©2013
 Implementation of Access Matrix
 How access matrix can be implemented effectively?
 Generally, access matrix will be sparse matrix most of the entries will
be empty, several methods of implementing access matrix.
 Option 1 – Global table
 Store ordered triples <domain, object, rights-set> in table
 A requested operation M on object Oj within domain Di -> search
table for < Di, Oj, Rk >
 with M ∈ Rk
Drawbacks:
 But table is usually large -> won’t fit in main memory
 Difficult to group objects (consider an object that all domains can
read)or domains.
 Ex:If every one can read a particular object,that object must have a
separate entry in every domain.

Operating System Concepts – 9th Edition 14.25 Silberschatz, Galvin and Gagne ©2013
 Implementation of Access Matrix (Cont.)
 Option 2 – Access lists for objects
 Each column in an access matrix is implemented as an access list for
one object.
 Obviously empty entries can be discardd.
 Resulting per-object list consists of ordered pairs <domain,
rights-set> defining all domains with non-empty set of access
rights for the object
 This approach can be extended easily to define a list plus a default set
-> set of access rights.
 When an operation M on an object Oj is attempted in domain Di, we
search the access list for Oj looking for entry <Di , Rk>
 If M ∈ Rk access is allowed; If it is not , If M ∈ default set, we allow
the access.Otherwise , access id denied and an exception condition
occurs.
 For efficiency we check default list first and then search the access
list.

Operating System Concepts – 9th Edition 14.26 Silberschatz, Galvin and Gagne ©2013
 Implementation of Access Matrix (Cont.)

 Each column = Access-control list for one object

Defines who can perform what operation
Domain 1 = Read, Write
Domain 2 = Read
Domain 3 = Read

 Each Row = Capability List (like a key)

For each domain, what operations allowed on what objects
Object F1 – Read
Object F4 – Read, Write, Execute
Object F5 – Read, Write, Delete, Copy

Operating System Concepts – 9th Edition 14.27 Silberschatz, Galvin and Gagne ©2013
 Implementation of Access Matrix (Cont.)

 Option 3 – Capability list for domains

 Instead of object-based, list is domain based
 Capability list for domain is list of objects together with operations allows
on them
 Object represented by its name or address, called a capability
 Execute operation M on object Oj, process requests operation and specifies
capability as parameter
 Possession of capability means access is allowed
 Capability list associated with domain but it is never directly accessible to
a process executing in that domain.
 Rather, protected object, maintained by OS and accessed indirectly
 Like a “secure pointer”

Operating System Concepts – 9th Edition 14.28 Silberschatz, Galvin and Gagne ©2013
 3.Capability Lists for Domains(cont..)
 To Provide inherent protection we must distinguish capabilities from other
types of objects . They are distinguished from other data in one of the two
ways.
 1.Each object has a tag to denote whether it is a capability or accessible
data .Tags themselves must not be directly accessible by an application
program . Hardware or firmware support may be used to enforce this
restriction.
 2.Alternatively the address space associated with a program can be split into
two parts . One part is accessible to the program and contains program’s
normal data and instructions . The other part containing capability list , is
accessible only by the operating system.
 Several capability- based protection systems have been developed;
 Examples : Hydra, Cambridge CAP System

Operating System Concepts – 9th Edition 14.29 Silberschatz, Galvin and Gagne ©2013
 Implementation of Access Matrix (Cont.)
 Option 4 – Lock-key Mechanism
 Compromise between access lists and capability lists
 Each object has list of unique bit patterns, called locks
 Each domain as list of unique bit patterns called keys
 Process in a domain can access object only if that
domain has key that matches one of the locks of the
object.
 As with capability lists , the list of keys for a domain
must be managed by the operating system on behalf of
the domain . Users are not allowed to examine or
modify the list of keys directly.

Operating System Concepts – 9th Edition 14.30 Silberschatz, Galvin and Gagne ©2013
 Comparison of Implementations

 Many trade-offs to consider

 Global table is simple, but can be large and cannot take advantage
of special groupings of objects or domains.
 Access lists correspond directly to the needs of users, when user
creates an object he can specify which domains can access the
object as well as what operations are allowed , but information for a
particular domain is not localized, determining set of access rights
for each domain is difficult.
 Every access to an object must be checked, requiring search of
access list . In a large system with long access lists , this search can
be time consuming.
 Capability lists do not correspond directly to the needs of users, but
they are useful for localizing information for a given process.
 The process attempting access must present capability for that
access . Then the protection system needs to verify that capability is
valid.But revocation capabilities can be inefficient.
 Lock-key effective and flexible, keys can be passed freely from
domain to domain, easy revocation
Operating System Concepts – 9th Edition 14.31 Silberschatz, Galvin and Gagne ©2013
 Comparison of Implementations (Cont.)
 Most systems use combination of access lists and
capabilities
 First access to an object -> access list searched
 If allowed, capability created and attached to
process , Additional accesses need not be checked.
 If access is denied, an exception condition occurs.
 After last access, capability destroyed
This strategy is used in MULTICS system and in the
CAL system.

Operating System Concepts – 9th Edition 14.32 Silberschatz, Galvin and Gagne ©2013
 Access Control
 Each file and directory is assigned an owner, a group a list of users,
for each of those entities access-control information is assigned.
 Solaris 10 advances the protection available in the operating system
by explicitly adding the principle of least privilege via Role-based
Access control(RBAC).
 A Privilege is the right to execute a system call(opening a file with
write access)

Operating System Concepts – 9th Edition 14.33 Silberschatz, Galvin and Gagne ©2013
 Access Control
 Oracle Solaris 10 provides role-
based access control (RBAC) to
implement least privilege
 Privilege is right to execute
system call or use an option
within a system call
 Can be assigned to processes ,
limiting them to exactly the
access they need to perform a
task.
 Privileges and programs can also
be assigned to roles.
 Users assigned roles granting
access to privileges and
programs

Operating System Concepts – 9th Edition 14.34 Silberschatz, Galvin and Gagne ©2013
 Access Control(cont..)
 Users are assigned roles or can take roles based on passwords to
the roles.
 User taking a role can use the privileges and programs
assigned to that role.
In this way, a user can take a role that enables a privilege ,
allowing user to run a program to accomplish a specific task.

Operating System Concepts – 9th Edition 14.35 Silberschatz, Galvin and Gagne ©2013
 Revocation of Access Rights
 In dynamic protection system, we may sometimes need to revoke
access rights to objects shared by different users.
 Various options to remove the access right of a domain to an object
 Immediate vs. delayed-Does revocation occur immediately or
delayed? if it is delayed when will it occur?
 Selective vs. general-When an access right to an object is
revoked , does it affect all the users who have access right to
that object, or can we specify a selected group of users whose
access rights should be revoked?
 Partial vs. total-Can a subset of rights associated with an
object be revoked or we must revoke all access rights for this
objects.
 Temporary vs. permanent-Can access be revoked
permanently , or can access be revoked and later be obtained
again?

Operating System Concepts – 9th Edition 14.36 Silberschatz, Galvin and Gagne ©2013
 Access list revocation

With Access List scheme revocation is easy–

Search access list any access rights to be revoked, they are deleted from the
list.Simple – search access list and remove entry
Revocation can be Immediate, general or selective, total or partial,
permanent or temporary
Capabilities lists , present much more revocation problem ,since
capabilities are distributed throughout the system ,we must find them
before we revoke them.

Operating System Concepts – 9th Edition 14.37 Silberschatz, Galvin and Gagne ©2013
 Revocation of Access Rights (Cont.)
 Capability List – Scheme required to locate capability in the system
before capability can be revoked
 Schemes that implement revocation for capabilities
 Reacquisition – periodically capabilities are deleted from
domains, a process who wants to use a capability may find that
capability has been deleted . The process may then try to
reacquire the capability .If the access is revoked the process will
not be able to reacquire capability.
 Back-pointers – A list of pointers is maintained for each object ,
pointing to all capabilities of that object .When revocation is
required ,follow these pointers change the capabilities as
necessary . This scheme was adopted in MULTICS system.
 Indirection –Capabilities point indirectly ,not directly to objects.
capability points to global table entry which points to object – We
implement revocation by searching global table for desired entry
delete entry from global table,This scheme was adopted in (CAL)

Operating System Concepts – 9th Edition 14.38 Silberschatz, Galvin and Gagne ©2013
  Keys – unique bits associated with capability, generated when
capability created , it can neither be modified nor inspected by the
process that owns the capability.
 Master key associated with object , it can be defined or replaced by
set-key .
 When a capability is created ,the current value of the master key is
associated with the capability.
 When capability is exercised its key value is compared with master
key if it matches access is allowed or exception condition is raised.
 Revocation –replaces the master key with a new value via set-key
operation , invalidating all previous capabilities for that object.

Operating System Concepts – 9th Edition 14.39 Silberschatz, Galvin and Gagne ©2013
 Capability-Based Systems
 Hydra
 Fixed set of access rights known to and interpreted by the system
 i.e. read, write, or execute each memory segment
 User can declare other auxiliary rights and register those with
protection system
 Accessing process must hold capability and know name of
operation
 Rights amplification allowed by trustworthy procedures for a
specific type
 Interpretation of user-defined rights performed solely by user's
program; system provides access protection for use of these rights
 Operations on objects defined procedurally – procedures are
objects accessed indirectly by capabilities
 Solves the problem of mutually suspicious subsystems
 Includes library of prewritten security routines

Operating System Concepts – 9th Edition 14.40 Silberschatz, Galvin and Gagne ©2013
 Capability-Based Systems (Cont.)

 Cambridge CAP System

 Simpler but powerful
 Data capability - provides standard read, write, execute
of individual storage segments associated with object –
implemented in microcode
 Software capability -interpretation left to the
subsystem, through its protected procedures
 Only has access to its own subsystem
 Programmers must learn principles and techniques
of protection

Operating System Concepts – 9th Edition 14.41 Silberschatz, Galvin and Gagne ©2013
 Language-Based Protection
 Specification of protection in a programming language
allows the high-level description of policies for the
allocation and use of resources
 Language implementation can provide software for
protection enforcement when automatic hardware-
supported checking is unavailable
 Interpret protection specifications to generate calls on
whatever protection system is provided by the hardware
and the operating system

Operating System Concepts – 9th Edition 14.42 Silberschatz, Galvin and Gagne ©2013
 Protection in Java 2
 Protection is handled by the Java Virtual Machine (JVM)
 A class is assigned a protection domain when it is loaded by
the JVM
 The protection domain indicates what operations the class
can (and cannot) perform
 If a library method is invoked that performs a privileged
operation, the stack is inspected to ensure the operation can
be performed by the library
 Generally, Java’s load-time and run-time checks enforce type
safety
 Classes effectively encapsulate and protect data and
methods from other classes

Operating System Concepts – 9th Edition 14.43 Silberschatz, Galvin and Gagne ©2013
 Stack Inspection

Operating System Concepts – 9th Edition 14.44 Silberschatz, Galvin and Gagne ©2013