To complete this week’s interactive assignment, you will continue building the OS Theory Concept Map by...

Given:

1) Outline the goals and principles of domain- and language-based protection in a modern computer system

2) describe how an access matrix is used to protect specific resources a process can access. (Consider using a matrix representation to illustrate concepts.)

3) Describe how security is used to protect programs, systems, and networks from threats.

Solution:

1) Goals of Protection

• Obviously to prevent malicious misuse of the system by users or programs.
• To ensure that each shared resource is used only in accordance with system policies, which may be set either by system designers or by system administrators.
• To ensure that errant programs cause the minimal amount of damage possible.
• Note that protection systems only provide the mechanisms for enforcing policies and ensuring reliable systems. It is up to administrators and users to implement those mechanisms effectively.

Principles of Protection

• The principle of least privilege dictates that programs, users, and systems be given just enough privileges to perform their tasks.
• This ensures that failures do the least amount of harm and allow the least of harm to be done.
• For example, if a program needs special privileges to perform a task, it is better to make it a SGID program with group ownership of "network" or "backup" or some other pseudo group, rather than SUID with root ownership. This limits the amount of damage that can occur if something goes wrong.
• Typically each user is given their own account, and has only enough privilege to modify their own files.
• The root account should not be used for normal day to day activities - The System Administrator should also have an ordinary account, and reserve use of the root account for only those tasks which need the root privileges

Domain of Protection

• A computer can be viewed as a collection of processes and objects ( both HW & SW ).
• The need to know principle states that a process should only have access to those objects it needs to accomplish its task, and furthermore only in the modes for which it needs access and only during the time frame when it needs access.
• The modes available for a particular object may depend upon its type.

Domain Structure

• A protection domain specifies the resources that a process may access.
• Each domain defines a set of objects and the types of operations that may be invoked on each object.
• An access right is the ability to execute an operation on an object.
• A domain is defined as a set of < object, { access right set } > pairs, as shown below. Note that some domains may be disjoint while others overlap.

• The association between a process and a domain may be static or dynamic.
  • If the association is static, then the need-to-know principle requires a way of changing the contents of the domain dynamically.
  • If the association is dynamic, then there needs to be a mechanism for domain switching.
• Domains may be realized in different fashions - as users, or as processes, or as procedures. E.g. if each user corresponds to a domain, then that domain defines the access of that user, and changing domains involves changing user ID.

Language-Based Protection

• As systems have developed, protection systems have become more powerful, and also more specific and specialized.
• To refine protection even further requires putting protection capabilities into the hands of individual programmers, so that protection policies can be implemented on the application level, i.e. to protect resources in ways that are known to the specific applications but not to the more general operating system

Compiler-Based Enforcement

• In a compiler-based approach to protection enforcement, programmers directly specify the protection needed for different resources at the time the resources are declared.
• This approach has several advantages:
  1. Protection needs are simply declared, as opposed to a complex series of procedure calls.
  2. Protection requirements can be stated independently of the support provided by a particular OS.
  3. The means of enforcement need not be provided directly by the developer.
  4. Declarative notation is natural, because access privileges are closely related to the concept of data types.
• Regardless of the means of implementation, compiler-based protection relies upon the underlying protection mechanisms provided by the underlying OS, such as the Cambridge CAP or Hydra systems.
• Even if the underlying OS does not provide advanced protection mechanisms, the compiler can still offer some protection, such as treating memory accesses differently in code versus data segments. ( E.g. code segments cant be modified, data segments can't be executed. )
• There are several areas in which compiler-based protection can be compared to kernel-enforced protection:
  • Security. Security provided by the kernel offers better protection than that provided by a compiler. The security of the compiler-based enforcement is dependent upon the integrity of the compiler itself, as well as requiring that files not be modified after they are compiled. The kernel is in a better position to protect itself from modification, as well as protecting access to specific files. Where hardware support of individual memory accesses is available, the protection is stronger still.
  • Flexibility. A kernel-based protection system is not as flexible to provide the specific protection needed by an individual programmer, though it may provide support which the programmer may make use of. Compilers are more easily changed and updated when necessary to change the protection services offered or their implementation.
  • Efficiency. The most efficient protection mechanism is one supported by hardware and microcode. Insofar as software based protection is concerned, compiler-based systems have the advantage that many checks can be made off-line, at compile time, rather that during execution.
• The concept of incorporating protection mechanisms into programming languages is in its infancy, and still remains to be fully developed. However the general goal is to provide mechanisms for three functions:
  1. Distributing capabilities safely and efficiently among customer processes. In particular a user process should only be able to access resources for which it was issued capabilities.
  2. Specifying the type of operations a process may execute on a resource, such as reading or writing.
  3. Specifying the order in which operations are performed on the resource, such as opening before reading.

2) Access Matrix

• The model of protection that we have been discussing can be viewed as an access matrix, in which columns represent different system resources and rows represent different protection domains. Entries within the matrix indicate what access that domain has to that resource.

Implementation of Access Matri

1 Global Table

• The simplest approach is one big global table with < domain, object, rights > entries.
• Unfortunately this table is very large ( even if sparse ) and so cannot be kept in memory ( without invoking virtual memory techniques. )
• There is also no good way to specify groupings - If everyone has access to some resource, then it still needs a separate entry for every domain.

2 Access Lists for Objects

• Each column of the table can be kept as a list of the access rights for that particular object, discarding blank entries.
• For efficiency a separate list of default access rights can also be kept, and checked first.

3 Capability Lists for Domains

• In a similar fashion, each row of the table can be kept as a list of the capabilities of that domain.
• Capability lists are associated with each domain, but not directly accessible by the domain or any user process.
• Capability lists are themselves protected resources, distinguished from other data in one of two ways:
  • A tag, possibly hardware implemented, distinguishing this special type of data. ( other types may be floats, pointers, booleans, etc. )
  • The address space for a program may be split into multiple segments, at least one of which is inaccessible by the program itself, and used by the operating system for maintaining the process's access right capability list.

4 A Lock-Key Mechanism

• Each resource has a list of unique bit patterns, termed locks.
• Each domain has its own list of unique bit patterns, termed keys.
• Access is granted if one of the domain's keys fits one of the resource's locks.
• Again, a process is not allowed to modify its own keys.

5 Comparison

• Each of the methods here has certain advantages or disadvantages, depending on the particular situation and task at hand.
• Many systems employ some combination of the listed methods.

3) System Security

Security of a computer system is a crucial task. It is a process of ensuring confidentiality and integrity of the OS.
A system is said to be secure if its resources are used and accessed as intended under all the circumstances, but no system can guarantee absolute security from several of the various malicious threats and unauthorized access.

Security System Goals –
Henceforth, based on the above breaches, the following security goals are aimed:

1. Integrity:
   The objects in the system mustn’t be accessed by any unauthorized user & any user not having sufficient rights should not be allowed to modify the important system files and resources.
2. Secrecy:
   The objects of the system must be accessible only to a limited number of authorized users. Not everyone should be able to view the system files.
3. Availability:
   All the resources of the system must be accessible to all the authorized users i.e only one user/process should not have the right to hog all the system resources. If such kind of situation occurs, denial of service could happen. In this kind of situation, a malware might hog the resources for itself & thus preventing the legitimate processes from accessing the system resources.

Threats can be classified into the following two categories:

1. Program Threats:
   A program written by a cracker to hijack the security or to change the behaviour of a normal process.
2. System Threats:
   These threats involve the abuse of system services. They strive to create a situation in which operating-system resources and user files are misused. They are also used as a medium to launch program threats.

Security Measures Taken –
To protect the system, Security measures can be taken at the following levels:

• Physical:
  The sites containing computer systems must be physically secured against armed and malicious intruders. The workstations must be carefully protected.
• Human:
  Only appropriate users must have the authorization to access the system. Phishing(collecting confidential information) and Dumpster Diving(collecting basic information so as to gain unauthorized access) must be avoided.
• Operating system:
  The system must protect itself from accidental or purposeful security breaches.
• Networking System:
  Almost all of the information is shared between different systems via a network. Intercepting these data could be just as harmful as breaking into a computer. Henceforth, Network should be properly secured against such attacks.