CS-550 (M.Soneru): Protection and Security - 2 [SaS] 1 Protection and Security - 2.
Slide 2: (2) The Access Control List Method
- Each object 'o' is assigned a list of pairs (s, P[s,o]), one for every subject 's' that can access the object.
- The access list for an object corresponds to the access rights contained in the column for object 'o' in the access matrix.
- Example (access control list of one object):
    Smith: read, write, execute
    Jones: read
    Lee: write

Slide 3: (2) The Access Control List Method (cont.)
Operation: subject 's' requests access α to object 'o'
- Search the access control list of 'o' for an entry (s, ρ)
- If the entry exists, check whether α ∈ ρ
- If yes, allow the access; otherwise an exception is raised
Advantages of access control lists
- Easy revocation of a subject's access rights to an object: remove the subject's entry from the object's access control list
- Easy review of the access rights of all subjects to a given object: read the object's list
- Note: it is, however, difficult to determine, for a given subject, which objects it has access to: every object's list has to be scanned

Slide 4: Issues with Access Control Lists
Efficiency of execution
- The access control list needs to be searched for every access to an object!
- Option: use shadow capability registers
  - On the first access by a subject, copy the access rights from the access control list into a shadow register held with the subject
  - The access rights in the shadow register act as a capability
  - Subsequent accesses by this subject use the shadow register
  - Potential drawback: revocation of access rights becomes more difficult. Removing access rights from the access control list is not sufficient; some access rights remain in shadow registers until those are invalidated as well

Slide 5: Issues with Access Control Lists (cont.)
Efficiency of storage
- The list can be very large, containing the access rights of all subjects that can access this object
- Note: the aggregate storage requirement is about the same as for capabilities
- Option: use protection groups
  - Subjects (users) are divided into protection groups
  - The access control list contains the names of groups and their access rights
  - Operation: the subject presents its protection group and the requested access
  - Issue: all subjects in a protection group have the same access rights to the object
Authority to change an access control list
- Issue: who can modify an access control list?
- Options:
  - Self control: the owner process (e.g., the creator of the object) can modify the list
  - Hierarchical control:
    - When the object is created, the owner process specifies which other processes can modify its access control list
    - Processes are organized in a hierarchy: a process can change the access control lists of all processes below it in the hierarchy
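The lookup, the review asymmetry (slide 3) and the shadow-register revocation problem (slide 4), as an added example that is not part of the slides. The ACL contents, the object names and the helper names (acl_check, ShadowRegisterSystem, ...) are all constructed for this example:

```python
# Added example (not from the CS-550 slides): an access control list per
# object, the lookup from slide 3, the "review" operations, and a shadow
# capability register cache that shows why revoking at the ACL alone is
# not enough. All names and data here are constructed for the example.

from collections import defaultdict

# ACL: object -> {subject: set of rights}, i.e. one column of the access
# matrix per object. Sample data constructed for the example.
ACL = {
    "payroll.txt": {"Smith": {"read", "write", "execute"},
                    "Jones": {"read"},
                    "Lee": {"write"}},
    "notes.txt": {"Lee": {"read"}},
}

def acl_check(acl, subject, obj, right):
    """Slide 3: search the ACL of obj for (subject, rho); allow iff right in rho."""
    rho = acl.get(obj, {}).get(subject)
    return rho is not None and right in rho

def subjects_of(acl, obj):
    """Easy review: who can access obj? One dictionary lookup."""
    return dict(acl.get(obj, {}))

def objects_of(acl, subject):
    """Hard review: what can subject access? Every object's list is scanned."""
    return {o for o, column in acl.items() if subject in column}

class ShadowRegisterSystem:
    """ACL plus a per-subject shadow register filled on first access."""
    def __init__(self, acl):
        self.acl = {o: {s: set(r) for s, r in col.items()} for o, col in acl.items()}
        self.shadow = defaultdict(dict)   # subject -> {obj: cached rights}

    def access(self, subject, obj, right):
        rights = self.shadow[subject].get(obj)
        if rights is None:                # first access: copy ACL entry
            rights = set(self.acl.get(obj, {}).get(subject, set()))
            self.shadow[subject][obj] = rights
        return right in rights            # later accesses never touch the ACL

    def revoke_acl_only(self, subject, obj):
        """Naive revocation: the ACL entry goes, the shadow register stays."""
        self.acl.get(obj, {}).pop(subject, None)

    def revoke(self, subject, obj):
        """Correct revocation: ACL entry and the cached copy."""
        self.revoke_acl_only(subject, obj)
        self.shadow[subject].pop(obj, None)

def demo():
    system = ShadowRegisterSystem(ACL)
    before = system.access("Jones", "payroll.txt", "read")   # True, fills the cache
    system.revoke_acl_only("Jones", "payroll.txt")
    stale = system.access("Jones", "payroll.txt", "read")    # still True: stale cache
    system.revoke("Jones", "payroll.txt")
    after = system.access("Jones", "payroll.txt", "read")    # False
    return before, stale, after
```

The stale result in the middle of demo() is the drawback the slide describes: once rights have been copied into a shadow register, revocation must reach every copy, which is the same bookkeeping problem that capability systems have.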

Slide 6: Examples of Systems using Access Control Lists
Multics
- Access control lists control access to files
- Principle of least privilege
Unix
- The access control list has three entries: owner, group, and other
- Access rights: read, write, execute

Slide 7: (3) The Lock-Key Method
Principles
- Hybrid of the capability-based method and the access control list method
- Every subject has a capability list made of tuples (o, k): the subject can access object 'o' using key 'k'
- Every object has an access control list made of tuples (l, ρ), called lock entries: any subject that can open lock 'l' can access the object with an access right contained in ρ
Operation
- Subject 's' makes a request for access α to object 'o'
- The system locates the tuple (o, k) in the capability list of the subject
- If present, search the access control list of object 'o' for an entry (l, ρ) where k = l, and obtain ρ
- Access is allowed if α ∈ ρ

Slide 8: (3) The Lock-Key Method (cont.)
Advantages:
- Easy revocation of access rights: to revoke the access rights of a subject to an object, delete the lock entry corresponding to the key of the subject
- Capability-based addressing can be used
Disadvantages:
- The access control list must be searched for every access
Example
- The IBM/360 storage keys protection method is similar to the lock-key method
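The lock-key operation and its revocation, as an added example that is not part of the slides. Keys are minted here as random hex strings and the class and method names (LockKeySystem, grant, check, revoke) are this example's own; the data is constructed:

```python
# Added example (not from the CS-550 slides): the lock-key method.
# Each subject holds a capability list of (object, key) tuples; each object
# holds lock entries (lock, rights). Access alpha is allowed iff the subject's
# key for the object equals a lock whose rights contain alpha.
# Names and sample data are constructed for this example.

import secrets

class LockKeySystem:
    def __init__(self):
        self.caps = {}    # subject -> {obj: key}        (capability lists)
        self.locks = {}   # obj -> {lock: set(rights)}   (lock entries)

    def grant(self, subject, obj, rights):
        """Mint a fresh key, install it as a lock on obj, hand the key to subject."""
        key = secrets.token_hex(8)
        self.locks.setdefault(obj, {})[key] = set(rights)
        self.caps.setdefault(subject, {})[obj] = key
        return key

    def share_key(self, from_subject, to_subject, obj):
        """Two subjects holding the same key open the same lock (one entry)."""
        key = self.caps.get(from_subject, {}).get(obj)
        if key is not None:
            self.caps.setdefault(to_subject, {})[obj] = key

    def check(self, subject, obj, alpha):
        key = self.caps.get(subject, {}).get(obj)    # locate (o, k) in the capability list
        if key is None:
            return False
        rho = self.locks.get(obj, {}).get(key)       # search lock entries for l == k
        return rho is not None and alpha in rho      # allowed iff alpha in rho

    def revoke(self, subject, obj):
        """Delete the lock entry matching the subject's key; the key is now useless."""
        key = self.caps.get(subject, {}).get(obj)
        if key is not None:
            self.locks.get(obj, {}).pop(key, None)

def demo():
    s = LockKeySystem()
    s.grant("alice", "db", {"read", "write"})
    s.grant("bob", "db", {"read"})
    s.share_key("bob", "carol", "db")       # carol and bob share one lock entry
    r1 = (s.check("alice", "db", "write"), s.check("bob", "db", "write"))
    s.revoke("alice", "db")                 # alice keeps her key; the lock is gone
    r2 = (s.check("alice", "db", "read"), s.check("bob", "db", "read"))
    s.revoke("bob", "db")                   # removes the shared lock: carol loses access too
    r3 = (s.check("bob", "db", "read"), s.check("carol", "db", "read"))
    return r1, r2, r3
```

Revocation never touches the subject's capability list, which is the point of the method: the subject may keep its key forever, but with the lock entry deleted the key opens nothing. The flip side, shown by carol, is that revocation is per lock, not per subject, when keys are shared.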

Slide 9: Access Matrix Model: Changing The Protection State
The access matrix is itself a protected object
Commands for changing the protection state
- A set of commands 'C' for changing the protection state is defined in terms of the following primitive operations:
    enter r into P[s, o]
    delete r from P[s, o]
    create subject s
    create object o
    destroy subject s
    destroy object o
- Primitive operations define the changes to be made to the access matrix P
- Example: the primitive operation "delete r from P[s, o]" deletes access right r from position P[s, o] in the access matrix, i.e., access right r of subject s to object o is withdrawn

Slide 10: Access Matrix Model: Changing The Protection State (cont.)
Before the operation is performed (e.g., the delete in the previous example), a verification should be made that the process has the right to perform this operation on the access matrix.
Command syntax:
    command <name>(<parameters>)
        if <condition> then <body>
    end.
Command execution
- All checks in the <condition> part are evaluated. The <condition> part consists of checks of the form 'r in P[s, o]'
- If all checks pass, the primitive operations in <body> are executed; otherwise the command is rejected

Slide 11: Access Matrix Model: Changing The Protection State (cont.)
All accesses are validated by a mechanism called a reference monitor: the reference monitor rejects any access not allowed by the access matrix.
Each object has an owner
- If 's' is the owner of 'o', then own ∈ P[s, o]
- The owner of an object can give (confer) a right to the object to another subject
Example: command to create a file and assign the 'own' and 'read' rights to it
    command create-read(process, file)
        create object file
        enter own into P[process, file]
        enter read into P[process, file]
    end.

Slide 12: Access Matrix Model: Changing The Protection State (cont.)
Example: command by which the owner of a file gives 'write' access rights to another process
    command confer-write(owner, process, file)
        if own ∈ P[owner, file] then
            enter write into P[process, file]
    end.
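The access matrix as a protected object, the six primitive operations and the two commands of slides 11 and 12, with a reference monitor that evaluates the condition part before any primitive runs. This is an added example, not code from the slides; the class and function names are this example's own and the subjects and objects are constructed:

```python
# Added example (not from the CS-550 slides): access matrix P, the six
# primitive operations (which change P unconditionally), and commands whose
# 'r in P[s,o]' conditions are checked by a reference monitor first.
# Names (AccessMatrix, run, create_read, confer_write) are this example's own.

class AccessMatrix:
    def __init__(self):
        self.subjects = set()
        self.objects = set()
        self.P = {}   # (s, o) -> set of rights

    # ---- primitive operations: no checks, they just edit P -----------------
    def enter(self, r, s, o):
        self.P.setdefault((s, o), set()).add(r)

    def delete(self, r, s, o):
        self.P.get((s, o), set()).discard(r)

    def create_subject(self, s):
        self.subjects.add(s)
        self.objects.add(s)          # every subject is also an object

    def create_object(self, o):
        self.objects.add(o)

    def destroy_subject(self, s):
        self.subjects.discard(s)
        self.destroy_object(s)

    def destroy_object(self, o):
        self.objects.discard(o)      # drop the row and the column of o
        for key in [k for k in self.P if o in k]:
            del self.P[key]

    # ---- reference monitor -------------------------------------------------
    def has(self, r, s, o):
        """Validate one access: is r in P[s, o]?"""
        return r in self.P.get((s, o), set())

    def run(self, conditions, body):
        """Execute a command: every (r, s, o) condition must hold, else reject
        the whole command without touching P."""
        if not all(self.has(r, s, o) for (r, s, o) in conditions):
            return False
        for op, *args in body:
            getattr(self, op)(*args)
        return True

# The two commands from the slides, as (conditions, body) pairs.
def create_read(M, process, file):
    return M.run(conditions=[],
                 body=[("create_object", file),
                       ("enter", "own", process, file),
                       ("enter", "read", process, file)])

def confer_write(M, owner, process, file):
    return M.run(conditions=[("own", owner, file)],
                 body=[("enter", "write", process, file)])

def demo():
    M = AccessMatrix()
    for p in ("p1", "p2", "p3"):
        M.create_subject(p)
    create_read(M, "p1", "f")
    ok = confer_write(M, "p1", "p2", "f")        # p1 owns f: allowed
    rejected = confer_write(M, "p2", "p3", "f")  # p2 does not own f: rejected
    return ok, rejected, M.has("write", "p2", "f"), M.has("write", "p3", "f")
```

The separation matters: primitives never check anything, so the only place authority is enforced is run(). If a command's body could be executed without going through the monitor, the ownership condition in confer-write would be decorative.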

Slide 13: Advanced Models of Protection: The Take-Grant Model
Principles:
- Uses directed graphs to model access control
- The protection state of the system is represented by a directed graph
- More efficient than a (sparsely populated) access matrix
Model:
- Graph nodes: subjects and objects
- An edge from node 'x' to node 'y' indicates that subject 'x' has an access right to the object 'y'; the edge is tagged with the corresponding access rights
- Access rights
  - Read (r), write (w), execute (e)
  - Special access rights for propagating access rights to other nodes:
    - Take: if node 'x' has the access right take to node 'y', then subject 'x' can take any access right that 'y' has to another node, obtaining that right for itself
    - Grant: if node 'x' has the access right grant to node 'y', then the entity represented by node 'y' can be granted (by 'x') any of the access rights that node 'x' has

Slide 14: The Take-Grant Model (cont.)
Example: take operation
- Node 'x' has take access to node 'y'
- Node 'y' has read and write access to node 'z'
- Node 'x' can take the access right read from 'y' and have this access right for object 'z': a directed edge labeled 'r' is added from node 'x' to node 'z'
[Figure: the graph before the take (x --t--> y, y --rw--> z) and after it (the same, plus x --r--> z)]

Slide 15: The Take-Grant Model (cont.)
Example: grant operation
- Node 'x' has grant access to node 'y' and also has read and write access to node 'z'
- Node 'x' can grant read access for 'z' to node 'y': a directed edge labeled 'r' from 'y' to 'z' is added to the graph
[Figure: the graph before the grant (x --g--> y, x --rw--> z) and after it (the same, plus y --r--> z)]

Slide 16: The Take-Grant Model (cont.)
State and state transitions:
- The protection state of the system is represented by the directed graph
- The system changes state (state transition) when the directed graph changes
- The directed graph changes with the following operations
  - Take
  - Grant
  - Create: a new node is added to the graph. When node 'x' creates a new node 'y', a directed edge is added from 'x' to 'y'
  - Remove: a node deletes some of its access rights to another node
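The four take-grant transitions over an explicit graph, with the enabling edge checked before each change, as an added example that is not part of the slides. The representation (a dictionary of edge-to-rights sets), the rights letters 't' and 'g' for take and grant, and the node names are this example's own:

```python
# Added example (not from the CS-550 slides): a take-grant protection graph.
# Edges are {(src, dst): set of rights}; 't' and 'g' are the take and grant
# rights. Each transition checks the enabling edge before mutating the graph
# and reports whether it happened. Names are this example's own.

class TakeGrantGraph:
    def __init__(self):
        self.nodes = set()
        self.edges = {}   # (x, y) -> rights, e.g. {"r", "w", "t"}

    def rights(self, x, y):
        return self.edges.get((x, y), set())

    def add_edge(self, x, y, rights):
        self.nodes.update((x, y))
        self.edges.setdefault((x, y), set()).update(rights)

    def take(self, x, y, z, alpha):
        """x --t--> y and y --alpha--> z  ==>  x --alpha--> z."""
        if "t" not in self.rights(x, y) or not alpha <= self.rights(y, z):
            return False
        self.add_edge(x, z, alpha)
        return True

    def grant(self, x, y, z, alpha):
        """x --g--> y and x --alpha--> z  ==>  y --alpha--> z."""
        if "g" not in self.rights(x, y) or not alpha <= self.rights(x, z):
            return False
        self.add_edge(y, z, alpha)
        return True

    def create(self, x, y, rights):
        """x creates a fresh node y and receives edge x --rights--> y."""
        if x not in self.nodes or y in self.nodes:
            return False
        self.add_edge(x, y, rights)
        return True

    def remove(self, x, y, alpha):
        """x drops the rights alpha from its own edge to y."""
        if (x, y) not in self.edges:
            return False
        self.edges[(x, y)] -= alpha
        if not self.edges[(x, y)]:
            del self.edges[(x, y)]
        return True

def demo():
    G = TakeGrantGraph()
    G.add_edge("x", "y", {"t"})
    G.add_edge("y", "z", {"r", "w"})
    took = G.take("x", "y", "z", {"r"})        # slide 14: x gains r on z
    G.add_edge("x", "u", {"g"})
    granted = G.grant("x", "u", "z", {"r"})    # slide 15 with u in y's role
    denied = G.grant("y", "u", "z", {"w"})     # y holds no grant edge to u
    created = G.create("x", "v", {"r", "w"})
    G.remove("x", "z", {"r"})
    return (took, granted, denied, created,
            G.rights("x", "z"), G.rights("u", "z"), G.rights("x", "v"))
```

Only the subject at the tail of a take or grant edge can drive the transition, and only rights that already exist somewhere in the graph can move; the model cannot manufacture a right out of nothing, which is what makes reachability questions about it decidable.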

Slide 17: Bell-LaPadula Model
Used to control information flow
Model components
- Subjects, objects, and an access matrix
- Several ordered security levels
  - Each subject has a (maximum) clearance and a current clearance level
  - Each object has a classification (i.e., belongs to a security level)
- Subjects can have the following access rights to objects
  - Read-only
  - Append: the subject can only write the object (no read permitted)
  - Execute: no read or write
  - Read-write: both read and write are permitted
- The subject that creates an object has the control attribute for that object and is the controller of the object
  - The controller can pass any of the four access rights to the controlled object to another subject

Slide 18: Bell-LaPadula Model (cont.)
Restrictions on information flow and access control (the "read down" and "write up" properties):
1. The simple security property
   - A subject cannot have read access to an object whose classification is higher than the clearance level of the subject
2. The *-property (star property), stated relative to the subject's current clearance level
   - A subject has append (i.e., write-only) access only to objects whose classification (i.e., security level) is higher than or equal to the current clearance level of the subject
   - A subject has read access only to objects whose classification is lower than or equal to the current clearance level of the subject
   - A subject has read-write access only to objects whose classification is equal to the current clearance level of the subject
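The two properties as a single decision function over the four access modes of slide 17, as an added example that is not part of the slides. The level names and their order, the Subject class and the sample subjects are constructed for this example:

```python
# Added example (not from the CS-550 slides): Bell-LaPadula access decision.
# Levels form a total order; each subject has a maximum clearance and a
# current level (current <= maximum); each object has a classification.
# The simple security property is checked against the maximum clearance,
# the *-property against the current level. Names and data are constructed.

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}

class Subject:
    def __init__(self, name, max_clearance, current):
        if LEVELS[current] > LEVELS[max_clearance]:
            raise ValueError("current level may not exceed the clearance")
        self.name, self.max, self.current = name, max_clearance, current

def blp_allows(subject, obj_class, mode):
    """mode is one of 'read', 'append', 'execute', 'read-write'."""
    smax, cur, oc = LEVELS[subject.max], LEVELS[subject.current], LEVELS[obj_class]
    if mode == "execute":
        return True                      # neither reads nor writes: no flow
    # simple security property: never read above the (maximum) clearance
    if mode in ("read", "read-write") and oc > smax:
        return False
    # *-property, relative to the current level
    if mode == "read":
        return oc <= cur                 # read down
    if mode == "append":
        return oc >= cur                 # write up
    if mode == "read-write":
        return oc == cur                 # only at the current level
    raise ValueError("unknown mode: %r" % mode)

def demo():
    analyst = Subject("analyst", max_clearance="top-secret", current="secret")
    clerk = Subject("clerk", max_clearance="secret", current="secret")
    return (
        blp_allows(analyst, "confidential", "read"),      # read down: allowed
        blp_allows(analyst, "top-secret", "read"),        # above current level: *-property denies
        blp_allows(clerk, "top-secret", "read"),          # above clearance: simple security denies
        blp_allows(analyst, "top-secret", "append"),      # write up: allowed
        blp_allows(analyst, "confidential", "append"),    # write down: denied (would leak)
        blp_allows(analyst, "secret", "read-write"),      # same level: allowed
        blp_allows(analyst, "top-secret", "read-write"),  # not the current level: denied
        blp_allows(analyst, "top-secret", "execute"),     # execute carries no information
    )
```

The analyst case shows why the model tracks a current level separately from the clearance: a top-secret-cleared subject working at secret may append to top-secret objects but may not read them until it raises its current level, at which point it loses the ability to write down to secret.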

Slide 19: Bell-LaPadula Model (cont.)
[Figure: the ordered security levels, from Level 1 (lowest) up through Level i-1, Level i, Level i+1 to Level n (highest)]

Slide 20: Case Studies: Unix
Subjects:
- Each user is identified by a 'userid'
- A user may belong to a group identified by a 'groupid'
- 'Userid' and 'groupid' are part of the process descriptor of the process running on behalf of the user and are used to verify access rights
Protected objects: files and directories
- Each file has a unique owner (the user who created the file)
- Each file has two access fields
  - 'userid' field: the file owner
  - 'groupid' field: the 'groupid' of the group to which the file belongs

Slide 21: Case Studies: Unix (cont.)
Protection mechanism for files: an access control list with protection groups, for access efficiency
- Protection groups: owner, group, others
- Access rights for each group: read, write, execute
  - Three fields of three bits each are associated with each file
  - Only the owner of the file and the superuser can change these bits (the 'chmod' command)
Protection domain
- Associated with each user
- At login, the user starts in a protection domain defining its access rights
- The domain can be changed with the 'su' (substitute user) command; "set userid" is properly the name of the setuid mechanism, under which executing a setuid program changes the effective userid of the process
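The Unix mode check as an added example that is not part of the slides: three protection groups of three bits each, with exactly one class applying to a given process, and the superuser exception for chmod. The function names and the sample file attributes are constructed; the mode layout is the standard octal one:

```python
# Added example (not from the CS-550 slides): the Unix file permission check
# as an ACL with three protection groups (owner, group, others), three bits
# each. Exactly one class applies: owner if the process uid matches the
# file's uid, else group if the gid matches, else others. The superuser
# bypasses read/write checks; for execute it still needs some x bit set,
# which is the Linux rule. Names and sample data are constructed.

import stat

RIGHT_BITS = {"r": 0o4, "w": 0o2, "x": 0o1}

def applicable_class(uid, gid, file_uid, file_gid):
    if uid == file_uid:
        return "owner"
    if gid == file_gid:
        return "group"
    return "others"

def class_bits(mode, cls):
    """The three bits of one protection group, as an integer 0..7."""
    shift = {"owner": 6, "group": 3, "others": 0}[cls]
    return (mode >> shift) & 0o7

def unix_allows(uid, gid, file_uid, file_gid, mode, want):
    """want: a string over 'r','w','x'; all requested bits must be set in the
    single applicable class."""
    if uid == 0:
        any_x = mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
        return "x" not in want or bool(any_x)
    bits = class_bits(mode, applicable_class(uid, gid, file_uid, file_gid))
    need = 0
    for c in want:
        need |= RIGHT_BITS[c]
    return bits & need == need

def can_chmod(uid, file_uid):
    """Only the owner and the superuser may change the mode bits."""
    return uid == 0 or uid == file_uid

def demo():
    f = dict(file_uid=1000, file_gid=100)
    return (
        unix_allows(1000, 100, mode=0o640, want="rw", **f),  # owner class: rw
        unix_allows(1001, 100, mode=0o640, want="r", **f),   # group class: r
        unix_allows(1001, 100, mode=0o640, want="w", **f),   # group class has no w
        unix_allows(1002, 200, mode=0o640, want="r", **f),   # others: nothing
        unix_allows(1000, 100, mode=0o066, want="r", **f),   # owner class applies even though it denies
        unix_allows(0, 0, mode=0o640, want="w", **f),        # superuser
        unix_allows(0, 0, mode=0o640, want="x", **f),        # superuser, but no x bit anywhere
        can_chmod(1001, 1000),
    )
```

The fifth case is the practitioner's caveat: the classes are not unioned. A mode of 066 denies the owner while granting everyone else, because the owner's class is selected first and is the only one consulted.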

Slide 22: The Hydra Kernel
Kernel of a multiprocessor OS (Carnegie-Mellon University)
- Provides mechanisms on which a large array of OSs can be built
- Supports capability-based protection
An object (the abstraction of a resource) is the unit of protection
A procedure is the abstraction of an operation on an object
The protection mechanism controls the invocation of procedures on instances of objects (i.e., resources)
Objects
- Each object has: a name, a type, and a representation
  - Representation
    - Data part: can be accessed by programs holding the right capability
    - Capability part: capabilities for other objects; can be changed only by the kernel

Slide 23: The Hydra Kernel (cont.)
Protection:
- Elements: objects (abstractions of resources) and capabilities (references to objects)
- Operation:
  - The process/user supplies a capability for the object
  - The kernel validates the access rights
Access rights:
- Kernel rights: the kernel supports the basic access rights (read, write, copy)
- Auxiliary rights: user-defined object operations
  - The user defines a new object type and its associated operations
  - The kernel treats these operations as auxiliary rights for the object
  - For a user to perform these operations on the object, its capability must contain these auxiliary rights
- The kernel uses a 24-bit mask to encode access rights: kernel rights have fixed positions

Slide 24: Amoeba Distributed OS (Tanenbaum)
Object-based, client-server model
- Client processes request operations on objects by sending requests to server processes via RPCs
- Every object is managed by a server process
Capability-based protection: capability structure
- Server port: identity of the server process that manages the corresponding object
- Object number: identifies the specific object
- Rights: the access allowed
- Check: protection against unauthorized changes (cryptographic technique)
[Figure: capability layout, left to right: server port | object number | rights | check]
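How a check field can make the rights field tamper-evident, as an added example that is not part of the slides. The slide only says "cryptographic technique"; the construction below follows the published Amoeba design as described by Tanenbaum (the owner capability carries a random check value C, a restricted capability carries f(C XOR rights) for a one-way function f, and the server keeps C), and the field widths (48/24/8/48 bits), the use of truncated SHA-256 as f, and all names are this example's assumptions:

```python
# Added example (not from the CS-550 slides): an Amoeba-style capability with
# a check field. Construction assumed here, after Tanenbaum's description of
# Amoeba: an owner capability carries a random secret C as its check field;
# a restricted capability carries f(C XOR rights) for a one-way f; the
# server, which alone knows C, recomputes the expected check on every use.
# Field widths, the choice of SHA-256 for f, and all names are assumptions.

import hashlib, hmac, os
from dataclasses import dataclass

ALL_RIGHTS = 0xFF            # 8 rights bits: the owner capability has them all
READ, WRITE = 0x01, 0x02     # two of the bits (this example's assignment)

@dataclass(frozen=True)
class Capability:
    server_port: bytes   # 48 bits: which server manages the object
    obj_num: int         # 24 bits: which object at that server
    rights: int          # 8 bits: what the holder may do
    check: bytes         # 48 bits: binds the rights to the server's secret

def f(check, rights):
    """One-way function over (C XOR rights): cheap to compute, infeasible to
    invert, so a holder cannot derive C or a check for larger rights."""
    mixed = check[:-1] + bytes([check[-1] ^ rights])   # XOR rights into the low byte
    return hashlib.sha256(mixed).digest()[:6]

class Server:
    def __init__(self):
        self.port = os.urandom(6)
        self.secret = {}            # obj_num -> C; never leaves the server

    def create(self, obj_num):
        """Owner capability: all rights, check field = the random C itself."""
        C = os.urandom(6)
        self.secret[obj_num] = C
        return Capability(self.port, obj_num, ALL_RIGHTS, C)

    def verify(self, cap, want):
        """Reject a capability whose rights or check field were altered, then
        check that the requested rights are present."""
        C = self.secret.get(cap.obj_num)
        if C is None or cap.server_port != self.port:
            return False
        expected = C if cap.rights == ALL_RIGHTS else f(C, cap.rights)
        if not hmac.compare_digest(cap.check, expected):
            return False
        return (cap.rights & want) == want

    def restrict(self, cap, new_rights):
        """Server-side operation: derive a weaker capability from an owner
        capability. Restricted capabilities cannot be restricted further here."""
        if cap.rights != ALL_RIGHTS or not self.verify(cap, 0):
            return None
        if new_rights == ALL_RIGHTS:
            return cap
        return Capability(self.port, cap.obj_num, new_rights,
                          f(self.secret[cap.obj_num], new_rights))

def demo():
    srv = Server()
    owner = srv.create(7)
    ro = srv.restrict(owner, READ)
    # attacker edits the rights byte of the read-only capability to add WRITE
    forged = Capability(ro.server_port, ro.obj_num, READ | WRITE, ro.check)
    return (srv.verify(owner, WRITE),         # owner has every right
            srv.verify(ro, READ),             # restricted capability is valid
            srv.verify(ro, WRITE),            # right not present
            srv.verify(forged, WRITE),        # check no longer matches f(C XOR rights)
            srv.restrict(ro, READ) is None)   # only owner capabilities restrict here
```

The capability itself is just 128 bits that the client is free to copy and pass around, which is what makes it usable over RPC; the secret that prevents escalation stays with the server, and a forged rights byte is detected because the attacker cannot compute f for the new rights without C.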