Unit 2 Protection in General

Uploaded by

sharada mogili

Protection in General-Purpose Operating Systems

In this chapter:

 Protection features provided by general-purpose operating systems: protecting memory, files, and the execution environment
 Controlled access to objects
 User authentication

Operating systems and databases offer security challenges beyond those in more general programs; these
programs offer different access to different items by different kinds of users, so the program designers
must pay careful attention to defining access, granting access, and controlling intentional and
unintentional corruption of data and relationships.

An operating system supports multiprogramming (that is, the concurrent use of a system by more than
one user), so operating system designers have developed ways to protect one user's computation from
inadvertent or malicious interference by another user. Among those facilities provided for this purpose
are memory protection, file protection, general control of access to objects, and user authentication.

Protected Objects

The rise of multiprogramming meant that several aspects of a computing system required
protection:

 memory
 sharable I/O devices, such as disks
 serially reusable I/O devices, such as printers and tape drives
 sharable programs and subprocedures
 networks
 sharable data

Security Methods of Operating Systems

The basis of protection is separation: keeping one user's objects separate from other users.
Rushby and Randell [RUS83] note that separation in an operating system can occur in several
ways.

 Physical separation, in which different processes use different physical objects, such as
separate printers for output requiring different levels of security
 Temporal separation, in which processes having different security requirements are
executed at different times
 Logical separation, in which users operate under the illusion that no other processes
exist, as when an operating system constrains a program's accesses so that the program
cannot access objects outside its permitted domain
 Cryptographic separation, in which processes conceal their data and computations in
such a way that they are unintelligible to outside processes

There are several ways an operating system can assist, offering protection at any of several
levels.

 Do not protect. Operating systems with no protection are appropriate when sensitive
procedures are being run at separate times.
 Isolate. When an operating system provides isolation, different processes running
concurrently are unaware of the presence of each other. Each process has its own address
space, files, and other objects. The operating system must confine each process somehow,
so that the objects of the other processes are completely concealed.
 Share all or share nothing. With this form of protection, the owner of an object
declares it to be public or private. A public object is available to all users, whereas a
private object is available only to its owner.
 Share via access limitation. With protection by access limitation, the operating system
checks the allowability of each user's potential access to an object. That is, access control
is implemented for a specific user and a specific object. Lists of acceptable actions guide
the operating system in determining whether a particular user should have access to a
particular object. In some sense, the operating system acts as a guard between users and
objects, ensuring that only authorized accesses occur.
 Share by capabilities. An extension of limited access sharing, this form of protection
allows dynamic creation of sharing rights for objects. The degree of sharing can depend
on the owner or the subject, on the context of the computation, or on the object itself.
 Limit use of an object. This form of protection limits not just the access to an object
but the use made of that object after it has been accessed. For example, a user may be
allowed to view a sensitive document, but not to print a copy of it.
 Want to be able to share resources without compromising security
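
The guard described under "Share via access limitation", "Share by capabilities" and "Limit use of an object", as an added example that is not part of the original notes. The users, objects and policy are constructed, and modelling a capability as an HMAC-tagged token checked by the guard is an assumption made for illustration.

```python
import hashlib
import hmac
import os

# Constructed policy: object -> user -> actions that user may perform.
ACL = {
    "payroll.db": {"alice": {"read", "write"}, "bob": {"read"}},
    "report.doc": {"alice": {"read", "print"}, "carol": {"read"}},
}

def acl_allows(user, obj, action):
    """Guard check for one user, one object, one action; anything unlisted is denied."""
    return action in ACL.get(obj, {}).get(user, set())

_GUARD_KEY = os.urandom(32)   # held only by the guard, so tokens cannot be forged

def _tag(obj, rights):
    """Integrity tag binding an object name to an exact set of rights."""
    msg = repr((obj, sorted(rights))).encode()
    return hmac.new(_GUARD_KEY, msg, hashlib.sha256).digest()

def grant_capability(owner, obj, rights):
    """Create a sharing right at run time; it can never exceed the owner's own rights."""
    rights = frozenset(rights)
    if not rights or not all(acl_allows(owner, obj, r) for r in rights):
        raise PermissionError(f"{owner} cannot grant {sorted(rights)} on {obj}")
    return (obj, rights, _tag(obj, rights))

def capability_allows(cap, obj, action):
    """Honour a presented capability only if its tag verifies and it covers the request."""
    cap_obj, rights, tag = cap
    genuine = hmac.compare_digest(tag, _tag(cap_obj, rights))
    return genuine and cap_obj == obj and action in rights

if __name__ == "__main__":
    print(acl_allows("carol", "report.doc", "read"))    # viewing is on carol's list
    print(acl_allows("carol", "report.doc", "print"))   # printing is not: use is limited
    cap = grant_capability("alice", "report.doc", {"read"})
    print(capability_allows(cap, "report.doc", "read"))
    forged = (cap[0], frozenset({"read", "print"}), cap[2])   # rights widened by holder
    print(capability_allows(forged, "report.doc", "print"))
```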

Security Methods of Operating Systems

o Do not protect

o Isolate different processes

o Share all or nothing

o Share via access limitation (granularity)

o Share by capabilities

o Limit use of an object

Memory & Address Protection

 Fence – confines user to one side of boundary

• Use predefined memory addresses

• Can protect OS, but not one user from another

 Relocation – changes all addresses of program using offset

 Base/Bounds Registers

• Uses variable fence register (base register) to provide lower bound

• Uses bounds register for upper address

 Tagged Architecture

• Every word of machine memory has extra bits to indicate access rights (expensive)

 Segmentation (program divided into pieces)

• Each segment has name & offset

 Each address reference is checked for protection

 Different classes of data can be assigned different levels of protection

 Users can share access to segments

 User cannot access an unpermitted segment

 Paging (program uses equal sized “pages”; memory divided into equal sized page frames)
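
The per-reference check behind base/bounds registers and segmentation, simulated as an added example that is not part of the original notes. The segment tables, addresses and right bits are constructed, and the function names are hypothetical.

```python
from dataclasses import dataclass

READ, WRITE, EXEC = 1, 2, 4          # access-right bits kept per segment

class ProtectionFault(Exception):
    """Raised when a reference fails the check; the access never happens."""

@dataclass(frozen=True)
class Segment:
    base: int     # physical address where the segment starts
    length: int   # bound: valid offsets are 0 .. length - 1
    rights: int   # bitmask of READ / WRITE / EXEC

def translate(table, name, offset, access):
    """Check one <segment name, offset> reference; return the physical address."""
    seg = table.get(name)
    if seg is None:                        # segment is not in this user's table
        raise ProtectionFault(f"no segment {name!r} for this user")
    if not 0 <= offset < seg.length:       # lower and upper bound
        raise ProtectionFault(f"offset {offset:#x} outside {name!r}")
    if access & ~seg.rights:               # asks for a right the segment lacks
        raise ProtectionFault(f"access {access} not permitted on {name!r}")
    return seg.base + offset               # relocation by the base value

def base_bounds(base, bounds, address, access=READ | WRITE | EXEC):
    """Base/bounds registers are the one-region special case of the same check."""
    whole = {"program": Segment(base, bounds - base, READ | WRITE | EXEC)}
    return translate(whole, "program", address, access)

# Constructed tables: users A and B share "lib"; only A has a "data" segment.
LIB = Segment(base=0x9000, length=0x400, rights=READ | EXEC)
TABLE_A = {"code": Segment(0x1000, 0x200, READ | EXEC),
           "data": Segment(0x2000, 0x100, READ | WRITE),
           "lib": LIB}
TABLE_B = {"code": Segment(0x5000, 0x300, READ | EXEC), "lib": LIB}

def outcome(table, name, offset, access):
    """Physical address as hex text, or the fault message, for one reference."""
    try:
        return hex(translate(table, name, offset, access))
    except ProtectionFault as fault:
        return f"FAULT: {fault}"

if __name__ == "__main__":
    for args in [(TABLE_A, "data", 0x10, WRITE), (TABLE_B, "lib", 0x4, EXEC),
                 (TABLE_B, "data", 0x10, READ), (TABLE_A, "data", 0x100, READ),
                 (TABLE_A, "code", 0x0, WRITE)]:
        print(outcome(*args))
```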

Control of Access to General Objects

 Memory

 File/data set

 Program in memory

 Directory of files

 Hardware device

 Data structure (stack)

 Operating system table

 Instructions (privileged)

 Passwords / user authentication mechanism

 Protection mechanism

Goals in protecting objects

 Check every access

 Enforce least privilege

 Verify acceptable usage

File Protection Mechanisms

 All-None Protection

• Lack of trust

• All or nothing

• Timesharing issues

• Complexity

• File listings

 Group Protection

• User cannot belong to two groups

• Forces one person to be multiple users

• Forces user to be put into all groups

• Files can only be shared within groups

 Single Permissions

• Password/Token for each file

 Can be lost

 Inconvenient

 Must be protected (if changed, must notify all users)

• Temporary Acquired Permission

 UNIX’s set userid (suid)

User Authentication

 Something the user knows (password, PIN, passphrase, mother’s maiden name)

 Something the user has (ID, key, driver’s license, uniform)

 Something the user is (biometrics)

Use of Passwords

 Mutually agreed-upon code words, assumed known only to user and system

 First line of defense

 Loose-Lipped Systems

• WELCOME TO XYZ COMPUTING

• ENTER USER ID: summers

• INVALID USER NAME

• ENTER USER ID:
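
The loose-lipped dialogue above beside a login that gives the same answer for an unknown user ID and a wrong password, as an added example that is not part of the original notes. The account, password, messages other than "INVALID USER NAME", function names and PBKDF2 parameters are constructed assumptions.

```python
import hashlib
import hmac
import os

def _hash(password, salt):
    """Salted, deliberately slow password hash (iteration count is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_record(password):
    salt = os.urandom(16)
    return salt, _hash(password, salt)

# Constructed account store holding the user ID from the transcript.
USERS = {"summers": make_record("constructed-Passw0rd!")}

# Dummy record so an unknown user ID costs the same hashing work as a real one.
_DUMMY = make_record("unused")

def loose_lipped_login(user_id, password):
    """Behaviour in the transcript: the user ID is rejected on its own."""
    if user_id not in USERS:
        return "INVALID USER NAME"          # confirms which IDs do not exist
    salt, stored = USERS[user_id]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "INVALID PASSWORD"           # confirms the ID does exist
    return "LOGIN OK"

def tight_lipped_login(user_id, password):
    """Collect both values first, then give one answer for every kind of failure."""
    salt, stored = USERS.get(user_id, _DUMMY)
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if matches and user_id in USERS:        # a match on the dummy record never logs in
        return "LOGIN OK"
    return "INVALID LOGIN"

if __name__ == "__main__":
    for uid in ("summers", "nobody"):
        print(uid, "|", loose_lipped_login(uid, "guess"),
              "|", tight_lipped_login(uid, "guess"))
```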

Password Selection Criteria

 Use characters other than A-Z

 Choose long passwords

 Avoid names and words

 Choose unlikely password

 Change password regularly (don’t reuse)

 Don’t write it down

 Don’t tell anyone

 http://www.mit.edu/afs/sipb/project/doc/passwords/passwords.html

 One-time passwords
