Chapter 14: System Protection

This document discusses system protection in computer systems. It covers the goals of protection which include ensuring each object is accessed correctly and only by allowed processes. The principles of protection, such as least privilege, are examined. Protection domains and access matrices are described as ways to specify the resources a process can access. Implementation methods for access matrices include global tables, access lists, capability lists, and lock-key systems. Language-based protection allows high-level description of resource allocation and use policies.

Uploaded by JunaidArshad

Chapter 14: System Protection

Goals of Protection

Principles of Protection

Domain of Protection

Access Matrix

Implementation of Access Matrix

Access Control

Revocation of Access Rights

Capability-Based Systems

Language-Based Protection

Objectives

Discuss the goals and principles of protection in a modern computer system

Explain how protection domains combined with an access matrix are used to specify the resources a process may access

Examine capability and language-based protection systems

Introduction

For the year 1974, one source has identified 339 cases of computer-related crime. The average loss in the 339 incidents was $544,000. This average is not distorted by a few exceptional cases: the median loss was very close to the average. Most of the incidents involved simple fraud by an employee who had access to computerized financial records. In 85% of the cases, management did not report the incident to the police, often because publicity about it would have been embarrassing.

Goals of Protection

In one protection model, a computer consists of a collection of objects, hardware or software

Each object has a unique name and can be accessed through a well-defined set of operations

Protection problem: ensure that each object is accessed correctly and only by those processes that are allowed to do so

Principles of Protection

Guiding principle: the principle of least privilege

Programs, users and systems should be given just enough privileges to perform their tasks

Limits damage if an entity has a bug or gets abused

Can be static (during life of system, during life of process) or dynamic (changed by process as needed), e.g. domain switching

Need-to-know is a similar concept regarding access to data

Domain Structure

Access-right = <object-name, rights-set>, where rights-set is a subset of all valid operations that can be performed on the object

Domain = set of access-rights

Access Matrix

View protection as a matrix (access matrix)

Rows represent domains

Columns represent objects

Access(i, j) is the set of operations that a process executing in Domain i can invoke on Object j

Figure: Access Matrix

Use of Access Matrix

Can be expanded to dynamic protection: operations to add and delete access rights

Special access rights:

owner of Oi

copy op from Oi to Oj (denoted by *)

control: Di can modify Dj access rights

transfer: switch from domain Di to Dj

Copy and owner applicable to an object

Control applicable to domain object

Figure: Access Matrix with Owner Rights

Figure: Access Matrix with Copy Rights

Figure: Access Matrix of Figure A with Domains as Objects

Figure: Modified Access Matrix of Figure B
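The dynamic rights above (copy flag *, owner, control, switch) can be exercised on a small in-memory access matrix. The code below is an added example, not from the slides or the textbook; domains D1..D3, objects F1..F3 and printer, and the initial rights are constructed for illustration. It follows the standard textbook semantics that a copy moves a right within one column (from one domain's row to another's on the same object), that owner lets a domain edit the whole column of that object, that control lets a domain edit another domain's row, and that a domain is itself an object so that switch and control live in the domain's column.

```python
# Added example (not from the slides): an access matrix with copy (*), owner,
# control and switch. All names and initial rights below are constructed.

class AccessMatrix:
    """Rows are domains, columns are objects; matrix[d][o] is Access(d, o).
    A right stored as 'read*' is the right 'read' carrying the copy flag."""

    def __init__(self):
        self.matrix = {}

    def grant(self, domain, obj, *rights):
        """Unconditionally add rights (used only to set up the initial matrix)."""
        self.matrix.setdefault(domain, {}).setdefault(obj, set()).update(rights)

    def access(self, domain, obj):
        """Access(i, j): operations a process in domain i may invoke on object j."""
        return set(self.matrix.get(domain, {}).get(obj, ()))

    def may(self, domain, obj, op):
        """True if the domain holds op, with or without the copy flag."""
        return op in {r.rstrip("*") for r in self.access(domain, obj)}

    def copy(self, src, dst, obj, op, limited=False):
        """Copy right op on obj from domain src to domain dst (same column).
        Requires src to hold op*; limited=True gives dst op without the flag."""
        if op + "*" not in self.access(src, obj):
            raise PermissionError(f"{src} holds no copyable {op} on {obj}")
        self.grant(dst, obj, op if limited else op + "*")

    def owner_add(self, owner, obj, target, op):
        """A domain holding owner on obj may add rights anywhere in obj's column."""
        if "owner" not in self.access(owner, obj):
            raise PermissionError(f"{owner} does not own {obj}")
        self.grant(target, obj, op)

    def control_remove(self, controller, target, obj, op):
        """A domain holding control on the domain object target may remove
        rights from target's row (op and op* together)."""
        if "control" not in self.access(controller, target):
            raise PermissionError(f"{controller} has no control over {target}")
        self.matrix.get(target, {}).get(obj, set()).difference_update({op, op + "*"})

    def switch(self, current, new):
        """Domain switching: allowed only if Access(current, new) contains switch."""
        if "switch" not in self.access(current, new):
            raise PermissionError(f"{current} may not switch to {new}")
        return new


def build_sample():
    """Constructed initial matrix."""
    m = AccessMatrix()
    m.grant("D1", "F1", "read")
    m.grant("D1", "F3", "read*")      # read with copy flag
    m.grant("D1", "F2", "owner")
    m.grant("D2", "printer", "print")
    m.grant("D2", "F1", "write")
    m.grant("D3", "F3", "execute")
    m.grant("D1", "D2", "switch", "control")   # domain D2 as an object in D1's row
    return m


def demo():
    """Run the dynamic operations and return the resulting state for inspection."""
    m = build_sample()
    m.copy("D1", "D3", "F3", "read", limited=True)   # D3 gains plain read on F3
    m.owner_add("D1", "F2", "D3", "write")           # owner of F2 grants D3 write
    m.control_remove("D1", "D2", "F1", "write")       # D1 controls D2: drop its write on F1
    current = m.switch("D1", "D2")                    # D1 -> D2 is permitted
    try:
        m.copy("D3", "D2", "F3", "read")              # D3 has read, not read*: denied
        copy_denied = False
    except PermissionError:
        copy_denied = True
    return {
        "D3_F3": m.access("D3", "F3"),
        "D3_F2": m.access("D3", "F2"),
        "D2_F1": m.access("D2", "F1"),
        "D3_may_read_F3": m.may("D3", "F3", "read"),
        "current": current,
        "copy_denied": copy_denied,
    }


if __name__ == "__main__":
    print(demo())
```

Storing the copy flag as a suffix on the right keeps the limited copy (op without *) distinct from the full copy (op*), which is what prevents D3 from propagating read further in the run above.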

Implementation of Access Matrix

Generally, a sparse matrix

Option 1: Global table

Store ordered triples <domain, object, rights-set> in a table

A requested operation M on object Oj within domain Di -> search table for <Di, Oj, Rk> with M ∈ Rk

But table could be large -> won't fit in main memory

Difficult to group objects (consider an object that all domains can read)

Option 2: Access lists for objects

Each column implemented as an access list for one object

Resulting per-object list consists of ordered pairs <domain, rights-set> defining all domains with a non-empty set of access rights for the object

Easily extended to contain a default set -> if M ∈ default set, also allow access

Option 3: Capability list for domains

A capability is a token, ticket, or key that gives the possessor permission to access an entity or object in a computer system

Intuitive examples: a movie ticket is a capability to watch a movie; a key is a capability to enter a house

Implementation of Access Matrix (Cont.)

Option 4: Lock-key

Compromise between access lists and capability lists

Each object has a list of unique bit patterns, called locks

Each domain has a list of unique bit patterns, called keys

A process in a domain can only access an object if the domain has a key that matches one of the locks

Comparison of Implementations

Many trade-offs to consider

Global table is simple, but can be large

Access lists correspond to needs of users, but every access to an object must be checked; many objects and access rights -> slow

Capability lists useful for localizing information for a given process, but revocation of capabilities can be inefficient

Lock-key effective and flexible, keys can be passed freely from domain to domain, easy revocation
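The four implementation options (global table, access lists with a default set, capability lists, lock-key) and the revocation trade-off in the comparison above can be seen side by side by storing one policy all four ways and asking each the same question. The code below is an added example, not from the slides or the textbook; the policy (D1..D4, F1..F3, printer), the queries, and the use of random 8-byte values as lock and key bit patterns are constructed for illustration.

```python
# Added example (not from the slides): one constructed policy stored as a global
# table, per-object access lists, per-domain capability lists, and lock-key.
import secrets

# Ordered triples <domain, object, rights-set>: the global-table view (constructed).
POLICY = [
    ("D1", "F1", {"read"}), ("D1", "F3", {"read"}),
    ("D2", "printer", {"print"}),
    ("D3", "F2", {"read"}), ("D3", "F3", {"execute"}),
    ("D4", "F1", {"read", "write"}), ("D4", "F3", {"read", "write"}),
]


class GlobalTable:
    """Option 1: search the table for <Di, Oj, Rk> with M in Rk."""
    def __init__(self, policy):
        self.table = {(d, o): set(r) for d, o, r in policy}

    def check(self, d, o, op):
        return op in self.table.get((d, o), set())


class AccessLists:
    """Option 2: each object keeps <domain, rights-set> pairs plus a default set."""
    def __init__(self, policy, default=()):
        self.acl = {}
        for d, o, r in policy:
            self.acl.setdefault(o, {})[d] = set(r)
        self.default = set(default)

    def check(self, d, o, op):
        return op in self.default or op in self.acl.get(o, {}).get(d, set())


class CapabilityLists:
    """Option 3: each domain holds its own list of <object, rights-set> capabilities."""
    def __init__(self, policy):
        self.caps = {}
        for d, o, r in policy:
            self.caps.setdefault(d, {})[o] = set(r)

    def check(self, d, o, op):
        return op in self.caps.get(d, {}).get(o, set())


class LockKey:
    """Option 4: objects carry locks, domains carry keys; access succeeds when one
    of the domain's keys matches one of the object's locks."""
    def __init__(self, policy):
        self.locks = {}   # object -> {lock pattern: rights granted by that lock}
        self.keys = {}    # domain -> set of key patterns
        for d, o, r in policy:
            lock = secrets.token_bytes(8)        # constructed unique bit pattern
            self.locks.setdefault(o, {})[lock] = set(r)
            self.keys.setdefault(d, set()).add(lock)

    def check(self, d, o, op):
        keys = self.keys.get(d, set())
        return any(op in rights for lock, rights in self.locks.get(o, {}).items()
                   if lock in keys)

    def share(self, src, dst):
        """Keys can be passed freely from domain to domain."""
        self.keys.setdefault(dst, set()).update(self.keys.get(src, set()))

    def revoke(self, d, o):
        """Revocation touches only the object: drop the lock(s) d's keys open, and
        every copy of those keys, wherever it was passed, stops working."""
        for lock in list(self.locks.get(o, {})):
            if lock in self.keys.get(d, set()):
                del self.locks[o][lock]


QUERIES = [("D1", "F1", "read"), ("D1", "F1", "write"), ("D2", "printer", "print"),
           ("D3", "F3", "read"), ("D4", "F3", "write"), ("D5", "F1", "read")]


def evaluate(impl):
    return [impl.check(*q) for q in QUERIES]


def all_agree():
    """All four representations must answer the same queries identically."""
    results = [evaluate(i) for i in (GlobalTable(POLICY), AccessLists(POLICY),
                                     CapabilityLists(POLICY), LockKey(POLICY))]
    return all(r == results[0] for r in results), results[0]


def default_set_demo():
    """Access list with a default set: an unknown domain D5 may still read F1."""
    return AccessLists(POLICY, default={"read"}).check("D5", "F1", "read")


def lockkey_revocation_demo():
    lk = LockKey(POLICY)
    lk.share("D4", "D3")                        # D3 receives copies of D4's keys
    before = lk.check("D3", "F1", "write")      # D3 now writes F1 via D4's key
    lk.revoke("D4", "F1")                       # object side only: drop that lock
    after = lk.check("D3", "F1", "write")       # the shared copy is stale as well
    return before, after


if __name__ == "__main__":
    print(all_agree(), default_set_demo(), lockkey_revocation_demo())
```

Note where revocation lives in each structure: for the access list it is one edit in the object's list, for the capability list every domain that may hold a copy has to be found, and for lock-key removing the lock invalidates every matching key at once without visiting any domain.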

Language-Based Protection

Specification of protection in a programming language allows the high-level description of policies for the allocation and use of resources

Language implementation can provide software for protection enforcement when automatic hardware-supported checking is unavailable

Interpret protection specifications to generate calls on whatever protection system is provided by the hardware and the operating system

In a compiler-based approach to protection enforcement, programmers directly specify the protection needed for different resources at the time the resources are declared
