System Protection

Chapter 17

Sections 17.1 to 17.7 inclusive


Objectives

◼ Discuss the goals and principles of protection in a modern computer system

◼ Explain how protection domains combined with an access matrix are used to specify
the resources a process may access

May 1, 2025 OS: Protection 2


Chapter Outline

◼ Goals of Protection

◼ Principles of Protection

◼ Protection Rings

◼ Domain of Protection

◼ Access Matrix

◼ Implementation of Access Matrix

◼ Revocation of Access Rights

- Goals of Protection

◼ An operating system consists of a collection of objects, hardware or software.

◼ Each object has a unique name and can be accessed through a well-defined set
of operations.

◼ Protection problem - ensure that each object is accessed correctly and only by
those processes that are allowed to do so.

- Principles of Protection

◼ Guiding principle:

◼ Principle of least privilege - programs, users and systems should be given just
enough privileges to perform their tasks.

◼ Compartmentalization - the process of protecting each individual system
component using specific permissions and access restrictions.

◼ Defense in depth - multiple layers of protection should be applied one on top
of the other.

◼ Audit trail - recording all protection-oriented activities; important for
understanding what happened and why, and for catching things that should not
have happened.

◼ Used to track divergences from allowed accesses.

- Protection Rings

◼ The kernel manages access to system resources and hardware.
◼ The kernel, by definition, is a trusted and privileged component and therefore must
run with a higher level of privilege than user processes.
◼ To carry out this privilege separation, hardware support is required.
◼ Indeed, all modern hardware supports the notion of separate execution levels,
though implementations vary somewhat.
◼ A popular model of privilege separation is that of protection rings.
◼ In protection rings, execution is defined as a set of concentric rings, with ring i
providing a subset of the functionality of ring j for any j < i.
◼ The innermost ring, ring 0, thus provides the full set of privileges.

- Protection Rings

◼ Domain implementation of protection rings:
◼ Let Di and Dj be any two domain rings.
◼ If j < i ⇒ Di ⊆ Dj (the inner ring Dj holds every privilege of the outer ring Di).

- Domain of Protection …

◼ A process should be allowed to access only those objects for which it has
authorization.
◼ Furthermore, at any time, a process should be able to access only those objects
that it currently requires to complete its task.
◼ This second requirement, the need-to-know principle, is useful in limiting the
amount of damage a faulty process or an attacker can cause in the system.
◼ Rings of protection separate functions into domains and order them
hierarchically.
◼ A generalization of rings is using domains without a hierarchy.
◼ To facilitate this, a process may operate within a protection domain, which
specifies the resources that the process may access.

- Domain of Protection …

◼ A domain defines a set of objects and the types of operations that may be
invoked on each object.
◼ The ability to execute an operation on an object is an access-right
◼ Access-right = <object-name, rights-set>
where rights-set is a subset of all valid operations that can be performed on
the object.
◼ Domain = set of access-rights

- Domain of Protection …

◼ The association between a process and a domain may be either:
◼ Static - if the set of resources available to the process is fixed throughout the
process's lifetime, or
◼ Dynamic:
◼ more complicated
◼ Needs a mechanism that allows domain switching
◼ Needs a mechanism that allows the content of a domain to be changed

- Access Matrix

◼ View protection as a matrix (access matrix)
◼ Rows represent domains
◼ Columns represent objects
◼ Access(i, j) is the set of operations that a process executing in Domain i can
invoke on Object j
◼ Access matrix design separates mechanism from policy.

-- Use of Access Matrix

◼ If a process in Domain Di tries to do "op" on object Oj, then "op" must be in the
access matrix.

◼ Can be expanded to dynamic protection:
◼ domains can be treated as objects.
◼ Operations to add and delete access rights.
◼ Special access rights that enable dynamic protection:
◼ switch - transfer from domain Di to Dj
◼ control - Di can modify Dj access rights
◼ owner of Oi
◼ copy op from Oi to Oj
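The following is an added example, not code from the slides or from the textbook they draw on. It models the access matrix as rows of domains and columns of objects, treats domains as objects so that switch and control rights fit in the matrix, and implements the basic mechanism (an operation is allowed only if it appears in Access(i, j)) together with the four dynamic rights listed above. The copy right is taken to mean "a domain holding right R with a copy flag (written R*) may give R to another domain for the same object", which is an assumption made for this example; all domain and object names are constructed sample data.

```python
"""Added example: an access matrix with the dynamic rights switch, control,
owner and copy, plus the check that an op must be in Access(i, j).
Domains appear as objects too (for switch/control). Sample data is constructed."""


class AccessMatrix:
    def __init__(self, domains, objects):
        self.domains = list(domains)
        # Columns: the named objects plus every domain (for switch/control rights).
        self.objects = list(objects) + self.domains
        self.m = {d: {o: set() for o in self.objects} for d in self.domains}

    def grant(self, domain, obj, *rights):
        """Fill Access(domain, obj) directly: this is policy setup, not a checked op."""
        self.m[domain][obj].update(rights)

    def rights(self, domain, obj):
        return set(self.m[domain][obj])

    def allowed(self, domain, obj, op):
        """Mechanism: op on obj from domain is legal only if op is in Access(i, j)."""
        return op in self.m[domain][obj]

    def switch(self, current, target):
        """Domain switching needs the 'switch' right in column `target` of row `current`."""
        if not self.allowed(current, target, "switch"):
            raise PermissionError(f"{current} may not switch to {target}")
        return target

    def copy_right(self, src, obj, right, dst):
        """Copy: `src` holds `right` with a copy flag ('right*') on obj and may give
        the plain right to `dst` within the same column (same object). Assumption."""
        if not self.allowed(src, obj, right + "*"):
            raise PermissionError(f"{src} has no copy flag for {right} on {obj}")
        self.m[dst][obj].add(right)

    def owner_add(self, owner, obj, dst, right):
        """Owner: a domain holding 'owner' on obj may add rights in that column."""
        if not self.allowed(owner, obj, "owner"):
            raise PermissionError(f"{owner} is not an owner of {obj}")
        self.m[dst][obj].add(right)

    def control_remove(self, controller, target, obj, right):
        """Control: Di holding 'control' on Dj may remove rights from row Dj."""
        if not self.allowed(controller, target, "control"):
            raise PermissionError(f"{controller} does not control {target}")
        self.m[target][obj].discard(right)


def build_example():
    """Constructed sample matrix (hypothetical domains D1..D3, objects F1, F2)."""
    am = AccessMatrix(["D1", "D2", "D3"], ["F1", "F2"])
    am.grant("D1", "F1", "read", "write*")   # D1 may copy its write right on F1
    am.grant("D1", "F2", "owner")            # D1 owns F2
    am.grant("D1", "D2", "switch")           # D1 may switch to D2
    am.grant("D2", "F2", "read", "write")
    am.grant("D3", "D2", "control")          # D3 may strip rights from D2
    return am


if __name__ == "__main__":
    am = build_example()
    print(am.allowed("D2", "F1", "read"))    # False: 'read' is not in Access(D2, F1)
    print(am.switch("D1", "D2"))              # D2
    am.copy_right("D1", "F1", "write", "D3")
    print(am.allowed("D3", "F1", "write"))    # True: right copied, copy flag not
    am.owner_add("D1", "F2", "D3", "read")
    am.control_remove("D3", "D2", "F2", "write")
    print(am.rights("D2", "F2"))              # {'read'}
```

Every checked operation goes through `allowed`, so the policy lives entirely in the matrix contents and the mechanism never changes when rights are granted or revoked; that is the mechanism/policy separation the slide refers to.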

-- Access Matrix With Switch Rights

(figure: example matrix, not reproduced in this text)

-- Access Matrix With Control Rights

(figure: example matrix, not reproduced in this text)

-- Access Matrix with Copy Rights

(figure: example matrix, not reproduced in this text)

-- Access Matrix With Owner Rights

(figure: example matrix, not reproduced in this text)



- Implementation of Access Matrix …

◼ Global Table
◼ Simple, but usually too big to be kept in memory, and difficult to take advantage
of special grouping of objects or domains.
◼ Access list for objects
◼ For each object, specify who can perform what operation, e.g.:
Domain 1 = Read, Write
Domain 2 = Read
Domain 3 = Read

◼ Capability list for domains
◼ For each domain, specify what operations are allowed on what objects, e.g.:
Object 1 - Read
Object 4 - Read, Write, Execute
Object 5 - Read, Write, Delete, Copy

- Implementation of Access Matrix …

◼ Choosing a technique for implementing an access matrix involves various trade-offs.
◼ A global table
◼ Pros: simple
◼ Cons:
◼ large
◼ Cannot take advantage of special groupings of objects or domains.
◼ Access lists
◼ Pros: correspond directly to the needs of users. When a user creates an
object, he can specify which domains can access the object, as well as what
operations are allowed.
◼ Cons:
◼ access-right information for a particular domain is not localized.
◼ Every access to the object must be checked, requiring a search of the
access list.

- Implementation of Access Matrix …

◼ Choosing a technique for implementing an access matrix involves various trade-offs.

◼ Capability lists
◼ Pros:
◼ useful for localizing information for a given process
◼ Cons:
◼ do not correspond directly to the needs of users
◼ Revocation of capabilities may be inefficient
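The three implementation slides above (global table, access lists, capability lists, and their trade-offs) are illustrated by the following added example; it is not code from the slides. One small constructed access matrix is stored in all three forms, and each check routine reports how many entries it had to examine, which makes the "every access requires a search of the access list" cost and the "capability lists localize a domain's rights" benefit concrete. Names such as `SAMPLE_MATRIX`, `D1`..`D3` and `F1`..`F3` are constructed sample data.

```python
"""Added example: one constructed access matrix stored as a global table,
as access lists (one per object column) and as capability lists (one per
domain row), with a check routine for each that counts entries examined."""

# Constructed sample matrix: domain -> object -> set of rights.
SAMPLE_MATRIX = {
    "D1": {"F1": {"read"}, "F2": {"read", "write"}},
    "D2": {"F2": {"read"}, "F3": {"execute"}},
    "D3": {"F1": {"read"}, "F3": {"read", "write", "execute"}},
}


def global_table(matrix):
    """Ordered triples <domain, object, rights-set>; every non-empty cell is one entry."""
    return [(d, o, set(r)) for d, row in matrix.items() for o, r in row.items() if r]


def global_table_check(table, domain, obj, op):
    """Linear scan of the whole table; returns (allowed, entries_examined)."""
    for n, (d, o, rights) in enumerate(table, 1):
        if d == domain and o == obj:
            return op in rights, n
    return False, len(table)


def access_lists(matrix):
    """Column view: object -> list of (domain, rights) pairs, stored with the object."""
    acl = {}
    for d, row in matrix.items():
        for o, rights in row.items():
            if rights:
                acl.setdefault(o, []).append((d, set(rights)))
    return acl


def access_list_check(acl, domain, obj, op):
    """Search only the list attached to obj; returns (allowed, entries_examined)."""
    entries = acl.get(obj, [])
    for n, (d, rights) in enumerate(entries, 1):
        if d == domain:
            return op in rights, n
    return False, len(entries)


def capability_lists(matrix):
    """Row view: domain -> {object: rights}; each domain's rights are localized."""
    return {d: {o: set(r) for o, r in row.items() if r} for d, row in matrix.items()}


def capability_check(caps, domain, obj, op):
    """Direct lookup in the domain's own list; returns (allowed, entries_examined)."""
    rights = caps.get(domain, {}).get(obj)
    if rights is None:
        return False, 0
    return op in rights, 1


def domains_for_object(acl, obj):
    """The question an access list answers directly: who may touch this object?"""
    return sorted(d for d, _ in acl.get(obj, []))


def objects_for_domain(caps, domain):
    """The question a capability list answers directly: what may this domain touch?"""
    return sorted(caps.get(domain, {}))


if __name__ == "__main__":
    table = global_table(SAMPLE_MATRIX)
    acl = access_lists(SAMPLE_MATRIX)
    caps = capability_lists(SAMPLE_MATRIX)
    print(global_table_check(table, "D3", "F3", "write"))   # (True, 6)
    print(access_list_check(acl, "D3", "F3", "write"))      # (True, 2)
    print(capability_check(caps, "D3", "F3", "write"))      # (True, 1)
    print(domains_for_object(acl, "F2"), objects_for_domain(caps, "D3"))
```

The same decision comes out of all three representations; what differs is where the information sits and how much of it must be scanned, which is exactly the trade-off the slides describe.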

- Revocation of Access Rights …

◼ In a dynamic protection system, we may sometimes need to revoke access rights to
objects shared by different users.
◼ Various questions about revocation may arise:
◼ Immediate versus delayed - Does revocation occur immediately, or is it
delayed? If revocation is delayed, can we find out when it will take place?
◼ Selective versus general - When an access right to an object is revoked, does it
affect all the users who have an access right to that object, or can we specify a
select group of users whose access rights should be revoked?
◼ Partial versus total - Can a subset of the rights associated with an object be
revoked, or must we revoke all access rights for this object?
◼ Temporary versus permanent - Can access be revoked permanently or can
access be revoked and later be obtained again?

- … Revocation of Access Rights

◼ Access List - Delete access rights from the access list.
◼ Simple
◼ Immediate

◼ Capability List - A scheme is required to locate the capability in the system
before it can be revoked:
◼ Reacquisition
◼ Back-pointers
◼ Indirection
◼ Keys
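As an added example (not code from the slides), the block below puts access-list revocation next to three of the capability-list schemes just listed: back-pointers, indirection and keys. It shows the distinctions raised two slides earlier in working form: deleting from an access list is immediate and can be total or partial; back-pointers and indirection give general revocation (every outstanding copy dies at once); the key scheme can be selective (one key) or general (all locks). Reacquisition is not modelled. Class and object names (`BackPointerObject`, `IndirectTable`, `KeyedObject`, `F1`..`F4`) are constructed for this example.

```python
"""Added example: revocation by access-list deletion, and by the
back-pointer, indirection and key schemes for capability lists.
All objects, domains and keys are constructed sample data."""

import secrets
from dataclasses import dataclass


# --- Access list: revoke by deleting the domain's entry (or part of it) ---------
def revoke_from_access_list(acl, obj, domain, rights=None):
    """acl: obj -> {domain: set(rights)}. rights=None revokes everything (total);
    a set of rights revokes just those (partial). Takes effect immediately."""
    entry = acl.get(obj, {})
    if domain not in entry:
        return False
    if rights is None:
        del entry[domain]
    else:
        entry[domain] -= set(rights)
        if not entry[domain]:
            del entry[domain]
    return True


# --- Back-pointers: the object keeps a pointer to every capability it issued ----
@dataclass
class Capability:
    obj: str
    rights: set
    valid: bool = True


class BackPointerObject:
    def __init__(self, name):
        self.name = name
        self.issued = []          # back-pointers to all outstanding capabilities

    def issue(self, rights):
        cap = Capability(self.name, set(rights))
        self.issued.append(cap)
        return cap

    def revoke_all(self):
        """General revocation: follow every back-pointer and invalidate it."""
        for cap in self.issued:
            cap.valid = False
        self.issued.clear()


def bp_check(cap, obj, op):
    return cap.valid and cap.obj == obj and op in cap.rights


# --- Indirection: a capability names a slot in a global table, not the object ---
class IndirectTable:
    def __init__(self):
        self.slots = {}
        self.next_slot = 0

    def issue(self, obj, rights):
        slot = self.next_slot
        self.next_slot += 1
        self.slots[slot] = (obj, set(rights))
        return slot                # the capability is just the slot number

    def check(self, slot, obj, op):
        entry = self.slots.get(slot)
        return entry is not None and entry[0] == obj and op in entry[1]

    def revoke(self, slot):
        """Deleting the slot invalidates every copy of that capability at once."""
        self.slots.pop(slot, None)


# --- Keys: each capability carries a key; the object holds the locks it accepts --
class KeyedObject:
    def __init__(self, name):
        self.name = name
        self.locks = set()

    def issue(self, rights):
        key = secrets.token_hex(8)     # unguessable key stamped into the capability
        self.locks.add(key)
        return {"obj": self.name, "key": key, "rights": set(rights)}

    def check(self, cap, op):
        return cap["obj"] == self.name and cap["key"] in self.locks and op in cap["rights"]

    def revoke_key(self, key):
        """Selective: only capabilities carrying this key stop working."""
        self.locks.discard(key)

    def revoke_all(self):
        """General: dropping every lock invalidates all outstanding capabilities."""
        self.locks.clear()
```

Note what each scheme costs: back-pointers make the object track every capability it ever handed out, indirection adds a table lookup to every access, and keys give selective revocation only if the object issues distinct keys to distinct holders, which is why the slides call capability revocation potentially inefficient compared with an access-list deletion.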

Disclaimer

◼ Parts of the lecture slides contain original work of Abraham Silberschatz, Peter B.
Galvin, Greg Gagne, Andrew S. Tanenbaum, and Gary Nutt. The slides are intended
for the sole purpose of instruction of Operating Systems course at KFUPM. All
copyrighted materials belong to their original owner(s).
