Outline for 3/2/98
Last time: Disk scheduling, layout, RAID
Administrative:
Objective: Protection, Control of access to files.
Protection Overview
Authentication - determining that a user really is who they claim to be
Authorization - determining what each process (acting on behalf of a user) is allowed (or forbidden) to do.
Enforcement - mechanism to ensure that access is checked and not bypassed.
Authentication
Something only the real user should know
- Passwords (by far the most common)
- Challenge / Response
  e.g. User knows the formula 3x - 12
  For this login, the system provides x = 42
  User should respond 3*42 - 12 = 114 (a different x next time, so a replayed answer is useless)
Something only the real user should have
- Badge, card
- Physical characteristics - retinal scan, fingerprints
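The challenge/response exchange above, as an added example that is not part of the lecture outline. It implements the outline's toy formula 3x - 12 and then shows why a real system uses a keyed MAC over a fresh random challenge instead: any formula of the form a*x - b is recovered by an eavesdropper after two observed exchanges, while HMAC-SHA256 (a standard construction assumed here, not something the outline specifies) does not leak the key and makes replayed responses fail. All keys and challenge values are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Toy scheme from the outline: the user's secret is the formula 3x - 12.
SECRET_A, SECRET_B = 3, 12

def toy_response(x):
    """What the user is expected to answer for challenge x."""
    return SECRET_A * x - SECRET_B

def toy_verify(x, response):
    return response == toy_response(x)

def recover_linear_secret(x1, r1, x2, r2):
    """An eavesdropper who sees two exchanges of any formula a*x - b
    solves the two equations for (a, b): the secret is gone after two logins."""
    a = (r2 - r1) // (x2 - x1)
    return a, a * x1 - r1

# Keyed-hash version (HMAC-SHA256; assumption for this example, not the lecture's):
# the challenge is a fresh random nonce and the response is a MAC over it,
# so observed (challenge, response) pairs do not reveal the shared key.
def make_challenge():
    return secrets.token_bytes(16)

def mac_response(key, challenge):
    return hmac.new(key, challenge, hashlib.sha256).digest()

def mac_verify(key, challenge, response):
    # constant-time compare so timing does not reveal how many bytes matched
    return hmac.compare_digest(mac_response(key, challenge), response)

def login(server_key, client_key):
    """One round: server issues a challenge, client answers, server checks.
    The server must never reuse a challenge, or a captured answer replays."""
    challenge = make_challenge()
    return mac_verify(server_key, challenge, mac_response(client_key, challenge))
```

Two observed toy exchanges, (42, 114) and (50, 138), are enough to recover (3, 12); with the MAC version a response captured for one challenge is rejected for the next one.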
Representation of Authorization
Access Control Model
Objects - to which access may be restricted
Subjects - active entities attempting access
Operations -> Rights: privileges to perform specified operations on an object
Access Control Matrix: one row per subject, one column per object; the entry holds the rights that subject has on that object
Two Representations
ACL - Access Control Lists
- Columns of previous matrix
- Permissions attached to objects
- ACL for file hotgossip: Terry, rw; Lynn, rw
Capabilities
- Rows of previous matrix
- Permissions associated with subject
- Tickets, namespace (what it is that one can name)
- Capabilities held by Lynn: luvltr, rw; hotgossip, rw
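The two representations of the matrix above, as an added example that is not from the lecture. It builds the outline's sample matrix (Terry and Lynn, hotgossip and luvltr, constructed here as a Python dict), derives the ACL view (columns, stored with each object) and the capability view (rows, held by each subject), shows that both answer the same access question, and shows what "revoke all access to an object" costs in each: one list edit under ACLs versus a scan of every subject's tickets under capabilities. Function names are this example's own.

```python
from collections import defaultdict

# Constructed sample matrix from the outline: subject -> object -> rights.
MATRIX = {
    "Terry": {"hotgossip": {"r", "w"}},
    "Lynn":  {"hotgossip": {"r", "w"}, "luvltr": {"r", "w"}},
}

def to_acls(matrix):
    """ACL view: one column per object, attached to the object.
    Returns {object: {subject: rights}}."""
    acls = defaultdict(dict)
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acls[obj][subject] = set(rights)
    return dict(acls)

def to_capabilities(matrix):
    """Capability view: one row per subject, held by the subject.
    Returns {subject: {object: rights}}."""
    return {s: {o: set(r) for o, r in row.items()} for s, row in matrix.items()}

def acl_allows(acls, subject, obj, right):
    """Check at the object: look the requester up in this object's list."""
    return right in acls.get(obj, {}).get(subject, set())

def cap_allows(caps, subject, obj, right):
    """Check at the subject: does it hold a ticket naming obj with this right?"""
    return right in caps.get(subject, {}).get(obj, set())

def namespace(caps, subject):
    """With capabilities a subject can only name objects it holds tickets for."""
    return set(caps.get(subject, {}))

def views_agree(matrix):
    """Both representations must give the same answer for every cell."""
    acls, caps = to_acls(matrix), to_capabilities(matrix)
    subjects, objects = set(matrix), {o for row in matrix.values() for o in row}
    return all(acl_allows(acls, s, o, r) == cap_allows(caps, s, o, r)
               for s in subjects for o in objects for r in ("r", "w"))

def acl_revoke_all(acls, obj):
    """Revoking every access to an object under ACLs touches one list."""
    acls.pop(obj, None)

def cap_revoke_all(caps, obj):
    """Under capabilities the same revocation must visit every subject's
    ticket list (in a real system: every process holding a ticket).
    Returns the number of tickets removed."""
    removed = 0
    for tickets in caps.values():
        if tickets.pop(obj, None) is not None:
            removed += 1
    return removed
```

The asymmetry in the last two functions is the point of the "How to revoke privileges?" question below: ACLs make revocation by object cheap, capabilities make it cheap to answer "what can this subject name" but expensive to pull a ticket back from everyone who holds a copy.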
Dynamics of Protection Schemes
How to revoke privileges?
What about adding new subjects or new objects?
How to dynamically change the set of objects accessible (or vulnerable) to different processes run by the same user?
Need-to-know principle / Principle of minimal privilege
Protection Domains
Processes execute in a protection domain, initially inherited from subject
Goal: to be able to change protection domains
Introduce a level of indirection
Domains become protected objects with operations defined on them.
Trojan Horse
Untrusted program (say, downloaded off the net) which you let in (to your protection domain) but which then unleashes bad accesses upon your stuff.
Want to run it in a much more restricted protection domain than the user's default domain, to limit the damage it can do.
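The protection-domain idea and the Trojan horse scenario above, as an added example that is not from the lecture. Domains are themselves objects in the matrix with an "enter" right defined on them (the level of indirection), so a domain switch is an access-checked operation like any other. The same untrusted code is run once in the user's default domain and once after entering a restricted domain; the domain names, rights and file contents are constructed for the example.

```python
# Constructed example: two protection domains.  "user" is the user's default
# domain; "sandbox" is a restricted domain the user may enter but not leave.
DOMAIN_RIGHTS = {
    "user":    {"hotgossip": {"r", "w"}, "luvltr": {"r", "w"},
                "scratch": {"r", "w"}, "sandbox": {"enter"}},
    "sandbox": {"scratch": {"r", "w"}},   # no luvltr, no hotgossip, no way back
}

def fresh_files():
    """Constructed file contents, recreated for each run."""
    return {"hotgossip": "who said what", "luvltr": "dear diary", "scratch": ""}

class Process:
    """A process executes in exactly one domain at a time.  Every access,
    including a domain switch, goes through check(), the single access point."""
    def __init__(self, domain, files):
        self.domain, self.files = domain, files

    def check(self, obj, right):
        if right not in DOMAIN_RIGHTS[self.domain].get(obj, set()):
            raise PermissionError(f"domain {self.domain!r} lacks {right!r} on {obj!r}")

    def read(self, name):
        self.check(name, "r")
        return self.files[name]

    def write(self, name, data):
        self.check(name, "w")
        self.files[name] = data

    def enter(self, domain):
        self.check(domain, "enter")
        self.domain = domain

def trojan(proc):
    """Untrusted code: does its advertised job, then misuses whatever rights
    the domain it was let into happens to hold."""
    proc.write("scratch", "advertised result")
    stolen = proc.read("luvltr")
    proc.write("hotgossip", "overwritten")
    return stolen

def run_untrusted(code, restricted):
    """Run code in the user's default domain, or enter the sandbox first.
    Returns (outcome, files) so the damage, if any, can be inspected."""
    files = fresh_files()
    proc = Process("user", files)
    if restricted:
        proc.enter("sandbox")
    try:
        code(proc)
        outcome = "completed"
    except PermissionError as e:
        outcome = f"blocked: {e}"
    return outcome, files
```

Run in the default domain the Trojan reads luvltr and overwrites hotgossip; run after entering the sandbox it still produces its advertised output in scratch, but the first bad access fails and hotgossip is untouched. That is the need-to-know principle applied: the restricted domain holds only the rights the job needs.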
Enforcement Mechanisms
User/System modes to restrict instructions that can be executed.
Forces access to resources to go through a system call - only the OS can really touch resources and the data structures representing them.
No back doors that circumvent well-defined access points