Protected Objects and Methods of Protection
We begin by reviewing the history of protection
in operating systems. This background helps us understand what kinds of things
operating systems can protect and what methods are available for protecting
them.
A Bit of History
Once upon a time, there were
no operating systems: Users entered their programs directly into the machine in
binary by means of switches. In many cases, program entry was done by physical
manipulation of a toggle switch; in other cases, the entry was performed with a
more complex electronic method, by means of an input device such as a keyboard.
Because each user had exclusive use of the computing system, users were
required to schedule blocks of time for running the machine. These users were
responsible for loading their own libraries of support routinesassemblers,
compilers, shared subprogramsand "cleaning up" after use by removing
any sensitive code or data.
The first operating systems
were simple utilities, called executives,
designed to assist individual programmers and to smooth the transition from one
user to another. The early executives provided linkers and loaders for
relocation, easy access to compilers and assemblers, and automatic loading of
subprograms from libraries. The executives handled the tedious aspects of
programmer support, focusing on a single programmer during execution.
Operating systems took on a
much broader role (and a different name) as the notion of multiprogramming was
implemented. Realizing that two users could interleave access to the resources
of a single computing system, researchers developed concepts such as
scheduling, sharing, and parallel use. Multiprogrammed
operating systems, also known as monitors,
oversaw each program's execution. Monitors took an active role, whereas
executives were passive. That is, an executive stayed in the background,
waiting to be called into service by a requesting user. But a monitor actively
asserted control of the computing system and gave resources to the user only
when the request was consistent with general good use of the system. Similarly,
the executive waited for a request and provided service on demand; the monitor
maintained control over all resources, permitting or denying all computing and
loaning resources to users as they needed them.
Multiprogramming brought
another important change to computing. When a single person was using a system,
the only force to be protected against was the user himself or herself. A user
making an error may have felt foolish, but one user could not adversely affect
the computation of any other user. However, multiple users introduced more
complexity and risk. User A might rightly be angry if User B's programs or data
had a negative effect on A's program's execution. Thus, protecting one user's
programs and data from other users' programs became an important issue in
multiprogrammed operating systems.
Protected Objects
In fact, the rise of
multiprogramming meant that several aspects of a computing system required protection:
·
memory
·
sharable I/O devices, such as disks
·
serially reusable I/O devices, such as printers and tape drives
·
sharable programs and subprocedures
·
networks
·
sharable data
As it assumed responsibility
for controlled sharing, the operating system had to protect these objects. In
the following sections, we look at some of the mechanisms with which operating
systems have enforced these objects' protection. Many operating system
protection mechanisms have been supported by hardware. But, as noted in Sidebar 4-1, that approach is not always
possible.
Security Methods of Operating Systems
The basis of protection is
separation: keeping one user's objects separate from other users. Rushby and
Randell [RUS83] note that separation in
an operating system can occur in several ways:
Sidebar
4-1: Hardware-Enforced Protection
From the 1960s to the 1980s, vendors
produced both hardware and the software to run on it. The major mainframe
operating systemssuch as IBM's MVS, Digital Equipment's VAX, and Burroughs's
and GE's operating systems, as well as research systems such as KSOS, PSOS,
KVM, Multics, and SCOMPwere designed to run on one family of hardware. The VAX
family, for example, used a hardware design that implemented four distinct
protection levels: Two were reserved for the operating system, a third for
system utilities, and the last went to users' applications. This structure put
essentially three distinct walls around the most critical functions, including
those that implemented security. Anything that allowed the user to compromise
the wall between user state and utility state still did not give the user
access to the most sensitive protection features. A BiiN operating system from
the late 1980s offered an amazing 64,000 different levels of protection (or
separation) enforced by the hardware.
Two factors changed this situation.
First, the U.S. government sued IBM in 1969, claiming that IBM had exercised
unlawful monopolistic practices. As a consequence, during the 1970s IBM made
its hardware available to run with other vendors' operating systems (thereby
opening its specifications to competitors). This relaxation encouraged more
openness in operating system selection: Users were finally able to buy hardware
from one manufacturer and go elsewhere for some or all of the operating system.
Second, the Unix operating system, begun in the early 1970s, was designed to be
largely independent of the hardware on which it ran. A small kernel had to be
recoded for each different kind of hardware platform, but the bulk of the
operating system, running on top of that kernel, could be ported without
change.
These two situations together meant that
the operating system could no longer depend on hardware support for all its
critical functionality. So, although an operating system might still be
structured to reach several states, the underlying hardware might enforce
separation between only two of those states, with the remainder being enforced
in software.
Today
three of the most prevalent families of operating systemsthe Windows NT/2000/XP
series, Unix, and Linuxrun on many different kinds of hardware. (Only Apple's
Mac OS is strongly integrated with its hardware base.) The default expectation
is one level of hardwareenforced separation (two states). This situation means
that an attacker is only one step away from complete system compromise through
a "get_root" exploit. (See this chapter's "Where the Field Is
Headed" section to read of a recent Microsoft initiative to
reintroduce hardware-enforced separation for security-critical code and data.)
·
physical separation, in which different
processes use different physical objects, such as separate printers for output
requiring different levels of
security
·
temporal separation, in which processes having
different security requirements are executed at different times
·
logical separation, in which users operate
under the illusion that no other processes exist, as when an operating system
constrains a program's accesses so
that the program cannot access objects outside its permitted domain
·
cryptographic separation, in which processes conceal
their data and computations in such a way that they are unintelligible to outside processes
Of course, combinations of
two or more of these forms of separation are also possible.
The categories of separation
are listed roughly in increasing order of complexity to implement, and, for the
first three, in decreasing order of the security provided. However, the first
two approaches are very stringent and can lead to poor resource utilization.
Therefore, we would like to shift the burden of protection to the operating
system to allow concurrent execution of processes having different security
needs.
But separation is only half
the answer. We want to separate users and their objects, but we also want to be
able to provide sharing for some of those objects. For example, two users with
different security levels may want to invoke the same search algorithm or
function call. We would like the users to be able to share the algorithms and
functions without compromising their individual security needs. An operating
system can support separation and sharing in several ways, offering protection
at any of several levels.
Do not protect. Operating
systems with no protection are appropriate when sensitive procedures are being
run at separate times.
Isolate. When an operating system provides isolation, different processes
running concurrently are unaware of the presence of each other. Each process has its own address space, files, and other
objects. The operating system must confine each process somehow so that the
objects of the other processes are completely concealed.
Share all or share nothing.
With this form of protection, the owner of an object declares it to be public
or private. A public object is available to all users, whereas a private object
is available only to its owner.
Share via access limitation. With protection by access limitation,
the operating system checks the allowability of each user's potential access to
an object. That is, access control is implemented for a specific user and a
specific object. Lists of acceptable actions guide the operating system in
determining whether a particular user should have access to a particular
object. In some sense, the operating system acts as a guard between users and
objects, ensuring that only authorized accesses occur.
Share by capabilities. An
extension of limited access sharing, this form of protection allows dynamic
creation of sharing rights for objects. The degree of sharing can depend on the
owner or the subject, on the context of the computation, or on the object
itself.
Limit use of an object. This
form of protection limits not just the access to an object but the use made of
that object after it has been accessed. For example, a user may be allowed to
view a sensitive document, but not to print a copy of it. More powerfully, a
user may be allowed access to data in a database to derive statistical
summaries (such as average salary at a particular grade level), but not to
determine specific data values (salaries of individuals).
Again, these modes of sharing
are arranged in increasing order of difficulty to implement, but also in
increasing order of fineness of protection they provide. A given operating
system may provide different levels of protection for different objects, users,
or situations.
When we think about data, we
realize that access can be controlled at various levels: the bit, the byte, the
element or word, the field, the record, the file, or the volume. Thus, the
granularity of control concerns us. The larger the level of object controlled,
the easier it is to implement access control. However, sometimes the operating
system must allow access to more than the user needs. For example, with large
objects, a user needing access only to part of an object (such as a single
record in a file) must be given access to the entire object (the whole file).
Let us examine in more detail several different
kinds of objects and their specific kinds of protection.
Related Topics
Privacy Policy, Terms and Conditions, DMCA Policy and Compliant
Copyright © 2018-2023 BrainKart.com; All Rights Reserved. Developed by Therithal info, Chennai.