Modern Operating Systems by Herbert Bos and Andrew S. Tanenbaum, 4th Ed. (Modern_Operating_Systems_by_Herbert_Bos_and_Andrew_S._Tanenbaum_4th_Ed.pdf), PDF pages 633-634 of 1137
602 SECURITY CHAP. 9
An important part of the TCB is the reference monitor, as shown in Fig. 9-2. The reference monitor accepts all system calls involving security, such as opening files, and decides whether they should be processed or not. The reference monitor thus allows all the security decisions to be put in one place, with no possibility of bypassing it. Most operating systems are not designed this way, which is part of the reason they are so insecure.
Figure 9-2. A reference monitor. [Figure: a user process in user space issues system calls; all of them go through the reference monitor for security checking before reaching the operating system kernel. The reference monitor and the kernel together form the trusted computing base in kernel space.]
One of the goals of some current security research is to reduce the trusted computing base from millions of lines of code to merely tens of thousands of lines of code. In Fig. 1-26 we saw the structure of the MINIX 3 operating system, which is a POSIX-conformant system but with a radically different structure than Linux or FreeBSD. With MINIX 3, only about 10,000 lines of code run in the kernel. Everything else runs as a set of user processes. Some of these, like the file system and the process manager, are part of the trusted computing base since they can easily compromise system security. But other parts, such as the printer driver and the audio driver, are not part of the trusted computing base, and no matter what is wrong with them (even if they are taken over by a virus), there is nothing they can do to compromise system security. By reducing the trusted computing base by two orders of magnitude, systems like MINIX 3 can potentially offer much higher security than conventional designs.
9.3 CONTROLLING ACCESS TO RESOURCES

Security is easier to achieve if there is a clear model of what is to be protected and who is allowed to do what. Quite a bit of work has been done in this area, so we can only scratch the surface in this brief treatment. We will focus on a few general models and the mechanisms for enforcing them.
9.3.1 Protection Domains
A computer system contains many resources, or ‘‘objects,’’ that need to be protected. These objects can be hardware (e.g., CPUs, memory pages, disk drives, or printers) or software (e.g., processes, files, databases, or semaphores).

Each object has a unique name by which it is referenced, and a finite set of operations that processes are allowed to carry out on it. The read and write operations are appropriate to a file; up and down make sense on a semaphore.
It is obvious that a way is needed to prohibit processes from accessing objects that they are not authorized to access. Furthermore, this mechanism must also make it possible to restrict processes to a subset of the legal operations when that is needed. For example, process A may be entitled to read, but not write, file F.
In order to discuss different protection mechanisms, it is useful to introduce the concept of a domain. A domain is a set of (object, rights) pairs. Each pair specifies an object and some subset of the operations that can be performed on it. A right in this context means permission to perform one of the operations. Often a domain corresponds to a single user, telling what the user can do and not do, but a domain can also be more general than just one user. For example, the members of a programming team working on some project might all belong to the same domain so that they can all access the project files.
How objects are allocated to domains depends on the specifics of who needs to know what. One basic concept, however, is the POLA (Principle of Least Authority) or need to know. In general, security works best when each domain has the minimum objects and privileges to do its work, and no more.
Figure 9-3 shows three domains, showing the objects in each domain and the rights (Read, Write, eXecute) available on each object. Note that Printer1 is in two domains at the same time, with the same rights in each. File1 is also in two domains, with different rights in each one.
Figure 9-3. Three protection domains.
Domain 1: File1[R], File2[RW]
Domain 2: File1[RW], File4[RWX], File5[RW], Printer1[W]
Domain 3: Printer1[W], File6[RWX], Plotter2[W]
(Printer1[W] lies on the boundary of Domain 2 and Domain 3 and belongs to both.)
At every instant of time, each process runs in some protection domain. In other words, there is some collection of objects it can access, and for each object it has some set of rights. Processes can also switch from domain to domain during execution. The rules for domain switching are highly system dependent.
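The following is an added example, not code from the book, that ties the reference monitor of Fig. 9-2 to the protection domains of Sec. 9.3.1. A domain is represented literally as a set of (object, rights) pairs, populated with the contents of Fig. 9-3, and a Process object has no handle on any object: the only route to an object is ReferenceMonitor.check(), so the decision cannot be bypassed and every decision lands in one audit list. Since the book says domain-switching rules are system dependent, the switching policy here (SWITCH_RULES, under which Domain 1 may enter Domain 2 and nothing else) is an assumption made for this example, and the excess_rights() helper is an added POLA check, not anything the text prescribes.

```python
"""Protection domains enforced by a reference monitor.

Added example, not code from the book.  A domain is a set of
(object, rights) pairs (Sec. 9.3.1) and every operation a process
attempts goes through one ReferenceMonitor.check() call, the choke
point of Fig. 9-2.  Domain contents are those of Fig. 9-3.  The
switching policy in SWITCH_RULES is an assumption for this example.
"""

# Rights are single letters as in Fig. 9-3: R = read, W = write, X = execute.
DOMAINS = {
    "Domain 1": {"File1": set("R"), "File2": set("RW")},
    "Domain 2": {"File1": set("RW"), "File4": set("RWX"),
                 "File5": set("RW"), "Printer1": set("W")},
    "Domain 3": {"Printer1": set("W"), "File6": set("RWX"),
                 "Plotter2": set("W")},
}

# Hypothetical switching policy (assumption): Domain 1 may enter Domain 2 only.
SWITCH_RULES = {"Domain 1": {"Domain 2"}, "Domain 2": set(), "Domain 3": set()}


class AccessDenied(PermissionError):
    """Raised when the reference monitor refuses an operation."""


class ReferenceMonitor:
    """The one place where security decisions are made.

    Every access and every domain switch is decided here and recorded in
    `audit`, so the decisions can be reviewed after the fact.
    """

    def __init__(self, domains, switch_rules):
        self._domains = domains
        self._switch_rules = switch_rules
        self.audit = []  # (domain, object, right, allowed) tuples

    def rights(self, domain, obj):
        """Rights `domain` holds on `obj`; empty set if the pair is absent."""
        return set(self._domains.get(domain, {}).get(obj, set()))

    def check(self, domain, obj, right):
        """Default deny: allow only if (obj, right) is present in the domain."""
        allowed = right in self.rights(domain, obj)
        self.audit.append((domain, obj, right, allowed))
        return allowed

    def may_switch(self, from_domain, to_domain):
        """Domain switching is mediated too, not decided by the process."""
        allowed = to_domain in self._switch_rules.get(from_domain, set())
        self.audit.append((from_domain, to_domain, "switch", allowed))
        return allowed


class Process:
    """A process runs in exactly one domain at any instant."""

    def __init__(self, name, domain, monitor):
        self.name = name
        self.domain = domain
        self._monitor = monitor

    def access(self, obj, right):
        """The only way a process reaches an object: through the monitor."""
        if not self._monitor.check(self.domain, obj, right):
            raise AccessDenied(f"{self.name} in {self.domain}: no {right} on {obj}")
        return f"{self.name} did {right} on {obj}"

    def switch_to(self, new_domain):
        if not self._monitor.may_switch(self.domain, new_domain):
            raise AccessDenied(f"{self.name}: cannot switch {self.domain} -> {new_domain}")
        self.domain = new_domain


def excess_rights(domains, domain, needed):
    """POLA check: rights `domain` holds beyond what its task `needed`.

    `needed` maps object -> rights the task actually uses.  A non-empty
    result means the domain is over-privileged and should be trimmed.
    """
    excess = {}
    for obj, held in domains.get(domain, {}).items():
        extra = set(held) - needed.get(obj, set())
        if extra:
            excess[obj] = extra
    return excess


if __name__ == "__main__":
    rm = ReferenceMonitor(DOMAINS, SWITCH_RULES)
    p = Process("A", "Domain 1", rm)
    print(p.access("File1", "R"))      # allowed: File1[R] is in Domain 1
    try:
        p.access("File1", "W")         # denied: Domain 1 holds File1 read-only
    except AccessDenied as e:
        print("denied:", e)
    p.switch_to("Domain 2")            # permitted by the assumed SWITCH_RULES
    print(p.access("File1", "W"))      # now allowed: File1[RW] is in Domain 2
    print(excess_rights(DOMAINS, "Domain 2", {"File1": {"R"}}))
    for entry in rm.audit:
        print(entry)
```

Note the design choice: rights() copies the set before returning it, so a caller can never mutate the policy through the monitor, and check() is default-deny, which is what makes an unknown domain or an unlisted object harmless.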