memory
sharable I/O devices
serially reusable I/O devices, such as printers and tape drives
sharable programs and subprocedures
networks
sharable data
Separation is the basis of protection, which means to keep one user's objects separate from each other users. There are four types of separation process:
Physical separation – different processes use different physical objects.
Temporal separation – processes have different security requirements executed at different times.
Logical separation – users operate under the illusion that no other processes exist, as when an OS constrains a program's accesses so that the program cannot access objects outside permitted domain.
Cryptographic separation – processes conceal their data and computations in a way that they are unintelligible to outside processes.
A security mechanism can offer different levels of protection, such as:
No protection at all
Isolation
Share all or share nothing
Share via access limitation
Share by capabilities
Limit use of an object
The main concern of multiprogramming is preventing a program from affecting data and programs in other users' memory space. Aside from using system software to do all that, protection can also be built using hardware which controls efficient use of memory. Thus, solid protection can be provided at essentially no additional cost.
Methods used for memory protection include:
fence
relocation
base/bound registers
tagged architecture
segmentation
paging
paging + segmentation
The fence is the simplest form of memory protection introduced in single-user operating systems to prevent a faulty user program from destroying part of the resident portion of the operating system. Two implementations of fence are the fixed fence which its memory address was predefined, and the fence register which uses a hardware register.
Relocation is the process of taking a program written as if it began at address 0 and changing all addresses to reflect the actual address at which the program is located in memory.
The variable fence register has the ability to relocate. This fence register has two kinds of registers namely base register which has the addresses offset from the base address in a program (the lower address limit), and the bound register is the upper address limit. With a pair of base/bound registers, a user is perfectly protected from outside users, or you should say that outside users are protected from errors in any other user's programs. However this is not quite effective because erronous addresses inside a user's address space can still affect a program. This problem is solved by adding another pair of base/bounds registers, one for instructions the second for the data space.
Due to the contiguous nature and the all-for-nothing sharing solution of base/bounds registers, the tagged architecture serves as an alternative, where in every word of machine memory has one or more access rights to that word. Operating system instructions has the privilege to set these access bits.
Another protection method is the segmentation, which involves the simple notion of dividing a program into separate parts that has logical unity – exhibits a relationship among all of its code. Segments can be separately relocated, allowing any segment to be placed in any available memoy locations. The security benefits of segmentation are:
each address reference is checkec for protection
many different classes of data items can be assigned different levels of protection
two or more users can share access to a segment, with potentially different access rights
a user cannot generate an address or access to an unpermitted segment
The paging method of protection divides programs into equal-sized "pages", and memory divided into equal-sized units called "page frames". In paging, all pages in the paging approach are of the same size, which makes fragmentation an ease, but the pages have no logical unity. A certain change to a program pushes all subsequent instructions to lower addresses andd moves a few bytes from the end of each page to the start of the next.
We see the benefits of paging and segmentation. By combining the two approaches, desirable features are utilized. This approach retains the logical unity of a segment and permitted differentiated protection for the segments, but it adds an additional layer of translation for each address. Plus, additional hardware improves the efficiency of the implementation.
In multiprogramming environments, there are a number of general objects that are necessary to be protected:
memory
a file or dataset on an auxiliary storage device
a directory of files
a hardware device
a data structure, such as a stack
a table of the operating system
instructions, especially privileged instructions
passwords and the user authentication mechanism
the protection mechanism itself
Several goals in protecting objects would be:
to check every user access to an object
to enforce least privilege, meaning that a subject should have access to the least number of objects necessary to perform tasks.
Verify acceptable usage, meaning that it is necessary to check that activities performed on objects are appropriate.
The simplest method of protecting objects is to use the file directory mechanism. With that, no user can be allowed to write in other user's file directory. Access rights for users can be set in file directories, such as allowing or restricting the read, write and execute command of users. This method is easy to implement because it uses one list per user. However the drawback of this method is that the list can become too large, eg many shared objects are accessible to all users.
Another method that can be used to protect objects is using the access control matrix, which uses a table where each row represents a subject, each column represents an object, and each entry is the set of access rights for the particular subject to the object. The example of access control matrix is shown below:
Access Control Matrix
Another protection method is using the access control list, in which there is one access control list assigned to the object.
Object1: {{A: OWR}, {B: R}, {C: R}, {D: R}}
Object2: {{A: R}, {B: OWR}, {C: R}, {E: R}}
Object3: {{A: OWR}}
Object4: {{B: OWR}, {*: WR}}
Object5: {{B: OWR}, {E: R}}
Access Control List
Basic forms of file protection mechanism are as follows:
Allnone protection which assumes that all users can be trusted
Group protection which separate all users into groups
We did see the drawbacks of the above file protection mechanisms, individual permissions can be set, such as passwords to protect individual files, shortfalls, and temporary acquired permission.
The authentication method of protection can take many forms, such as using passwords, identity badges, and the biometrics.
0 comments:
Post a Comment