What is the main goal of protection in an operating system?
To ensure that each object (hardware or software) is accessed correctly and only by allowed processes.
What is the principle of least privilege?
Programs, users, and systems should be given only the minimum privileges necessary to perform their tasks
What are static privileges?
do not change during system or process lifetime
What are dynamic privileges?
can change as needed (e.g., via domain switching)
What is compartmentalization in protection?
Limiting access to data by dividing it into compartments, so access to one doesn't imply access to all.
What is meant by rough-grained privilege management?
fewer, larger access groups (simpler)
What is meant by fine-grained privilege management?
highly specific permissions (more secure, but complex)
What is a protection ring?
A model where system components are organized in concentric rings based on privilege level (e.g., kernel in inner ring, applications in outer ring)
What hardware mechanisms support protection rings?
Gates, traps, interrupts, and secure instructions (e.g., Intel syscall, ARM TrustZone Secure Monitor Call).
ARM TrustZone?
An ARM processor feature that adds an extra ring to isolate and protect sensitive crypto operations and keys from the OS.
domain of protection
A set of objects and access rights a process can operate on; the resources a process may access at a given time
How are access rights represented in a domain?
As pairs: , specifying operations allowed on the object.
UNIX implementation of domains
Using user IDs (UIDs); domain switching occurs via setuid bit, su, or sudo commands.
How does Android use domains for protection?
Each app gets a unique UID/GID and private data directory; some GIDs allow special access (e.g., AID_INET for networking)
access matrix
A conceptual table where rows = domains, columns = objects, and cells specify permitted operations.
What operations does an access matrix control?
It determines what actions a process in a domain can perform on an object.
What are special access rights in an access matrix?
Owner, copy, control, and transfer rights allow management of access permissions and domain switching.
How does access matrix design separate policy from mechanism?
Mechanism = OS provides matrix + rules; Policy = User defines who can access what under what conditions.
What are the 4 implementation methods of an access matrix?
1) Global table
2) Access lists (per object)
3) Capability lists (per domain)
4) Lock-key system.
capability list
A list of objects and rights associated with a domain, held securely by the OS, not directly accessible.
How does the lock-key system work?
Objects have 'locks' (bit patterns); domains have 'keys'. Access is allowed if a key matches a lock.
What are the pros and cons of access matrix implementations?
Global table = simple but large
Access lists = user-friendly but slower
Capabilities = fast but difficult revocation
Lock-key = flexible, easy revocation.
What are the types of revocation of access rights?
Immediate/delayed, selective/general, partial/total, and temporary/permanent
How does revocation work for capability lists?
Using reacquisition (periodic deletion), back-pointers (track all capabilities), indirection (via a global table), or master key changes.
Role-Based Access Control (RBAC)
Assigning permissions to roles rather than users; users are granted roles (used in Oracle Solaris 10 and others)
Mandatory Access Control (MAC)
A stricter access control model where access is determined by system-enforced policies based on labels, not user discretion (e.g., SELinux, TrustedBSD)
How does MAC differ from DAC (Discretionary Access Control)?
DAC relies on users/admins to set permissions; MAC enforces security at the system level, even against root
capability-based systems
Systems like Hydra and CAP that divide root powers into capabilities (bitmaps) for fine-grained privilege control. Used today in Linux & Android (POSIX.1e capabilities)
System Integrity Protection (SIP) in macOS
A security feature in macOS 10.11+ that restricts system file access, limits kernel extension loading, and blocks debugging of protected files
sandboxing
Running a process in a restricted environment to limit what resources it can access (used by Java, .NET, macOS seatbelt, SECCOMP-BPF in Linux).
code signing
A developer cryptographically signs a program; if code is modified, the signature becomes invalid and the system refuses to run it.
language-based protection
Using programming languages to define access rules, allowing the compiler or interpreter to enforce security (e.g., type safety checks in Java).
How does Java 2 provide protection?
Classes are assigned protection domains; privileged operations inspect the stack to ensure permission; strong type safety and encapsulation.
What is the purpose of stack inspection in Java?
To check the call stack for permission to perform privileged operations when a library method is invoked