
Saturday, April 23, 2022

1.6 Security and Protection

If a computer system has multiple users and allows the concurrent execution of multiple processes, then access to data must be regulated. For that purpose, mechanisms ensure that files, memory segments, CPU, and other resources can be operated on by only those processes that have gained proper authorization from the operating system. For example, memory-addressing hardware ensures that a process can execute only within its own address space. The timer ensures that no process can gain control of the CPU without eventually relinquishing control. Device-control registers are not accessible to users, so the integrity of the various peripheral devices is protected.

Protection, then, is any mechanism for controlling the access of processes or users to the resources defined by a computer system. This mechanism must provide means to specify the controls to be imposed and to enforce the controls.

Protection can improve reliability by detecting latent errors at the interfaces between component subsystems. Early detection of interface errors can often prevent contamination of a healthy subsystem by another subsystem that is malfunctioning. Furthermore, an unprotected resource cannot defend against use (or misuse) by an unauthorized or incompetent user. A protection-oriented system provides a means to distinguish between authorized and unauthorized usage, as we discuss in Chapter 17.

A system can have adequate protection but still be prone to failure and allow inappropriate access. Consider a user whose authentication information (her means of identifying herself to the system) is stolen. Her data could be copied or deleted, even though file and memory protection are working. It is the job of security to defend a system from external and internal attacks. Such attacks spread across a huge range and include viruses and worms, denial-of-service attacks (which use all of a system's resources and so keep legitimate users out of the system), identity theft, and theft of service (unauthorized use of a system). Prevention of some of these attacks is considered an operating-system function on some systems, while other systems leave it to policy or additional software. Due to the alarming rise in security incidents, operating-system security features are a fast-growing area of research and implementation. We discuss security in Chapter 16.

Protection and security require the system to be able to distinguish among all its users. Most operating systems maintain a list of user names and associated user identifiers (user IDs). In Windows parlance, this is a security ID (SID). These numerical IDs are unique, one per user. When a user logs in to the system, the authentication stage determines the appropriate user ID for the user. That user ID is associated with all of the user's processes and threads. When an ID needs to be readable by a user, it is translated back to the user name via the user name list.

In some circumstances, we wish to distinguish among sets of users rather than individual users. For example, the owner of a file on a UNIX system may be allowed to issue all operations on that file, whereas a selected set of users may be allowed only to read the file. To accomplish this, we need to define a group name and the set of users belonging to that group. Group functionality can be implemented as a system-wide list of group names and group identifiers. A user can be in one or more groups, depending on operating-system design decisions. The user's group IDs are also included in every associated process and thread.

In the course of normal system use, the user ID and group ID for a user are sufficient. However, a user sometimes needs to escalate privileges to gain extra permissions for an activity. The user may need access to a device that is restricted, for example. Operating systems provide various methods to allow privilege escalation. On UNIX, for instance, the setuid attribute on a program causes that program to run with the user ID of the owner of the file, rather than the current user's ID. The process runs with this effective UID until it turns off the extra privileges or terminates.
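The three ideas in the last paragraphs (per-user IDs, group membership, and the setuid attribute giving a process an effective UID different from its real UID) can be seen together in a small model of the UNIX owner/group/other check. The C below is an added illustration written for this page, not code from the textbook or from any real kernel: the `process_t` and `file_t` structures, the `may_access`, `exec_program` and `drop_privileges` functions, and all user, group and file values are constructed for the example. It deliberately leaves out the superuser override and other details a real kernel applies, so that the effect of the effective UID on the permission check stands out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>   /* uid_t, gid_t */

#define MAX_GROUPS 8

/* Hypothetical model of a process's credentials (constructed for this example). */
typedef struct {
    uid_t  ruid;                 /* real UID: the user who logged in */
    uid_t  euid;                 /* effective UID: the one permission checks use */
    gid_t  gid;                  /* primary group */
    gid_t  groups[MAX_GROUPS];   /* supplementary groups */
    size_t ngroups;
} process_t;

/* Hypothetical model of a file's ownership and mode bits (constructed). */
typedef struct {
    uid_t    owner;
    gid_t    group;
    unsigned mode;     /* rwx bits as in chmod, e.g. 0640 */
    bool     setuid;   /* the setuid attribute described in the text */
} file_t;

enum { PERM_READ = 4, PERM_WRITE = 2, PERM_EXEC = 1 };

/* True if the process's primary or supplementary groups include g. */
static bool in_group(const process_t *p, gid_t g) {
    if (p->gid == g) return true;
    for (size_t i = 0; i < p->ngroups; i++)
        if (p->groups[i] == g) return true;
    return false;
}

/* Owner/group/other check. Note that it consults the *effective* UID,
   which is why a setuid program can reach files its real user cannot.
   The superuser override is intentionally omitted here. */
bool may_access(const process_t *p, const file_t *f, unsigned want) {
    unsigned bits;
    if (p->euid == f->owner)         bits = (f->mode >> 6) & 7;   /* owner class */
    else if (in_group(p, f->group))  bits = (f->mode >> 3) & 7;   /* group class */
    else                             bits = f->mode & 7;          /* others */
    return (bits & want) == want;
}

/* Model of exec(): if the program carries the setuid attribute, the process
   continues with the file owner's ID as its effective UID; the real UID stays. */
bool exec_program(process_t *p, const file_t *prog) {
    if (!may_access(p, prog, PERM_EXEC)) return false;
    if (prog->setuid) p->euid = prog->owner;
    return true;
}

/* A setuid program "turning off the extra privileges": back to the real user. */
void drop_privileges(process_t *p) { p->euid = p->ruid; }

int main(void) {
    /* Constructed sample IDs: alice=1000, bob=1001 (also in group 50), carol=1002. */
    process_t bob   = { .ruid = 1001, .euid = 1001, .gid = 1001, .groups = {50}, .ngroups = 1 };
    process_t carol = { .ruid = 1002, .euid = 1002, .gid = 1002, .ngroups = 0 };
    file_t notes  = { .owner = 1000, .group = 50, .mode = 0640, .setuid = false };
    file_t secret = { .owner = 0,    .group = 0,  .mode = 0600, .setuid = false };
    file_t tool   = { .owner = 0,    .group = 0,  .mode = 0755, .setuid = true  };

    printf("bob reads notes (group 50, mode 0640): %d\n", may_access(&bob, &notes, PERM_READ));
    printf("bob writes notes:                      %d\n", may_access(&bob, &notes, PERM_WRITE));
    printf("carol reads notes (not in group 50):   %d\n", may_access(&carol, &notes, PERM_READ));
    printf("bob reads secret before setuid exec:   %d\n", may_access(&bob, &secret, PERM_READ));
    exec_program(&bob, &tool);
    printf("bob after exec: ruid=%u euid=%u\n", (unsigned)bob.ruid, (unsigned)bob.euid);
    printf("bob reads secret as setuid program:    %d\n", may_access(&bob, &secret, PERM_READ));
    drop_privileges(&bob);
    printf("bob reads secret after dropping:       %d\n", may_access(&bob, &secret, PERM_READ));
    return 0;
}
```

The two points worth noticing are that group membership, not the user's own ID, is what admits bob to alice's file, and that the permission check never looks at the real UID: once `exec_program` has set the effective UID to the file owner's, the same check that rejected bob now admits him, and `drop_privileges` reverses it. A real program with the setuid attribute is expected to hold that elevated effective UID for as short a time as it needs.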

