
A sampling of protection mechanisms

The idea of protection domains originated with Multics and is a key one for understanding computer security. Imagine a matrix of all protection domains on one axis and all system resources (files) on another. The contents of each cell in the matrix are the operations permitted by a process (or thread) in that domain on that resource.

Domain    File 1    File 2    Domain 1    Domain 2
1         RW        RWX       -           Enter
2         R         -         -           -

Notice that once domains are defined, the ability to change domains becomes another part of the domain system. Processes in given domains are allowed to enter other domains. A process's initial domain is a function of the user who starts the process and the process itself.

While the pure domain model makes protection easy to understand, it is almost never implemented. Holding the domains as a matrix doesn't scale.
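The matrix in the table above can be written as a small reference monitor. This is an added example, not code from the original text; the class and method names are hypothetical. It stores only the non-empty cells, treats "Enter" as one more right checked against the matrix, and slices out one row as a per-domain capability list.

```python
class AccessMatrix:
    def __init__(self, cells):
        # cells: {(domain, object): rights}; a missing cell is "-" (no rights)
        self.cells = {key: set(rights) for key, rights in cells.items()}

    def allowed(self, domain, obj, right):
        return right in self.cells.get((domain, obj), set())

    def capability_list(self, domain):
        """One row of the matrix: every object this domain holds rights on."""
        return {obj: rights for (d, obj), rights in self.cells.items()
                if d == domain}


class Process:
    def __init__(self, matrix, initial_domain):
        self.matrix = matrix
        self.domain = initial_domain

    def access(self, obj, right):
        if not self.matrix.allowed(self.domain, obj, right):
            raise PermissionError(
                f"domain {self.domain}: {right} on {obj} denied")
        return True

    def enter(self, target):
        # Switching domains is itself an operation recorded in the matrix.
        self.access(f"Domain {target}", "Enter")
        self.domain = target


# The cells from the table; everything not listed is "-".
MATRIX = AccessMatrix({
    (1, "File 1"): {"R", "W"},
    (1, "File 2"): {"R", "W", "X"},
    (1, "Domain 2"): {"Enter"},
    (2, "File 1"): {"R"},
})
```

A process that starts in domain 1 can enter domain 2, but once there it can only read File 1 and has no cell that lets it return.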

Some domains and rings

UNIX divides processes into 2 parts, a user part and a kernel part. When running as a user the process has limited abilities, and to access hardware, it has to tap into the kernel. The kernel can access all OS and hardware, and decides what it will do on a user's behalf based on credentials stored in the PCB.

This is a simplification of the MULTICS system of protection rings. Rather than 2 levels, MULTICS had a 64 ring system where each ring was more privileged than the ones surrounding it, and checked similar credentials before using its increased powers.

Security improvements, encryption

Security improvements

Solutions: nothing works perfectly, but here are some possibilities:

  • Logging: record all important actions and uses of privilege in an indelible file. Can be used to catch imposters during their initial attempts and failures. E.g. record all attempts to specify an incorrect password, all super-user logins. Even better is to get humans involved at key steps (this is one of the solutions for EFT).
  • Principle of minimum privilege ("need-to-know" principle): each piece of the system has access to the minimum amount of information, for the minimum possible amount of time. E.g. the file system cannot touch the memory map, the memory manager cannot touch disk allocation tables. This reduces the chances of accidental or intentional damage. Note that capabilities are an implementation of this idea. It is very hard to provide fool-proof information containment: e.g. a trojan horse could write characters to a tty, or take page faults, in Morse code, as a signal to another process.
  • Correctness proofs. These are very hard to do. Even so, this only proves that the system works according to spec. It does not mean that the spec. is necessarily right, and it does not deal with Trojan Horses.
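One way to approximate the "indelible file" from the logging item is a hash-chained log, where each entry's hash covers the one before it. This is an added example, not part of the original text; the hash chain is an assumed technique, and the event names, users and ttys are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain start value (constructed)

def _digest(prev_hash, record):
    body = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()

class AuditLog:
    """Append-only log; each entry's hash covers the previous entry's hash."""
    def __init__(self):
        self.entries = []  # (record, hash) pairs

    def append(self, event, user, detail=""):
        prev = self.head()
        record = {"seq": len(self.entries), "event": event,
                  "user": user, "detail": detail}
        self.entries.append((record, _digest(prev, record)))

    def head(self):
        return self.entries[-1][1] if self.entries else GENESIS

    def verify(self):
        """Index of the first entry that fails to verify, or None if intact."""
        prev = GENESIS
        for i, (record, h) in enumerate(self.entries):
            if record["seq"] != i or _digest(prev, record) != h:
                return i
            prev = h
        return None

def repeated_failures(log, threshold=3):
    """Users with at least `threshold` bad-password events."""
    counts = {}
    for record, _ in log.entries:
        if record["event"] == "bad_password":
            counts[record["user"]] = counts.get(record["user"], 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)

def sample_log():
    """Constructed events of the kinds the text names."""
    log = AuditLog()
    for _ in range(3):
        log.append("bad_password", "alice", "tty3")
    log.append("su_login", "root", "tty1")
    log.append("bad_password", "bob", "tty2")
    return log
```

The chain makes edits and deletions in the middle of the log detectable, but truncating the tail or rewriting every later hash is only caught if the value of `head()` is also kept somewhere the logged machine cannot change.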

Encryption

Key technology: encryption. Store and transmit information in an encoded form that does not make any sense.

The basic mechanism:

  • Start with text to be protected. Initial readable text is called clear text.
  • Encrypt the clear text so that it does not make any sense at all. The nonsense text is called cipher text. The encryption is controlled by a secret password or number; this is called the encryption key.


Source:  OpenStax, Operating systems. OpenStax CNX. Aug 13, 2009 Download for free at http://cnx.org/content/col10785/1.2