Protection, Security, and their Mechanisms in an Operating System

Introduction
In the modern era, nearly all data is stored digitally on storage devices managed by computerized systems. Files are stored on a computer's storage devices, which are space-multiplexed, that is, shared among all the users of the system. This means there is a potential for a file owned by one user to be read from or written to by a different user. Sometimes we are willing to share our information with other users of the system; at other times, a user wants information to be private. How can an operating system establish an environment in which users are confident that their information is secure and private, and is not shared with other users unless they choose to share it? That is the task of the protection and security mechanisms of the operating system. Keeping data private becomes considerably harder for the operating system once the system is connected to a network and exchanges information with other computers. It is the responsibility of the OS to keep information secure and protected both while it is being transmitted over a network and while it rests on a storage device.

The Problem
Protection and security are of ever-increasing importance in modern computer systems. As more and more information about our personal lives is encoded and saved on computers, our very identities potentially become accessible to any person who is able to obtain access to this information. In addition to personal information, the core of business and government activity lies in information stored in computers. That information must be available so that organizations can use it, yet it must not be accessible to unauthorized organizations or people. In the context of protection and security of information, the OS also ensures that the resources used by the system cannot be accessed by any unauthorized person or process.

We can think about the problem of providing protection and security using a highly simplified model. Think of any information and resources that are to be protected (e.g. your personal information or records) as "secure entities". The challenge is to protect these secure entities from unauthorized access. The goal is that the computer's security mechanisms allow access only to authorized "subjects", where a subject is any person or process, authorized or not, that requests access at run time. Unauthorized subjects must not be allowed to access a secure entity. See the figure below for this scenario.

[Figure: Security Protocol in Operating System]

The Goal
If the computer system has multiple users and allows the concurrent execution of multiple processes, then access to the data must be regulated. For this purpose, the mechanism should ensure that files, memory segments, the CPU, and other resources can be operated on only by those processes that have gained proper authorization from the operating system. Protection, then, is a mechanism for controlling the access of processes or users to the resources defined by a computer system. This mechanism must provide a means to specify the controls to be imposed and a means to enforce them.

Protection and security require the system to be able to distinguish among all its users. Most operating systems maintain a list of usernames and associated user IDs (UIDs); in Windows (e.g. Vista) the equivalent is the security ID (SID). When a user, identified by UID, wants to access data or requests an OS service, the OS first determines the rights attached to that data and acts accordingly. Whether access is permitted or denied depends on several factors, one of which is the type of access requested. Several different types of operation may be controlled:
  • Read. Read from the file
  • Write. Write or rewrite the file
  • Execute. Load the file into memory and execute it
  • Append. Write new information at the end of the file
  • Delete. Delete the file and free its space for possible reuse
  • List. List the name and attributes of the file
Other functions, such as renaming, copying, and editing the file, may also be controlled. Many protection mechanisms have been proposed; each has advantages and disadvantages and must be appropriate for its intended application.

The most common approach to the protection problem is to make access depend on the identity of the user. Different users may need different types of access to a file or directory. The most general scheme for implementing identity-dependent access is to associate an access control list (ACL) with each file and directory. To condense the length of the ACL, many systems recognize three classifications of users in connection with each file:

  • Owner. The user who created the file is the owner
  • Group. A set of users who share the file and hold some rights to it
  • Universe. All users in the system constitute the universe
For example, Jamil is a writer. He is writing a book and hires a person (named Ahmed) to review the book for grammar corrections. Jamil wants Ahmed to be able only to read and write the book's contents; Ahmed must not be able to share, delete, copy, or print the data. In this case, Jamil defines Ahmed's rights to the data and gives the details to the operating system. The writer also wants his book to be available to guests for feedback (guests have only read access, which is enough to give feedback). The figure below illustrates this scenario.

[Figure: Administrator control on system]

In this case, the OS gives a user ID to each user and defines access to data and directories for all users as specified by the system administrator or superuser. For example, the UNIX system defines three fields of three bits each, rwx, one field for each class of user, where r controls read access, w controls write access, and x controls execute access. In the case above, only the r and w bits are set for Ahmed, while only the r bit is set for the guests. Since Jamil is the superuser, all three bits r, w, and x are set for him.
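As an added example (not code from the original article), the following Python models the UNIX owner/group/universe check described above, evaluating the rwx field that applies to a requesting user; Jamil, Ahmed and the guests are constructed sample users, and their UIDs, the reviewers' GID and the 0o764 mode are assumptions chosen to match the scenario.

```python
from dataclasses import dataclass

# The three UNIX permission bits inside one 3-bit field: r=4, w=2, x=1.
BITS = {"read": 4, "write": 2, "execute": 1}
# Distance of each user class's 3-bit field from the low end of the mode word.
SHIFT = {"owner": 6, "group": 3, "universe": 0}

@dataclass(frozen=True)
class User:
    name: str
    uid: int
    gids: frozenset  # every group the user belongs to

@dataclass(frozen=True)
class FileEntry:
    owner_uid: int
    group_gid: int
    mode: int  # the three rwx fields packed as an octal number, e.g. 0o764

def classify(user: User, f: FileEntry) -> str:
    """Pick the one class whose field applies: owner, else group, else universe.
    A user matching an earlier class never falls through to a later one, even if
    the later field would grant more; this is how real UNIX evaluates mode bits."""
    if user.uid == f.owner_uid:
        return "owner"
    if f.group_gid in user.gids:
        return "group"
    return "universe"

def applicable_field(user: User, f: FileEntry) -> int:
    """Extract the 3-bit field for the class this user falls into."""
    return (f.mode >> SHIFT[classify(user, f)]) & 0o7

def rights_string(user: User, f: FileEntry) -> str:
    """Render the applicable field the way ls -l does, e.g. 'rw-'."""
    field = applicable_field(user, f)
    return "".join(ch if field & b else "-" for ch, b in (("r", 4), ("w", 2), ("x", 1)))

def permitted(user: User, f: FileEntry, op: str) -> bool:
    """Decide one request (op is 'read', 'write' or 'execute') against the file."""
    return bool(applicable_field(user, f) & BITS[op])

# Constructed sample data for the book scenario; uids and gids are assumed values.
REVIEWERS_GID = 500
JAMIL = User("Jamil", uid=1000, gids=frozenset({1000}))
AHMED = User("Ahmed", uid=1001, gids=frozenset({1001, REVIEWERS_GID}))
GUEST = User("guest", uid=2000, gids=frozenset({2000}))
# Owner rwx, group rw-, universe r--: Jamil has all bits, Ahmed reads and writes, guests read.
BOOK = FileEntry(owner_uid=JAMIL.uid, group_gid=REVIEWERS_GID, mode=0o764)
```

Note that on UNIX, deleting or renaming a file is governed by the write bit of the containing directory rather than the file's own bits, so this check covers only the three operations it names.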

In Windows, users typically manage access-control lists via a GUI, as shown below.

[Figure: Adding new users to the system]

The administrator defines the rights of all users to access data, or delegates that control to other users. After rights have been assigned, it is the responsibility of the operating system to enforce them as defined by the superuser or administrator.
