Protection and Security
Wikipedia · Computer security · CC BY-SA 4.0
Protection controls which processes can access which resources. Security defends the system against external threats. The access control matrix is the theoretical foundation. Authentication, encryption, and auditing are the practical tools.
Access control
The OS must answer one question: can subject S perform operation O on object X? The access control matrix maps every (subject, object) pair to the set of allowed operations. In practice the matrix is sparse, so it is stored as either access control lists (one per object, i.e. a column of the matrix) or capability lists (one per subject, i.e. a row).
Capabilities vs ACLs
An access control list (ACL) is stored with the object: "File A allows Alice to read and write, Bob to read." A capability is a token held by the subject: "Alice holds a read-write capability for File A." ACLs are easier to revoke (change the list on the object). Capabilities are easier to delegate (hand over the token). The trade-off is symmetric: delegating under an ACL means editing the object's list, and revoking a capability means finding every copy of the token, since no single list records who holds one.
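As an added example (not code from the Wikipedia article), the same sparse matrix stored both ways in Python, with constructed subject and object names. It shows why revoking all access to an object is a single edit on an ACL but a scan of every subject's row under capabilities, and why delegation is the reverse:

```python
# Added illustration; subjects, objects and operations are constructed names.
class ACLStore:
    # Column view: each object keeps its own {subject: set(ops)} list.
    def __init__(self):
        self.acl = {}  # object -> {subject: set(ops)}

    def grant(self, subject, obj, ops):
        self.acl.setdefault(obj, {}).setdefault(subject, set()).update(ops)

    def allowed(self, subject, op, obj):
        # "Can subject S perform operation O on object X?"
        return op in self.acl.get(obj, {}).get(subject, set())

    def revoke_all(self, obj):
        # Revocation: one edit on the object; returns entries removed.
        return len(self.acl.pop(obj, {}))

    def delegate(self, giver, receiver, obj):
        # Delegation: the object's list must be edited, not just a token copied.
        ops = self.acl.get(obj, {}).get(giver, set())
        if ops:
            self.grant(receiver, obj, ops)
        return bool(ops)


class CapabilityStore:
    # Row view: each subject holds tokens {object: set(ops)} it can present.
    def __init__(self):
        self.caps = {}  # subject -> {object: set(ops)}

    def grant(self, subject, obj, ops):
        self.caps.setdefault(subject, {}).setdefault(obj, set()).update(ops)

    def allowed(self, subject, op, obj):
        return op in self.caps.get(subject, {}).get(obj, set())

    def delegate(self, giver, receiver, obj):
        # Delegation: copy the token; nothing on the object side changes.
        token = self.caps.get(giver, {}).get(obj, set())
        if token:
            self.grant(receiver, obj, token)
        return bool(token)

    def revoke_all(self, obj):
        # Revocation: no per-object list exists, so every subject's row is
        # scanned for copies of the token; returns rows scanned.
        scanned = 0
        for row in self.caps.values():
            scanned += 1
            row.pop(obj, None)
        return scanned
```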
Authentication
Before access control can work, the system must verify identity. Passwords, tokens, biometrics, and multi-factor authentication all serve this purpose. The OS trusts its authentication mechanism completely, which is why its weaknesses are critical vulnerabilities.
Encryption at rest
Even with good access control, a stolen disk bypasses the OS entirely. Encryption at rest protects data on the physical medium: the OS decrypts transparently when the correct key is provided, and without the key the data is indistinguishable from noise. Once the key is loaded and the volume unlocked, the data is again guarded only by the OS's access control, so the two mechanisms complement rather than replace each other.
Neighbors
- 🔐 Symmetric Encryption — the primitives that make encryption at rest possible
- 🔐 Crypto Ch.9 — zero-knowledge proofs: OS capability systems use the same principle of proving authorization without revealing secrets
- 🔢 Discrete Math Ch.4 — graph theory: access control matrices and capability graphs are directed graphs from subjects to objects
- ♟ Game Theory Ch.11 — mechanism design: security policies are mechanism design problems where the goal is preventing adversarial equilibria