
Operating System Security and Access Control

Part of the Information Security and Cryptography book series (ISC)

Abstract

Initially, protection meant limiting memory addresses accessible to processes, in conjunction with early virtual memory address translation, and access control lists were developed to enable resource sharing. These remain protection fundamentals. Learning about such protection in operating systems provides a solid basis for understanding computer security. Aside from Unix, we base our discussion in large part on Multics; its segmented virtual addressing, access control, and protection rings heavily influenced later systems. Providing security-related details of all major operating systems is not our goal—rather, considering features of a few specific, real systems allows a coherent coverage highlighting principles and exposing core issues important in any system design. Unix of course has many flavors and cousins including Linux, making it a good choice.
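The abstract names two protection fundamentals, the per-process permission check and access control lists for sharing. As an added illustration (not code from the book or the chapter), the following C program implements the classic Unix mode-bit check and a POSIX-ACL-style check with a mask entry. All uids, gids, modes and ACL entries are constructed test data, and the `struct inode_sec`, `struct cred` and `acl_entry` types are this example's own simplifications, not kernel structures. The point a practitioner should take from it: exactly one permission class applies to a given caller (owner, then group, then other), so an owner can be denied what "other" is granted, the superuser override still requires some execute bit before running a file, and the ACL mask caps named users and every group entry but never the owner or "other".

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Permission bits, encoded as in the Unix mode word and access(2). */
#define ACC_R 4u
#define ACC_W 2u
#define ACC_X 1u

/* File-side inputs: owner, owning group, 9 rwxrwxrwx mode bits (constructed, not a real inode). */
struct inode_sec { unsigned uid, gid, mode; };

/* Process-side inputs: effective ids plus supplementary groups (constructed). */
struct cred { unsigned euid, egid; const unsigned *groups; size_t ngroups; };

static bool in_groups(const struct cred *c, unsigned gid) {
    if (c->egid == gid) return true;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid) return true;
    return false;
}

/* Classic Unix discretionary check. Exactly one class is selected by the first match
 * (owner, then group, then other); the other classes are never consulted. The superuser
 * bypasses the class bits, but execute still needs some x bit, as Linux enforces for
 * regular files. Returns true only if every bit in `want` is granted. */
bool unix_access(const struct inode_sec *f, const struct cred *c, unsigned want) {
    unsigned class_bits;
    if (c->euid == f->uid)         class_bits = (f->mode >> 6) & 7u;  /* owner class */
    else if (in_groups(c, f->gid)) class_bits = (f->mode >> 3) & 7u;  /* group class */
    else                           class_bits = f->mode & 7u;         /* other class */

    if (c->euid == 0)
        return !(want & ACC_X) || (f->mode & 0111u) != 0;
    return (class_bits & want) == want;
}

/* POSIX-ACL-style entries, evaluated in the order acl(5) describes. The mask caps named
 * users and all group entries; owner and "other" are not masked. No superuser override. */
enum acl_tag { ACL_USER_OBJ, ACL_USER, ACL_GROUP_OBJ, ACL_GROUP, ACL_MASK, ACL_OTHER };
struct acl_entry { enum acl_tag tag; unsigned id; unsigned perm; };

bool acl_access(const struct acl_entry *acl, size_t n, unsigned owner_uid,
                unsigned owner_gid, const struct cred *c, unsigned want) {
    unsigned mask = 7u;                               /* no mask entry: no cap */
    for (size_t i = 0; i < n; i++)
        if (acl[i].tag == ACL_MASK) mask = acl[i].perm;

    if (c->euid == owner_uid) {                       /* 1. owner entry, unmasked */
        for (size_t i = 0; i < n; i++)
            if (acl[i].tag == ACL_USER_OBJ) return (acl[i].perm & want) == want;
        return false;
    }
    for (size_t i = 0; i < n; i++)                    /* 2. named user, masked */
        if (acl[i].tag == ACL_USER && acl[i].id == c->euid)
            return (acl[i].perm & mask & want) == want;

    bool group_matched = false;                       /* 3. any matching group entry that grants */
    for (size_t i = 0; i < n; i++) {
        bool hit = (acl[i].tag == ACL_GROUP_OBJ && in_groups(c, owner_gid)) ||
                   (acl[i].tag == ACL_GROUP && in_groups(c, acl[i].id));
        if (!hit) continue;
        group_matched = true;
        if ((acl[i].perm & mask & want) == want) return true;
    }
    if (group_matched) return false;                  /* matched a group, none granted: stop here */
    for (size_t i = 0; i < n; i++)                    /* 4. other, unmasked */
        if (acl[i].tag == ACL_OTHER) return (acl[i].perm & want) == want;
    return false;
}

/* Mode 0007: the owner is denied read although "other" may read. */
bool scenario_owner_class_is_exclusive(void) {
    struct inode_sec f = {1000, 100, 0007};
    struct cred owner = {1000, 100, NULL, 0}, stranger = {2000, 200, NULL, 0};
    return !unix_access(&f, &owner, ACC_R) && unix_access(&f, &stranger, ACC_R);
}

/* Mode 0640: membership via a supplementary group grants read but not write. */
bool scenario_supplementary_group(void) {
    static const unsigned groups[] = {100};
    struct inode_sec f = {1000, 100, 0640};
    struct cred c = {2000, 200, groups, 1};
    return unix_access(&f, &c, ACC_R) && !unix_access(&f, &c, ACC_W);
}

/* Root reads and writes a mode-0000 file but cannot execute it until some x bit is set. */
bool scenario_root_override(void) {
    struct inode_sec noexec = {1000, 100, 0}, exec = {1000, 100, 0100};
    struct cred root = {0, 0, NULL, 0};
    return unix_access(&noexec, &root, ACC_R | ACC_W) && !unix_access(&noexec, &root, ACC_X)
        && unix_access(&exec, &root, ACC_X);
}

/* Named user 3000 holds rwx in the ACL, but the mask r-- cuts that to read only. */
bool scenario_acl_mask_limits_named_user(void) {
    static const struct acl_entry acl[] = {
        {ACL_USER_OBJ, 0, 6}, {ACL_USER, 3000, 7}, {ACL_GROUP_OBJ, 0, 4},
        {ACL_MASK, 0, 4}, {ACL_OTHER, 0, 0}};
    size_t n = sizeof acl / sizeof acl[0];
    struct cred owner = {1000, 100, NULL, 0}, named = {3000, 300, NULL, 0},
                member = {2000, 100, NULL, 0}, stranger = {4000, 400, NULL, 0};
    return acl_access(acl, n, 1000, 100, &owner, ACC_W) && acl_access(acl, n, 1000, 100, &named, ACC_R)
        && !acl_access(acl, n, 1000, 100, &named, ACC_W) && acl_access(acl, n, 1000, 100, &member, ACC_R)
        && !acl_access(acl, n, 1000, 100, &stranger, ACC_R);
}

int main(void) {
    printf("owner class exclusive: %d\n", scenario_owner_class_is_exclusive());
    printf("supplementary group:   %d\n", scenario_supplementary_group());
    printf("root override:         %d\n", scenario_root_override());
    printf("acl mask:              %d\n", scenario_acl_mask_limits_named_user());
    return 0;
}
```

Each scenario function returns true when the check behaves as described in its comment; compile with `cc -std=c99 -Wall` and run the program to see all four print 1. The step-3 rule in `acl_access` is the one most often misread: once any group entry matches the caller, the "other" entry is never reached, even if "other" would have granted the request.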




Copyright information

© 2021 The Author(s)

About this chapter

Cite this chapter

van Oorschot, P.C. (2021). Operating System Security and Access Control. In: Computer Security and the Internet. Information Security and Cryptography. Springer, Cham. https://doi.org/10.1007/978-3-030-83411-1_5

  • DOI: https://doi.org/10.1007/978-3-030-83411-1_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-83410-4

  • Online ISBN: 978-3-030-83411-1

  • eBook Packages: Computer Science (R0)