Reveal ALL Solution

Worksheet 6: OS Security and Access Control

Worksheets are self-guided activities that reinforce lectures. They are not graded for accuracy, only for completion. Worksheets are due by the end of the Tuesday before the next lecture via Blackboard link as a single pdf document. Be sure to properly label each question.

Questions

1. Let’s do some practice with bytes, bits, octets, and hexadecimal. For each of the numbers below, write them out in the other bases not present.

   • 10110101 (binary)
   • 652 (base 8)
   • 0xa4 (base 16)

   Reveal Solution

   • 10110101
     • To convert to base 8, we split it up into 3 bit chunks - 10 110 101 - and covert to octal numbers 265
     • To convert to base 16, we split into 4 bit chunks - 1011 0101 - and convert to hex bits 0xb5
   • 652
     • To covert to binary, convert each number and merge - 6 110, 5 101, 010 - 11010101
     • To cover to hex, break the binary up into groups of 4 - 1 1010 1010 - 0x1aa
   • 0a4
     • To convert binary, convert each hex number to binary - a 1010 , 4 0100 - 10100100
     • To convert octal, convert that binary to 3 bit chunks - 10 100 100 - 244

2. Consider a memory system with 16-bits of addressable memory as described in Figure 5.1 in the book, how many bits of storage are needed to store the base and bound values in the descriptor register?

   Reveal Solution

   If there is 16-bits of addressable memory system like in Figure 5.1, then we need to store two addresses into memory to check the validity of access. Each address requires 16-bits, so the register needs to store 32-bits of information.

3. The privilege bit must be set in order to update the descriptor register, and only the supervisor can change this bit. Consider again a 16-bit memory system with addressable memory. If 50% of the memory is reserved for the supervisor code, and that 50% is always in the lower half of the address space, what would the descriptor register be set to (in terms of its base and bound) for a new program that the supervisor was loading if that new program used the remainder of the 50% of memory? (You can write your answers in terms of powers of two.)

   Reveal Solution

   The base would be \(2^{15}\) and the bound would be \(2^{16}-1\), as this is the top half of the memory.

4. Still considering the system as described in Figure 5.1, explain how shared libraries are a real challenge with isolation systems with a single descriptor register?

   Reveal Solution

   If the shared library code were loaded into non-continuous segment of memory, the descriptor register would need to be expanded to include that library code — but that may overlap with other code/memory and remnants in memory! That would over privilege one of the processes.

5. Finally, still referring to Figure 5.1, describe another limitation of this system (not from the question above).

   Reveal Solution

   The descriptor register provide complete access to the entire memory region, read/write/execute, and thus lacks fine grain sharing.

   It also doesn’t work for virtual memory, which is crucial for modern systems.

6. A more modern approach to program memory isolation leverages memory segments. For example, a program, when loaded into memory, has multiple segments that are necessary to run the program. This includes the stack, heap, code, and data. Of those, the stack and heap should be read/write, the code segment execute/read, and the data should be read-only.

   Consider the 5 bit field, RWXMF, described on page 128 of the book. What is the bit field for stack, heap, code, and data segments?

   Reveal Solution

   • stack - 11000
   • heap - 11000
   • code - 10100
   • data - 11000 or 10000

7. Of the segments of a program described above, which one can also have an M bit set if the program is designed to run as the supervisor? Explain why.

   Reveal Solution

   Just the code segment because it’s the only one that is executable.

8. Is the relationship between UID and PID one-to-one, many-to-many, one-to-many, or many-to-one. Explain.

   • one-to-one: exactly one UID maps to one PID and that PID only matches to that UID
   • many-to-many: many UIDs can match to many, different PIDs and many, different PIDs can match to many PIDs
   • one-to-many: one UID can match to many, different PIDs
   • many-to-one: Many UIDs can match to the same PID at different execution time

   Reveal Solution

   It is one-to-many, as the UID associates with the user, and they may be running multiple processes, each with different PIDs. However, it is not the case that each of those process can be associated with different users, just the same user running the process.

9. What is a security kernel and what properties should it have? How does it compare to modern OS kernels, like UNIX/Linux?

   Reveal Solution

   A security kernel is a small, minimal piece of software that runs in privilege to perform access control checks. It’s small size, central placement, privilege setting, ensures that it’s tamper-proof, always invoked, and verifiable.

   The security kernel is not implemented in modern systems, instead a monolithic kernel is used, like in UNIX, which handles all the OS tasks (like processing, scheduling, hardware access, and access control) rather than modularizing different tasks into separate kernels, like a security kernel.

10. Consider access control matrices – explain how managing this doesn’t scale, and what the solution would be?

    Reveal Solution

    The access control matrix requires a row for every user/entity and a column for every object. But the matrix is VERY sparse because many users don’t have any access to most objects. Thus storing such a large structure is inefficient.

    Instead, use capability lists or access control lists.

11. Convert the following ACM to ACLs by enumerate the ACE per object.

              foo   bar   baz  bee  bop
    -----------------------------------
    peter  |   RW   X
    paul   |   RW   X     R          R
    mary   |                   RW
    george |        X     RW         R
    ringo  |
    john   |  RWX        RWX
    

    Reveal Solution

    • foo: (peter; RWX = 110), (paul; RWX=110), (john; RWX=111)
    • bar: (peter: RWX = 001), (paul; RWX=001), (george; RWX=001)
    • baz: (paul; RWX = 100), (george; RWX=110), (john; RWX=111)
    • bee: (mary; RWX=110)
    • bop: (paul; RWX=100), (george;RWX=100)

12. Consider the following /etc/password entry.

    aaviv:2212:2302:Adam Aviv:/home/aaviv:/bin/bash
    

    For each item in the entry, label it’s meaning.

    Note that modern /etc/password entries do not store passwords, that’s stored in /etc/shadow

    Reveal Solution

      .- username
      |    .-- uid
      |    |     .-- default gid
      |    |     |             default shell-.
      v    v     v                           v
    aaviv:2212:2302:Adam Aviv:/home/aaviv:/bin/bash
                       ^          ^
                       |          |
      Display Name ----'          '- Home Directory
    
    

13. Provide an example where user groups are useful for controlling access.

    Reveal Solution

    Consider a file that contains sensitive information. We have a set of privileged users in the group doc-readers and we can set the permissions on that file such that only group members (and the owner of the file) can read it. Then membership in the group enforces access control.

14. What is the UID of the root user?

    Reveal Solution

    0

15. The file permission bit field consists of 12 bits. Provide a short description of them.

    Reveal Solution

    There are three bits to express read, write and execute privilege. And there are those three bits across user, group, and other fields. This totals 9 bits. Then there is an additional 3 bits for special protection, totally 12 bits overall.

16. Convert the following octal permission representation to a symbolic display, or vice versa.

    600
    -rw-rw---x
    drwx--xr-x
    574
    

    Reveal Solution

    -rw-------
    661
    715
    -r-xrwxr--
    

17. The umask or (“unset mask”) is way to set a system wide (or user level) default file creation permission setting. What permission would newly created files have if the umask (in octal) were as follows and the initial file creation default is 666

    377
    166
    000
    

    Reveal Solution

    400
    600
    666
    

18. Provide a short description of the setuid and setgid protective bits and what happens when an executable has it set

    Reveal Solution

    If the setuid bit is set, then when the program runs, it runs with the same effective permission of the owner of the program. The same is the case for setgid bit, but runs with the same effective permissions of the group of the program.

19. What is the differences between rUID and eUID of a running process?

    Reveal Solution

    The rUID stands for the real UID of the running process, which is assigned to the user who actually ran the program. The eUID is the effective UID or the effective permission level of the process. These are typically the same value. Exceptions include when setuid bit is set or other special-purpose programs that need to run as a different UID.