The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Appendix G
Some Operating System Security Examples

MS-DOS is an operating system designed to operate on single-user personal computers. As a consequence, it provides no identification and authentication mechanisms and neither discretionary nor mandatory access control mechanisms. Any user has access to all resources on the system. Any access control is provided solely by controlling physical access to the computer itself. If the computer is electronically connected to any other computer, no access control is possible.

UNIX is a multi-user operating system originally designed by Ken Thompson and Dennis Ritchie of Bell Laboratories. User identification is supported by password-based authentication. User IDs are associated with processes. UNIX provides a modified version of access control lists for files. For each file, three fields of access permissions are established: one for the file owner, one for the group in which the owner resides, and one for others (everyone else). In each access field, permission to read, write, and execute the file is granted by the owner. For example, a file with access permissions rw-/rw-/r-- provides the owner read/write access, the owner's group read/write access, and all others only read access to the file.

UNIX provides another feature that affects access controls. Each program can have the "setuid" attribute set; if set, the program runs with the access rights of the owner of the program rather than those of the program's invoker. Thus, for practical purposes, the program's invoker can establish an effective identity other than his or her own that is to be used when determining access permissions.

Microsoft's Windows NT operating system is designed for workstations and servers. User identity is authenticated using passwords. Every active subject in the system has an associated token that includes a unique identifier, a list of group identifiers, and a set of privileges that allows a subject to override restrictions set by the system. Every named object (e.g., files, directories, drivers, devices, and registry keys) in the system has an associated access control list (ACL). ACLs can ascribe generic rights (e.g., read, write, and delete) and specific rights that have semantics only for a specific class of objects. Mediation decisions are made by the Security Reference Monitor based upon the token of the subject, the ACL of the object, and the requested access right. There is provision in the system for "impersonation," that is, using the authorization of another subject.

Finally, various products have been designed to provide access control mechanisms as add-ons for specific operating systems, to augment the basic operating system facilities. For example, RACF, ACF2, and Top Secret are all products designed for use with IBM's MVS (which has almost no intrinsic security).
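The UNIX mediation rule described above (three permission fields in the report's rw-/rw-/r-- notation, and setuid substituting the program owner's identity for the invoker's) is modelled here as an added, constructed example; it is not code from the report, and the user, group and file names are made up. It goes slightly beyond the text in one respect: it shows that UNIX applies exactly one field (owner, else group, else others) rather than the union of them.

```python
"""Toy model of UNIX file-permission mediation and setuid (constructed example)."""
from dataclasses import dataclass

PERM_ORDER = "rwx"  # position of each permission letter inside one field


@dataclass(frozen=True)
class File:
    owner: str
    group: str
    mode: str            # report notation: "rw-/rw-/r--" = owner/group/others
    setuid: bool = False


@dataclass(frozen=True)
class Process:
    uid: str             # effective user identity used for access decisions
    groups: frozenset    # group memberships


def parse_mode(mode: str) -> tuple:
    """'rw-/rw-/r--' -> ({'r','w'}, {'r','w'}, {'r'}); rejects malformed strings."""
    fields = mode.split("/")
    if len(fields) != 3:
        raise ValueError(f"expected three permission fields: {mode!r}")
    classes = []
    for f in fields:
        if len(f) != 3 or any(c not in (want, "-") for c, want in zip(f, PERM_ORDER)):
            raise ValueError(f"malformed permission field: {f!r}")
        classes.append({c for c in f if c != "-"})
    return tuple(classes)


def permitted(proc: Process, f: File, op: str) -> bool:
    """Select ONE field the way UNIX does: owner first, then group, then others.
    The fields are not combined, so an owner with '---' is denied even if
    'others' would be allowed."""
    owner, group, others = parse_mode(f.mode)
    if proc.uid == f.owner:
        applicable = owner
    elif f.group in proc.groups:
        applicable = group
    else:
        applicable = others
    return op in applicable


def exec_program(proc: Process, program: File) -> Process:
    """Run a program: invoker needs 'x'; with setuid the resulting process takes the
    program owner's identity (group list kept unchanged in this simplified model)."""
    if not permitted(proc, program, "x"):
        raise PermissionError(f"{proc.uid} may not execute {program.owner}'s program")
    return Process(uid=program.owner if program.setuid else proc.uid, groups=proc.groups)
```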