Separation of protection and security
In computer science, the separation of protection and security is a design choice. Wulf et al. identified protection as a mechanism and security as a policy, therefore making the protection-security distinction a particular case of the separation of mechanism and policy principle.
Overview
The adoption of this distinction in a computer architecture usually means that protection is provided as a fault tolerance mechanism by hardware/firmware and kernel, whereas the operating system and applications implement their security policies. In this design, security policies therefore rely on the protection mechanisms and on additional cryptographic techniques.
The major hardware approach for security or protection is the use of hierarchical protection domains. A prominent example of this approach is the ring architecture with "supervisor mode" and "user mode". Such an approach adopts a policy already at the lower levels (hardware/firmware/kernel), restricting the rest of the system to rely on it. Therefore, the choice to distinguish between protection and security in the overall architecture design implies rejection of the hierarchical approach in favour of another one, capability-based addressing.
Design models with the separation
The models with the protection and security separation are: access matrix, UCLA Data Secure Unix, take-grant and filter.
Design models without the separation
The models without such separation are: high-water mark, Bell–LaPadula (original and revisited), information flow, strong dependency and constraints.
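As an added illustration, not code from the article or from any of the systems it names, the following Python toy separates the two layers the Overview describes: a capability-style kernel (in the spirit of the capability-based addressing mentioned there) is the policy-neutral protection mechanism, and an access matrix, one of the models listed above as having the separation, is the security policy that decides which capabilities get minted. The kernel class, segment names, subjects and rights are all constructed for the example.

```python
import secrets
from typing import Dict, FrozenSet, NamedTuple
# Constructed toy model (not code from the article): a policy-neutral protection
# mechanism (capability-style) with the security policy supplied as an access matrix.
class Capability(NamedTuple):
    token: bytes  # only tokens produced by the kernel's mint() are honoured
class ProtectionKernel:
    """Mechanism: checks that a presented capability carries the requested
    right; it never decides who should hold which rights (that is policy)."""
    def __init__(self, segments: Dict[str, int]) -> None:
        self._segments = {name: bytearray(size) for name, size in segments.items()}
        self._caps: Dict[bytes, tuple] = {}  # token -> (segment, rights)

    def mint(self, segment: str, rights: FrozenSet[str]) -> Capability:
        """Privileged operation: the only way to obtain a valid capability."""
        token = secrets.token_bytes(16)
        self._caps[token] = (segment, rights)
        return Capability(token)

    def allows(self, cap: Capability, right: str) -> bool:
        entry = self._caps.get(cap.token)  # forged or unknown tokens have no entry
        return entry is not None and right in entry[1]

    def _segment(self, cap: Capability, right: str) -> bytearray:
        if not self.allows(cap, right):
            raise PermissionError(f"capability lacks '{right}' right")
        return self._segments[self._caps[cap.token][0]]

    def read(self, cap: Capability) -> bytes:
        return bytes(self._segment(cap, "read"))

    def write(self, cap: Capability, data: bytes) -> None:
        seg = self._segment(cap, "write")
        seg[:len(data)] = data[:len(seg)]  # truncate, never grow the segment

# Policy: an access matrix (subject x object -> rights) decides what the kernel
# is asked to mint. Changing the matrix changes security, not protection.
Matrix = Dict[str, Dict[str, FrozenSet[str]]]

def issue(kernel: ProtectionKernel, matrix: Matrix, subject: str, segment: str) -> Capability:
    return kernel.mint(segment, matrix.get(subject, {}).get(segment, frozenset()))

def demo() -> Dict[str, object]:
    """Policy grants alice read/write and bob read-only; the mechanism enforces it."""
    k = ProtectionKernel({"payroll": 8})
    matrix: Matrix = {"alice": {"payroll": frozenset({"read", "write"})},
                      "bob": {"payroll": frozenset({"read"})}}
    alice, bob = issue(k, matrix, "alice", "payroll"), issue(k, matrix, "bob", "payroll")
    k.write(alice, b"salaries")
    return {"bob_reads": k.read(bob),
            "bob_can_write": k.allows(bob, "write"),
            "forged_can_read": k.allows(Capability(bytes(16)), "read")}
```

Swapping in a different matrix (for example a high-water-mark or Bell–LaPadula style labelling) changes only what `issue` asks the kernel to mint; the kernel's checks stay the same, which is the point of keeping protection separate from security.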