TRON: Process-specific File Protection for the UNIX Operating System
Andrew Berman, Virgil Bourassa and Erik Selberg
Presented by Virgil Bourassa
Department of Computer Science and Engineering, University of Washington, Seattle, Washington

What Is TRON?
· A layer of file protection on top of UNIX access control lists
· A user tool, available at the user's discretion
· Restricts file access by a process or set of processes

Outline
· What Is TRON?
· Motivation
· Design
· Implementation
· Contributions
· Conclusion

Motivation
· Increasing pressure and opportunity to use publicly available software
· Processes are the agents of destruction
· All of your processes have all of your rights

The Malcontent Homepage (figure)

Goals
· Complement existing UNIX user-specific file protection
· Work with existing programs
· Security based on explicit user intent
· Flexible, expressive, easy to use
· Facilitate protected remote procedure calls (RPCs)

Design
· Access rights specified by a set of capabilities
· Provides protected domains in which to execute processes
· Enforced by the kernel
· Capabilities can be "loaned"

Capabilities
· Associates a set of rights with a file or directory, represented by a character string
· File rights: read, write, execute, delete, and modify UNIX permissions
· Directory rights specify access for both the directory and its files
· Additional directory rights: create, subtree

Domains (figure)

Enforcement
· Kernel traps are vectored to TRON wrappers first
· An attempt to access a file without an appropriate capability in the process's domain results in site-specific violation handling
· Possible violation responses: set the process's errno value to EACCES, kill the process with a specific exit value, log the violation, request user intervention

Granting Capabilities (figure)

Implementation
· Prototype TRON service implemented in ULTRIX V4.2A on a DECstation 5000/200
· User commands
· System calls
· Kernel modifications

User Commands
tron -p <rights> <path> ... [-p <rights> <path> ...] -c <command>
tron_loan <pid> -p <rights> <path> ...

tron Examples
Execute a shell that allows deletion and writing in the current directory and /tmp only:
% tron -p rxcs / -p wd . /tmp

Run an emacs session to edit files only in the current directory:
% alias stdtron 'tron -p rx $path ~ / -p rs /etc \!*'
% stdtron -p rwcds /usr/local/emacs -p rw . -c emacs myfile &

tron_loan Example
To have .plan and .project files accessible to the finger daemon only when users are logged in:
# tron -p rx /usr/ucb/finger /usr/etc/fingerd -p rw /usr/adm daemon.log -c fingerd &
% ps -ax | egrep fingerd | egrep -v egrep
20960 ?  I      0:04 fingerd
% tron_loan 20960 -p r ~/.{plan,project}

System Calls
tron_fork(cap_list, num_caps);
tron_grant(pid, cap_list, num_caps);
tron_revoke(pid);
tron_get_cap_list(cap_list_buffer, buf_size, num_caps);

Kernel Modifications
· Introduce a TRON domain index in the process structure
· Minor modifications to init_main.c, fork, and exit
· Vector system calls to the corresponding TRON wrappers

Contributions
· Maintains UNIX standards of flexibility and openness
· Users are protected against harmful activities by their own processes
· Enforces users' explicit intentions
· Flexible, expressive, easy to use
· Minimal overhead
· Facilitates protected process transactions

Conclusion
· A process-specific, expressive, and easy-to-use capability service is an effective means of providing protection from Trojan horses, computer viruses, etc.
· TRON is an extension to the UNIX operating system that provides such a service in a safe, transparent and flexible manner.
· We have successfully integrated this service into an existing UNIX implementation and demonstrated its usefulness.
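The following is an added example, not code from the paper or its ULTRIX prototype: a user-space C model of the capability, domain, enforcement and loan mechanism described on the Capabilities, Enforcement and User Commands slides. The rights letters r/w/x/d/c/s and the rule that directory rights cover the directory and its files, with "s" extending them to the subtree, follow the slides; the letter "m" for "modify UNIX permissions", the in-memory domain structures, the treatment of "." as the supplied cwd, the exact prefix-matching rule and the errno/log violation handler are this example's own assumptions.

```c
/* tron_sim.c: user-space model of TRON process domains (added example, not the
 * paper's kernel code). Rights letters r/w/x/d/c/s, the directory/subtree rule
 * and the loan operation follow the slides; the letter 'm' for "modify UNIX
 * permissions", the structures, "." -> cwd resolution and the violation
 * handler are assumptions made here. Paths are taken as absolute and normalised. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum { R_READ = 1, R_WRITE = 2, R_EXEC = 4, R_DELETE = 8, R_CHMOD = 16,
       R_CREATE = 32, R_SUBTREE = 64 };
#define MAX_CAPS 32
#define MAX_PATH 256
struct cap { char path[MAX_PATH]; unsigned rights; int loaned; };
struct domain { struct cap caps[MAX_CAPS]; int ncaps; };

/* Parse a rights string such as "rxcs"; 0 means an unknown letter was seen. */
unsigned parse_rights(const char *s) {
    unsigned r = 0;
    for (; *s; s++) switch (*s) {
        case 'r': r |= R_READ; break;     case 'w': r |= R_WRITE; break;
        case 'x': r |= R_EXEC; break;     case 'd': r |= R_DELETE; break;
        case 'm': r |= R_CHMOD; break;    case 'c': r |= R_CREATE; break;
        case 's': r |= R_SUBTREE; break;  default: return 0;
    }
    return r;
}

static int add_cap(struct domain *d, const char *path, unsigned rights, int loaned) {
    if (d->ncaps >= MAX_CAPS || strlen(path) >= MAX_PATH) return -1;
    struct cap *c = &d->caps[d->ncaps++];
    strcpy(c->path, path); c->rights = rights; c->loaned = loaned;
    return 0;
}

/* Build a domain from a tron-style argument list:
 *   -p <rights> <path>... [-p <rights> <path>...] [-c <command>...]   */
int domain_from_args(struct domain *d, const char *cwd, int argc, char **argv) {
    unsigned rights = 0;
    d->ncaps = 0;
    for (int i = 0; i < argc; i++) {
        if (strcmp(argv[i], "-c") == 0) break;            /* rest is the command */
        if (strcmp(argv[i], "-p") == 0) {
            if (++i >= argc || (rights = parse_rights(argv[i])) == 0) return -1;
            continue;
        }
        if (rights == 0) return -1;                        /* path before any -p */
        if (add_cap(d, strcmp(argv[i], ".") == 0 ? cwd : argv[i], rights, 0) < 0)
            return -1;
    }
    return d->ncaps > 0 ? 0 : -1;
}

/* A capability covers its own path, the entries directly inside it (directory
 * rights apply to the directory and its files) and, with 's', the whole subtree. */
static int cap_covers(const struct cap *c, const char *target) {
    size_t n = strcmp(c->path, "/") == 0 ? 0 : strlen(c->path);
    if (strcmp(c->path, target) == 0) return 1;
    if (strncmp(c->path, target, n) != 0 || target[n] != '/' || target[n + 1] == '\0')
        return 0;
    if (c->rights & R_SUBTREE) return 1;
    return strchr(target + n + 1, '/') == NULL;           /* direct entry only */
}

/* The check a TRON system-call wrapper makes before passing the call on:
 * every requested right must come from a covering capability. 0 or -EACCES. */
int tron_check(const struct domain *d, const char *target, unsigned need) {
    unsigned have = 0;
    for (int i = 0; i < d->ncaps; i++)
        if (cap_covers(&d->caps[i], target)) have |= d->caps[i].rights;
    return (have & need) == need ? 0 : -EACCES;
}

/* tron_loan: lend a capability to a running process's domain; tron_revoke
 * takes every loaned capability back and leaves the original domain intact. */
int tron_grant(struct domain *d, const char *path, const char *rights) {
    unsigned r = parse_rights(rights);
    return r ? add_cap(d, path, r, 1) : -1;
}
void tron_revoke(struct domain *d) {
    int kept = 0;
    for (int i = 0; i < d->ncaps; i++)
        if (!d->caps[i].loaned) d->caps[kept++] = d->caps[i];
    d->ncaps = kept;
}

/* Violation handling in the "set errno to EACCES and log it" style. */
int tron_open(const struct domain *d, const char *path, unsigned need) {
    if (tron_check(d, path, need) == 0) return 0;
    errno = EACCES;
    fprintf(stderr, "TRON violation: %s\n", path);
    return -1;
}

int main(void) {                       /* the shell example from the slides */
    struct domain d;
    char *argv[] = { "-p", "rxcs", "/", "-p", "wd", ".", "/tmp", "-c", "sh" };
    if (domain_from_args(&d, "/home/user", 9, argv) < 0) return 1;
    tron_open(&d, "/home/user/notes", R_WRITE);        /* allowed */
    tron_open(&d, "/etc/passwd", R_WRITE);             /* violation, logged */
    return 0;
}
```

The point worth noticing is the second check in main: the "rxcs /" capability lets the shell read and execute everything, but writing is confined to the current directory and /tmp, and only to entries directly inside them, because neither "wd" capability carries the subtree right.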
The Master Control Program (MCP) indentures the more useful programs while savagely destroying the less valuable ones. Just before the MCP successfully shuts down all I/O, a valiant programmer manages to install our hero, TRON, a program designed to protect and defend all programs within "the grid." With the help of another brilliant programmer (unwittingly turned into a program and sucked into the grid by the MCP), TRON overcomes desperate odds to destroy the evil MCP and restore peace and serenity to the grid. We named our system after the intrepid hero of this incredible film.

[Figure text recovered from the slides: the Domains and Granting Capabilities diagrams carry the labels "Client", "Server", "STOP", "capabilities", "processes" and "TRON Domain". The Malcontent Homepage mock-up reads: "Top Secret. Click here to delete all of your files. Click here to install viruses in your programs. Click here to e-mail all private text files to a public bulletin board. Click here to invite the Internet Worm in for lunch."]