
Memory Protection and Security

11. Protection in the OS

Systems and Networks 11: Protection 2

Segments
• It really makes no difference whether a bug that destroys somebody else's data is an accidental mistake or malicious.
– a faulty process may also try to execute data, or perform data operations on machine code
• The solution is to ensure that physical memory areas used for different purposes are protected from each other. This is the primary function of the MMU.
• Paged virtual memory makes such protection easy to implement, but:
– Pages are a fixed size, to fit into page frames
– The areas we want to protect are often of different sizes, determined by process logic
• Introduce the idea of segments: contiguous regions of memory in a process address space, of any size determined by the process logic.
– In virtual memory systems, a segment must be an integral number of pages.
– When a process is executing, it is not allowed to modify any word in memory that isn't within a segment owned by the process.
– MMU protection operates at segment level; physical placement operates at page level.


Violations of Memory Protection
• Every memory access must be checked to see whether a segment violation has occurred.
– If so, a memory fault is signalled.
– In a virtual memory system the handler first checks whether this is only a page fault (the page exists but is currently on disk); if there is no page on disk for this access, the process is aborted before any damage is done.
• Since this check must be made on every memory cycle, it must be done by the MMU.
• The MMU maintains, for each supported segment, a base address and a size. If an effective address is not within one of the segments of the currently running process (base ≤ address < base + size), the MMU generates a memory fault.
• The MMU is a device with its own registers, addressable by the CPU.
– What if a faulty or malicious program accesses the MMU?
– The MMU must be especially protected…
– Only the OS should be allowed to modify the MMU.
– How do we stop other programs from doing so?


User and System Mode
• Hardware support is needed to control access to the MMU
– At all times, the processor is either in user mode or in system mode
– The instructions that access the MMU are called privileged instructions
– Privileged instructions can only be executed in system mode
• To implement this, the CPU contains a flip-flop (called the CPU mode bit) which indicates the current mode. This is often held in the status register.
• The hardware executes a privileged instruction as follows:
– If in system mode, perform the instruction
– If in user mode, do not perform it; instead raise an exception, which transfers control immediately to the OS
• It is essential that the OS can execute its key portions in system mode.
• User processes must not be able to change the CPU to system mode without passing control back to the OS. (To do otherwise would be a hacker's dream!)
• On every exception the CPU automatically flips to system mode. The OS controls the location and content of all handler routines, so the code that runs after the flip is always OS code.
• A privileged instruction is used to set user mode just before a user process is run.
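The three slides above (Segments, Violations of Memory Protection, and User and System Mode) describe one mechanism from three sides. The following C program is an added example, not code from the lecture: it models an MMU holding a base and size per segment, the check made on every access, and the mode bit that decides whether the instruction which reprograms the MMU is executed or trapped. The page size, the segment table format and every name (seg_t, mmu_t, mmu_access, mmu_load_segments, ...) are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not lecture code: a software model of the segment check
 * an MMU performs on every access, and of the CPU mode bit guarding the
 * instructions that program the MMU.  All names here are invented. */

#define PAGE_SIZE 4096u   /* assumed page size: segments are whole pages */
#define MAX_SEGS  4

enum mode   { USER_MODE, SYSTEM_MODE };
enum access { ACC_READ, ACC_WRITE, ACC_FETCH };
enum result { OK, FAULT_SEGMENT, FAULT_PERMISSION, FAULT_PRIVILEGED, FAULT_BAD_TABLE };

typedef struct {
    uint32_t base;    /* first address of the segment               */
    uint32_t size;    /* length in bytes, a multiple of PAGE_SIZE    */
    bool writable;    /* may the process store into it?              */
    bool executable;  /* may the process fetch instructions from it? */
} seg_t;

typedef struct {
    seg_t  segs[MAX_SEGS];  /* the MMU's registers: base + size per segment */
    size_t nsegs;
    enum mode mode;         /* the CPU mode bit, as held in the status register */
} mmu_t;

/* Privileged instruction: load a new segment table.  In user mode it is
 * not performed; the exception flips the CPU to system mode so the OS
 * handler runs next. */
enum result mmu_load_segments(mmu_t *m, const seg_t *segs, size_t n)
{
    if (m->mode != SYSTEM_MODE) {
        m->mode = SYSTEM_MODE;
        return FAULT_PRIVILEGED;
    }
    if (n > MAX_SEGS)
        return FAULT_BAD_TABLE;
    for (size_t i = 0; i < n; i++) {
        /* reject sizes that are not whole pages, and segments whose
         * last byte (base + size - 1) would wrap past the address space */
        if (segs[i].size == 0 || segs[i].size % PAGE_SIZE != 0 ||
            segs[i].base > UINT32_MAX - (segs[i].size - 1))
            return FAULT_BAD_TABLE;
        m->segs[i] = segs[i];
    }
    m->nsegs = n;
    return OK;
}

/* Privileged instruction: set user mode just before a user process runs. */
enum result mmu_enter_user_mode(mmu_t *m)
{
    if (m->mode != SYSTEM_MODE) {
        m->mode = SYSTEM_MODE;
        return FAULT_PRIVILEGED;
    }
    m->mode = USER_MODE;
    return OK;
}

/* The check made on every memory cycle: the whole access [addr, addr+len)
 * must lie inside one segment of the running process with the right
 * permission.  A violation raises an exception (mode flips to system) before
 * the access takes effect.  System-mode accesses are left unchecked here,
 * a simplification of this model. */
enum result mmu_access(mmu_t *m, uint32_t addr, uint32_t len, enum access kind)
{
    if (m->mode == SYSTEM_MODE)
        return OK;
    for (size_t i = 0; i < m->nsegs; i++) {
        const seg_t *s = &m->segs[i];
        if (addr < s->base || addr - s->base >= s->size)
            continue;                        /* addr is not in this segment */
        if (len > s->size - (addr - s->base)) {
            m->mode = SYSTEM_MODE;           /* starts inside, runs off the end */
            return FAULT_SEGMENT;
        }
        if ((kind == ACC_WRITE && !s->writable) ||
            (kind == ACC_FETCH && !s->executable)) {
            m->mode = SYSTEM_MODE;           /* e.g. trying to execute data */
            return FAULT_PERMISSION;
        }
        return OK;
    }
    m->mode = SYSTEM_MODE;                   /* no segment of ours covers addr */
    return FAULT_SEGMENT;
}

int main(void)
{
    mmu_t m = { .mode = SYSTEM_MODE };       /* the CPU starts in system mode */
    seg_t table[] = {                        /* constructed sample process */
        { .base = 0x10000, .size = 2 * PAGE_SIZE, .writable = false, .executable = true },
        { .base = 0x20000, .size = PAGE_SIZE,     .writable = true,  .executable = false },
    };
    mmu_load_segments(&m, table, 2);
    mmu_enter_user_mode(&m);
    printf("write of 4 bytes at 0x20FFE -> %d (FAULT_SEGMENT is %d)\n",
           mmu_access(&m, 0x20FFE, 4, ACC_WRITE), FAULT_SEGMENT);
    return 0;
}
```

Two details are worth noticing. The bounds check is written as `addr - s->base >= s->size` and `len > s->size - (addr - s->base)` rather than as `addr + len > base + size`, so that an access near the top of the address space cannot wrap around and pass the check; and a privileged instruction executed in user mode does nothing except hand control to the OS, which is exactly the property the slide says user processes must not be able to bypass.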


More on System Mode
• Every operation that might be dangerous must be executed in system mode
– Only the Operating System is allowed to perform these operations
– A user program can only request that such an operation be performed
• Every I/O operation is potentially dangerous
– I/O is complicated, so bugs are likely if users do it themselves
– Users don't want to write I/O code anyway, since it's so complicated
– Incorrect I/O could result in reading confidential data, or destroying data
• When your program performs an I/O operation, what it really does is build a request: a data structure that describes the operation it wants performed.
– Then your program executes a TRAP.
– The OS takes control from your program and examines the request you made.
– If the request is legitimate (e.g. read a line from my own file), the OS executes the privileged instructions that perform the action
– If it is not legitimate (e.g. read data from somebody else's file), the OS refuses the action!


Levels of Protection
• We have examined the low-level basis of protection
– Implementation requires cooperation between hardware and OS.
– But there are many higher levels of protection which an OS uses to determine whether a requested operation is legitimate (the protection policy).
• We want to have both
– Security, so that illegitimate access to information is prevented
– Flexibility, so that we can share data and use it with convenience
• When an OS supports multiple users, each non-OS process belongs to a specific user, and each user has a level of privilege that determines what his/her processes are allowed to do
– The administrator (root) can do almost anything
– Ordinary users can modify only their own data, and read the data of other users who permit it.


Files
• Data in secondary memory is stored in files.
– A file is a set of logically associated sectors.
• The MMU and system/user modes protect information in memory while a program is running
• Data that is stored permanently in files needs file protection, which is enforced by the operating system
• File access is essentially a specialised form of I/O
– User programs are absolutely prohibited from performing any I/O themselves.
– To do I/O, a user program sends a request to the operating system.
– The OS checks the request, to determine whether the user owns the file (or has been permitted access by its owner); if the request is OK, the OS performs the actual machine-language instructions that do the I/O
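The request-then-TRAP path of the More on System Mode slide and the ownership check of the Files slide are the same procedure seen from two ends. The program below is an added example, not lecture code: a user program fills in a request structure and traps; the handler, now in system mode, validates the request and applies the policy stated on the Levels of Protection slide (the owner may read or write; others may read only if the owner permits) before anything touches the "device". The file table, the uids, the sector size and every name (request_t, kernel_t, trap, syscall_handler, ...) are constructed for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added example, not lecture code: a model of the request-and-TRAP path
 * with an OS handler that checks file ownership before any I/O happens.
 * The file table, uids and every name here are invented. */

#define SECTOR 16   /* assumed sector size: each model file is one sector */
#define NFILES 3

enum mode   { USER_MODE, SYSTEM_MODE };
enum op     { OP_READ, OP_WRITE };
enum status { IO_OK, IO_NO_SUCH_FILE, IO_BAD_REQUEST, IO_REFUSED };

typedef struct {
    const char *name;
    uint32_t owner;         /* uid of the owning user                    */
    bool others_may_read;   /* has the owner permitted others to read it? */
    char data[SECTOR];
} file_t;

/* The request a user program builds before it traps. */
typedef struct {
    enum op op;
    int     fd;     /* index into the file table                */
    char   *buf;    /* user buffer to fill, or to write from    */
    size_t  len;    /* bytes to transfer, at most one sector    */
} request_t;

typedef struct {
    enum mode mode;         /* the CPU mode bit                        */
    uint32_t  cur_uid;      /* user who owns the process now running   */
    file_t    files[NFILES];
} kernel_t;

/* The privileged I/O itself.  It is static so that, in this model, only the
 * handler below can reach it; on real hardware the mode bit and the MMU are
 * what keep a user program away from the device. */
static void do_io(kernel_t *k, const request_t *r)
{
    file_t *f = &k->files[r->fd];
    if (r->op == OP_READ)
        memcpy(r->buf, f->data, r->len);
    else
        memcpy(f->data, r->buf, r->len);
}

/* The OS handler the TRAP lands in: validate the request, apply the policy
 * (owner may do anything; others may read only if permitted), then act or refuse. */
static enum status syscall_handler(kernel_t *k, const request_t *r)
{
    if (r->fd < 0 || r->fd >= NFILES)
        return IO_NO_SUCH_FILE;
    if (r->buf == NULL || r->len > SECTOR)
        return IO_BAD_REQUEST;   /* never trust a size the user supplied */
    const file_t *f = &k->files[r->fd];
    bool is_owner = (f->owner == k->cur_uid);
    if (r->op == OP_WRITE && !is_owner)
        return IO_REFUSED;
    if (r->op == OP_READ && !is_owner && !f->others_may_read)
        return IO_REFUSED;
    do_io(k, r);
    return IO_OK;
}

/* What the user program executes: a TRAP.  The hardware flips the mode bit,
 * the OS examines the request, and user mode is restored on the way back. */
enum status trap(kernel_t *k, const request_t *r)
{
    k->mode = SYSTEM_MODE;
    enum status s = syscall_handler(k, r);
    k->mode = USER_MODE;
    return s;
}

/* Constructed sample system: two users (1000 and 1001), three one-sector files. */
kernel_t make_sample_kernel(uint32_t running_uid)
{
    kernel_t k = { .mode = USER_MODE, .cur_uid = running_uid, .files = {
        { "alice.txt",  1000, false, "alice's data"   },
        { "bob.txt",    1001, true,  "bob's notes"    },
        { "secret.txt", 1001, false, "bob's password" },
    } };
    return k;
}

int main(void)
{
    kernel_t k = make_sample_kernel(1000);      /* uid 1000 is running */
    char buf[SECTOR] = { 0 };
    request_t r = { OP_READ, 2, buf, SECTOR };  /* try to read secret.txt */
    printf("read secret.txt as uid 1000 -> %d (IO_REFUSED is %d)\n", trap(&k, &r), IO_REFUSED);
    return 0;
}
```

Note the order inside the handler: the request is validated (index in range, length no larger than a sector) before the file record is even looked at, and the policy check happens before `do_io`. A user program can describe any operation it likes in the request structure; the only instruction it can execute itself is the TRAP, so the decision to perform or refuse is made entirely in OS code.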
