Download Memory Protection

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
page
43
page
44
page
45
page
46
page
47
page
48
Document related concepts

Library (computing) wikipedia , lookup

Distributed operating system wikipedia , lookup

MTS system architecture wikipedia , lookup

Copland (operating system) wikipedia , lookup

Acorn MOS wikipedia , lookup

Process management (computing) wikipedia , lookup

Spring (operating system) wikipedia , lookup

Security-focused operating system wikipedia , lookup

Burroughs MCP wikipedia , lookup

OS 2200 wikipedia , lookup

RSTS/E wikipedia , lookup

Unix security wikipedia , lookup

CP/M wikipedia , lookup

VS/9 wikipedia , lookup

Paging wikipedia , lookup

Transcript 
General OS Security:
Memory Protection and Access
Control
CS461/ECE422
1
Reading
• Intel Pentium II Software Developer’s
Manual: Volume 3. Sections 4.5 through 4.8
– http://developer.intel.com/design/processor/man
uals/253668.pdf
2
Outline
• Evolution of OS
• Memory Protection
– Intel Architecture
• Object Access Control
– File access in particular
3
In the Beginning...
• The program owned the machine
– Access hardware directly
• Executives emerged
– Gather common functionality
• Multi-user systems required greater
separation
– Multics, the source of much early OS
development
4
Types of Separation
• Physical
– Use separate physical resources, e.g. Printers,
disk drives
• Temporal
– Time slice different users
• Logical
– Create virtual environment to make it seem that
programs are running independently
• Cryptographic
– Hide data and computation from others
5
Protected Resources
• What resources should be protected?
– Peripherals (e.g. printers)
– Network
– Storage (disk drives, files)
– Memory
• Why protect each of them?
Memory Protection
• Protect Core OS/Maintenance routines from
user program
– Kernel space
– User space
• Hardware support to ensure isolation
7
Memory Fence
Addresses
0
Operating
System
Fence
n
n+1
X
OK
Two problems:
• Flexibility
• Sharing
User
Program
high
8
Fence Registers
Fence
Register
Addresses
0
Operating
System
v.1
n+1
n
n+1
User
Program
high
Fence
Register
Addresses
0
Operating
System
v.2
m+1
m
m+1
User
Program
high
Multiprogramming
Fence
Register
in A
n+1
Fence
Register
in B
m+1
0
n
n+1
m
m+1
high
Operating
System
User
Program
A
User
Program
B
Base & Bound
A’s registers
base n+1
bound m
0
n
n+1
m
m+1
high
Operating
System
User
Program
A
User
Program
B
B’s registers
m+1 base
high bound
Virtual Memory
Fetch 7
A’s registers
Operating
System
7
base n+1
bound m
N+1
+
n+8
n+8
<>
>
Error
<
User
Program
A
User
Program
B
Sharing
A’s registers
base
bound
Operating
System
User
Program
A
Shared
User
Program
B
B’s registers
base
bound
Sharing, Cont’d
Operating
System
User
Program
A
User
Program
B
User
Program
C
Segments
1
Fetch <1,7>
Operating
System
7
+
Seg Base
0
a
1
n+1
Bnd
b
m
n+8
n+8
<>
>
Error
<
User
Program
A
User
Program
B
Split address into
two fields
– <seg, offset>
Each segment has a
base & bound
Segments: Sharing & Protection
Operating
System
Seg Base
0
a
1
n+1
Bnd
b
m
Prot
rwx
rw
{
{
Seg Base
0
m+1
1
n+1
User
Program
A
Shared
User
Program
B
}
}
Bnd Prot
high rwx
m
r
Segment problems
• Accesses off the end of the segment
– Can only be checked at runtime
– Extra check on each memory access
• Numbers are generally used for segment
names to speed up table lookups
– Potential problems for segment sharing
• Need to remap segments when they get too
big for currently mapped location.
17
Paging
• Fixed units of memory mapping
– Page sizes can range from 512 to 8192 bytes
• Two part address: <page #, offset>
• Easier to map fixed units into physical
memory
• Overriding the offset will cause the page # to
change
– Invalid page map should be caught
• Lose logical unity of segments
– May want to protect prog1 segment in a
particular way
18
Paging
19
Paging Segments
• Used by the x86 architecture
– Gives efficiencies of paging architecture with
logical protection continuity of segment
architecture
20
Paging Segments
21
Tagged architectures
• Base/bounds assumes contiguous user
program space.
– Protecting code or data is an all or nothing deal
with the base/bounds technique
• Could add tags to memory units
– Very privileged operation to change tags
– Memory unit could be word or a page
– Used for capability support
– Used by Lisp machines to encode types
• RWX bits on pages for Intel architecture
22
Memory Protection Rings
• More than 2
protection
levels
(why?)
• Originally in
Multics
• In Intel arch
since x386
Privilege Levels
• CPU enforces constraints on memory access and
changes of control between different privilege levels
• Similar in spirit to Bell-LaPadula access control
restrictions
• Hardware enforcement of division between user
mode and kernel mode in operating systems
– Simple malicious code cannot jump into kernel space
Stack Switching
• Automatically performed when calling more
privileged code
– Prevents less privileged code from passing in short
stack and crashing more privileged code
– Each task has a stack defined for each privilege
level
Moving to the Desktop
• Memory protection & rings were used in
MULTICS (‘60s)
• Intel 8086: segmentation, but no memory
protection (1978)
• Intel 80286: protection rings (1982)
• Intel 80386: paging (1986)
• Virtual memory support in Windows - 1995
Limiting Memory Access Type
• The Pentium architecture supports making pages
read/only versus read/write
• A recent development is the Execute Disable Bit
(XD-bit)
– Added in 2001 but only available in systems recently
– Supported by Windows XP SP2
• Similar functionality in AMD Altheon 64
– Called No Execute bit (NX-bit)
– Actually in machines on the market sooner than Intel
Windows Support
• Enabled in Windows XP SP2 as Data Execution
Prevention (DEP)
– Software version if no hardware support
• Check to see if you have the bit
– Control Panel -> System -> Advanced -> DEP tab
Delay to widespread deployment
•
•
•
•
First hardware in 2001
Wait for OS support
Wait for vendors willing to sell
Generally available in 2005
Protecting objects
• Desire to protect logical entities
– Memory
– Files or data sets
– Executing program
– File directory
– A particular data structure like a stack
– Operating system control structures
– Privileged instructions
Access Control Matrix
• Access Control Matrix (ACM) and related
concepts provides very basic abstraction
– Map different systems to a common form for
comparison
– Enables standard proof techniques
– Not directly used in implementation
31
Definitions
• Protection state of system
– Describes current settings, values of system
relevant to protection
• Access control matrix
– Describes protection state precisely
– Matrix describing rights of subjects
– State transitions change elements of matrix
32
Description
objects (entities)
subjects
o1 … om s1 … sn
s1
s2
…
sn
• Subjects S = { s1,…,sn }
• Objects O = { o1,…,om }
• Rights R = { r1,…,rk }
• Entries A[si, oj]  R
• A[si, oj] = { rx, …, ry }
means subject si has rights
rx, …, ry over object oj
33
Example 1
• Processes p, q
• Files f, g
• Rights r, w, x, a (append), o (owner)
f
g
p
q
p
rwo
r
rwxo
w
q
a
ro
r
rwxo
34
Example 2
• Procedures inc_ctr, dec_ctr, manage
• Variable counter
• Rights +, –, call
counter inc_ctr dec_ctr manage
inc_ctr
+
dec_ctr
–
manage
call
call
35
State Transitions
• Change the protection state of system
• |– represents transition
– Xi |–  Xi+1: command  moves system from
state Xi to Xi+1
– Xi |– * Xi+1: a sequence of commands moves
system from state Xi to Xi+1
• Commands often called transformation
procedures
36
Example Transitions
37
Example Composite Transition
38
Practical object access control
• Can slice the logical ACM two ways
– By row: Store with subject
– By column: Store with object
objects (entities)
subjects
o1 … om s1 … sn
s1
s2
…
sn
Directories to manage access
• Slice ACM by user
• Each user keeps a directory
– Entry in directory contains reference to object
(file) and access rights
• Problems
– Large lists
– Revocation
– Object aliases
Directories
Access Control List
• Slice by Object
• Used by Multics and most modern OS's
Unix Access Control
• Three permission octets associated with each
file and directory
– Owner, group, and other
– Read, write, execute
• For each file/directory
– Can specify RWX permissions for one owner, one
group, and one other
43
Windows ACL
44
ACL Scaling
• Groups of users
• Role-Based Access Control
– Users can take on role at a time
• Directory inheritance
• Negative rights
45
Capabilities
• Another attempt to slice by subject
• Capability is an unforgeable token granting access
– How to prevent forging?
• Memory tagging
• store in memory inaccessible to users
• OS proxying
• Subject presents capability when requesting access
• Propagating capabilities
– “Transfer” right passed or not passed with copies of
capabilities
• Capabilities can be easily revoked
Capabilities HW
• Intel iAPX 432 (1981)
– Tried to put even more security enforcement in hardware
– Capabilities and object-oriented
– Segments referenced through Access Descriptors
– Implementation too complex and compiler technology not
sufficiently smart
• Too slow and died on the vine
– http://en.wikipedia.org/wiki/Intel_iAPX_432
• IBM System/38
– From about the same time period
– Also had hardware capabilities support
Key Points
• Separation elements evolved in OS for
safety as much as security
• Memory protections
– Segments and pages and rings
– HW support
• Object access control
– File ACLs
– Capabilities
48
Related documents
Laboratories Intel.
Laboratories Intel.
KaizadMistryBio - Purdue College of Engineering
KaizadMistryBio - Purdue College of Engineering
Cell Part Cell Structure and Function Mitochondria Nucleus
Cell Part Cell Structure and Function Mitochondria Nucleus
1.3 Segments and Measures
1.3 Segments and Measures
Tecal XH310 V2 Node Server
Tecal XH310 V2 Node Server
INTEL Architectures
INTEL Architectures
2.3 Operating System Design and Implementation
2.3 Operating System Design and Implementation
Intel Research: Exploring the Future
Intel Research: Exploring the Future
Intel Says Design Innovations Will Aid Chip Performance
Intel Says Design Innovations Will Aid Chip Performance
Caneland Fact Sheet
Caneland Fact Sheet
845GVAD
845GVAD
Slides used by Karthik
Slides used by Karthik
Main Memory
Main Memory
Intel Product News - Multicore, Virtualization
Intel Product News - Multicore, Virtualization
Memory: Paging - Cornell University
Memory: Paging - Cornell University
Now It`s Your Turn to Rate NIS
Now It`s Your Turn to Rate NIS
Operating System
Operating System
Paper E1 - Digital Circuits
Paper E1 - Digital Circuits
Proportional Segments between Parallel Lines
Proportional Segments between Parallel Lines
Spy Mesopotamia
Spy Mesopotamia
Accelerate and Improve Microsoft SQL Server* Database Performance
Accelerate and Improve Microsoft SQL Server* Database Performance
New Intel® Atom™ Processor-Based Platform for
New Intel® Atom™ Processor-Based Platform for