27 Operating System Memory Protection
Hiteishi Diwanji
Operating System Memory Protection
- An operating system is the multiprogramming system allowing multiple users to use concurrently.
- Operating system is designed in such a way that one user’s computation cannot be intercepted by malicious user.
- For this purpose, operating system has following facilities.
- Memory protection,
- File protection,
- General control on how objects are accessed,
- User authentication
Memory and Address Protection
- Memory protection in multiprogramming prevents other programs from interfering to user’s program.
- Hardware is designed to provide memory protection.
Memory and Address Protection – Fixed Fence
- A fence defines a boundary on one side and restricts the user.
- The fence address location is fixed. The operating system resides on one side and the user works on the other side of the fence.
- This implementation was restrictive – operating system always occupied predefined amount of space, whether it was needed or not.
- Operating system defines register part of hardware, termed as a fence register; holds the address indicating the operating system ends at this address.
- This scheme differs from fixed fence, as in this scheme change can take place in the location of the fence.
- For every data modification request by user program, address referred for data modification, is checked against the address defined as fence. The address used is above the fence address then this address falls in the user area and the instruction gets executed. In case the address is below the fence address then it penetrates in the operating system area which raises a fault.Variable Fence Register – Limitation A fence register derives the boundary between operating system and users. The fence cannot prevent penetration of one user into the area of another user. Memory and Address Protection – Relocation
- Relocation process takes a program considering address 0 for the first instruction and replaces rest of the addresses with the actual addresses in memory that the program is residing at.
- Every time each address adds constant relocation factor to get the address. The first address of the program becomes the value of relocation factor.
- The fence register acts as a relocation device defined in hardware. To generate address of the program, the fence register contents are read and added to the address for each instruction of the program.
Memory and Address Protection – Base/Bounds Registers
- Fence registers mention the beginning not the end of memory meaning specifies the lower bound but does not specify upper limit.
- An upper limit can count the available space and checks that overflow does not lead into “forbidden” areas.
- The bounds register marks the upper address limit and a base or fence register marks the lower address limit.
- The address generated for program has to be above the base address because addition is performed on the contents of the base register and the address assigned to program. Each address is checked against the bounds address to make sure that it is below the bounds address. This helps in saving the program’s addresses from modification by other users.
- When operating system switches from program of one user to program of other user, the contents of the base and bound registers are changed to reflect the actual address space assigned to the current user. This is called a context switch. The operating system performs context switching means assign control to other user from current user.
- A user error occurs in following situations.
- 1) When an array subscript refers to an element that is out of range
- 2) An undefined variable is used in executable instruction which refers to an address lying in the user’s space.
- 3) A user accidentally stores data in the memory area of instructions which destroys a user’s own program.
- To solve the problem of overwriting data to instructions, one more pair of base/bounds register is used. Instructions of the program(code) holds one register and data space holds another register.
- Two pairs of base/bound registers are used. When instructions are to be executed, their relocation address is checked against the first register pair, and check against second register pair is performed for all kinds of data accesses (operands of instructions).
Memory and Address Protection – Tagged Architecture
• In Tagged architecture, allocated registers are three or more than three pairs: one for code, one for read-only data, and one for data values that can be modified.
- In some cases – some data values need to be protected but not all.
- A programmer allows certain data values to be modified while initializing the program but program is not allowed to modify these data values at later stage, thus ensures integrity.
- A programmer invokes a shared subprogram from a common library.
- Base/bounds registers create an all-or-nothing environment for sharing: meaning that a program allows access and modification of data or all accesses are prohibited.
- There are four resources P,Q,R,S. A procedure wants to share P, Q, and R data items with one module; P, R, and S with a second module, and P, Q, and S with a third module. These sets need to be saved in contiguous space so that they are effectively shared.
Consider that these data items are either large records or arrays or even structures, then this solution is infeasible.
- In case of tagged architecture, one or more extra bits of information are attached to each word of machine memory so that the access rights to that word can be identified. Only operating system can set these access bits. The bits are tested every time to check whether an instruction can access that location.
- In Segmentation, a program is divided into separate parts. Each part exhibits a code or data values relationship and making a logical unit.
- For example, a segment represents a specific module consisting of the code that belongs to a procedure, or an array representing data items, or bunch of all the local data items.
- Segmentation divides a program and provides rights for access.
- Each segment is identified by a unique name. In a segment, a code or data item is addressed as the pair <name, offset >, where name is the name of the segment holding the data item and offset is its location within the segment ( offset from the start of the segment).
- The operating system keeps a table in memory having segment names and their actual addresses.
- An address in a program is referred by < name, offset >. The operating system goes through directory holding segment related information and reads the address which is starting memory address. To get actual address of code or data item, the operating system adds offset.
- Operating system considers the executing processes and for each executing process keeps a segment address table. The same segment can be shared by two processes. In that case, each process will keep the segment name and address in their segment tables.
- A user program is not aware of the actual physical memory addresses referred to access the segment.
These hidden physical addresses have proven advantageous to the operating system.
1) The operating system decides the location and places the segment. The operating system can move the segment to other location, even if the program is in execution mode. The operating system takes care of all address references by a segment address table. In case segment is moved, the address in that one table is changed.
2) A segment if not in use can be shifted to auxiliary device from main memory.
3) Every address has to be through the operating system, so the operating system can check each one for protection.
- The segmentation process uses both hardware and software.
Benefits of Segmentation
Each address reference can be verified for protection.Different levels of protection can be assigned to different classes of data items.Single segment can be shared by two or more users and each user can possess different access rights.Operating system maps true address so a user cannot generate an address to an unpermitted segment.
Problems of Segmentation
Segment size is fixed but protection is difficult. A program refers to a valid segment name, but the indicated offset is beyond the end of the segment. For example, reference < A ,1111> is valid, but in fact segment A is only 250 bytes long. If security is not implemented properly, a program can access any memory address beyond the end of a segment by providing large values of offset in an address. Segmentation is effective if segments are allowed to grow in size during execution. A segment may be implemented using dynamic data structure such as a stack.
Secure implementation of segmentation requires checking a generated address to verify that it does not cross the current end of the segment reference. This checking costs extra in terms of time and resources.
Efficient implementation of segmentation presents two problems:
- 1) Names are inconvenient to encode in instructions,
- 2) The operating system may prove slow while searching the name in a table.
To solve the problem, segment names are converted to numbers by the compiler when a program gets translated; the compiler also appends a linkage table that consist matching numbers to true segment names. This scheme has an implementation difficulty when two procedures need to share the same segment, then the assigned segment numbers of data accessed by that segment must be the same.
Segments cause fragmentation of main memory as each segment is of different size. Unused fragments of space causes poor memory utilization after certain time period. A solution to fragmentation is the periodic update to clean up memory by collecting unused part of memory and then updating the table but this process is time consuming. Memory and Address Protection – Paging
Fetch<2,12> will fetch 12th byte from memory address g.
- Paging provides alternative to segmentation.
- Pages divide the program into equal-sized pieces called pages, and memory is divided into equal-sized units, called page frames. For simplicity in implementation, the page size is kept as power of two. Usually in the range of 512 and 4096 bytes.
- Any address reference consists of < page, offset >.The address translation is same as in segmentation:A table is maintained by the operating system keeping track of user page numbers and their physical addresses occupied in memory. The pair
- < page, offset > gives page frame address referred by page portion by looking up a table. To get the actual physical address of the object, the offset portion is added to the page frame address.
- Fragmentation does not occur since all pages are of the same fixed size. Page in consideration fits in page those are available in memory. The address reference does not cross the boundary of a page.
- The number of bits in binary form of address indicated by < page, offset > is as per the address range. For 512 bytes range 8 bits are used. An offset beyond the end of a particular page results in a carry into the page portion of the address. This carry results in new address.
- Assume, a page has 1024 bytes size (1024 = 2 10 ). To address this size, each address needs 10 for the offset of each address. If 10 bits are used then address higher than 1023 is not generated. The immediate next memory word < x ,1023> causes a carry into the page portion, which causes translation of the address to the next page. The paging process verifies that a < page, offset > reference does not go out of the bound of maximum limit in terms of number of pages that a process is assigned.
Memory and Address Protection – Combined Paging with Segmentation
- The Multics operating system (implemented on a GE-645 machine) applied paging after performing segmentation. In this scheme, the programmer divides a program into logical segments. Every segment is partitioned into pages of fixed-size.
- In Multics, 18 bits are assigned to address of the segment name portion and offset is of 16-bits. Given these addresses, 1024-byte partitions are created.
- Paging proves to be efficient in implementation and segmentation provides mechanism for protection logically.
- The two approaches paging and segmentation have been combined.
- Paged segmentation is used in the IBM 390 family of mainframe systems.
you can view video on Operating System Memory Protection |
Suggested Reading:
- Cryptography and Network Security Principles and Practice by William Stallings, sixth Edition, PEARSON.
- Security in Computing by Charles Pfleeger & Shari Lawrence Pfleeger, fourth Edition, PEARSON.
- Network Security by Charlie Kaufman, Radia Perlman, Mike Speciner, second Edition, PHI.
- The Complete Reference – Network Security by Roberta Bragg, Mark Rhodes-Ousley & Keith Strassberg, Tata McGraw Hill
- Network Security Bible by Eric Cole, Ronald Krutz, James Conley, Wiley
- Hacking 6 Exposed by Stuart McClure, Joel Scambray & George Kurtz , Tata McGraw Hill .
- www.snort.org
- https://nmap.org