DOCSLIB.ORG

Automated Verification of RISC-V Kernel Code

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Automated Verification of RISC-V Kernel Code Automated Verification of RISC-V Kernel Code Project Report Antoine Kaufmann June 10, 2016 1 Introduction 2. yield syscall: stores current state in kernel’s state for the process, switches to next application, and re- The longer term goal for this project is to investigate au- stores next application’s state. tomated verification of an exokernel[1]/microkernel. As- suming hardware virtualization support on the CPU as 3. sbrk syscall: if possible allocate additional memory well as I/O devices, very few operations actually need to to the application else return correct error code. be mediated by the kernel [3]. And the parts that do need 4. memory isolation: after boot and every system call, to be executed as privileged kernel code perform simple all application’s memory remains isolated. operations. Most of those operations will interact closely with hardware, be it to modify CPU control registers, or We chose the RISC-V architecture for this project be- to program an IOMMU. Because of this there is only cause it provides the required functionality but as a clean very little code where a high-level language would pro- slate approach also has a relatively compact specification. vide any benefits for implementation or verification. Thus Also useful for this project in particular is that it provides we choose to verify the kernel at the machine code level simpler mechanisms for memory access control that are for this project, and for reasons of simplicity we selected suited for embedded systems. In addition to regular vir- the RISC-V instruction set architecture [4] as our target. tual memory based on page tables, RISC-V provides sim- Code paths through our kernel are generally simple con- plified segmentation where just a single base address and sisting of few conditionals and no unbounded loops. This limit are specified for the memory accessible to the appli- makes our kernel code a good candidate for automated cation. To verify the kernel at a machine code level, we verification techniques, and SMT solvers in particular. built a Z3 model for all required instructions, their encod- For this class project we will limit ourselves to a sim- ing, and also control registers influencing execution. plified kernel as follows: All applications are already as- The rest of this report is structured as follows: Section 2 sumed to be loaded into memory prior to kernel initial- presents the RISC-V CPU model. Then section 3 de- ization, and a kernel configuration describing where they scribes our kernel including its specification, implemen- are located is passed to the kernel in memory. The kernel tation, and our verification effort and results. Finally sec- only implements two system calls: yield for switching tion 4 discusses some possible future work. between processes, and sbrk for allocating and freeing memory. One important property that an operating sys- tem needs to provide to enable reasoning about end-to-end 2 RISC-V CPU Model correctness of applications running on top of it is memory isolation. If an application cannot depend on its code and In order to be able to reason about kernel code at the data remaining unchanged at run time, any verification of machine code level, we need a model that captures how it’s properties will become impossible or at least much to execute those instructions. This section presents our more challenging. For the class project we aim to prove CPU model in Z3, discusses how we validated it, and the the following properties about the kernel: model’s current limitations. RISC-V is a modular ISA, that consists of a base in- 1. Initialization: if a valid configuration is provided the struction set to which various extensions can be added, kernel will boot to user space and start executing e.g. multiplication/division, floating point, or atomic the first application. At this point the kernel’s in- memory operations. We specify the RV64-I instructions, memory state corresponds to the configuration. which are the 64 bit core instructions. These consist of 1 control flow instructions, memory operations, linear arith- def split(self , cond, then f , e l s e f , metic, and bit operations. In addition we also implement ∗ a r g s ) : parts of the RISC-V privileged architecture, that provides assert self.split c o n d i s None the necessary mechanisms, for running a kernel with mul- tiple applications, including control transfers and memory # Check i f we know which branch to protection. Our model currently only implements a sub- t a k e set of the privileged architecture. In particular we only cc, sc = check cond(cond, self.s) implement the machine and user privilege levels and sim- s = s e l f . s ple base and bounds memory protection, that can restrict i f cc == True : user code to a contiguous segment of physical memory. t h e n f ( s e l f , ∗ a r g s ) This simpler memory protection scheme only requires two elif cc == False: CPU registers and does not require parsing of page tables. e l s e f ( s e l f , ∗ a r g s ) e l s e : 2.1 SMT Model t ms = s e l f . copy ( ) e ms = s e l f . copy ( ) Below we describe our SMT model that captures the full machine state and how it is modified by instruction. s e l f . s p l i t c o n d = sc s e l f . s p l i t t h e n = t ms s e l f . s p l i t e l s e = e ms 2.1.1 Symbolic Execution s e l f . mem = None For our first try we started out building a pure Z3 expres- s e l f . cpu = None sion that, given the initial machine state, captures the full process of fetching an instruction, decoding it, executing s . push ( ) it, represents the modified machine state. We then chained s . add ( sc ) those expressions together to execute multiple instruc- t h e n f ( t ms , ∗ a r g s ) tions, while using Z3’s simplify tactic to cut down the ex- s . pop ( ) pressions to only reachable parts for scenarios where most of the state was concrete. For executing simple sequences s . push ( ) of instructions without conditional branches from a fully s.add(Not(sc)) concrete state this approach worked reasonably well, be- e l s e f ( e ms , ∗ a r g s ) cause Z3 can basically just evaluate the expression. How- s . pop ( ) ever we quickly found for slightly more complicated in- structions sequences that this approach often leads to huge Figure 1: Method in our state class for generating condi- expressions because simplify is not always able to decide tional expressions. It takes a condition, the two functions conditionals in the expressions, even when Z3 itself actu- that operate on the respective branches, as well as a set of ally has sufficient information to choose a branch. If this arguments to pass to the branches. happens for the program counter, then building up the next step of instructions is then generally not able to simplify at d e f condbranch(ms, instr , cond): all, leading to a huge expression catching all possible in- pc = ms.cpu.read p c ( ) structions, even if in fact only one instruction is possible. d e f t h e n f ( ms t, instr, pc): This results in huge performance problems, and in prac- ms t.cpu.write pc(pc + instr. tice lead to Z3 no longer being able to prove even simple imm sextx ( ) ) things about such concrete sequences of instructions. d e f e l s e f ( ms f, instr, pc): Therefor we adapted our model to use a symbolic exe- ms f.cpu.write p c ( pc + 4) cution approach. So for all conditionals in the expression ms.split(cond, then f , e l s e f , we use Z3 to determine which branches are reachable, and i n s t r , pc ) then only generating separate expressions for the reach- able branches remembering the path condition for each. With this we basically build up expressions top down, Figure 2: Function that implements handling for condi- and only actually build parts of the expression that will tional jump instructions based on our state split mecha- be needed for evaluation. This basically means that we nism. 2 are now no longer operating on a single expression repre- senting the current state, but on a set of expressions cap- mem sort = ArraySort(mach b v s or t , turing possible state, and then potentially splitting indi- b y t e b v s o r t ) vidual expressions whenever a non-decidable conditional c p u s t a t e sort = Datatype(’CPUState’) occurs. Figure 1 shows the code in our state class for han- c p u s t a t e sort.declare(’cpu s t a t e ’ , dling this splitting of the state based on which branches ( ’ pc ’ , m a c h b v s o r t ) , are reachable Unfortunately this splitting of expressions (’regs’, ArraySort(regidx s o r t makes code somewhat harder to write, because separate , m a c h b v s o r t ) ) , functions for generating the individual branches need to # trap setup csrs be provided, and after splitting, the state can no longer ( ’ c s r mstatus’, mach b v s o r t ) , be directly modified, but we provide a do with method ( ’ c s r mtvec’, BitVecSort(xlen that applies a function to each child state recursively.
Load more

Recommended publications
  • Security and Performance Analysis of Custom Memory Allocators Tiffany
    Security and Performance Analysis of Custom Memory Allocators by Tiffany Tang Submitted to the Department of Electrical Engineering and Computer Science in partial fulfillment of the requirements for the degree of Master of Engineering in Electrical Engineering and Computer Science at the MASSACHUSETTS INSTITUTE OF TECHNOLOGY September 2019 c Massachusetts Institute of Technology 2019. All rights reserved. Author.............................................................. Department of Electrical Engineering and Computer Science June 10, 2019 Certified by. Howard E. Shrobe Principal Research Scientist and Associate Director of Security, CSAIL Thesis Supervisor Certified by. Hamed Okhravi Senior Technical Staff, MIT Lincoln Laboratory Thesis Supervisor Accepted by . Katrina LaCurts, Chair, Masters of Engineering Thesis Committee 2 DISTRIBUTION STATEMENT A. Approved for public release. Distribution is unlimited. This material is based upon work supported by the Assistant Secretary of Defense for Research and Engineering under Air Force Contract No. FA8702-15-D-0001. Any opinions, findings, conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Assistant Secre- tary of Defense for Research and Engineering. 3 Security and Performance Analysis of Custom Memory Allocators by Tiffany Tang Submitted to the Department of Electrical Engineering and Computer Science on June 10, 2019, in partial fulfillment of the requirements for the degree of Master of Engineering in Electrical Engineering and Computer Science Abstract Computer programmers use custom memory allocators as an alternative to built- in or general-purpose memory allocators with the intent to improve performance and minimize human error. However, it is difficult to achieve both memory safety and performance gains on custom memory allocators.
    [Show full text]
  • CSE421 Midterm Solutions —SOLUTION SET— 09 Mar 2012
    CSE421 Midterm Solutions —SOLUTION SET— 09 Mar 2012 This midterm exam consists of three types of questions: 1. 10 multiple choice questions worth 1 point each. These are drawn directly from lecture slides and intended to be easy. 2. 6 short answer questions worth 5 points each. You can answer as many as you want, but we will give you credit for your best four answers for a total of up to 20 points. You should be able to answer the short answer questions in four or five sentences. 3. 2 long answer questions worth 20 points each. Please answer only one long answer question. If you answer both, we will only grade one. Your answer to the long answer should span a page or two. Please answer each question as clearly and succinctly as possible. Feel free to draw pic- tures or diagrams if they help you to do so. No aids of any kind are permitted. The point value assigned to each question is intended to suggest how to allocate your time. So you should work on a 5 point question for roughly 5 minutes. CSE421 Midterm Solutions 09 Mar 2012 Multiple Choice 1. (10 points) Answer all ten of the following questions. Each is worth one point. (a) In the story that GWA (Geoff) began class with on Monday, March 4th, why was the Harvard student concerned about his grade? p He never attended class. He never arrived at class on time. He usually fell asleep in class. He was using drugs. (b) All of the following are inter-process (IPC) communication mechanisms except p shared files.
    [Show full text]
  • Paging: Smaller Tables
    20 Paging: Smaller Tables We now tackle the second problem that paging introduces: page tables are too big and thus consume too much memory. Let’s start out with a linear page table. As you might recall1, linear page tables get pretty 32 12 big. Assume again a 32-bit address space (2 bytes), with 4KB (2 byte) pages and a 4-byte page-table entry. An address space thus has roughly 232 one million virtual pages in it ( 212 ); multiply by the page-table entry size and you see that our page table is 4MB in size. Recall also: we usually have one page table for every process in the system! With a hundred active processes (not uncommon on a modern system), we will be allocating hundreds of megabytes of memory just for page tables! As a result, we are in search of some techniques to reduce this heavy burden. There are a lot of them, so let’s get going. But not before our crux: CRUX: HOW TO MAKE PAGE TABLES SMALLER? Simple array-based page tables (usually called linear page tables) are too big, taking up far too much memory on typical systems. How can we make page tables smaller? What are the key ideas? What inefficiencies arise as a result of these new data structures? 20.1 Simple Solution: Bigger Pages We could reduce the size of the page table in one simple way: use bigger pages. Take our 32-bit address space again, but this time assume 16KB pages. We would thus have an 18-bit VPN plus a 14-bit offset.
    [Show full text]
  • Virtual Memory Basics
    Operating Systems Virtual Memory Basics Peter Lipp, Daniel Gruss 2021-03-04 Table of contents 1. Address Translation First Idea: Base and Bound Segmentation Simple Paging Multi-level Paging 2. Address Translation on x86 processors Address Translation pointers point to objects etc. transparent: it is not necessary to know how memory reference is converted to data enables number of advanced features programmers perspective: Address Translation OS in control of address translation pointers point to objects etc. transparent: it is not necessary to know how memory reference is converted to data programmers perspective: Address Translation OS in control of address translation enables number of advanced features pointers point to objects etc. transparent: it is not necessary to know how memory reference is converted to data Address Translation OS in control of address translation enables number of advanced features programmers perspective: transparent: it is not necessary to know how memory reference is converted to data Address Translation OS in control of address translation enables number of advanced features programmers perspective: pointers point to objects etc. Address Translation OS in control of address translation enables number of advanced features programmers perspective: pointers point to objects etc. transparent: it is not necessary to know how memory reference is converted to data Address Translation - Idea / Overview Shared libraries, interprocess communication Multiple regions for dynamic allocation
    [Show full text]
  • The RISC-V Instruction Set Manual, Volume II: Privileged Architecture, Version 1.10”, Editors Andrew Waterman and Krste Asanovi´C,RISC-V Foundation, May 2017
    The RISC-V Instruction Set Manual Volume II: Privileged Architecture Privileged Architecture Version 1.10 Document Version 1.10 Warning! This draft specification may change before being accepted as standard by the RISC-V Foundation. While the editors intend future changes to this specification to be forward compatible, it remains possible that implementations made to this draft specification will not conform to the future standard. Editors: Andrew Waterman1, Krste Asanovi´c1;2 1SiFive Inc., 2CS Division, EECS Department, University of California, Berkeley [email protected], [email protected] May 7, 2017 Contributors to all versions of the spec in alphabetical order (please contact editors to suggest corrections): Krste Asanovi´c,Rimas Aviˇzienis,Jacob Bachmeyer, Allen J. Baum, Paolo Bonzini, Ruslan Bukin, Christopher Celio, David Chisnall, Anthony Coulter, Palmer Dabbelt, Monte Dal- rymple, Dennis Ferguson, Mike Frysinger, John Hauser, David Horner, Olof Johansson, Yunsup Lee, Andrew Lutomirski, Jonathan Neusch¨afer,Rishiyur Nikhil, Stefan O'Rear, Albert Ou, John Ousterhout, David Patterson, Colin Schmidt, Wesley Terpstra, Matt Thomas, Tommy Thorn, Ray VanDeWalker, Megan Wachs, Andrew Waterman, and Reinoud Zandijk. This document is released under a Creative Commons Attribution 4.0 International License. This document is a derivative of the RISC-V privileged specification version 1.9.1 released under following license: c 2010{2017 Andrew Waterman, Yunsup Lee, Rimas Aviˇzienis,David Patterson, Krste Asanovi´c.Creative Commons Attribution 4.0 International License. Please cite as: \The RISC-V Instruction Set Manual, Volume II: Privileged Architecture, Version 1.10", Editors Andrew Waterman and Krste Asanovi´c,RISC-V Foundation, May 2017. Preface This is version 1.10 of the RISC-V privileged architecture proposal.
    [Show full text]
  • • Programs • Processes • Context Switching • Protected Mode Execution • Inter-Process Communication • Threads
    • Programs • Processes • Context Switching • Protected Mode Execution • Inter-process Communication • Threads 1 Running Dynamic Code • One basic function of an OS is to execute and manage code dynamically, e.g.: – A command issued at a command line terminal – An icon double clicked from the desktop – Jobs/tasks run as part of a batch system (MapReduce) • A process is the basic unit of a program in execution 2 How to Run a Program? • When you double-click on an .exe, how does the OS turn the file on disk into a process? • What information must the .exe file contain in order to run as a program? 3 Program Formats • Programs obey specific file formats – CP/M and DOS: COM executables (*.com) – DOS: MZ executables (*.exe) • Named after Mark Zbikowski, a DOS developer – Windows Portable Executable (PE, PE32+) (*.exe) • Modified version of Unix COFF executable format • PE files start with an MZ header. Why? – Unix/Linux: Executable and Linkable Format (ELF) – Mac OSX: Mach object file format (Mach-O) 4 test.c #include <stdio.h> int big_big_array[10 * 1024 * 1024]; char *a_string = "Hello, World!"; int a_var_with_value = 100; int main(void) { big_big_array[0] = 100; printf("%s\n", a_string); a_var_with_value += 20; printf("main is : %p\n", &main); return 0; } 5 ELF File Format • ELF Header – Contains compatibility info – Entry point of the executable code • Program header table – Lists all the segments in the file – Used to load and execute the program • Section header table – Used by the linker 6 ELF Header Format• Entry point of typedef struct
    [Show full text]
  • EECS 482 Introduction to Operating Systems
    EECS 482 Introduction to Operating Systems Fall 2019 Baris Kasikci Slides by: Harsha V. Madhyastha Base and bounds ● Load each process into contiguous region of physical memory • Prevent process from accessing data outside its region • Base register: starting physical address physical • Bound register: size of region memory base + bound virtual bound memory base 0 0 February 20, 2019 EECS 482 – Lecture 12 2 Base and bounds ● Pros? • Fast • Simple hardware support ● Cons? • Virtual address space limited by physical memory • No controlled sharing • External fragmentation February 20, 2019 EECS 482 – Lecture 12 3 Base and bounds ● Can’t share part of an address space between processes physical memory data (P2) virtual virtual address address space 1 data (P1) space 2 data code data code code February 20, 2019 EECS 482 – Lecture 12 4 External fragmentation ● Processes come and go, leaving a mishmash of available memory regions • Wasted memory between allocated regions P1 P2 P5 P3 P4 February 20, 2019 EECS 482 – Lecture 12 5 Growing address space physical memory base + bound virtual bound memory base Stack 0 Heap 0 How can stack and heap grow independently? February 20, 2019 EECS 482 – Lecture 12 6 Segmentation ● Divide address space into segments ● Segment: region of memory contiguous in both physical memory and in virtual address space • Multiple segments of memory with different base and bounds. February 20, 2019 EECS 482 – Lecture 12 7 Segmentation virtual physical memory memory segment 3 fff 46ff code stack 4000 0 virtual memory 2fff
    [Show full text]
  • CS5460: Operating Systems
    CS5460: Operating Systems Lecture 13: Memory Management (Chapter 8) CS 5460: Operating Systems Where are we? Basic OS structure,• HW/SW interface, interrupts, scheduling • •Concurrency • Memory management Storage management Other topics CS 5460: Operating Systems Example Virtual Address Space 0xFFFFFFFF Typical address space has 4 parts User stack segment SP – Code: binary image of program – Data: static variables (globals) HP – Heap : explicitly allocated data (malloc) User heap – Stack: implicitly allocated data User Kernel mapped into all processes User data segment MMU hardware: PC User code segment – Remaps virtual addresses to physical 0x80000000 – Supports read-only, supervisor-only Kernel heap – Detects accesses to unmapped regions How can we load two processes Kernel data segment into memory at same time? – Assume each has similar layout Kernel Kernel code segment 0x00000000 CS 5460: Operating Systems Mapping Addresses How can process (virtual) addresses be mapped to physical addresses? – Compile time: Compiler generates physical addresses directly » Advantages: No MMU hardware, no runtime translation overhead » Disadvantages: Inflexible, hard to multiprogram, inefficient use of DRAM – Load time: OS loader “fixes” addresses when it loads program » Advantages: Can support static multiprogramming » Disadvantages: MMU hardware, inflexible, hard to share data, … – Dynamic: Compiler generates address, but OS/HW reinterpret » Advantages: Very flexible, can use memory efficiently » Disadvantages: MMU hardware req’d, runtime
    [Show full text]
  • Automated Verification of RISC-V Kernel Code
    Automated Verification of RISC-V Kernel Code Antoine Kaufmann Big Picture ● Micro/exokernels can be viewed as event-driven ○ Initialize, enter application, get interrupt/syscall, repeat ● Interrupt/syscall handlers are bounded ● Most of the code fiddles with low-level details in some way ○ -> messy, high level language does not help Idea: ● Use SMT solver on instructions and spec ○ (And see how far we get) Overview 1. RISC-V Z3 model 2. Kernel + Proof RISC-V ● Free modular ISA from Berkeley ● Clean slate, compact, and no legacy features ○ 100 pages of spec for user instructions (including extensions) ○ 60 pages for kernel features ● 62 Core RV64-I instructions ○ Basic register operations, branches, linear arithmetic, bit ops ● Supports full blown virtual memory, or base+bounds RISC-V SMT Model Status ● Only 8 RV64-I instructions still missing: ○ fence(i), rdcycle(h), rdtime(h), rdinstrret(h) ● Supported kernel features: ○ Transfers between protection levels: syscall/traps ○ Base and bounds virtual memory ● Missing kernel features: ○ Modelling interrupt causes ○ More than 2 privilege levels ○ Full page table based virtual memory ● Runs (and passes) provided riscv-tests for instructions ○ -> Demo Model: The first attempt ● Pure Z3 expressions for fetch and exec of instructions ○ fetch_and_exec :: machine state -> machine state ● Having pure Z3 expressions everywhere is convenient ● Use simplify after every step to keep compact ● But: Non-trivial Conditional branches cause blow-up ○ Simplify won’t be able to cut down much in next step ○ Expressions
    [Show full text]
  • Operating Systems Principles and Practice, Volume 3: Memory
    Operating Systems Principles & Practice Volume III: Memory Management Second Edition Thomas Anderson University of Washington Mike Dahlin University of Texas and Google Recursive Books recursivebooks.com Operating Systems: Principles and Practice (Second Edition) Volume III: Memory Management by Thomas Anderson and Michael Dahlin Copyright ©Thomas Anderson and Michael Dahlin, 2011-2015. ISBN 978-0-9856735-5-0 Publisher: Recursive Books, Ltd., http://recursivebooks.com/ Cover: Reflection Lake, Mt. Rainier Cover design: Cameron Neat Illustrations: Cameron Neat Copy editors: Sandy Kaplan, Whitney Schmidt Ebook design: Robin Briggs Web design: Adam Anderson SUGGESTIONS, COMMENTS, and ERRORS. We welcome suggestions, comments and error reports, by email to [email protected] Notice of rights. All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form by any means — electronic, mechanical, photocopying, recording, or otherwise — without the prior written permission of the publisher. For information on getting permissions for reprints and excerpts, contact [email protected] Notice of liability. The information in this book is distributed on an “As Is" basis, without warranty. Neither the authors nor Recursive Books shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information or instructions contained in this book or by the computer software and hardware products described in it. Trademarks: Throughout this book trademarked names are used. Rather than put a trademark symbol in every occurrence of a trademarked name, we state we are using the names only in an editorial fashion and to the benefit of the trademark owner with no intention of infringement of the trademark.
    [Show full text]
  • Virtual Memory
    Fall 2017 :: CSE 306 Introduction to Virtual Memory Nima Honarmand (Based on slides by Prof. Andrea Arpaci-Dusseau) Fall 2017 :: CSE 306 Motivating Virtual Memory • (Very) old days: Uniprogramming — only one process existed at a time • “OS” was little more than a library occupying the beginning of the memory 0 OS Code Physical Memory Heap User Process Stack 2n-1 • Advantage: • Simplicity — No virtualization needed • Disadvantages: • Only one process runs at a time • Process can destroy OS Fall 2017 :: CSE 306 Goals for Multiprogramming • Transparency • Processes are not aware that memory is shared • Works regardless of number and/or location of processes • Protection • Cannot corrupt OS or other processes • Privacy: Cannot read data of other processes • Efficiency • Low run-time overhead • Do not waste memory resources • Sharing • Cooperating processes should be able to share portions of address space Fall 2017 :: CSE 306 Abstraction: Address Space • Address space: Each process’ view of its own memory range • Set of addresses that map to bytes 0 Code • Problem: how can OS provide Heap illusion of private address space to each process? Stack • Address space has static and 2n-1 dynamic components • Static: Code and some global variables • Dynamic: Stack and Heap Fall 2017 :: CSE 306 How to Virtualize Memory? • Problem: How to run multiple processes concurrently? • Addresses are “hard-coded” into program binaries • How to avoid collisions? Fall 2017 :: CSE 306 How to Virtualize Memory? • Possible Solutions for Mechanisms: 1) Time Sharing
    [Show full text]
  • The Abstraction: Address Space
    Memory Management CMPU 334 – Operating Systems Jason Waterman Memory Virtualization • What is memory virtualization? • OS virtualizes its physical memory • OS provides an illusion of memory space per each process • It is as if each process can access the entire memory space • Benefits • Ease of use in programming • Memory efficiency in terms of time and space • The guarantee of isolation for processes as well as OS • Protection from errant accesses of other processes 9/16/21 CMPU 335 -- Operating Systems 2 Early OSes 0KB • Load only one process in memory Operating System (code, data, etc.) • Poor utilization and efficiency 64KB Current Program (code, data, etc.) max Physical Memory 9/16/21 CMPU 335 -- Operating Systems 3 Multiprogramming and Time Sharing 0KB • Load multiple processes in memory Operating System (code, data, etc.) • Execute one for a short while 64KB Free • Switch processes between them in memory 128KB Process C • Increase utilization and efficiency (code, data, etc.) 192KB Process B (code, data, etc.) 256KB • Causes an important protection issue Free • 320KB Errant memory accesses from other processes Process A (code, data, etc.) 384KB Free 448KB Free 512KB Physical Memory 9/16/21 CMPU 335 -- Operating Systems 4 Address Space • The OS creates an abstraction of physical 0KB Program Code memory 1KB • The address space contains all the information Heap about a running process 2KB • program code, heap, stack and etc. (free) 15KB Stack 16KB Address Space 9/16/21 CMPU 335 -- Operating Systems 5 Address Space(Cont.) • Code 0KB
    [Show full text]