
e-PG Pathshala Information Technology Information security
Module 29: Operating System Memory Protection

• An operating system is a multiprogramming system that allows multiple users to work concurrently.
• The operating system is designed so that one user's computation cannot be intercepted by a malicious user.
• For this purpose, the operating system provides the following facilities:
1. Memory protection
2. File protection
3. General control over how objects are accessed
4. User authentication

Memory and Address Protection
• Memory protection in a multiprogramming system prevents other programs from interfering with a user's program.
• The hardware is designed to provide memory protection.

Memory and Address Protection – Fixed Fence
Figure: fixed fence. Addresses 0 to n hold the operating system, the hardware address n defines the limit, and addresses n+1 up to the upper limit are memory space for the user program.
• A fence defines a boundary on one side and restricts the user to the other side.
• The fence address is fixed. The operating system resides on one side and the user works on the other side of the fence.
• This implementation was restrictive: the operating system always occupied a predefined amount of space, whether it was needed or not.

Memory and Address Protection – Variable Fence Register
Figure: variable fence register, shown with two settings. In one, the operating system occupies addresses 0 to n, the hardware register holds n and user program space runs from n+1 to the upper limit; in the other, the operating system occupies 0 to p, the register holds p and user space runs from p+1 to the upper limit.
• The hardware provides a register, termed the fence register, that holds the address at which the operating system ends.
• This scheme differs from the fixed fence in that the location of the fence can change.
• For every data modification request by a user program, the address referred to is checked against the address held in the fence register.
If the address is above the fence address, it falls in the user area and the instruction is executed. If the address is below the fence address, it penetrates the operating system area and a fault is raised.

Variable Fence Register – Limitation
A fence register draws the boundary between the operating system and the users. The fence cannot prevent one user from penetrating the area of another user.

Memory and Address Protection – Relocation
• The relocation process takes a program written as if its first instruction were at address 0 and replaces the remaining addresses with the actual addresses in memory at which the program resides.
• A constant relocation factor is added to every address to obtain the actual address. The first address of the program becomes the value of the relocation factor.
• The fence register acts as a relocation device defined in hardware: to generate an address, the contents of the fence register are read and added to the address in each instruction of the program.

Memory and Address Protection – Base/Bounds Registers
• A fence register marks the beginning but not the end of memory: it specifies the lower bound but not the upper limit.
• An upper limit makes it possible to count the available space and check that an overflow does not lead into "forbidden" areas.
Figure: base/bounds registers. Addresses 0 to n hold the operating system. User1's base register holds n+1 and its bound register holds x, so its program space runs from n+1 to x; User2's base is x+1 and its bound is y; User3's space runs from y+1 to the upper limit.
• The bounds register marks the upper address limit and a base (or fence) register marks the lower address limit.
• The address generated for a program is necessarily above the base address, because the contents of the base register are added to the address assigned in the program.
• Each address is also checked against the bounds address to make sure that it is below the bounds address. This protects a program's addresses from modification by other users.
• When the operating system switches from one user's program to another's, the contents of the base and bound registers are changed to reflect the actual address space assigned to the current user. This is called a context switch: the operating system transfers control from the current user to another user.
• A user error occurs in the following situations:
1) An array subscript refers to an element that is out of range.
2) An undefined variable is used in an executable instruction and refers to an address lying in the user's space.
3) A user accidentally stores data in the memory area of instructions, destroying the user's own program.
• To solve the problem of overwriting instructions with data, one more pair of base/bounds registers is used: one register pair covers the program's instructions (code) and the other covers its data space. When instructions are to be executed, their relocated address is checked against the first register pair; all data accesses (operands of instructions) are checked against the second pair.
Figure: memory with two register pairs per user. After the operating system come User1's code space, data spaces for User2, User1 and User3, and User2's code space; a program base/program bound pair brackets a user's code space and a data base/data bound pair brackets its data space.

Memory and Address Protection – Tagged Architecture
• In a tagged architecture, three or more register pairs are allocated: one for code, one for read-only data, and one for data values that can be modified.
• In some cases only some data values, not all, need to be protected.
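As an added illustration (not code from the module), the register-pair checks described above, including the three-pair extension, as a small C model. It assumes the bound register holds the first address beyond the region; the region and function names are constructed.

```c
#include <stdint.h>

/* Constructed model of base/bounds protection with three register pairs:
 * code, read-only data and modifiable data. Assumption: a bound register
 * holds the first address NOT owned by the region. */
typedef struct { uint32_t base, bound; } reg_pair;
typedef struct { reg_pair code, rodata, data; } process_regs;

enum region { CODE, RODATA, DATA };   /* which register pair an access names */
enum op     { FETCH, LOAD, STORE };   /* what the instruction does with it */

/* The hardware registers currently loaded; reloaded on every context switch. */
static process_regs cur;

process_regs make_regs(uint32_t cb, uint32_t ce, uint32_t rb, uint32_t re,
                       uint32_t db, uint32_t de) {
    process_regs p = { {cb, ce}, {rb, re}, {db, de} };
    return p;
}

/* Context switch: the OS loads the register contents of the next user. */
void context_switch(process_regs next) { cur = next; }

/* Check one access. The region picks the register pair, the operation must
 * be permitted there, and the relocated address must stay below the bound.
 * Returns the physical address, or -1 to signal a protection fault. */
int64_t user_access(enum region reg, enum op kind, uint32_t vaddr) {
    reg_pair r = reg == CODE ? cur.code : reg == RODATA ? cur.rodata : cur.data;
    if (kind == FETCH && reg != CODE) return -1;   /* data is never executed */
    if (kind == STORE && reg != DATA) return -1;   /* code/read-only data never written */
    uint64_t paddr = (uint64_t)r.base + vaddr;     /* relocation: add the base */
    return paddr < r.bound ? (int64_t)paddr : -1;  /* overflow past the bound faults */
}
```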
• A programmer may allow certain data values to be modified while the program is initializing but not allow the program to modify them at a later stage, which ensures their integrity.
• A programmer may invoke a shared subprogram from a common library.
• Base/bounds registers create an all-or-nothing environment for sharing: either a program is allowed to access and modify data, or all accesses are prohibited.
• Suppose there are four resources P, Q, R and S. A procedure wants to share data items P, Q and R with one module; P, R and S with a second module; and P, Q and S with a third module. Each of these sets would have to be stored in contiguous space to be shared effectively. If the data items are large records, arrays or structures, this solution is infeasible.
• In a tagged architecture, one or more extra bits of information are attached to each word of machine memory so that the access rights to that word can be identified. Only the operating system can set these access bits. The bits are tested every time an instruction accesses that location.
Figure: tagged memory. Adjacent words carry different tags: R 0001 (read only), RW 0099 (read/write), R 3099 (read only), X (execute only). Execute-only access is given to one memory location, read-only data access to another and write access to a third; two adjacent locations possess different access rights.
• A tagged architecture makes operating system code prohibitively expensive. Nevertheless, implementing a tagged architecture has proven feasible because memory has become cheap.

Memory and Address Protection – Segmentation
Figure: logical arrangement of program segments (MAIN, Function, Data_segment) versus their physical placement: after the operating system, this program's Data_segment, MAIN and Function are interleaved with segments used by other programs.
• In segmentation, a program is divided into separate parts.
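As an added example (not code from the module), per-word tag bits as described above, in a C model that reproduces the figure's layout and the "modifiable during initialization, read-only afterwards" case. The tag names, word count and function names are constructed.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed model of tagged memory: every word carries access bits that
 * only the operating system may set; every user access tests those bits. */
enum { TAG_R = 1, TAG_W = 2, TAG_X = 4 };
enum { MEM_WORDS = 8 };

typedef struct { uint8_t tag; uint32_t value; } tagged_word;
static tagged_word mem[MEM_WORDS];

/* Privileged operations: the OS alone sets tags and loads initial contents. */
void os_set_tag(unsigned addr, uint8_t tag)   { if (addr < MEM_WORDS) mem[addr].tag = tag; }
void os_load_word(unsigned addr, uint32_t v)  { if (addr < MEM_WORDS) mem[addr].value = v; }
/* After initialization: drop the write bit so the value becomes read-only. */
void os_seal_word(unsigned addr) { if (addr < MEM_WORDS) mem[addr].tag &= (uint8_t)~TAG_W; }

/* Unprivileged accesses. A read returns the value or -1 on a protection
 * fault; writes and execute checks report whether the access was permitted. */
int64_t user_read(unsigned addr) {
    if (addr >= MEM_WORDS || !(mem[addr].tag & TAG_R)) return -1;
    return mem[addr].value;
}
bool user_write(unsigned addr, uint32_t v) {
    if (addr >= MEM_WORDS || !(mem[addr].tag & TAG_W)) return false;
    mem[addr].value = v;
    return true;
}
bool user_execute(unsigned addr) {
    return addr < MEM_WORDS && (mem[addr].tag & TAG_X) != 0;
}

/* Layout from the figure: adjacent words with different rights,
 * R 0001, RW 0099, R 3099, X (execute only). */
void load_example_layout(void) {
    os_load_word(0, 1);    os_set_tag(0, TAG_R);
    os_load_word(1, 99);   os_set_tag(1, TAG_R | TAG_W);
    os_load_word(2, 3099); os_set_tag(2, TAG_R);
    os_load_word(3, 0);    os_set_tag(3, TAG_X);
}
```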
Each part groups related code or data values and forms a logical unit.
• For example, a segment may represent a specific module consisting of the code belonging to a procedure, an array of data items, or the collection of all the local data items.
• Segmentation divides a program and assigns access rights to its parts.
• Each segment is identified by a unique name. Within a segment, a code or data item is addressed as the pair <name, offset>, where name is the name of the segment holding the item and offset is its location within the segment (the offset from the start of the segment).
• The operating system keeps a table in memory holding segment names and their actual addresses.
• An address in a program is referred to as <name, offset>. The operating system looks up the segment in the directory holding segment information and reads its starting memory address. To get the actual address of the code or data item, the operating system adds the offset.
• The operating system keeps a segment address table for each executing process. The same segment can be shared by two processes; in that case, each process keeps the segment's name and address in its own segment table.
• A user program is not aware of the actual physical memory addresses used to access a segment. Hiding the physical addresses is advantageous to the operating system:
1) The operating system decides where to place a segment and can move it to another location, even while the program is executing. The operating system resolves all address references through the segment address table, so if a segment is moved, only the address in that one table is changed.
2) A segment that is not in use can be moved from main memory to an auxiliary device.
3) Every address reference passes through the operating system, so the operating system can check each one for protection.
The segmentation process uses both hardware and software.

Benefits of Segmentation
Each address reference can be verified for protection. Different levels of protection can be assigned to different classes of data items.
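As an added example (not code from the module), the per-process segment address table described above, in C: <name, offset> translation with an offset check, a segment shared by two processes, and relocation of a segment by changing only its table entry. Segment names follow the figure; lengths, addresses and function names are constructed.

```c
#include <string.h>
#include <stdint.h>

/* Constructed model of per-process segment address tables. A program
 * addresses every item as <name, offset>; only the OS tables know where
 * each segment physically sits. */
#define MAX_SEGS 8
typedef struct { const char *name; uint32_t start, length; } seg_entry;
typedef struct { seg_entry seg[MAX_SEGS]; int count; } seg_table;

/* One table per executing process (two processes in this example). */
static seg_table proc1, proc2;

static seg_entry *find(seg_table *t, const char *name) {
    for (int i = 0; i < t->count; i++)
        if (strcmp(t->seg[i].name, name) == 0) return &t->seg[i];
    return NULL;
}

/* OS: register a segment in a process's table (0 on success, -1 on error). */
int os_add_segment(seg_table *t, const char *name, uint32_t start, uint32_t length) {
    if (t->count == MAX_SEGS || find(t, name)) return -1;
    t->seg[t->count++] = (seg_entry){ name, start, length };
    return 0;
}

/* OS: relocate a segment. Only this table entry changes; the program's
 * <name, offset> references stay valid. */
int os_move_segment(seg_table *t, const char *name, uint32_t new_start) {
    seg_entry *s = find(t, name);
    if (!s) return -1;
    s->start = new_start;
    return 0;
}

/* Translate <name, offset> to a physical address. An unknown segment or an
 * offset beyond the segment's length is a protection fault (-1). */
int64_t seg_translate(seg_table *t, const char *name, uint32_t offset) {
    seg_entry *s = find(t, name);
    if (!s || offset >= s->length) return -1;
    return (int64_t)s->start + offset;
}

/* Layout from the figure: proc1 owns MAIN, Function and Data_segment;
 * proc2 shares Data_segment, so both tables carry the same address for it. */
void load_example_layout(void) {
    os_add_segment(&proc1, "MAIN",         5000, 1000);
    os_add_segment(&proc1, "Function",     7000,  500);
    os_add_segment(&proc1, "Data_segment", 9000, 4096);
    os_add_segment(&proc2, "Data_segment", 9000, 4096);
}
```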