Lecture 12: Hardware and Operating System protection mechanisms

1
Lecture 12 Hardware and Operating System
protection mechanisms

• We will cover
• computer system hardware and OS low level
  security mechanisms
• CPU, memory, I/O
• Reading - Pfleeger, chapter 4

2
Hardware protection mechanisms

• Can use previously introduced notion of items
  being owned by an owner and owner having the
  right to determine the usage permissions on the
  item - who can use what and how (when and where
  as well possibly)
• items may be hardware items as well as software
  and data i.e. the hardware of the computer system
  itself is owned and the owner has a right to
  determine the usage permissions to the hardware
  components for the users, the software that runs
  on users behalf and data stored by user

3

• so in general computer system needs to be able to
  control usage of various hardware items by users
  software and data
• Operating system may be seen as a manger that
  acts on behalf of the computer system owner to
  try and ensure among other things that the usage
  permissions that the owner wishes to give to
  users are not circumvented i.e. unauthorised
  usage of hardware components.
• hardware protection mechanisms are mechanisms
  that are designed to help OS enforce the usages
  that the hardware owners wish to have.

4

• hardware items that need protecting against
  unauthorised use
• CPU, memory, secondary storage, I/O devices
• I will do a quick tour of hardware and software
  mechanisms relevant, but from a security oriented
  perspective
• Essentially all hardware protection mechanisms
  work by integrating protection mechanism into the
  hardware access/usage mechanism and thus cannot
  be avoided

5
CPU

• CPU needs protection against its usage being
  hi-jacked by some process i.e. some process being
  able to run on CPU whenever it wants or once
  running on the CPU being able to prevent others
  from gaining access to it
• so OS must be able to control which process
  starts to run on CPU and how long the process
  runs for

6

• CPU can be protected from being used at will be
  user processes only if
• user process can only gain access to CPU by
  decision of OS
• OS can interrupt processing at pre-defined times
  - so OS can decide to continue running process or
  to run some other process
• this is facilitated by the use of interrupt
  mechanism
• interrupt - hardware signal that causes CPU to
  halt current instruction execution and switch to
  executing some other set of instructions

7

• the set of instructions to which the CPU switches
  - the Interrupt Service Routines (ISRs) - are
  located at given locations in memory. The
  locations of the ISRs are pointed at by a set of
  pointers called interrupt vectors in an interrupt
  vector table (also in memory) - which ISR is
  executed depends upon type of interrupt
  (interrupt identifies vector in vector table to
  use to deal with interrupt)
• after ISR has executed other code can be executed
  that is responsible for determining which process
  will next get access to CPU - dispatcher or
  scheduler

8

• as well as interrupts from I/O events a timer can
  be used which will generate regular interrupts to
  force currently executing process off the CPU and
  allow OS to run to determine whether to continue
  running that process or another
• now interrupt mechanism can only be used as a
  protection mechanism if
• 1. the interrupts cannot be turned off by user
  program (particularly timer interrupts)
• 2. the ISR code, dispatcher/scheduler code and
  vectors in vector table are only defined by OS
• 3. users cannot alter the code associated with an
  ISR and dispatcher or alter the vector which
  points CPU to code to be executed after an
  interrupt

9
Dual mode CPU operation

• 1. clearly means that at least some instructions
  must not be available to user program code to
  execute
• this leads to notion of dividing CPU instruction
  set into at least 2 sets -
• one set of all the instructions available to
  execute on CPU, including instructions which only
  the OS should be allowed to use (like
  manipulating interrupt settings) - called
  privileged instructions -
• the other set of user instructions which are a
  subset of instruction set of CPU which user code
  is restricted to use

10

• CPU hardware can provide support for this by
  being able to operate in 2 modes - a system mode
  which allows al instructions to be executed and a
  user mode which only allows the user subset of
  instructions to be executed.
• Mode bit added to computer hardware to indicate
  the current mode system (0) or user (1)
• can use interrupt mechanism to OS advantage by
  having CPU always switch to running in system
  mode (able to execute privileged instructions)
  when CPU is interrupted - so only code running
  after an interrupt has occurred can use
  privileged instructions i.e. ISR, scheduler,
  (other parts of OS)

11

• When an interrupt occurs hardware switches to
  system mode - when OS restarts user program it
  switches it to user mode.
• question is how to ensure that only OS can
  execute in system mode and use privileged
  instructions and ensure user programs cannot
• At system start only OS is running - in system
  mode
• just before running a user program OS switches
  CPU to user mode
• user program then runs - in user mode
• changing mode bit is a privileged instruction
• CPU goes into system mode only when an interrupt
  occurs

12
Memory Protection

• ISRs, dispatcher and vector table are all in
  memory - thus it is important to protect parts of
  memory from being accessed by user processes
• this highlights the situation that protection
  mechanisms are not independent but
  interdependent, a weakness in one may undermine
  the security provided by another

13

• One mechanism to provide memory protection - add
  two registers that determine the range of legal
  addresses a program may access
• base register holds the smallest legal physical
  memory address.
• limit register contains the size of the range.
• Attempt to access memory outside range causes an
  error interrupt to O/S to deal with problem

14
Example Memory Protection
15

• When executing in system mode, the operating
  system has unrestricted access to all of memory -
  OS and each users memory.
• The load instructions for the base and limit
  registers need to be privileged instructions.

16

• Although with base limit registers we can
  restrict a programs access to memory it is not
  very flexible - in that it simply divides memory
  into one contiguous lump that a program can
  access and everything else that the program
  cannot
• although different programs can be placed in
  different areas of memory, this contiguous
  allocation of memory space leads to problems of
  external fragmentation of memory space making it
  quite inefficient
• this led to development of more flexible memory
  allocation mechanisms - paging and segmentation

17

• Basic idea for both systems is that a program and
  its data in memory can be broken up into smaller
  pieces (segments if pieces are of variable size
  or pages if the pieces are of a fixed/constant
  size)
• in memory protection terms access to a segment or
  a page is controlled by a translation mechanism -
  which may in part be hardware implemented and
  part OS implemented
• the translation mechanism is similar to
  base/limit registers

18

• translation mechanism uses a table - segment
  table or page table (one segment table or page
  table per process)
• the segment or page table contains the start
  address for each segment or page that is used by
  a program
• addresses generated by the running process
  consist of 2 parts - a segment or page identifier
  and an offset value - ltsegment id, offsetgt or
  ltpage id, offsetgt
• the offset value gives the value of the address
  location within the segment or page

19

• the segment or page identifier provides an index
  into the segment or page table, the entry for the
  corresponding actual start address of the segment
  or page is is then added together with the offset
  to give the actual address to be accessed
• this guarantees that memory accesses cannot be
  before the start of the segment or page -
  negative offsets are not allowed
• accessing beyond the end of a given segment or
  page is prevented by

20

• 1. in segmented systems each entry in segment
  table includes a limit value for size of segment
  as well as start address of segment - thus it is
  easy to check that offset values are lt limit and
  thus fall inside segment allocated to the process
• 2. in paging since all pages are of a fixed size,
  the system is designed so that it is impossible
  to have offsets within pages that are longer than
  a page length

21

• if a user process attempts to access memory
  outside that allocated to it this can generate an
  interrupt which will invoke the OS to terminate
  the program and generate appropriate error
  messages to the user
• Of course this highlights that page and segment
  tables are structures that need to be held as
  part of OS memory outside of the direct access by
  user processes!!

22

• Thus we have seen how in general the CPU and the
  memory can be protected so that user programs
  cannot have uncontrolled usage of either and
  overall control remains with the OS

23
Disk and I/O Protection

• Since the OS software resides on secondary
  storage medium when a computer is turned off,
  then to prevent OS software being compromised the
  next time it is run, it is imperative that direct
  access to the secondary storage medium is
  controlled by OS
• treat disk access and I/O access together because
  to CPU/memory system they are both I/O devices
• Protection is achieved in 2 ways
• 1. direct access is prevented because all I/O
  instructions are privileged instructions
• 2. Access to I/O devices is controlled by device
  drivers

24
Device driver role

• a particular I/O device is controlled by some
  electronic components called the device
  controller - but action device controller tells
  I/O device to do is specified by writing various
  bit patterns into various registers that the
  controller has
• bit patterns can also be read from the registers
  by software to find out information about I/O
  operation, etc.
• to use the device therefore requires code that
  reads bit patterns from and writes bit patterns
  to the various registers in the controller
• the code that does this is called a device driver

25

• device drivers also provide an interface by which
  other code can call the device driver to carry
  out some I/O action
• the device driver translates the I/O requests
  into the actual register manipulations required
  to fulfil that request using a particular piece
  of hardware
• the provision of a system call interface as a
  point of access to device driver provides a well
  defined interface by which programs can access
  resources but which is importantly under the
  control of the OS

26

• and since direct I/O instructions are privileged
  - access to I/O devices only occurs by device
  drivers operating under the overall control of
  the OS
• however, device driver software has to be
  protected as part of the OS in memory and on disk