Early OS security Overview by: Greg Morrisett Cornell University, Edited (by permission) for CSUS CSc250 by Bill Mitchell.

Slides:



Advertisements
Similar presentations
More on Processes Chapter 3. Process image _the physical representation of a process in the OS _an address space consisting of code, data and stack segments.
Advertisements

Chorus and other Microkernels Presented by: Jonathan Tanner and Brian Doyle Articles By: Jon Udell Peter D. Varhol Dick Pountain.
Chapter 6 Limited Direct Execution
Architectural Support for OS March 29, 2000 Instructor: Gary Kimura Slides courtesy of Hank Levy.
Dawson R. Engler, M. Frans Kaashoek, and James O'Tool Jr.
1 CS 333 Introduction to Operating Systems Class 2 – OS-Related Hardware & Software The Process Concept Jonathan Walpole Computer Science Portland State.
Home: Phones OFF Please Unix Kernel Parminder Singh Kang Home:
Improving IPC by Kernel Design Jochen Liedtke Shane Matthews Portland State University.
Translation Buffers (TLB’s)
CS711: Reference Monitors Part 1: OS & SFI Greg Morrisett Cornell University.
1 Process Description and Control Chapter 3 = Why process? = What is a process? = How to represent processes? = How to control processes?
Introduction Operating Systems’ Concepts and Structure Lecture 1 ~ Spring, 2008 ~ Spring, 2008TUCN. Operating Systems. Lecture 1.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Chapter 2: Operating-System Structures Modified from the text book.
Virtual Machine Monitors CSE451 Andrew Whitaker. Hardware Virtualization Running multiple operating systems on a single physical machine Examples:  VMWare,
Basics of Operating Systems March 4, 2001 Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard.
CSE 451: Operating Systems Autumn 2013 Module 6 Review of Processes, Kernel Threads, User-Level Threads Ed Lazowska 570 Allen.
System Calls 1.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 2: System Structures.
CS533 Concepts of Operating Systems Jonathan Walpole.
1 Micro-kernel. 2 Key points Microkernel provides minimal abstractions –Address space, threads, IPC Abstractions –… are machine independent –But implementation.
Chapter 2: Operating-System Structures. 2.2 Silberschatz, Galvin and Gagne ©2005 Operating System Concepts – 7 th Edition, Jan 14, 2005 Operating System.
Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.
Architecture Support for OS CSCI 444/544 Operating Systems Fall 2008.
Operating Systems ECE344 Ashvin Goel ECE University of Toronto OS-Related Hardware.
Operating Systems ECE344 Ding Yuan Paging Lecture 8: Paging.
Lecture 3 Process Concepts. What is a Process? A process is the dynamic execution context of an executing program. Several processes may run concurrently,
Virtual Memory Expanding Memory Multiple Concurrent Processes.
Background: Operating Systems Brad Karp UCL Computer Science CS GZ03 / M th November, 2008.
Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3.
Caltech CS184b Winter DeHon 1 CS184b: Computer Architecture [Single Threaded Architecture: abstractions, quantification, and optimizations] Day14:
 Virtual machine systems: simulators for multiple copies of a machine on itself.  Virtual machine (VM): the simulated machine.  Virtual machine monitor.
Operating Systems Lecture November 2015© Copyright Virtual University of Pakistan 2 Agenda for Today Review of previous lecture Hardware (I/O, memory,
1 CSE451 Architectural Supports for Operating Systems Autumn 2002 Gary Kimura Lecture #2 October 2, 2002.
Lecture Topics: 10/29 Architectural support for operating systems –timers –kernel mode –system calls –protected instructions.
We will focus on operating system concepts What does it do? How is it implemented? Apply to Windows, Linux, Unix, Solaris, Mac OS X. Will discuss differences.
Operating Systems 1 K. Salah Module 1.2: Fundamental Concepts Interrupts System Calls.
Operating Systems Engineering Based on MIT (2012, lec3) Recitation 2: OS Organization.
Operating Systems CSE 411 CPU Management Sept Lecture 10 Instructor: Bhuvan Urgaonkar.
Lecture 26 Virtual Machine Monitors. Virtual Machines Goal: run an guest OS over an host OS Who has done this? Why might it be useful? Examples: Vmware,
Lecture 5 Rootkits Hoglund/Butler (Chapters 1-3).
Chapter 6 Limited Direct Execution Chien-Chung Shen CIS/UD
1 Chapter 2: Operating-System Structures Services Interface provided to users & programmers –System calls (programmer access) –User level access to system.
Translation Lookaside Buffer
Virtual Machine Monitors
MODERN OPERATING SYSTEMS Third Edition ANDREW S
Kernel Design & Implementation
CS 6560: Operating Systems Design
CS 3305 System Calls Lecture 7.
CSE 153 Design of Operating Systems Winter 2018
Page Replacement.
CSE 451: Operating Systems Spring 2012 Module 6 Review of Processes, Kernel Threads, User-Level Threads Ed Lazowska 570 Allen.
Translation Lookaside Buffer
Lecture Topics: 11/1 General Operating System Concepts Processes
Architectural Support for OS
Translation Buffers (TLB’s)
Virtual Memory Overcoming main memory size limitation
CSE 451: Operating Systems Autumn 2003 Lecture 10 Paging & TLBs
CSE 451: Operating Systems Autumn 2003 Lecture 2 Architectural Support for Operating Systems Hank Levy 596 Allen Center 1.
CSE 451: Operating Systems Autumn 2001 Lecture 2 Architectural Support for Operating Systems Brian Bershad 310 Sieg Hall 1.
Operating Systems: A Modern Perspective, Chapter 3
Translation Buffers (TLB’s)
CSE 451: Operating Systems Autumn 2003 Lecture 10 Paging & TLBs
CSE 451: Operating Systems Winter 2003 Lecture 2 Architectural Support for Operating Systems Hank Levy 412 Sieg Hall 1.
Architectural Support for OS
Operating Systems Structure
CSE 153 Design of Operating Systems Winter 2019
Translation Buffers (TLBs)
CS703 – Advanced Operating Systems
Virtual Memory Use main memory as a “cache” for secondary (disk) storage Managed jointly by CPU hardware and the operating system (OS) Programs share main.
Review What are the advantages/disadvantages of pages versus segments?
Presentation transcript:

Early OS security Overview by: Greg Morrisett Cornell University, Edited (by permission) for CSUS CSc250 by Bill Mitchell

June 2001Lang. Based Security2 Operating Systems circa ‘75 Simple Model: system is a collection of running processes and files. –processes perform actions on behalf of a user. open, read, write files read, write, execute memory, etc. –files have access control lists dictating which users can read/write/execute/etc. the file. (Some) High-Level Policy Goals: –Integrity: one user’s processes shouldn’t be able to corrupt the code, data, or files of another user. –Availability: processes should eventually gain access to resources such as the CPU or disk. –Secrecy? Confidentiality? Access control?

June 2001Lang. Based Security3 What Can go Wrong? –read/write/execute or change ACL of a file for which process doesn’t have proper access. check file access against ACL –process writes into memory of another process isolate memory of each process (& the OS!) –process pretends it is the OS and execute its code maintain process ID and keep certain operations privileged --- need some way to transition. –process never gives up the CPU force process to yield in some finite time –process uses up all the memory or disk enforce quotas –OS or hardware is buggy...

June 2001Lang. Based Security4 Key Mechanisms in Hardware –Translation Lookaside Buffer (TLB) provides an inexpensive check for each memory access. maps virtual address to physical address –small, fully associative cache (8-10 entries) –cache miss triggers a trap (see below) –granularity of map is a page (4-8KB) –Distinct user and supervisor modes certain operations (e.g., reload TLB, device access) require supervisor bit is set. –Invalid operations cause a trap set supervisor bit and transfer control to OS routine. –Timer triggers a trap for preemption.

June 2001Lang. Based Security5 Steps in a System Call Time calls f=fopen(“foo”) User Process library executes “break” Kernel – notice how expensive a trap is trap saves context, flushes TLB, etc. checks UID against ACL, sets up IO buffers & file context, pushes ptr to context on user’s stack, etc. restores context, clears supervisor bit calls fread(f,n,&buf) library executes “break” saves context, flushes TLB, etc. checks f is a valid file context, does disk access into local buffer, copies results into user’s buffer, etc. restores context, clears supervisor bit

June 2001Lang. Based Security6 Hardware Trends The functionality provided by the hardware hasn’t changed much over the years. Clearly, the raw performance in terms of throughput has. Certain trends are clear: –small => large # of registers: 8 16-bit => bit –small => large pages: 4 KB => 16 KB –flushing TLB, caches is increasingly expensive –computed jumps are increasingly expensive –copying data to/from memory is increasingly expensive So a trap into a kernel is costing more over time.

June 2001Lang. Based Security7 OS Trends In the 1980’s, a big push for microkernels: –Mach, Spring, etc. –Only put the bare minimum into the kernel. context switching code, TLB management trap and interrupt handling device access –Run everything else as a process. file system(s) networking protocols page replacement algorithm –Sub-systems communicate via remote procedure call (RPC) –Reasons: Increase Flexibility, Minimize the TCB

June 2001Lang. Based Security8 A System Call in Mach Time f=fopen(“foo”) User Process “break” Kernel saves context checks capabilities, copies arguments switches to Unix server context Unix Server checks ACL, sets up buffers, etc. “returns” to user. saves context checks capabilities, copies results restores user’s context

June 2001Lang. Based Security9 Microkernels Claim was that flexibility and increased assurance would win out. –But performance overheads were non-trivial –Many PhD’s on minimizing overheads of communication –Even highly optimized implementations of RPC cost 2-3 orders of magnitude more than a procedure call. Result: a backlash against the approach. –Windows, Linux, Solaris continue the monolithic tradition. and continue to grow for performance reasons (e.g., GUI) and for functionality gains (e.g., specialized file systems.) –Mac OS X, some embedded or specialized kernels (e.g., Exokernel) are exceptions. VMware achieves multiple personalities but has monolithic personalities sitting on top.

June 2001Lang. Based Security10 Performance Matters The hit of crossing the kernel boundary: –Original Apache forked a process to run each CGI: could attenuate file access for sub-process protected memory/data of server from rogue script i.e., closer to least privilege –Too expensive for a small script: fork, exec, copy data to/from the server, etc. –So current push is to run the scripts in the server. i.e., throw out least privilege Similar situation with databases, web browsers, file systems, etc.

June 2001Lang. Based Security11 The Big Question? From a least privilege perspective, many systems should be decomposed into separate processes. But if the overheads of communication (i.e., traps, copying, flushing TLB) are too great, programmers won’t do it. Can we achieve isolation and cheap communication?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.