Presentation is loading. Please wait.

Presentation is loading. Please wait.

General OS Security: Memory Protection and Access Control

Published byElisabetta Morini Modified over 6 years ago

Similar presentations

Presentation on theme: "General OS Security: Memory Protection and Access Control"— Presentation transcript:

1 General OS Security: Memory Protection and Access Control
CS461/ECE422

2 Reading Intel Pentium II Software Developer’s Manual: Volume 3. Sections 4.5 through 4.8 uals/ pdf

3 Outline Evolution of OS Memory Protection Intel Architecture
Object Access Control File access in particular

4 In the Beginning... The program owned the machine Executives emerged
Access hardware directly Executives emerged Gather common functionality Multi-user systems required greater separation Multics, the source of much early OS development Protect programs from each other

5 Types of Separation Physical Temporal Logical Cryptographic
Use separate physical resources, e.g. Printers, disk drives Temporal Time slice different users Logical Create virtual environment to make it seem that programs are running independently Cryptographic Hide data and computation from others These were defined in the ‘60s, actually Which is most efficient? Why? Which is most secure? Why? Focus on logical from now on

6 Protected Resources What resources should be protected?
Peripherals (e.g. printers) Network Storage (disk drives, files) Memory Why protect each of them?

7 Memory Protection Protect Core OS/Maintenance routines from user program Kernel space User space Hardware support to ensure isolation Why is hardware needed? Have you heard of COREWARS?

8 Memory Fence Addresses Operating System Two problems: Flexibility n
Operating System Two problems: Flexibility Sharing n X Fence User Program n+1 Can the OS access the user program? Yes, one-way barrier OK high

9 Fence Registers Addresses Addresses Operating System Operating System
v.2 User Program m m+1 Addresses high Operating System v.1 Fence Register Fence Register n+1 n User Program n+1 high

10 Multiprogramming Operating System n+1 m+1 n User Program A n+1 m m+1
Operating System Fence Register in A n+1 in B m+1 n User Program A n+1 m Can we use the fence register to protect A from B? Can we protect B from A? No. m+1 User Program B high

11 Base & Bound Operating System n m+1 base base n+1 User Program A n+1
Operating System B’s registers A’s registers n m+1 base base n+1 User Program A n+1 high bound bound m m m+1 User Program B high

12 Virtual Memory + < <> > Fetch 7 Operating System N+1 base
A’s registers + 7 N+1 base n+1 User Program A < n+8 bound m <> n+8 User Program B Error >

13 Sharing Operating System base User Program bound A Shared User Program
A’s registers B’s registers Shared Operating System User Program A Can A & B share data? Incidentally, why might they want to do this? User Program B

14 Sharing, Cont’d Operating System User Program A User Program B
Can A, B, and C all share some data? User Program C

15 Segments + < <> > Split address into two fields
<seg, offset> Each segment has a base & bound 1 Fetch <1,7> Operating System + 7 User Program A < n+8 <> n+8 Seg Base Bnd a b 1 n+1 m User Program B Error >

16 Segments: Sharing & Protection
Operating System Seg Base Bnd Prot a b rwx 1 n+1 m rw Seg Base Bnd Prot m+1 high rwx 1 n+1 m r { User Program A { Shared } User Program B }

17 Segment problems Accesses off the end of the segment
Can only be checked at runtime Extra check on each memory access Numbers are generally used for segment names to speed up table lookups Potential problems for segment sharing Need to remap segments when they get too big for currently mapped location.

18 Paging Fixed units of memory mapping
Page sizes can range from 512 to 8192 bytes Two part address: <page #, offset> Easier to map fixed units into physical memory Overriding the offset will cause the page # to change Invalid page map should be caught Lose logical unity of segments May want to protect prog1 segment in a particular way

19 Paging

20 Paging Segments Used by the x86 architecture
Gives efficiencies of paging architecture with logical protection continuity of segment architecture

21 Paging Segments

22 Tagged architectures Base/bounds assumes contiguous user program space. Protecting code or data is an all or nothing deal with the base/bounds technique Could add tags to memory units Very privileged operation to change tags Memory unit could be word or a page Used for capability support Used by Lisp machines to encode types RWX bits on pages for Intel architecture

23 Memory Protection Rings
More than 2 protection levels (why?) Originally in Multics In Intel arch since x386

24 Privilege Levels CPU enforces constraints on memory access and changes of control between different privilege levels Similar in spirit to Bell-LaPadula access control restrictions Hardware enforcement of division between user mode and kernel mode in operating systems Simple malicious code cannot jump into kernel space

25 Stack Switching Automatically performed when calling more privileged code Prevents less privileged code from passing in short stack and crashing more privileged code Each task has a stack defined for each privilege level

26 Moving to the Desktop Memory protection & rings were used in MULTICS (‘60s) Intel 8086: segmentation, but no memory protection (1978) Intel 80286: protection rings (1982) Intel 80386: paging (1986) Virtual memory support in Windows Why would desktop software need memory protection?

27 Limiting Memory Access Type
The Pentium architecture supports making pages read/only versus read/write A recent development is the Execute Disable Bit (XD-bit) Added in 2001 but only available in systems recently Supported by Windows XP SP2 Similar functionality in AMD Altheon 64 Called No Execute bit (NX-bit) Actually in machines on the market sooner than Intel

28 Windows Support Enabled in Windows XP SP2 as Data Execution Prevention (DEP) Software version if no hardware support Check to see if you have the bit Control Panel -> System -> Advanced -> DEP tab

29 Delay to widespread deployment
First hardware in 2001 Wait for OS support Wait for vendors willing to sell Generally available in 2005 Break?

30 Protecting objects Desire to protect logical entities Memory
Files or data sets Executing program File directory A particular data structure like a stack Operating system control structures Privileged instructions

31 Access Control Matrix Access Control Matrix (ACM) and related concepts provides very basic abstraction Map different systems to a common form for comparison Enables standard proof techniques Not directly used in implementation

32 Definitions Protection state of system Access control matrix
Describes current settings, values of system relevant to protection Access control matrix Describes protection state precisely Matrix describing rights of subjects State transitions change elements of matrix

33 Description objects (entities) Subjects S = { s1,…,sn }
Objects O = { o1,…,om } Rights R = { r1,…,rk } Entries A[si, oj] R A[si, oj] = { rx, …, ry } means subject si has rights rx, …, ry over object oj objects (entities) subjects s1 s2 sn o1 … om s1 … sn

34 Example 1 Processes p, q Files f, g
Rights r, w, x, a (append), o (owner) f g p q p rwo r rwxo w q a ro r rwxo

35 Example 2 Procedures inc_ctr, dec_ctr, manage Variable counter
Rights +, –, call counter inc_ctr dec_ctr manage inc_ctr + dec_ctr – manage call call

36 State Transitions Change the protection state of system
|– represents transition Xi |–  Xi+1: command  moves system from state Xi to Xi+1 Xi |– * Xi+1: a sequence of commands moves system from state Xi to Xi+1 Commands often called transformation procedures

37 Example Transitions

38 Example Composite Transition

39 Practical object access control
Can slice the logical ACM two ways By row: Store with subject By column: Store with object objects (entities) subjects s1 s2 sn o1 … om s1 … sn

40 Directories to manage access
Slice ACM by user Each user keeps a directory Entry in directory contains reference to object (file) and access rights Problems Large lists Revocation Object aliases

41 Directories

42 Access Control List Slice by Object
Used by Multics and most modern OS's

43 Unix Access Control Three permission octets associated with each file and directory Owner, group, and other Read, write, execute For each file/directory Can specify RWX permissions for one owner, one group, and one other

44 Windows ACL

45 ACL Scaling Groups of users Role-Based Access Control
Users can take on role at a time Directory inheritance Negative rights

46 Capabilities Another attempt to slice by subject
Capability is an unforgeable token granting access How to prevent forging? Memory tagging store in memory inaccessible to users OS proxying Subject presents capability when requesting access Propagating capabilities “Transfer” right passed or not passed with copies of capabilities Capabilities can be easily revoked

47 Capabilities HW Intel iAPX 432 (1981) IBM System/38
Tried to put even more security enforcement in hardware Capabilities and object-oriented Segments referenced through Access Descriptors Implementation too complex and compiler technology not sufficiently smart Too slow and died on the vine IBM System/38 From about the same time period Also had hardware capabilities support

48 Key Points Separation elements evolved in OS for safety as much as security Memory protections Segments and pages and rings HW support Object access control File ACLs Capabilities

Download ppt "General OS Security: Memory Protection and Access Control"

Similar presentations

Chapter 6 User Protections in OS. csci5233 computer security & integrity (Chap. 6) 2 Outline User-level protections 1.Memory protection 2.Control of access.

Chapter 6 User Protections in OS. csci5233 computer security & integrity (Chap. 6) 2 Outline User-level protections 1.Memory protection 2.Control of access.
CSC 405 Introduction to Computer Security

CSC 405 Introduction to Computer Security
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Chapter 3.2 : Virtual Memory

Chapter 3.2 : Virtual Memory
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
Systems Security & Audit Operating Systems security.

Systems Security & Audit Operating Systems security.
14.1 Silberschatz, Galvin and Gagne ©2005 Operating System Concepts Chapter 14: Protection Goals of Protection Principles of Protection Domain of Protection.

14.1 Silberschatz, Galvin and Gagne ©2005 Operating System Concepts Chapter 14: Protection Goals of Protection Principles of Protection Domain of Protection.
1 Chapter 3.2 : Virtual Memory What is virtual memory? What is virtual memory? Virtual memory management schemes Virtual memory management schemes Paging.

1 Chapter 3.2 : Virtual Memory What is virtual memory? What is virtual memory? Virtual memory management schemes Virtual memory management schemes Paging.
Access Control in Practice CS461/ECE422 Fall 2010.

Access Control in Practice CS461/ECE422 Fall 2010.
Operating Systems Security

Operating Systems Security
Lecture 4 Page 1 CS 111 Online Modularity and Memory Clearly, programs must have access to memory We need abstractions that give them the required access.

Lecture 4 Page 1 CS 111 Online Modularity and Memory Clearly, programs must have access to memory We need abstractions that give them the required access.
Computer Security: Chapter 5 Operating Systems Security.

Computer Security: Chapter 5 Operating Systems Security.
Chapter 2 Operating System Overview Dave Bremer Otago Polytechnic, N.Z. ©2008, Prentice Hall Operating Systems: Internals and Design Principles, 6/E William.

Chapter 2 Operating System Overview Dave Bremer Otago Polytechnic, N.Z. ©2008, Prentice Hall Operating Systems: Internals and Design Principles, 6/E William.
Introduction to Operating Systems Concepts

Introduction to Operating Systems Concepts
PROTECTION.

PROTECTION.
Introduction to Operating Systems

Introduction to Operating Systems
Operating System Structure

Operating System Structure
Non Contiguous Memory Allocation

Non Contiguous Memory Allocation
Operating Systems Protection Alok Kumar Jagadev.

Operating Systems Protection Alok Kumar Jagadev.
Chapter 14: Protection Modified by Dr. Neerja Mhaskar for CS 3SH3.

Chapter 14: Protection Modified by Dr. Neerja Mhaskar for CS 3SH3.

Similar presentations

Ads by Google