Presentation is loading. Please wait.

Presentation is loading. Please wait.

Isolation Enforced by the Operating System

Published byErlin Wibowo Modified over 5 years ago

Similar presentations

Presentation on theme: "Isolation Enforced by the Operating System"— Presentation transcript:

1 Isolation Enforced by the Operating System
Based on slides provided by Landon Cox

2 Isolation of resources
Process memory Meltdown / Spectre Files (Virtual) Machines

3 Memory Isolation Each process works in its own virtual address space
All accesses to physical memory go through the memory management system The memory management system isolates one process’s memory from the others The virtual address space allocated to the kernel is shared by all processes, but can’t be accessed directly by a user process

4 Accessing virtual memory
User process Physical memory Page table CPU PTBR Page table base register for current process (PTBR) OS

5 Accessing virtual memory
User process Physical memory Access virtual address Physical pages Page table CPU PTBR OS

6 Accessing virtual memory
User process Physical memory Access virtual address Determine if access is pre-allowed Physical pages Page table CPU PTBR OS

7 Accessing virtual memory
User process Physical memory Access virtual address Physical pages Page table CPU PTBR If OK, retrieve data, execute instruction OS

8 Accessing virtual memory
User process Physical memory Access virtual address Physical pages Page table CPU PTBR If not OK, trap to OS OS

9 Accessing virtual memory
User process Physical memory Access virtual address Physical pages Page table CPU PTBR If not OK, trap to OS Determine if access is valid OS

10 Accessing virtual memory
User process If not valid, kill process Physical memory Access virtual address Physical pages Page table CPU PTBR If not OK, trap to OS OS

11 Accessing virtual memory
User process Physical memory Access virtual address Physical pages Page table CPU PTBR If not OK, trap to OS If not resident, load non-resident page OS

12 Accessing virtual memory
User process Physical memory Access virtual address Physical pages Page table CPU PTBR If not OK, trap to OS If not resident, load non-resident page, update page table OS

13 Accessing virtual memory
User process Retry faulting instruction Physical memory Access virtual address Physical pages Page table CPU PTBR If not OK, trap to OS If not resident, load non-resident page, update page table OS

14 User/kernel translation data
4GB Kernel data (same for all page tables) 3GB (0xc ) User data (different for every process) 0GB Virtual memory

15 Kernel vs. user mode Who sets up the data used by the memory management unit (MMU)? Can’t be the user process Otherwise could access anything Only kernel is allowed to modify any memory Processor must know to allow kernel To update the translator (e.g., set PTBR) To execute privileged instructions (halt, do I/O)

16 Kernel vs. user mode How does machine know kernel is running? Mode bit
This requires hardware support CPU supports different modes, kernel and user Mode is indicated by a hardware register Mode bit

17 Protection recap All memory accesses go through a translator
GBs of protected data All memory accesses go through a translator Who can modify translator’s data? Only kernel can modify translator’s data How do we know if kernel is running? Mode bit indicates if kernel is running Who can modify the mode bit? One bit of protected data Making progress: the amount of protected data is down to a bit

18 Protecting the mode bit
Can kernel change the mode bit? Yes. Kernel is completely trusted. Can user process change the mode bit? Not directly User programs need to invoke the kernel Must be able to initiate a change

19 When to transition from user to kernel?
Exceptions (interrupts, traps) Access something out of your valid address space (e.g., segmentation fault) Disk I/O finishes, causes interrupt Timer pre-emption, causes interrupt Page faults System calls Similar in purpose to a function call Kernel as software library

20 Example system calls Process management Signals Memory management
Fork/exec (start a new process), exit, getpid Signals Kill (send a signal), sigaction (set up handler) Memory management Brk (extend the valid address space), mmap File I/O Open, close, read, write Network I/O Accept, send, receive System management Reboot

21 System call implementation
Syscalls are like functions, but different Implemented by special instruction Software trap syscall Execution of syscall traps to kernel Processor safely transfers control to kernel Hardware invokes kernel’s syscall trap handler

22 Kernel trap details Hardware must atomically
Set processor mode bit to “kernel” Save current registers (SP, PC, general purpose) Change execution stack to kernel (SP) Jump to exception handler in kernel (PC)

23 Meltdown Processor Flaw
Modern “superscalar” processors execute multiple instructions simultaneously “Branch prediction” used to decide what to execute next when necessary When a branch is incorrectly predicted, effects of instructions that should not have been executed are undone … or are they? the code may have caused something to be brought into cache, and this can be detected by timing the cache

24 Meltdown char *scratchpad = malloc(256 * 4096); \\ 256 pages of size 4096 bytes each ... evict scratchpad from the CPU cache ... unsigned char *p = SOME_KERNEL_ADDRESS; int x = rand() % 100; unsigned char a; unsigned char b; if (x == 4){ // suppose CPU branch prediction speculates that this condition will be true a = *p; // unauthorized read of kernel memory // indirect access to scratchpad based on value a read from kernel memory // brings page a into cache b = *(scratchpad * a ); }

25 Detect Byte Value by Timing Cache Access
long long smallest_time = ; unsigned char leaked_a = 0; for (int c = 0; c < 256; ++c) { long long tsc0 = tsc(); char b = *(scratchpad * c); long long tsc1 = tsc(); long long tottime = tsc1 - tsc0; if (tottime < smallest_time) { // the smallest tottime is consequence of speculation // made by CPU with "a" value, that brought a related // memory page into the cache. smallest_time = tottime; leaked_a = c; } printf("Kernel byte %p = %02x", SOME_KERNEL_ADDRESS, leaked_a);

26 Mitigation Redesign processor
Move kernel memory out of user process virtual address space

27 Access control Where is most trusted code located?
In the operating system kernel What are the primary responsibilities of a UNIX kernel? Managing the file system Launching/scheduling processes Managing memory How do processes invoke the kernel? Via system calls Hardware shepherds transition from user process to kernel Processor knows when it is running kernel code Represents this through protection rings or mode bit

28 Access control How does kernel know if system call is allowed?
Looks at user id (uid) of process making the call Looks at resources accessed by call (e.g., file or pipe) Checks access-control policy associated with resource Decides if policy allows uid to access resources How is a uid normally assigned to a process? On fork, child inherits parent’s uid

29 MOO accounting problem
Multi-player game called Moo Want to maintain high score in a file Should players be able to update score? Yes Do we trust users to write file directly? No, they could lie about their score Game client (uid x) “x’s score = 10” High score “y’s score = 11” Game client (uid y)

30 MOO accounting problem
Multi-player game called Moo Want to maintain high score in a file Could have a trusted process update scores Is this good enough? Game client (uid x) “x’s score = 10” Game server High score “x:10 y:11” “y’s score = 11” Game client (uid y)

31 MOO accounting problem
Multi-player game called Moo Want to maintain high score in a file Could have a trusted process update scores Is this good enough? Can’t be sure that reported score is genuine Need to ensure score was computed correctly Game client (uid x) “x’s score = 100” Game server High score “x:100 y:11” “y’s score = 11” Game client (uid y)

32 Access control Insight: sometimes simple inheritance of uids is insufficient Tasks involving management of “user id” state Logging in (login) Changing passwords (passwd) Why isn’t this code just inside the kernel? This functionality doesn’t really require interaction w/ hardware Would like to keep kernel as small as possible How are “trusted” user-space processes identified? Run as super user or root (uid 0) Like a software kernel mode If a process runs under uid 0, then it has more privileges

33 Access control Why does login need to run as root?
Needs to check username/password correctness Needs to fork/exec process under another uid Why does passwd need to run as root? Needs to modify password database (file) Database is shared by all users What makes passwd particularly tricky? Easy to allow process to shed privileges (e.g., login) passwd requires an escalation of privileges How does UNIX handle this? Executable files can have their setuid bit set If setuid bit is set, process inherits uid of image file’s owner on exec

34 MOO accounting problem
Multi-player game called Moo Want to maintain high score in a file How does setuid solve our problem? Game executable is owned by trusted entity Game cannot be modified by normal users Users can run executable though High-score is also owned by trusted entity This is a form of trustworthy computing Only trusted code can update score Root ownership ensures code integrity Untrusted users can invoke trusted code Shell (uid x) Game client (uid moo) “fork/exec game” “x’s score = 10” High score (uid moo) “y’s score = 11” Shell (uid y) Game client (uid moo) “fork/exec game”

35 Coarser abstraction: virtual machine
We’ve already seen a kind of virtual machine OS gives processes virtual memory Each process runs on a virtualized CPU Virtual machine An execution environment May or may not correspond to physical reality

36 How do we virtualize? Key technique: “trap and emulate”
Untrusted/user code tries to do something it can’t Transfer control to something that can do it Evaluate whether thing is allowed If so, do it and return control. Else, kill process or throw exception. Where have we seen trap and emulate? Virtual memory Process tries to access non-resident memory Trap to OS OS makes virtual page resident Retry instruction that caused fault Generally useful technique, crucial for virtual machines Ways to do this? Rely on HW Rewrite code

37 Virtual-machine options
Approaches to implementing VMs Interpreted virtual machines Translate every VM instruction Kind of like on-the-fly compilation VM instruction  HW instruction(s) Direct execution Execute instructions directly Emulate the hard ones

38 Interpreted virtual machines
Implement the machine in software Must translate emulated to physical Java: byte codes  x86, PPC, ARM, etc Software fetches/executes instructions Program (foo.class) Interpreter (java) Byte code x86 Looks a lot like a dynamic virtual memory translator

39 Java virtual machine What is the (low-level) interface to the JVM?
Java byte-code instructions What abstraction does the JVM provide? JVM: Stack-machine architecture Dalvik (Android): Register-based architecture The Java programming language High-level language compiled into byte code Library of services (kind of like a kernel) Like PHP, Python, C++/STL, C#

40 Direct execution What is the interface? What is the abstraction?
Hardware ISA (e.g., x86 instructions) What is the abstraction? Physical machine (e.g., x86 processor) x86 Program (Linux kernel) x86 Monitor (VMware) x86

41 Different techniques Emulation Full virtualization Paravirtualization
Bochs, QEMU Full virtualization VMware Paravirtualization Xen Dynamic recompilation Virtual PC

42 Views of the CPU How is a user process’s view of the CPU different than the OS’s? Kernel mode Access to physical memory Manipulation of page tables Other “privileged instructions” Turn off interrupts Traps Keep these in mind when thinking about virtual machines

43

44 Traditional OS structure
App App App App Ring 3 Operating System Ring 0 Host Machine

45 Virtual-machine structure
Guest App Guest App Guest App Ring 3 Guest OS Guest OS Guest OS Ring 3? Virtual Machine Monitor (Hypervisor) Ring 0 Host Machine

46 Virtual-machine structure
Guest App Guest App Guest App Ring 3 Guest OS Guest OS Guest OS Ring 1 Virtual Machine Monitor (Hypervisor) Ring 0 Host Machine

Download ppt "Isolation Enforced by the Operating System"

Similar presentations

More on Processes Chapter 3. Process image _the physical representation of a process in the OS _an address space consisting of code, data and stack segments.

More on Processes Chapter 3. Process image _the physical representation of a process in the OS _an address space consisting of code, data and stack segments.
Slide 2-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 2 Using the Operating System 2.

Slide 2-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 2 Using the Operating System 2.
Architectural Support for OS March 29, 2000 Instructor: Gary Kimura Slides courtesy of Hank Levy.

Architectural Support for OS March 29, 2000 Instructor: Gary Kimura Slides courtesy of Hank Levy.
1 OS & Computer Architecture Modern OS Functionality (brief review) Architecture Basics Hardware Support for OS Features.

1 OS & Computer Architecture Modern OS Functionality (brief review) Architecture Basics Hardware Support for OS Features.
Virtual Machine Monitors CSE451 Andrew Whitaker. Hardware Virtualization Running multiple operating systems on a single physical machine Examples:  VMWare,

Virtual Machine Monitors CSE451 Andrew Whitaker. Hardware Virtualization Running multiple operating systems on a single physical machine Examples:  VMWare,
CSE 451: Operating Systems Autumn 2013 Module 6 Review of Processes, Kernel Threads, User-Level Threads Ed Lazowska 570 Allen.

CSE 451: Operating Systems Autumn 2013 Module 6 Review of Processes, Kernel Threads, User-Level Threads Ed Lazowska 570 Allen.
Tanenbaum 8.3 See references

Tanenbaum 8.3 See references
Microkernels, virtualization, exokernels Tutorial 1 – CSC469.

Microkernels, virtualization, exokernels Tutorial 1 – CSC469.
UNIX! Landon Cox September 3, 2012. Dealing with complexity How do you reduce the complexity of large programs? Break functionality into modules Goal.

UNIX! Landon Cox September 3, Dealing with complexity How do you reduce the complexity of large programs? Break functionality into modules Goal.
Operating System Support for Virtual Machines Samuel T. King, George W. Dunlap,Peter M.Chen Presented By, Rajesh 1 References [1] Virtual Machines: Supporting.

Operating System Support for Virtual Machines Samuel T. King, George W. Dunlap,Peter M.Chen Presented By, Rajesh 1 References [1] Virtual Machines: Supporting.
Operating Systems ECE344 Ashvin Goel ECE University of Toronto OS-Related Hardware.

Operating Systems ECE344 Ashvin Goel ECE University of Toronto OS-Related Hardware.
Lecture 3 Process Concepts. What is a Process? A process is the dynamic execution context of an executing program. Several processes may run concurrently,

Lecture 3 Process Concepts. What is a Process? A process is the dynamic execution context of an executing program. Several processes may run concurrently,
1 CSE 451 Section 2: Interrupts, Syscalls, Virtual Machines, and Project 1.

1 CSE 451 Section 2: Interrupts, Syscalls, Virtual Machines, and Project 1.
Background: Operating Systems Brad Karp UCL Computer Science CS GZ03 / M030 30 th November, 2008.

Background: Operating Systems Brad Karp UCL Computer Science CS GZ03 / M th November, 2008.
CPS110: Wrapping up memory Landon Cox March 6, 2008.

CPS110: Wrapping up memory Landon Cox March 6, 2008.
1 CSE451 Architectural Supports for Operating Systems Autumn 2002 Gary Kimura Lecture #2 October 2, 2002.

1 CSE451 Architectural Supports for Operating Systems Autumn 2002 Gary Kimura Lecture #2 October 2, 2002.
Operating Systems Security

Operating Systems Security
Lecture 26 Virtual Machine Monitors. Virtual Machines Goal: run an guest OS over an host OS Who has done this? Why might it be useful? Examples: Vmware,

Lecture 26 Virtual Machine Monitors. Virtual Machines Goal: run an guest OS over an host OS Who has done this? Why might it be useful? Examples: Vmware,
Protection of Processes Security and privacy of data is challenging currently. Protecting information – Not limited to hardware. – Depends on innovation.

Protection of Processes Security and privacy of data is challenging currently. Protecting information – Not limited to hardware. – Depends on innovation.
CSE 451: Operating Systems Winter 2015 Module 25 Virtual Machine Monitors Mark Zbikowski Allen Center 476 © 2013 Gribble, Lazowska,

CSE 451: Operating Systems Winter 2015 Module 25 Virtual Machine Monitors Mark Zbikowski Allen Center 476 © 2013 Gribble, Lazowska,

Similar presentations

Ads by Google