Presentation is loading. Please wait.

Presentation is loading. Please wait.

Early OS security Overview by: Greg Morrisett Cornell University, Edited (by permission) for CSUS CSc250 by Bill Mitchell.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Early OS security Overview by: Greg Morrisett Cornell University, Edited (by permission) for CSUS CSc250 by Bill Mitchell."— Presentation transcript:

1 Early OS security Overview by: Greg Morrisett Cornell University, Edited (by permission) for CSUS CSc250 by Bill Mitchell

2 June 2001Lang. Based Security2 Operating Systems circa ‘75 Simple Model: system is a collection of running processes and files. –processes perform actions on behalf of a user. open, read, write files read, write, execute memory, etc. –files have access control lists dictating which users can read/write/execute/etc. the file. (Some) High-Level Policy Goals: –Integrity: one user’s processes shouldn’t be able to corrupt the code, data, or files of another user. –Availability: processes should eventually gain access to resources such as the CPU or disk. –Secrecy? Confidentiality? Access control?

3 June 2001Lang. Based Security3 What Can go Wrong? –read/write/execute or change ACL of a file for which process doesn’t have proper access. check file access against ACL –process writes into memory of another process isolate memory of each process (& the OS!) –process pretends it is the OS and execute its code maintain process ID and keep certain operations privileged --- need some way to transition. –process never gives up the CPU force process to yield in some finite time –process uses up all the memory or disk enforce quotas –OS or hardware is buggy...

4 June 2001Lang. Based Security4 Key Mechanisms in Hardware –Translation Lookaside Buffer (TLB) provides an inexpensive check for each memory access. maps virtual address to physical address –small, fully associative cache (8-10 entries) –cache miss triggers a trap (see below) –granularity of map is a page (4-8KB) –Distinct user and supervisor modes certain operations (e.g., reload TLB, device access) require supervisor bit is set. –Invalid operations cause a trap set supervisor bit and transfer control to OS routine. –Timer triggers a trap for preemption.

5 June 2001Lang. Based Security5 Steps in a System Call Time calls f=fopen(“foo”) User Process library executes “break” Kernel – notice how expensive a trap is trap saves context, flushes TLB, etc. checks UID against ACL, sets up IO buffers & file context, pushes ptr to context on user’s stack, etc. restores context, clears supervisor bit calls fread(f,n,&buf) library executes “break” saves context, flushes TLB, etc. checks f is a valid file context, does disk access into local buffer, copies results into user’s buffer, etc. restores context, clears supervisor bit

6 June 2001Lang. Based Security6 Hardware Trends The functionality provided by the hardware hasn’t changed much over the years. Clearly, the raw performance in terms of throughput has. Certain trends are clear: –small => large # of registers: 8 16-bit =>128 64-bit –small => large pages: 4 KB => 16 KB –flushing TLB, caches is increasingly expensive –computed jumps are increasingly expensive –copying data to/from memory is increasingly expensive So a trap into a kernel is costing more over time.

7 June 2001Lang. Based Security7 OS Trends In the 1980’s, a big push for microkernels: –Mach, Spring, etc. –Only put the bare minimum into the kernel. context switching code, TLB management trap and interrupt handling device access –Run everything else as a process. file system(s) networking protocols page replacement algorithm –Sub-systems communicate via remote procedure call (RPC) –Reasons: Increase Flexibility, Minimize the TCB

8 June 2001Lang. Based Security8 A System Call in Mach Time f=fopen(“foo”) User Process “break” Kernel saves context checks capabilities, copies arguments switches to Unix server context Unix Server checks ACL, sets up buffers, etc. “returns” to user. saves context checks capabilities, copies results restores user’s context

9 June 2001Lang. Based Security9 Microkernels Claim was that flexibility and increased assurance would win out. –But performance overheads were non-trivial –Many PhD’s on minimizing overheads of communication –Even highly optimized implementations of RPC cost 2-3 orders of magnitude more than a procedure call. Result: a backlash against the approach. –Windows, Linux, Solaris continue the monolithic tradition. and continue to grow for performance reasons (e.g., GUI) and for functionality gains (e.g., specialized file systems.) –Mac OS X, some embedded or specialized kernels (e.g., Exokernel) are exceptions. VMware achieves multiple personalities but has monolithic personalities sitting on top.

10 June 2001Lang. Based Security10 Performance Matters The hit of crossing the kernel boundary: –Original Apache forked a process to run each CGI: could attenuate file access for sub-process protected memory/data of server from rogue script i.e., closer to least privilege –Too expensive for a small script: fork, exec, copy data to/from the server, etc. –So current push is to run the scripts in the server. i.e., throw out least privilege Similar situation with databases, web browsers, file systems, etc.

11 June 2001Lang. Based Security11 The Big Question? From a least privilege perspective, many systems should be decomposed into separate processes. But if the overheads of communication (i.e., traps, copying, flushing TLB) are too great, programmers won’t do it. Can we achieve isolation and cheap communication?

Download ppt "Early OS security Overview by: Greg Morrisett Cornell University, Edited (by permission) for CSUS CSc250 by Bill Mitchell."

Similar presentations

More on Processes Chapter 3. Process image _the physical representation of a process in the OS _an address space consisting of code, data and stack segments.

More on Processes Chapter 3. Process image _the physical representation of a process in the OS _an address space consisting of code, data and stack segments.
Chorus and other Microkernels Presented by: Jonathan Tanner and Brian Doyle Articles By: Jon Udell Peter D. Varhol Dick Pountain.

Chorus and other Microkernels Presented by: Jonathan Tanner and Brian Doyle Articles By: Jon Udell Peter D. Varhol Dick Pountain.
Chapter 6 Limited Direct Execution

Chapter 6 Limited Direct Execution
Architectural Support for OS March 29, 2000 Instructor: Gary Kimura Slides courtesy of Hank Levy.

Architectural Support for OS March 29, 2000 Instructor: Gary Kimura Slides courtesy of Hank Levy.
Dawson R. Engler, M. Frans Kaashoek, and James O'Tool Jr.

Dawson R. Engler, M. Frans Kaashoek, and James O'Tool Jr.
1 CS 333 Introduction to Operating Systems Class 2 – OS-Related Hardware & Software The Process Concept Jonathan Walpole Computer Science Portland State.

1 CS 333 Introduction to Operating Systems Class 2 – OS-Related Hardware & Software The Process Concept Jonathan Walpole Computer Science Portland State.
Home: www.cse.dmu.ac.uk/~pkang Phones OFF Please Unix Kernel Parminder Singh Kang Home: www.cse.dmu.ac.uk/~pkang Email: pkang@dmu.ac.uk.

Home: Phones OFF Please Unix Kernel Parminder Singh Kang Home:
Improving IPC by Kernel Design Jochen Liedtke Shane Matthews Portland State University.

Improving IPC by Kernel Design Jochen Liedtke Shane Matthews Portland State University.
Translation Buffers (TLB’s)

Translation Buffers (TLB’s)
CS711: Reference Monitors Part 1: OS & SFI Greg Morrisett Cornell University.

CS711: Reference Monitors Part 1: OS & SFI Greg Morrisett Cornell University.
1 Process Description and Control Chapter 3 = Why process? = What is a process? = How to represent processes? = How to control processes?

1 Process Description and Control Chapter 3 = Why process? = What is a process? = How to represent processes? = How to control processes?
Introduction Operating Systems’ Concepts and Structure Lecture 1 ~ Spring, 2008 ~ Spring, 2008TUCN. Operating Systems. Lecture 1.

Introduction Operating Systems’ Concepts and Structure Lecture 1 ~ Spring, 2008 ~ Spring, 2008TUCN. Operating Systems. Lecture 1.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Chapter 2: Operating-System Structures Modified from the text book.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Chapter 2: Operating-System Structures Modified from the text book.
Virtual Machine Monitors CSE451 Andrew Whitaker. Hardware Virtualization Running multiple operating systems on a single physical machine Examples:  VMWare,

Virtual Machine Monitors CSE451 Andrew Whitaker. Hardware Virtualization Running multiple operating systems on a single physical machine Examples:  VMWare,
Basics of Operating Systems March 4, 2001 Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard.

Basics of Operating Systems March 4, 2001 Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard.
CSE 451: Operating Systems Autumn 2013 Module 6 Review of Processes, Kernel Threads, User-Level Threads Ed Lazowska 570 Allen.

CSE 451: Operating Systems Autumn 2013 Module 6 Review of Processes, Kernel Threads, User-Level Threads Ed Lazowska 570 Allen.
System Calls 1.

System Calls 1.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 2: System Structures.

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 2: System Structures.
CS533 Concepts of Operating Systems Jonathan Walpole.

CS533 Concepts of Operating Systems Jonathan Walpole.
1 Micro-kernel. 2 Key points Microkernel provides minimal abstractions –Address space, threads, IPC Abstractions –… are machine independent –But implementation.

1 Micro-kernel. 2 Key points Microkernel provides minimal abstractions –Address space, threads, IPC Abstractions –… are machine independent –But implementation.

Similar presentations

Ads by Google