Berkeley COMPSCI 161 - Lecture Notes

CS 161 Computer Security                    Fall 2005
Joseph/Tygar/Vazirani/Wagner                 Notes 29

1 Operating System Security

Goals:
• Protecting different applications running on the same machine at the same time from each other
  – Keep malicious/buggy user programs from crashing the OS
  – Keep malicious/buggy user programs from crashing each other
• Control over what applications run on a platform
  – Need a secure environment from the HW to the OS level

Today's topics:
• Hardware support for protection
• Creating secure systems

2 Hardware support for protection

Hardware provides two things to help isolate a program's effects to within just that program:
• Address translation
  – Non-executable regions
• Dual mode operation

2.1 Address translation

What is an address space?
• Literally, all the memory addresses a program can touch.
• All the state that a program can affect or be affected by.

Achieve protection by restricting what a program can touch!

Hardware translates every memory reference from virtual addresses to physical addresses; software sets up and manages the mapping in the translation box (see Figure 1).

[Figure 1: Address Translation in Modern Architectures. The CPU issues a virtual address to the translation box (MMU), which produces the physical address presented to physical memory; the data read or written passes through untranslated.]

Two views of memory:
• View from the CPU — what the program sees, virtual memory
• View from memory — physical memory

The translation box (also called a memory management unit, MMU) converts between the two views.

Translation helps implement protection because there is no way for a program to even talk about other programs' addresses; no way for it to touch operating system code or data (see Figure 2).

Translation also helps with the issue of how to stuff multiple programs into memory.

Translation is implemented using some form of table lookup, with a separate table for each user address space.

2.2 Dual mode operation

Can an application modify its own translation tables? If it could, then it could get access to all of physical memory. Has to be restricted somehow.

Dual-mode operation
• When in the OS, can do anything (called "kernel mode", "supervisor mode", or "protected mode")
• When in a user program, restricted to only touching that program's memory (user mode)

Implemented by setting a hardware-provided bit. Restricted operations can only be performed when the "kernel-mode" bit is set. Only the operating system itself can set and clear this bit.

HW requires the CPU to be in kernel mode to modify address translation tables.

Isolate each address space so its behavior can't do any harm, except to itself.

[Figure 2: Example of Address Translation. The virtual address spaces of prog 1 and prog 2 (each with code, data, heap, stack) are mapped into physical memory, which also holds OS code, OS data, and OS heap & stacks.]

[Figure 3: Typical UNIX Operating System Structure. From bottom to top: hardware; machine-dependent OS layer and portable OS layer (kernel mode); standard library and application (user mode).]

Several issues:
1. Do we need the kernel–application boundary if the system is dedicated to a single application?
2. How to share the CPU between kernel and user programs?
3. How do programs interact?
4. How does one switch between kernel and user modes when the CPU gets shared between the OS and a user program?
   • OS → user (kernel → user mode)
   • User → OS (user mode → kernel mode)

2.2.1 Kernel → User

To run a user program, create a thread to:
• Allocate and initialize an address space control block
• Read the program off disk and store it in memory
• Allocate and initialize the translation table (point to program memory)
• Run the program (or return to user level after calling the OS with a system call):
  – Set machine registers
  – Set hardware pointer to translation table
  – Set processor status word (from kernel mode to user mode)
  – Jump to start of program

2.2.2 User → Kernel

How does the user program get back into the kernel, or switch to another user program?

Voluntarily, user → kernel: System call — a special instruction to jump to a specific operating system handler. Just like doing a procedure call into the operating system kernel — the program asks the OS kernel, please do something on the procedure's behalf.

Can the user program call any routine in the OS?
No. Just specific ones the OS says are OK. Always start running the handler at the same place; otherwise, problems!

How does the OS know that system call arguments are as expected?
It can't — the OS kernel has to check all arguments (registers and memory) — otherwise, a bug in a user program can crash the kernel.

TOCTOU vulnerabilities are common: Time of Check, Time of Use.

  open(filename, mode)
    check permissions for filename and mode
    create filehandle for filename
    return filehandle

Race condition between the check and create steps, and a malicious user.

Involuntarily, user → kernel: Hardware interrupt, also program exception.

Examples of program exceptions:
• Bus error (bad address, e.g., unaligned access)
• Segmentation fault (out of range address)
• Page fault (important for providing the illusion of infinite memory)

On system call, interrupt, or exception: hardware atomically
• Sets processor status to kernel mode
• Changes execution stack to an OS kernel stack
• Saves current program counter
• Jumps to handler routine in OS kernel
• Handler saves previous state of any registers it uses

Context switching between programs: Same as with threads, except now also save and restore the pointer to the translation table. To resume a program, re-load registers, change the hardware pointer to the translation table, and jump to the old PC.

2.3 Communication between address spaces

How do two address spaces communicate? Can't do it directly if address spaces don't share memory. Instead, all inter-address space (in UNIX, inter-process) communication has to go through the kernel, via system calls.

Models of inter-address space communication:
• Byte stream producer/consumer. For example, communicate through pipes connecting stdin/stdout.
• Message passing (send/receive). We can use this to build a remote procedure call (RPC) abstraction, so that you can have one program call a procedure in another.
• File system (read and write files). File system is shared state! (Even though it exists outside of any address space.)
• "Shared Memory" — Alternately, on most UNIXes, can ask the kernel to set up address spaces to share a region of memory, but that violates the whole notion of why we have address spaces — to

