instruction is executed, the interpreter could check to see if the process had
permission to do the operation in question: is it referencing part of its own
memory, or someone else's? Is it trying to branch into someone else's code? Is
it directly accessing the disk, or is it using the correct routines in the operating
system to do so? The interpreter could allow all legal operations while halting
any application that overstepped its bounds.
Now suppose we want to speed up our hypothetical simulator. Most instructions are perfectly safe, such as adding two registers together and storing the result into a third register. Can we modify the processor in some way to allow safe instructions to execute directly on the hardware?
To accomplish this, we can implement the same checks as in our hypothetical interpreter, but we do so in hardware rather than software. This is called dual-mode operation, represented by a single bit in the processor status register to signify which mode the processor is currently executing in. In user-mode, the processor checks each instruction before executing it to verify that the instruction is permitted to be performed by that process. (We will describe the specific checks next.) In kernel-mode, the operating system executes with protection checks turned off.
Figure 2.4 shows the operation of a processor with a mode bit; the program
counter and the mode control the operation of the processor. In turn, the mode
bit is modified by some instructions, in the same way that the program counter
is modified by some instructions.
What hardware is needed to allow the operating system kernel to protect applications and users from one another, yet also allow user code to run directly on the processor? At a minimum, the hardware must support three things:

Privileged instructions. All potentially unsafe instructions are prohibited when executing in user-mode.

Memory protection. All memory accesses outside of a process's valid memory region are prohibited when executing in user-mode.

Timer interrupts. Regardless of what the process does, the kernel must have a way to periodically regain control from the current process.

In addition, the hardware must also provide a way to safely transfer control from user-mode to kernel-mode and back. As the mechanisms to do this are relatively involved, we defer the discussion of that topic to the following section of this chapter.
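To make the three checks concrete, here is the "hypothetical interpreter" from the discussion above written out as a small C simulator. It is an added example, not code from the book: the toy instruction set (OP_HALT, OP_ADD, OP_LOAD, OP_STORE, OP_JMP and OP_IO standing in for any privileged device access), the process region mem[16..32), the 50-instruction quantum and the sample programs are all assumptions chosen for illustration. The mode bit in struct cpu decides whether the memory-region check, the privileged-instruction check and the timer preemption apply; in kernel-mode the same programs run with those checks off.

```c
#include <stdio.h>
#include <string.h>

#define MEM_WORDS 64
#define NREGS 4
#define NELEM(a) ((int)(sizeof(a) / sizeof((a)[0])))

/* Toy ISA (assumed for this example; not the book's). OP_IO stands in for
 * any potentially unsafe instruction, e.g. direct disk access. */
enum op { OP_HALT, OP_ADD, OP_LOAD, OP_STORE, OP_JMP, OP_IO };

/* Why run() handed control back. */
enum stop { STOP_HALT, STOP_PRIV_FAULT, STOP_MEM_FAULT, STOP_TIMER, STOP_LIMIT, STOP_ILLEGAL };

struct insn { enum op op; int a, b, c; };   /* a, b, c: register numbers or addresses */

struct cpu {
    int pc;
    int kernel_mode;      /* the mode bit: 1 = kernel-mode, 0 = user-mode */
    int regs[NREGS];
    int mem[MEM_WORDS];
    int base, bound;      /* the current process may only touch mem[base..bound) */
    int quantum;          /* timer interrupt fires after this many user instructions */
};

/* Memory protection: physical bounds always apply; the per-process region
 * check is skipped in kernel-mode, the "protection checks turned off" case. */
static int mem_ok(const struct cpu *c, int addr)
{
    if (addr < 0 || addr >= MEM_WORDS) return 0;
    if (c->kernel_mode) return 1;
    return addr >= c->base && addr < c->bound;
}

enum stop run(struct cpu *c, const struct insn *prog, int nprog, int max_steps)
{
    int executed = 0;
    const struct insn *i;
    for (;;) {
        /* Timer interrupt: only user code is preempted. */
        if (!c->kernel_mode && executed >= c->quantum) return STOP_TIMER;
        if (executed >= max_steps) return STOP_LIMIT;     /* simulator safety net */
        /* A branch must stay inside this process's own code. */
        if (c->pc < 0 || c->pc >= nprog) return STOP_MEM_FAULT;
        i = &prog[c->pc];
        executed++;
        switch (i->op) {
        case OP_HALT:
            return STOP_HALT;
        case OP_ADD:                       /* always safe: touches registers only */
            c->regs[i->a] = c->regs[i->b] + c->regs[i->c];
            c->pc++;
            break;
        case OP_LOAD:
            if (!mem_ok(c, i->b)) return STOP_MEM_FAULT;
            c->regs[i->a] = c->mem[i->b];
            c->pc++;
            break;
        case OP_STORE:
            if (!mem_ok(c, i->b)) return STOP_MEM_FAULT;
            c->mem[i->b] = c->regs[i->a];
            c->pc++;
            break;
        case OP_JMP:
            c->pc = i->a;
            break;
        case OP_IO:                        /* privileged instruction */
            if (!c->kernel_mode) return STOP_PRIV_FAULT;
            c->pc++;                       /* kernel-mode: the "device access" is a no-op here */
            break;
        default:
            return STOP_ILLEGAL;
        }
    }
}

struct result { enum stop why; int r0; };

/* Run prog on a fresh machine whose process owns mem[16..32).
 * Constructed initial data: mem[16] = 20, mem[17] = 22. */
struct result simulate(const struct insn *prog, int nprog, int kernel_mode)
{
    struct cpu c;
    struct result r;
    memset(&c, 0, sizeof c);
    c.kernel_mode = kernel_mode;
    c.base = 16; c.bound = 32; c.quantum = 50;
    c.mem[16] = 20; c.mem[17] = 22;
    r.why = run(&c, prog, nprog, 1000);
    r.r0 = c.regs[0];
    return r;
}

/* Constructed sample programs. */
static const struct insn prog_safe[] = {   /* R0 = mem[16] + mem[17]; mem[18] = R0 */
    { OP_LOAD, 1, 16, 0 }, { OP_LOAD, 2, 17, 0 }, { OP_ADD, 0, 1, 2 },
    { OP_STORE, 0, 18, 0 }, { OP_HALT, 0, 0, 0 },
};
static const struct insn prog_wild[] = { { OP_STORE, 0, 40, 0 }, { OP_HALT, 0, 0, 0 } }; /* outside region */
static const struct insn prog_io[]   = { { OP_IO, 0, 0, 0 },     { OP_HALT, 0, 0, 0 } }; /* device access */
static const struct insn prog_loop[] = { { OP_JMP, 0, 0, 0 } };                          /* never yields */

int main(void)
{
    static const char *why[] = { "halt", "privileged-instruction fault", "memory fault",
                                 "timer interrupt", "step limit", "illegal opcode" };
    struct result r = simulate(prog_safe, NELEM(prog_safe), 0);
    printf("safe, user-mode:   %s, R0=%d\n", why[r.why], r.r0);
    printf("wild, user-mode:   %s\n", why[simulate(prog_wild, NELEM(prog_wild), 0).why]);
    printf("wild, kernel-mode: %s\n", why[simulate(prog_wild, NELEM(prog_wild), 1).why]);
    printf("io,   user-mode:   %s\n", why[simulate(prog_io, NELEM(prog_io), 0).why]);
    printf("io,   kernel-mode: %s\n", why[simulate(prog_io, NELEM(prog_io), 1).why]);
    printf("loop, user-mode:   %s\n", why[simulate(prog_loop, NELEM(prog_loop), 0).why]);
    printf("loop, kernel-mode: %s\n", why[simulate(prog_loop, NELEM(prog_loop), 1).why]);
    return 0;
}
```

The interesting rows are the kernel-mode ones: the out-of-region store and the device instruction succeed, and the infinite loop is stopped only by the simulator's own step limit, not by the timer. That is the trade the text describes: the kernel runs with the checks off, so it must be trusted, while user-mode code cannot escape its region, execute privileged instructions or hold the processor past its quantum.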
2.2.1 Privileged instructions
Process isolation is only possible if there is a way to prevent programs running in user-mode from directly changing their privilege level. We will see later