Information Technology Reference
In-Depth Information
configure the hardware so that each application process can read and write
only its own memory and not the memory of the operating system or any other
application. If an application could modify the operating system kernel's code or
data, it could potentially do so in a way that would give the application complete
control over the machine. For example, it could change the login program to
give the attacker full system administrator privileges. While it might seem that
read-only access to memory is harmless, recall that we want to provide both
security and privacy. Kernel data structures | such as the le system buer |
may contain data that is private to one user and not permitted to be seen by
another. Likewise, user passwords may be stored in kernel memory while they
are being verified.
How does the operating system prevent a user program from accessing parts
of physical memory? We will discuss a wide variety of different approaches in
a later chapter, but early computers pioneered a very simple mechanism that
was sucient for providing protection. We describe it as an illustration of the
general principle.
In these systems, a processor has two extra registers, called base and bounds.
Denition: base and
bounds
The base species the start of the process's memory region, while the bound
gives its length. This is illustrated in Figure 2.5. These registers can only be
changed by privileged instructions, that is, by the operating system executing
in kernel-mode. User-level code cannot change their values.
Every time the processor fetches an instruction, the address of the program
counter is checked to see if it lies between the base and the bound registers. If
so, the instruction fetch is allowed to proceed; otherwise, the hardware raises an
exception, the program is halted, and control is transferred back to the operating
system kernel. Although it might seem extravagant to do two extra comparisons
for each instruction, the value of memory protection makes it worth the cost. In
fact, we will see much more sophisticated and \extravagant" memory protection
schemes later.
Likewise, for instructions that read or write data to memory, each memory
reference is also checked against the base and bounds registers, and an exception
generated if the boundaries are violated. Complex instructions, such as the x86
block copy instruction, must check every location touched by the instruction,
to ensure that the application does not inadvertently or maliciously read or
write to a buer that starts in its own region but that extends into the kernel's
region. Doing so might enable the application to read or overwrite key parts
of the operating system code or data and thereby gain control of the physical
hardware.
The operating system kernel executes without the base and bounds registers,
allowing it to access any memory on the system | the kernel's memory or the
memory of any application process running on the system. Because applications
can only touch their own memory, the kernel must explicitly copy any input or
output into or out of the application's memory region. For example, a simple
