cannot control user processes if users can give themselves supervisor privileges, disable
exceptions, or change memory protection.
3. Provide mechanisms whereby the processor can go from user mode to supervisor mode and vice versa. The first direction is typically accomplished by a system call, implemented as a special instruction that transfers control to a dedicated location in supervisor code space. The PC is saved from the point of the system call, and the processor is placed in supervisor mode. The return to user mode is like a subroutine return that restores the previous user/supervisor mode.
4. Provide mechanisms to limit memory accesses to protect the memory state of a process
without having to swap the process to disk on a context switch.
Appendix A describes several memory protection schemes, but by far the most popular is adding protection restrictions to each page of virtual memory. Fixed-sized pages, typically 4 KB or 8 KB long, are mapped from the virtual address space into physical address space via a page table. The protection restrictions are included in each page table entry. The protection restrictions might determine whether a user process can read this page, whether a user process can write to this page, and whether code can be executed from this page. In addition, a process can neither read nor write a page if it is not in the page table. Since only the OS can update the page table, the paging mechanism provides total access protection.
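The following program is an added example, not code from the textbook: it exercises the per-page read/write restrictions described above from user space on a POSIX system. mprotect() asks the OS to rewrite the page table entry for a page; the hardware then faults on any access the entry forbids, and the kernel delivers that fault as SIGSEGV (SIGBUS on some systems). A signal handler catches the fault so the program can report which accesses were refused instead of dying. The function and variable names are this example's own; a Linux or macOS system with mmap/mprotect/sigaction is assumed.

```c
/* Added example, not from the textbook: probe page-table protection bits
 * from user space. Assumes a POSIX system (Linux/macOS). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON       /* BSD/macOS spelling */
#endif

static sigjmp_buf fault_jmp;
static volatile sig_atomic_t fault_hit;

/* The hardware fault arrives here; jump back into probe() past the access. */
static void on_fault(int sig, siginfo_t *si, void *ctx) {
    (void)sig; (void)si; (void)ctx;
    fault_hit = 1;
    siglongjmp(fault_jmp, 1);        /* also restores the signal mask */
}

static void install_handler(void) {
    struct sigaction sa = {0};
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, NULL);
    sigaction(SIGBUS, &sa, NULL);    /* macOS reports some protection faults as SIGBUS */
}

/* Try one read or write of the byte at p. Returns 1 if it faulted, 0 if not. */
static int probe(volatile unsigned char *p, int do_write) {
    fault_hit = 0;
    if (sigsetjmp(fault_jmp, 1) == 0) {
        if (do_write) {
            *p = 0x41;
        } else {
            unsigned char v = *p;    /* volatile read cannot be optimised away */
            (void)v;
        }
        return 0;
    }
    return 1;                        /* landed here via siglongjmp */
}

/* Map one page and run read/write probes under three protection settings.
 * Returns a 6-bit mask of which probes faulted:
 *   bit0 read/RW  bit1 write/RW  bit2 read/R  bit3 write/R  bit4 read/NONE  bit5 write/NONE
 * Expected: 0x38 (only the write under R and both accesses under NONE fault). */
int page_protection_demo(void) {
    long pagesz = sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    install_handler();

    int mask = 0;
    /* PTE allows read and write */
    mask |= probe(page, 0) << 0;
    mask |= probe(page, 1) << 1;
    /* OS clears the writable bit in the PTE (and flushes the TLB entry) */
    if (mprotect(page, pagesz, PROT_READ) != 0) return -1;
    mask |= probe(page, 0) << 2;
    mask |= probe(page, 1) << 3;
    /* OS removes all access: the page is effectively absent from the table */
    if (mprotect(page, pagesz, PROT_NONE) != 0) return -1;
    mask |= probe(page, 0) << 4;
    mask |= probe(page, 1) << 5;

    munmap(page, pagesz);
    return mask;
}

int main(void) {
    int m = page_protection_demo();
    printf("fault mask = 0x%02x (expected 0x38)\n", m);
    return m == 0x38 ? 0 : 1;
}
```

The program never touches the page table itself; it only asks the OS to change the entry and lets the hardware refuse the accesses. That is the division of labour the text describes: the OS owns the table, the processor enforces it on every access. Execute permission is not probed here because doing so needs architecture-specific machine code for the page's contents.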
Paged virtual memory means that every memory access logically takes at least twice as long, with one memory access to obtain the physical address and a second access to get the data. This cost would be far too dear. The solution is to rely on the principle of locality; if the accesses have locality, then the address translations for the accesses must also have locality. By keeping these address translations in a special cache, a memory access rarely requires a second access to translate the address. This special address translation cache is referred to as a translation lookaside buffer (TLB).
A TLB entry is like a cache entry where the tag holds portions of the virtual address and
the data portion holds a physical page address, protection field, valid bit, and usually a use
bit and a dirty bit. The operating system changes these bits by changing the value in the page
table and then invalidating the corresponding TLB entry. When the entry is reloaded from the
page table, the TLB gets an accurate copy of the bits.
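Below is an added example, not from the textbook, that models the page table and TLB just described in software to show the failure mode the last sentence guards against: if the OS changes a page table entry but does not invalidate the matching TLB entry, the hardware keeps checking the old protection bits. The page size, table size and TLB size are arbitrary choices for the model, and the function names (translate, os_set_prot, stale_tlb_scenario) are this example's own.

```c
/* Added example, not from the textbook: software model of a page table plus
 * TLB, demonstrating why a PTE change must be followed by a TLB invalidate. */
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT   12                          /* 4 KB pages (model choice) */
#define PAGE_MASK    ((1u << PAGE_SHIFT) - 1)
#define NUM_PAGES    16                          /* model choice */
#define TLB_ENTRIES  4                           /* model choice */

enum { PTE_VALID = 1, PTE_READ = 2, PTE_WRITE = 4, PTE_EXEC = 8 };
enum { ACC_READ = PTE_READ, ACC_WRITE = PTE_WRITE, ACC_EXEC = PTE_EXEC };

typedef struct { uint32_t ppn; uint8_t prot; } pte_t;                    /* page table entry */
typedef struct { uint32_t vpn; uint32_t ppn; uint8_t prot; uint8_t valid; } tlb_entry_t;

static pte_t page_table[NUM_PAGES];              /* written only by "the OS" */
static tlb_entry_t tlb[TLB_ENTRIES];
static unsigned tlb_next;                        /* round-robin replacement */

/* Hardware side: translate va for access type acc. Returns the physical
 * address, or -1 on a page/protection fault. The protection check uses the
 * bits held in the TLB, which is exactly what real hardware does. */
long translate(uint32_t va, int acc) {
    uint32_t vpn = va >> PAGE_SHIFT;
    tlb_entry_t *e = NULL;
    for (int i = 0; i < TLB_ENTRIES; i++)
        if (tlb[i].valid && tlb[i].vpn == vpn) { e = &tlb[i]; break; }
    if (!e) {                                    /* TLB miss: walk the page table */
        if (vpn >= NUM_PAGES || !(page_table[vpn].prot & PTE_VALID)) return -1;
        e = &tlb[tlb_next++ % TLB_ENTRIES];
        e->vpn = vpn;
        e->ppn = page_table[vpn].ppn;
        e->prot = page_table[vpn].prot;
        e->valid = 1;
    }
    if (!(e->prot & acc)) return -1;             /* protection fault */
    return ((long)e->ppn << PAGE_SHIFT) | (va & PAGE_MASK);
}

/* OS side: change a PTE. 'flush' models whether the OS remembers to
 * invalidate the stale TLB entry (INVLPG on x86, for instance). */
void os_set_prot(uint32_t vpn, uint8_t prot, int flush) {
    page_table[vpn].prot = prot;
    if (flush)
        for (int i = 0; i < TLB_ENTRIES; i++)
            if (tlb[i].vpn == vpn) tlb[i].valid = 0;
}

/* Scenario: page 3 starts read/write and is cached in the TLB; the OS then
 * makes it read-only. Returns 1 if a write still succeeds afterwards. */
int stale_tlb_scenario(int flush) {
    for (int i = 0; i < TLB_ENTRIES; i++) tlb[i].valid = 0;
    page_table[3].ppn = 7;
    page_table[3].prot = PTE_VALID | PTE_READ | PTE_WRITE;
    translate(3 << PAGE_SHIFT, ACC_READ);        /* caches the RW entry in the TLB */
    os_set_prot(3, PTE_VALID | PTE_READ, flush); /* OS revokes write permission */
    return translate((3 << PAGE_SHIFT) + 0x10, ACC_WRITE) != -1;
}

int main(void) {
    printf("write after PTE change, no TLB flush: %s\n",
           stale_tlb_scenario(0) ? "ALLOWED (stale TLB entry)" : "faults");
    printf("write after PTE change, TLB flushed:  %s\n",
           stale_tlb_scenario(1) ? "allowed" : "faults (correct)");
    return 0;
}
```

Without the flush, the write goes through on the old permissions even though the page table already says read-only; with it, the next access misses in the TLB, reloads the entry and faults. Real processors differ in details such as whether a faulting walk fills the TLB, but the coherence rule is the same.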
Assuming the computer faithfully obeys the restrictions on pages and maps virtual ad-
dresses to physical addresses, it would seem that we are done. Newspaper headlines suggest
otherwise.
The reason we're not done is that we depend on the accuracy of the operating system as
well as the hardware. Today's operating systems consist of tens of millions of lines of code.
Since bugs are measured in number per thousand lines of code, there are thousands of bugs
in production operating systems. Flaws in the OS have led to vulnerabilities that are routinely
exploited.
This problem and the possibility that not enforcing protection could be much more costly
than in the past have led some to look for a protection model with a much smaller code base
than the full OS, such as Virtual Machines.
Protection Via Virtual Machines
An idea related to virtual memory that is almost as old is Virtual Machines (VMs). They were first developed in the late 1960s, and they have remained an important part of mainframe computing over the years. Although largely ignored in the domain of single-user computers in the 1980s and 1990s, they have recently gained popularity due to