most trusted to access anything, the second most trusted to access everything except the innermost level, and so on. The “civilian” programs are the least trusted and, hence, have the most limited range of accesses. There may also be restrictions on what pieces of memory can contain code—execute protection—and even on the entrance point between the levels. The Intel 80×86 protection structure, which uses rings, is described later in this section. It is not clear whether rings are an improvement in practice over the simple system of user and kernel modes.
As the designer's apprehension escalates to trepidation, these simple rings may not suffice. Restricting the freedom given a program in the inner sanctum requires a new classification system. Instead of a military model, the analogy of this system is to keys and locks: A program can't unlock access to the data unless it has the key. For these keys, or capabilities, to be useful, the hardware and operating system must be able to explicitly pass them from one program to another without allowing a program itself to forge them. Such checking requires a great deal of hardware support if time for checking keys is to be kept low.
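The key-and-lock model above is easier to see in code than in prose. The following is an added example, not part of the book's text and not the Intel mechanism: a toy capability system in which a "kernel" owns every capability table, user programs only hold opaque handles (a slot index plus a nonce tag), and keys move between programs solely through a kernel-mediated transfer that can attenuate but never amplify rights. All names (`cap_mint`, `cap_check`, `cap_transfer`, the `RIGHT_*` bits) and the object ids are this example's own constructions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed toy capability system: programs hold opaque handles, the
 * kernel-owned tables decide whether a handle is a live, unforged key. */
#define RIGHT_READ  0x1u
#define RIGHT_WRITE 0x2u
#define RIGHT_GRANT 0x4u   /* holder may pass this key to another program */

#define SLOTS    8
#define PROGRAMS 3

typedef struct { int object; uint32_t rights; uint32_t tag; bool used; } cap_slot;
typedef struct { uint32_t slot; uint32_t tag; } handle;   /* all user code ever sees */

static cap_slot tables[PROGRAMS][SLOTS];   /* kernel memory; user code cannot touch it */
static uint32_t next_tag = 1;              /* fresh tag per minted key */

static int free_slot(int prog) {
    for (int i = 0; i < SLOTS; i++)
        if (!tables[prog][i].used) return i;
    return -1;
}

/* Kernel mints a key for prog, e.g. when prog creates the object. */
handle cap_mint(int prog, int object, uint32_t rights) {
    int s = free_slot(prog);
    if (s < 0) return (handle){ UINT32_MAX, 0 };          /* table full: invalid handle */
    handle h = { (uint32_t)s, next_tag++ };
    tables[prog][s] = (cap_slot){ object, rights, h.tag, true };
    return h;
}

/* A handle is valid only if the slot is live and the tag matches: guessing
 * a slot number, or reusing another program's handle, yields NULL. */
static cap_slot *lookup(int prog, handle h) {
    if (prog < 0 || prog >= PROGRAMS || h.slot >= SLOTS) return NULL;
    cap_slot *c = &tables[prog][h.slot];
    if (!c->used || c->tag != h.tag) return NULL;
    return c;
}

/* Access check: does prog hold a key for object carrying the needed right? */
bool cap_check(int prog, handle h, int object, uint32_t right) {
    cap_slot *c = lookup(prog, h);
    return c != NULL && c->object == object && (c->rights & right) == right;
}

/* Kernel-mediated transfer: from hands `to` a copy of its key restricted to
 * `rights`.  Requires GRANT on the source key, and the copy may only be a
 * subset of the source rights.  The receiver gets its own slot and tag. */
bool cap_transfer(int from, handle h, int to, uint32_t rights, handle *out) {
    cap_slot *c = lookup(from, h);
    if (c == NULL || !(c->rights & RIGHT_GRANT)) return false;
    if ((rights & ~c->rights) != 0) return false;          /* no amplification */
    int s = free_slot(to);
    if (s < 0) return false;
    *out = (handle){ (uint32_t)s, next_tag++ };
    tables[to][s] = (cap_slot){ c->object, rights, out->tag, true };
    return true;
}

int main(void) {
    handle k = cap_mint(0, 42, RIGHT_READ | RIGHT_WRITE | RIGHT_GRANT);
    handle k2;
    cap_transfer(0, k, 1, RIGHT_READ, &k2);        /* program 1 gets read-only */
    handle forged = { k.slot, k.tag };             /* program 2 copies program 0's handle */
    printf("prog0 write : %d\n", cap_check(0, k, 42, RIGHT_WRITE));
    printf("prog1 read  : %d\n", cap_check(1, k2, 42, RIGHT_READ));
    printf("prog1 write : %d\n", cap_check(1, k2, 42, RIGHT_WRITE));
    printf("prog2 forged: %d\n", cap_check(2, forged, 42, RIGHT_READ));
    return 0;
}
```

The point the text makes about hardware support is visible in `cap_check`: every access costs a table lookup and a tag comparison, which is why a real implementation needs hardware help to keep the check off the critical path.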
The 80×86 architecture has tried several of these alternatives over the years. Since backwards compatibility is one of the guidelines of this architecture, the most recent versions of the architecture include all of its experiments in virtual memory. We'll go over two of the options here: first the older segmented address space and then the newer flat, 64-bit address space.
A Segmented Virtual Memory Example: Protection in the Intel Pentium
The second system is the most dangerous system a man ever designs. … The general tendency is to over-design the second system, using all the ideas and frills that were cautiously sidetracked on the first one.
F. P. Brooks, Jr.
The Mythical Man-Month (1975)
The original 8086 used segments for addressing, yet it provided nothing for virtual memory or for protection. Segments had base registers but no bound registers and no access checks, and before a segment register could be loaded the corresponding segment had to be in physical memory. Intel's dedication to virtual memory and protection is evident in the successors to the 8086, with a few fields extended to support larger addresses. This protection scheme is elaborate, with many details carefully designed to try to avoid security loopholes. We'll refer to it as IA-32. The next few pages highlight a few of the Intel safeguards; if you find the reading difficult, imagine the difficulty of implementing them!
The first enhancement is to double the traditional two-level protection model: The IA-32 has
four levels of protection. The innermost level (0) corresponds to the traditional kernel mode,
and the outermost level (3) is the least privileged mode. The IA-32 has separate stacks for each
level to avoid security breaches between the levels. There are also data structures analogous
to traditional page tables that contain the physical addresses for segments, as well as a list of
checks to be made on translated addresses.
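The "list of checks to be made on translated addresses" lives in the segment descriptor itself, and the four-level model is enforced by comparing privilege levels numerically (0 is innermost). The following is an added example, not code from the book or from Intel: it decodes a constructed 8-byte IA-32 segment descriptor using the field positions Intel documents (limit, base, type, S, DPL, P, G), then applies the data-segment rules that a selector load and memory reference go through: the segment must be present, the less privileged of the current level (CPL) and the selector's requested level (RPL) must be no further out than the descriptor's DPL, the offset must not exceed the (granularity-scaled) limit, and a write needs the writable bit. The helper names (`decode_descriptor`, `check_data_access`, `make_descriptor`) and the sample base/limit values are this example's own; code-segment and gate rules are deliberately out of scope.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Decoded view of an IA-32 segment descriptor (constructed example). */
typedef struct {
    uint32_t base;      /* linear address of the segment's first byte */
    uint32_t limit;     /* last valid offset, after granularity scaling */
    unsigned dpl;       /* descriptor privilege level: 0 (kernel) .. 3 (user) */
    bool     present;   /* P bit: segment is resident */
    bool     code;      /* type bit 3: 1 = code segment, 0 = data segment */
    bool     writable;  /* data segment W bit (bit 41) */
} segdesc;

/* Field positions follow Intel's documented 64-bit descriptor layout. */
segdesc decode_descriptor(uint64_t d) {
    segdesc s;
    s.base  = (uint32_t)(((d >> 16) & 0xFFFFu)
                       | (((d >> 32) & 0xFFu) << 16)
                       | (((d >> 56) & 0xFFu) << 24));
    uint32_t limit = (uint32_t)((d & 0xFFFFu) | (((d >> 48) & 0xFu) << 16));
    bool g = (d >> 55) & 1u;                     /* G=1: limit is in 4 KiB units */
    s.limit    = g ? ((limit << 12) | 0xFFFu) : limit;
    s.dpl      = (unsigned)((d >> 45) & 0x3u);
    s.present  = (d >> 47) & 1u;
    s.code     = (d >> 43) & 1u;
    s.writable = (d >> 41) & 1u;
    return s;
}

typedef enum { ACCESS_OK, FAULT_NOT_PRESENT, FAULT_PRIVILEGE, FAULT_LIMIT, FAULT_TYPE } access_result;

/* Data-segment access check.  cpl = ring the running code is in,
 * rpl = requested privilege level in the selector's low two bits. */
access_result check_data_access(segdesc s, unsigned cpl, unsigned rpl,
                                uint32_t offset, bool write) {
    if (!s.present) return FAULT_NOT_PRESENT;
    if (s.code)     return FAULT_TYPE;           /* only data segments handled here */
    unsigned effective = cpl > rpl ? cpl : rpl;  /* the less privileged of the two */
    if (effective > s.dpl) return FAULT_PRIVILEGE;
    if (offset > s.limit)  return FAULT_LIMIT;   /* bound check the 8086 lacked */
    if (write && !s.writable) return FAULT_TYPE;
    return ACCESS_OK;
}

/* Inverse of decode, used to construct descriptors for the demo (S=1, P=1). */
uint64_t make_descriptor(uint32_t base, uint32_t limit, unsigned dpl,
                         bool g, bool code, bool writable) {
    uint64_t d = 0;
    d |= (uint64_t)(limit & 0xFFFFu);
    d |= (uint64_t)(base & 0xFFFFu) << 16;
    d |= (uint64_t)((base >> 16) & 0xFFu) << 32;
    d |= (uint64_t)writable << 41;
    d |= (uint64_t)code << 43;
    d |= 1ull << 44;                                   /* S: code/data segment */
    d |= (uint64_t)(dpl & 3u) << 45;
    d |= 1ull << 47;                                   /* P: present */
    d |= (uint64_t)((limit >> 16) & 0xFu) << 48;
    d |= (uint64_t)g << 55;
    d |= (uint64_t)((base >> 24) & 0xFFu) << 56;
    return d;
}

int main(void) {
    /* Constructed descriptors: a ring-0 4 GiB data segment and a ring-3 read-only 4 KiB one. */
    segdesc kdata = decode_descriptor(make_descriptor(0, 0xFFFFFu, 0, true, false, true));
    segdesc udata = decode_descriptor(make_descriptor(0x00400000u, 0x1000u, 3, false, false, false));
    printf("ring3 -> kernel data : %d\n", check_data_access(kdata, 3, 3, 0x1000u, false));
    printf("ring3 -> user data   : %d\n", check_data_access(udata, 3, 3, 0x1000u, false));
    printf("past user limit      : %d\n", check_data_access(udata, 3, 3, 0x1001u, false));
    printf("write read-only      : %d\n", check_data_access(udata, 3, 3, 0x10u, true));
    return 0;
}
```

Note the `max(cpl, rpl)` step: it is what stops ring-0 code from being tricked into touching inner data on behalf of a caller that handed it a selector tagged RPL 3, which is the kind of loophole the text says the IA-32 design tries to close.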
The Intel designers did not stop there. The IA-32 divides the address space, allowing both the operating system and the user access to the full space. The IA-32 user can call an operating system routine in this space and even pass parameters to it while retaining full protection. This safe call is not a trivial action, since the stack for the operating system is different from the user's stack. Moreover, the IA-32 allows the operating system to maintain the protection