Memory Protection: Kernel and User Address Spaces
description
Transcript of Memory Protection: Kernel and User Address Spaces
Memory Protection: Kernel Memory Protection: Kernel and User Address Spacesand User Address Spaces
Andy WangAndy WangOperating SystemsOperating Systems
COP 4610 / CGS 5765COP 4610 / CGS 5765
Up to This PointUp to This Point
Threads provide the illusion of an infinite Threads provide the illusion of an infinite number of CPUs number of CPUs On a single processor machineOn a single processor machine
Memory management provides a different Memory management provides a different set of illusionsset of illusions Protected memoryProtected memory Infinite amount of memoryInfinite amount of memory Transparent sharing Transparent sharing
Physical vs. Virtual MemoryPhysical vs. Virtual Memory
Physical memoryPhysical memory Virtual memoryVirtual memory
No protectionNo protection Each process isolated Each process isolated from all others and from from all others and from the OSthe OS
Limited sizeLimited size Illusion of infinite Illusion of infinite memorymemory
Sharing visible to Sharing visible to processesprocesses
Each process cannot tell Each process cannot tell if memory is sharedif memory is shared
Memory OrganizationsMemory Organizations
Simplest: Simplest: uniprogramming without uniprogramming without memory protectionmemory protection Each application runs within a hardwired Each application runs within a hardwired
range of physical memory addressesrange of physical memory addresses One application runs at a timeOne application runs at a time
Application can use the same physical Application can use the same physical addresses every time, across rebootsaddresses every time, across reboots
Uniprogramming Without Memory Uniprogramming Without Memory ProtectionProtection
Applications typically use the lower Applications typically use the lower memory addresses memory addresses
An OS uses the higher memory addressesAn OS uses the higher memory addresses An application can address any physical An application can address any physical
memory locationmemory location
000000 ffffff
Physical memory
Application Operating system
Multiprogramming Without Multiprogramming Without Memory ProtectionMemory Protection
When a program is copied into memory, a When a program is copied into memory, a linker-loader linker-loader alters the code of the alters the code of the program (e.g., loads, stores, and jumps)program (e.g., loads, stores, and jumps) To use the address of where the program To use the address of where the program
lands in memorylands in memory
Multiprogramming Without Memory Multiprogramming Without Memory ProtectionProtection
Bugs in any program can cause other Bugs in any program can cause other programs to crash, even the OSprograms to crash, even the OS
000000 ffffff
Physical memory
Application 1 Operating systemApplication 2
Multiprogrammed OS With Multiprogrammed OS With Memory ProtectionMemory Protection
Memory protectionMemory protection keeps user programs keeps user programs from crashing one another and the OSfrom crashing one another and the OS
Two hardware-supported mechanismsTwo hardware-supported mechanisms Address translationAddress translation Dual-mode operationDual-mode operation
Address TranslationAddress Translation Recall that each process is associated Recall that each process is associated
with an with an address spaceaddress space, or all the , or all the physicalphysical addresses a process can touchaddresses a process can touch
However, each process believes that it However, each process believes that it owns the entire memory, starting with the owns the entire memory, starting with the virtualvirtual address 0 address 0
The missing piece is a translation table to The missing piece is a translation table to translate every memory reference from translate every memory reference from virtual to physical addressesvirtual to physical addresses
Address Translation VisualizedAddress Translation Visualized
Virtual addresses
Physicaladdresses
Translation table
Data reads or writes(untranslated)
More on Address TranslationsMore on Address Translations
Translation provides protectionTranslation provides protection Processes cannot talk about other processes’ Processes cannot talk about other processes’
addresses, nor about the OS addressesaddresses, nor about the OS addresses OS uses physical addresses directlyOS uses physical addresses directly
No translationsNo translations
Dual-Mode Operation RevisitedDual-Mode Operation Revisited
Translation tables offer protection if they Translation tables offer protection if they cannot be altered by applicationscannot be altered by applications
An application can only touch its address An application can only touch its address space under the user modespace under the user mode
Hardware requires the CPU to be in the Hardware requires the CPU to be in the kernel mode to modify the address kernel mode to modify the address translation tablestranslation tables
Details of Dual-Mode OperationsDetails of Dual-Mode Operations
How the CPU is shared between the How the CPU is shared between the kernel and user processeskernel and user processes
How processes interact among How processes interact among themselvesthemselves
Switching from the Kernel to User Switching from the Kernel to User ModeMode
To run a user program, the kernelTo run a user program, the kernel Creates a process and initialize the address Creates a process and initialize the address
spacespace Loads the program into the memoryLoads the program into the memory Initializes translation tablesInitializes translation tables Sets the hardware pointer to the translation Sets the hardware pointer to the translation
tabletable Sets the CPU to user modeSets the CPU to user mode Jumps to the entry point of the programJumps to the entry point of the program
To Run a ProgramTo Run a Program
User level
Kernel level
Translation tableHardware pointer
user mode
PC
Switching from User Mode to Switching from User Mode to Kernel ModeKernel Mode
VoluntaryVoluntary System callsSystem calls: a user process asks the OS to : a user process asks the OS to
do something on the process’s behalfdo something on the process’s behalf InvoluntaryInvoluntary
Hardware interrupts (e.g., I/O)Hardware interrupts (e.g., I/O) Program exceptions (e.g., segmentation fault)Program exceptions (e.g., segmentation fault)
Switching from User Mode to Switching from User Mode to Kernel ModeKernel Mode
For all cases, hardware atomically For all cases, hardware atomically performs the following stepsperforms the following steps Sets the CPU to kernel modeSets the CPU to kernel mode Saves the current program counterSaves the current program counter Jumps to the handler in the kernel Jumps to the handler in the kernel
The handler saves old register valuesThe handler saves old register values
Switching from User Mode to Switching from User Mode to Kernel ModeKernel Mode
Unlike context switching among threads, Unlike context switching among threads, to switch among processesto switch among processes Need to save and restore pointers to Need to save and restore pointers to
translation tablestranslation tables To resume process executionTo resume process execution
Kernel reloads old register valuesKernel reloads old register values Sets CPU to user modeSets CPU to user mode Jumps to the old program counter Jumps to the old program counter
User User Kernel Kernel
User level
Kernel level
set kernel modePC
PC
handler trusted code
register values translation tables(for processes)
Kernel Kernel User User
User level
Kernel level
set kernel modePC
PC
handler trusted code
register values translation tables(for processes)
Kernel Kernel User User
User level
Kernel level
PC
PC
handler trusted code
register values translation tables(for processes)
user mode
Communication Between Address Communication Between Address SpacesSpaces
Processes communicate among address Processes communicate among address spaces via spaces via interprocess communication interprocess communication (IPC)(IPC) Byte stream (e.g., Byte stream (e.g., pipepipe)) Message passing (send/receive)Message passing (send/receive) File system (e.g., read and write files)File system (e.g., read and write files) Shared memoryShared memory
Bugs can propagate from one process to Bugs can propagate from one process to anotheranother
Interprocess CommunicationInterprocess Communication Direct Direct
send(Psend(P11, message);, message); receive(Preceive(P22, message);, message); One-to-one communicationOne-to-one communication
IndirectIndirect Mailboxes or portsMailboxes or ports send(mailbox_A, message);send(mailbox_A, message); receive(mailbox_A, message);receive(mailbox_A, message); Many-to-many communicationMany-to-many communication
Protection Without Hardware Protection Without Hardware SupportSupport
Hardware-supported protection can be Hardware-supported protection can be slowslow Requires applications be separated into Requires applications be separated into
address spaces to achieve fault isolationaddress spaces to achieve fault isolation What if your applications are built by What if your applications are built by
multiple vendors? (e.g., Netscape plug-multiple vendors? (e.g., Netscape plug-ins)ins) Can we run two programs in the same Can we run two programs in the same
address space, with safety guarantees?address space, with safety guarantees?
Protection via Strong TypingProtection via Strong Typing
Programming languages may disallow the Programming languages may disallow the misuse of data structures (casting)misuse of data structures (casting) e.g., LISP and Javae.g., LISP and Java
Java has its own virtual machinesJava has its own virtual machines A Java program can run on different hardware A Java program can run on different hardware
and OSesand OSes- Need to learn a new language- Need to learn a new language
Protection via Software Fault Protection via Software Fault IsolationIsolation
Compilers generate code that is provably Compilers generate code that is provably safesafe e.g., a pointer cannot reference illegal e.g., a pointer cannot reference illegal
addressesaddresses With aggressive optimizations, the With aggressive optimizations, the
overhead can be as low as 5%overhead can be as low as 5%
A malicious user cannot jump to the last line A malicious user cannot jump to the last line and do damage, since and do damage, since safesafe is a legal address is a legal address
Protection via Software Fault Protection via Software Fault IsolationIsolation
Original instructionOriginal instruction Compiler-modified versionCompiler-modified versionst r2, (r1)st r2, (r1) safesafe = a legal address = a legal address
safe = r1safe = r1Check Check safesafe is still legal is still legalst r2, (safe)st r2, (safe)