1 / 55

General OS Security: Memory Protection and Access Control

CS461/ECE422 Spring 2008. General OS Security: Memory Protection and Access Control. Reading. Security in Computing – 4.1-4.4 Intel Pentium II Software Developer’s Manual: Volume 3. Sections 4.5 through 4.8 http://developer.intel.com/design/processor/manuals/253668.pdf. Outline.

nerice
Download Presentation

General OS Security: Memory Protection and Access Control

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CS461/ECE422 Spring 2008 General OS Security:Memory Protection and Access Control

  2. Reading • Security in Computing – 4.1-4.4 • Intel Pentium II Software Developer’s Manual: Volume 3. Sections 4.5 through 4.8 • http://developer.intel.com/design/processor/manuals/253668.pdf

  3. Outline • Evolution of OS • Memory Protection • Intel Architecture • Object Access Control • File access in particular

  4. In the Beginning... • The program owned the machine • Access hardware directly • Executives emerged • Gather common functionality • Multi-user systems required greater separation • Multics, the source of much early OS development

  5. Types of Separation • Physical • Use separate physical resources, e.g. Printers, disk drives • Temporal • Time slice different users • Logical • Create virtual environment to make it seem that programs are running independently • Cryptographic • Hide data and computation from others

  6. Protected Resources • What resources should be protected? • Peripherals (e.g. printers) • Network • Storage (disk drives, files) • Memory • Why protect each of them?

  7. Memory Protection • Protect Core OS/Maintenance routines from user program • Kernel space • User space • Hardware support to ensure isolation

  8. X OK Memory Fence Addresses 0 Operating System • Two problems: • Flexibility • Sharing n Fence User Program n+1 high

  9. Addresses 0 Operating System v.2 m+1 m User Program m+1 high Fence Registers Addresses 0 Operating System v.1 Fence Register Fence Register n+1 n User Program n+1 high

  10. Fence Register in A n+1 Fence Register in B m+1 Multiprogramming 0 Operating System n User Program A n+1 m m+1 User Program B high

  11. Base & Bound 0 Operating System B’s registers A’s registers n m+1 base base n+1 User Program A n+1 high bound bound m m m+1 User Program B high

  12. 7 + n+8 n+8 < <> > Error Virtual Memory Fetch 7 Operating System A’s registers N+1 base n+1 User Program A bound m User Program B

  13. B’s registers A’s registers base base bound bound Shared Sharing Operating System User Program A User Program B

  14. Sharing, Cont’d Operating System User Program A User Program B User Program C

  15. 1 7 + n+8 n+8 < <> > Error Segments Split address into two fields • <seg, offset> Each segment has a base & bound Fetch <1,7> Operating System User Program A User Program B

  16. Segments: Sharing & Protection Operating System { User Program A { Shared } User Program B }

  17. Segment problems • Accesses off the end of the segment • Can only be checked at runtime • Extra check on each memory access • Numbers are generally used for segment names to speed up table lookups • Potential problems for segment sharing • Need to remap segments when they get too big for currently mapped location.

  18. Paging • Fixed units of memory mapping • Page sizes can range from 512 to 8192 bytes • Two part address: <page #, offset> • Easier to map fixed units into physical memory • Overriding the offset will cause the page # to change • Invalid page map should be caught • Lose logical unity of segments • May want to protect prog1 segment in a particular way

  19. Paging

  20. Paging Segments • Used by the x86 architecture • Gives efficiencies of paging architecture with logical protection continuity of segment architecture

  21. Paging Segments

  22. Tagged architectures • Base/bounds assumes contiguous user program space. • Protecting code or data is an all or nothing deal with the base/bounds technique • Could add tags to memory units • Very privileged operation to change tags • Memory unit could be word or a page • Used for capability support • Used by Lisp machines to encode types • RWX bits on pages for Intel architecture

  23. Memory Protection Rings • More than 2 protection levels (why?) • Originally in Multics • In Intel arch since x386

  24. Privilege Levels • CPU enforces constraints on memory access and changes of control between different privilege levels • Similar in spirit to Bell-LaPadula access control restrictions • Hardware enforcement of division between user mode and kernel mode in operating systems • Simple malicious code cannot jump into kernel space

  25. Data Access Rules • Three players • Code segment has a current privilege level CPL • Operand segment selector has a requested privilege level RPL • Data Segment Descriptor for each memory includes a data privilege level DPL • Segment is loaded if CPL <= DPL and RPL <= DPL • i.e. both CPL and RPL are from more privileged rings

  26. Data Access Rules • Access allowed if • CPL <= DPL and RPL <= DPL

  27. Data Access Examples

  28. Direct Control Transfers • For non-conforming code (the common case) • RPL <= DPL && CPL == DPL • Can only directly jump to code at same privilege level

  29. Calling Through Gates DLP

  30. Call Gate Access Rules • For Call • CPL <= CG DPL • RPL <= CG DPL • Dst CS DPL <= CPL • Same for JMP but • Dst CS DPL == CPL

  31. Call Gate Examples

  32. Stack Switching • Automatically performed when calling more privileged code • Prevents less privileged code from passing in short stack and crashing more privileged code • Each task has a stack defined for each privilege level

  33. Moving to the Desktop • Memory protection & rings were used in MULTICS (‘60s) • Intel 8086: segmentation, but no memory protection (1978) • Intel 80286: protection rings (1982) • Intel 80386: paging (1986) • Virtual memory support in Windows - 1995

  34. Limiting Memory Access Type • The Pentium architecture supports making pages read/only versus read/write • A recent development is the Execute Disable Bit (XD-bit) • Added in 2001 but only available in systems recently • Supported by Windows XP SP2 • Similar functionality in AMD Altheon 64 • Called No Execute bit (NX-bit) • Actually in machines on the market sooner than Intel

  35. Windows Support • Enabled in Windows XP SP2 as Data Execution Prevention (DEP) • Software version if no hardware support • Check to see if you have the bit • Control Panel -> System -> Advanced -> DEP tab

  36. Delay to widespread deployment • First hardware in 2001 • Wait for OS support • Wait for vendors willing to sell • Generally available in 2005

  37. Protecting objects • Desire to protect logical entities • Memory • Files or data sets • Executing program • File directory • A particular data structure like a stack • Operating system control structures • Privileged instructions

  38. Access Control Matrix • Access Control Matrix (ACM) and related concepts provides very basic abstraction • Map different systems to a common form for comparison • Enables standard proof techniques • Not directly used in implementation

  39. Definitions • Protection state of system • Describes current settings, values of system relevant to protection • Access control matrix • Describes protection state precisely • Matrix describing rights of subjects • State transitions change elements of matrix

  40. objects (entities) o1 … oms1 … sn s1 s2 … sn subjects Description • Subjects S = { s1,…,sn } • Objects O = { o1,…,om } • Rights R = { r1,…,rk } • Entries A[si, oj] R • A[si, oj] = { rx, …, ry } means subject si has rights rx, …, ry over object oj

  41. Example 1 • Processes p, q • Files f, g • Rights r, w, x, a (append), o (owner) f g p q p rwo r rwxo w q a ro r rwxo

  42. Example 2 • Procedures inc_ctr, dec_ctr, manage • Variable counter • Rights +, –, call counterinc_ctr dec_ctr manage inc_ctr + dec_ctr – manage call call call

  43. State Transitions • Change the protection state of system • |– represents transition • Xi |– Xi+1: command  moves system from state Xi to Xi+1 • Xi |– *Xi+1: a sequence of commands moves system from state Xi to Xi+1 • Commands often called transformation procedures

  44. Example Transitions

  45. Example Composite Transition

  46. objects (entities) o1 … oms1 … sn s1 s2 … sn subjects Practical object access control • Can slice the logical ACM two ways • By row: Store with subject • By column: Store with object

  47. Directories to manage access • Slice ACM by user • Each user keeps a directory • Entry in directory contains reference to object (file) and access rights • Problems • Large lists • Revocation • Object aliases

  48. Directories

  49. Access Control List • Slice by Object • Used by Multics and most modern OS's

  50. Unix Access Control • Three permission octets associated with each file and directory • Owner, group, and other • Read, write, execute • For each file/directory • Can specify RWX permissions for one owner, one group, and one other

More Related