Secure operating systems
1 / 17

Secure Operating Systems - PowerPoint PPT Presentation

  • Uploaded on

Secure Operating Systems. Lesson 5: Shared Objects. Where are we?. We have got more of the fundamental security structures of our OS in our heads But now we have to face a real challenge: shared objects. The OS doesn’t HAVE TO…. I’ve used that heading before, but it’s true

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Secure Operating Systems' - diella

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Secure operating systems

Secure Operating Systems

Lesson 5: Shared Objects

Where are we
Where are we?

  • We have got more of the fundamental security structures of our OS in our heads

  • But now we have to face a real challenge: shared objects

The os doesn t have to
The OS doesn’t HAVE TO…

  • I’ve used that heading before, but it’s true

  • There’s no requirement for our OS to support sharing between users and processes… but it sure comes in handy

  • Once again, we have a tension between performance and security

Two parts of the problem
Two Parts of the Problem

  • Sharing actual information

  • Synchronizing between threads and/or processes

Peterson s solution
Peterson’s Solution

  • Two shared variables:

    • int turn;boolean flag[2]

  • Code:

    • flag[i] = TRUE;turn = j;while (flag[j] && turn == j); // Do Critical Sectionflag[i] = FALSE;

Peterson s solution ii
Peterson’s Solution II



flag[1] = TRUE;turn = 0;while(flag[0] && turn == 0); // Critical Sectionflag[1] = FALSE;

  • flag[0] = TRUE;turn = 1;while(flag[1] && turn == 1); // Critical Sectionflag[0] = FALSE;

Hardware support
Hardware Support

  • The challenge of disabling interrupts is that it’s expensive

  • Many OS provide a hardware “test and set” instruction, which allows atomic access to a chunk of memory

  • Swap: void Swap(boolean *a, boolean *b) {boolean temp = *a; *a = *b; *b = temp; }

Implemented as
Implemented as…

  • do { key = TRUE; while (key == TRUE) swap(&lock, &key); // Critical Section lock = FALSE;} while (TRUE);

  • Mutual-exclusion with Swap…


  • wait(S) { while (S <= 0); //nop S--;}

  • signal(S) { S++;}

  • This really looks like a spinlock…


  • wait(semaphore *S) { S->value--; if (S->value < 0) { add this proc to S->list; block(); // SLEEP }} // This will halt until we own the semaphore


  • P0

    • wait(S);wait(Q);…signal(S);signal(Q);

  • P1

    • wait(Q);wait(S);…signal(Q);signal(S);

Priority inversion
Priority Inversion

  • Imagine we have three procii, L, M and H, where L is Low Priority, M, medium, and H, High

  • L is holding a resource which is blocking H, but gets swapped out for M

  • This is known as Priority Inversion… and it’s a real problem!

  • Probably we should talk about different scheduling approaches

Mars sojourner
Mars Sojourner

  • Long running, medium priority Comms task

  • Low priority weather task

  • High priority information bus thread

  • Low priority wx task acquires a mutex for the bus… gets interrupted by the Comms task (long running), blocking the high priority bus thread… tada! Priority Inversion

  • Can be a security issue too!

    • Can be solved by priority inheritance


  • Making sure something is atomic is pretty easy on a single core system

  • On a more complex system it can get REALLY hard

  • One approach is transactional memory – move the problem to the memory not the programmer

  • None of this has even touched on how we SHARE information between processes…

Race conditions
Race Conditions

  • Poor synchronization can lead to race conditions – a subset of which is called TOCTOU

  • Race conditions arise from interdependence that is unrealized or incorrectly implemented

Things to do
Things to Do

  • Read “An Investigation of the Therac-25 Accidents”, Nancy Leveson, Clark S. Turner

Questions comments
Questions & Comments

  • What do you want to know?