Protection Issues • I/O protection Protection and System Calls – Prevent users from performing illegal I/O’s • Memory protection Otto J. Anshus – Prevent users from modifying kernel code and data (including slides from Kai Li, Princeton structures University) • CPU protection University of Oslo With adaptions by Tore Larsen, University of – Prevent a user from using the CPU for too long Oslo and University of Tromsø Kai Li Support in Modern Processors Protection mechanisms in HW • User mode – Regular Instructions • Two (or more) privilege levels – Access user-mode memory – Highest privilege level – Illegal attempts will result in User- •Interrupt, • ”Anything is allowed” faults/exceptions mode Return – Lowest privilege level •User to user- system call, • Kernel (supervisor, privileged) mode • Only what can be safely let for anyone is available mode Kernel- •User- • Memory protection mode – Regular instructions mode trap – Provided by a ”memory management unit (MMU),” – I/O instructions conceptually a level of logic between the processor and – Access both user- and kernel-mode •Interrupt, memory. Privileged instructions set restrictions on how regions in memory address space may be accessed. MMU •Kernel system call memory traps when instructions attempt to break the restrictions – •Kernel-mode trap – An instruction to change to user mode The trap invokes the operating system 1
2^16=0-FFFFh I/O 8-bit ports 2*8=16 bit port 4*16=32 bit port • I/O ports: Protection checks Intel Pentium • created in system HW for com. w/peripheral devices • Examples – connects to a serial device When violation: Exception! – connects to control registers of a disk controller • I/O address space Will look at this and • I/O instructions memory mapped I/O later – in, out: between ports and registers – ins, outs: between ports and memory locations • I/O protection mechanism – I/O Privilege Level (IOPL): I/O instr. only from Ring Level 0 or 1 (typical) – I/O permission bit map: Gives selective control of individual ports Intel Vol 3 System Programming Guide 2
Intel Privilege Levels System Call Mechanism The privileged instructions • User code can be arbitrary Checks not done by OS, can only be executed when User User but the levels can be used current privilege level (CPL) in the design • User code cannot modify kernel is 0 program program memory return call • Makes a system call with parameters entry • The call mechanism switches code to kernel mode Kernel in protected memory • Execute system call • Return with results But HOW in a secure way? Kai Li/OJA OS Kernel: Trap Handler System Call Implementation • Use an “interrupt” Interrupt service • Hardware devices (keyboard, serial port, timer, disk,…) HW Device Sys_call_table routines Interrupt and software can request service using interrupts System service System Service Call • The CPU is interrupted dispatcher System • ...and a service handler routine is run HW exceptions services SW exceptions • …when finished the CPU resumes from where it was Exception interrupted (or somewhere else determined by the OS dispatcher Virtual address Exception kernel) exceptions handlers VM manager’s pager HW implementation of the boundary 3
The Stack Passing Parameters •Many stacks possible, but only one is “current”: the one in the segment referenced by the SS Kernel has access to callers • Passing in registers register address space, but not vice •Max size 4 gigabytes versa • Simplest but limited •PUSH: write (--ESP); • Passing in a vector •POP: read(ESP++); •When setting up a stack • A register holds the remember to align the stack Top address of the vector pointer on 16 bit word or 32 bit double-word boundaries • Passing on the stack frame • Push: library frame • Pop: System Kai Li Issues in System Call Mechanism Library Stubs for System Calls • read( fd, buf, size) • Use caller’s stack or a special stack? User int read( int fd, char * buf, int size) – Use a special stack User memory { stack • Use a single entry or multiple entries move READ to R 0 Registers move fd, buf, size to R 1 , R 2 , R 3 32-255 available – A single entry is simpler to user int $0x80 Registers • System calls with 1, 2, 3, … N arguments load result code from R result Kernel } – Group system calls by # of args Kernel stack Return when memory • Can kernel code call system calls? work is done Could be an error – Yes and should avoid the entry code Win NT: 2E Linux: 80 Kai Li Kai L/OJA 4
int 0x80 int 0x80 System Call Entry Point System Call Entry Point • Assume passing parameters in • Assume passing parameters in User User registers registers User User memory memory EntryPoint: EntryPoint: Kernel stack Kernel stack SW SW switch to kernel stack; Mode: switch to kernel stack; Mode: Registers Registers interrupt Total interrupt Total save all registers; save all registers; control. control. if legal(R 0 ) call sys_call_table[R 0 ]; All if legal(R 0 ) call sys_call_table[R 0 ]; All Registers Registers interrupts interrupts restore user registers; restore user registers; are are Kernel Kernel switch to user stack; disabled switch to user stack; disabled Kernel Kernel stack stack iret; iret; memory memory Change to user mode Or: User stack Put results into buf and return Or: some register Kai Li/OJA Kai Li/OJA int 0x80 System Call Entry Point Polling instead of Interrupt? • Assume passing parameters in • OS kernel could check a request queue instead registers of using an interrupt? EntryPoint: Save/Restore Context? SW switch to kernel stack; • Waste CPU cycles checking interrupt save all registers; • All have to wait while the checks are being done if legal(R 0 ) call sys_call_table[R 0 ]; If this code takes a long time: should • When to check? ENABLE interrupts restore user registers; – Non-predictable switch to user stack; But used for Servers – Pulse every 10-100ms? READ returns with result and iret; handler must return them to user » too long time • Same valid for HW Interrupts vs. Polling Or SCHEDULE to run another Kai Li/OJA 5
System Calls Interrupts and Exceptions • Process management • end, abort , load, execute, create, terminate, set, wait Due to bugs in current • Memory management • Processor exceptions running process • mmap & munmap, mprotect, mremap, msync, swapon & • MMU address faults, divide by zero, etc off, • 386: the first 32 “interrupt descriptor table” entries are • File management special descriptors, trap gates, mapping exceptions to handler code • create, delete, open, close, R, W, seek • Interrupts from hardware • Device management • slow: int ON, usual, timer • res, rel, R, W, seek, get & set atrib., mount, unmount • fast: int OFF, less complex, keyboard • Communication • Interrupts from software: sys calls • get ID’s, open, close, send, receive Kai Li 6
Recommend
More recommend
