x86 memory protec on and transla on
play

x86 Memory Protec.on and Transla.on Don Porter 1 CSE 506: Opera.ng - PowerPoint PPT Presentation

Aug 08, 2023 •110 likes •616 views

CSE 506: Opera.ng Systems x86 Memory Protec.on and Transla.on Don Porter 1 CSE 506: Opera.ng Systems Logical Diagram Binary Memory Threads Formats Allocators User System Calls Kernel RCU File System Networking Sync Memory CPU

  1. CSE 506: Opera.ng Systems x86 Memory Protec.on and Transla.on Don Porter 1

  2. CSE 506: Opera.ng Systems Logical Diagram Binary Memory Threads Formats Allocators User System Calls Kernel RCU File System Networking Sync Memory CPU Device Today’s Management Scheduler Drivers Lecture Hardware Interrupts Disk Net Consistency Today’s Lecture: Focus on Hardware ABI 2

  3. CSE 506: Opera.ng Systems Lecture Goal • Understand the hardware tools available on a modern x86 processor for manipula.ng and protec.ng memory • Lab 2: You will program this hardware • Apologies: Material can be a bit dry, but important – Plus, slides will be good reference • But, cool tech tricks: – How does thread-local storage (TLS) work? – An actual (and tough) MicrosoW interview ques.on 3

  4. CSE 506: Opera.ng Systems Undergrad Review • What is: – Virtual memory? – Segmenta.on? – Paging? 4

  5. CSE 506: Opera.ng Systems Memory Mapping Process 1 Process 2 Virtual Memory Virtual Memory // Program expects (*x) Only one physical 0x1000 0x1000 // to always be at address 0x1000!! // address 0x1000 int *x = 0x1000; 0x1000 Physical Memory 5

  6. CSE 506: Opera.ng Systems Two System Goals 1) Provide an abstrac.on of con.guous, isolated virtual memory to a program 2) Prevent illegal opera.ons – Prevent access to other applica.on or OS memory – Detect failures early (e.g., segfault on address 0) – More recently, prevent exploits that try to execute program data 6

  7. CSE 506: Opera.ng Systems Outline • x86 processor modes • x86 segmenta.on • x86 page tables • Advanced Features • Interes.ng applica.ons/problems 7

  8. CSE 506: Opera.ng Systems x86 Processor Modes • Real mode – walks and talks like a really old x86 chip – State at boot – 20-bit address space, direct physical memory access • 1 MB of usable memory – Segmenta.on available (no paging) • Protected mode – Standard 32-bit x86 mode – Segmenta.on and paging – Privilege levels (separate user and kernel) 8

  9. CSE 506: Opera.ng Systems x86 Processor Modes • Long mode – 64-bit mode (aka amd64, x86_64, etc.) – Very similar to 32-bit mode (protected mode), but bigger – Restrict segmenta.on use – Garbage collect deprecated instruc.ons • Chips can s.ll run in protected mode with old instruc.ons • Even more obscure modes we won’t discuss today 9

  10. CSE 506: Opera.ng Systems Transla.on Overview Segmenta.on 0xdeadbeef 0x 0 eadbeef 0x 6 eadbeef Paging Virtual Address Linear Address Physical Address Protected/Long mode only • Segmenta.on cannot be disabled! – But can be a no-op (aka flat mode) 10

  11. CSE 506: Opera.ng Systems x86 Segmenta.on • A segment has: – Base address (linear address) – Length – Type (code, data, etc). 11

  12. CSE 506: Opera.ng Systems Programming model • Segments for: code, data, stack, “extra” – A program can have up to 6 total segments – Segments iden.fied by registers: cs, ds, ss, es, fs, gs • Prefix all memory accesses with desired segment: – mov eax, ds:0x80 (load offset 0x80 from data into eax) – jmp cs:0xab8 (jump execu.on to code offset 0xab8) – mov ss:0x40, ecx (move ecx to stack offset 0x40) 12

  13. CSE 506: Opera.ng Systems Segmented Programming Pseudo-example ds:x = 1; // data // global int x = 1 ss:y; // stack int y; // stack if (ds:x) { if (x) { y = 1; ss:y = 1; printf (“Boo”); cs:printf (ds:“Boo”); } else } else y = 0; ss:y = 0; Segments would be used in assembly, not C 13

  14. CSE 506: Opera.ng Systems Programming, cont. • This is cumbersome, so infer code, data and stack segments by instruc.on type: – Control-flow instruc.ons use code segment (jump, call) – Stack management (push/pop) uses stack – Most loads/stores use data segment • Extra segments (es, fs, gs) must be used explicitly 14

  15. CSE 506: Opera.ng Systems Segment management • For safety (without paging), only the OS should define segments. Why? • Two segment tables the OS creates in memory: – Global – any process can use these segments – Local – segment defini.ons for a specific process • How does the hardware know where they are? – Dedicated registers: gdtr and ldtr – Privileged instruc.ons: lgdt, lldt 15

  16. CSE 506: Opera.ng Systems Segment registers Global or Local Table Index (13 bits) Ring (2 bits) Table? (1 bit) • Set by the OS on fork, context switch, etc. 16

  17. CSE 506: Opera.ng Systems Segments Illustrated Low 3 bits 0 Index 1 (4 th bit) cs: 0x8 ds: 0xf 0, 0x123000, 0x423000, gdtr … 0B 1MB 1MB call cs:0xf150 0x123000 + 0xf150 
 = 0x123150 17

  18. CSE 506: Opera.ng Systems Sample Problem: (Old) JOS Bootloader • Suppose my kernel is compiled to be in upper 256 MB of a 32-bit address space (i.e., 0xf0100000) – Common to put OS kernel at top of address space • Bootloader starts in real mode (only 1MB of addressable physical memory) • Bootloader loads kernel at 0x00100000 – Can’t address 0xf0100000 18

  19. CSE 506: Opera.ng Systems Boo.ng problem • Kernel needs to set up and manage its own page tables – Paging can translate 0xf0100000 to 0x00100000 • But what to do between the bootloader and kernel code that sets up paging? 19

  20. CSE 506: Opera.ng Systems Segmenta.on to the Rescue! • kern/entry.S: – What is this code doing? mygdt: SEG_NULL # null seg SEG(STA_X|STA_R, -KERNBASE, 0xffffffff) # code seg SEG(STA_W, -KERNBASE, 0xffffffff) # data seg 20

  21. CSE 506: Opera.ng Systems JOS ex 1, cont. SEG(STA_X|STA_R, -KERNBASE, 0xffffffff) # code seg Execute and Offset Segment Length Read -0xf0000000 (4 GB) permission jmp 0xf01000db8 # virtual addr. (implicit cs seg) jmp (0xf01000db8 + -0xf0000000) jmp 0x001000db8 # linear addr. 21

  22. CSE 506: Opera.ng Systems Flat segmenta.on • The above trick is used for boo.ng. We eventually want to use paging. • How can we make segmenta.on a no-op? • From kern/pmap.c: // 0x8 - kernel code segment [GD_KT >> 3] = SEG(STA_X | STA_R, 0x0, 0xffffffff, 0), Execute and Offset Segment Length Read Ring 0 0x00000000 (4 GB) permission 22

  23. CSE 506: Opera.ng Systems Outline • x86 processor modes • x86 segmenta.on • x86 page tables • Advanced Features • Interes.ng applica.ons/problems 23

  24. CSE 506: Opera.ng Systems Paging Model • 32 (or 64) bit address space. • Arbitrary mapping of linear to physical pages • Pages are most commonly 4 KB – Newer processors also support page sizes of 2 MB and 1 GB 24

  25. CSE 506: Opera.ng Systems How it works • OS creates a page table – Any old page with entries formaqed properly – Hardware interprets entries • cr3 register points to the current page table – Only ring0 can change cr3 25

  26. CSE 506: Opera.ng Systems Transla.on Overview From Intel 80386 Reference Programmer’s Manual 26

  27. CSE 506: Opera.ng Systems Example 0xf1084150 0x3b4 0x84 0x150 Page Dir Offset Page Table Offset Physical Page Offset (Top 10 addr bits: (Next 10 addr bits) (Low 12 addr bits) 0xf10 >> 2) cr3 Entry at cr3+0x3b4 * Entry at 0x84 * Data we want at sizeof(PTE) sizeof(PTE) offset 0x150 27

  28. CSE 506: Opera.ng Systems Page Table Entries cr3 Physical Address Flags (12 bits) Upper (20 bits) 0x00384 PTE_W|PTE_P|PTE_U 0 0 0x28370 PTE_W|PTE_P 0 0 0 0 0 0 0 0 0 0 28

  29. CSE 506: Opera.ng Systems Page Table Entries • Top 20 bits are the physical address of the mapped page – Why 20 bits? – 4k page size == 12 bits of offset • Lower 12 bits for flags 29

  30. CSE 506: Opera.ng Systems Page flags • 3 for OS to use however it likes • 4 reserved by Intel, just in case • 3 for OS to CPU metadata – User/vs kernel page, – Write permission, – Present bit (so we can swap out pages) • 2 for CPU to OS metadata – Dirty (page was wriqen), Accessed (page was read) 30

  31. CSE 506: Opera.ng Systems Page Table Entries User, writable, present cr3 Physical Address Flags (12 bits) Upper (20 bits) No mapping 0x00384 PTE_W|PTE_P|PTE_U 0 0 0x28370 PTE_W|PTE_P|PTE_DIRTY … … Writeable, kernel-only, present, and dirty (Dirty set by CPU on write) 31

  32. CSE 506: Opera.ng Systems Back of the envelope • If a page is 4K and an entry is 4 bytes, how many entries per page? – 1k • How large of an address space can 1 page represent? – 1k entries * 1page/entry * 4K/page = 4MB • How large can we get with a second level of transla.on? – 1k tables/dir * 1k entries/table * 4k/page = 4 GB – Nice that it works out that way! 32

  33. CSE 506: Opera.ng Systems Challenge ques.ons • What is the space overhead of paging? – I.e., how much memory goes to page tables for a 4 GB address space? • What is the op.mal number of levels for a 64 bit page table? • When would you use a 2 MB or 1 GB page size? 33

  34. CSE 506: Opera.ng Systems TLB Entries • The CPU caches address transla.ons in the TLB – Transla.on Lookaside Buffer cr3 Virt Phys 0xf0231000 0x1000 0x00b31000 0x1f000 0xb0002000 0xc1000 - - Page Traversal is Slow Table Lookup is Fast 34

  35. CSE 506: Opera.ng Systems TLB Entries • The CPU caches address transla.ons in the TLB • Transla.on Lookaside BufferThe TLB is not coherent with memory, meaning: – If you change a PTE, you need to manually invalidate cached values – See the tlb_invalidate() func.on in JOS 35

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Address Transla+on Main Points Address Transla+on Concept

Address Transla+on Main Points Address Transla+on Concept

Address Transla+on Main Points Address Transla+on Concept How do we convert a virtual address to a physical address? Flexible Address Transla+on

979 views • 65 slides
Address Transla+on Main Points Address Transla+on Concept

Address Transla+on Main Points Address Transla+on Concept

Address Transla+on Main Points Address Transla+on Concept How do we convert a virtual address to a physical address? Flexible Address Transla+on

1.04k views • 60 slides
Simultaneous Transla/on for Hiero Simon Fraser University

Simultaneous Transla/on for Hiero Simon Fraser University

Simultaneous Transla/on for Hiero Simon Fraser University Maryam Siahbani, Anoop Sarkar Hierarchical Phrase-based Transla/on (Hiero) Synchronous Context-Free Grammar

505 views • 46 slides
Cheap transla,on Automated ques,on answering Visualizing

Cheap transla,on Automated ques,on answering Visualizing

Cheap transla,on Automated ques,on answering Visualizing communi,es Cheap Transla,on Its the dirty li>le secret of foreign correspondents. We wouldnt

428 views • 15 slides
Competence-based Curriculum Learning for Neural Machine Transla:on Anthony Platanios

Competence-based Curriculum Learning for Neural Machine Transla:on Anthony Platanios

Competence-based Curriculum Learning for Neural Machine Transla:on Anthony Platanios e.a.platanios@cs.cmu.edu Joint work with O,lia Stretcu, Graham Neubig, Barnabas Poczos, and Tom Mitchell Neural Machine Transla/on (NMT) NMT represents the

582 views • 36 slides
The Big Picture KNOW THE DIFFERENCES Cour r t t-Or Order dered ed Protec ective e Men

The Big Picture KNOW THE DIFFERENCES Cour r t t-Or Order dered ed Protec ective e Men

Cour r t t-Or Order dered ed Protec ective e Men ental H Heal ealth Emer er gen ency Custody dy Dete tenti tion on Ser Ser vi vices The Big Picture KNOW THE DIFFERENCES Cour r t t-Or Order dered ed Protec ective

501 views • 35 slides
Ac#ve Learning and Crowd- Sourcing for Machine Transla#on

Ac#ve Learning and Crowd- Sourcing for Machine Transla#on

Ac#ve Learning and Crowd- Sourcing for Machine Transla#on Vamshi Amba#, Stephan Vogel, & Jamie Carbonell Pramod Thammaiah ScoC Brinker November 17,

623 views • 45 slides
PROMT FlexibleandEfficientManagementof Transla:onQuality PROMT,LLC

PROMT FlexibleandEfficientManagementof Transla:onQuality PROMT,LLC

PROMT FlexibleandEfficientManagementof Transla:onQuality PROMT,LLC AboutPROMT Experienced. Foundedin1991 Interna:onal. Over180employeesinUS,Germany,Russiaplus

874 views • 27 slides
Informa(on Retrieval as Sta(s(cal Transla(on Presented by: Lin

Informa(on Retrieval as Sta(s(cal Transla(on Presented by: Lin

Informa(on Retrieval as Sta(s(cal Transla(on Presented by: Lin Gong Introduc(on How do people search a query? Ideal Informa(on

1.02k views • 15 slides
Module'8:'Evalua-ng'Immune'Correlates'of' Protec-on''

Module'8:'Evalua-ng'Immune'Correlates'of' Protec-on''

Module'8:'Evalua-ng'Immune'Correlates'of' Protec-on'' Instructors:!Peter!Gilbert,!Ivan!Chan,!Paul!T.!Edlefsen,!Ying!Huang ' Talk'6:'Introduc-on'to'Sieve'Analysis'of' ! Pathogen'Sequences' ! !

373 views • 15 slides
Click to add title Speakers: Thomas Roth , Global Data Protec.on Officer, Boehringer Ingelheim

Click to add title Speakers: Thomas Roth , Global Data Protec.on Officer, Boehringer Ingelheim

Data overload? Data protec.on - GDPR and beyond Click to add title Speakers: Thomas Roth , Global Data Protec.on Officer, Boehringer Ingelheim Click to add subtitle Sara Fernndez , Privacy Strategy Director, Liberty Global Eric van Dam ,

128 views • 11 slides
Protec'on, iden'ty, and trust Illustrated with Unix setuid

Protec'on, iden'ty, and trust Illustrated with Unix setuid

Protec'on, iden'ty, and trust Illustrated with Unix setuid Jeff Chase Duke University The need for access control Processes run programs on behalf of users. ( subjects )

1.02k views • 70 slides
Memory II. Memory improvement III. Problems with memory 3 systems/stages of Memory: memory

Memory II. Memory improvement III. Problems with memory 3 systems/stages of Memory: memory

Main Focus I. Memory as a process Memory II. Memory improvement III. Problems with memory 3 systems/stages of Memory: memory the process by which I. Sensory Memory information is - acquired, II. Short -Term Memory - stored,

169 views • 5 slides
EP EPA Measur Measures t es to Pr Protec ect t Pollinators from m Pesticides Michael

EP EPA Measur Measures t es to Pr Protec ect t Pollinators from m Pesticides Michael

EP EPA Measur Measures t es to Pr Protec ect t Pollinators from m Pesticides Michael Goodis Director, Registration Division Office of Pesticide Programs AAPCOs 71 st Annual Meeting March 5, 2018 EPAs Final Acute Mitigation Policy

356 views • 12 slides
Vi Visual G Gro rounding i in Vi Video eo fo for r Un Unsup upervised Word Transla

Vi Visual G Gro rounding i in Vi Video eo fo for r Un Unsup upervised Word Transla

Vi Visual G Gro rounding i in Vi Video eo fo for r Un Unsup upervised Word Transla lation G. Sigurdsson, J-B. Alayrac, A. Nematzadeh, L. Smaira, M. Malinowski, J. Carreira, P. Blunsom, A. Zisserman 6/15/20 Video

494 views • 17 slides
Towards European Transla/on Cloud: Development of public MT services in the Bal/c countries

Towards European Transla/on Cloud: Development of public MT services in the Bal/c countries

Towards European Transla/on Cloud: Development of public MT services in the Bal/c countries META-FORUM 2016 | Lisabon | July 5, 2016 Andrejs Vasijevs Rihards Kalni /lde.com A T A Translation anslation Cl Cloud oud Sc Scenario

928 views • 46 slides
General Session NYSLRS Retirement Online Employer Workshop Presented by: New York State &

General Session NYSLRS Retirement Online Employer Workshop Presented by: New York State &

General Session NYSLRS Retirement Online Employer Workshop Presented by: New York State & Local Retirement System Office of the New York State Comptroller Thomas P. DiNapoli Workshop Agenda Start Time End Time Topic 10:00am 12:00pm

831 views • 49 slides
Hidden Markov Models Matt Gormley Lecture 19 Nov. 5, 2018 1 Reminders Homework 6: PAC

Hidden Markov Models Matt Gormley Lecture 19 Nov. 5, 2018 1 Reminders Homework 6: PAC

10-601 Introduction to Machine Learning Machine Learning Department School of Computer Science Carnegie Mellon University Hidden Markov Models Matt Gormley Lecture 19 Nov. 5, 2018 1 Reminders Homework 6: PAC Learning / Generative

867 views • 48 slides
RESTRICTED BOLTZMANN MACHINES DANIEL KOHLSDORF LAST LECTURE: DEEP AUTO ENCODERS Directed Model

RESTRICTED BOLTZMANN MACHINES DANIEL KOHLSDORF LAST LECTURE: DEEP AUTO ENCODERS Directed Model

RESTRICTED BOLTZMANN MACHINES DANIEL KOHLSDORF LAST LECTURE: DEEP AUTO ENCODERS Directed Model Reconstructs the input Back propagation Today: Probabilistic Interpretation Undirected Model DIRECTED VS UNDIRECTED MODELS VS PROBABILISTIC

378 views • 24 slides
Dimensionality Reduc1on Lecture 23 David Sontag New York

Dimensionality Reduc1on Lecture 23 David Sontag New York

Dimensionality Reduc1on Lecture 23 David Sontag New York University Slides adapted from Carlos Guestrin and Luke Zettlemoyer Assignments Last homework assignment released tonight,

191 views • 17 slides
Pre-Submi*al Workshop Project Partners Introduc/on In a crea7ve city known for its art and

Pre-Submi*al Workshop Project Partners Introduc/on In a crea7ve city known for its art and

Pre-Submi*al Workshop Project Partners Introduc/on In a crea7ve city known for its art and up-and-coming bike culture, stylish and func7onal bike racks are both a natural fit, and a necessity. These eye-catching racks will be important ameni7es

379 views • 21 slides
Linux kernel synchroniza2on Don Porter CSE 506 1 CSE 506: Opera.ng Systems Logical Diagram

Linux kernel synchroniza2on Don Porter CSE 506 1 CSE 506: Opera.ng Systems Logical Diagram

CSE 506: Opera.ng Systems Linux kernel synchroniza2on Don Porter CSE 506 1 CSE 506: Opera.ng Systems Logical Diagram Binary Memory Threads Formats Allocators User Todays Lecture System Calls Synchroniza2on in Kernel the kernel

572 views • 45 slides
Lockout: Efficient Tes0ng for Deadlock Bugs Ali Kheradmand,

Lockout: Efficient Tes0ng for Deadlock Bugs Ali Kheradmand,

Lockout: Efficient Tes0ng for Deadlock Bugs Ali Kheradmand, Baris Kasikci, George Candea 1 Deadlock Set of threads Each holding a lock

642 views • 20 slides
Introduc)on to the Applica)ons Area within the IETF Murray

Introduc)on to the Applica)ons Area within the IETF Murray

Introduc)on to the Applica)ons Area within the IETF Murray Kucherawy <superuser@gmail.com> Alexey Melnikov <alexey.melnikov@isode.com> Overview Whats the

491 views • 29 slides

More recommend