Memory protection
This article needs additional citations for verification. (September 2012) |
Memory protection is a way to control memory access rights on a computer, and is a part of most modern
Methods
Segmentation
Segmentation refers to dividing a computer's memory into segments. A reference to a memory location includes a value that identifies a segment and an offset within that segment. A segment descriptor may limit access rights, e.g., read only, only from certain rings.
The
Paged virtual memory
In paging the memory address space or segment is divided into equal-sized blocks
Most computer architectures which support paging also use pages as the basis for memory protection.
A page table maps virtual memory to physical memory. There may be a single page table, a page table for each process, a page table for each segment, or a hierarchy of page tables, depending on the architecture and the OS. The page tables are usually invisible to the process. Page tables make it easier to allocate additional memory, as each new page can be allocated from anywhere in physical memory. On some systems a page table entry can also designate a page as read-only.
Some operating systems set up a different address space for each process, which provides hard memory protection boundaries.[2] It is impossible for an unprivileged[c] application to access a page that has not been explicitly allocated to it, because every memory address either points to a page allocated to that application, or generates an interrupt called a page fault. Unallocated pages, and pages allocated to any other application, do not have any addresses from the application point of view.
A page fault may not necessarily indicate an error. Page faults are not only used for memory protection. The operating system may manage the page table in such a way that a reference to a page that has been previously paged out to secondary storage[d] causes a page fault. The operating system intercepts the page fault, loads the required memory page, and the application continues as if no fault had occurred. This scheme, a type of virtual memory, allows in-memory data not currently in use to be moved to secondary storage and back in a way which is transparent to applications, to increase overall memory capacity.
On some systems, a request for virtual storage may allocate a block of virtual addresses for which no page frames have been assigned, and the system will only assign and initialize page frames when page faults occur. On some systems a
On some systems, the page fault mechanism is also used for
Protection keys
A memory protection key (MPK)
The System/360 protection keys described above are associated with physical addresses. This is different from the protection key mechanism used by architectures such as the Hewlett-Packard/Intel IA-64 and Hewlett-Packard PA-RISC, which are associated with virtual addresses, and which allow multiple keys per process.
In the Itanium and PA-RISC architectures, translations (TLB entries) have keys (Itanium) or access ids (PA-RISC) associated with them. A running process has several protection key registers (16 for Itanium,[4] 4 for PA-RISC[5]). A translation selected by the virtual address has its key compared to each of the protection key registers. If any of them match (plus other possible checks), the access is permitted. If none match, a fault or exception is generated. The software fault handler can, if desired, check the missing key against a larger list of keys maintained by software; thus, the protection key registers inside the processor may be treated as a software-managed cache of a larger list of keys associated with a process.
PA-RISC has 15–18 bits of key; Itanium mandates at least 18. Keys are usually associated with protection domains, such as libraries, modules, etc.
In the x86, the protection keys[6] architecture allows tagging virtual addresses for user pages with any of 16 protection keys. All the pages tagged with the same protection key constitute a protection domain. A new register contains the permissions associated with each of the protection domain. Load and store operations are checked against both the page table permissions and the protection key permissions associated with the protection domain of the virtual address, and only allowed if both permissions allow the access. The protection key permissions can be set from user space, allowing applications to directly restrict access to the application data without OS intervention. Since the protection keys are associated with a virtual address, the protection domains are per address space, so processes running in different address spaces can each use all 16 domains.
Protection rings
In Multics and systems derived from it, each segment has a protection ring for reading, writing and execution; an attempt by a process with a higher ring number than the ring number for the segment causes a fault. There is a mechanism for safely calling procedures that run in a lower ring and returning to the higher ring. There are mechanisms for a routine running with a low ring number to access a parameter with the larger of its own ring and the caller's ring.
Simulated segmentation
It is generally not advisable to use this method of memory protection where adequate facilities exist on a CPU, as this takes valuable processing power from the computer. However, it is generally used for debugging and testing purposes to provide an extra fine level of granularity to otherwise generic storage violations and can indicate precisely which instruction is attempting to overwrite the particular section of storage which may have the same storage key as unprotected storage.
Capability-based addressing
Dynamic tainting
Dynamic tainting is a technique for protecting programs from illegal memory accesses. When memory is allocated, at runtime, this technique taints both the memory and the corresponding pointer using the same taint mark. Taint marks are then suitably propagated while the program executes and are checked every time a memory address m is accessed through a pointer p; if the taint marks associated with m and p differ, the execution is stopped and the illegal access is reported.[7][8]
The lowRISC CPU design includes dynamic tainting under the name Tagged Memory.[10]
Measures
The protection level of a particular implementation may be measured by how closely it adheres to the
Memory protection in different operating systems
Different operating systems use different forms of memory protection or separation. Although memory protection was common on most
Some operating systems that do implement memory protection include:
- Plan9 and Inferno, created at Bell Labs as Unix successors (1992, 1995)
- OS/2 (1987)
- RISC OS (1987) (The OS memory protection is not comprehensive.)
- Microware OS-9, as an optional module (since 1992)
- Microsoft Windows family from Windows NT 3.1 (1993)
- MultiTOS(since 1991)
- Pharos[13] (since 2017)
On Unix-like systems, the mprotect
system call is used to control memory protection.[14]
See also
- Storage violation, for violation of memory protection
- Separation of protection and security
- Memory management (operating systems)
References
- ^ a b Intel (July 2008). Intel 64 and IA-32 Architectures Software Developer's Manuals: Volume 3A: System Programming Guide, Part 1 (PDF). Intel. Retrieved 2008-08-21.
- ^ Jeffrey S. Chase; Henry M. Levy; Michael J. Feeley; and Edward D. Lazowska. "Sharing and Protection in a Single Address Space Operating System". 1993. p. 2.
- ^ Memory protection keys, Jonathan Corbet, May 13, 2015, LWN.net
- ^ "Keys in Itanium" (PDF). Archived from the original (PDF) on 2007-11-28.
- ^ "Memory protection in HP PA-RISC" (PDF). February 1994. Archived from the original (PDF) on 2015-09-05. Retrieved 2018-10-29.
- ^ "Intel Software Developer Manual" (PDF). March 2012. Archived from the original (PDF) on 2012-06-01. Retrieved 2018-10-29.
- S2CID 6334541.
- S2CID 15913190.
- ^ Jenkins, Michelle. "Oracle Announces Breakthrough Processor and Systems Design with SPARC M7". www.oracle.com. Retrieved 2016-11-18.
- ^ "Tagged memory support". www.lowrisc.org. Retrieved 2018-05-24.
- ^ Cook, D.J. Measuring memory protection, accepted for 3rd International Conference on Software Engineering, Atlanta, Georgia, May 1978.
- ^ "Windows 9x does not have true memory protection". Everything2. 2000-06-24. Retrieved 2009-04-29.
- ^ "Pharos". 16 December 2020.
- ^ "mprotect". The Open Group Base Specifications Issue 6. The Open Group.
Notes
- ^ Depending on the architecture, that may include, e.g., unallocated pages and segments, pages in a different protection domain, pages requiring a higher privilege level.
- ^ Some systems, e.g., z/OS, support more than one page size.
- ^ On some systems there are privileged instructions for storage access by real address.
- solid state device.
External links
- Intel Developer Manuals – in-depth information on memory protection for Intel-based architectures