IS 820: Computer Security

OS Security
Protection in General-Purpose OS
 Overview
• Protected Objects and Levels of Protection
– History of Protection in OSs
• Memory and Address Protection Techniques
– Fence
– Relocation
– Base/Bounds Registers
– Tagged Architecture
– Segmentation
– Paging
– Combined Paging with Segmentation
– Intel’s Software Guard Extensions®

• Control of Access to General Objects

• User Authentication Already covered
 Protected Objects in OS
• Multiprogramming necessitates protecting
OS objects:
– Memory
– I/O Devices (e.g., disks, biometric devices, printers)
– Sharable programs and subroutines
– Sharable data
– Networks
 History of Protection in OSs
• No system software
• User entered programs in binary
– Via switches or via keyboard
• Single user had full control of computer
– Scheduled time for exclusive computer use
– Prepare before use
» Load assembler, compiler, shared
subroutines, etc.
– Clean up after use
 History of Protection in OSs
• Executive
• Simple utility to assist single user with
preparation and cleanup
• Entirely passive:
– Waited for user’s request
– Provided service on demand
 History of Protection in OSs
• Monitor
• Assisted multiple users in
multiprogramming systems
• Actively controlled system resources
– Provided service if consistent with system
policies, denying otherwise
• Protect one user from interference
(malicious or accidental) by another
 History of Protection in OSs
• Multiprogramming — sharing computer
by multiple users
• Impact of multiprogramming on
security:
• Before multiprogramming - no need to
protect one user from another
• With multiprogramming - need to
 Security in OS
• Basis of security in OS
– Separation
• keeping one user’s objects secure from interference by
other users

• Kinds of Separation?
 Security in OS
• Kinds of separation:
– Physical separation
• Different processes use different physical objects
– Temporal separation
• Processes executed at different times
– Logical separation
• Illusion that OS executes processes only for single user
– Cryptographic separation
• Processes conceal their data and computations from
other processes
– Combinations of the above
 Security in OS
• Strength of security via separation (least to
most secure):
– Logical separation
Increasing
– Temporal separation
Level of
– Physical separation security
• Where would you put cryptographic
separation?
 Security in OS
• Complexity of implementation of separation
(least to most complex):
– Physical separation
Increasing
– Temporal separation
Complexity of
– Logical separation implementation
– Cryptographic separation
 Security in OS
• Resource utilization in different kinds of
separation:
– Poor: physical separation / temporal separation
– Good: logical separation / cryptographic
separation

• Separation is half the job – we also need to

provide sharing of objects, but securely
 Levels of Protection in OS
• No protection
– User can still protect self, e.g., by temporal
separation
• Isolation
– Concurrently running processes hidden from each
other.
• unaware of each other
• Own address space, files, objects for each process
 Levels of Protection in OS
• Full sharing or no sharing
– Object/resource owner declares it as:
• public (can be shared by all)
or
• private (not shared)
• Sharing via access limitation
– Access to each object by each user determined by
access rights
– Rights remain fixed
 Levels of Protection in OS
• Sharing by capabilities
– Extension to ‘Sharing via access limitation’
• dynamic access rights
– Can be changed by owner, subject, computation
context
• Limited object use
– Limits not only object access — limit the type of
object use after it has been accessed
• E.g., can view a doc but can’t copy it
• E.g., can view statistical summary of data but can’t view
individual data records (e.g., can see average salary but
not John Smith’s salary)
 Levels of Protection in OS
• Complexity of implementation and
granularity of protection:
– No protection
Increasing
– Isolation
Complexity of
– Full sharing or no sharing implementation
and
– Sharing via access limitation
Fineness/granularity
– Sharing by capabilities of protection
– Limited object use
 Memory and Address Protection Techniques

• Protect program memory from being affected

by other programs
• Outline of techniques
– Fence
– Relocation
– Base/Bounds Registers
– Tagged Architecture
– Segmentation
– Paging
– Combined Paging with Segmentation
 Memory and Address Protection
• Fence
– Introduced for single-user OSs
– Confining user to one side of a boundary
– E.g., predefined memory address in between OS
and user
– User program instruction at address ≤ n (OS’s side
of the fence) not allowed to execute
– Fixed or Variable fence
– Fence register used to compare addresses only.
 Memory and Address Protection
• Fixed fence
– (wastes space
if unused by
OS or blocks
OS from
growing)
 Memory and Address Protection
• Variable fence
– Using fence
register —
hardware
register
– The fence
cannot
protect one
user from
another user
 Memory and Address Protection
• Relocation as a feature of Variable fence
– Programs written as if starting at location 0 in
memory
– Actually, starting at location n — determined by OS
– Before user instruction executed, each address
relocated by adding relocation factor n to it
– Fence register plays role of relocation register as well
• Because adding n to program addresses prevents it from
accessing addresses below n
 Memory and Address Protection
• Base/Bounds Registers (for multi-user sys)
– Base register = variable fence register
• Determines starting address, i.e., lower limit, for user
program addresses
– Bounds register
• Determines upper limit for user program addresses
– Each program address forced to be above base
address
• Because base register contents added to it
– Each program address checked to be below bounds
address
 Memory and Address Protection
• One Pair of Base/ Bounds Registers

• The pair of registers contains the addresses for current user

 Memory and Address Protection
• To protect user’s instructions from user’s own
data address errors – use two pairs of registers:
– Register pair for data
– Register pair for instructions
 Memory and Address Protection
• Two Pairs
of Base/
Bounds
Registers

User B
Program Space

advantage: the ability to split a program into two pieces that can be relocated separately.
 Memory and Address Protection
• Tagged Architecture
– Problem with base/bounds registers:
• Lesser granularity of access rights (ARs)
– Can allow another module to access all or none of its
data, within limits of data base-bounds registers
– Solution: tagged architecture (gives more granularity
of access rights)
– Every word of machine memory has ≥1 tag bits
defining access rights to this word (a h/w solution!)
 Memory and Address Protection
• Tagged Architecture
– Access bits set by OS
– Tested every time
instruction accesses
its location
– # of bits ~ # of
different access rights
 Memory and Address Protection
• Benefit of tagged architecture
– More granularity of memory access control
• at memory word level
• Problems with tagged architecture:
– Requires special hardware
– Incompatible with code of most OSs
– Computation cost
• Accommodate tags in each memory word
• Test each memory word accessed
– Higher memory costs (extra bits per word)
 Memory and Address Protection
• Segmentation
– Benefits addressing + enhances memory
protection for free
– Effect of an unbounded number of base/bounds
registers
– Program segmentation:
• Program divided into logical pieces (called segments)
– E.g., Pieces are: code for single procedure/ data of an array
– Consecutive program segments can be easily
stored in nonconsecutive memory locations
– Allows a program to be divided into many pieces
having different access rights
 Memory and Address Protection
• Logical and Physical Representation of Segments
 Memory and Address Protection
• Addressing with segmentation
– Data item D addressed as:
• (segment_name_of_D, offset_of_D_within_segment)
– Instructions addressed analogously
– For each process, OS keeps a separate
• Segment Translation Table (STT)
– Rows in STT: (segment_name, segment_offset)
• segment_name – name of segment containg data item
• segment_offset – starting location for named segment
Memory and Address Protection

OS translates each data or instruction address using STT

 Memory and Address Protection
• Security-related benefits of segmentation
– Strong segment protection
• Because.: STT under exclusive OS control
• each address requires STT access to get segment_offset
for segment S
– Different protection levels for different segments
(approximates tagging at higher granularity)
• E.g., segments with: R-only data / X-only code / W data
– Different protection levels for different processes
accessing the same segment
– Each address reference is checked – for protection
 Memory and Address Protection
• Special considerations with segmentation
– Programmer must be aware of segment names
– Efficiency
• OS lookup of STT due to symbolic segment names
– Fragmentation of main memory
– Because of variable-size segments, offsets can
have any value and segment bounds can be
violated
 Memory and Address Protection
• Paging
– Principle:
• Programs divided into equal-sized pages
• Memory divided into equal-sized page frames
– Size is usually 2n, from 512 B to 4096 B
– Address format for item (data or instruction) I:
• (page_#_of_I, offset_of_I_within_page)
– OS maintains Page Translation Table (PTT)
• maps pages into page frames
 Memory and Address Protection
• Paging
– Efficiency
– Address translation similar as for segmentation
But guaranteed that offset falls within page limit
• E.g., for page size of 1024 = 210, 10 bits are allocated for
page_offset
 Memory and Address Protection

• Page Address Translation

 Memory and Address Protection
• Special Considerations of paging
– Programmer can be oblivious to page boundaries
(automatic). Paging completely hidden from
programmer
– No fragmentation of main memory, any page of
program can fit in any page frame in memory
– Can’t associate access rights with pages
• Pages are not ‘access rights’ units (logical units) to be
protected at the same level i.e., no difference between
instructions and data
 Memory and Address Protection
• Combined paging with segmentation
– Principle:
• Paging offers efficiency
– Hidden from programmer
– No fragmentation
• Segmentation offers ‘logical protection’
– Grouping items with similar protection needs within the same
segment
 Memory and Address Protection
• Paged segmentation:
– Programmer defines segments
– Segments broken into pages automatically
• Benefits of paging and segmentation but
extra layer of address translation
– Additional hardware deals with this overhead
 Memory and Address Protection

• Paged
Segmentation
Intel’s Software Guard Extensions (SGX)
• SGX is a combination of an instruction set
and an API
• Meant to provide secure software ‘enclaves’
• Data and code can reside/execute without
inspection or modification
• Provides a root of trust even in an untrusted
environment e.g., cloud computing
• Threat model: the enclave is trusted but no
process outside it can be trusted (including
the OS itself and any hypervisor
Intel’s Software Guard Extensions (SGX)

An enclave within the application’s virtual address space.

(source: Intel Software Guard Extensions Programming Reference.)

Intel’s Software Guard Extensions (SGX)
• The enclave is an encrypted region of memory for
code and data
• Decrypted only inside the processor, so it is safe
from the memory being read directly by a privileged
user/process
• The OS creates an enclave for a user application
through an API
– Only if the program has appropriate privileges
• Key management done by the OS within enclave
• Not immune to side channel attacks
 References
• Security in Computing, by Pfleeger & Pfleeger