Memory Protection

Information about Memory Protection

Memory protection is a way for controlling memory usage on a computer, and is core to virtually every OS. The main purpose of memory protection is to prevent processes on an operating system from accessing the memory of other processes. This prevents

bug in one process affecting another process.
malicious software gaining unwanted access to the system.

Methods

There are different ways to achieve memory protection. These include: [1]

Segmentation

Segmentation refers to dividing a computer's memory into segments.

The x86 architecture has multiple segmentation features, which are useful for those who wish to use protected memory on this architecture. [2] On the x86 architecture, the Global Descriptor Table and Local Descriptor Tables can be used to reference segments in the computer's memory. Pointers to memory segments on x86 processors can also be stored in the processor's segment registers. Initially x86 processors had 4 segment registers, CS, SS, DS and ES; later another two segment registers were added – FS and GS. [3]

Paging

In paging, the memory address space is divided into equal, small pieces, called pages. Using a virtual memory mechanism, each page can be made to reside in any location of the physical memory, or be flagged as being protected. Paging makes it possible to have a linear virtual memory address space access pieces out of a fragmented physical memory space. It also can used to implement a system whereby memory not currently in used can be stored on disk stoage. On x86 based architectures, paging can also be used for memory protection.

A page table is used for mapping virtual memory to physical memory. The page table is usually invisible to the process. Page tables make it easier to allocate new memory, as each new page can be allocated from anywhere in physical memory.

When paging is used to store memory than is not currently in use onto disk, the OS copies pages onto disk, and sets a bit in the pages entry in the page table to signify that a given page is not currently available in the physical memory. Then when an application attempts to access memory that is not present, a page fault (#PF) is triggered. The OS will then catch the page fault (#PF), copy the page back to physical memory, possibly putting another page back onto disk in the process. The os can then mark the page as present, and return control to the application requesting the page.

Protection keys

A protection key mechanism divides physical memory up into blocks of a particular size (e.g. 2KB), each of which has an associated numerical value called a protection key. Each process also has a protection key value associated with it. On a memory access the hardware checks that the current process's protection key matches the value associated with the memory block being accessed; if not, an exception occurs. This mechanism was used in the System/360 architecture.

Simulated segmentation

Simulation is use of a monitoring program to interpret the machine code instructions of some computer. Such a simulator can provide memory protection by using a segmentation-like scheme and validating the target address and length of each instruction in real time before actually executing them. The simulator must calculate the target address and length and compare this against a list of valid address ranges that it holds concerning the thread's environment, such as any dynamic memory blocks acquired since the thread's inception plus any ("valid") shared static memory slots. The meaning of valid may change throughout the thread's life depending upon context. In other words, it may sometimes be allowed to alter a static block of storage, and sometimes not, depending upon the current mode of execution which may or may not depend on a storage key or supervisor state.

It is generally not advisable to use this method of memory protection where adequate facilities exist on a CPU, as this takes valuable processing power from the computer and could be compared to "reinventing the wheel".

Measures

A useful estimation of the protection level of a particular implementation, is to measure how closely it adheres to the principle of minimum privilege.^[1]

Memory protection in different operating systems

There are very few operating systems that do not use some form of memory protection. CP/M and all variants of MS-DOS lacked it. Even then, early versions of Microsoft Windows implemented memory protection on top of DOS.

Some operating systems that do implement memory protection include

Microsoft(R) Windows family
Linux
BSD
Mac OS X (Pre-OS X Mac OS had limited memory protection. Modern versions of Mac OS are based on the XNU Kernel)
Other versions of UNIX

IA-32 & IA 64 Memory protection

On IA (Intel Architecture) 32 and 64 bit, memory is split into rings, from level 0 to level 3. Code in each ring can only access memory in the same ring and in rings of a higher number. An OS kernel always runs in ring 0, and in a standard design applications run in ring 3.

Refs

1. ^ Cook, D.J. Measuring memory protection, accepted for 3rd International Conference on Software Engineering, Atlanta, Georgia, May 1978.

External links

http://www.intel.com/products/processor/manuals/index.htm - Intel Developer Manuals. These contain a lot more in depth information on memory protection, on the Intel based architectures.

Segmentation is one of the most common ways to achieve memory protection; another common one is paging. Segmentation means that a part or parts of the memory will be sealed off from the currently running process, through the use of hardware registers.
..... Click the link for more information.

The generic term x86 refers to the "CISC" type instruction set of the most commercially successful CPU architecture^[1] in the history of personal computing, used in processors from Intel, AMD, VIA, and others.
..... Click the link for more information.

In a context of computer virtual memory, a page, memory page, or virtual page is a fixed-length block of main memory, that is contiguous in both physical memory addressing and virtual memory addressing.
..... Click the link for more information.

This article is about the computer term. For the TBN game show, see Virtual Memory (game show).

Virtual memory is an abstraction implemented in a computer that gives an application program the impression it has contiguous working memory, while in fact it is
..... Click the link for more information.

page table is the data structure used by a virtual memory system in a computer operating system to store the mapping between virtual addresses and physical addresses. Virtual addresses are those unique to the accessing process. Physical addresses are those unique to the CPU, i.e.
..... Click the link for more information.

System/360 Model 65 operator's console, with register value lamps and toggle switches (middle of picture) and "emergency pull" switch (upper right).]] The IBM System/360 (S/360) is a mainframe computer system family announced by IBM on April 7, 1964.
..... Click the link for more information.

simulation is an imitation of some real thing, state of affairs, or process. The act of simulating something generally entails representing certain key characteristics or behaviours of a selected physical or abstract system.
..... Click the link for more information.

To monitor or monitoring generally means to be aware of the state of a system. Below are a couple of specific examples:

to observe a situation for any changes which may occur over time, using a monitor or measuring device

..... Click the link for more information.

A computer program is one or more instructions that are intended for execution by a computer. Specifically, it is a symbol or combination of symbols forming an algorithm that may or may not terminate, and that algorithm is written in a programming language.
..... Click the link for more information.

thread in computer science is short for a thread of execution. Threads are a way for a program to fork (or split) itself into two or more simultaneously (or pseudo-simultaneously) running tasks.
..... Click the link for more information.

In psychology, memory is an organism's ability to store, retain, and subsequently retrieve information. Traditional studies of memory began in the realms of philosophy, including techniques of artificially enhancing the memory.
..... Click the link for more information.

In computer science and other fields the principle of minimal privilege, also known as the principle of least privilege or just least privilege, requires that in a particular abstraction layer of a computing environment every module (such as a process, a user or a
..... Click the link for more information.

CP/M is an operating system originally created for Intel 8080/85 based microcomputers by Gary Kildall of Digital Research, Inc. Initially confined to single tasking on 8-bit processors and no more than 64 kilobytes of memory, later versions of CP/M added multi-user variations, and
..... Click the link for more information.

MS-DOS (short for Microsoft Disk Operating System) is an operating system commercialized by Microsoft. It was the most commonly used member of the DOS family of operating systems and was the dominant operating system for the PC compatible
..... Click the link for more information.

Microsoft Corporation

Public (NASDAQ: MSFT )
Founded Albuquerque, New Mexico, USA (April 4 1975)^[1]
Headquarters Redmond, Washington, United States

Key people Bill Gates, Co-founder and Executive Chairman ;
Paul Allen, Co-founder ;
..... Click the link for more information.

Microsoft Windows

Screenshot of Windows Vista Ultimate, the latest version of Microsoft Windows.
Company/developer: Microsoft Corporation
OS family: MS-DOS/9x-based, Windows CE, Windows NT
Source model: Closed source

..... Click the link for more information.

Linux (pronunciation: IPA: /ˈlɪnʊks/, lin-uks) is a Unix-like computer operating system. Linux is one of the most prominent examples of free software and open source development; its underlying source code can be
..... Click the link for more information.

Berkeley Software Distribution (BSD, sometimes called Berkeley Unix) is the UNIX derivative distributed by the University of California, Berkeley, starting in the 1970s.
..... Click the link for more information.

Mac OS X (IPA: /mæk.oʊ.ɛs.tɛn/) is a line of graphical operating systems developed, marketed, and sold by Apple Inc., the latest of which is pre-loaded on all currently shipping Macintosh computers.
..... Click the link for more information.

XNU is the computer operating system kernel that Apple Inc. acquired and developed for use in the Mac OS X operating system and released as free and open source software as part of the Darwin operating system.
..... Click the link for more information.

Unix (officially trademarked as UNIX®) is a computer operating system originally developed in 1969 by a group of AT&T employees at Bell Labs including Ken Thompson, Dennis Ritchie and Douglas McIlroy.
..... Click the link for more information.

OLIVER (CICS interactive test/debug) was a proprietary testing and debugging toolkit for interactively testing programs designed to run on IBM's Customer Information Control System (CICS) on IBM's System/360/370/390 architecture.
..... Click the link for more information.

CICS (Customer Information Control System) is a transaction server that runs primarily on IBM mainframe systems under z/OS or z/VSE. CICS on distributed platforms is called TXSeries and it is available on AIX, Windows, Solaris and HP-UX.
..... Click the link for more information.

This article is copied from an article on Wikipedia.org - the free encyclopedia created and edited by online user community. The text was not checked or edited by anyone on our staff. Although the vast majority of the wikipedia encyclopedia articles provide accurate and timely information please do not assume the accuracy of any particular article. This article is distributed under the terms of GNU Free Documentation License.

Herod_Archelaus

iPedia Free Information Center