Let’s talk about security in operating systems. Many objects in an operating system need to be protected, such as memory, I/O devices, sharable data, sharable programs and others. There are several levels of protection, such as isolation, share all or share nothing, share via access limitation and others. There is also a security method called separation, which includes physical, temporal, logical and cryptographic separation.
Memory Protection
What is memory protection? Memory protection is a mechanism that prevents one process from corrupting the memory of another process running on the same computer at the same time. The methods used include the fence, relocation, base/bound registers, tagged architecture, segmentation and paging.
Let’s start with the fence.
The fence was introduced in single-user operating systems to prevent a faulty user program from destroying part of the resident portion of the OS. There are two types of fence: the fixed fence and the fence register. A fixed fence confines users to one side of a boundary, so the OS resides on one side and the user stays on the other. A fence register contains the address of the end of the OS, which provides a means of code relocation. For example: if (address > fence address), the instruction is executed; if (address < fence address), it is an error.
Relocation is the process of taking a program written as if it begins at address 0 and changing all addresses to reflect the actual address at which the program is located. It is done by adding a constant relocation factor to each address of the program. It is usually used in multi-user environments.
The base/bound register method is also known as a variable fence register. All addresses are offset from the base register, which provides a lower bound but not an upper bound. Because no upper bound is provided, a second register, called the bound register, has to be added.
Tagged architecture is a method that can solve the problem with base/bound registers. In a tagged architecture, every word of machine memory has one or more extra bits that identify the access rights to that word. However, this approach has problems of its own: it affects code compatibility and locks the system into a convention, despite the low cost of memory.
Segmentation involves the simple notion of dividing a program into separate pieces, where each piece has a logical unity, showing a relationship among all of its code or data values. It was developed to produce the effect of an unbounded number of base/bounds registers. Segmentation allows a program to be divided into many pieces with different access rights.
Here are the steps involved in segmentation:
1. A program generates an address of a form
2. The OS looks up the name in the segment directory and determines its real beginning memory address
3. The OS adds the offset to that address, giving the true memory address of the code or data item
– This process is called translation
Segmentation provides protective benefits for users: each address reference is checked for protection, and different classes of data items can be assigned different levels of protection. In addition, two or more users can share access to a segment, potentially with different access rights, and a user cannot generate an address or gain access to an unpermitted segment.
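The translation steps and the per-reference protection check described above, as an added C example that is not part of the original post. The directory contents, the `limit` field, the R/W/X flags and every function and type name are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { R = 1, W = 2, X = 4 };   /* access rights (illustrative names) */
typedef enum { XLATE_OK, ERR_NO_SEGMENT, ERR_BOUNDS, ERR_RIGHTS } xlate_status;
typedef struct { xlate_status status; uint32_t phys; } xlate_result;

typedef struct {          /* one entry of a user's segment directory */
    const char *name;     /* segment name from the <name, offset> pair */
    uint32_t base;        /* real beginning memory address */
    uint32_t limit;       /* segment length in bytes (assumed field) */
    unsigned rights;      /* what THIS user may do with the segment */
} segment;

/* Constructed sample directories: SHARED maps to the same memory for both
 * users, but user B may only read it; DATA_A is absent from B's directory. */
static const segment user_a[] = {
    { "CODE",   0x1000, 0x400, R | X },
    { "DATA_A", 0x8000, 0x200, R | W },
    { "SHARED", 0x4000, 0x100, R | W },
};
static const segment user_b[] = {
    { "CODE",   0x2000, 0x400, R | X },
    { "SHARED", 0x4000, 0x100, R },
};
#define NSEG(d) (sizeof(d) / sizeof((d)[0]))

/* Translate <name, offset>; every reference is checked before it resolves. */
xlate_result translate(const segment *dir, size_t n, const char *name,
                       uint32_t offset, unsigned want)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(dir[i].name, name) != 0) continue;
        if (offset >= dir[i].limit)             /* outside the segment */
            return (xlate_result){ ERR_BOUNDS, 0 };
        if ((dir[i].rights & want) != want)     /* right not granted */
            return (xlate_result){ ERR_RIGHTS, 0 };
        return (xlate_result){ XLATE_OK, dir[i].base + offset };
    }
    return (xlate_result){ ERR_NO_SEGMENT, 0 }; /* not in this directory */
}

int main(void)
{
    xlate_result r = translate(user_b, NSEG(user_b), "SHARED", 0x10, W);
    printf("user B write SHARED+0x10: status=%d\n", r.status);
    return 0;
}
```

Because each user has a separate directory, user B has no way to name `DATA_A` at all, while the shared segment resolves to the same memory for both users with different rights.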
In paging, a program is divided into equal-sized pieces called pages, and memory is divided into equal-sized units called frames. Paging has some advantages: each page is the same size, so fragmentation is reduced, and addressing beyond a page is not a real problem, since a carry just refers to the next page. The disadvantage of paging is the loss of individual access rights, since, unlike in program segmentation, there is not necessarily a relationship between the lines of code in a page.
Combining paging and segmentation has some advantages: it retains the logical unity of the segment and permits differentiated protection for the segments. Unfortunately, it adds an additional layer of translation for each address.
Authentication
Authentication is a process used to verify transmitted data in a computing environment. In authentication, claimants present some kind of principal identity to prove who they are. It can be divided into two contexts: entity authentication (EA) and data origin authentication (OA).
Several threats undermine authentication: spoofing, which is the swindling of information by crackers or hackers; eavesdropping, which is tapping into the communication line to grab information transferred between two computers; modification, which is altering or changing information; and masquerading, which is presenting a fake interface of the system to get information from user input, such as passwords and user names.
That’s all for today. =)