Hardware Protection
Multi-programming put several programs in memory at the same time; while this
increased system utilization it also increased problems. With sharing, many processes
could be adversely affected by a bug in one program. One erroneous program could also
modify the program or data of another program or even the resident part of the operating
system. A file may overwrite another file or folder on disk. A process may get the CPU
and never relinquish it. So the issues of hardware protection are: I/O protection, memory
protection, and CPU protection. We will discuss them one by one, but first we talk about
the dual-mode operation of a CPU.
a) Dual Mode Operation:
To ensure proper operation, we must protect the operating system and all other programs
and their data from any malfunctioning program. Protection is needed for any shared
resources. The instruction set of a modern CPU has two kinds of instructions, privileged
instructions and non-privileged instructions. Privileged instructions can be used to
perform hardware operations that a normal user process should not be able to perform,
such as communicating with I/O devices. If a user process tries to execute a privileged
instruction, a trap should be generated and the process should be terminated prematurely. At
the same time, a piece of operating system code should be allowed to execute privileged
instructions. In order for the CPU to be able to differentiate between a user process and
an operating system code, we need two separate modes of operation: user mode and
monitor mode (also called supervisor mode, system mode, or privileged mode). A bit,
called the mode bit, is added to the hardware of the computer to indicate the current
mode: monitor mode (0) or user mode (1). With the mode bit we are able to distinguish
between a task that is executed on behalf of the operating system and one that is executed
on behalf of the user.
The concept of privileged instructions also provides us with the means for the user to
interact with the operating system by asking it to perform some designated tasks that only
the operating system should do. A user process can request the operating system to
perform such tasks for it by executing a system call. Whenever a system call is made or
an interrupt, trap, or signal is generated, CPU mode is switched to system mode before
the relevant kernel code executes. The CPU mode is switched back to user mode before
the control is transferred back to the user process.
b) I/O Protection:
A user process may disrupt the normal operation of the system by issuing illegal I/O
instructions, by accessing memory locations within the operating system itself, or by
refusing to relinquish the CPU. We can use various mechanisms to ensure that such
disruptions cannot take place in the system.
To prevent users from performing illegal I/O, we define all I/O instructions to be
privileged instructions. Thus users cannot issue I/O instructions directly; they must do it
through the operating system. For I/O protection to be complete, we must be sure that a
user program can never gain control of the computer in monitor mode. If it could, I/O
protection could be compromised.
Consider a computer executing in user mode. It will switch to monitor mode
whenever an interrupt or trap occurs, jumping to the address determined from the
interrupt from the interrupt vector. If a user program, as part of its execution, stores a new
address in the interrupt vector, this new address could overwrite the previous address
with an address in the user program. Then, when a corresponding trap or interrupt
occurred, the hardware would switch to monitor mode and transfer control through the
modified interrupt vector table to a user program, causing it to gain control of the
computer in monitor mode. Hence we need all I/O instructions and instructions for
changing the contents of the system space in memory to be protected. A user process
could request a privileged operation by executing a system call such as read (for reading
a file).
Memory Protection
The region in the memory that a process is allowed to access is known as process
address space. To ensure the correct operation of a computer system, we need to ensure that
a process cannot access memory outside its address space. If we don’t do this then a
process may, accidentally or deliberately, overwrite the address space of another processor
memory space belonging to the operating system (e.g., for the interrupt vector table).
Using two CPU registers, specifically designed for this purpose, can provide memory
protection. These registered are:
􀂃 Base register – it holds the smallest legal physical memory address for a process
􀂃 Limit register – it contains the size of the process
When a process is loaded into memory, the base register is initialized with the starting
address of the process and the limit register is initialized with its size. Memory outside
the defined range is protected because of the CPU checks that every address generated by
the process falls within the memory range defined by the values stored in the base and
limit registers, as shown in Figure 3.1.
Figure 3.1 Hardware address protection with base and limit registers
In Figure 3.2, we use an example to illustrate how the concept outlined above works. The
base and limit registers are initialized to define the address space of a process. The
process starts at memory location 300040 and its size is 120900 bytes (assuming that
memory is byte addressable). During the execution of this process, the CPU insures (by
using the logic outlined in Figure 3.1) that all the addresses generated by this process are
greater than or equal to 300040 and less than (300040+120900), thereby preventing this
process to access any memory area outside its address space. Loading the base and limit
registers are privileged instructions.
c) CPU Protection:
In addition to protecting I/O and memory, we must ensure that the operating system
maintains control. We must prevent the user program from getting stuck in an infinite
loop or not calling system services and never returning control to the CPU. To
accomplish this we can use a timer, which interrupts the CPU after a specified period to
ensure that the operating system maintains control. The time period may be variable or
fixed. A fixed-rate clock and a counter are used to implement a variable timer. The OS
initializes the counter with a positive value. The counter is decremented every clock tick
by the clock interrupt service routine. When the counter reaches the value 0, a timer
interrupt is generated that transfers control from the current process to the next scheduled
process. Thus we can use the timer to prevent a program from running too long. In the
most straight forward case, the timer could be set to interrupt every N milliseconds,
where N is the time slice that each process is allowed to execute before the next process
gets control of the CPU. The OS is invoked at the end of each time slice to perform
various housekeeping tasks.
Another use of the timer is to compute the current time. A timer interrupt signals the
passage of some period, allowing the OS to compute the current time in reference to
some initial time. Load-timer is a privileged instruction.
0 Comments