Ch5 - Operating systems
Several aspects of a computing system require protection and can be seen in layers:

- Memory
- Shareable I/O devices, such as disks
- Serially reusable I/O devices, such as printers and tape devices
- Shareable programs and subprocedures
- Shareable data
The basis of protection is separation. This can be achieved in an operating system through:

1. Physical separation - different processes use different physical devices.
2. Temporal separation - different processes are executed at different times.
3. Logical separation - access control, limiting what a process can and cannot access.
4. Cryptographic separation - using encryption to prevent interception by other processes.
Memory can be protected through:

1. Fence - users are confined to one side of a boundary and cannot go past that boundary. Normally demarcates OS memory from user memory.
2. Base/bound registers - base = variable fence register and bound = upper fence limit, i.e. one can have multiple fences for different processes.
3. Tagged architecture - rather than using boundaries, each memory location is tagged with access privileges (read, write, execute).
4. Virtual memory -
5. Segmentation - the hiding of actual memory addresses used by software. Programs are split into segments which are loaded into their own memory locations. Memory addresses within a segment then run from 0 to the end of that segment.
6. Paging - fixed-size segmentation (more efficient memory management).
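A small simulation of the base/bound and segmentation checks listed above, added as an example and not part of the original notes. The segment table values, the per-segment permission bits and the names `seg_table` and `translate` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Access types, matching the read/write/execute privileges in the notes.
   Attaching them per segment (not per memory location) is an assumption. */
enum { ACC_R = 1, ACC_W = 2, ACC_X = 4 };

struct segment {
    uint32_t base;   /* physical address where the segment starts (base register) */
    uint32_t bound;  /* segment length in bytes; valid offsets are 0..bound-1 */
    unsigned perms;  /* access types allowed on this segment */
};

/* Constructed sample table for one process. */
static const struct segment seg_table[] = {
    { 0x4000, 0x1000, ACC_R | ACC_X },  /* segment 0: code */
    { 0x9000, 0x0800, ACC_R | ACC_W },  /* segment 1: data */
};
#define NSEGS (sizeof seg_table / sizeof seg_table[0])

enum fault { OK = 0, FAULT_SEGMENT, FAULT_BOUND, FAULT_PERM };

/* Translate a (segment, offset) access of len bytes to a physical address.
   The program only ever names offsets from 0; the base stays hidden from it. */
enum fault translate(size_t seg, uint32_t offset, uint32_t len,
                     unsigned access, uint32_t *phys)
{
    if (seg >= NSEGS)
        return FAULT_SEGMENT;
    const struct segment *s = &seg_table[seg];
    /* Compare against bound - len so that offset + len cannot wrap around. */
    if (len == 0 || len > s->bound || offset > s->bound - len)
        return FAULT_BOUND;
    if ((s->perms & access) != access)
        return FAULT_PERM;
    *phys = s->base + offset;
    return OK;
}

int main(void)
{
    uint32_t phys = 0;
    enum fault f = translate(1, 0x10, 4, ACC_W, &phys);
    printf("data write at offset 0x10: fault=%d phys=0x%x\n", f, (unsigned)phys);
    f = translate(0, 0x10, 4, ACC_W, &phys);
    printf("code write at offset 0x10: fault=%d\n", f);
    return 0;
}
```

The bound test is written as `offset > bound - len` because the naive `offset + len > bound` can overflow for a large offset and let the access through.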
Know the following terms:

1. Virtualisation - the user only sees and has access to a limited version of the whole system (in terms of resources).
2. Hypervisor - software that monitors virtual machines and enables multiple operating systems to run at the same time.
3. Trusted computing base (TCB) (also know the four basic interactions of the TCB monitor and the reasons why the security functions should be isolated in the security kernel).
4. Sandbox - an environment with limited or no access to anything outside the environment.
5. Honeypot - a virtual sandboxed environment with intentional vulnerabilities to lure attackers.