Architectural Support for System Protection

Tom Kelliher, CS42

Sept. 9, 1996

The Need for System Protection

Why?

What needs protection:

• The OS itself.
• Threads.
• Devices.

What developments made this protection necessary?

Protection Mechanisms

1. Dual mode operation.
2. Privileged I/O instructions.
3. Memory protection mechanisms.
4. Interval timers.

Dual Mode Operation

CPU operates in two or more states:

1. Supervisor mode
   • All instructions may be executed.
   • This is a privileged mode.
   • Only parts of the OS run in this mode.
   • User threads never run directly in this mode.
2. User mode
   • Some instructions are ``privileged.''
   • Attempt to execute a privileged instruction results in a trap.
   • User threads execute in this mode.

Examples of privileged instructions:

1. I/O instructions.
2. Halt.
3. Reset.
4. Mask interrupts.
5. Set interval timer.
6. Set status. Read status?
7. Modify page table registers.

Differences, similarities between interrupts, traps, system calls?

Schema of System operation:

1. System powered on; in supervisor mode.
2. System boots, kernel initializes, still in supervisor mode.
3. System enters user mode to run user threads.

Should there be a user mode instruction to enter supervisor mode?

How can supervisor mode be re-entered?

Memory Protection

Prevent thread from scribbling on arbitrary memory locations.

Mechanisms:

1. Bounds registers:
   • Base, limit registers.
   • Base, length registers.
   How does it work?

   

   • Thread 2 running.
   • All generated addresses checked against base, limit.
   • ``Out-of-bounds'' addresses generate traps.

   What needs to be done on a context switch?

2. Virtual memory --- threads run in individual ``virtual'' address spaces.

   Virtual address space mapped onto subset of physical address space:

   

Interval Timers

What prevents a thread from grabbing the CPU and not relinquishing it?

Interval timer, interrupt. On context switch:

1. Set interval time.
2. Run user thread.
3. Timer interrupt generated on timer expiration.
4. Run timer interrupt handler.

Used to:

• Enforce timesharing quantum. Typical quantum: 100 ms.
• Keep time (?!?).

Syscall Mechanism

How does a process perform I/O if it's a privileged operation?

Question:

Unix has an abstraction of the interrupt, called a signal. A user program can install its own signal handler. Interrupt handlers always run in supervisor mode. Should a signal handler run in supervisor mode? (Consider the consequences.)