Lecture 4 of the Information Technology Security course is about Operating System Security. The lecture started with En. Mohd Zaki briefly explaining separation, a security method used in operating systems, which can occur in several ways: physical separation, temporal separation, logical separation and cryptographic separation.
Among the several protected items in an operating system, En. Mohd Zaki focused on memory protection. Memory protection is a way to control memory access rights on a computer and prevent a process from accessing memory that has not been allocated to it. This prevents a bug within a process from affecting other processes, or the operating system itself. There are several methods used for memory protection, such as fence, relocation, base/bounds registers, tagged architecture, segmentation, paging, and paging combined with segmentation.
According to En. Mohd Zaki, a fence address can be used for memory protection. A fence is a particular address that users and their processes cannot cross: only the OS can operate on one side of the fence, and users are restricted to the other side. A fence can be static, in which case there is a fixed fence address that places a strict limit on the size of the OS. An alternative is a dynamic fence, which can be implemented using a fence register to specify the current fence address. In addition to the fence, base and bounds registers can be used. These registers contain the lower and upper address limits of a particular user or process space. The base and bounds register approach implicitly assumes that the user or process space is contiguous in memory.
Relocation is important for memory protection in a multi-user environment. It is the process of taking a program written as if it begins at address 0 and changing all addresses to reflect the actual address at which the program is located. An alternative is tagged architecture, in which every word of machine memory has one or more extra bits to identify the access rights to that word. These access bits can be set only by privileged operating system instructions. The bits are tested every time an instruction accesses that location. Tagged architecture solves two problems of base/bounds registers: the requirement for contiguous space and the all-or-nothing situation for sharing.
After that, En. Mohd Zaki proceeded to segmentation. He explained to us that segmentation involves the simple notion of dividing a program into separate pieces. Each piece has a logical unity, exhibiting a relationship among all of its code or data values. Besides that, segmentation allows a program to be divided into many pieces having different access rights. Segmentation offers several benefits: each address reference is checked for protection, many different classes of data items can be assigned different levels of protection, two or more users can share access to a segment with different access rights, and a user cannot generate an address or access to an unpermitted segment.
Next is paging, which is one alternative to segmentation. En. Mohd Zaki told us that the difference between segmentation and paging is that in paging the program is divided into equal-sized pieces called pages and memory is divided into equal-sized units called page frames. Each page is the same size, so fragmentation is reduced, and addressing beyond a page is not a real problem since a carry just refers to the next page. Paging combined with segmentation is another memory protection method that aims to solve the problems of the paging method: each segment is broken into equal-sized pages, gaining the advantage of segment permissions coupled with the reduction in fragmentation offered by paging.
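The checks described for segmentation and for paging combined with segmentation can be sketched in C. This is an added example, not material from the lecture; the page size, the fault codes, the segment table contents and the name translate() are all assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PAGE_SIZE 256u           /* assumed page size for this sketch */
enum { R = 1, W = 2, X = 4 };    /* access-right bits kept per segment */
enum { OK = 0, BAD_SEGMENT = -1, OUT_OF_BOUNDS = -2, NO_RIGHT = -3 };

struct segment {
    uint32_t limit;              /* segment length in bytes */
    unsigned rights;             /* R/W/X bits granted to this process */
    const uint32_t *frames;      /* page table: page number -> frame number */
};

/* Constructed sample process: a read/execute code segment and a
   read/write data segment, each backed by scattered page frames. */
static const uint32_t code_frames[] = { 7, 2 };
static const uint32_t data_frames[] = { 9, 4, 5 };
static const struct segment seg_table[] = {
    { 400, R | X, code_frames },   /* segment 0: code, 400 bytes */
    { 600, R | W, data_frames },   /* segment 1: data, 600 bytes */
};
#define NSEG (sizeof seg_table / sizeof seg_table[0])

/* Translate (segment, offset) to a physical address, checking every
   reference. Returns OK and writes *phys, or a negative fault code. */
int translate(size_t seg, uint32_t offset, unsigned want, uint32_t *phys)
{
    if (seg >= NSEG)
        return BAD_SEGMENT;              /* no such segment for this process */
    const struct segment *s = &seg_table[seg];
    if (offset >= s->limit)
        return OUT_OF_BOUNDS;            /* past the end of the segment */
    if ((s->rights & want) != want)
        return NO_RIGHT;                 /* e.g. a write to the code segment */
    uint32_t page = offset / PAGE_SIZE;  /* which page inside the segment */
    *phys = s->frames[page] * PAGE_SIZE + offset % PAGE_SIZE;
    return OK;
}

int main(void)
{
    uint32_t phys = 0;
    int rc = translate(1, 300, W, &phys);   /* write into the data segment */
    printf("data write: rc=%d phys=%u\n", rc, (unsigned)phys);
    printf("code write: rc=%d\n", translate(0, 10, W, &phys));
    return 0;
}
```

The segment limit and rights are checked before the page table is consulted, so a rejected reference never produces a physical address.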
In conclusion, other topics on protecting general objects, such as directory, access control list, capability, file protection, group protection, single permission, authentication, user authentication, password, encrypted password file and impersonation of login, were also briefly discussed by En. Mohd Zaki. The goals of protecting objects are to check every access, allow least privilege and verify acceptable usage.