11. Resource management and protection
Protection requirements
Computers run multitasking, multiuser operating systems
Tasks/processes must not interfere with nor spy on other tasks
- no faulty or deliberately destructive behavior of a process may cause other processes, or the system as a whole, to malfunction
- a process must not access another process' data unless explicitly authorized
It is necessary to introduce protection mechanisms that protect the system and other processes against the malfunction or destructive behavior of any process.
Resources that must be protected
Processor
- a process can't monopolize the processor time - all processes must have a chance to execute
Memory
- a process may only access the memory explicitly allocated to it; data may be shared upon mutual agreement
- a process should not reference its own memory in an improper way
Input - Output
- processes must access peripheral devices in such a way that one process does not interfere with the others
- in practice - no process is allowed to access physical I/O devices directly
User and system
We must distinguish between at least two privilege levels
User processes run at user level and must obey the rules established by the operating system via protection mechanisms
OS works at system level, at which the protection mechanisms may be controlled
It is assumed that system software is error-free and may be trusted
User-level software may contain arbitrary errors. These must not influence the operation of the whole system.
Privilege levels
Two or three levels appear in simple systems
- Kernel - full control over all resources
- System services (optional) - limited control with significant capabilities
- User - access only to the resources explicitly allocated by system, limited capabilities
Access to resources depends on privilege level
The information on current privilege level is stored in the processor (system status register)
x86 privilege levels
- 0 - kernel
- 1 - intermediate system level to be used by parts of the OS not directly accessing the hardware
- 2 - same as level 1
- 3 - user
Contemporary software uses levels 0 and 3
The information on the current privilege level is stored in the code segment descriptor register, invisible to software
a 2-bit field CPL (Current Privilege Level)
Processor protection
To control the protection mechanisms, the processor must contain registers storing control information
Access to these registers is possible only at system level
System registers must be protected against user-level access
Enforcing the protection rules
Every attempt to violate the protection rules must be detected, prevented and signaled to the operating system as an exception
The attempt fails and the control is immediately transferred to OS
The system may terminate and remove the process trying to violate the protection rules
Protecting the processor time
A multitasking/multithreading system periodically switches between tasks/threads (time sharing)
A single process must not monopolize the processor time, even when executing an infinite loop
Time sharing is implemented via periodically invoking the operating system
- this is achieved by the system timer raising an exception
- the system performs a task switch as a result of processing the timer exception
- the system timer frequency depends on the OS (50 Hz to a few kHz)
When the OS takes control, it may remove a task
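The two enforcement mechanisms described above, the privilege check on every resource access (Enforcing the protection rules) and the timer-driven task switch (Protecting the processor time), modelled together as an added C example that is not part of the lecture. The CPU model, the resource names (CR0, "user data"), the selector values 0x1B/0x08, the kill-on-fault policy and the two-process scheduler are constructed assumptions, not a description of any real OS.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of x86-style privilege enforcement, not real hardware.
   CPL is the low two bits of the CS selector: 0 = kernel, 3 = user. */
enum { CPL_KERNEL = 0, CPL_USER = 3 };
struct cpu {
    uint16_t cs;   /* code segment selector currently executing */
    int faults;    /* protection exceptions delivered to the OS */
    int killed;    /* processes the OS removed after a violation */
};
/* A protected resource and the highest CPL number allowed to use it
   (a control register needs CPL 0, a user data segment allows CPL 3). */
struct resource { const char *name; int max_cpl; };
static int current_cpl(const struct cpu *c) { return c->cs & 3; }
/* OS exception handler: control lands at CPL 0 and the offender is removed. */
static void os_fault_handler(struct cpu *c, const struct resource *r) {
    printf("exception: %s access at CPL %d denied\n", r->name, current_cpl(c));
    c->cs = 0x08;   /* kernel code selector, RPL 0: the OS is now in control */
    c->faults++;
    c->killed++;    /* policy here: terminate the violating process */
}

/* Check made on every access: a larger CPL number means fewer privileges, so
   CPL above the resource's limit is a violation. Returns 0 = ok, 1 = fault. */
static int access_resource(struct cpu *c, const struct resource *r) {
    if (current_cpl(c) > r->max_cpl) { os_fault_handler(c, r); return 1; }
    return 0;
}

/* Time sharing: a timer exception every `slice` units switches between a
   runaway process (infinite loop, scheduled first) and a worker needing
   `work` units. Returns the tick the worker finishes on, or -1 on timeout. */
static int ticks_until_done(int work, int slice, int max_ticks) {
    int remaining = work, worker_running = 0;
    for (int tick = 1; tick <= max_ticks; tick++) {
        if (worker_running) remaining -= slice;  /* else runaway burns the slice */
        if (remaining <= 0) return tick;
        worker_running = !worker_running;        /* timer handler switches task */
    }
    return -1;
}

int main(void) {
    struct cpu c = { 0x1B, 0, 0 };   /* user code selector: index 3, RPL 3 */
    struct resource cr0 = { "CR0", CPL_KERNEL }, ds = { "user data", CPL_USER };
    printf("user data -> %d\n", access_resource(&c, &ds));
    printf("CR0 -> %d\n", access_resource(&c, &cr0));
    printf("now at CPL %d, worker done on tick %d\n", current_cpl(&c), ticks_until_done(30, 10, 100));
    return 0;
}
```

The runaway process never yields, yet the worker completes because the timer exception returns control to the OS every slice; the CR0 access from CPL 3 fails and the process is removed, while the same access at CPL 0 succeeds.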
Peripheral protection
Usually done by completely isolating user processes from physical I/O devices - attempts are blocked and signaled as errors
Only the OS has access to physical devices
The OS presents to applications virtual objects which are mapped to physical devices under system control (e.g. STDIN and STDOUT in the C language)
The OS may allow a single process to access a device
Memory protection
The most complex aspect of resource protection
a balance between the speed of memory access and the control and security of the connection
Must be implemented in hardware
Should not significantly slow down the program execution
Virtual machines
In some applications it is convenient to have several OSes running concurrently on the same computer
This can be achieved in two ways:
- Introduction of a software layer more privileged than the system kernel - a hypervisor (contemporary solution, requires hardware support)
- Reduction of the OS privilege level in such a way that it does not affect the OS's operation (the OS must not notice that it does not have full privileges)
no hardware support needed, but significant software overhead