Secure Coding mailing list archives
Segments, eh Smithers?
From: ljknews at mac.com (ljknews)
Date: Tue, 4 Apr 2006 12:41:28 -0400
At 9:02 AM -0700 4/3/06, Crispin Cowan wrote:
> That second question is actually pretty technically deep. What is so
> different about paged memory systems that makes them harder to secure
> than segmented memory systems?
>
> My conjecture: it is the granularity of the memory blobs. Consider:
>
>   * In a segmented system, you have a small number of fairly large
>     memory objects (segments). Segments are hefty enough that they can
>     be of variable size, and also can have security tags describing
>     their security level at multiple levels. So a given segment can be
>     tagged as being security level 1, 2, 3, and so forth, and the TCB
>     need only check the level before granting or denying access.
>   * In a paged system, in contrast, you have a very large number of
>     much smaller memory objects (pages). Pages are simple, even having
>     fixed size. Fixed size wastes memory, but no one cares because the
>     pages are small enough that it doesn't hurt much. Because pages
>     are simple, you cannot tag them with a bunch of different security
>     levels. For that matter, x86 architectures only recently got a
>     (kind-of) ability to distinguish between read and execute
>     permissions per page, so asking to associate and store security
>     levels per page in hardware is likely more than the TLB can handle.

I will admit to not knowing much about hardware, but you seem to be discussing a TCB implemented in software.

Consider the VAX/Alpha/Itanium on which VMS runs. As a user program I access pages, but I don't think of them in those terms. I think of them as Sections (some are Global) which contain the read-only part of one shareable image, my own DCL symbols, etc. Those sections to which I have access are in my virtual address space protected so I have that access to which I am entitled.

What is disturbing about that hardware? Is it the fact that the operating system is really setting individual page protections rather than a whole segment at a time?

I realize you probably want more levels and compartments, but that does not seem to me to make the task untenable. Educate me.

--
Larry Kilgallen