Secure Coding mailing list archives

Segments, eh Smithers?


From: ljknews at mac.com (ljknews)
Date: Tue, 4 Apr 2006 12:41:28 -0400

At 9:02 AM -0700 4/3/06, Crispin Cowan wrote:

That second question is actually pretty technically deep. What is so
different about paged memory systems that makes them harder to secure
than segmented memory systems? My conjecture: it is the granularity of
the memory blobs. Consider:

    * In a segmented system, you have a small number of fairly large
      memory objects (segments). Segments are hefty enough that they can
      be of variable size, and also can have security tags describing
      their security level at multiple levels. So a given segment can be
      tagged as being security level 1, 2, 3, and so forth, and the TCB
      need only check the level before granting or denying access.
    * In a paged system, in contrast, you have a very large number of
      much smaller memory objects (pages). Pages are simple, even having
      fixed size. Fixed size wastes memory, but no one cares because the
      pages are small enough that it doesn't hurt much. Because pages
      are simple, you cannot tag them with a bunch of different security
      levels. For that matter, x86 architectures only recently got a
      (kind-of) ability to distinguish between read and execute
      permissions per page, so asking to associate and store security
      levels per page in hardware is likely more than the TLB can handle.

I will admit to not knowing much about hardware, but you seem to be
discussing a TCB implemented in software.

Consider the VAX/Alpha/Itanium on which VMS runs.  As a user program
I access pages, but I don't think of them in those terms.  I think of
them as Sections (some are Global) which contain the read-only part
of one shareable image, my own DCL symbols, etc.  Those sections to
which I have access are in my virtual address space protected so I
have that access to which I am entitled.

What is disturbing about that hardware?  Is it the fact that the
operating system is really setting individual page protections rather
than a whole segment at a time?

I realize you probably want more levels and compartments, but that
does not seem to me to make the task untenable.  Educate me.
-- 
Larry Kilgallen
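The exchange above turns on protection granularity: on a paged machine the smallest unit the MMU can protect is a page, so two objects that happen to share a page cannot be given different permissions. The following program is an added illustration by the editor, not code from either poster or from VMS; it assumes a POSIX system with mmap(), mprotect() and sigaction() (Linux or a BSD) and a writable anonymous mapping. It places two small "objects" in one page, makes the page read-only on behalf of the first object, and shows by probing that the second object lost write access too. It also shows that mprotect() rejects an address that is not page aligned, which is the hardware's way of saying that a page is the only protection unit it offers.

```c
/* Added example (not from the mailing-list thread): page-granular protection.
 * Assumes a POSIX system (Linux or *BSD) with mmap/mprotect/sigaction. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_env;
static volatile sig_atomic_t faulted;

/* A write to a read-only page raises SIGSEGV (SIGBUS on some systems);
 * record the fault and jump back into write_probe(). */
static void on_fault(int sig) {
    (void)sig;
    faulted = 1;
    siglongjmp(fault_env, 1);
}

/* Try to write one byte at p. Returns 1 if the write succeeded, 0 if it faulted. */
static int write_probe(volatile char *p) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    faulted = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        *p = 'x';               /* the probed access */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted ? 0 : 1;
}

/* Two objects in one page: protecting "object A" read-only also makes
 * "object B" read-only, because the page is the unit of protection.
 * Returns how many of the four probes behaved as page granularity predicts
 * (4 expected), or -1 on a mapping error. */
int page_granularity_demo(void) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    char *page = mmap(NULL, pg, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    char *obj_a = page;           /* object A at offset 0 */
    char *obj_b = page + pg / 2;  /* object B in the same page, offset pg/2 */
    int ok = 0;

    ok += write_probe(obj_a);     /* both writable to start with */
    ok += write_probe(obj_b);

    /* We only "want" object A read-only, but the MMU can only do the page. */
    if (mprotect(page, pg, PROT_READ) != 0) { munmap(page, pg); return -1; }
    ok += !write_probe(obj_a);    /* faults, as requested */
    ok += !write_probe(obj_b);    /* faults too: no per-object protection */

    mprotect(page, pg, PROT_READ | PROT_WRITE);
    munmap(page, pg);
    return ok;
}

/* mprotect() on a non-page-aligned address fails with EINVAL: the page is
 * the smallest unit of protection the hardware offers. Returns that errno
 * (0 if the call unexpectedly succeeded, -1 on a mapping error). */
int unaligned_mprotect_errno(void) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    char *page = mmap(NULL, 2 * pg, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    int err = 0;
    if (mprotect(page + 1, pg, PROT_READ) != 0) err = errno;
    munmap(page, 2 * pg);
    return err;
}

int main(void) {
    printf("probes matching page granularity: %d (expected 4)\n",
           page_granularity_demo());
    printf("mprotect on unaligned address: errno %d (EINVAL is %d)\n",
           unaligned_mprotect_errno(), EINVAL);
    return 0;
}
```

A segmented machine could express "object A read-only, object B writable" directly, because a segment has its own base, length and protection; on a paged machine the operating system (VMS, Linux or any other) can only set the page's protection and must arrange for objects with different protection needs to live in different pages, which is what "Sections" ultimately come down to.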


