File Name: protection and security in distributed operating systems .zip
In computer science , hierarchical protection domains ,   often called protection rings , are mechanisms to protect data and functionality from faults by improving fault tolerance and malicious behavior by providing computer security. This approach is diametrically opposite to that of capability-based security. Computer operating systems provide different levels of access to resources. A protection ring is one of two or more hierarchical levels or layers of privilege within the architecture of a computer system.
In computer science , hierarchical protection domains ,   often called protection rings , are mechanisms to protect data and functionality from faults by improving fault tolerance and malicious behavior by providing computer security. This approach is diametrically opposite to that of capability-based security.
Computer operating systems provide different levels of access to resources. A protection ring is one of two or more hierarchical levels or layers of privilege within the architecture of a computer system. This is generally hardware-enforced by some CPU architectures that provide different CPU modes at the hardware or microcode level. Rings are arranged in a hierarchy from most privileged most trusted, usually numbered zero to least privileged least trusted, usually with the highest ring number.
On most operating systems, Ring 0 is the level with the most privileges and interacts most directly with the physical hardware such as the CPU and memory. Special call gates between rings are provided to allow an outer ring to access an inner ring's resources in a predefined manner, as opposed to allowing arbitrary usage. Correctly gating access between rings can improve security by preventing programs from one ring or privilege level from misusing resources intended for programs in another.
For example, spyware running as a user program in Ring 3 should be prevented from turning on a web camera without informing the user, since hardware access should be a Ring 1 function reserved for device drivers. Programs such as web browsers running in higher numbered rings must request access to the network, a resource restricted to a lower numbered ring.
Multiple rings of protection were among the most revolutionary concepts introduced by the Multics operating system, a highly secure predecessor of today's Unix family of operating systems. The GE mainframe computer did have some hardware access control, but that was not sufficient to provide full support for rings in hardware, so Multics supported them by trapping ring transitions in software;  its successor, the Honeywell , implemented them in hardware, with support for eight rings.
For example, Windows 7 and Windows Server and their predecessors use only two rings, with ring 0 corresponding to kernel mode and ring 3 to user mode ,  because earlier versions of Windows ran on processors that supported only two protection levels.
Many modern CPU architectures including the popular Intel x86 architecture include some form of ring protection, although the Windows NT operating system, like Unix, does not fully utilize this feature. A renewed interest in this design structure came with the proliferation of the Xen VMM software, ongoing discussion on monolithic vs.
The original Multics system had eight rings, but many modern systems have fewer. The hardware remains aware of the current ring of the executing instruction thread at all times, with the help of a special machine register.
In some systems, areas of virtual memory are instead assigned ring numbers in hardware. Thus code executing with the virtual PC set to 0xE, for example, would automatically be in ring 7, and calling a subroutine in a different section of memory would automatically cause a ring transfer.
The hardware severely restricts the ways in which control can be passed from one ring to another, and also enforces restrictions on the types of memory access that can be performed across rings. Using x86 as an example, there is a special [ clarification needed ] gate structure which is referenced by the call instruction that transfers control in a secure way [ clarification needed ] towards predefined entry points in lower-level more trusted rings; this functions as a supervisor call in many operating systems that use the ring architecture.
The hardware restrictions are designed to limit opportunities for accidental or malicious breaches of security. In addition, the most privileged ring may be given special capabilities, such as real memory addressing that bypasses the virtual memory hardware. Operating systems running on hardware supporting both may use both forms of protection or only one. Effective use of ring architecture requires close cooperation between hardware and the operating system [ why?
Operating systems designed to work on multiple hardware platforms may make only limited use of rings if they are not present on every supported platform. Often the security model is simplified to "kernel" and "user" even if hardware provides finer granularity through rings. In computer terms, supervisor mode is a hardware-mediated flag which can be changed by code running in system-level software.
System-level tasks or threads will have this flag set while they are running, whereas userspace applications will not. This flag determines whether it would be possible to execute machine code operations such as modifying registers for various descriptor tables, or performing operations such as disabling interrupts.
Supervisor mode is "an execution mode on some processors which enables execution of all instructions, including privileged instructions. It may also give access to a different address space, to memory management hardware and to other peripherals. This is the mode in which the operating system usually runs. In a monolithic kernel , the operating system runs in supervisor mode and the applications run in user mode.
Other types of operating systems , like those with an exokernel or microkernel , do not necessarily share this behavior. Most processors have at least two different modes. The x86 -processors have four different modes divided into four different rings.
Programs that run in Ring 0 can do anything with the system, and code that runs in Ring 3 should be able to fail at any time without impact to the rest of the computer system. Ring 1 and Ring 2 are rarely used, but could be configured with different levels of access.
In most existing systems, switching from user mode to kernel mode has an associated high cost in performance. It has been measured, on the basic request getpid , to cost — cycles on most machines. Of these just around are for the actual switch 70 from user to kernel space, and 40 back , the rest is "kernel overhead".
Maurice Wilkes wrote: . Rings of protection lent themselves to efficient implementation in hardware, but there was little else to be said for them. This again proved a blind alley To gain performance and determinism, some systems place functions that would likely be viewed as application logic, rather than as device drivers, in kernel mode; security applications access control , firewalls , etc. At least one embedded database management system, e X treme DB Kernel Mode , has been developed specifically for kernel mode deployment, to provide a local database for kernel-based application functions, and to eliminate the context switches that would otherwise occur when kernel functions interact with a database system running in user mode.
Functions are also sometimes moved across rings in the other direction. The Linux kernel, for instance, injects a vDSO section in processes which contains functions that would normally require a system call, i.
But instead of doing a syscall, these functions use static data provided by the kernel which prevents the need for a ring transition which is more lightweight than a syscall. The function gettimeofday can be provided this way. Although they are mutually incompatible, both Intel VT-x codenamed "Vanderpool" and AMD-V codenamed "Pacifica" create a new "Ring -1" so that a guest operating system can run Ring 0 operations natively without affecting other guests or the host OS.
There are 4 privilege levels ranging from 0 which is the most privileged, to 3 which is least privileged. Any resource available to level n is also available to levels 0 to n, so the privilege levels are rings.
When a lesser privileged process tries to access a higher privileged process, a general protection fault exception is reported to the OS. It is not necessary to use all four privilege levels. Windows NT uses the two-level system.
Potential future uses for the multiple privilege levels supported by the x86 ISA family include containerization and virtual machines. A host operating system kernel could use instructions with full privilege access kernel mode , whereas applications running on the guest OS in a virtual machine or container could use the lowest level of privileges in user mode. The virtual machine and guest OS kernel could themselves use an intermediate level of instruction privilege to invoke and virtualize kernel-mode operations such as system calls from the point of view of the guest operating system.
In x86 systems, the x86 hardware virtualization VT-x and SVM is referred as "ring -1", the System Management Mode is referred as "ring -2", the Intel Management Engine is sometimes referred as "ring -3". Many CPU hardware architectures provide far more flexibility than is exploited by the operating systems that they normally run.
When the OS and the CPU are specifically designed for each other, this is not a problem although some hardware features may still be left unexploited , but when the OS is designed to be compatible with multiple, different CPU architectures, a large part of the CPU mode features may be ignored by the OS.
For example, the reason Windows uses only two levels ring 0 and ring 3 is that some hardware architectures that were supported in the past such as PowerPC or MIPS implemented only two privilege levels. Multics was an operating system designed specifically for a special CPU architecture which in turn was designed specifically for Multics , and it took full advantage of the CPU modes available to it. However, it was an exception to the rule.
Today, this high degree of interoperation between the OS and the hardware is not often cost-effective, despite the potential advantages for security and stability. Ultimately, the purpose of distinct operating modes for the CPU is to provide hardware protection against accidental or deliberate corruption of the system environment and corresponding breaches of system security by software.
Only "trusted" portions of system software are allowed to execute in the unrestricted environment of kernel mode, and then, in paradigmatic designs, only when absolutely necessary. All other software executes in one or more user modes.
If a processor generates a fault or exception condition in a user mode, in most cases system stability is unaffected; if a processor generates a fault or exception condition in kernel mode, most operating systems will halt the system with an unrecoverable error.
When a hierarchy of modes exists ring-based security , faults and exceptions at one privilege level may destabilize only the higher-numbered privilege levels. Thus, a fault in Ring 0 the kernel mode with the highest privilege will crash the entire system, but a fault in Ring 2 will only affect Rings 3 and beyond and Ring 2 itself, at most.
Transitions between modes are at the discretion of the executing thread when the transition is from a level of high privilege to one of low privilege as from kernel to user modes , but transitions from lower to higher levels of privilege can take place only through secure, hardware-controlled "gates" that are traversed by executing special instructions or when external interrupts are received.
Microkernel operating systems attempt to minimize the amount of code running in privileged mode, for purposes of security and elegance , but ultimately sacrificing performance. From Wikipedia, the free encyclopedia. Layer of protection in computer systems. For other uses, see Ring.
For the Japanese horror film prequel, see Ring 0: Birthday. For the manga, see The Ring Volume 0: Birthday. This article includes a list of general references , but it remains largely unverified because it lacks sufficient corresponding inline citations.
Please help to improve this article by introducing more precise citations. February Learn how and when to remove this template message. Main article: privilege computing. Proceedings Symposium on Applications and the Internet. Retrieved 27 September Solomon Microsoft Press. Windows Internals Part 1. Redmond, Washington: Microsoft Press. The reason Windows uses only two levels is that some hardware architectures that were supported in the past such as Compaq Alpha and Silicon Graphics MIPS implemented only two privilege levels.
Archived from the original on 15 June Retrieved 13 June Why aren't operating systems getting faster as fast as hardware? Dobb's Journal , May AMD Pacifica". Archived from the original on 30 May Retrieved 11 November
Protection and security requires that computer resources such as CPU, softwares, memory etc. This extends to the operating system as well as the data in the system. This can be done by ensuring integrity, confidentiality and availability in the operating system. The system must be protect against unauthorized access, viruses, worms etc. A threat is a program that is malicious in nature and leads to harmful effects for the system. Viruses are generally small snippets of code embedded in a system.
Distributed computing systems impose new requirements on the security of the operating systems and hardware structures of the computers participating in a distributed data network environment. It is proposed that multiple level greater than two security hardware, with associated full support for that hardware at the operating system level, is required to meet the needs of this emerging environment. The security functions of individual nodes participating in a distributed computing environment, and their associated evaluation level, appear critical to the development of overall security architectures for the protection of distributed computing systems.
A distributed operating system is system software over a collection of independent, networked , communicating , and physically separate computational nodes. They handle jobs which are serviced by multiple CPUs. Each subset is a composite of two distinct service provisioners. Second is a higher-level collection of system management components that coordinate the node's individual and collaborative activities. These components abstract microkernel functions and support user applications. The microkernel and the management components collection work together.
Skip to search form Skip to main content You are currently offline. Some features of the site may not work correctly. DOI: Mullender and A. Mullender , A. Tanenbaum Published Computer Science Comput. Local networks often consist of a cable snaking through a building with sockets in each room into which users can plug their personal computers.
Memory protection is a way to control memory access rights on a computer, and is a part of most modern instruction set architectures and operating systems. The main purpose of memory protection is to prevent a process from accessing memory that has not been allocated to it. This prevents a bug or malware within a process from affecting other processes, or the operating system itself. Protection may encompass all accesses to a specified area of memory, write accesses, or attempts to execute the contents of the area. An attempt to access unauthorized [a] memory results in a hardware fault , e. Memory protection for computer security includes additional techniques such as address space layout randomization and executable space protection. Segmentation refers to dividing a computer's memory into segments.
Джабба повернул голову к экрану ВР.
PDF | This chapter contains sections titled: Introduction to Security and Distributed Systems Relevant Terminology Types of External Attacks.Reply
Request PDF | Distributed Operating System Security and Protection: A Short Survey | In this paper, we investigate several modern distributed operating systems.Reply
The innovations in semiconductor technology in the past decade have brought down the computing hardware cost to such a low level that the system planners of today are more inclined to have distributed systems installed wherever possible and interconnect them through communication networks.Reply
If a computer system has multiple users and allows the concurrent execution of multiple processes, then access to data must be regulated.Reply