Mondrian memory protection
Citations
Secure program execution via dynamic information flow tracking
Improving the reliability of commodity operating systems
Minos: Control Data Attack Prevention Orthogonal to Memory Model
XFI: software guards for system address spaces
Enhancing server availability and security through failure-oblivious computing
References
The protection of information in computer systems
Proof-carrying code
Simultaneous multithreading: maximizing on-chip parallelism
Efficient software-based fault isolation
Extensibility safety and performance in the SPIN operating system
Frequently Asked Questions (13)
Q2. What is the advantage of the protection domain approach?
An advantage of the protection domain approach is that conventional pointers can be used, and permissions can be easily revoked by modifying the per-process permissions tables.
Q3. How much time does a zero copying implementation save?
If the authors charge 2 cycles for the unaligned loads that cross cache line boundaries, 10 cycles for the seamed loads and discount all other instructions, the translation implementation still saves 46% of the reference time of a copying implementation.
Q4. What is the natural solution to the protected sharing problem?
The implementors of early architectures and operating systems [5, 26] believed the most natural solution to the protected sharing problem was to place each allocated region in a segment, which has the protection information.
Q5. What is the purpose of a permissions lookaside buffer?
A permissions lookaside buffer (PLB) caches entries from the permissions table to avoid long walks through the memory resident table.
Q6. Why have the architects rejected the native OS support for a separate address space?
The architects of these systems have rejected designs using the native OS support for a separate address space per module because of the complexity and run-time overhead of managing multiple address contexts.
Q7. How does the implementation measure the increase in miss rate caused by the table lookups?
In addition to counting additional memory references, the authors also fed address traces containing the table accesses to a cache simulator to measure the increase in miss rate caused by the table lookups.
Q8. What is the reason why a sidecar is invalidated?
If the permissions are modified, any processor that might be caching the data must be notified so it can invalidate its sidecar registers and the affected section of the PLB.
Q9. How can the authors make a segment of memory appear to reside in a different address range?
The authors can make a segment of memory appear to reside in a different address range by storing a translation offset in the table segment descriptor.
Q10. What is the permission vector for the entry?
If a region contains more than four abutting segments, the authors represent the permissions using a permission vector held in a separate word of storage and pointed to by the entry.
Q11. What is the way to make the supervisor use its data?
The supervisor can keep protection information for its text, stack, and data in these entries so they do not need to be faulted in on every supervisor call.
Q12. How many read ports do sidecars need?
The sidecar registers can be physically located by the load/store unit and only need as many read ports as the number of simultaneous load and store instructions supported.
Q13. What is the format for permission vectors?
Although permission vectors are a simple format for MLPT entries, they do not take advantage of the fact that most user segments are longer than a single word.