At 9:02 AM -0700 4/3/06, Crispin Cowan wrote: > That second question is actually pretty technically deep. What is so > different about paged memory systems that makes them harder to secure > than segmented memory systems? My conjecture: it is the granularity of > the memory blobs. Consider: > > * In a segmented system, you have a small number of fairly large > memory objects (segments). Segments are hefty enough that they can > be of variable size, and also can have security tags describing > their security level at multiple levels. So a given segment can be > tagged as being security level 1, 2, 3, and so forth, and the TCB > need only check the level before granting or denying access. > * In a paged system, in contrast, you have a very large number of > much smaller memory objects (pages). Pages are simple, even having > fixed size. Fixed size wastes memory, but no one cares because the > pages are small enough that it doesn't hurt much. Because pages > are simple, you cannot tag them with a bunch of different security > levels. For that matter, x86 architectures only recently got a > (kind-of) ability to distinguish between read and execute > permissions per page, so asking associate and store security > levels per page in hardware is likely more than the TLB can handle.
I will admit to not knowing much about hardware, but you seem to be discussing a TCB implemented in software. Consider the VAX/Alpha/Itanium on which VMS runs. As a user program I access pages, but I don't think of them in those terms. I think of them as Sections (some are Global) which contain the read-only part of one shareable image, my own DCL symbols, etc. Those sections to which I have access are in my virtual address space protected so I have that access to which I am entitled. What is disturbing about that hardware ? Is it the fact that the operating system is really setting individual page protections rather than a whole segment at a time ? I realize you probably want more levels and compartments, but that does not seem to me to make the task untenable. Educate me. -- Larry Kilgallen _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php