> That second question is actually pretty technically deep. What is so
> different about paged memory systems that makes them harder to secure
> than segmented memory systems? My conjecture: it is the granularity of
> the memory blobs. Consider:
>     * In a segmented system, you have a small number of fairly large
>       memory objects (segments). Segments are hefty enough that they can
>       be of variable size, and also can have security tags describing
>       their security level at multiple levels. So a given segment can be
>       tagged as being security level 1, 2, 3, and so forth, and the TCB
>       need only check the level before granting or denying access.
>     * In a paged system, in contrast, you have a very large number of
>       much smaller memory objects (pages). Pages are simple, even having
>       fixed size. Fixed size wastes memory, but no one cares because the
>       pages are small enough that it doesn't hurt much. Because pages
>       are simple, you cannot tag them with a bunch of different security
>       levels. For that matter, x86 architectures only recently got a
>       (kind-of) ability to distinguish between read and execute
>       permissions per page, so asking to associate and store security
>       levels per page in hardware is likely more than the TLB can handle.

I will admit to not knowing much about hardware, but you seem to be
discussing a TCB implemented in software.

Consider the VAX/Alpha/Itanium on which VMS runs.  As a user program
I access pages, but I don't think of them in those terms.  I think of
them as Sections (some are Global) which contain the read-only part
of one shareable image, my own DCL symbols, etc.  Those sections to
which I have access are in my virtual address space protected so I
have that access to which I am entitled.

What is disturbing about that hardware?  Is it the fact that the
operating system is really setting individual page protections rather
than a whole segment at a time?

I realize you probably want more levels and compartments, but that
does not seem to me to make the task untenable.  Educate me.
Larry Kilgallen
