Title: CS 414 Review
1CS 414 Review
2Operating System Definition
Definition An Operating System (OS) provides a
virtual machine on top of the real hardware,
whose interface is more convenient than the raw
hardware interface.
Applications
OS interface
Operating System
Physical machine interface
Hardware
Advantages Easy to use, simpler to code, more
reliable, more secure, You can say I want to
write XYZ into file ABC
3What is in an OS?
Quake
Sql Server
Applications
Windowing graphics
Shells
System Utils
OS Interface
Naming
Windowing Gfx
Operating System Services
Virtual Memory
Networking
Access Control
Generic I/O
File System
Process Management
Memory Management
Device Drivers
Physical m/c Intf
Interrupts, Cache, Physical Memory, TLB, Hardware
Devices
Logical OS Structure
4Crossing Protection Boundaries
- User calls OS procedure for privileged
operations - Calling a kernel mode service from user mode
program - Using System Calls
- System Calls switches execution to kernel mode
User Mode Mode bit 1
Resume process
User process
System Call
Trap Mode bit 0
Kernel Mode Mode bit 0
Return Mode bit 1
Save Callers state
Execute system call
Restore state
5What is a process?
- The unit of execution
- The unit of scheduling
- Thread of execution address space
- Is a program in execution
- Sequential, instruction-at-a-time execution of a
program. - The same as job or task or sequential
process
6Process State Transitions
interrupt
New
Exit
admitted
done
Ready
Running
dispatch
I/O or event completion
I/O or event wait
Waiting
- Processes hop across states as a result of
- Actions they perform, e.g. system calls
- Actions performed by OS, e.g. rescheduling
- External actions, e.g. I/O
7Context Switch
- For a running process
- All registers are loaded in CPU and modified
- E.g. Program Counter, Stack Pointer, General
Purpose Registers - When process relinquishes the CPU, the OS
- Saves register values to the PCB of that process
- To execute another process, the OS
- Loads register values from PCB of that process
- Context Switch
- Process of switching CPU from one process to
another - Very machine dependent for types of registers
8Threads and Processes
- Most operating systems therefore support two
entities - the process,
- which defines the address space and general
process attributes - the thread,
- which defines a sequential execution stream
within a process - A thread is bound to a single process.
- For each process, however, there may be many
threads. - Threads are the unit of scheduling
- Processes are containers in which threads execute
9Schedulers
- Process migrates among several queues
- Device queue, job queue, ready queue
- Scheduler selects a process to run from these
queues - Long-term scheduler
- load a job in memory
- Runs infrequently
- Short-term scheduler
- Select ready process to run on CPU
- Should be fast
- Middle-term scheduler
- Reduce multiprogramming or memory consumption
10CPU Scheduling
- FCFS
- LIFO
- SJF
- SRTF
- Priority Scheduling
- Round Robin
- Multi-level Queue
- Multi-level Feedback Queue
11Race conditions
- Definition timing dependent error involving
shared state - Whether it happens depends on how threads
scheduled - Hard to detect
- All possible schedules have to be safe
- Number of possible schedule permutations is huge
- Some bad schedules? Some that will work
sometimes? - they are intermittent
- Timing dependent small changes can hide bug
12The Fundamental Issue Atomicity
- Our atomic operation is not done atomically by
machine - Atomic Unit instruction sequence guaranteed to
execute indivisibly - Also called critical section (CS)
- When 2 processes want to execute their Critical
Section, - One process finishes its CS before other is
allowed to enter
13Critical Section Problem
- Problem Design a protocol for processes to
cooperate, such that only one process is in its
critical section - How to make multiple instructions seem like one?
CS1
Process 1 Process 2
CS2
Time ?
Processes progress with non-zero speed, no
assumption on clock speed Used extensively in
operating systems Queues, shared variables,
interrupt handlers, etc.
14Solution Structure
Shared vars Initialization Process . . . .
. . Entry Section Critical Section Exit
Section
Added to solve the CS problem
15Solution Requirements
- Mutual Exclusion
- Only one process can be in the critical section
at any time - Progress
- Decision on who enters CS cannot be indefinitely
postponed - No deadlock
- Bounded Waiting
- Bound on times others can enter CS, while I am
waiting - No livelock
- Also efficient (no extra resources), fair,
simple,
16Semaphores
- Non-negative integer with atomic increment and
decrement - Integer S that (besides init) can only be
modified by - P(S) or S.wait() decrement or block if already 0
- V(S) or S.signal() increment and wake up process
if any - These operations are atomic
semaphore S P(S) while(S 0)
S--
V(S) S
17Semaphore Types
- Counting Semaphores
- Any integer
- Used for synchronization
- Binary Semaphores
- Value 0 or 1
- Used for mutual exclusion (mutex)
Process i P(S) Critical Section V(S)
Shared semaphore S Init S 1
18Mutexes and Synchronization
semaphore S P(S) while(S 0)
S--
Init S 0
Init S 1
Process i P(S) Code XYZ V(S)
Process j P(S) Code ABC V(S)
V(S) S
19Monitors
- Hoare 1974
- Abstract Data Type for handling/defining shared
resources - Comprises
- Shared Private Data
- The resource
- Cannot be accessed from outside
- Procedures that operate on the data
- Gateway to the resource
- Can only act on data local to the monitor
- Synchronization primitives
- Among threads that access the procedures
20Synchronization Using Monitors
- Defines Condition Variables
- condition x
- Provides a mechanism to wait for events
- Resources available, any writers
- 3 atomic operations on Condition Variables
- x.wait() release monitor lock, sleep until woken
up - ? condition variables have waiting queues too
- x.notify() wake one process waiting on condition
(if there is one) - No history associated with signal
- x.broadcast() wake all processes waiting on
condition - Useful for resource manager
- Condition variables are not Boolean
- If(x) then does not make sense
21Types of Monitors
- What happens on notify()
- Hoare signaler immediately gives lock to waiter
(theory) - Condition definitely holds when waiter returns
- Easy to reason about the program
- Mesa signaler keeps lock and processor
(practice) - Condition might not hold when waiter returns
- Fewer context switches, easy to support broadcast
- Brinch Hansen signaler must immediately exit
monitor - So, notify should be last statement of monitor
procedure
22Deadlocks
- Definition
- Deadlock exists among a set of processes if
- Every process is waiting for an event
- This event can be caused only by another process
in the set - Event is the acquire of release of another
resource
Kansas 20th century law When two trains
approach each other at a crossing, both shall
come to a full stop and neither shall start up
again until the other has gone
23Four Conditions for Deadlock
- Coffman et. al. 1971
- Necessary conditions for deadlock to exist
- Mutual Exclusion
- At least one resource must be held is in
non-sharable mode - Hold and wait
- There exists a process holding a resource, and
waiting for another - No preemption
- Resources cannot be preempted
- Circular wait
- There exists a set of processes P1, P2, PN,
such that - P1 is waiting for P2, P2 for P3, . and PN for P1
- All four conditions must hold for deadlock to
occur
24Dealing with Deadlocks
- Proactive Approaches
- Deadlock Prevention
- Negate one of 4 necessary conditions
- Prevent deadlock from occurring
- Deadlock Avoidance
- Carefully allocate resources based on future
knowledge - Deadlocks are prevented
- Reactive Approach
- Deadlock detection and recovery
- Let deadlock happen, then detect and recover from
it - Ignore the problem
- Pretend deadlocks will never occur
- Ostrich approach
25Safe State
- A state is said to be safe, if it has a process
sequence - P1, P2,, Pn, such that for each Pi,
- the resources that Pi can still request can be
satisfied by the currently available resources
plus the resources held by all Pj, where j lt i - State is safe because OS can definitely avoid
deadlock - by blocking any new requests until safe order is
executed - This avoids circular wait condition
- Process waits until safe state is guaranteed
26Bankers Algorithm
- Decides whether to grant a resource request.
- Data structures
- n integer of processes
- m integer of resources
- available1..m availablei is of avail
resources of type i - max1..n,1..m max demand of each Pi for each Ri
- allocation1..n,1..m current allocation of
resource Rj to Pi - need1..n,1..m max resource Rj that Pi may
still request - let requesti be vector of of resource Rj
Process Pi wants
27Basic Algorithm
- If requesti gt needi then
- error (asked for too much)
- If requesti gt availablei then
- wait (cant supply it now)
- Resources are available to satisfy the request
- Lets assume that we satisfy the request. Then
we would have - available available - requesti
- allocationi allocation i requesti
- needi need i - request i
- Now, check if this would leave us in a safe
state - if yes, grant the request,
- if no, then leave the state as is and cause
process to wait.
28Memory Management Issues
- Protection Errors in process should not affect
others - Transparency Should run despite memory
size/location
Translation box (MMU)
legal addr? Illegal?
Physical address
Load Store
Physical memory
virtual address
CPU
fault
data
How to do this mapping?
29Scheme 1 Load-time Linking
- Link as usual, but keep list of references
- At load time determine the new base address
- Accordingly adjust all references (addition)
- Issues handling multiple segments, moving in
memory
OS
static a.out
0x3000
0x6000
jump 0x2000
jump 0x5000
jump 0x2000
0x4000
0x1000
30Scheme 2 Execution-time Linking
- Use hardware (base limit reg) to solve the
problem - Done for every memory access
- Relocation physical address logical (virtual)
address base - Protection is virtual address lt limit?
- When process runs, base register 0x3000, bounds
register 0x2000. Jump addr 0x2000 0x3000
0x5000
OS
a.out
0x6000
0x3000
MMU
a.out
Base 0x3000 Limit 0x2000
jump 0x2000
jump 0x2000
0x4000
0x1000
31Segmentation
- Processes have multiple base limit registers
- Processes address space has multiple segments
- Each segment has its own base limit registers
- Add protection bits to every segment
Real memory
gcc
0x1000 0x3000 0x5000 0x6000
0x2000 0x8000 0x6000
Text seg r/o
BaseLimit?
Stack seg r/w
How to do the mapping?
32Mapping Segments
- Segment Table
- An entry for each segment
- Is a tuple ltbase, limit, protectiongt
- Each memory reference indicates segment and offset
33Fragmentation
- The inability to use free memory
- External Fragmentation
- Variable sized pieces ? many small holes over
time - Internal Fragmentation
- Fixed sized pieces ? internal waste if entire
piece is not used
External fragmentation
gcc
Word
??
emacs
Unused (internal fragmentation)
allocated
stack
doom
34Paging
- Divide memory into fixed size pieces
- Called frames or pages
- Pros easy, no external fragmentation
Pages typical 4k-8k
gcc
emacs
internal frag
35Mapping Pages
- If 2m virtual address space, 2n page size
- (m - n) bits to denote page number, n for offset
within page - Translation done using a Page Table
Virtual addr
mem
((1ltlt12)128)
3 128 (12bits)
0x1000
VPN page offset
128
page table
seg
Prot VPN PPN
?
PPN
invalid
r 3 1
36Paging Segmentation
- Paged segmentation
- Handles very long segments
- The segments are paged
- Segmented Paging
- When the page table is very big
- Segment the page table
- Lets consider System 370 (24-bit address space)
37What is virtual memory?
- Each process has illusion of large address space
- 232 for 32-bit addressing
- However, physical memory is much smaller
- How do we give this illusion to multiple
processes? - Virtual Memory some addresses reside in disk
38Virtual Memory
- Load entire process in memory (swapping), run it,
exit - Is slow (for big processes)
- Wasteful (might not require everything)
- Solutions partial residency
- Paging only bring in pages, not all pages of
process - Demand paging bring only pages that are required
- Where to fetch page from?
- Have a contiguous space in disk swap file
(pagefile.sys)
39Page Faults
- On a page fault
- OS finds a free frame, or evicts one from memory
(which one?) - Want knowledge of the future?
- Issues disk request to fetch data for page (what
to fetch?) - Just the requested page, or more?
- Block current process, context switch to new
process (how?) - Process might be executing an instruction
- When disk completes, set present bit to 1, and
current process in ready queue
40Page Replacement Algorithms
- Random Pick any page to eject at random
- Used mainly for comparison
- FIFO The page brought in earliest is evicted
- Ignores usage
- Suffers from Beladys Anomaly
- Fault rate could increase on increasing number of
pages - E.g. 0 1 2 3 0 1 4 0 1 2 3 4 with frame sizes 3
and 4 - OPT Beladys algorithm
- Select page not used for longest time
- LRU Evict page that hasnt been used the longest
- Past could be a good predictor of the future
41Thrashing
- Processes in system require more memory than is
there - Keep throwing out page that will be referenced
soon - So, they keep accessing memory that is not there
- Why does it occur?
- No good reuse, past ! future
- There is reuse, but process does not fit
- Too many processes in the system
42Approach 1 Working Set
- Peter Denning, 1968
- Defines the locality of a program
- pages referenced by process in last T seconds of
execution considered to comprise its working set - T the working set parameter
- Uses
- Caching size of cache is size of WS
- Scheduling schedule process only if WS in memory
- Page replacement replace non-WS pages
43Working Sets
- The working set size is num pages in the working
set - the number of pages touched in the interval (t,
t-?). - The working set size changes with program
locality. - during periods of poor locality, you reference
more pages. - Within that period of time, you will have a
larger working set size. - Dont run process unless working set is in memory.
44Approach 2 Page Fault Frequency
- thrashing viewed as poor ratio of fetch to work
- PFF page faults / instructions executed
- if PFF rises above threshold, process needs more
memory - not enough memory on the system? Swap out.
- if PFF sinks below threshold, memory can be taken
away
45Allocation and deallocation
- What happens when you call
- int p (int )malloc(2500sizeof(int))
- Allocator slices a chunk of the heap and gives it
to the program - free(p)
- Deallocator will put back the allocated space to
a free list - Simplest implementation
- Allocation increment pointer on every allocation
- Deallocation no-op
- Problems lots of fragmentation
heap (free memory)
allocation
current free position
46Memory Allocator
- What allocator has to do
- Maintain free list, and grant memory to requests
- Ideal no fragmentation and no wasted time
- What allocator cannot do
- Control order of memory requests and frees
- A bad placement cannot be revoked
- Main challenge avoid fragmentation
a
b
malloc(20)?
47What happens on free?
- Identify size of chunk returned by user
- Change sign on both signatures (make ve)
- Combine free adjacent chunks into bigger chunk
- Worst case when there is one free chunk before
and after - Recalculate size of new free chunk
- Update the signatures
- Dont really need to erase old signatures
48Design features
- Which free chunks should service request
- Ideally avoid fragmentation requires future
knowledge - Split free chunks to satisfy smaller requests
- Avoids internal fragmentation
- Coalesce free blocks to form larger chunks
- Avoids external fragmentation
49Malloc OS memory management
- Relocation
- OS allows easy relocation (change page table)
- Placement decisions permanent at user level
- Size and distribution
- OS small number of large objects
- Malloc huge number of small objects
heap
stack
data
code
50What does the disk look like?
51Disk overheads
- To read from disk, we must specify
- cylinder , surface , sector , transfer size,
memory address - Transfer time includes
- Seek time to get to the track
- Latency time to get to the sector and
- Transfer time get bits off the disk
Track
Sector
Rotation Delay
Seek Time
52Disk Scheduling
- FCFS
- SSTF
- SCAN
- C-SCAN
- LOOK
- C-LOOK
53RAID Levels
- 0 Striping
- 1 Mirroring
- 2 Hamming Codes
- 3 Parity Bit
- 4 Block Striping
- 5 Spread parity blocks across all disks
- 01 and 10
54Stable Storage Algo
- Use 2 identical disks
- corresponding blocks on both drives are the same
- 3 operations
- Stable write retry on 1st until successful, then
try 2nd disk - Stable read read from 1st. If ECC error, then
try 2nd - Crash recovery scan corresponding blocks on both
disks - If one block is bad, replace with good one
- If both are good, replace block in 2nd with the
one in 1st
55File System Layout
- File System is stored on disks
- Disk is divided into 1 or more partitions
- Sector 0 of disk called Master Boot Record
- End of MBR has partition table (start end
address of partitions) - First block of each partition has boot block
- Loaded by MBR and executed on boot
56Implementing Files
- Contiguous Allocation allocate files
contiguously on disk
57Linked List Allocation
- Each file is stored as linked list of blocks
- First word of each block points to next block
- Rest of disk block is file data
58Using an in-memory table
- Implement a linked list allocation using a table
- Called File Allocation Table (FAT)
- Take pointer away from blocks, store in this
table
59I-nodes
- Index-node (I-node) is a per-file data structure
- Lists attributes and disk addresses of files
blocks - Pros Space (max open files size per I-node)
- Cons what if file expands beyond I-node address
space?
60Implementing Directories
- When a file is opened, OS uses path name to find
dir - Directory has information about the files disk
blocks - Whole file (contiguous), first block
(linked-list) or I-node - Directory also has attributes of each file
- Directory map ASCII file name to file attributes
location - 2 options entries have all attributes, or point
to file I-node
61Implementing Directories
- What if files have large, variable-length names?
- Solution
- Limit file name length, say 255 chars, and use
previous scheme - Pros Simple Cons wastes space
- Directory entry comprises fixed and variable
portion - Fixed part starts with entry size, followed by
attributes - Variable part has the file name
- Pros saves space
- Cons holes on removal, page fault on file read,
word boundaries - Directory entries are fixed in length, pointer to
file name in heap - Pros easy removal, no space wasted for word
boundaries - Cons manage heap, page faults on file names
62Managing Free Disk Space
- 2 approaches to keep track of free disk blocks
- Linked list and bitmap approach
63File System Consistency
- System crash before modified files written back
- Leads to inconsistency in FS
- fsck (UNIX) scandisk (Windows) check FS
consistency - Algorithm
- Build 2 tables, each containing counter for all
blocks (init to 0) - 1st table checks how many times a block is in a
file - 2nd table records how often block is present in
the free list - gt1 not possible if using a bitmap
- Read all i-nodes, and modify table 1
- Read free-list and modify table 2
- Consistent state if block is either in table 1 or
2, but not both
64FS Performance
- Access to disk is much slower than access to
memory - Optimizations needed to get best performance
- 3 possible approaches caching, prefetching, disk
layout - Block or buffer cache
- Read/write from and to the cache.
65Block Cache Replacement
- Which cache block to replace?
- Could use any page replacement algorithm
- Possible to implement perfect LRU
- Since much lesser frequency of cache access
- Move block to front of queue
- Perfect LRU is undesirable. We should also
answer - Is the block essential to consistency of system?
- Will this block be needed again soon?
- When to write back other blocks?
- Update daemon in UNIX calls sync system call
every 30 s - MS-DOS uses write-through caches
66LFS Basic Idea
- Structure the disk a log
- Periodically, all pending writes buffered in
memory are collected in a single segment - The entire segment is written contiguously at end
of the log - Segment may contain i-nodes, directory entries,
data - Start of each segment has a summary
- If segment around 1 MB, then full disk bandwidth
can be utilized - Note, i-nodes are now scattered on disk
- Maintain i-node map (entry i points to i-node i
on disk) - Part of it is cached, reducing the delay in
accessing i-node - This description works great for disks of
infinite size
67LFS Cleaning
- Finite disk space implies that the disk is
eventually full - Fortunately, some segments have stale information
- A file overwrite causes i-node to point to new
blocks - Old ones still occupy space
- Solution LFS Cleaner thread compacts the log
- Read segment summary, and see if contents are
current - File blocks, i-nodes, etc.
- If not, the segment is marked free, and cleaner
moves forward - Else, cleaner writes content into new segment at
end of the log - The segment is marked as free!
- Disk is a circular buffer, writer adds contents
to the front, cleaner cleans content from the back
68FS Examples
- DOS
- Win98
- WinXP
- UNIX FS
- Linux ext2FS
- NFS, AFS, LFS
- P2P FSes
69Network Stack Layering
Node A
Application
Node B
Application
Presentation
Presentation
Transport
Transport
Network
Network
Data Link
Data Link
Physical
Physical
Network
70End-to-End Argument
- What function to implement in each layer?
- Saltzer, Reed, Clarke 1984
- A function can be correctly and completely
implemented only with the knowledge and help of
applications standing at the communication
endpoints - Argues for moving function upward in a layered
architecture - Should the network guarantee packet delivery ?
- Think about a file transfer program
- Read file from disk, send it, the receiver reads
packets and writes them to the disk
71Packet vs. Circuit Switching
- Reliability no congestion, in-order data in
circuit-switch - Packet switching better bandwidth use
- State, resources packet switching has less state
- Good less control plane processing resources
along the way - More data plane (address lookup) processing
- Failure modes (routers/links down)
- Packet switch reconfigures sub-second timescale
- Circuit switching more complicated
- Involves all switches in the path
72Link level Issues
- Encoding map bits to analog signals
- Framing Group bits into frames (packets)
- Arbitration multiple senders, one resource
- Addressing multiple receivers, one wire
73Repeaters and Bridges
- Both connect LAN segments
- Usually do not originate data
- Repeaters (Hubs) physical layer devices
- forward packets on all LAN segments
- Useful for increasing range
- Increases contention
- Bridges link layer devices
- Forward packets only if meant on that segment
- Isolates congestion
- More expensive
74Network Layer
- Two important functions
- routing determine path from source to dest.
- forwarding move packets from routers input to
output
T3
T1 T3
Sts-1
T1
75Two connection models
- Connectionless (or datagram)
- each packet contains enough information that
routers can decide how to get it to its final
destination - Connection-oriented (or virtual circuit)
- first set up a connection between two nodes
- label it (called a virtual circuit identifier
(VCI)) - all packets carry label
1
A
76DNS name servers
- Name server process running on a host that
processes DNS requests - local name servers
- each ISP, company has local (default) name server
- host DNS query first goes to local name server
- authoritative name server
- can perform name/address translation for a
specific domain or zone
- How could we provide this service? Why not
centralize DNS? - single point of failure
- traffic volume
- distant centralized database
- maintenance
- doesnt scale!
- no server has all name-to-IP address mappings
77Purpose of Transport layer
- Interface end-to-end applications and protocols
- Turn best-effort IP into a usable interface
- Data transfer b/w processes
- Compared to end-to-end IP
- We will look at 2
- TCP
- UDP
78UDP
- Unreliable Datagram Protocol
- Best effort data delivery between processes
- No frills, bare bones transport protocol
- Packet may be lost, out of order
- Connectionless protocol
- No handshaking between sender and receiver
- Each UDP datagram handled independently
79UDP Functionality
- Multiplexing/Demultiplexing
- Using ports
- Checksums (optional)
- Check for corruption
P3
P4
application-layer data
segment header
P1
P2
segment
H
t
M
segment
receiver
80TCP
- Transmission Control Protocol
- Reliable, in-order, process-to-process, two-way
byte stream - Different from UDP
- Connection-oriented
- Error recovery Packet loss, duplication,
corruption, reordering - A number of applications require this guarantee
- Web browsers use TCP
81TCP Summary
- Reliable ordered message delivery
- Connection oriented, 3-way handshake
- Transmission window for better throughput
- Timeouts based on link parameters
- Congestion control
- Linear increase, exponential backoff
- Fast adaptation
- Exponential increase in the initial phase
82Security in Computer Systems
- In computer systems, this translates to
- Authorization
- Authentication
- Audit
- This is the Gold Standard for Security (Lampson)
- Some security goals
- Data confidentiality secret data remains secret
- Data integrity no tampering of data
- System availability unable to make system
unusable - Privacy protecting from misuse of users
information
83Cryptography Overview
- Encrypt data so it only makes sense to authorized
users - Input data is a message or file called plaintext
- Encrypted data is called ciphertext
- Encryption and decryption functions should be
public - Security by obscurity is not a good idea!
84Secret-Key Cryptography
- Also called symmetric cryptography
- Encryption algorithm is publicly known
- E(message, key) ciphertext D(ciphertext,
key) message - Naïve scheme monoalphabetic substitution
- Plaintext ABCDEFGHIJKLMNOPQRSTUVWXYZ
- Ciphertext QWERTYUIOPASDFGHJKLZXCVBNM
- So, attack is encrypted to qzzqea
- 26! possible keys 4x1026 possibilities
- 1 µs per permutation ? 10 trillion years to break
- easy to break this scheme! How?
- e occurs 14, t 9.85, q 0.26
85Public Key Cryptography
- Diffie and Hellman, 1976
- All users get a public key and a private key
- Public key is published
- Private key is not known to anyone else
- If Alice has a packet to send to Bob,
- She encrypts the packet with Bobs public key
- Bob uses his private key to decrypt Alices
packet - Private key linked mathematically to public key
- Difficult to derive by making it computationally
infeasible (RSA) - Pros more security, convenient, digital
signatures - Cons slower
86Digital Signatures
- Hashing function hard to invert, e.g. MD5, SHA
- Apply private key to hash (decrypt hash)
- Called signature block
- Receiver uses senders public key on signature
block - E(D(x)) x should work (works for RSA)
87Authentication
- Establish the identity of user/machine by
- Something you know (password, secret)
- Something you have (credit card, smart card)
- Something you are (retinal scan, fingerprint)
- In the case of an OS this is done during login
- OS wants to know who the user is
- Passwords secret known only to the subject
- Simplest OS implementation keeps (login,
password) pair - Authenticates user on login by checking the
password - Try to make this scheme as secure as possible!
- Display the password when being typed? (Windows,
UNIX)
88Salting Example
- If the hacker guesses Dog, he has to try Dog0001,
- UNIX adds 12-bit of salt
- Passwords should be made secure
- Length, case, digits, not from dictionary
- Can be imposed by the OS! This has its own
tradeoffs
89One time passwords
- Password lasts only once
- User gets book with passwords
- Each login uses next password in list
- Much easier approach (Lamport 1981)
- Uses one-way hash functions
- User stores Server stores
- uid, passwd uid, n, m, H hm(passwd)
-
- nn-1
- S hn(password)
- if(hm-n(S) H)
- then mnHSaccept
- else reject
uid
n
S
90Security Attacks Defenses
- Attacks
- Trojan Horses
- Login spoofing
- Logic bombs
- Trapdoors
- Buffer overflows
- Viruses, worms
- Denial of Service
- Defenses
- Virus Scanners
- Lures
- Intrusion Detection
91Mobile Code Protection
- Can we place extension code in the same address
space as the base system, yet remain secure ? - Many techniques have been proposed
- SFI
- Safe interpreters
- Language-based protection
- PCC
92Encoding Security
- Depends on how a system represents the Matrix
- Not much sense in storing entire matrix!
- ACL column for each object stored as a list for
the object - Capabilities row for each subject stored as list
for the subject
93Protecting Capabilities
- Prevent users from tampering with capabilities
- Tagged Architecture
- Each memory word has extra bit indicating that it
is a capability - These bits can only be modified in kernel mode
- Cannot be used for arithmetic, etc.
- Sparse name space implementation
- Kernel stores capability as objectrightsrandom
number - Give copy of capability to the user user can
transfer rights - Relies on inability of user to guess the random
number - Need a good random number generator
94Protecting Capabilities
- Kernel capabilities per-process capability
information - Store the C-list in kernel memory
- Process access capabilities by offset into the
C-list - Indirection used to make capabilities unforgeable
- Meta instructions to add/delete/modify
capabilities
95Protecting Capabilities
- Cryptographically protected capabilities
- Store capabilities in user space useful for
distributed systems - Store ltserver, object, rights, f(object, rights,
check)gt tuple - The check is a nonce,
- unique number generated when capability is
created - kept with object on the server never sent on the
network - Language-protected capabilities
- SPIN operating system (Mesa, Java, etc.)
96Capability Revocation
- Kernel based implementation
- Kernel keeps track of all capabilities
invalidates on revocation - Object keeps track of revocation list
- Difficult to implement
- Timeout the capabilities
- How long should the expiration timer be?
- Revocation by indirection
- Grant access to object by creating alias give
capability to alias - Difficult to review all capabilities
- Revocation with conditional capabilities
- Object has state called big bag
- Access only if capabilitys little bag has sth.
in objects big bag
97Why Distributed Systems?
- Resource sharing
- Computational speedup
- Reliability
98Happens-Before
- Define a Happens-before relation (denoted by ?).
- 1) If A and B are events in the same process, and
A was executed before B, then A ? B. - 2) If A is the event of sending a message by one
process and B is the event of receiving that
message by another process, then A ? B. - 3) If A ? B and B ? C then A ? C.
99Partial Ordering
Pi -gtPi1 Qi -gt Qi1 Ri -gt Ri1
R0-gtQ4 Q3-gtR4 Q1-gtP4 P1-gtQ2
100Impossibility of Consensus
- Network characteristics
- Synchronous - some upper bound on
network/processing delay. - Asynchronous - no upper bound on
network/processing delay. - Fischer Lynch and Paterson showed
- With even just one failure possible, you cannot
guarantee consensus. - Essence of proof Just before a decision is
reached, we can delay a node slightly too long to
reach a decision. - Real world solutions
- Paxos, Randomized Consensus (P1 is good enough)
101Good luck!