Transcript Win32 Programming

Secure Operating Systems
Lesson 5: Shared Objects
Where are we?


We have got more of the fundamental security
structures of our OS in our heads
But now we have to face a real challenge:
shared objects
The OS doesn’t HAVE TO…



I’ve used that heading before, but it’s true
There’s no requirement for our OS to support
sharing between users and processes… but it
sure comes in handy
Once again, we have a tension between
performance and security
Two Parts of the Problem


Sharing actual information
Synchronizing between threads and/or
processes
Peterson’s Solution

Two shared variables:


int turn;
boolean flag[2]
Code:

flag[i] = TRUE;
turn = j;
while (flag[j] && turn == j);
// Do Critical Section
flag[i] = FALSE;
Peterson’s Solution II
PROCESS 0
 flag[0] = TRUE;
turn = 1;
while(flag[1] &&
turn == 1);
// Critical Section
flag[0] = FALSE;
PROCESS 1
 flag[1] = TRUE;
turn = 0;
while(flag[0] &&
turn == 0);
// Critical Section
flag[1] = FALSE;
Hardware Support



The challenge of disabling interrupts is that it’s
expensive
Many OS provide a hardware “test and set”
instruction, which allows atomic access to a
chunk of memory
Swap:
void Swap(boolean *a, boolean *b) {
boolean temp = *a;
*a = *b;
*b = temp;
}
Implemented as…


do {
key = TRUE;
while (key == TRUE)
swap(&lock, &key);
// Critical Section
lock = FALSE;
} while (TRUE);
Mutual-exclusion with Swap…
Semaphores



wait(S) {
while (S <= 0); //nop
S--;
}
signal(S) {
S++;
}
This really looks like a spinlock…
Semaphores

wait(semaphore *S) {
S->value--;
if (S->value < 0) {
add this proc to S->list;
block(); // SLEEP
}
} // This will halt until we own the semaphore
Deadlocks

P0


wait(S);
wait(Q);
…
signal(S);
signal(Q);
P1

wait(Q);
wait(S);
…
signal(Q);
signal(S);
Priority Inversion




Imagine we have three procii , L, M and H,
where L is Low Priority, M, medium, and H,
High
L is holding a resource which is blocking H, but
gets swapped out for M
This is known as Priority Inversion… and it’s a
real problem!
Probably we should talk about different
scheduling approaches
Mars Sojourner





Long running, medium priority Comms task
Low priority weather task
High priority information bus thread
Low priority wx task acquires a mutex for the
bus… gets interrupted by the Comms task (long
running), blocking the high priority bus thread…
tada! Priority Inversion
Can be a security issue too!

Can be solved by priority inheritance
Atomicity




Making sure something is atomic is pretty easy
on a single core system
On a more complex system it can get REALLY
hard
One approach is transactional memory – move
the problem to the memory not the programmer
None of this has even touched on how we
SHARE information between processes…
Race Conditions


Poor synchronization can lead to race
conditions – a subset of which is called
TOCTOU
Race conditions arise from interdependence
that is unrealized or incorrectly implemented
Things to Do

Read “An Investigation of the Therac-25
Accidents”, Nancy Leveson, Clark S. Turner
Questions & Comments

What do you want to know?