Kernel 2: Virtual memory

Overview

In lecture, we discuss virtual memory.

Goals: Kernel isolation and process isolation
- Kernel always retains full privilege over machine operations
- Process interactions restricted by operating system policy
Why does kernel isolation require an instruction like syscall?

Must prevent processes from jumping to arbitrary locations in the kernel
Must prevent processes from accessing or modifying kernel memory
- Modification would allow controlling kernel code
- Access could be used to steal secrets

How would you implement a processor feature that hid some memory from unprivileged processes?
Assume the processor has a register that indicates privilege
- On x86-64, the lower 2 bits of %cs represent privilege: 0 means privileged, 3 means unprivileged

Processor accesses memory through a layer of indirection called virtual memory
Virtual memory mapping function \mathscr{P} : \textit{VA} \times \textit{Priv} \mapsto \textit{PA} + \textit{Fault}
- The addresses used by instructions are virtual addresses in VA
- The contents of memory chips are addressed by physical addresses in PA
- When an instruction accesses virtual address a, the processor accesses physical address \mathscr{P}(a, \textit{curpriv}())

Start with an identity mapping
- \forall a: \mathscr{P}(a, \textit{priv}) = a
Change it to fault if an unprivileged process accesses kernel memory
- \forall a \in \textit{Kernel}: \mathscr{P}(a, \text{UNPRIV}) = \text{FAULT}

How would you represent a mapping function?
Constraint: Every memory access uses the mapping function
- Performance sensitive!
Speed up lookups by through caching
- The results of one lookup should apply to nearby addresses too

Divide virtual and physical memory into aligned pages
- x86-64: size 2¹² = 0x1000 = 4096
Every address within a page is looked up the same way
Let p be a page address (a multiple of 2¹²), and 0 \leq o < 2^{12}
Then \mathscr{P}(p + o, \textit{priv}) = \mathscr{P}(p, \textit{priv}) + o
- If fault, then both fault the same way