Memory Protection from the CPU: How Does It Work?

Programs make requests to memory continuously, since they instruct the hardware not only to process data but also to change it, create new data, delete existing data, and so on. But there are sections of memory that, if a program accesses them, can end up disrupting the general functioning of the system. Preventing that access is what we call memory protection.

At a certain point in their evolution, CPUs began to implement memory protection systems that separated the addressing of RAM into several sections. To understand it, imagine a city with a neighborhood reserved for exclusive use and a police force that keeps out anyone who is not allowed to use it, the privileged citizens being all the processes of the operating system.


Why is memory protection necessary?

Memory protection became necessary in PC CPUs as soon as multitasking environments appeared, in which several programs take turns sharing access to memory. The early years of computing were dominated by single-task programs that also performed the role of the operating system themselves, especially on 8- and 16-bit home computers based on the MOS 6502 and Z80A.


A famous case of the lack of memory protection in the CPU is the classic Commodore Amiga, whose versions based on the standard 68K used to suffer continuous crashes from running a multitasking OS on a CPU without memory protection, as also happened with the Apple Macintosh using the same processor.

Today all CPUs incorporate memory protection, since they have to run highly complex multitasking operating systems where the number of simultaneous processes is in the thousands.

How does memory protection work?


In contemporary CPUs, memory protection is carried out by the processor itself, in order to save developers headaches. Every CPU has stored in a series of registers the so-called Page Table, which tells it how the system memory is organized. The Page Table is used not only to translate virtual memory addresses to physical ones, but also to indicate which parts of memory are accessible to applications and which are not.

When an application accesses a part of memory that it is not allowed to access, the CPU generates an interrupt that hands control to the operating system. From there, what happens depends on how the response has been implemented at the software level. The operating system may decide to unilaterally shut down the program and all its processes.

Keep in mind that the Page Table holds not only the information on how memory is organized and which parts require privileged access, but also the state of the RAM at all times. It is managed by a kernel thread of the operating system, which is in charge of assigning the different resources to the active programs, whether in the form of CPU execution time or memory access.

Vetoing programs


From the point of view of all current CPUs, RAM is divided into pages rather than individual memory addresses, and these are translated into physical memory addresses by the memory management unit. But what happens when a part of a program makes an illegal access to memory? We have explained the process before, but to keep the CPU from entering an absurd loop, a bit in the virtual address is used to mark that the binary stored there is not a program but data.

That way, when the CPU returns to these virtual memory addresses, it no longer treats them as a program, but as a set of data that it ignores. Obviously, if there is a program with a jump instruction to that memory address then an error will occur, but the code that was trying to access the RAM will no longer be executed.


On x86 CPUs this bit is called the No-Execute or NX bit. It is a very simple security measure that the operating system can handle, but it is not the only one an operating system has to prevent the execution of invalid code. That said, the protection mechanism does not always work, and there are other mechanisms with which the CPU hides the protected memory from applications.

For example, the operating system assigns itself an exclusive access bit for all its threads. When an application without its privileges is given access to the protected RAM by a change to the access bit, the OS reverts that bit by manipulating the section of the Page Table that corresponds to the applications.
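The permission check described in this section, as an added example (not code from the original article): a simplified model of how an x86-64 CPU evaluates the present, writable, user and NX bits of one page-table entry, and which page-fault error code it reports to the operating system. `check_access`, the sample entries and their frame addresses are constructed for illustration; the model assumes EFER.NXE and CR0.WP are set and ignores SMEP/SMAP and the multi-level table walk.

```c
#include <stdint.h>
#include <stdio.h>

/* x86-64 page-table-entry permission bits. */
#define PTE_P  (1ULL << 0)   /* present */
#define PTE_RW (1ULL << 1)   /* writable */
#define PTE_US (1ULL << 2)   /* reachable from user mode */
#define PTE_NX (1ULL << 63)  /* no-execute */

/* Bits of the error code the CPU hands to the OS page-fault handler. */
#define PF_PROT  (1u << 0)   /* set: protection violation; clear: not present */
#define PF_WRITE (1u << 1)
#define PF_USER  (1u << 2)
#define PF_FETCH (1u << 4)   /* fault came from an instruction fetch */

enum access { ACC_READ, ACC_WRITE, ACC_EXEC };

/* Constructed sample entries (frame addresses are made up). */
#define KERNEL_DATA (0x100000ULL | PTE_P | PTE_RW | PTE_NX)
#define USER_CODE   (0x200000ULL | PTE_P | PTE_US)
#define USER_DATA   (0x300000ULL | PTE_P | PTE_US | PTE_RW | PTE_NX)

/* Hypothetical helper: -1 if the access is allowed, otherwise the error code.
 * Simplified to one entry; assumes EFER.NXE=1 and CR0.WP=1, ignores SMEP/SMAP. */
int check_access(uint64_t pte, enum access acc, int user_mode)
{
    unsigned err = 0;
    if (acc == ACC_WRITE) err |= PF_WRITE;
    if (acc == ACC_EXEC)  err |= PF_FETCH;
    if (user_mode)        err |= PF_USER;

    if (!(pte & PTE_P))
        return (int)err;                       /* not-present fault */

    int denied = (user_mode && !(pte & PTE_US))
              || (acc == ACC_WRITE && !(pte & PTE_RW))
              || (acc == ACC_EXEC && (pte & PTE_NX));
    return denied ? (int)(err | PF_PROT) : -1;
}

int main(void)
{
    printf("user exec  user data  : %d\n", check_access(USER_DATA, ACC_EXEC, 1));
    printf("user read  kernel data: %d\n", check_access(KERNEL_DATA, ACC_READ, 1));
    printf("user write user code  : %d\n", check_access(USER_CODE, ACC_WRITE, 1));
    printf("user exec  user code  : %d\n", check_access(USER_CODE, ACC_EXEC, 1));
    return 0;
}
```

The returned error code is what lets the operating system tell a blocked instruction fetch from a data page apart from an ordinary bad read or write before it decides whether to terminate the program.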

How does the CPU get the Page Table?


The first program to run on a PC, whatever form factor it has, is the operating system. Some more complex systems load a preliminary system that powers up the hardware and passes the baton to the OS in a disguised manner. This process does not depend on the hardware, but all hardware has a memory address where it begins, and from there it travels through memory in one direction or the other depending on whether we are dealing with a Big Endian or Little Endian CPU.

Therefore, these memory addresses must hold the information needed to start the PC, which today is the UEFI but in the beginning was the BIOS, and which acts as an opening act for the operating system. But where does the operating system get the state of the RAM? It does so through two tables stored inside the motherboard chipset, called ACPI tables.


ACPI is the first mechanism in charge of managing the memory accesses of the peripherals and also the organization of the RAM. To do this, it delivers two tables to the operating system, both of which have the same function. These tables are:

  • RSDT (Root System Descriptor Table).
  • XSDT (Extended Root System Descriptor Table).

If the operating system is 32-bit, it is given the RSDT; if it is 64-bit, the XSDT. From there, the operating system has everything it needs to manage memory access together with the processor.

The operating system is monarch


In memory addressing there is a series of bits that applications cannot use and that are completely off limits to them. In reality, requests for hardware resources are not made by the applications themselves, but by the operating system. So no application can touch the bit that disables access to protected memory without permission from the operating system itself.

This causes a series of problems for memory access in virtualized systems, which makes it necessary to add additional bits to the virtual memory addressing. These bits indicate to the CPU a special privilege level for the applications that run in a virtual machine.

For this to work, not only must the CPU be equipped with this capability, but the way the operating system is organized is affected as well. Operating systems in the cloud usually run under a hypervisor, which is responsible for managing access to RAM for the different virtual machines.