[cap-talk] MMP vs segmentation
david.nospam.hopwood at blueyonder.co.uk
Sun Nov 21 19:48:51 EST 2004

David Hopwood wrote:
>> At 01:37 PM 11/17/2004, Wes Felter wrote:
>>> Consider Mondriaan memory protection:
> I've only skimmed the papers, but it seems to me that MMP is a fairly
> straightforward segmented memory architecture with word-granularity

I oversimplified here. Actually the abstraction provided by MMP, while
technically sufficient for security, is not really what you want for
reliability, performance, or simplicity of implementing an OS or secure

In MMP, pointers are not (selector, offset) pairs; the address space is
linear (ignoring effects of any other segmentation or paging mechanisms).
The information held by the system is essentially the same as in a
segmented memory system, but MMP does not do the bounds checks that
a segmented system would do on pointer indexing; for example adding an
integer to a pointer can skip over a range of addresses not accessible to
the current protection domain.

This would make MMP less efficient than a segmented memory architecture
(a hypothetical one that supported enough word-granularity segments to
access as many objects as needed, not a wimpy one like on a 386+) for
implementing memory-safe languages, because the compiler would still have
to insert bounds-checks.

MMP could be used to ensure that each access is at *some* address
accessible to the current protection domain, even though it may be in
the wrong array/object of the high-level language. This does allow the
compiler to be less-trusted. However, even though an MMP system in
principle has all the information needed to do bounds checks in parallel
with memory accesses, you don't obtain that performance benefit, and must
duplicate information about array/object bounds at user level and kernel
level -- what a waste!

In addition, MMP requires more complex/expensive hardware than segmentation
because it requires a lookaside buffer to cache information from the
protection table, whereas in a segmented architecture the location of a
segment descriptor is obtained immediately from the selector.

David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
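
Added example, not part of the original message: a toy C model of the difference described above, where an index applied to one array skips an inaccessible range and lands in a different accessible object. The region table, word addresses and the function names mmp_check and seg_check are constructed for illustration and do not model real MMP hardware or any real segment descriptor format.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed toy model: word addresses in one linear address space. */
typedef struct { uint32_t base, len; bool accessible; } region_t;

/* Protection table for one domain (constructed sample data):
   array A at words 100..109, a range the domain cannot touch at 110..119,
   and an unrelated object B at words 120..129. */
static const region_t table[] = {
    {100, 10, true},   /* A */
    {110, 10, false},  /* another domain's data */
    {120, 10, true},   /* B */
};
enum { NREGIONS = sizeof table / sizeof table[0] };

/* Linear-address check: is the final address in *some* accessible region?
   It sees only the address, not which object the pointer was derived from. */
bool mmp_check(uint32_t addr) {
    for (size_t i = 0; i < NREGIONS; i++)
        if (addr >= table[i].base && addr - table[i].base < table[i].len)
            return table[i].accessible;
    return false; /* not covered by the table */
}

/* Segment-style check: the pointer is (selector, offset); the selector
   names the descriptor directly and the offset is checked against it. */
bool seg_check(uint32_t selector, uint32_t offset) {
    if (selector >= NREGIONS || !table[selector].accessible)
        return false;
    return offset < table[selector].len;
}

int main(void) {
    const uint32_t idx[] = {5, 12, 25}; /* indices applied to array A */
    for (size_t i = 0; i < 3; i++)
        printf("A[%u]: linear=%d segmented=%d\n", (unsigned)idx[i],
               mmp_check(table[0].base + idx[i]), seg_check(0, idx[i]));
    return 0;
}
```

Index 25 is the case of interest: the linear check accepts it because word 125 belongs to B, so a compiler for a memory-safe language would still need its own bounds check on A.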