VIRTUAL MEMORY AND VIRTUAL OPERATING SYSTEMS

Course Code: CSCI-620
Course Description: OPERATING SYSTEMS SECURITY
Session: 1
Lecture Unit: CSN1
Topic: Windows virtual memory management
Author: Prof. Bill Mihajlović
Year: 2011/2012

Dr. R.A. Mihajlovic, 2012. Reproduction in any shape or form is prohibited.

Topics
- Introduction
- Physical & virtual memory
- Swap space
- Virtual memory adjustment
- Single program virtual memory
- Removing swap paging file (PF)
- Tracking swap PF percentage usage
- OS limits on physical memory usage

Dr. R. A. Mihajlovic, 2012 CSCI-620 Operating Systems Security

Virtual Memory
- A virtual memory system has hard drive space acting like a background memory extension.
- Functions of the Virtual Machine Manager (VMM):
  - Stores virtual memory extension capacity in a file called a swap file
  - Moves 4KB pages into and out of physical RAM frames
- Disk thrashing is a problem caused by small RAM and excess memory paging with many programs loaded.
- Settings you can change in the Virtual Memory dialog box:
  - Minimum and maximum file size
  - The location of the swap file (Win386.swp)
- Swap files (UNIX swap partition) can be placed on a compressed drive/volume.

Physical memory
- A single program instruction on an Intel 386 or later CPU can address up to 4GB of physical memory, using its full 32 bits.
  2^32 = 4294967296 = 4G
- This is normally far more than the total installed system board physical memory (RAM+ROM) of the machine. (Not always.)

Exercise 1: Windows msinfo32 utility
- Run the standard Windows msinfo32.exe utility.
- System board memory is scattered all over the real memory map.

Question 1
Inspect the general screen on your system and determine the following parameters:
- Total physical memory?
- Available physical memory?
- What is the size of the total real memory map?

Question 2
Inspect the general screen on your system and determine the following parameters:
- Total virtual memory?
- Available virtual memory?

Virtual and physical memory
- Virtual memory is a hardware-software computer subsystem that enables programs to run in a memory address space whose size and addressing are not necessarily tied to the physical memory.
- When the total size and addressing of the process exceeds the available physical memory, the CPU will swap data to the hard drive and back.

Question 3
Inspect the general report screen of the msinfo32 utility shown below and answer the following questions:
- Is total physical memory larger here than the total virtual memory parameter?
- Does it sound like a paradox?

Question 4
Inspect the general screen on your system and determine the following parameters:
- Total swap page file space size?
- Name and location of the swap page file?

Windows swap page file
- Only those parts of the program and data that are currently in active use need to stay loaded in physical memory.
- Other program parts not immediately needed are held in a:
  - swap file (as it's called in Windows 95/98/ME: Win386.swp), or
  - page file (in Windows NT versions including Windows 2000 and XP: pagefile.sys).

Swap storage space
- If there is pressure on space in physical memory, then parts of code and data that are not currently needed can be temporarily paged out in order to make room.
- The page file can be seen as an overflow area to make the RAM behave as if it were larger than it is.

Exercise 2: Swap file
- The XP page file is a hidden file, pagefile.sys. It is regenerated at each boot.
- Show a screenshot of your system page file.
- Folder Options, View: set to Show Hidden and System files, and not to Hide Protected mode System files.

Question 5
- An attack that starts an endless number of concurrent programs with large data segments could inflate swap space and consume free storage space. Does such an attack appear as a denial of service (DoS) attack? What services would be denied with such an attack?
- Windows pagefile.sys growth is limited. What is the maximum swap page file size allowed on your system?

Page fault interrupt
- When a program tries to access an address that is not currently in physical memory, it generates an interrupt called a Page Fault.
- The page fault requests the VM subsystem to retrieve the 4 KB page containing the faulting address:
  - from the swap page file, or
  - possibly from the original program file.
- This valid page fault normally happens quite transparently (invisibly from the user's point of view).

Program code and data
- At run time, one program's code and data may be distributed and located:
  - In physical memory, loaded as CS and DS,
  - On the swap storage space (most likely parts of DS), and
  - On the original file system storage space (most likely unloaded parts of CS).
- Only one portion is loaded in physical memory.

Program virtually loaded
- VM creates an illusion of having the entire program loaded and available to the CPU:
  - The program is virtually loaded, or
  - The program is loaded into virtual memory.
- The program executes in virtual memory.

Question 3 paradox
- Consider N programs virtually loaded, using physical memory for N code and data segments CS_i, DS_i, i = 1, 2, 3, ..., N.
- The global capacity of virtual memory space is much larger than the parameter Total Virtual Memory (2GB).
- Total Virtual Memory is available just to one program out of N concurrently virtually loaded and executing.

Virtual memory capacity
- Virtual memory global capacity is limited by the number N of programs that can be concurrently executing.
- It is equal to the sum of:
  - Physical memory available for execution of N programs CS_i, DS_i, i = 1, 2, 3, ..., N,
  - Swap space size, and
  - Size of all running program file portions that have not yet been physically loaded.
- Virtual memory global capacity may easily be tens of GB in size.

Exercise 3: VM problems & tuning
- Sometimes the system has too many programs running at once (too many concurrent processes).
- The system just does not have enough free physical memory.
- Swap space is full and no more programs can be loaded.

Question 6
What is the reason for the following Windows message: "Windows - Virtual Memory Minimum Too Low!"

Adjusting-tuning VM parameters
- Start the sysdm.cpl utility.

Adjusting-Tuning VM parameters

Swap space modification
- Modify the maximal VM size from 4092MB to 8GB.
- The paging file represents VM supporting storage swap space.
- If physical memory cannot be added, the swap space limit can be increased.

Swap space modification
- The recommended page file initial size is 1.5 times the size of the physical memory (RAM) installed.
- The maximum size is 3 times physical memory.

Performance hint
- To keep the page file from resizing, fragmenting and eventually slowing down access to it, specify the same amount for both the initial and maximal values.
- You'll have to reboot in order for the changes to take effect.

Removing swap paging file
- To delete a paging file, set both initial size and maximum size to zero, or click No paging file.
- Microsoft recommends that you do not disable or delete the paging file.

Question 7
Can the swap page file be placed on any drive: C:, D: or E:?

Non-Paged Area
- The Non-Paged area holds the parts of the Windows XP OS code and data which are so important that they must always be memory resident and may never be paged out.
- It mainly contains core code of the system, which is not likely to contain serious faults.

Non-Paged Area
- In case of a serious OS attack and kernel damage, a blue screen referring to PAGE FAULT IN NON-PAGED AREA probably indicates a serious problem.
- If such faults arise when you have recently installed or updated something, try uninstalling it.

Windows STOP message
- STOP messages literally mean the Windows OS has crashed (has stopped!).
  0x00000050: PAGE_FAULT_IN_NONPAGED_AREA
- STOP messages are identified by an 8-digit hexadecimal number, but are also commonly written in a shorthand notation; e.g., a STOP 0x0000000A may also be written STOP 0xA.

Windows VM working set
- Working set size W of a program translates into the number of memory pages (4kB/page) of the application process that are being kept loaded and resident in real memory.
  W 100%
- When the entire program image is resident in physical memory, all pages are loaded and the working set is W=100%.

Inspecting program's memory
- When trying to investigate problematic behavior of a running program, inspecting memory behavior may be a good idea.

Windows memory usage
- To monitor memory usage in Windows servers, use the "Mem Usage" statistic in the Task Manager.
- This statistic measures the working set size.
- "Mem Usage" is NOT a measure of overall memory usage (only per program usage).

VM program size
- If overall memory usage needs to be checked periodically, use the "VM Size" column in the Task Manager.
- To view the "VM Size" column, make sure "Processes" is selected.

Task manager
- Click on the "View" menu and choose "Select Columns".
- A dialog box will appear in which "VM Size" will be an option.

VM size and page usage history
- Check your system.

Exercise 5: Using system monitor
- Inspect how much page file (PF) your system uses.
- You should first find out how much memory you're using, and how much of it is on your disk.
- One accurate way is by monitoring the %Usage Peak counter in the System Monitor tool (the peak usage of the page file instance in percent).

Monitoring page file usage
- Open the Performance console from the Administrative Tools.

Monitoring page file usage
- Add a new counter.

Monitoring page file usage
- Browse the list of performance system objects and select Paging File.

Question 8: Monitoring page file usage
What system parameters are monitored now?
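
The page file figures read from the sysdm.cpl dialog and from the Paging File counter in the slides above can also be collected by a script, which is useful for spotting page file growth of the kind Question 5 describes. The following PowerShell is an added example, not part of the original lecture; it assumes a Windows version with PowerShell 3.0 or later (newer than the XP systems in the slides), and $WarnPercent is a hypothetical alert threshold.

```powershell
# Added example (not from the lecture). Assumes PowerShell 3.0+ for Get-CimInstance.
# $WarnPercent is a hypothetical alert threshold chosen for illustration.
param([int]$WarnPercent = 80)

# Installed RAM and the lecture's sizing guidance: initial 1.5 x RAM, maximum 3 x RAM.
$ramMB      = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
$recInitial = [math]::Round($ramMB * 1.5)
$recMaximum = $ramMB * 3

# Manually configured page files. Nothing is returned when Windows manages the
# size for all drives itself or when no paging file is configured.
$settings = @(Get-CimInstance Win32_PageFileSetting)
if ($settings.Count -eq 0) {
    Write-Warning 'No manual page file setting found (system-managed size or no paging file).'
}
$settings | ForEach-Object {
    [pscustomobject]@{
        PageFile     = $_.Name
        InitialMB    = $_.InitialSize
        MaximumMB    = $_.MaximumSize
        RecInitialMB = $recInitial
        RecMaximumMB = $recMaximum
        # Performance hint from the lecture: initial and maximum set to the same value.
        # A pair of zeros means the size is system-managed, so it does not count as fixed.
        FixedSize    = (($_.InitialSize -gt 0) -and ($_.InitialSize -eq $_.MaximumSize))
    }
} | Format-Table -AutoSize

# Allocated size, current use and peak use of each active page file (all in MB).
$usage = Get-CimInstance Win32_PageFileUsage | ForEach-Object {
    $peakPct = 0
    if ($_.AllocatedBaseSize -gt 0) {
        $peakPct = [math]::Round(100 * $_.PeakUsage / $_.AllocatedBaseSize, 1)
    }
    [pscustomobject]@{
        PageFile    = $_.Name
        AllocatedMB = $_.AllocatedBaseSize
        CurrentMB   = $_.CurrentUsage
        PeakMB      = $_.PeakUsage
        PeakPercent = $peakPct
    }
}
$usage | Format-Table -AutoSize
$usage | Where-Object { $_.PeakPercent -ge $WarnPercent } | ForEach-Object {
    Write-Warning "$($_.PageFile): peak usage $($_.PeakPercent)% is at or above $WarnPercent%."
}

# The System Monitor counter from Exercise 5. Counter paths are localized, so this
# path only resolves on English-language Windows.
(Get-Counter '\Paging File(*)\% Usage Peak').CounterSamples |
    Select-Object InstanceName, @{ Name = 'UsagePeakPercent'; Expression = { [math]::Round($_.CookedValue, 1) } }
```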

Question 9
What is your PF usage peak [%]?

Question 10
Search the Web and find out why Windows XP x32 cannot use and report more than 3.5GB of physical memory.
Try: http://www.geek.com/articles/chips/windows-xpmaximum-memory-2001102/

Question 11
Problem: My Task Manager shows I have 2.99 GB of physical memory when I just installed 2 2GB sticks in my notebook. How can I get it back?

OS Memory Addressing Limits
- Windows programs are stuck with a 2 GB per program virtual memory limit due to the way the OS handles virtual memory.
- The 2 GB limit is not a physical processor limit, but rather an implementation-in-Windows limit.
- Windows XP x64 Professional does not have that limit. It supports 128 GB of RAM and 16 terabytes of virtual memory address space, as compared to the theoretical 4 GB of both physical RAM and virtual memory address space for 32-bit Windows XP Professional.

Exercise 6: Logging PF usage
- Download the custom PF usage logger utility: http://billsway.com/notes_public/winxp_tweaks/

WinXP page file monitor utility
- Save and un-archive the utility.

Page file settings
- Read the text file and test each program.
- Get your page file settings.

Utility desktop helpers
- Install the two desktop helpers.
- Test both programs.

Question 12
a) What is your exact PF size?
b) What is your exact peak PF usage?

Page file log data inspection
- View the PF data log.
- Repeat the activity from the previous slide and this one.

Homework
Describe the purpose and function of the following standards and government bodies:
- The National Information Assurance Partnership (NIAP) is a U.S. Government initiative
- National Institute of Standards and Technology (NIST), and
- National Security Agency (NSA).

Homework
- Download the tool: http://www.grc.com/securable.htm
- Verify whether your hardware platform supports hardware/full virtualization.
- Present the tool printout.

Homework
- Export the tool printout to the internal buffer, then paste it into NOTEPAD.EXE and copy it to your homework.

The End