[<< wikibooks] Security Architecture and Design/Computer Systems Architecture
==  ==
A computer system consists of different types of components like hardware, software,operating systems and firmware.
The most important and common components being

Hardware Components like: CPU, Storage Devices, I/O Devices, Communication Devices
Software Components like: Operating Systems, Application Programs

=== Central Processing Unit (CPU) ===

CPU is the brain of the computer.
It fetches the instructions from memory and executes them
Each CPU type has its own instruction set and architectureCPU Components

Registers: are temporary storage locations that can store references to memory locations, next instruction to be executed etc and also enable the CPU to keep its status information.
Arithmetic Logic Unit (ALU): performs the actual execution of complex mathematical functions and logical operations on data.
Control Unit: manages and synchronizes the system while different applications code and OS instructions are being executed. It fetches the code,interprets the code and oversees the execution of the different instruction sets.It determines what application instructions get processed and in what priority and time slice. It controls when instructions are executed, and this execution enables applications to process data.
General registers: are used to hold variables and temporary results as the ALU works through its execution steps.
Special registers: (dedicated registers) hold information such as the program counter, stack pointer, and program status word (PSW)
Program counter (PC): register contains the memory address of the next instruction that needs to be fetched
Program status word (PSW): holds different condition bits. One of the bits indicates whether the CPU should be working in user mode (also called problem state) or privileged mode (also called kernel or supervisor mode).
Stack pointer: directs the CPU where the next piece of data is located.
Address bus: is a hardwired connection to the RAM chips in the system and the individual (I/O) devices. It is used by the CPU to indicate the location of the instructions that need to be processed.
Data bus: is used by the memory or I/O device in response to CPU request for sending the data that resides at the requested location.

=== Storage ===

A storage device is a hardware device capable of storing data.
Storage devices can be classified into 3 categories
Primary Storage or Memory: which are directly accessible to the CPU like Cache Memory (L1,L2,L3),Main Memory (RAM)
Secondary Storage: Which are permanent storage devices like Hard Disks, Floppy Disks, CDs, DVDs, flash memory, ZIP drives etc.
Tertiary Storage : TapesRandom Access Memory

RAM stores data and program instructions temporarily by the operating system and application programs.
It is described as volatile because if the computer’s power supply is terminated, then all information within this type of memory is lost.
RAM Types
Dynamic RAM- uses capacitors which have to be refreshed periodically to hold the data, slow.
Synchronous DRAM (SDRAM)- timing of the CPU and the timing of the memory activities are synchronized. can access only one block at a time.
Extended data out DRAM (EDO DRAM)- can capture the next block of data while the first block is being sent to the CPU for processing, faster than SDRAM.
Burst EDO DRAM (BEDO DRAM)- Build on top of EDO DRAM.It reads and sends up to four memory addresses in a small number of clock cycles.
Double data rate SDRAM (DDR SDRAM)- Carries out read operations on the rising and falling cycles of a clock pulse. speed is twice of SDRAM
Static RAM- uses more transistors, faster than DRAM,expensive, used in cache.Read Only Memory

ROMs are non-volatile memories.the instructions stored in these memories are called as firmware.
ROM Types
Programmable read-only memory (PROM)-can be programmed only one time after the manufacturing.
Erasable and programmable read-only memory (EPROM)- can be erased, modified,and upgraded.
Flash memory- a special type of memory that is used in digital cameras, BIOS chips, memory cards for laptops, and video game consoles. It is used more as a type of hard drive than memory.Cache Memory 

The cache memory is a smaller, faster memory which stores copies of the data from the most frequently used main memory locations.
Cache Levels
L1 Cache- located within the CPU
L2 Cache- located between the CPU and the main memory (RAM)
L3 Cache- can be an externally managed memory that has faster access time than RAM.
Cache Types
Prefetch Cache(P-Cache)- used to store data that has been brought in as a result of a prefetch operation
W-Cache - acts as a holding station for stored data.
Instruction Cache- used to store instructions.
Data Cache- stores data
Translation Look aside Buffer (TLB)- stores the translated addresses of virtual page address to a valid physical address.
Cache Organization- describes the organization of lines and the replacement policy
Direct Mapping- The (virtual or physical) memory address of the incoming cache line controls which cache location is going to be used.Suffers from thrashing.
Fully Associative- based on LRU policy where the LRU line is replaced.
Set Associative- uses several direct-mapped caches or set. A cache controller decides which set the line will go into. Within the set, a direct-mapped scheme is used to allocate a slot in the cache.Virtual Memory

Virtual memory is a logical memory that gives an application program the impression that it has a contiguous working memory.
A VM logically extends the capabilities of RAM by allocation a separate portion of the hard disk space called swap space.

=== Operating Systems ===

An operating system provides an environment for applications and users to work within.
It is responsible for managing the underlying hardware components,memory management, I/O operations, file system, process management, and providing system services
OS Architectures
Monolithic operating system architecture- mainly made up of various procedures that can call upon each other in a haphazard manner, provides single layer security only. For example, DOS.
Layered operating system- separates system functionality into hierarchical layers,provide data hiding, provides multilayer security. For example, Unix.
Layer 0 controlled access to the processor and provided multiprogramming functionality
Layer 1 carried out memory management
Layer 2 provided interprocess communication
Layer 3 dealt with I/O devices and
Layer 4 was where the applications resided
Microkernel Based- The OS functions are divided into several different processes that run in user mode, instead of kernel mode.The processes communicate in a C/S model.The server processes are called as subsystems and provide services to user process and other OS processes. For example, Windows 2000.Process Management

A process is a program in execution that is loaded and actuated by the OS.It contains a set of the instructions and the assigned resources.
When a process is created, the operating system assigns resources to it, such as a memory segment, CPU time slot (interrupt), access to system application programming interfaces (APIs), and files to interact with.
Process States: A process can run in running state (CPU is executing its instructions and data),ready state (waiting to send instructions to the CPU), or blocked state (waiting for input data, such as keystrokes from a user).
Process Table: A data structure that contains each individual process’s state, stack pointer, memory allocation,program counter, and status of open files in use.
Threads: A thread is a unit of program execution. conversely a process is a single thread of execution.A thread is made up of individual instruction set and the data that needs to be worked on by the CPU.All the threads of a process share the resources of the processes that created them.
Process Scheduling: governs the way different processes communication(or synchronize) between each other in order to overcome deadlock conditions.Memory Management

The main objectives of memory management is to
Provide an abstraction level for programmers
Maximize performance with the limited amount of memory available
Protect the operating system and applications loaded into memory
The memory manager has five basic responsibilities:
Swap contents from RAM to the hard drive as needed
Provide pointers for applications if their instructions and memory segment have been moved to a different location in main memory
Limit processes to interact only with the memory segments that are assigned to them
Provide access control to memory segments
Use complex controls to ensure integrity and confidentiality when processes need to use the same shared memory segments
Allow many users with different levels of access to interact with the same application running in one memory segment
Logical organization
Allow for the sharing of specific software modules, such as dynamic link library (DLL) procedures
Physical organization
Segment the physical memory space for application and operating system processesI/O Device Management

I/O devices are usually considered block or character devices.
A block device works with data in fixed-size blocks, each block with its own unique address. For example, disk drive .
A character device, such as a printer, network interface card, or mouse, works with streams of characters, without using any fixed sizes. This type of data is not addressable
There are different ways that operating systems can manage software I/O procedures.
Programmed I/O- the CPU sends data to an I/O device and polls the device to see if it is ready to accept more data. If the device is not ready to accept more data, the CPU wastes time by waiting for the device to become ready. very slow
Interrupt-driven I/O- the CPU sends a character/block over to the device and then goes and works on another process’s request. When the device is done with its job it sends an interrupt to the CPU. The CPU stops what it is doing, sends the next block/character and this continues until the entire job is processes by the device.lot of interrupt handling overhead.
I/O using DMA- A DMA controller feeds the characters from the memory to the device without bothering the CPU. This method is sometimes referred to as unmapped I/O.OS Protection Mechanisms

CPU Modes
CPU modes also called processor modes or CPU privilege levels,are operating modes for the central processing unit of some computer architectures that place restrictions on the operations that can be performed by the process currently running in the CPU. This design allows the operating system to run at different privilege levels like kernel mode, user mode, master mode etc.
Protection Rings
Protection Rings are concentric rings that provide strict boundaries and definitions for what the processes that work within each ring can access and what operations they can successfully execute.
The processes that operate within the inner rings have more privileges than the processes operating in the outer rings, because the inner rings only permit the most trusted components and processes to operate within them.
Protection rings support the availability, integrity, and confidentiality requirements of multitasking operating systems.
The most commonly used architecture provides four protection rings:
Ring 0 Operating system kernel
Ring 1 Remaining parts of the operating system
Ring 2 I/O drivers and utilities
Ring 3 Applications and user activity
Memory Protection
Limit processes to interact only with the memory segments that are assigned to them
Provide access control to memory segments
Process Isolation
Ensures that processes do not “step on each other’s toes," negatively affect each other’s productivity and thus communicate in an insecure manner.
Methods for process isolation:
Encapsulation of objects- no other process understands or interacts with the internal programming code of a process.
Time multiplexing of shared resources- allows processes to use the same resources on a time sharing basis.
Naming distinctions- different processes have their own name or identification value called as PID
Virtual mapping- Every process has its own virtual memory address space.
A domain is defined as a set of objects that a subject is able to access.
The domain can be all the resources a user can access, all the files available to a program, the memory segments available to a process, or the services and processes available to an application.
A process that resides in a privileged domain needs to be able to execute its instructions and process its data with the assurance that programs in a different domain cannot negatively affect its environment. This is referred to as an execution domain
The higher the level of trust, the larger the number of available resources or objects

=== Firmware ===

Firmware is a computer program that is embedded in a hardware device
Like software, it is a computer program which is executed by a microprocessor or a microcontroller. But it is also tightly linked to a piece of hardware, and has little meaning outside of it.BIOS

BIOS refers to the firmware code run by a personal computer when first powered on.
The primary function of the BIOS is to identify and initiate component hardware (such as hard disk, floppy and optical disk drives). This is to prepare the machine so other software programs stored on various media can load, execute, and assume control of the PC.This process is known as booting, or booting up, which is short for bootstrapping.ROM image

A ROM image, or simply ROM, is a computer file which contains a copy of the data from a read-only memory chip, often from a video game cartridge, a computer's firmware, or from an arcade game's main board.
The term is frequently used in the context of emulation, whereby older games or computer firmware are copied to ROM files on modern computers and can, using a piece of software known as an emulator, be run on the newer computer.

=== Virtual Machines ===

A virtual machine (VM) is a software implementation of a machine (computer) that executes programs like a real machine
An essential characteristic of a virtual machine is that the software running inside is limited to the resources and abstractions provided by the virtual machine -- it cannot break out of its virtual worldVM Categories

Virtual machines are separated in two major categories, based on their use and degree of correspondence to any real machine.
system virtual machine provides a complete system platform which supports the execution of a complete operating system.
process virtual machine is designed to run a single program, which means that it supports a single process.