Operating SystemsAddress Translation in Segmentation

Segmentation Address Translation

LevelIntermediate

Duration90 mins

TopicAddress Translation in Segmentation

3 / 5

Bounds Checking

The Guardian at the Gate

Every memory access in a segmented system must pass through a critical checkpoint: bounds checking. Before any data is read or written, before any instruction is fetched, the hardware asks a simple but vital question: Is this access within the legal range for this segment?

Bounds checking is the enforcement mechanism that transforms segmentation from a mere addressing scheme into a robust protection system. Without it, segments would be meaningless lines on a memory map—easily crossed, trivially violated. With it, segments become fortress walls that confine programs to their allocated territory, protecting the operating system, other processes, and the data integrity of the system as a whole.

What You Will Learn

By the end of this page, you will understand the precise mechanics of bounds checking, how it's implemented in hardware, the different checking strategies used across architectures, what happens when bounds are violated, and how this mechanism prevents entire classes of security vulnerabilities.

The Fundamental Bounds Check

At its core, bounds checking is a comparison operation that validates the offset against the segment's limit before allowing memory access to proceed.

The Core Validation:

Given:

Offset d (extracted from logical address)
Segment limit L (from segment table entry)
Access size s (number of bytes being accessed)

The bounds check must verify:

d + s ≤ L

Or equivalently, to avoid overflow:

d ≤ L - s

This ensures that every byte being accessed falls within the segment's boundaries. For a single-byte access, this simplifies to d < L (or d ≤ L depending on whether the limit is inclusive).

Properties of Bounds Checking

•Mandatory: Every memory access must pass bounds checking—there are no exceptions, no privileged bypasses (though the check may be faster for cached segments).
•Hardware-Enforced: The check is performed by the MMU hardware, not software. This makes it impossible for user programs to circumvent.
•Fast: The comparison is implemented as a simple magnitude comparator circuit, adding minimal latency to memory access.
•Precise: The check considers the full size of the access, catching violations at any byte within a multi-byte read/write.
•Non-Recoverable at User Level: A bounds violation cannot be 'fixed' by user code—it triggers a trap to the operating system.

Converting Mermaid diagram...

Limit Interpretation Matters

The exact comparison depends on architectural convention. Some systems define the limit as the segment SIZE (check: offset < limit), others as the LAST VALID OFFSET (check: offset ≤ limit). Intel x86 protected mode uses the latter—a segment of 4096 bytes has limit = 4095. Always verify the architecture's specification!

Hardware Implementation

Bounds checking must be blazingly fast—it happens on every memory access, and any delay directly impacts system performance. Hardware implementations achieve this through parallel comparison circuits that execute simultaneously with other translation steps.

Parallel Execution:

In a typical MMU, bounds checking occurs in parallel with the base address lookup:

Segment number is used to index the segment table
Limit value is read from the segment table entry
Offset is compared against limit (parallel comparator)
Base address is read from the segment table entry
If check passes, physical address = base + offset

Steps 3 and 4 happen simultaneously, so bounds checking adds no latency to the critical path when implemented correctly.

bounds_check_hardware.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
Bounds Checking Hardware Architecture:
 
┌────────────────────────────────────────────────────────────────┐
│                    Segment Translation Unit                     │
├────────────────────────────────────────────────────────────────┤
│                                                                 │
│   Logical Address ─────┬────────────────────┐                  │
│   [seg | offset]       │                    │                  │
│                        ▼                    ▼                  │
│              ┌─────────────────┐    ┌───────────────┐          │
│              │ Segment Number  │    │    Offset     │          │
│              │   Extraction    │    │  Extraction   │          │
│              └────────┬────────┘    └───────┬───────┘          │
│                       │                     │                  │
│                       ▼                     │                  │
│    ┌─────────────────────────────────┐      │                  │
│    │       Segment Table             │      │                  │
│    │  ┌─────┬───────┬────────┐      │      │                  │
│    │  │ Seg │ Base  │ Limit  │      │      │                  │
│    │  ├─────┼───────┼────────┤      │      │                  │
│    │  │  0  │0x1000 │  4096  │      │      │                  │
│    │  │  1  │0x5000 │  8192  │      │      │                  │
│    │  │  2  │0x9000 │  2048  │      │      │                  │
│    │  └─────┴───────┴────────┘      │      │                  │
│    └────────────┬──────────┬────────┘      │                  │
│                 │          │               │                  │
│                 ▼          ▼               │                  │
│   ┌─────────────────┐ ┌────────────────┐   │                  │
│   │   Base Value    │ │  Limit Value   │   │                  │
│   └────────┬────────┘ └───────┬────────┘   │                  │
│            │                  │            │                  │
│            │                  ▼            ▼                  │
│            │         ┌───────────────────────┐                │
│            │         │    COMPARATOR         │                │
│            │         │   offset + size ≤ L?  │                │
│            │         └──────────┬────────────┘                │
│            │                    │                             │
│            │     ┌──────────────┼──────────────┐              │
│            │     │              │              │              │
│            ▼     ▼              ▼              │              │
│     ┌─────────────────┐   ┌──────────┐        │              │
│     │     ADDER       │   │  Valid?  │        │              │
│     │  base + offset  │   │   Gate   │        │              │
│     └────────┬────────┘   └────┬─────┘        │              │
│              │                 │              │              │
│              └────────┬────────┘              │              │
│                       ▼                       ▼              │
│              ┌────────────────┐      ┌────────────────┐     │
│              │Physical Address│      │  Fault Signal  │     │
│              │ (if valid)     │      │  (if invalid)  │     │
│              └────────────────┘      └────────────────┘     │
│                                                              │
└──────────────────────────────────────────────────────────────┘
 
Timing: Comparison and addition happen IN PARALLEL.
The "valid gate" blocks the physical address if bounds check fails.

The Comparator Circuit:

A binary magnitude comparator determines if offset ≤ limit. For n-bit values, this requires O(n) gate delays in a ripple implementation, or O(log n) delays with carry-lookahead techniques. With segment limits typically 16-32 bits, this comparison completes in nanoseconds.

Multi-Byte Access Handling:

For accesses larger than one byte, the hardware must verify that the entire access falls within bounds. Two approaches exist:

Pre-computation: Check offset + size - 1 ≤ limit (risks overflow)
Equivalent check: Check offset ≤ limit - size + 1 (requires subtraction)
Dual comparison: Check offset ≥ 0 AND offset + size ≤ limit

Most implementations handle common access sizes (1, 2, 4, 8 bytes) with dedicated comparison logic.

Caching Reduces Overhead

Modern processors cache recently-used segment descriptors. When a segment's base and limit are cached, the bounds check uses the cached limit, avoiding a segment table lookup. This makes repeated accesses to the same segment extremely fast—the comparison is pure combinational logic with no memory access needed.

What Happens on Bounds Violation

When bounds checking fails, the hardware initiates a well-defined exception handling sequence. This sequence ensures that violations are caught, reported, and handled appropriately by the operating system.

The Fault Sequence:

Detection: Hardware comparator determines offset exceeds limit
Abort: Current instruction execution is aborted; no memory access occurs
State Save: Processor saves current state (registers, flags, faulting address)
Privilege Switch: CPU switches to kernel mode
Vector Jump: Control transfers to OS-defined fault handler (via interrupt/exception vector)
Handler Execution: OS examines fault, determines response
Resolution: Process terminated, signal delivered, or (rarely) fault resolved

fault_handling.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
#include <stdio.h>
#include <signal.h>
#include <setjmp.h>
#include <stdlib.h>
 
/*
 * Segment Fault Handling Demonstration
 * 
 * On Unix-like systems, segment violations manifest as SIGSEGV.
 * This shows how the OS notifies user processes of such faults.
 */
 
static sigjmp_buf jump_buffer;
static volatile sig_atomic_t fault_occurred = 0;
 
/**
 * Signal handler for segmentation violations
 * In a real OS, similar logic runs in kernel space
 */
void segfault_handler(int signum) {
    fault_occurred = 1;
    
    printf("\n!!! SEGMENT VIOLATION DETECTED !!!\n");
    printf("  Signal received: %d (SIGSEGV)\n", signum);
    printf("  Cause: Memory access outside valid bounds\n");
    printf("  Action: Longjmp to recovery point\n\n");
    
    // In real scenarios without recovery, process would terminate
    siglongjmp(jump_buffer, 1);
}
 
/**
 * Attempt an out-of-bounds access
 * Simulates what happens when offset exceeds limit
 */
void trigger_bounds_violation() {
    // This simulates what happens in segmented systems when
    // offset >= limit: the access is blocked and fault raised
    
    int* null_ptr = NULL;
    
    printf("Attempting to access address 0x0 (invalid)...\n");
    
    // This will trigger SIGSEGV on most systems
    // In a segmented system, this would be caught by bounds checking
    int value = *null_ptr;  // FAULT!
    
    // Never reached
    printf("Value: %d\n", value);
}
 
/**
 * The OS's perspective on handling segment faults
 */
void explain_os_response() {
    printf("=== OS Response to Segment Violation ===\n\n");
    
    printf("When bounds checking fails, the OS must decide:\n\n");
    
    printf("1. Is this a legitimate fault?\n");
    printf("   - Bug in program (buffer overflow, null pointer)\n");
    printf("   - Malicious access attempt\n");
    printf("   - Stack growth beyond current allocation\n\n");
    
    printf("2. Can it be resolved?\n");
    printf("   - Demand paging: page in the needed data\n");
    printf("   - Stack expansion: allocate more stack space\n");
    printf("   - Copy-on-write: create private copy\n\n");
    
    printf("3. If unresolvable:\n");
    printf("   - Deliver SIGSEGV to process (Unix)\n");
    printf("   - Default action: terminate with core dump\n");
    printf("   - Or process handles signal (if handler installed)\n\n");
}
 
int main() {
    printf("=== Bounds Violation Handling Demo ===\n\n");
    
    explain_os_response();
    
    // Install signal handler
    struct sigaction sa;
    sa.sa_handler = segfault_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    
    if (sigaction(SIGSEGV, &sa, NULL) == -1) {
        perror("sigaction");
        return 1;
    }
    
    printf("Signal handler installed.\n\n");
    
    // Set up recovery point
    if (sigsetjmp(jump_buffer, 1) == 0) {
        // First time through - trigger the fault
        trigger_bounds_violation();
    } else {
        // Returned via longjmp - fault was caught
        printf("Recovered from segment violation.\n");
        printf("In production: process would typically be terminated.\n");
    }
    
    return fault_occurred ? 1 : 0;
}
 
/*
 * Hardware/OS Interaction on Fault:
 * 
 * 1. MMU detects: offset > limit
 * 2. MMU asserts: fault signal
 * 3. CPU: aborts instruction, saves state
 * 4. CPU: looks up exception handler in IDT/IVT
 * 5. CPU: jumps to kernel fault handler
 * 6. Kernel: examines CR2 (faulting address on x86)
 * 7. Kernel: checks if fault is resolvable
 * 8. Kernel: terminates process or delivers signal
 */

Possible OS Responses to Bounds Violations
Scenario	Resolution	Outcome
Stack growth needed	Extend stack segment, map new pages	Instruction restarted, execution continues
Demand paging fault	Load page from disk (in paged systems)	Instruction restarted after page loaded
Copy-on-write trigger	Create private copy of shared page	Instruction restarted with writable copy
Null pointer dereference	Unresolvable	SIGSEGV, process terminated
Buffer overflow	Unresolvable	SIGSEGV, process terminated
Malicious access attempt	Unresolvable	SIGSEGV, security log entry

Instruction Restart Capability

For fault resolution to work, the processor must be able to restart the faulting instruction. This requires saving precise state before the instruction commits any changes. In segmented systems, the fault occurs before any memory access, making restart straightforward—the instruction simply never completed.

Security Implications of Bounds Checking

Bounds checking is a fundamental security mechanism. It prevents entire classes of attacks that exploit unchecked memory access to corrupt data, hijack control flow, or leak sensitive information.

Attacks Prevented

•Buffer Overflows: Writing past array bounds into adjacent data structures is caught at segment boundary
•Stack Smashing: Overwriting return addresses fails if it exceeds stack segment limit
•Heap Corruption: Out-of-bounds heap writes are blocked at segment boundary
•Data/Code Confusion: Attempting to execute data or modify code segment triggers fault
•Inter-Process Attacks: Accessing another process's memory is impossible—different segment tables

Limitations

•Intra-Segment Overflows: Bounds checking only catches violations at segment boundaries, not within a segment
•Coarse Granularity: If code and data share a segment, overflows between them aren't caught
•Return-to-existing-code: Attacks using code already in the code segment may succeed
•Information Leakage: Reading within bounds but unauthorized data isn't prevented by bounds alone
•Segment Boundary Alignment: Data structures may not align with segment boundaries

The Buffer Overflow Example:

Consider a classic buffer overflow attack:

char buffer[64];
strcpy(buffer, user_input);  // No length check!

In a flat address space without bounds checking, a 100-byte input overwrites 36 bytes beyond the buffer, potentially corrupting return addresses or function pointers.

In a segmented system with bounds checking:

If the buffer is at the end of its segment, overflow is caught
If the segment contains only this buffer (fine-grained segmentation), any overflow is caught
If the buffer is in a larger segment with other data, intra-segment overflow may still occur

The effectiveness depends on segment granularity—finer segments provide stronger protection.

bounds_security.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
#include <stdio.h>
#include <string.h>
#include <stdint.h>
 
/*
 * Security Analysis: Bounds Checking vs Buffer Overflow
 * 
 * Demonstrates how segment boundaries affect exploit possibilities.
 */
 
// Simulated segment layout
typedef struct {
    char buffer[64];      // Offsets 0-63
    int important_value;  // Offsets 64-67
    void (*callback)(void);  // Offsets 68-75
} VulnerableData;
 
// Simulated segment limits for different scenarios
#define LIMIT_TIGHT    64   // Segment covers only buffer
#define LIMIT_STRUCT   76   // Segment covers entire struct  
#define LIMIT_LOOSE   1024  // Segment has extra space
 
void check_overflow_scenario(const char* name, uint32_t limit, 
                            uint32_t write_offset, uint32_t write_size) {
    printf("Scenario: %s\n", name);
    printf("  Segment limit: %u bytes\n", limit);
    printf("  Write offset: %u, size: %u\n", write_offset, write_size);
    
    uint32_t write_end = write_offset + write_size - 1;
    
    if (write_end >= limit) {
        printf("  Result: BOUNDS VIOLATION - Attack blocked!\n");
        printf("  Write end (%u) exceeds limit (%u)\n", write_end, limit);
    } else {
        printf("  Result: Write permitted within segment bounds\n");
        if (write_end >= 64) {
            printf("  WARNING: Intra-segment overflow corrupts struct fields!\n");
        }
    }
    printf("\n");
}
 
int main() {
    printf("=== Bounds Checking Security Analysis ===\n\n");
    
    printf("Vulnerable struct layout:\n");
    printf("  Bytes 0-63:  char buffer[64]\n");
    printf("  Bytes 64-67: int important_value\n");
    printf("  Bytes 68-75: void (*callback)(void)\n\n");
    
    printf("Attack: Overflow buffer with 100 bytes starting at offset 0\n\n");
    
    // Scenario 1: Tight segment around buffer only
    check_overflow_scenario(
        "Tight Segmentation (buffer in its own segment)",
        LIMIT_TIGHT,
        0, 100  // Attempt to write 100 bytes starting at offset 0
    );
    
    // Scenario 2: Segment contains entire struct
    check_overflow_scenario(
        "Struct-level Segmentation",
        LIMIT_STRUCT,
        0, 100  // 100 bytes > 76 byte segment
    );
    
    // Scenario 3: Loose segment with extra space
    check_overflow_scenario(
        "Loose Segmentation (large segment)",
        LIMIT_LOOSE,
        0, 100  // 100 bytes < 1024 byte segment
    );
    
    printf("=== Key Insight ===\n");
    printf("Bounds checking effectiveness depends on segmentation granularity.\n");
    printf("Finer segments = more protection, but more overhead.\n");
    printf("Coarse segments = less protection, but simpler management.\n");
    
    return 0;
}
 
/*
 * Output:
 * 
 * Attack: Overflow buffer with 100 bytes starting at offset 0
 * 
 * Scenario: Tight Segmentation (buffer in its own segment)
 *   Segment limit: 64 bytes
 *   Write offset: 0, size: 100
 *   Result: BOUNDS VIOLATION - Attack blocked!
 *   Write end (99) exceeds limit (64)
 * 
 * Scenario: Struct-level Segmentation
 *   Segment limit: 76 bytes
 *   Write offset: 0, size: 100
 *   Result: BOUNDS VIOLATION - Attack blocked!
 *   Write end (99) exceeds limit (76)
 * 
 * Scenario: Loose Segmentation (large segment)
 *   Segment limit: 1024 bytes
 *   Write offset: 0, size: 100
 *   Result: Write permitted within segment bounds
 *   WARNING: Intra-segment overflow corrupts struct fields!
 */

Bounds Checking Is Necessary but Not Sufficient

Bounds checking prevents segment-boundary violations but doesn't stop all attacks. Intra-segment overflows, type confusion, time-of-check-time-of-use races, and many other vulnerabilities require additional defenses. Modern systems combine bounds checking with ASLR, stack canaries, DEP/NX, and other mitigations for defense in depth.

Bounds Checking Strategies Across Architectures

Different processor architectures implement bounds checking with varying strategies, reflecting different design philosophies and performance/security tradeoffs.

Bounds Checking Implementation Strategies
Architecture	Checking Method	Limit Interpretation	Notes
Intel 8086	Software (near), none (far)	N/A in real mode	No hardware protection in real mode
Intel 80286+	Hardware comparator	Last valid offset	Limit is size-1; 20-bit limit field
Intel 80386+	Hardware + granularity	Byte or 4KB units	G bit: limit × 4096 if set
MIPS (segments)	Base + bound registers	Size in bytes	Separate registers per segment
Multics	Hardware per segment	Segment size	Very fine-grained segments
ARM (legacy)	Domain-based	Regions defined in CP15	Coarse protection domains

Intel x86 Protected Mode Bounds Checking:

The x86 architecture provides sophisticated bounds checking in protected mode:

Limit Field: 20-bit limit in segment descriptor
Granularity Bit (G): If G=0, limit is in bytes (max 1 MB). If G=1, limit is in 4 KB pages (max 4 GB)
Expand-Down Segments: For stacks, the valid range is (limit, 0xFFFFFFFF] instead of [0, limit]
Type Checking: Code segments can't be written, data segments can't be executed (unless specifically allowed)

x86_bounds_check.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
Intel x86 Segment Descriptor and Bounds Checking:
 
Segment Descriptor (8 bytes):
┌───────────────────────────────────────────────────────────────┐
│ 63        56 55   52 51   48 47        40 39        32        │
│ Base[31:24] │ Flags │ Limit │ Access    │ Base[23:16]         │
│             │ G D L │[19:16]│ Rights    │                     │
├───────────────────────────────────────────────────────────────┤
│ 31                           16 15                           0│
│        Base[15:0]              │       Limit[15:0]            │
└───────────────────────────────────────────────────────────────┘
 
Flags:
  G (Granularity): 0 = limit in bytes, 1 = limit in 4KB pages
  D (Default): 0 = 16-bit, 1 = 32-bit
  L (Long mode): 1 = 64-bit code segment
 
Limit Calculation:
  If G = 0: Effective Limit = Limit (up to 1 MB)
  If G = 1: Effective Limit = (Limit × 4096) + 4095 (up to 4 GB)
 
Bounds Check (Normal Segment):
  IF offset > Effective_Limit THEN #GP(0)  // General Protection Fault
 
Bounds Check (Expand-Down Stack Segment):
  IF offset ≤ Effective_Limit THEN #SS(0)  // Stack Fault
  (Valid range is ABOVE the limit, not below)
 
Example:
  Limit = 0x7FFFF, G = 1
  Effective Limit = (0x7FFFF × 4096) + 4095 = 2,147,483,647
  Maximum addressable offset = 2 GB - 1
 
Access Rights byte includes:
  - Present bit: segment must be in memory
  - DPL: Descriptor Privilege Level (0-3)
  - S: System vs code/data segment
  - Type: Readable, writable, executable, conforming, etc.

Advanced Bounds Checking Features

•Intel MPX (Memory Protection Extensions): Hardware bounds checking for pointers, storing bounds in special registers—now deprecated
•ARM MTE (Memory Tagging Extension): Tags pointers and memory, catches misuse—probabilistic bounds checking
•CHERI Capabilities: Fat pointers that encode bounds, enforced on every access—hardware capability system
•Software Bounds Checking: AddressSanitizer, Valgrind—runtime instrumentation for debugging

The Evolution Continues

Traditional segment-based bounds checking has largely been replaced by paging in modern systems. However, the need for bounds checking led to new approaches: Intel MPX attempted hardware-assisted pointer bounds (discontinued), while ARM MTE and CHERI represent current efforts to bring fine-grained bounds checking back in new forms.

Summary: Bounds Checking as Protection Foundation

Bounds checking transforms segmentation from an addressing convenience into a protection mechanism. Every offset is validated against the segment's limit before any memory access proceeds, catching violations at the hardware level.

Key Takeaways

•Bounds checking validates every memory access — the offset plus access size must not exceed the segment limit
•Hardware implementation enables speed — parallel comparator circuits add minimal latency to address translation
•Violations trigger OS-handled faults — the processor traps to kernel, which decides whether to resolve or terminate
•Security depends on granularity — finer segments catch more violations, but coarse segments allow intra-segment overflows
•Multiple architectures, same principle — from x86 protected mode to Multics, bounds checking is a universal protection concept

What's Next:

With bounds checking passed, the offset is confirmed to be within legal range. Now we can proceed to the final step of address translation: forming the physical address. By adding the validated offset to the segment's base address, we compute the actual memory location that the hardware will access.

Page Complete

You now understand bounds checking—the guardian that validates every memory access against segment limits. You can explain its hardware implementation, describe what happens on violation, and analyze its security implications. Next, we'll see how the physical address is finally computed.

3 / 5

Loading learning content...

Operating SystemsAddress Translation in Segmentation

Segmentation Address Translation

LevelIntermediate

Duration90 mins

TopicAddress Translation in Segmentation

3 / 5

Bounds Checking

The Guardian at the Gate

What You Will Learn

The Fundamental Bounds Check

At its core, bounds checking is a comparison operation that validates the offset against the segment's limit before allowing memory access to proceed.

The Core Validation:

Given:

Offset d (extracted from logical address)
Segment limit L (from segment table entry)
Access size s (number of bytes being accessed)

The bounds check must verify:

d + s ≤ L

Or equivalently, to avoid overflow:

d ≤ L - s

This ensures that every byte being accessed falls within the segment's boundaries. For a single-byte access, this simplifies to d < L (or d ≤ L depending on whether the limit is inclusive).

Properties of Bounds Checking

•Mandatory: Every memory access must pass bounds checking—there are no exceptions, no privileged bypasses (though the check may be faster for cached segments).
•Hardware-Enforced: The check is performed by the MMU hardware, not software. This makes it impossible for user programs to circumvent.
•Fast: The comparison is implemented as a simple magnitude comparator circuit, adding minimal latency to memory access.
•Precise: The check considers the full size of the access, catching violations at any byte within a multi-byte read/write.
•Non-Recoverable at User Level: A bounds violation cannot be 'fixed' by user code—it triggers a trap to the operating system.

Converting Mermaid diagram...

Limit Interpretation Matters

Hardware Implementation

Parallel Execution:

In a typical MMU, bounds checking occurs in parallel with the base address lookup:

Segment number is used to index the segment table
Limit value is read from the segment table entry
Offset is compared against limit (parallel comparator)
Base address is read from the segment table entry
If check passes, physical address = base + offset

Steps 3 and 4 happen simultaneously, so bounds checking adds no latency to the critical path when implemented correctly.

bounds_check_hardware.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
Bounds Checking Hardware Architecture:
 
┌────────────────────────────────────────────────────────────────┐
│                    Segment Translation Unit                     │
├────────────────────────────────────────────────────────────────┤
│                                                                 │
│   Logical Address ─────┬────────────────────┐                  │
│   [seg | offset]       │                    │                  │
│                        ▼                    ▼                  │
│              ┌─────────────────┐    ┌───────────────┐          │
│              │ Segment Number  │    │    Offset     │          │
│              │   Extraction    │    │  Extraction   │          │
│              └────────┬────────┘    └───────┬───────┘          │
│                       │                     │                  │
│                       ▼                     │                  │
│    ┌─────────────────────────────────┐      │                  │
│    │       Segment Table             │      │                  │
│    │  ┌─────┬───────┬────────┐      │      │                  │
│    │  │ Seg │ Base  │ Limit  │      │      │                  │
│    │  ├─────┼───────┼────────┤      │      │                  │
│    │  │  0  │0x1000 │  4096  │      │      │                  │
│    │  │  1  │0x5000 │  8192  │      │      │                  │
│    │  │  2  │0x9000 │  2048  │      │      │                  │
│    │  └─────┴───────┴────────┘      │      │                  │
│    └────────────┬──────────┬────────┘      │                  │
│                 │          │               │                  │
│                 ▼          ▼               │                  │
│   ┌─────────────────┐ ┌────────────────┐   │                  │
│   │   Base Value    │ │  Limit Value   │   │                  │
│   └────────┬────────┘ └───────┬────────┘   │                  │
│            │                  │            │                  │
│            │                  ▼            ▼                  │
│            │         ┌───────────────────────┐                │
│            │         │    COMPARATOR         │                │
│            │         │   offset + size ≤ L?  │                │
│            │         └──────────┬────────────┘                │
│            │                    │                             │
│            │     ┌──────────────┼──────────────┐              │
│            │     │              │              │              │
│            ▼     ▼              ▼              │              │
│     ┌─────────────────┐   ┌──────────┐        │              │
│     │     ADDER       │   │  Valid?  │        │              │
│     │  base + offset  │   │   Gate   │        │              │
│     └────────┬────────┘   └────┬─────┘        │              │
│              │                 │              │              │
│              └────────┬────────┘              │              │
│                       ▼                       ▼              │
│              ┌────────────────┐      ┌────────────────┐     │
│              │Physical Address│      │  Fault Signal  │     │
│              │ (if valid)     │      │  (if invalid)  │     │
│              └────────────────┘      └────────────────┘     │
│                                                              │
└──────────────────────────────────────────────────────────────┘
 
Timing: Comparison and addition happen IN PARALLEL.
The "valid gate" blocks the physical address if bounds check fails.

The Comparator Circuit:

Multi-Byte Access Handling:

For accesses larger than one byte, the hardware must verify that the entire access falls within bounds. Two approaches exist:

Pre-computation: Check offset + size - 1 ≤ limit (risks overflow)
Equivalent check: Check offset ≤ limit - size + 1 (requires subtraction)
Dual comparison: Check offset ≥ 0 AND offset + size ≤ limit

Most implementations handle common access sizes (1, 2, 4, 8 bytes) with dedicated comparison logic.

Caching Reduces Overhead

What Happens on Bounds Violation

The Fault Sequence:

Detection: Hardware comparator determines offset exceeds limit
Abort: Current instruction execution is aborted; no memory access occurs
State Save: Processor saves current state (registers, flags, faulting address)
Privilege Switch: CPU switches to kernel mode
Vector Jump: Control transfers to OS-defined fault handler (via interrupt/exception vector)
Handler Execution: OS examines fault, determines response
Resolution: Process terminated, signal delivered, or (rarely) fault resolved

fault_handling.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
#include <stdio.h>
#include <signal.h>
#include <setjmp.h>
#include <stdlib.h>
 
/*
 * Segment Fault Handling Demonstration
 * 
 * On Unix-like systems, segment violations manifest as SIGSEGV.
 * This shows how the OS notifies user processes of such faults.
 */
 
static sigjmp_buf jump_buffer;
static volatile sig_atomic_t fault_occurred = 0;
 
/**
 * Signal handler for segmentation violations
 * In a real OS, similar logic runs in kernel space
 */
void segfault_handler(int signum) {
    fault_occurred = 1;
    
    printf("\n!!! SEGMENT VIOLATION DETECTED !!!\n");
    printf("  Signal received: %d (SIGSEGV)\n", signum);
    printf("  Cause: Memory access outside valid bounds\n");
    printf("  Action: Longjmp to recovery point\n\n");
    
    // In real scenarios without recovery, process would terminate
    siglongjmp(jump_buffer, 1);
}
 
/**
 * Attempt an out-of-bounds access
 * Simulates what happens when offset exceeds limit
 */
void trigger_bounds_violation() {
    // This simulates what happens in segmented systems when
    // offset >= limit: the access is blocked and fault raised
    
    int* null_ptr = NULL;
    
    printf("Attempting to access address 0x0 (invalid)...\n");
    
    // This will trigger SIGSEGV on most systems
    // In a segmented system, this would be caught by bounds checking
    int value = *null_ptr;  // FAULT!
    
    // Never reached
    printf("Value: %d\n", value);
}
 
/**
 * The OS's perspective on handling segment faults
 */
void explain_os_response() {
    printf("=== OS Response to Segment Violation ===\n\n");
    
    printf("When bounds checking fails, the OS must decide:\n\n");
    
    printf("1. Is this a legitimate fault?\n");
    printf("   - Bug in program (buffer overflow, null pointer)\n");
    printf("   - Malicious access attempt\n");
    printf("   - Stack growth beyond current allocation\n\n");
    
    printf("2. Can it be resolved?\n");
    printf("   - Demand paging: page in the needed data\n");
    printf("   - Stack expansion: allocate more stack space\n");
    printf("   - Copy-on-write: create private copy\n\n");
    
    printf("3. If unresolvable:\n");
    printf("   - Deliver SIGSEGV to process (Unix)\n");
    printf("   - Default action: terminate with core dump\n");
    printf("   - Or process handles signal (if handler installed)\n\n");
}
 
int main() {
    printf("=== Bounds Violation Handling Demo ===\n\n");
    
    explain_os_response();
    
    // Install signal handler
    struct sigaction sa;
    sa.sa_handler = segfault_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    
    if (sigaction(SIGSEGV, &sa, NULL) == -1) {
        perror("sigaction");
        return 1;
    }
    
    printf("Signal handler installed.\n\n");
    
    // Set up recovery point
    if (sigsetjmp(jump_buffer, 1) == 0) {
        // First time through - trigger the fault
        trigger_bounds_violation();
    } else {
        // Returned via longjmp - fault was caught
        printf("Recovered from segment violation.\n");
        printf("In production: process would typically be terminated.\n");
    }
    
    return fault_occurred ? 1 : 0;
}
 
/*
 * Hardware/OS Interaction on Fault:
 * 
 * 1. MMU detects: offset > limit
 * 2. MMU asserts: fault signal
 * 3. CPU: aborts instruction, saves state
 * 4. CPU: looks up exception handler in IDT/IVT
 * 5. CPU: jumps to kernel fault handler
 * 6. Kernel: examines CR2 (faulting address on x86)
 * 7. Kernel: checks if fault is resolvable
 * 8. Kernel: terminates process or delivers signal
 */

Possible OS Responses to Bounds Violations
Scenario	Resolution	Outcome
Stack growth needed	Extend stack segment, map new pages	Instruction restarted, execution continues
Demand paging fault	Load page from disk (in paged systems)	Instruction restarted after page loaded
Copy-on-write trigger	Create private copy of shared page	Instruction restarted with writable copy
Null pointer dereference	Unresolvable	SIGSEGV, process terminated
Buffer overflow	Unresolvable	SIGSEGV, process terminated
Malicious access attempt	Unresolvable	SIGSEGV, security log entry

Instruction Restart Capability

Security Implications of Bounds Checking

Bounds checking is a fundamental security mechanism. It prevents entire classes of attacks that exploit unchecked memory access to corrupt data, hijack control flow, or leak sensitive information.

Attacks Prevented

•Buffer Overflows: Writing past array bounds into adjacent data structures is caught at segment boundary
•Stack Smashing: Overwriting return addresses fails if it exceeds stack segment limit
•Heap Corruption: Out-of-bounds heap writes are blocked at segment boundary
•Data/Code Confusion: Attempting to execute data or modify code segment triggers fault
•Inter-Process Attacks: Accessing another process's memory is impossible—different segment tables

Limitations

•Intra-Segment Overflows: Bounds checking only catches violations at segment boundaries, not within a segment
•Coarse Granularity: If code and data share a segment, overflows between them aren't caught
•Return-to-existing-code: Attacks using code already in the code segment may succeed
•Information Leakage: Reading within bounds but unauthorized data isn't prevented by bounds alone
•Segment Boundary Alignment: Data structures may not align with segment boundaries

The Buffer Overflow Example:

Consider a classic buffer overflow attack:

char buffer[64];
strcpy(buffer, user_input);  // No length check!

In a flat address space without bounds checking, a 100-byte input overwrites 36 bytes beyond the buffer, potentially corrupting return addresses or function pointers.

In a segmented system with bounds checking:

If the buffer is at the end of its segment, overflow is caught
If the segment contains only this buffer (fine-grained segmentation), any overflow is caught
If the buffer is in a larger segment with other data, intra-segment overflow may still occur

The effectiveness depends on segment granularity—finer segments provide stronger protection.

bounds_security.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
#include <stdio.h>
#include <string.h>
#include <stdint.h>
 
/*
 * Security Analysis: Bounds Checking vs Buffer Overflow
 * 
 * Demonstrates how segment boundaries affect exploit possibilities.
 */
 
// Simulated segment layout
typedef struct {
    char buffer[64];      // Offsets 0-63
    int important_value;  // Offsets 64-67
    void (*callback)(void);  // Offsets 68-75
} VulnerableData;
 
// Simulated segment limits for different scenarios
#define LIMIT_TIGHT    64   // Segment covers only buffer
#define LIMIT_STRUCT   76   // Segment covers entire struct  
#define LIMIT_LOOSE   1024  // Segment has extra space
 
void check_overflow_scenario(const char* name, uint32_t limit, 
                            uint32_t write_offset, uint32_t write_size) {
    printf("Scenario: %s\n", name);
    printf("  Segment limit: %u bytes\n", limit);
    printf("  Write offset: %u, size: %u\n", write_offset, write_size);
    
    uint32_t write_end = write_offset + write_size - 1;
    
    if (write_end >= limit) {
        printf("  Result: BOUNDS VIOLATION - Attack blocked!\n");
        printf("  Write end (%u) exceeds limit (%u)\n", write_end, limit);
    } else {
        printf("  Result: Write permitted within segment bounds\n");
        if (write_end >= 64) {
            printf("  WARNING: Intra-segment overflow corrupts struct fields!\n");
        }
    }
    printf("\n");
}
 
int main() {
    printf("=== Bounds Checking Security Analysis ===\n\n");
    
    printf("Vulnerable struct layout:\n");
    printf("  Bytes 0-63:  char buffer[64]\n");
    printf("  Bytes 64-67: int important_value\n");
    printf("  Bytes 68-75: void (*callback)(void)\n\n");
    
    printf("Attack: Overflow buffer with 100 bytes starting at offset 0\n\n");
    
    // Scenario 1: Tight segment around buffer only
    check_overflow_scenario(
        "Tight Segmentation (buffer in its own segment)",
        LIMIT_TIGHT,
        0, 100  // Attempt to write 100 bytes starting at offset 0
    );
    
    // Scenario 2: Segment contains entire struct
    check_overflow_scenario(
        "Struct-level Segmentation",
        LIMIT_STRUCT,
        0, 100  // 100 bytes > 76 byte segment
    );
    
    // Scenario 3: Loose segment with extra space
    check_overflow_scenario(
        "Loose Segmentation (large segment)",
        LIMIT_LOOSE,
        0, 100  // 100 bytes < 1024 byte segment
    );
    
    printf("=== Key Insight ===\n");
    printf("Bounds checking effectiveness depends on segmentation granularity.\n");
    printf("Finer segments = more protection, but more overhead.\n");
    printf("Coarse segments = less protection, but simpler management.\n");
    
    return 0;
}
 
/*
 * Output:
 * 
 * Attack: Overflow buffer with 100 bytes starting at offset 0
 * 
 * Scenario: Tight Segmentation (buffer in its own segment)
 *   Segment limit: 64 bytes
 *   Write offset: 0, size: 100
 *   Result: BOUNDS VIOLATION - Attack blocked!
 *   Write end (99) exceeds limit (64)
 * 
 * Scenario: Struct-level Segmentation
 *   Segment limit: 76 bytes
 *   Write offset: 0, size: 100
 *   Result: BOUNDS VIOLATION - Attack blocked!
 *   Write end (99) exceeds limit (76)
 * 
 * Scenario: Loose Segmentation (large segment)
 *   Segment limit: 1024 bytes
 *   Write offset: 0, size: 100
 *   Result: Write permitted within segment bounds
 *   WARNING: Intra-segment overflow corrupts struct fields!
 */

Bounds Checking Is Necessary but Not Sufficient

Bounds Checking Strategies Across Architectures

Different processor architectures implement bounds checking with varying strategies, reflecting different design philosophies and performance/security tradeoffs.

Bounds Checking Implementation Strategies
Architecture	Checking Method	Limit Interpretation	Notes
Intel 8086	Software (near), none (far)	N/A in real mode	No hardware protection in real mode
Intel 80286+	Hardware comparator	Last valid offset	Limit is size-1; 20-bit limit field
Intel 80386+	Hardware + granularity	Byte or 4KB units	G bit: limit × 4096 if set
MIPS (segments)	Base + bound registers	Size in bytes	Separate registers per segment
Multics	Hardware per segment	Segment size	Very fine-grained segments
ARM (legacy)	Domain-based	Regions defined in CP15	Coarse protection domains

Intel x86 Protected Mode Bounds Checking:

The x86 architecture provides sophisticated bounds checking in protected mode:

Limit Field: 20-bit limit in segment descriptor
Granularity Bit (G): If G=0, limit is in bytes (max 1 MB). If G=1, limit is in 4 KB pages (max 4 GB)
Expand-Down Segments: For stacks, the valid range is (limit, 0xFFFFFFFF] instead of [0, limit]
Type Checking: Code segments can't be written, data segments can't be executed (unless specifically allowed)

x86_bounds_check.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
Intel x86 Segment Descriptor and Bounds Checking:
 
Segment Descriptor (8 bytes):
┌───────────────────────────────────────────────────────────────┐
│ 63        56 55   52 51   48 47        40 39        32        │
│ Base[31:24] │ Flags │ Limit │ Access    │ Base[23:16]         │
│             │ G D L │[19:16]│ Rights    │                     │
├───────────────────────────────────────────────────────────────┤
│ 31                           16 15                           0│
│        Base[15:0]              │       Limit[15:0]            │
└───────────────────────────────────────────────────────────────┘
 
Flags:
  G (Granularity): 0 = limit in bytes, 1 = limit in 4KB pages
  D (Default): 0 = 16-bit, 1 = 32-bit
  L (Long mode): 1 = 64-bit code segment
 
Limit Calculation:
  If G = 0: Effective Limit = Limit (up to 1 MB)
  If G = 1: Effective Limit = (Limit × 4096) + 4095 (up to 4 GB)
 
Bounds Check (Normal Segment):
  IF offset > Effective_Limit THEN #GP(0)  // General Protection Fault
 
Bounds Check (Expand-Down Stack Segment):
  IF offset ≤ Effective_Limit THEN #SS(0)  // Stack Fault
  (Valid range is ABOVE the limit, not below)
 
Example:
  Limit = 0x7FFFF, G = 1
  Effective Limit = (0x7FFFF × 4096) + 4095 = 2,147,483,647
  Maximum addressable offset = 2 GB - 1
 
Access Rights byte includes:
  - Present bit: segment must be in memory
  - DPL: Descriptor Privilege Level (0-3)
  - S: System vs code/data segment
  - Type: Readable, writable, executable, conforming, etc.

Advanced Bounds Checking Features

•Intel MPX (Memory Protection Extensions): Hardware bounds checking for pointers, storing bounds in special registers—now deprecated
•ARM MTE (Memory Tagging Extension): Tags pointers and memory, catches misuse—probabilistic bounds checking
•CHERI Capabilities: Fat pointers that encode bounds, enforced on every access—hardware capability system
•Software Bounds Checking: AddressSanitizer, Valgrind—runtime instrumentation for debugging

The Evolution Continues

Summary: Bounds Checking as Protection Foundation

Key Takeaways

•Bounds checking validates every memory access — the offset plus access size must not exceed the segment limit
•Hardware implementation enables speed — parallel comparator circuits add minimal latency to address translation
•Violations trigger OS-handled faults — the processor traps to kernel, which decides whether to resolve or terminate
•Security depends on granularity — finer segments catch more violations, but coarse segments allow intra-segment overflows
•Multiple architectures, same principle — from x86 protected mode to Multics, bounds checking is a universal protection concept

What's Next:

Page Complete

3 / 5