DOCSLIB.ORG

Porting Barrelfish to the Tilera Tilepro64 Architecture

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Porting Barrelfish to the Tilera Tilepro64 Architecture Porting Barrelfish to the Tilera TILEPro64 Architecture ROBERT RADKIEWICZ and XIAOWEN WANG KTH Information and Communication Technology Master of Science Thesis Stockholm, Sweden 2013 TRITA-ICT-EX-2013:69 KTH Royal Institute of Technology Master Project at KTH Porting Barrelfish to the Tilera TILEPro64 Architecture Authors: Robert Radkiewicz and Xiaowen Wang Examiner: Prof. Mats Brorsson, KTH, Sweden Abstract Barrelfish is a research operating system with the focus on the scalability of manycore architectures and the increasing numbers of heterogeneous hardware. Instead of heavily relying on the cache coherency protocol which has been proved to be an inherent bottleneck on manycore systems, Barrelfish employs the thought of distributed systems and uses the message-passing approach to implement inter-core communication. The TilePro architecture is a manycore system with up to 64 cores and several mesh networks. Because of its special hardware design, TilePro is considered to be a ideal vehicle to run Barrelfish on, in order to make full use of the advantages from its manycore and network structure. The porting of Barrelfish on TilePro architecture involves some general set-ups of image booting, virtual memory system, context switch, interrupts and system calls, inter-dispatcher communication and so on. At the beginning, the whole system fully starts up on the first logic core, and later the monitor process on the first core will be responsible for booting up others in order, according to the pre-configuration of memory space on the initial core. There are two sorts of communication provided originally in Barrelfish under the protocol of user remote procedure call (URPC). The local message passing (LMP), which happens when two dispatchers communicate with each other on the same core, is implemented by invoking system calls, passing all the values through reserved registers. The user-level message passing (UMP), which is designed for inter-core communication, depends on a shared memory approach. The inter-core communication begins as the second core is starting. The project also investigates how to utilize TilePro mesh network structure to fulfil the inter-core communication so that the characteristic of the architecture would be exploited thoroughly. TilePro offers several mesh networks with different properties and behaviours. In this case, we mainly use user dynamic network (UDN) instead of UMP to carry out remote core-to-core communication, although still based on the existing protocol of URPC. The result shows that Barrelfish can completely boots up on two cores at least and some user applications could be executed either on the first core or on the second properly, while the core-to-core communication is working on TilePro UDN network. Contents 1 Introduction 3 1.1 Current Implementations . .4 1.1.1 Factored Operating System . .4 1.1.2 Tessellation . .4 1.1.3 Barrelfish . .4 1.2 Core-to-Core Communication . .5 1.3 TilePro64 . .6 1.4 Contributions . .6 1.5 Structure of Thesis . .6 2 Implementation 7 2.1 Requirements . .7 2.2 Booting an OS on Tilera . .7 2.2.1 Shipping the Kernel . .7 2.2.2 Hypervisor . .8 2.2.3 Overview of Booting Process . .9 2.3 newlib . 11 2.4 Virtual Memory . 11 2.5 ASIDs . 14 2.6 Interrupt Handling . 15 2.7 System Calls . 15 2.8 Processes and Threads . 16 2.9 I/O . 17 2.10 Local Communication . 17 2.11 Core-to-Core Communication . 18 2.11.1 Existing Barrelfish Ports . 18 2.11.2 Implementation of Message Passing on TilePro . 18 2.11.2.1 Static Network . 18 2.11.2.2 User Dynamic Network . 18 2.11.2.3 Other Dynamic Networks . 19 2.11.3 Implementation of a New Backend . 19 3 Reflection on the Porting Process 23 4 Results 25 4.1 Porting Results . 25 Contents 4.2 Modifications on Barrelfish . 25 5 Conclusion 29 vi List of Figures 2.1 Procedure to create a bootrom file . .8 2.2 Virtual memory layout . 13 2.3 Barrelfish internal virtual memory layout . 13 2.4 Physical memory layout . 14 2.5 Dispatcher structure in Barrelfish . 16 2.6 UDN backend . 20 4.1 Bootstrap on TilePro . 26 List of Tables 4.1 Modification to Barrelfish . 27 Chapter 1 1 Introduction Computer hardware is changing rapidly in past two decades. From the single-core to dual-core, and then to multi-core architectures, researchers have been always seeking the best way to boost the performance of computers. According to some seemingly inevitable defects on the single-core processor, e.g. the lack of parallelism and the increasing thermal issues, the single-core architecture seems to hit the bottleneck and cannot be developed significantly any more [1]. Meanwhile the multi-core architecture emerges and is widely used in variety of workplaces owing to its inherent advantages. For example, different programs have a different gain in speed due to the usage of multiple processors. It depends on how separated the tasks with most cpu-load are. These separated tasks could be a server, which answers to several network connections and does some calculation per connection. For some tasks which are not separated so naturally, they can be split into several sub-tasks, which are then separated. Another example is image processing, where an image could be split into several sub-images, which can be processed by one task. In this example all tasks have a dependency to the whole image, where they get to select the data from. Based on the fast advancement of hardware and its needs in the real working environment, future OSes should be able to make full use of these new features accordingly. Some traditional general-purpose OSes, e.g. the variants of Unix and Windows, use a shared memory kernel with data structures protected by locks [2], which derives from the basic OS thought on the single-core architecture. They are capable of using multiple cores to allocate the workload between them, but this approach does not scale very well with the number of cores rising significantly [3, 4]. Although those OSes have been developed to fully support SMP and ccNUMA architectures in order to obtain the relatively high performance computing. However, the future computer architectures tend to increase the number of cores and hardware diversity [2]. Then as a result, the cache coherence protocols and memory management will become prohibitively costly, when a large number of cores (manycore system) are involved. 1 Introduction 1.1 Current Implementations How to exploit this so-called manycore system efficiently becomes a popular topic. Some researchers have proposed new thoughts by re-conceiving the OS architecture to avoid being limited by the scalability bottleneck of traditional OSes. 1.1.1 Factored Operating System Factored Operating System (fos) [5] is a new operating system targeting manycore systems with scalability as the primary design constraint, where space sharing replaces time sharing to increase scalability. The main feature of fos is that it factors an OS into a set of services where each service is built to resemble a distributed Internet server. The OS kernel and user application services are respectively located on the different sets of servers, so that they would not interfere each other, thereby increasing the degree of distribution and parallelism of the system. Each server runs on a given core, and they may communicate with each other based on the paradigm of message passing. 1.1.2 Tessellation Tessellation OS [6] restructures the operating system to support a simultaneous mix of interactive, real-time, and high-throughput parallel applications. It utilizes two novel ideas, Space-Time Partitioning and Two-Level Scheduling, to reach the goals of resource distribution, performance isolation and QoS guarantees. Applications are divided into performance-isolated, gang-scheduled cells communicating through secure channels. 1.1.3 Barrelfish Barrelfish [2] demonstrates that the message passing method outperforms traditional shared memory idea which is the main bottleneck to scale the OS to many-core architecture. It also proposes the “share-no-memory” concept for the OS, exploiting the explicit and asynchronous message passing method for the communication between cores in order to reduce the side effects from cache coherence protocols. This message passing or exchanging is also for the implementation of the shared OS state replication for each core, which will reduce the overhead of load on the system interconnect, memory contention and synchronization. Another remarkable characteristic of Barrelfish is the compatibility of heterogeneous architectures. According to the demands from real workplaces, there is a trend that several different types of architectures may be combined into one board, incorporating to deal with some 4 1.2 Core-to-Core Communication tasks together. Barrelfish is designed originally to implement this demand, making it possible to boot up different kernels for different hardware. 1.2 Core-to-Core Communication In a shared memory scenario data may be accessed from different processors and is normally placed somewhere in the RAM. So the accesses to this data must be controlled to avoid the situation where the asynchronous nature of this scenario may corrupt the data or calculations on these. Problems arise, when one processor overwrites data from another processor or a processor is working with outdated data. To maintain control over this there are tools like locking and cache coherence protocols. Locking is a tool to lock accesses to this memory, so that only the processor which holds this lock can access it, while all other access at this time are blocked until the lock is free again. Cache coherence is a tool to let the processor-specific caches stay in sync. Processors have local caches, which allow them to access cached data in orders of magnitude faster.
Load more

Recommended publications
  • Crypto Ransomware Analysis and Detection Using
    CRYPTO RANSOMWARE ANALYSIS AND DETECTION USING PROCESS MONITOR by ASHWINI BALKRUSHNA KARDILE Presented to the Faculty of the Graduate School of The University of Texas at Arlington in Partial Fulfillment of the Requirements for the Degree of MASTER OF SCIENCE IN COMPUTER SCIENCE THE UNIVERSITY OF TEXAS AT ARLINGTON December 2017 Copyright © by Ashwini Balkrushna Kardile 2017 All Rights Reserved ii Acknowledgements I would like to thank Dr. Ming for his timely guidance and motivation. His insights for this research were valuable. I would also like to thank my committee members Dr. David Levine and Dr. David Kung for taking out time from their schedule and attending my dissertation. I am grateful to John Podolanko; it would not have been possible without his help and support. Thank you, John, for helping me and foster my confidence. I would like to thank my colleagues for supporting me directly or indirectly. Last but not the least; I would like to thank my parents, my family and my friends for encouraging me and supporting me throughout my research. November 16, 2017 iii Abstract CRYPTO RANSOMWARE ANALYSIS AND DETECTION USING PROCESS MONITOR Ashwini Balkrushna Kardile, MS The University of Texas at Arlington, 2017 Supervising Professor: Jiang Ming Ransomware is a faster growing threat that encrypts user’s files and locks the computer and holds the key required to decrypt the files for ransom. Over the past few years, the impact of ransomware has increased exponentially. There have been several reported high profile ransomware attacks, such as CryptoLocker, CryptoWall, WannaCry, Petya and Bad Rabbit which have collectively cost individuals and companies well over a billion dollars according to FBI.
    [Show full text]
  • Development Environment
    BLUESPAWN BLUESPAWN Dev Team Apr 28, 2021 CONTENTS 1 Our Mission 3 2 What is BLUESPAWN 5 3 Get Involved & Contribute to the project7 4 Why we made BLUESPAWN9 4.1 Contact Us................................................9 4.2 Sponsoring................................................9 4.3 Licensing.................................................9 4.4 Project Authors.............................................. 10 4.5 Publications............................................... 11 4.6 Hunts................................................... 11 4.7 Scan Mode................................................ 11 4.8 Mitigations................................................ 11 4.9 Reactions................................................. 11 4.10 Logging and Output........................................... 11 4.11 Agent7 Integration............................................ 11 4.12 Getting Started.............................................. 11 4.13 Examples of BLUESPWAN in Action.................................. 13 4.14 Using Mitigations............................................ 14 4.15 Getting Involved............................................. 18 4.16 Setting up your Development Environment............................... 18 4.17 Software Architecture Info........................................ 19 4.18 Project Roadmap............................................. 21 i ii BLUESPAWN CONTENTS 1 BLUESPAWN 2 CONTENTS CHAPTER ONE OUR MISSION BLUESPAWN helps blue teams monitor systems in real-time against active attackers by detecting
    [Show full text]
  • Multiband Plasma-Process Monitor C10346-01
    Multiband plasma-process monitor C10346-01 C10346-01 is a multiband plasma process monitor designed for real-time, monitoring of wide spectrum. Monitoring Plasma (Emission Spectrum) in Real-Time C10346-01 is a monitoring system to detect wide spectrum plasma emission during the process of etching, spattering and CVD in semiconductor manufacturing . With the various analysis functions, it can be used for setting up end-point detection conditions and automatic detection of etching and cleaning, estimation of plasma species and monitoring (plasma) contamination and abnormal discharges. Features Simultaneous measurements of wide (plasma) spectrum Easy measurement using optical fibers Captures wide spectrum (emission) from (plasma) radicals or ions. The equipped optical fiber can be easily attached to plasma C10346-01 : 200 nm to 950 nm chambers through a SMA connector widely used. Real-time plasma (emission) measurement Operation with multiple chambers Continuously measures up to 15 000 spectra at an interval of 20 ms A single analysis unit can control up to four C10346-01 (50 ms with concurrent running of detection software) Multiband plasma-process monitor via a USB 2.0 interface. Highly accurate and reliable measurements Data acquisition software A high resolution spectrometer and a ultra-high sensitive photo The data acquisition software stores the spectrum data into detector are firmly locked in position to assure the acquisition of the database during plasma process. This stored data can accurate spectrum and precise spectrum responsivity data then be used for spectrum data calculations. through sharply focused plasma emission spectrum images. Optional software High-sensitivity detection in UV spectrum region High sensitive endpoint detection and real-time monitoring of Detects the UV spectrum region from 200 nm with high process abnormality are achieved by creating ''detection model''.
    [Show full text]
  • Process Monitor
    Моим коллегам — специалистам по устранению неполадок Windows. Никогда не отступайте и не сдавайтесь! – Марк Руссинович Элизе, благодаря ей сбываются самые прекрасные мечты! (И она гораздо круче меня!) – Аарон Маргозис SIN_Titul.indd I 29.12.2011 13:41:15 Mark Russinovich Aaron Margosis Windows® Sysinternals Administrator's Reference SIN_Titul.indd II 29.12.2011 13:41:15 Марк Руссинович Аарон Маргозис Предисловие Дэвида Соломона Утилиты Sysinternals Справочник администратора 2012 SIN_Titul.indd III 29.12.2011 13:41:15 УДК 004.738.5 ББК 32.973.202 P89 Руссинович Марк, Маргозис Аарон P89 Утилиты Sysinternals. Справочник администратора. / Пер. с англ. — М. : Издательство «Русская редакция» ; СПб. : БХВ-Петербург, 2012. — 480 стр. : ил. ISBN 978-5-7502-0411-3 («Русская редакция») ISBN 978-5-9775-0826-1 («БХВ-Петербург») Эта книга — исчерпывающее руководство по использованию утилит Sysin- ternals. Авторы книги — создатель утилит Sysinternals Марк Руссинович и при- знанный эксперт по Windows Аарон Маргозис — подробно разбирают многочис- ленные функции утилит для диагностики и управления файлами, дисками, си- стемой безопасности и встроенным инструментарием Windows. Рекомендации авторов проиллюстрированы многочисленными примерами из реальной жизни. Изучив их, вы сможете справиться с неполадками в ИТ-системах так, как это делают настоящие профессионалы. Книга состоит из 18 глав и предметного указателя. Она предназначена для ИТ-специалистов и опытных пользователей Windows, которые хотят применять утилиты Sysinternals с максимальной эффективностью. УДК 004.738.5 ББК 32.973.202 © 2011-2012, Translation Russian Edition Publishers. Authorized Russian translation of the English edition of Windows® Sysinternals Administrator’s Reference, ISBN 978- 0-7356-5672-7 © Aaron Margosis and Mark Russinovich. This translation is published and sold by permission of O’Reilly Media, Inc., which owns or controls all rights to publish and sell the same.
    [Show full text]
  • JTB Process Monitor
    JTB Process Monitor About JTB Process Monitor makes it possible to monitor usage of more applications than the core JTB FlexReport handles. There is a service part and a client part of Process Monitor. You need to first install the service and configure it and then install the client and configure it. The data is saved into the JTB FlexReport core database and reports on the usage can be done in the normal way. This means that JTB FlexReport Core and JTB FlexReport Chart Service/Client also need to be installed. The client computer to monitor does not need to be connected to the network all the time. It still can monitor the usage and when connected again it will send back the data to the server. The client-server solution is based on WCF (Windows Communication Foundation) and XML Web services. System requirements .NET Framework 4.0 or newer is needed for the service and client. Other than that most Windows operating systems are supported like Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016. Both 32-bit and 64-bit systems are supported. One limitation is that processes that run in Windows compatibility mode cannot be monitored. Installation of Service The service needs to be installed on one location and it is recommended to be on the same computer where JTB FlexReport’s other services are installed as it needs to save the usage to the JTB FlexReport database. For a trial it can be installed on a workstation if that is easier for the evaluation.
    [Show full text]
  • Windows Rootkit Analysis Report
    Windows Rootkit Analysis Report HBGary Contract No: NBCHC08004 SBIR Data Rights November 2008 Page 1 Table of Contents Introduction ................................................................................................................................... 4 Clean Monitoring Tool Logs......................................................................................................... 5 Clean System PSList ................................................................................................................. 5 Clean System Process Explorer ................................................................................................ 6 Vanquish......................................................................................................................................... 7 PSList Vanquish ........................................................................................................................ 7 Vanquish Process Monitor (Process Start – Exit) .................................................................. 8 Process Explorer Thread Stack Vanquish .............................................................................. 8 Process Monitor Events Vanquish ........................................................................................... 9 Vanquish Log File (Created by rootkit, placed in root directory “C:”) ............................. 21 Process Explorer Memory Strings Vanquish ........................................................................ 23 NTIllusion....................................................................................................................................
    [Show full text]
  • Application Help for SAP Business Planning and Consolidation, Version for SAP Netweaver Company
    PUBLIC SAP Business Planning and Consolidation for SAP NetWeaver 10.1 Document Version: 1.0 – 2021-06-09 Application Help for SAP Business Planning and Consolidation, version for SAP NetWeaver company. All rights reserved. All rights company. affiliate THE BEST RUN 2021 SAP SE or an SAP SE or an SAP SAP 2021 © Content 1 SAP Business Planning and Consolidation, version for SAP NetWeaver...................4 1.1 Getting Started..............................................................10 Preferences..............................................................10 Grid....................................................................11 1.2 Home Page and Navigation......................................................11 1.3 Business Process Flows........................................................12 My Activities.............................................................13 1.4 Process Monitor.............................................................15 1.5 Library....................................................................16 1.6 Documents (Standard only).....................................................17 1.7 Run Consolidation (Standard only)................................................18 Consolidation Monitor (Standard only)...........................................19 Controls Monitor (Standard only)..............................................24 Journals (Standard only)....................................................30 Ownership Manager (Standard only)............................................41 1.8 Run
    [Show full text]
  • Prmon: Process Monitor
    prmon: Process Monitor Serhan Mete (Argonne) and Graeme A Stewart (CERN) Grid Deployment Board Meeting September 9, 2020 What is Process Monitor (prmon)? ● “... a small stand alone program that can monitor the resource consumption of a process and its children.” ○ An open source HSF project, completely application agnostic and self-contained ■ The only external library dependency is nlohmann/json (and only for the build) ○ Tracks (process-level) CPU/GPU, memory, disk I/O, and (device-level) network I/O usage ■ Metrics are primarily collected from ProcFS (except for GPU which comes from nvidia-smi) ● Adding support for additional hardware is in the future plans ○ It produces two main outputs: ■ Time-series text file that contains the measurements at each capture ■ JSON file that contains averages and maxima along with some hardware information ○ It includes python-based software to visualize the time-series data https://github.com/HSF/prmon 2 Building/Distributing/Using prmon... ● prmon has been used in ATLAS distributed computing for many years ○ Predecessor was named MemoryMonitor, which was the starting point for prmon ● There are two main build/deployment options: ○ Integrating prmon as an external software and building it from scratch ■ Primarily requires C++11, Cmake 3.3+, and nlohmann/json ■ For GPU support, needs nvidia-smi installed ○ Using statically built prmon (published for each release, approx. 1 MB) ○ In either case, the binaries can be (are) distributed via CVMFS ○ More information can be found at https://github.com/HSF/prmon#build-and-deployment ● There are two main ways to execute: ○ Attach to an existing process w/ PID : prmon --pid PID ○ Start the program with prmon : prmon [prmon options] -- program [program options] ○ More information can be found at https://github.com/HSF/prmon#running Latest Release: v2.1.0 on Sep 8 3 Available options, monitors, and output formats..
    [Show full text]
  • Legoos: a Disseminated, Distributed OS for Hardware Resource
    LegoOS: A Disseminated, Distributed OS for Hardware Resource Disaggregation Yizhou Shan, Yutong Huang, Yilun Chen, and Yiying Zhang, Purdue University https://www.usenix.org/conference/osdi18/presentation/shan This paper is included in the Proceedings of the 13th USENIX Symposium on Operating Systems Design and Implementation (OSDI ’18). October 8–10, 2018 • Carlsbad, CA, USA ISBN 978-1-939133-08-3 Open access to the Proceedings of the 13th USENIX Symposium on Operating Systems Design and Implementation is sponsored by USENIX. LegoOS: A Disseminated, Distributed OS for Hardware Resource Disaggregation Yizhou Shan, Yutong Huang, Yilun Chen, Yiying Zhang Purdue University Abstract that can fit into monolithic servers and deploying them in datacenters is a painful and cost-ineffective process that The monolithic server model where a server is the unit often limits the speed of new hardware adoption. of deployment, operation, and failure is meeting its lim- We believe that datacenters should break mono- its in the face of several recent hardware and application lithic servers and organize hardware devices like CPU, trends. To improve resource utilization, elasticity, het- DRAM, and disks as independent, failure-isolated, erogeneity, and failure handling in datacenters, we be- network-attached components, each having its own con- lieve that datacenters should break monolithic servers troller to manage its hardware. This hardware re- into disaggregated, network-attached hardware compo- source disaggregation architecture is enabled by recent nents. Despite the promising benefits of hardware re- advances in network technologies [24, 42, 52, 66, 81, 88] source disaggregation, no existing OSes or software sys- and the trend towards increasing processing power in tems can properly manage it.
    [Show full text]
  • Brno University of Technology Vysoké Učení Technické V Brně
    BRNO UNIVERSITY OF TECHNOLOGY VYSOKÉ UČENÍ TECHNICKÉ V BRNĚ FACULTY OF INFORMATION TECHNOLOGY FAKULTA INFORMAČNÍCH TECHNOLOGIÍ DEPARTMENT OF INTELLIGENT SYSTEMS ÚSTAV INTELIGENTNÍCH SYSTÉMŮ AUTOMATED SECURITY COMPLIANCE SCANNING OF MS WINDOWS OPERATING SYSTEM USING OPENSCAP PROJECT AUTOMATIZOVANÉ OVĚŘOVÁNÍ KONFIGURACE OPERAČNÍHO SYSTÉMU MS WINDOWS POMOCÍ PROJEKTU OPENSCAP MASTER’S THESIS DIPLOMOVÁ PRÁCE AUTHOR Bc. JAN ČERNÝ AUTOR PRÁCE SUPERVISOR Ing. ALEŠ SMRČKA, Ph.D. VEDOUCÍ PRÁCE BRNO 2018 Abstract This work deals with security compliance of computer systems, namely operating systems, applications and system services. Concept of security policies, their evaluation and their enforcement is described. Security compliance automation and the SCAP standard are presented. OpenSCAP project, which is used as an SCAP scanner, is described together with its tools and its usage. An idea to add support of Microsoft Windows within Open- SCAP, which was previously unsupported, is presented. The core part of the thesis is to identify necessary changes of OpenSCAP and to design an extension of this project. All these modifications are implemented. The solution is demonstrated on security policies for Windows. The solution is evaluated and further improvements are discussed. Abstrakt Tato práce se zabývá problematikou bezpečné konfigurace výpočetních systémů, jako jsou operační systémy, aplikace a služby. Seznamuje čtenáře s konceptem bezpečnostních poli- tik a jejich ověřováním. Soustředí se na problematiku automatizace bezpečné konfigurace s důrazem na standard SCAP. Popisuje projekt OpenSCAP, který se používá jako SCAP scanner, jeho aplikace a jejich použití. Navrhuje rozšířit OpenSCAP i na operační sys- tém Microsoft Windows, který doposud nebyl podporován. Těžištěm práce je identifikace nutných změn projektu OpenSCAP a návrh jeho rozšíření.
    [Show full text]
  • Sysinternals Learning Resources
    THE PERSONAL COMPUTER SPECIALIST Sysinternals Learning Resources Help and Support Sysinternals Learning Resources Help Desk Books Windows Internals Book Homepage The official updates and errata page for the definitive book on Windows internals, by Mark Russinovich and David Solomon. Windows Sysinternals Administrator's Reference The official guide to the Sysinternals utilities by Mark Russinovich and Aaron Margosis, including descriptions of all the tools, their features, how to use them for troubleshooting, and example real-world cases of their use. Articles Inside the Windows Vista Kernel: Part 1 Inside the Windows Vista Kernel: Part 2 Inside the Windows Vista Kernel: Part 3 Inside Windows Vista User Account Control Inside Windows Server 2008 Kernel Changes Mark's Blog Articles Hunting Down and Killing Ransomware Scareware, a type of malware that mimics antimalware software, has been around for a decade and shows no sign of going away. The goal of scareware is to fool a user into thinking that their computer is heavily infected with malware and the most convenient...(read more) Monday, Jan 7 The Case of the Unexplained FTP Connections A key part of any cybersecurity plan is “continuous monitoring”, or enabling auditing and monitoring throughout a network environment and configuring automated analysis of the resulting logs to identify anomalous behaviors that merit investigation. This...(read more) Tuesday, Oct 30 Windows Azure Host Updates: Why, When, and How Windows Azure’s compute platform, which includes Web Roles, Worker Roles, and Virtual Machines, is based on machine virtualization. It’s the deep access to the underlying operating system that makes Windows Azure’s Platform-as-a-Service (PaaS) uniquely...(read more) Wednesday, Aug 22 The Case of the Veeerrry Slow Logons This case is my favorite kind of case, one where I use my own tools to solve a This case is my favorite kind of case, one where I use my own tools to solve a problem affecting me personally.
    [Show full text]
  • Finding Privesc with Procmon
    FINDING PRIVESC WITH PROCMON Vetle Økland ::1 • Pentester @ Nagarro • Live here in Oslo • Too young to understand why Windows does anything • Twitter: @bordplate • Blog: https://bordplate.no/blog/en What is Procmon? Process Monitor Boot logging • Consider disabling anti-virus scanning for smaller log files What are we looking for? Image from: https://krbtgt.pw/dacl-permissions-overwrite-privilege-escalation- cve-2019-0841/ DACL Permissions Overwrite Privilege Escalation (CVE-2019-0841) by Nabeel Ahmed Paths and Files • PATH NOT FOUND • NAME NOT FOUND Both of these in a user-writable folder indicate you can influence the program. Will wary based on file type and the program handling the files. Image from a vulnerability found by Florian Bogner at bogner.sh: https://bogner.sh/2018/02/local-privilege-escalation-in-crashplans-windows-client/ SetSecurityFile / Permission Overwrite CVE-2019-8452 – Permission Overwrite Hard links to any file • Courtesy of James Forshaw from Google’s Project Zero • Normal mklink tool does not allow hard links to files you don’t have write-access to • ZwSetInformationFile does not enforce that check • CreateHardLinkW does however • Native-HardLink.ps1 from https://github.com/ FuzzySecurity/PowerShell-Suite/blob/master/Native- HardLink.ps1 by @fuzzysec (Ruben Boonen) Unquoted service paths DLL search order hijacking Configuration • Need to have local admin Useful filters • SYSTEM • NAME NOT FOUND / PATH NOT FOUND • SetSecurityFilter (by its own) Exporting for other tools • Exports to CSV and XML • Exporting for XML with stack traces can create *really* big files Exploring in Procmon Hunting in registry • Not seen any potential for abuse • Include SYSTEM user • Exclude starting with HKLM and HKCU AccessEnum .
    [Show full text]