DOCSLIB.ORG

Kpatch Without Stop Machine the Next Step of Kernel Live Patching

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

LinuxCon NA 2014 (Aug. 2014) Kpatch Without Stop Machine The Next Step of Kernel Live Patching Masami Hiramatsu <[email protected]> Linux Technology Research Center Yokohama Research Lab. Hitachi Ltd., © Hitachi, Ltd. 2014. All rights reserved. 1 Speaker • Masami Hiramatsu – A researcher, working for Hitachi • Researching many RAS features – A linux kprobes-related maintainer • Ftrace dynamic kernel event (a.k.a. kprobe-tracer) • Perf probe (a tool to set up the dynamic events) • X86 instruction decoder (in kernel) © Hitachi, Ltd. 2014. All rights reserved. 2 Agenda: Kpatch Without Stop Machine Background Story Kpatch internal Kpatch without stop_machine Conclusion and Discussion Note: this presentation is only focusing on the kernel-module side of kpatch. More generic design and implementation, please attend to - kpatch: Have Your Security And Eat It Too! – Josh Poimboeuf Aug. 22. pm2:30 © Hitachi, Ltd. 2014. All rights reserved. 3 Agenda: Kpatch Without Stop Machine Background Story What is kpatch? Live patching requirements Major updates and Minor updates Kpatch internal Kpatch Overview Active Safeness check Stop_machine Kpatch without stop_machine Live Patcing Rules Kpatch Reference Counter Safeness check without stop_machine Conclusion and Discussion © Hitachi, Ltd. 2014. All rights reserved. 4 What’s Kpatch? • Kpatch is a LIVE patching function for kernel – This applys a binary patch to kernel on-line – Patching is done without shutdown • Only for a small and critical issues – Not for major kernel update © Hitachi, Ltd. 2014. All rights reserved. 5 Why Live Patching Required? • Live patching is important for appliances for mission critical systems – Some embedded appliances are hard to maintain frequently • Those are distributed widely in country side • Not in the big data center! – Some appliances can’t accept 10ms downtime • Factory control system etc. © Hitachi, Ltd. 2014. All rights reserved. 6 But for Major Updates? • M.C. systems have periodic maintenance – Major fixes can be applied and rebooted – In between the maintenance, live patching will be used • Live patching and major update are complement each other – Live patching temporarily fixes small critical incidents – Major update permanently fixes all bugs Planned Maintenance minor critical Live Patching Major Update © Hitachi, Ltd. 2014. All rights reserved. 7 The History of Live patching on Linux • Live patching is not new 2004 2014 For Pannus Live Patch (2004-2006) Developed for CGL http://pannus.sourceforge.net/ applic No distribution support ation Ptrace and mmap based one Livepatch (2005) http://ukai.jp/Slides/2005/1202-b2con/mop/livepatch.html ksplice (2007-) For https://www.ksplice.com/ kernel Build from scratch kGraft (2014) Acquired and supported by Oracle kpatch (2014) Use ftrace to replace function Will be supported by major distributors © Hitachi, Ltd. 2014. All rights reserved. 8 Agenda: Kpatch Without Stop Machine Background Story What is kpatch? Live patching requirements Major updates and Minor updates Kpatch internal Kpatch Overview Active Safeness check Stop_machine Kpatch without stop_machine Live Patcing Rules Kpatch Reference Counter Safeness check without stop_machine Conclusion and Discussion © Hitachi, Ltd. 2014. All rights reserved. 9 Kpatch: Overview • Kpatch has 2 components – Kpatch build: Build a binary patch module – Kpatch.ko: The kernel module of Kpatch Running Original Build Current Per-function src vmlinux diff linux Patch Patch module Kpatch.ko Patched Patched Build A module which Do patch src vmlinux contains new New functions functions On old functions Done by Kpatch build Done by kpatch.ko Today’s talk © Hitachi, Ltd. 2014. All rights reserved. 10 Kpatch: How to Patch • Kpatch uses Ftrace to patch – Hook the target function entry with registers – Change regs->ip to new function (change the flow) Ftrace hooks Find the new Foo() entry IP from hash Call foo() table foo() ftrace … Call fentry Save Regs kpatch.ko … Call ftrace_ops Get new IP from Return Hash table Restore Regs Change regs->ip Ret to regs->ip Foo() is called even Ret to regs->ip Return After patching. New foo() Function pointer is Available … Ftrace returns Return To new foo() © Hitachi, Ltd. 2014. All rights reserved. 11 Conflict of Old and New Functions • Kpatch will update the execution path of a function – Q: What happen if the patched function is under executed? – A: Old and new functions are executed at the same time !!This should not happen!! • Kpatch ensures the old functions are not executed when patching – “Active Safeness Check” © Hitachi, Ltd. 2014. All rights reserved. 12 Active Safeness Check • Executing functions are on the stack • And IP register points current function too Stack at here Func1 Func1+XX Func2 Stack at here Func2+YY Func1+XX Func3 • Active Safeness Check – Do stack dump to check the target functions are not executed, for each thread. – Need to be done when the process is stopped. – stop_machine is used © Hitachi, Ltd. 2014. All rights reserved. 13 Active Safeness Check With Stop_machine • Kpatch uses stop_machine to check stacks Time Patching Add Process Ftrace entry Call old Process1 func1 Process2 Call old Process3 func2 © Hitachi, Ltd. 2014. All rights reserved. 14 Active Safeness Check With Stop_machine • Kpatch uses stop_machine to check stacks Call Stop Machine Time Patching Add Process Ftrace entry Call old Process1 func1 Process2 Call old Process3 func2 All running processes and interrupts are stopped © Hitachi, Ltd. 2014. All rights reserved. 15 Active Safeness Check With Stop_machine • Kpatch uses stop_machine to check stacks Call Stop Machine Time Patching Add Safeness Process Ftrace entry Check Call old Process1 func1 Walk through the all Thread and check Process2 Old funcs on stacks Call old Process3 func2 All running processes and interrupts are stopped © Hitachi, Ltd. 2014. All rights reserved. 16 Active Safeness Check With Stop_machine • Kpatch uses stop_machine to check stacks Call Stop Machine Return Time Patching Add Safeness Update hash Process Ftrace entry Check table Call old Process1 func1 Walk through the all Thread and check Process2 Old funcs on stacks Call New func2 Call old Call New Process3 func2 func1 Now switch to All running processes and New functions interrupts are stopped © Hitachi, Ltd. 2014. All rights reserved. 17 Stop_machine: Pros and Cons • Pros – Safe, simple and easy to review, Good for the 1st version • Cons – Stop_machine stops all processes a while • It is critical for control/network appliances – In virtual environment, this takes longer time • We need to wait all VCPUs are scheduled on the host machine © Hitachi, Ltd. 2014. All rights reserved. 18 Agenda: Kpatch Without Stop Machine Background Story What is kpatch? Live patching requirements Major updates and Minor updates Kpatch internal Kpatch and Ftrace Kpatch and Safeness check Stop_machine Kpatch without stop_machine Live Patching Rules Kpatch Reference Counter Safeness check without stop_machine Conclusion and Discussion © Hitachi, Ltd. 2014. All rights reserved. 19 Live Patching Rules • Live patching must follow the rules 1. All the new functions in a patch must be applied at once ● We need an atomic operation 2. After switching new function, the old function must not be executed ● We have to ensure no threads runs on old functions ● And no threads sleeps on them © Hitachi, Ltd. 2014. All rights reserved. 20 Two actions for the solution 1. Introduce an atomic reference counter 2. Active safeness check at the context switch © Hitachi, Ltd. 2014. All rights reserved. 21 Atomic Function Reference Counter 1. Introduce an atomic reference counter – Without stop_machine, functions can be called while patching • Ensure no one actually runs functions -> refcounter • Increment the refcounter at entry • Decrement the refcounter at exit – If refcounter is 0, update ALL function paths • We are sure there is no users © Hitachi, Ltd. 2014. All rights reserved. 22 Kpatch Reference Counter • Patching(switching) controlled by refcount Time Patching Add Process +1 Ftrace entry Process1 Process2 Process3 Start patcing Refcnt = 1 © Hitachi, Ltd. 2014. All rights reserved. Kpatch Reference Counter • Patching(switching) controlled by refcount Time Patching Add Prepare new Safeness Process +1 Ftrace entry Hash table Check Call old Call old Process1 +1 func1 -1 +1 func2 -1 Each function call Process2 Inc/dec refcnt While patching Call old Process3 +1 func1 -1 Start patcing Refcnt = 1 © Hitachi, Ltd. 2014. All rights reserved. Kpatch Reference Counter • Patching(switching) controlled by refcount Time Patching Add Prepare new Safeness Process +1 Ftrace entry Hash table Check -1 Call old Call old Call old Process1 +1 func1 -1 +1 func2 -1 +1 func3 Each function call Call old Process2 Inc/dec refcnt While patching +1 func3 -1 Call old Process3 +1 func1 -1 Patching process Is over, but refcnt Is not 0 Start patcing Refcnt = 1 © Hitachi, Ltd. 2014. All rights reserved. 25 Kpatch Reference Counter • Patching(switching) controlled by refcount Time Patching Add Prepare new Safeness +1 -1 Process Ftrace entry Hash table Check Don’t count Call old Call old Call old refcnt anymore Process1 +1 func1 -1 +1 func2 -1 +1 func3 -1 Each function call Call old Call New Process2 Inc/dec refcnt Call New While patching +1 func3 -1 func2 Call old Process3 +1 func1 -1 Patching process Call New Is over, but refcnt func1 Is not 0 Refcnt is 0 Start patcing Patch enabled on Refcnt = 1 all funcs © Hitachi, Ltd. 2014. All rights reserved. 26 Kpatch Reference Counter (cont.) • Control the reference counter – Need to stop counting before and after patching – Use atomic_inc_not_zero/dec_if_positive • These are stopped automatically if counter == 0 refcnt 0 0 func call Do not hook function 27 Entry/exit before patching © Hitachi, Ltd. 2014. All rights reserved. Kpatch Reference Counter (cont.) • Control the reference counter – Need to stop counting before and after patching – Use atomic_inc_not_zero/dec_if_positive • These are stopped automatically if counter == 0 refcnt 0 0 1 2 1 0 atomic_inc forcibly inc refcnt atomic_dec Patching atomic_inc_not_zero atomic_dec_if_positive func call func call Do not hook function 28 Entry/exit before patching © Hitachi, Ltd. 2014.
Recommended publications
  • Demystifying the Real-Time Linux Scheduling Latency

    Demystifying the Real-Time Linux Scheduling Latency

    Demystifying the Real-Time Linux Scheduling Latency Daniel Bristot de Oliveira Red Hat, Italy [email protected] Daniel Casini Scuola Superiore Sant’Anna, Italy [email protected] Rômulo Silva de Oliveira Universidade Federal de Santa Catarina, Brazil [email protected] Tommaso Cucinotta Scuola Superiore Sant’Anna, Italy [email protected] Abstract Linux has become a viable operating system for many real-time workloads. However, the black-box approach adopted by cyclictest, the tool used to evaluate the main real-time metric of the kernel, the scheduling latency, along with the absence of a theoretically-sound description of the in-kernel behavior, sheds some doubts about Linux meriting the real-time adjective. Aiming at clarifying the PREEMPT_RT Linux scheduling latency, this paper leverages the Thread Synchronization Model of Linux to derive a set of properties and rules defining the Linux kernel behavior from a scheduling perspective. These rules are then leveraged to derive a sound bound to the scheduling latency, considering all the sources of delays occurring in all possible sequences of synchronization events in the kernel. This paper also presents a tracing method, efficient in time and memory overheads, to observe the kernel events needed to define the variables used in the analysis. This results in an easy-to-use tool for deriving reliable scheduling latency bounds that can be used in practice. Finally, an experimental analysis compares the cyclictest and the proposed tool, showing that the proposed method can find sound bounds faster with acceptable overheads. 2012 ACM Subject Classification Computer systems organization → Real-time operating systems Keywords and phrases Real-time operating systems, Linux kernel, PREEMPT_RT, Scheduling latency Digital Object Identifier 10.4230/LIPIcs.ECRTS.2020.9 Supplementary Material ECRTS 2020 Artifact Evaluation approved artifact available at https://doi.org/10.4230/DARTS.6.1.3.
  • Red Hat Enterprise Linux 7 7.1 Release Notes

    Red Hat Enterprise Linux 7 7.1 Release Notes

    Red Hat Enterprise Linux 7 7.1 Release Notes Release Notes for Red Hat Enterprise Linux 7 Red Hat Customer Content Services Red Hat Enterprise Linux 7 7.1 Release Notes Release Notes for Red Hat Enterprise Linux 7 Red Hat Customer Content Services Legal Notice Copyright © 2015 Red Hat, Inc. This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed. Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law. Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries. Linux ® is the registered trademark of Linus Torvalds in the United States and other countries. Java ® is a registered trademark of Oracle and/or its affiliates. XFS ® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries. MySQL ® is a registered trademark of MySQL AB in the United States, the European Union and other countries. Node.js ® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
  • Context Switch in Linux – OS Course Memory Layout – General Picture

    Context Switch in Linux – OS Course Memory Layout – General Picture

    ContextContext switchswitch inin LinuxLinux ©Gabriel Kliot, Technion 1 Context switch in Linux – OS course Memory layout – general picture Stack Stack Stack Process X user memory Process Y user memory Process Z user memory Stack Stack Stack tss->esp0 TSS of CPU i task_struct task_struct task_struct Process X kernel Process Y kernel Process Z kernel stack stack and task_struct stack and task_struct and task_struct Kernel memory ©Gabriel Kliot, Technion 2 Context switch in Linux – OS course #1 – kernel stack after any system call, before context switch prev ss User Stack esp eflags cs … User Code eip TSS … orig_eax … tss->esp0 es Schedule() function frame esp ds eax Saved on the kernel stack during ebp a transition to task_struct kernel mode by a edi jump to interrupt and by SAVE_ALL esi macro edx thread.esp0 ecx ebx ©Gabriel Kliot, Technion 3 Context switch in Linux – OS course #2 – stack of prev before switch_to macro in schedule() func prev … Schedule() saved EAX, ECX, EDX Arguments to contex_switch() Return address to schedule() TSS Old (schedule’s()) EBP … tss->esp0 esp task_struct thread.eip thread.esp thread.esp0 ©Gabriel Kliot, Technion 4 Context switch in Linux – OS course #3 – switch_to: save esi, edi, ebp on the stack of prev prev … Schedule() saved EAX, ECX, EDX Arguments to contex_switch() Return address to schedule() TSS Old (schedule’s()) EBP … tss->esp0 ESI EDI EBP esp task_struct thread.eip thread.esp thread.esp0 ©Gabriel Kliot, Technion 5 Context switch in Linux – OS course #4 – switch_to: save esp in prev->thread.esp
  • Oracle® Linux Administrator's Solutions Guide for Release 6

    Oracle® Linux Administrator's Solutions Guide for Release 6

    Oracle® Linux Administrator's Solutions Guide for Release 6 E37355-64 August 2017 Oracle Legal Notices Copyright © 2012, 2017, Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited. The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing. If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable: U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S.
  • Adaptive Android Kernel Live Patching

    Adaptive Android Kernel Live Patching

    Adaptive Android Kernel Live Patching Yue Chen Yulong Zhang Zhi Wang Liangzhao Xia Florida State University Baidu X-Lab Florida State University Baidu X-Lab Chenfu Bao Tao Wei Baidu X-Lab Baidu X-Lab Abstract apps contain sensitive personal data, such as bank ac- counts, mobile payments, private messages, and social Android kernel vulnerabilities pose a serious threat to network data. Even TrustZone, widely used as the se- user security and privacy. They allow attackers to take cure keystore and digital rights management in Android, full control over victim devices, install malicious and un- is under serious threat since the compromised kernel en- wanted apps, and maintain persistent control. Unfortu- ables the attacker to inject malicious payloads into Trust- nately, most Android devices are never timely updated Zone [42, 43]. Therefore, Android kernel vulnerabilities to protect their users from kernel exploits. Recent An- pose a serious threat to user privacy and security. droid malware even has built-in kernel exploits to take Tremendous efforts have been put into finding (and ex- advantage of this large window of vulnerability. An ef- ploiting) Android kernel vulnerabilities by both white- fective solution to this problem must be adaptable to lots hat and black-hat researchers, as evidenced by the sig- of (out-of-date) devices, quickly deployable, and secure nificant increase of kernel vulnerabilities disclosed in from misuse. However, the fragmented Android ecosys- Android Security Bulletin [3] in recent years. In ad- tem makes this a complex and challenging task. dition, many kernel vulnerabilities/exploits are publicly To address that, we systematically studied 1;139 An- available but never reported to Google or the vendors, droid kernels and all the recent critical Android ker- let alone patched (e.g., exploits in Android rooting nel vulnerabilities.
  • What Is an Operating System III 2.1 Compnents II an Operating System

    What Is an Operating System III 2.1 Compnents II an Operating System

    Page 1 of 6 What is an Operating System III 2.1 Compnents II An operating system (OS) is software that manages computer hardware and software resources and provides common services for computer programs. The operating system is an essential component of the system software in a computer system. Application programs usually require an operating system to function. Memory management Among other things, a multiprogramming operating system kernel must be responsible for managing all system memory which is currently in use by programs. This ensures that a program does not interfere with memory already in use by another program. Since programs time share, each program must have independent access to memory. Cooperative memory management, used by many early operating systems, assumes that all programs make voluntary use of the kernel's memory manager, and do not exceed their allocated memory. This system of memory management is almost never seen any more, since programs often contain bugs which can cause them to exceed their allocated memory. If a program fails, it may cause memory used by one or more other programs to be affected or overwritten. Malicious programs or viruses may purposefully alter another program's memory, or may affect the operation of the operating system itself. With cooperative memory management, it takes only one misbehaved program to crash the system. Memory protection enables the kernel to limit a process' access to the computer's memory. Various methods of memory protection exist, including memory segmentation and paging. All methods require some level of hardware support (such as the 80286 MMU), which doesn't exist in all computers.
  • Kernel Boot-Time Tracing

    Kernel Boot-Time Tracing

    Kernel Boot-time Tracing Linux Plumbers Conference 2019 - Tracing Track Masami Hiramatsu <[email protected]> Linaro, Ltd. Speaker Masami Hiramatsu - Working for Linaro and Linaro members - Tech Lead for a Landing team - Maintainer of Kprobes and related tracing features/tools Why Kernel Boot-time Tracing? Debug and analyze boot time errors and performance issues - Measure performance statistics of kernel boot - Analyze driver init failure - Debug boot up process - Continuously tracing from boot time etc. What We Have There are already many ftrace options on kernel command line ● Setup options (trace_options=) ● Output to printk (tp_printk) ● Enable events (trace_events=) ● Enable tracers (ftrace=) ● Filtering (ftrace_filter=,ftrace_notrace=,ftrace_graph_filter=,ftrace_graph_notrace=) ● Add kprobe events (kprobe_events=) ● And other options (alloc_snapshot, traceoff_on_warning, ...) See Documentation/admin-guide/kernel-parameters.txt Example of Kernel Cmdline Parameters In grub.conf linux /boot/vmlinuz-5.1 root=UUID=5a026bbb-6a58-4c23-9814-5b1c99b82338 ro quiet splash tp_printk trace_options=”sym-addr” trace_clock=global ftrace_dump_on_oops trace_buf_size=1M trace_event=”initcall:*,irq:*,exceptions:*” kprobe_event=”p:kprobes/myevent foofunction $arg1 $arg2;p:kprobes/myevent2 barfunction %ax” What Issues? Size limitation ● kernel cmdline size is small (< 256bytes) ● A half of the cmdline is used for normal boot Only partial features supported ● ftrace has too complex features for single command line ● per-event filters/actions, instances, histograms. Solutions? 1. Use initramfs - Too late for kernel boot time tracing 2. Expand kernel cmdline - It is not easy to write down complex tracing options on bootloader (Single line options is too simple) 3. Reuse structured boot time data (Devicetree) - Well documented, structured data -> V1 & V2 series based on this. Boot-time Trace: V1 and V2 series V1 and V2 series posted at June.
  • Protecting Your Linux Systems with Oracle Ksplice

    Protecting Your Linux Systems with Oracle Ksplice

    Staying Ahead of Cyberthreats: Protecting Your Linux Systems with Oracle Ksplice The Advantages Of Zero-Downtime Patching April 23, 2020 Copyright © 2020, Oracle and/or its affiliates Public TABLE OF CONTENTS Introduction 2 Why Patching Matters 2 About Oracle Ksplice 3 Other Benefits 3 Conclusion 4 Learn More 4 1 WHITE PAPER | Staying Ahead of Cyberthreats: Protecting Your Linux Systems Copyright © 2020, Oracle and/or its affiliates |Public INTRODUCTION IT systems require regular patching for security, performance, and compliance reasons. For Linux operating system (OS) kernel updates, which include “Availability requirements important new security enhancements and bug fixes, releases happen about 1 are on the rise for once per month. These updates help keep systems current with the latest organizations undergoing innovations. However, manually patching systems has many inherent digital transformations. challenges and difficulties which tends to delay their timely application. For this Downtimes are costly, reason, zero-downtime patching solutions for Linux, like Oracle Ksplice, are with unplanned becoming essential tools. In this paper, Oracle Ksplice’s capabilities and many infrastructure downtimes advantages are explained. costing $100,000 per hour on an average. With Why Patching Matters the possibility of every organization being a Inadequate patch management can leave loopholes in the IT infrastructure leading to target for cyberattacks various security and performance issues. Ideally, patches should be applied shortly after and attackers moving very release to ensure the latest system protections. Patching typically requires downtime quickly to exploit system which, depending on operations, can require weeks or months of advanced planning. vulnerabilities, IDC Most Linux patching also traditionally happens at the disk level for file systems, which has recommends several disadvantages.
  • Hiding Process Memory Via Anti-Forensic Techniques

    Hiding Process Memory Via Anti-Forensic Techniques

    DIGITAL FORENSIC RESEARCH CONFERENCE Hiding Process Memory via Anti-Forensic Techniques By: Frank Block (Friedrich-Alexander Universität Erlangen-Nürnberg (FAU) and ERNW Research GmbH) and Ralph Palutke (Friedrich-Alexander Universität Erlangen-Nürnberg) From the proceedings of The Digital Forensic Research Conference DFRWS USA 2020 July 20 - 24, 2020 DFRWS is dedicated to the sharing of knowledge and ideas about digital forensics research. Ever since it organized the first open workshop devoted to digital forensics in 2001, DFRWS continues to bring academics and practitioners together in an informal environment. As a non-profit, volunteer organization, DFRWS sponsors technical working groups, annual conferences and challenges to help drive the direction of research and development. https://dfrws.org Forensic Science International: Digital Investigation 33 (2020) 301012 Contents lists available at ScienceDirect Forensic Science International: Digital Investigation journal homepage: www.elsevier.com/locate/fsidi DFRWS 2020 USA d Proceedings of the Twentieth Annual DFRWS USA Hiding Process Memory Via Anti-Forensic Techniques Ralph Palutke a, **, 1, Frank Block a, b, *, 1, Patrick Reichenberger a, Dominik Stripeika a a Friedrich-Alexander Universitat€ Erlangen-Nürnberg (FAU), Germany b ERNW Research GmbH, Heidelberg, Germany article info abstract Article history: Nowadays, security practitioners typically use memory acquisition or live forensics to detect and analyze sophisticated malware samples. Subsequently, malware authors began to incorporate anti-forensic techniques that subvert the analysis process by hiding malicious memory areas. Those techniques Keywords: typically modify characteristics, such as access permissions, or place malicious data near legitimate one, Memory subversion in order to prevent the memory from being identified by analysis tools while still remaining accessible.
  • Improving the Performance of Hybrid Main Memory Through System Aware Management of Heterogeneous Resources

    Improving the Performance of Hybrid Main Memory Through System Aware Management of Heterogeneous Resources

    IMPROVING THE PERFORMANCE OF HYBRID MAIN MEMORY THROUGH SYSTEM AWARE MANAGEMENT OF HETEROGENEOUS RESOURCES by Juyoung Jung B.S. in Information Engineering, Korea University, 2000 Master in Computer Science, University of Pittsburgh, 2013 Submitted to the Graduate Faculty of the Kenneth P. Dietrich School of Arts and Sciences in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Computer Science University of Pittsburgh 2016 UNIVERSITY OF PITTSBURGH KENNETH P. DIETRICH SCHOOL OF ARTS AND SCIENCES This dissertation was presented by Juyoung Jung It was defended on December 7, 2016 and approved by Rami Melhem, Ph.D., Professor at Department of Computer Science Bruce Childers, Ph.D., Professor at Department of Computer Science Daniel Mosse, Ph.D., Professor at Department of Computer Science Jun Yang, Ph.D., Associate Professor at Electrical and Computer Engineering Dissertation Director: Rami Melhem, Ph.D., Professor at Department of Computer Science ii IMPROVING THE PERFORMANCE OF HYBRID MAIN MEMORY THROUGH SYSTEM AWARE MANAGEMENT OF HETEROGENEOUS RESOURCES Juyoung Jung, PhD University of Pittsburgh, 2016 Modern computer systems feature memory hierarchies which typically include DRAM as the main memory and HDD as the secondary storage. DRAM and HDD have been extensively used for the past several decades because of their high performance and low cost per bit at their level of hierarchy. Unfortunately, DRAM is facing serious scaling and power consumption problems, while HDD has suffered from stagnant performance improvement and poor energy efficiency. After all, computer system architects have an implicit consensus that there is no hope to improve future system’s performance and power consumption unless something fundamentally changes.
  • Review Der Linux Kernel Sourcen Von 4.9 Auf 4.10

    Review Der Linux Kernel Sourcen Von 4.9 Auf 4.10

    Review der Linux Kernel Sourcen von 4.9 auf 4.10 Reviewed by: Tested by: stecan stecan Period of Review: Period of Test: From: Thursday, 11 January 2018 07:26:18 o'clock +01: From: Thursday, 11 January 2018 07:26:18 o'clock +01: To: Thursday, 11 January 2018 07:44:27 o'clock +01: To: Thursday, 11 January 2018 07:44:27 o'clock +01: Report automatically generated with: LxrDifferenceTable, V0.9.2.548 Provided by: Certified by: Approved by: Account: stecan Name / Department: Date: Friday, 4 May 2018 13:43:07 o'clock CEST Signature: Review_4.10_0_to_1000.pdf Page 1 of 793 May 04, 2018 Review der Linux Kernel Sourcen von 4.9 auf 4.10 Line Link NR. Descriptions 1 .mailmap#0140 Repo: 9ebf73b275f0 Stephen Tue Jan 10 16:57:57 2017 -0800 Description: mailmap: add codeaurora.org names for nameless email commits ----------- Some codeaurora.org emails have crept in but the names don't exist for them. Add the names for the emails so git can match everyone up. Link: http://lkml.kernel.org/r/[email protected] 2 .mailmap#0154 3 .mailmap#0160 4 CREDITS#2481 Repo: 0c59d28121b9 Arnaldo Mon Feb 13 14:15:44 2017 -0300 Description: MAINTAINERS: Remove old e-mail address ----------- The ghostprotocols.net domain is not working, remove it from CREDITS and MAINTAINERS, and change the status to "Odd fixes", and since I haven't been maintaining those, remove my address from there. CREDITS: Remove outdated address information ----------- This address hasn't been accurate for several years now.
  • Context Switch Overheads for Linux on ARM Platforms

    Context Switch Overheads for Linux on ARM Platforms

    Context Switch Overheads for Linux on ARM Platforms Francis David [email protected] Jeffrey Carlyle [email protected] Roy Campbell [email protected] http://choices.cs.uiuc.edu Outline What is a Context Switch? ◦ Overheads ◦ Context switching in Linux Interrupt Handling Overheads ARM Experimentation Platform Context Switching ◦ Experiment Setup ◦ Results Interrupt Handling ◦ Experiment Setup ◦ Results What is a Context Switch? Storing current processor state and restoring another Mechanism used for multi-tasking User-Kernel transition is only a processor mode switch and is not a context switch Sources of Overhead Time spent in saving and restoring processor state Pollution of processor caches Switching between different processes ◦ Virtual memory maps need to be switched ◦ Synchronization of memory caches Paging Context Switching in Linux Context switch can be implemented in userspace or in kernelspace New 2.6 kernels use Native POSIX Threading Library (NPTL) NPTL uses one-to-one mapping of userspace threads to kernel threads Our experiments use kernel 2.6.20 Outline What is a Context Switch? ◦ Overheads ◦ Context switching in Linux Interrupt Handling Overheads ARM Experimentation Platform Context Switching ◦ Experiment Setup ◦ Results Interrupt Handling ◦ Experiment Setup ◦ Results Interrupt Handling Interruption of normal program flow Virtual memory maps not switched Also causes overheads ◦ Save and restore of processor state ◦ Perturbation of processor caches Outline What is a Context Switch? ◦ Overheads ◦ Context switching