Download It to a Target System Where It Is Executed As the Local OS

Total Page:16

File Type:pdf, Size:1020Kb

Download It to a Target System Where It Is Executed As the Local OS ENABLING USER-MODE PROCESSES IN THE TARGET OS FOR CSC 159 OPERATING SYSTEM PRAGMATICS A Project Presented to the faculty of the Department of Computer Science California State University, Sacramento Submitted in partial satisfaction of the requirements for the degree of MASTER OF SCIENCE in Computer Science by Michael Bradley Colson SPRING 2018 © 2018 Michael Bradley Colson ALL RIGHTS RESERVED ii ENABLING USER-MODE PROCESSES IN THE TARGET OS FOR CSC 159 OPERATING SYSTEM PRAGMATICS A Project by Michael Bradley Colson Approved by: __________________________________, Committee Chair Dr. Weide Chang __________________________________, Second Reader Dr. Yuan Cheng ____________________________ Date iii Student: Michael Bradley Colson I certify that this student has met the requirements for format contained in the University format manual, and that this project is suitable for shelving in the Library and credit is to be awarded for the project. __________________________, Graduate Coordinator ___________________ Dr. Jinsong Ouyang Date Department of Computer Science iv Abstract of ENABLING USER-MODE PROCESSES IN THE TARGET OS FOR CSC 159 OPERATING SYSTEM PRAGMATICS by Michael Bradley Colson One of the main responsibilities of an Operating System (OS) is to ensure system stability and security. Most OSes utilize mechanisms built into the CPU hardware to prevent user-mode processes from altering the state of the system or accessing protected spaces and hardware I/O ports. A process should only read from or write to memory addresses in its address space. In order to accomplish the above, the CPU is typically designed to operate in two or more modes with different privilege levels. The OS typically runs in the mode with highest privilege level, which enables it to execute any instruction and gives it access to all the memory in the system. To improve system reliability, security and stability, applications usually run in the mode with the lowest privilege level. At Sacramento State University, CSC 159 (Operating System Pragmatics) students learn to develop an OS using the SPEDE (System Programmer’s Educational Development Environment) framework. SPEDE provides an environment to build an OS executable image and download it to a target system where it is executed as the local OS. While SPEDE provides an excellent development environment for students to learn how v to develop an OS, one limitation is it does not currently support running processes in user-mode (only kernel-mode is supported). In order to give students a better understanding of how an OS can provide security and protection, it is necessary to enable the support for user-mode processes. The goals of this project are to establish a supportive software component for the creation of user-mode processes, enabling and enforcing memory protection for the process runtime and handling of runtime exceptions in a virtual memory paging system, such as page faults and general protection faults in the OS kernel. In order to achieve these goals, additional kernel data structures must be implemented (e.g. paging table structures, a Task State Segment, modified process trap frame, etc.) along with handlers for page faults and general protection faults. _______________________, Committee Chair Dr. Weide Chang _______________________ Date vi ACKNOWLEDGEMENTS I would like to thank the project sponsor, Dr. Weide Chang for his guidance and support on this project. Dr. Chang took time out of his busy schedule to provide me with valuable advice and feedback on all phases of the project. His knowledge of Operating Systems and Computer Architecture played a significant role in the successful completion of this project. I would also like to thank Dr. Yuan Cheng for being the second reader for this project. His guidance and feedback were extremely helpful in completing all the requirements for the project in a timely manner. I would also like to thank the entire CSUS Computer Science department and faculty for supporting me to become a successful student. vii TABLE OF CONTENTS Page Acknowledgements .................................................................................................... vii List of Tables .............................................................................................................. xi List of Figures ............................................................................................................ xii Chapter 1. INTRODUCTION .................................................................................................. 1 1.1 Project Overview ........................................................................................ 1 1.2 Project Objectives ....................................................................................... 2 1.3 Related Work .............................................................................................. 3 1.4 Expected Results ......................................................................................... 4 1.5 Background ................................................................................................. 5 2. OVERVIEW OF THE X86 CPU ARCHITECTURE ............................................ 9 2.1 Intel/AMD x86 Architecture Overview ...................................................... 9 2.2 Protected Mode Structures ........................................................................ 12 2.3 Task Switching .......................................................................................... 14 2.4 Virtual Memory and Address Translation ................................................ 18 2.5 Exceptions and Interrupts ......................................................................... 21 3. OVERVIEW OF THE SPEDE X86 DEVELOPMENT ENVIRONMENT ........ 25 3.1 Overview of SPEDE ................................................................................. 25 3.2 FLASH – Flames Shell ............................................................................. 30 3.3 Flint – Flames Interface ............................................................................ 31 viii 3.4 GNU Debugger ......................................................................................... 32 3.5 Virtual SPEDE .......................................................................................... 33 4. METHODOLOGY ............................................................................................... 36 4.1 Creating User-Mode and Kernel-Mode Processes .................................... 36 4.2 Dispatching User-Mode and Kernel-Mode Processes .............................. 38 4.3 Memory Protection for User-Mode Processes .......................................... 39 4.4 Handling Exceptions and Faults Generated by User-Mode Processes ..... 39 5. IMPLEMENTATION ........................................................................................... 41 5.1 Organization of the Target OS Source Code ............................................ 41 5.2 Kernel Data Structures Overview ............................................................. 43 5.3 Kernel Data Structures to Enable User-Mode Processes .......................... 44 5.4 Kernel Task State Segment Implementation ............................................. 46 5.5 API for Creating and Dispatching User-Mode Processes ......................... 47 5.6 API for Creating and Dispatching Kernel-Mode Processes ..................... 49 5.7 Handling Software Interrupts Generated by User-Mode Processes ......... 50 5.8 Page-Fault Handler Implementation ......................................................... 50 5.9 General-Protection Fault Handler Implementation ................................... 53 6. TESTING .............................................................................................................. 54 6.1 Testing Approach ...................................................................................... 54 6.2 Test Cases ................................................................................................. 56 7. RESULTS AND EVALUATION......................................................................... 60 8. CONCLUSION AND FUTURE WORK ............................................................. 63 ix Appendix A. SOURCE CODE ................................................................................. 65 References .................................................................................................................. 76 x LIST OF TABLES Tables Page 1. Segment Descriptors Added to the GDT in the Target OS ............................. 27 2. SPEDE Library Files........................................................................................ 28 3. Target OS Source Files .................................................................................... 42 4. Target OS Kernel Data Structures ................................................................... 43 5. Test Cases to Verify the Software Requirements ............................................ 56 xi LIST OF FIGURES Figures Page 1. General-Purpose and Segment Registers in an x86 CPU ................................ 12 2. Protection Rings in an x86 CPU ...................................................................... 14 3. 32-bit x86 Task State Segment ........................................................................ 15 4. Paging Structures in an x86 Computer ............................................................ 20 5. Stack Contents after an Exception or Interrupt ...............................................
Recommended publications
  • Demystifying the Real-Time Linux Scheduling Latency
    Demystifying the Real-Time Linux Scheduling Latency Daniel Bristot de Oliveira Red Hat, Italy [email protected] Daniel Casini Scuola Superiore Sant’Anna, Italy [email protected] Rômulo Silva de Oliveira Universidade Federal de Santa Catarina, Brazil [email protected] Tommaso Cucinotta Scuola Superiore Sant’Anna, Italy [email protected] Abstract Linux has become a viable operating system for many real-time workloads. However, the black-box approach adopted by cyclictest, the tool used to evaluate the main real-time metric of the kernel, the scheduling latency, along with the absence of a theoretically-sound description of the in-kernel behavior, sheds some doubts about Linux meriting the real-time adjective. Aiming at clarifying the PREEMPT_RT Linux scheduling latency, this paper leverages the Thread Synchronization Model of Linux to derive a set of properties and rules defining the Linux kernel behavior from a scheduling perspective. These rules are then leveraged to derive a sound bound to the scheduling latency, considering all the sources of delays occurring in all possible sequences of synchronization events in the kernel. This paper also presents a tracing method, efficient in time and memory overheads, to observe the kernel events needed to define the variables used in the analysis. This results in an easy-to-use tool for deriving reliable scheduling latency bounds that can be used in practice. Finally, an experimental analysis compares the cyclictest and the proposed tool, showing that the proposed method can find sound bounds faster with acceptable overheads. 2012 ACM Subject Classification Computer systems organization → Real-time operating systems Keywords and phrases Real-time operating systems, Linux kernel, PREEMPT_RT, Scheduling latency Digital Object Identifier 10.4230/LIPIcs.ECRTS.2020.9 Supplementary Material ECRTS 2020 Artifact Evaluation approved artifact available at https://doi.org/10.4230/DARTS.6.1.3.
    [Show full text]
  • University of California at Berkeley College of Engineering Department of Electrical Engineering and Computer Science
    University of California at Berkeley College of Engineering Department of Electrical Engineering and Computer Science EECS 61C, Fall 2003 Lab 2: Strings and pointers; the GDB debugger PRELIMINARY VERSION Goals To learn to use the gdb debugger to debug string and pointer programs in C. Reading Sections 5.1-5.5, in K&R GDB Reference Card (linked to class page under “resources.”) Optional: Complete GDB documentation (http://www.gnu.org/manual/gdb-5.1.1/gdb.html) Note: GDB currently only works on the following machines: • torus.cs.berkeley.edu • rhombus.cs.berkeley.edu • pentagon.cs.berkeley.edu Please ssh into one of these machines before starting the lab. Basic tasks in GDB There are two ways to start the debugger: 1. In EMACS, type M-x gdb, then type gdb <filename> 2. Run gdb <filename> from the command line The following are fundamental operations in gdb. Please make sure you know the gdb commands for the following operations before you proceed. 1. How do you run a program in gdb? 2. How do you pass arguments to a program when using gdb? 3. How do you set a breakpoint in a program? 4. How do you set a breakpoint which which only occurs when a set of conditions is true (eg when certain variables are a certain value)? 5. How do you execute the next line of C code in the program after a break? 1 6. If the next line is a function call, you'll execute the call in one step. How do you execute the C code, line by line, inside the function call? 7.
    [Show full text]
  • Theendokernel: Fast, Secure
    The Endokernel: Fast, Secure, and Programmable Subprocess Virtualization Bumjin Im Fangfei Yang Chia-Che Tsai Michael LeMay Rice University Rice University Texas A&M University Intel Labs Anjo Vahldiek-Oberwagner Nathan Dautenhahn Intel Labs Rice University Abstract Intra-Process Sandbox Multi-Process Commodity applications contain more and more combina- ld/st tions of interacting components (user, application, library, and Process Process Trusted Unsafe system) and exhibit increasingly diverse tradeoffs between iso- Unsafe ld/st lation, performance, and programmability. We argue that the Unsafe challenge of future runtime isolation is best met by embracing syscall()ld/st the multi-principle nature of applications, rethinking process Trusted Trusted read/ architecture for fast and extensible intra-process isolation. We IPC IPC write present, the Endokernel, a new process model and security Operating System architecture that nests an extensible monitor into the standard process for building efficient least-authority abstractions. The Endokernel introduces a new virtual machine abstraction for Figure 1: Problem: intra-process is bypassable because do- representing subprocess authority, which is enforced by an main is opaque to OS, sandbox limits functionality, and inter- efficient self-isolating monitor that maps the abstraction to process is slow and costly to apply. Red indicates limitations. system level objects (processes, threads, files, and signals). We show how the Endokernel Architecture can be used to develop enforces subprocess access control to memory and CPU specialized separation abstractions using an exokernel-like state [10, 17, 24, 25, 75].Unfortunately, these approaches only organization to provide virtual privilege rings, which we use virtualize minimal parts of the CPU and neglect tying their to reorganize and secure NGINX.
    [Show full text]
  • Context Switch in Linux – OS Course Memory Layout – General Picture
    ContextContext switchswitch inin LinuxLinux ©Gabriel Kliot, Technion 1 Context switch in Linux – OS course Memory layout – general picture Stack Stack Stack Process X user memory Process Y user memory Process Z user memory Stack Stack Stack tss->esp0 TSS of CPU i task_struct task_struct task_struct Process X kernel Process Y kernel Process Z kernel stack stack and task_struct stack and task_struct and task_struct Kernel memory ©Gabriel Kliot, Technion 2 Context switch in Linux – OS course #1 – kernel stack after any system call, before context switch prev ss User Stack esp eflags cs … User Code eip TSS … orig_eax … tss->esp0 es Schedule() function frame esp ds eax Saved on the kernel stack during ebp a transition to task_struct kernel mode by a edi jump to interrupt and by SAVE_ALL esi macro edx thread.esp0 ecx ebx ©Gabriel Kliot, Technion 3 Context switch in Linux – OS course #2 – stack of prev before switch_to macro in schedule() func prev … Schedule() saved EAX, ECX, EDX Arguments to contex_switch() Return address to schedule() TSS Old (schedule’s()) EBP … tss->esp0 esp task_struct thread.eip thread.esp thread.esp0 ©Gabriel Kliot, Technion 4 Context switch in Linux – OS course #3 – switch_to: save esi, edi, ebp on the stack of prev prev … Schedule() saved EAX, ECX, EDX Arguments to contex_switch() Return address to schedule() TSS Old (schedule’s()) EBP … tss->esp0 ESI EDI EBP esp task_struct thread.eip thread.esp thread.esp0 ©Gabriel Kliot, Technion 5 Context switch in Linux – OS course #4 – switch_to: save esp in prev->thread.esp
    [Show full text]
  • Memory Layout and Access Chapter Four
    Memory Layout and Access Chapter Four Chapter One discussed the basic format for data in memory. Chapter Three covered how a computer system physically organizes that data. This chapter discusses how the 80x86 CPUs access data in memory. 4.0 Chapter Overview This chapter forms an important bridge between sections one and two (Machine Organization and Basic Assembly Language, respectively). From the point of view of machine organization, this chapter discusses memory addressing, memory organization, CPU addressing modes, and data representation in memory. From the assembly language programming point of view, this chapter discusses the 80x86 register sets, the 80x86 mem- ory addressing modes, and composite data types. This is a pivotal chapter. If you do not understand the material in this chapter, you will have difficulty understanding the chap- ters that follow. Therefore, you should study this chapter carefully before proceeding. This chapter begins by discussing the registers on the 80x86 processors. These proces- sors provide a set of general purpose registers, segment registers, and some special pur- pose registers. Certain members of the family provide additional registers, although typical application do not use them. After presenting the registers, this chapter describes memory organization and seg- mentation on the 80x86. Segmentation is a difficult concept to many beginning 80x86 assembly language programmers. Indeed, this text tends to avoid using segmented addressing throughout the introductory chapters. Nevertheless, segmentation is a power- ful concept that you must become comfortable with if you intend to write non-trivial 80x86 programs. 80x86 memory addressing modes are, perhaps, the most important topic in this chap- ter.
    [Show full text]
  • Allgemeines Abkürzungsverzeichnis
    Allgemeines Abkürzungsverzeichnis L.
    [Show full text]
  • What Is an Operating System III 2.1 Compnents II an Operating System
    Page 1 of 6 What is an Operating System III 2.1 Compnents II An operating system (OS) is software that manages computer hardware and software resources and provides common services for computer programs. The operating system is an essential component of the system software in a computer system. Application programs usually require an operating system to function. Memory management Among other things, a multiprogramming operating system kernel must be responsible for managing all system memory which is currently in use by programs. This ensures that a program does not interfere with memory already in use by another program. Since programs time share, each program must have independent access to memory. Cooperative memory management, used by many early operating systems, assumes that all programs make voluntary use of the kernel's memory manager, and do not exceed their allocated memory. This system of memory management is almost never seen any more, since programs often contain bugs which can cause them to exceed their allocated memory. If a program fails, it may cause memory used by one or more other programs to be affected or overwritten. Malicious programs or viruses may purposefully alter another program's memory, or may affect the operation of the operating system itself. With cooperative memory management, it takes only one misbehaved program to crash the system. Memory protection enables the kernel to limit a process' access to the computer's memory. Various methods of memory protection exist, including memory segmentation and paging. All methods require some level of hardware support (such as the 80286 MMU), which doesn't exist in all computers.
    [Show full text]
  • Advanced Practical Programming for Scientists
    Advanced practical Programming for Scientists Thorsten Koch Zuse Institute Berlin TU Berlin SS2017 The Zen of Python, by Tim Peters (part 1) ▶︎ Beautiful is better than ugly. ▶︎ Explicit is better than implicit. ▶︎ Simple is better than complex. ▶︎ Complex is better than complicated. ▶︎ Flat is better than nested. ▶︎ Sparse is better than dense. ▶︎ Readability counts. ▶︎ Special cases aren't special enough to break the rules. ▶︎ Although practicality beats purity. ▶︎ Errors should never pass silently. ▶︎ Unless explicitly silenced. ▶︎ In the face of ambiguity, refuse the temptation to guess. Advanced Programming 78 Ex1 again • Remember: store the data and compute the geometric mean on this stored data. • If it is not obvious how to compile your program, add a REAME file or a comment at the beginning • It should run as ex1 filenname • If you need to start something (python, python3, ...) provide an executable script named ex1 which calls your program, e.g. #/bin/bash python3 ex1.py $1 • Compare the number of valid values. If you have a lower number, you are missing something. If you have a higher number, send me the wrong line I am missing. File: ex1-100.dat with 100001235 lines Valid values Loc0: 50004466 with GeoMean: 36.781736 Valid values Loc1: 49994581 with GeoMean: 36.782583 Advanced Programming 79 Exercise 1: File Format (more detail) Each line should consists of • a sequence-number, • a location (1 or 2), and • a floating point value > 0. Empty lines are allowed. Comments can start a ”#”. Anything including and after “#” on a line should be ignored.
    [Show full text]
  • Irmx® 286/Irmx® II Troubleshooting Guide
    iRMX® 286/iRMX® II Troubleshooting Guide Q1/1990 Order Number: 273472-001 inter iRMX® 286/iRMX® II Troubleshooting Guide Q1/1990 Order Number: 273472-001 Intel Corporation 2402 W. Beardsley Road Phoenix, Arizona Mailstop DV2-42 Intel Corporation (UK) Ltd. Pipers Way Swindon, Wiltshire SN3 1 RJ United Kingdom Intel Japan KK 5-6 Tokodai, Toyosato-machi Tsukuba-gun Ibaragi-Pref. 300-26 An Intel Technical Report from Technical Support Operations Copyright ©1990, Intel Corporation Copyright ©1990, Intel Corporation The information in this document is subject to change without notice. Intel Corporation makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Intel Corporation assumes no responsibility for any errors that ~ay :!ppe3r in this d~ur:::ent. Intel Corpomtion make:; nc ccmmitmcut tv update nor to keep C"l..iiTeilt thc information contained in this document. Intel Corporation assUmes no responsibility for the use of any circuitry other than circuitry embodied in an Intel product. No other circuit patent licenses are implied. Intel software products are copyrighted by and shall remain the property of Intel Corporation. Use, duplication or disclosure is subject to restrictions stated in Intel's software license, or as defined in FAR 52.227-7013. No part of this document may be copied or reproduced in any form or by any means without the prior written consent of Intel Corporation. The following are trademarks of Intel Corporation
    [Show full text]
  • Measuring and Improving Memory's Resistance to Operating System
    University of Michigan CSE-TR-273-95 Measuring and Improving Memory’s Resistance to Operating System Crashes Wee Teck Ng, Gurushankar Rajamani, Christopher M. Aycock, Peter M. Chen Computer Science and Engineering Division Department of Electrical Engineering and Computer Science University of Michigan {weeteck,gurur,caycock,pmchen}@eecs.umich.edu Abstract: Memory is commonly viewed as an unreliable place to store permanent data because it is per- ceived to be vulnerable to system crashes.1 Yet despite all the negative implications of memory’s unreli- ability, no data exists that quantifies how vulnerable memory actually is to system crashes. The goals of this paper are to quantify the vulnerability of memory to operating system crashes and to propose a method for protecting memory from these crashes. We use software fault injection to induce a wide variety of operating system crashes in DEC Alpha work- stations running Digital Unix, ranging from bit errors in the kernel stack to deleting branch instructions to C-level allocation management errors. We show that memory is remarkably resistant to operating system crashes. Out of the 996 crashes we observed, only 17 corrupted file cache data. Excluding direct corruption from copy overruns, only 2 out of 820 corrupted file cache data. This data contradicts the common assump- tion that operating system crashes often corrupt files in memory. For users who need even greater protec- tion against operating system crashes, we propose a simple, low-overhead software scheme that controls access to file cache buffers using virtual memory protection and code patching. 1 Introduction A modern storage hierarchy combines random-access memory, magnetic disk, and possibly optical disk or magnetic tape to try to keep pace with rapid advances in processor performance.
    [Show full text]
  • Clusterfuzz: Fuzzing at Google Scale
    Black Hat Europe 2019 ClusterFuzz Fuzzing at Google Scale Abhishek Arya Oliver Chang About us ● Chrome Security team (Bugs--) ● Abhishek Arya (@infernosec) ○ Founding Chrome Security member ○ Founder of ClusterFuzz ● Oliver Chang (@halbecaf) ○ Lead developer of ClusterFuzz ○ Tech lead for OSS-Fuzz 2 Fuzzing ● Effective at finding bugs by exploring unexpected states ● Recent developments ○ Coverage guided fuzzing ■ AFL started “smart fuzzing” (Nov’13) ○ Making fuzzing more accessible ■ libFuzzer - in-process fuzzing (Jan’15) ■ OSS-Fuzz - free fuzzing for open source (Dec’16) 3 Fuzzing mythbusting ● Fuzzing is only for security researchers or security teams ● Fuzzing only finds security vulnerabilities ● We don’t need fuzzers if our project is well unit-tested ● Our project is secure if there are no open bugs 4 Scaling fuzzing ● How to fuzz effectively as a Defender? ○ Not just “more cores” ● Security teams can’t write all fuzzers for the entire project ○ Bugs create triage burden ● Should seamlessly fit in software development lifecycle ○ Input: Commit unit-test like fuzzer in source ○ Output: Bugs, Fuzzing Statistics and Code Coverage 5 Fuzzing lifecycle Manual Automated Fuzzing Upload builds Build bucket Cloud Storage Find crash Write fuzzers De-duplicate Minimize Bisect File bug Fix bugs Test if fixed (daily) Close bug 6 Assign bug ClusterFuzz ● Open source - https://github.com/google/clusterfuzz ● Automates everything in the fuzzing lifecycle apart from “fuzzer writing” and “bug fixing” ● Runs 5,000 fuzzers on 25,000 cores, can scale more ● Cross platform (Linux, macOS, Windows, Android) ● Powers OSS-Fuzz and Google’s fuzzing 7 Fuzzing lifecycle 1. Write fuzzers 2. Build fuzzers 3. Fuzz at scale 4.
    [Show full text]
  • Understanding the Microsoft Office 2013 Protected-View Sandbox
    MWRI PUBLIC UNDERSTANDING THE MICROSOFT OFFICE 2013 PROTECTED-VIEW SANDBOX Yong Chuan, Koh (@yongchuank) 2015/07/09 mwrinfosecurity.com | © MWR InfoSecurity MWRI PUBLIC MWRI PUBLIC Table of Contents 1. Introduction .................................................................................................................... 3 2. Sandbox Internals ............................................................................................................. 4 2.1 Architecture .............................................................................................................. 4 2.1.1 Interception Component ......................................................................................... 4 2.1.2 Elevation Policy Manager ........................................................................................ 4 2.1.3 Inter-Process Communication ................................................................................... 5 2.2 Sandbox Restrictions.................................................................................................... 6 2.2.1 Sandbox Initialization ............................................................................................ 6 2.2.2 File Locations .................................................................................................... 12 2.2.3 Registry Keys ..................................................................................................... 12 2.2.4 Network Connections ..........................................................................................
    [Show full text]