AdministriviaConfining code with legacy OSesUsing chrootEscaping chrootSystem call interpositionLimitations of syscall interpositionReview: What is an OSWhat ifldots How is a process different from HW?Complete Machine SimulationVirtualizing the CPUVirtualizing trapsVirtualizing memoryMMU VirtualizationTracingI/O device virtualizationVirtual Machine MonitorOld idea from the 1960sVirtual Machine Monitor attributesDifferent thought about OSesBackward compatibility with VMMsIsolation & Multi-level securityLogical partitioning of serversExample: VMMs for IDSVMM-based IDSCollective Project: A Compute UtilityCPU virtualization requirementsBinary translationVMware binary translatorControl transferNon-identically translated codeAdaptive binary translationESX mem. mgmt. [Waldspurger]Reclaiming pagesSharing pages across VMsIdle memory taxAdministrivia• Last project due Thursday•Final Exam- Wednesday December 12, 12:15-3:15pm- Right here in Gates B01- Open book, open notes, just like midterm- Covers material from all 19 lectures• No office hours fo r me this week• Instead, will have them next M onday, 2:45-3:45pm- I also plan to be around most of the afternoon that day, so stopby if you have questions before exam• I will also have televise d question session Friday4:15pm-5:05- Please come and bring any questions you might have on lecturematerial– p. 1/36Confining code with legacy OSes• Often want to confine co de on legacy OSes• Analogy: FirewallsHopelesslyInsecureServerattackerattacker- Your machine runs hopelessly insecure software- Can’t fix it—no source or too complicated- Can reason about network traffic• Similarly block unrusted code within a machine- By limiting what it can interact with– p. 2/36Using chroot•hroot (har *dir)“changes root directory”- Kernel stores root directory of each process- File name “/” now refers todir- Accessing “..” indirnow returnsdir• Need root privs to call chroot- But subsequently can drop privileges• Ideally “Chrooted process” wouldn’t affect parts ofthe system outside ofdir- Even process still running as root shouldn’t escape chroot• In reality, many way s to cause damage o utsidedir– p. 3/36Escaping chroot• Re-chroot to a lower directory, then chroot..- Each process has one root directory, so chrooting to a newdirectory can put you above your new root• Create devices that let you access raw disk• Send signals to or ptrace non-chrooted processes• Create setuid program for non-chrooted proc. to run• Bind privileged ports, mess with clo c k, reboot, etc.• Problem: chroot was not originally intended fo rsecurity- FreeBSD jail, Linux vserver have tried to address problems– p. 4/36System call interposition• Why not use ptrace or other debugging facilities tocontrol untrusted programs?• Almost any “damage” must re s ult from system call- delete files → unlink- overwrite files → open/write- attack over network → socket/bind/connect/send/recv- leak private data → open/read/socket/connect/write . . .• So enforce policy by allow ing/disallowing eachsyscall- Theoretically much more fine-grained than chroot- Plus don’t need to be root to do it•Q: Why is this not a panacea?– p. 5/36Limitations of syscall interposition• Hard to know exact implications of a syste m call- Too much context not available outside of kernel(e.g., what’s does this file descriptor number mean?)- Context-dependent (e.g.,/pro/self/wd)• Indirect paths to resources- File descriptor passing, core dumps, “unhelpful processes”• Race conditions- Remember difficulty of eliminating TOCCTOU bugs?- Now imagine malicious application deliberately doing this- Symlinks, directory renames (so “..” changes), . . .– p. 6/36Review: What is an OS• OS is software between a pplications and reality- Abstracts hardware and mak es portable- Makes finite into (near) infinite- Provides protection– p. 7/36What if. . .• The process abstraction looked just like hardware?– p. 8/36How is a process different from HW?Process Hardware• CPU – Non-Privilegedregisters and instructions.• Memory – Virtual memory.• Exceptions – signals, errors.• I/O – File System, Directory,Files, raw devices.• CPU – All registers andinstructions.• Memory – Both virtual andphysical memory, memorymanagement, TLB/pagetables, etc.• Exceptions – Trap architecture,interrupts, etc.• I/O – I/O devices accessed us-ing programmed I/O, DMA,interrupts.– p. 9/36Complete Machine Simulation• Naïve approach• Build a simulation of a ll the hardware.- CPU – A loop that fetches each instruction, decodes it,simulates its effect on the machine state- Memory – Physical memory is just an array, simulate the MMUon all memory accesses- I/O – Simulate I/O devices, programmed I/O, DMA,interrupts• Problem: Too slow!- 100x slowdown mak es it not too useful- CPU/Memory – 100x CPU/MMU simulation- I/O Device – <2x slowdown.• Need faster ways of emulating CPU/MM U– p. 10/36Virtualizing the CPU• Observations: Most instructions are the sam eregardless of processor privileged le v el- Example:inl %eax• Why not just give instructions to CPU to execute?- Safety – How we going to get CPU back? Or stop it fromstepping on u s? How aboutli/halt?- Answer: Use protection mechanism• Run virtual machine’s OS directly on CPU atnon-privileged level- “Trap and emulate” approach- Most instructions just work- Privileged instructions trap into monitor and run simulator oninstruction-Makes some assumptions about architecture– p. 11/36Virtualizing traps• What happens when an interrupt or trap occurs- Like normal k ernels: w e trap into the monitor• What if the interrupt or trap should go to the VM?- Example: Page fault, illegal instruction, system call, interrupt- Re-start the g u est OS simulating the trap• x86 example:- Lookup trap vector in VM’s IDT- Push virtualizeds,eip,eflags, on stack- Switch to virtualized privileged mode– p. 12/36Virtualizing memory• Basic MMU functionality:- OS manages physical memory (0. . . MAX_MEM)- OS sets up page tables mapping VA→PA- CPU accesses to VA should go to PA (Paging off: PA=VA)- Used for every instruction fetch, load, or store• Need to implement a virtual physical memory- Logically need additional level of indirection- VM’s VA → VM’s PA → machine address• Trick: Use hardware MMU to simulate virtual MMU- Can be folded into page
View Full Document