Soma-notes - User contributions [en]

Operating Systems 2017F Lecture 23

2017-12-09T16:16:33Z

Aleksp: /* Additional Notes */

==Video==

[http://homeostasis.scs.carleton.ca/~soma/os-2017f/lectures/comp3000-2017f-lec23-07Dec2017.mp4 Lecture 23 Video]

==Notes==

===In Class===
<pre>
Lecture 23
----------

How can you tell when a process has been compromised?
- from outside the process

Classic: signatures
- is it running "bad code"
- is it doing "bad things"
- bad system calls

For a process to do damage, it has to make "bad" system calls

How can I tell if a process is making bad system calls?

I want to be lazy
- complex rules are a pain
- and, they don't work well either

Make the computer solve the problem for me of determining what is good and bad
- use machine learning

But I can't teach good versus bad because I don't know bad very well

But...I do know how systems "normally" behave

How about teaching the system to differentiate normal from abnormal?
- normal is "good"
- abnormal may be bad

abnormal but not bad => false positive

How do we detect abnormal system calls?

Learn normal patterns of system calls over time
once you've learned enough, watch for abnormal system calls

Since I'm lazy, I want it to learn as it runs
- and automatically decide when it has learned enough

Could I do the learning in a process (or set of processes)?
- you could, but all data would have to come from the kernel

Want something fast and simple
- implement in the kernel

How simple could it be?

First assumption: ignore arguments

Second assumption: look at ordering of systems calls on a per-thread, per-process basis

Third assumption: characterize processes based on the executable they are running

- model per executable, each trained on multiple processes

How to model the trace of system calls coming from a process?

* frequency analysis?
- on a system call basis
- high variance

* what system calls are made (and not made)?

* short sequences of system calls?
6-10
</pre>

===Additional Notes===
Written solutions for midterm exam are on the course webpage 
Assignment 4 
Q2: SSH keygen generates the secret key and the public key file. The private key is stored in the private key file: .ssh/id_rsa 
Q4: Both lines because first you start from 1 and then increment from there. 
Q11: Only bs because it is write. Would be ibs and bs if it was read. 
Q12: Local kernel forwards the write system call but doesn't actually make the system call. Kernels don't make system calls. 
Lecture 23 Prof Notes 
-----------------
How can you tell when a process has been compromised. 
- from outside the process 
Use signatures 
- is it running "bad code" 
- is it doing "bad things" 
-- For example: password program start modifying files other than etc/password. You could specify rules to prevent this. 
-- bad system calls 
For a process to do damage, it has to make "bad" system calls 
I want to be lazy 
- complex rules are a pain 
- and they don't work well either 
Make the computer solve this problem 
- Use Machine Learning 
I can't teach good versus bad if I don't know what is bad 
But I know how systems behave normally 
How about teaching the system to differentiate normal from abnormal 
- normal is good 
- abnormal may be bad 
abnormal but not bad => false positive 
False positives can be a big issue because they may cause ppl to not trust the machine's detection capabilities 
 
How can we detect abnormal system calls? 
Learn normal patterns of system calls over time 
Once you've learned enough, watch for abnormal system calls 
Since I'm lazy, I want to learn it as it runs 
- and automatically decide when it has learned enough 
 
Could I do the learning in a process (or set of processes)? 
you could, but all data would have to come from the kernel 
Want something fast and simple 
- implement in the kernel 
How simple could it be? 
 
First assumption: ignore arguments 
Second assumption: look at ordering of system calls on a per-thread, per-process basis 
Third Assumption: characterize processes based on the executable they are running 
model per executable, each trained on multiple processes 
How to model the trace of system calls coming from a procesd 
* frequency analysis? 
- on a system call basis 
- high variance 
* what system calls are made (and not made)? 
* short sequence of system calls? 6-10 calls 

Lecture 23

How can you tell a process has been compromised (i.e. from outside the process)?
* The process is working on behalf of an attacker
 
Classic way to do this:
* Pattern matching -> signatures
::* is the process running bad code?
::* is the process doing bad things?
:::* i.e. /etc/passwd -> password prog. should only be able to access it
:::* if a process is going to do bad things, it's going to make "bad" system calls
 
So, how can we tell if a process is making bad system calls?
 
Don't want to sit and write complex rules to determine:
* Which programs should make which system calls, etc.
::* i.e. policy based systems and sandboxing of processes
 
Therefore, we want the computer to determine what call is good/bad.
* i.e. use machine learning
 
The issue is, we have to demonstrate, not just "good", but also "bad" 
We have lots of examples of "bad", but is not necessarily representative of "bad" 
Difficult to enumerate all possible occurences of "bad" 
 
However, we know how systems "normally" behave
 
How about teaching the system to differentiate normal from abnormal?
* Assume:
::* normal is "good"
::* abnormal may be bad
:::* there is no guarantee that abnormal is bad, however, if it's bad, but not abnormal... we're in trouble
:::* false positives are bad (i.e. abnormal but not good)
 
How do we detect abnormal system calls?
* a machine learning problem
* the system should learn as it runs and decide when it has learned "enough"
::* learn normal patterns of system calls over time
:::* once learned enough, watch for abnormal system calls
 
Could we do the learning within processes?
* possible, but all data would have to come from the kernel
 
Want something fast and simple, so it can be implemented in the kernel
* you're right at ground-level, where decisions are being made
::* i.e. if bad system call being made -> can stop it immediatelly

* don't want to be training a neural network to do this -> too complicated, too much overhead
 
''Thu 7 Dec 2017 13:53:01 EST -> Video of observing system calls, ls vs. xclock''
 
=== First assumption: ===
ignore the arguments system calls are making -> look at the calls themselves
* but, different processes invoke different calls -> how to compare them?
* even multi-threaded processes will mirror the structure of the code in the calls it makes

=== Second assumption: ===
look at the ordering of system calls on a per-thread, per-process basis
* doesn't make sense to think of 'ls' system calls in the context of 'xclock' system calls
 
Therefore, any profiling will be based on the code being executed

=== Third assumption: ===
characterize processes based on the executable they are running
* model per executable, with each one trained on multiple processes
 
How do we model the trace of system calls coming from a process?
* How often do different system calls hapen? -> frequency analysis
* high variance -> the calls change frequently
::* i.e. ls of a large dir vs. small dir

::* What system calls does a process makes or doesn't make?

::* Rather than examining if a process does or doesn't make a particular system call, instead look at short sequences of system calls being made.
:::* What is the variation in the pattern of sequences of calls being made? A compromised program will be detectable.

:::* Table lookup of sequences made by a program and compare against new sequences
 
How short is a short sequence of system calls? -> 6 to 10

When a program is running, the short sequences define the control flow path of the program 
The short sequences together represent the control flow 
When a program is exploited, an abnormal control flow, an uncommon path, is being used 
 
Try the simple hack first, rather than designing/engineering a complex solution
* the simple hack will often present valuable insights

Operating Systems 2017F Lecture 19

2017-12-07T17:20:06Z

Aleksp: /* Additional Notes */

==Video==

[http://homeostasis.scs.carleton.ca/~soma/os-2017f/lectures/comp3000-2017f-lec19-21Nov2017.mp4]

==Notes==

===In Class===

<pre>
Lecture 19
----------

Where's main?

* lots of programs have "main" functions - a function that runs first and controls the execution of the program
* Do these have "main" functions? In what sense?
- Linux kernel modules
- FUSE applications?
- the Linux kernel?
- node web applications?

In many systems, "main" just sets up event handlers
- the event loop can be implicit or explicit
- or there may be no loop at all, just handlers and "interrupts" of some kind
- event loops poll (check) to see when there are new events

OS kernels are essentially the same thing
</pre>

Additional Notes:

Important notes:
How can you recover a filesystem?
How do you delete a file?
What is a filesystem?:
*persistent data structure
* stored in fixed-sized blocks (at least 512 bytes in size)
*maps hierarchical filenames to file contents
*has metadata about files (somwhow)
What is in a filesystem?
*data blocks
*metadata blocks
How do you organize metdata:
1) First you must identify characteristics of the file system
Superblock : summary y block which tells you about the other blocks you have and it depends on which file system you have. It’s usually the first block of a file system.
In the superblock? :
1) What kind of file system is this? By checking what is the magic number it has
2) How big is the file system?
3) How is it organized?
4) Where can I find the rest of the metadata?

*How can you identify which file system it is from looking at the super class
-> google “magic number of a file”
-> ex: jpg ctr^c ctr^c : switched the pictures into a binary file
-> look at the beginning of the file you will see JFIF: first several bytes in general that identifies the type of the file (magic number)
File extension :
 what is it ?
 is it important
 the kernel does not know and not care about it

For POSIX file systems:
-.> file metadata is stored in inodes
-.> most have pre-reserved inodes
-> the only way you can run out of inodes if you keep creating small files

Usenet : al the things you use to post messages thro social media, email, etc. Those were made using Usenet. Like email but Local Usenet server. But it died over time. Every message is stored in an individual file.

Important commands:
File * : to identify the kind of file system
1. As : Run dumpe2fs foo. What does the output of this command mean?
 Does this give you info about the file system?
 File bar : bar is the file name and cp comp3000-midterm-2017.pdf bar
 Evince bar : opens up the pdf file

=== Additional Notes ===

Where's main?
* lots of program shave "main" functions - a function that runs first and controls the execution of the program 
* Do these have "main" functions? 
** Linux kernel modules 
** FUSE applications? 
** the linux kernel? 
** node web applications? 

In many systems, "main" just sets up even handlers 
* the event loop can be implicit or explicit 
** or there may be no loop at all, just handlers and "interrupts" some kind 
* event loops poll (check) to see when there are new events 
* what are event loops for node app? 
** where are interrupts for node apps? 
***Incoming network requests, it's an event 

Code run differently in the kernel : 

1)functions runs on the bhealf of insmod, unles sit is Independence context 

2)codes that run on the bhelaf o the process 

3)after an interrupt: no process , it is an interrupt cotext 

4) file names : regular programs but the square brackets, execution context + address space. they share the kernel's address space, they are called kernel threads which are independently scheduling . You can not kill them but you can change their scheduling , maybe their priority but not 100%. 

does it create a proces? no , but it can create a kernel thread (is it a process? virtual adress space, . 
multi- threaded: maintains multiple address processes , ex: fire fox. 

ps -elF | less "number" : displays threads.

top : displays all the processes 

ls time : shows you the time .

sys: how much time in the kernel space
real: how much time
user : how much time in user space

process : can't manipulate its own memory map directly, it has an address space, but cant change it. Process: is limited but the kernel is not and the kernel can change it's own address and in charge of its self. 

Kernel tasks : are threads, when a process makes a system call , thi sis schedules in the process priority. 

When running 
"time ls" 
real = realtime it took to run
user = the user space time
sys = kernel time

What's flow of control in tutorial 7? 
What is the connection? 
To exit the program, we must unmount the filesystem, run "sudo umount mnt" 

OS kernels are essentially the same thing 

what is the flow of control ? what connection between things we are doing in the new terminal and the old one 

-> these programs are communicating to each other, it will be invoked when we use mnt (mount) the kernel knows it is a filesystem , process runs system calls, then kernel talks to out original terminal. How? you can use strace to know, it is waiting to be invoked, to receive and responds to messages. events will be passed off to another process. switching between one process to another. it has potential security benefits. 

Key to understand this tutorial : 

-> understand net flow control. 

-> how do processes communicate? 

-> how does it take a directory int and creates a filesystem from it?: 

***sub tree starting at mount is delegated to this process. 
***permissions are limited 

How to kill it? 

-> ctrl c , no , you can but the kernel will be unhappy. 
-> unmount the file system when you are done using it 
-> umount / you have to do it as root 

Node web applications 
* Theres not a dedicated main function but its the first thing that runs 
* Every line in the node application terminates 
* If you start a web server, the function call starting it will terminate 
* Whats running? The main has finished. Is the program doing anything actively if theres no external input? 
* In many systems main just sets up event handlers 
* The event loop can be implicit or explicit 
* Its possible to have no loop at all just handlers and interrupts of some kind 
* Event loops check to see when there are new events 
* Os kernels behave the same way as node applications 
* Waiting for events 
 

What happens when you use insmod? 
* In newgetpid: Init and exit are called when the insmod program makes system calls to load the module 
* Init is run on behalf on insmod 
* Kernel code fits into 3 categories 
** Code that runs on behalf of a process 
** Code that runs after an interrupt 
** Kernel threads, has lots of functionality 
 
Why is a kernel thread not a process? 
* The kernel maintains its own address space 
* Has its own virtual address map 
* The kernel always has just 1 address space regardless of how many threads there are 
* Processes cannot manipulate its own memory map directly, needs to ask kernel first 
* Processes are limited, the kernel is not, has control over itself 
 
* Kernel tasks = kernel threads 
* Independently scheduled 
* Once we call insmod everything happens in user space 
* Strace uses a system call called ptrace 
 
Tutorial 7: Fuse 
* Memoryll.py program 
* Always unmount a filesystem when youre done using it 
*No class Thursday! no office hours on Wednesday

=== Lecture 19 ===

==== Where's main? ====

* lots of programs have "main" functions - a function that runs first and controls the execution of the program
* do these have "main" functions?
:* Linux kernel modules?
:* FUSE applications?
:* the Linux kernel?
:* node web applications?

===== In many systems, "main" just sets up event handlers =====
* the event loop can be implicit or explicit
:* or there may be no loop at all, just handlers and "interrupts" of some kind
* event loops poll (check) to see when there are new events

===== OS kernels are essentially the same thing -> just sitting around waiting for an event =====
* when an event happens -> do something
* in this case events = interrupts, generally

<blockquote>
::* insmod exec. is execve(), new binary, makes system calls to load new module
::* init, called when insmod makes systemcalls to load new module
::* as part of loading a module, run the function that makes the necessary system calls
::* see static int __init newgetpid_init(void) -> soma notes
::* there is no process... it's an interrupt context --> check in context of assignment
::* the kernel maintains its own address space for all kernel operations... it has its own virtual address map... every process has its own address space, which is created every time a process is created
::* try stracing insmod to see what system calls are being made (Openbox, not on live system)
</blockquote>

==== Tut 7 ====
* if you make a new directory inside /mnt it doesn't affect it
:* what's the control flow here?
:* program running is a kernel interface talking to another kernel interface
:* kernel is handing off anything that happens in /mnt to the running python process
:* the kernel talks to the new filesystem in ../../../mnt, which is waiting for events (waiting to be invoked)
::* classic microkernel architecture

* understand the flow of control... what is the kernel doing?
* what does it mean to have a filesystem implemented

Operating Systems 2017F Lecture 20

2017-12-07T17:09:47Z

Aleksp: /* Additional Notes */

==Video==

[http://homeostasis.scs.carleton.ca/~soma/os-2017f/lectures/comp3000-2017f-lec20-28Nov2017.mp4 Class Video]

==Notes==

===In Class===

<pre>
Lecture 20
----------

When we run "ls" on an sshfs-mounted filesystem
* ls makes system calls (open, getdents) to the local Linux kernel
* the local kernel sees filesystem is FUSE, calls FUSE routines for open, getdents (via vfs abstraction)
* FUSE calls the sshfs process that mounted the filesystem
* sshfs process sends request to remote system
- via socket system calls
* remote sshd process receives request (via system calls)
* remote sshd process accesses local filesystem
- makes open, getdents system calls
- remote kernel checks vfs, calls ext4 routines to access data
* remote sshd process responds to request (via system calls)
* local sshfs process receives response (via system calls)
* local sshfs process responds to FUSE request
* FUSE passes data back to vfs layer, then back to requesting process

Normal file access permission check
- compare uid, gid of file with uid, gid of process

But really...
- compares it with fsuid, fsgid of process
- which is normally same as euid, egid of process
</pre>

===Additional Notes===

Assignment 4 will be autograded and in fill in the blank form. This will not be like the final exam. 
You should think about who is doing what? Otherwise FUSE won't make much sense 
 
Inode numbers completely changed when you use ssh. It starts with 1 from "." (root) and increments from there. 
Inodes come from filesystem you are acessing 
He used df to find filesystem info 
The used Commands: mount | grep ubuntu and mount | grep vda1 to find type of filesystem 
In the SSH there is the filesystem type "fuse.sshfs" 
When you run strace on ls on the two terminals (ssh connection and the local one) you see similar output 
When we run "ls" on an ssh-mounted filesystem 
* ls makes system calls (open, getdents) to the local Linux kernel 
* the local kernel sees the filesystem is FUSE, calls DUSE routines for open, getdents (via vfs abstraction) 
* FUSE calls the sshfs process that mounted the filesystem 
* sshfs process sends request to remote system 
- via socket system calls 
* remote sshd process receives request (via system calls) 
* remote sshd process receives requests (via system calls) 
- makes open, getdents sytem calls 
- rmeote kernel checks vfs, calls ext4 routines to access data 
* remote sshd process responds to requests (via system calls) 
* local sshfs process receives response (via system calls) 
* local sshfs process responds to FUSE request (via system calls) 
* FUSE passes data back to vfs layer, then back to requesting process 
 If you look as lsmod | less you see a ton of modules. Some of the modules are not necessary to mount the root filesystem. 
ls /lib/modules there are directories that store the kernel modules 
You have to have a filesystem that you mount initially that has a bunch of modules in it. Thus, there is an initial root file system that is necessary to load everything else 
This is the initial RAM disk. This filesystem loads the modules needed for the real filesystem. 
To remove a file I need to remove the hardlink from the directory where the hardlink exists 
The password files maps usernames to user id's (Linux does not care about your username) 
Normal file access permission check br>
- compare uid, gid of file with uid, gid of process 
But really: 
- compares it with fsuid, fsgid of process 
- which is normally same as euid, egid of process 
 
Sshfs 
* Inode values are different in remote vm vs local vm 
* Values increment from 1 in local vm 
* Who's supplying the inode values? 
** Ext4 filesystem in local vm 
** Fuse.sshfs filesystem in remote vm 
* Filesystem determines the interpretation of inode values 
* Inodes have no meaning outside its filesystem 
* Local to its filesystem => hardlinks are different too 
* "strace ls" in both output the same thing 
* Vfs not built into original unix filesystems 
* Try "strace"ing the sshfs call, see how its interacts with fuse 
* Don't need to know exact system calls, but you should know when it has to make system calls and why 
** Needs to access files over the network 
* Understand why you can't do this with regular library calls 
* Removing the root filesystem will trigger a kernel panic 
** Kernel will prevent you from unmounting filesystems that contain other filesystems 
* Kernel modules located in "/lib/modules/" 
* Initial filesystem is loaded into kernel 
** Fake filesystem, throw away after loaded, not persistent 
** Ram disk = filesystem stored in ram 
** Gets the system up to the point where the kernel can load the real filesystem 
** Bootloader has to load both kernel and the initial ram disk into ram 
** Ram disks located in "/boot = initrd.img<...>" 
** Kernel version specific 
** Generated as part of installation of kernel 
* Cpio: copies files to and from archives 
 
* What determines whether you can access a file? 
** The filesystem 
* How to map from user id to username? 
** Recall that 
- Kernel knows nothing about usernames 
- This is a userspace process 
- Looks in local password file 
* What determines whether an operation is allowed? 
** Checks to see who owns the file 
** Compare uid, gid of file with uid, gid of process 
* In remote system, sftp does file access checks 
********************************************************************
ADDITIONAL NOTES:

Fuse: makes you think who is doing what?
 How it is connected in the kernel .
 Fuse.sshfs : is what chose the inode numbers?
o Can they be identical to the other inode numbers?
 Yes but why?
 What the process of getting the directories?
The inodes come from the filesystem which you are accessing

Who chose the inode number: the filesystem determine the intereprtation of an inode number, Inode is local to a filesystem.
How is the kernel obtaining information? :
Fuse : has three kinds
1) Fuseblk
2) Fuse
3) Fusectl
Summary of sshfs:
Sshfs process that has to make system call to talk to the network to the remote system.
Similar to a web request , but the difference separate from that we have a different system calls which is the ls process. To do this, the kernel must call a process.
Does sshfs create 2 processes? Yes , it actually creates multiple of process
The remote kernel prespective : file accessing files and sending data back to another system. Remote data is not doing anything special.
*To verify : ps aux | grep ssh
To learn system call sshfs doing ,running local strace as much as you can.
You can mount a file system which would not allow you to mount any further
When you update the kernel : the initial ram disk will not be update since it is redundant, it will generate it.
Can we mount a filesystem in a file?
*
What is suspicious? A lot of repetitive inodes
3rd column : amount of hard links.
Avoid multiple of binaries if you want a small system, you just need the basics.
After mounting it it loads the linux system.
Permissions: the owner can change these permissions, but you can’t take away your own privileges.
1) Removing a file : unlinking the file, removing a hardlink which modifies the directory in which a hardlink exists. Why do I have the permission to remove it?
2) Create a file : ouch afile, ls –la afile,
Premissions:
1) Other
2) User
3) Group
4) Files system has EUID( very important because processes can run as a user but have permissions of another user ) AND GID: permissions what you have and fs is what ur system sees
Minix system which manages your CPU.
Busy Box : One binary to pretend it is different programs and we also have a program which pretends to be many. Give it hard link to different names.
Soma vs anilclass: anil class is special account. The current directory is owned by soma so how did anilclass was able to create a file? Filesystem understands those primission checks? (prof is not sure about this fact and will check it)
Map a user ID to your user name? it’s a user space problem, kernel doesn’t care about the username. By looking at the password file : grep 1000 /etc/passwd.
Where are the permissions done in sshfs? (in the steps
*sftp search process which will determine the permissions. remote file system and the remote kernel (ext4) will check via sftp. All the file access (grabbing the files)
Verify : ps aux | grep sftp
Who started this sftp: the sshd did.

Commands:
Mount | grep “name”
Strace ls : directories look the same although they are mounted since ls can not tell , ls is not doing anything differe just opening ur directory and getting data there
Man sshd : run it and give it aport like 222. Easiest way is using 2 machines on open stack and terminal. It is a good exercise
Initial Ram disk : to get the real root system to be mounted , similar to memory ll.
Sudo mount initrd.img-4.10.0-40-generic /mnt : to mount a file in a file system but it didn’t not work and there is an alternative way of doing this
Anther way : man CPIO : copy files to an form archives . ex : TAR
CPI - - help : to figure it out
Ls –a bin | less
Cd \ boot : RAM disk
Du –s –h : in this case (121mb) to see the size of the busy box but the modules takes up half of that space.
Ls –lai | head
Chmod a-w : you are unable to write to this directory anymore
Chmod o+w : granted permission to other….
Ls –la /bin/fusermount
Who gives us premissions: just does a normal open and read , the remote kernel enforces these premissions.

=== Lecture 20 ===

$ ls -lai less
* inode numbers are completely different -> they are determined by the filesystem
* an inode has no meaning outside its fs; it's local to the fs

What's the filesystem?
* $ df .
* $ mount | grep vda1

Find fuse fs:
* $ cat /roc/filesystems | grep fuse

When we run "ls" on an sshfs-mounted filesystem
* ls makes system calls (open, getdents) to the local linux kernel
* the local kernel sees filesystem is FUSE, calls FUSE routines for open, getdents... (via vfs abstraction)
* FUSE calls the sshfs process that mounted the filesystem
:* $ ps aux | grep sshfs
* sshfs is itself a process that has to make system calls to talk over the network to the remote system
* sshfs process sends request to the remote system
::* via socket system calls
* remote sshd process receives request (via system calls)
* remote sshd process accesses local filesystem
::* makes open, getdents system calls
::* remote kernel checks vfs, calls ext4 routines to access data
* remote sshd process responds to request (via system calls)
* local sshfs process receives response (via system calls)
* local sshfs process responds to FUSE request
* FUSE passes data back to vfs layer, then back to requesting process

* Initial ramdisks - Tue 28 Nov 2017 13:44:34 EST
:* bootloaded loads both the kernel and initial ramdisk into RAM on boot
:* /boot -> initrd. = ramdisk

* $ du -s -h asdf/asdflkj/gkgk
* $ du -s -h .

Display a pid's euid
* $ ps -eo pid, euid | grep YOUR_PID_HERE
* $ ps -eo pid, euid, ruid, suid | grep YOUR_PID_HERE

List mounts:
* $ mount -l
* $ df -aTh

[https://help.ubuntu.com/community/SSHFS SSHFS]
[https://www.cs.nmsu.edu/~pfeiffer/fuse-tutorial/ "Writing a FUSE FS: A tutorial"]

Operating Systems 2017F Lecture 22

2017-12-07T16:58:24Z

Aleksp: /* In Class */

==Video==

[http://homeostasis.scs.carleton.ca/~soma/os-2017f/lectures/comp3000-2017f-lec22-05Dec2017.mp4 Lecture 22 Video]

==Notes==

===In Class===

<pre>
Lecture 22
----------

What's left?

* scheduling
* device drivers
* virtual memory
- page replacement algorithms
- predict the future (optimal)
- least recently used
- one-handed, two-handed clocks
* power management
* security
- hardening processes so coding errors don't lead to vulnerabilities
(machine code injection, e.g. buffer overflow attacks)

* virtualization
- hardware-level (run multiple kernels) <-- vmware, openstack
- OS-level (run multiple userspaces) <-- containers, web hosting
- application level (run programs on simulated machines)
- JVM
- JavaScript runtime in browsers/node

* distributed operating systems
</pre>

ADDITIONAL NOTES :

Comp 3000
Premissions on this directory, readable writable and executable
Execute permission on a Regular file : you can execute
Execute permission on a directory : follow the links on the directory
Can’t make any changes to the directory if you can’t write
There are exceptions :
Less/etc/passwd: doesn’t actually store the password
if you want to change this file, you must have a way to allow limited editing to this.
 You can have a process running as root and send it signals and tell it to update the entry in the password file.
o Starting up a process which has more privileges which I can do , ex: EUID
Ls –la /sbin | grep rws : execve EUID will be set to whatever it is from the file . equal to the uid
Ls –la /sbin | grep r-s: s is a sticky bit, if you need extra premissions
You want your stcky bit to be a regular user
Euid = uid yes
Cd /tmp : directory in which everyone can write
This allows binaries run as users
Set uid and get guid :
Myid has euid now
Change the ownership
- > chown root : root myid
- >chown root : root mytouch
Ls –la : 3rd column identifies the ownership of each file on the file system
You can overwrite any file on the fille system using mytouch binary
Question : why can you remove file owned by root?
- > to change the context of the directory , the permissions of a file don’t matter but the permissions and privileges of the directory only matter
o Someone putting a directory in ur directory is hard to remove
- Ssh to a remote serve :
- 2 public keys involved: identity key, private key pair: one in the known host file (connecting to the machine).
- If you rm _known host and do ssh , a question will ask you to add the key to ur host file
- What happens if a person tries to personate your machine (same IP address)?
o It will identity it is a fake person from the host
First line is a Hashed versionof an IP address : cat .ssh/known_host
Ssh demon : running in the background and must have a public key to identify its self. process that runs in the background that doesn’t run in the background(connects 1 file system to another)
- > connects sockets and listens to connect. Doesn’t interact with user
Thursday: written version of the solutions for the midterm and we will talk about assignment 4
3000 class content
We didn’t discuss scheduling much :
Virtual memory: similar to scheduling since, If you don’t have enough memory , you delete the page that you may want to need at last . Choosing which pages you replace : one-handed and two-handed clocks
Power management
Security
Virtualization : not one thing , vm ware, system which run multiple of kernels.
SSH question student asked, how can they know that they have the private key belongs to the pubkey it belongs to: sends a public key or a hash of th Pubkey , then an exchange : yes I have a secret key which can be inverted by the pubkey. Private key must be corresponding. encrypts with thr private key and sends it back

Lecture 22

'''Synopsis''': UID, GUID, EUID, setuid, setguid

What is and isn't permitted on a Linux system?
* a file we create has a user ID and group ID
** i.e. $ touch
** $ which touch
** $ ls -la /bin/touch

::* touch is owned by root, but has global execute permissions

* fork and execve don't change the user ID of a process
* when we create a file, system checks user ID/group ID under which a process is running

::* if we want to create a file somewhere
::* check permissions on the dir

==== N.B. ====
* on a dir, execute permissions means you can follow the links on the dir; write permissions mean we can create a file

* to change contents of a directory (i.e. remove a file), the permissions on the file don't matter -> the permissions on the directory do!

:* Read permissions let us read the dir, obtain all the file names contained within
:* Execute permission lets us pass through the dir when we need to search it to look for a specific filename
:* To create a new file in a directory, we need to have write and execute permissions

:::* exceptions to this:
::::* $ /etc/passwd
::::* $ ls -la /etc/passwd

::::* we have a process running as root, to which we can send a message/request using IPC and request a change

* how to start up a process that has more privilages than we do? -> effective UID
** EUID can be set by special permissions -> sticky bits
*** after an execve the resulting process will have it's group and user ID set accordingly
*** setting the sticky bit, causes the binary to run as that user
**** any files created will have the user's group