Operating Systems 2019F Lecture 21
Video
The video from the lecture given on November 22, 2019 is now available.
Notes
Lecture 21
----------

questions about the assignment?

assignment 3 due sunday evening

please do course evaluations!

A lot of problems and weird errors come from running out of disk space.

To clean up a disk, you'll probably have to deal with logs (especially if
you have something like the kernel printing lots and lots of messages).

But...logs aren't just text files
 * old style log files are text files
 * systemd's journal introduced binary logs (similar to the Windows event log)

So you may need to delete both.

To delete text log files
 * if it has a number at the end (compressed or not), it is a rotated copy
   that no program has open, so you can just delete it
 * but if it doesn't have a number at the end, it is the live log: a daemon
   still has it open, so deleting it does not free the space until that
   daemon closes the file. You'll have to delete *and* have the logging
   program close and reopen its log file - say, by sending SIGHUP, or by
   killing and restarting the process, or by rebooting. (Truncating the file
   in place instead of deleting it frees the space without any of this.)

Key idea of a Linux kernel rootkit
 * load a kernel module
 * the module patches the system call table so custom code is run
 * the custom syscall code does bad things, then calls the real system call

When the kernel processes a system call, it looks up the system call handler
in the system call table, indexed by system call number
 * system call number n => entry n in the table

To change what a system call does, you patch the table.

You could try patching the system call entry code itself, but that is much
harder and in general not feasible from a module.

Kernel developers know bad guys want to mess with the system call table
 - so there are protections in place that have to be circumvented
 - main protection: the table is mapped read-only
 - so you have to get around this (make the page writable again) before
   you can patch it

If you do even the slightest thing wrong, you'll corrupt the kernel
 - so you may need to reboot every time you try new code
 - you can't tell whether an old bug is messing up your new code or not,
   unless you reboot

Contrast this with eBPF and trace - did you ever have to reboot?
 - note the safety/functionality tradeoff

Assignment 4 will not be graded by the TAs, it will be on cuLearn
 - but general questions will be posted, as will solutions
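Added example (not code from the lecture, and not a tool the course used): a small C program that applies the log-cleanup rule above to a directory. It assumes logrotate-style names, where a rotated copy ends in a number (syslog.1, kern.log-20191122) with an optional compression suffix (syslog.2.gz) and the live file does not; that naming convention, the file names and the sample log line are all constructed for the demo. The point it adds to the notes: unlinking the live file does not give the space back while the daemon still holds it open, whereas truncating it in place does, with no SIGHUP or restart needed.

```c
/* Added example, not from the lecture notes. Rotated copies (name ending in
 * .N, -N, or .N plus a compression suffix; logrotate-style naming is an
 * assumption) are not held open by any program and can be unlinked. The
 * live file is still open by its daemon, so unlinking it does NOT free the
 * blocks until the daemon closes it; truncating it in place frees the space
 * at once and needs no SIGHUP or restart. */
#define _GNU_SOURCE
#include <dirent.h>
#include <limits.h>
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum log_kind { LOG_LIVE, LOG_ROTATED };

/* Rotated if the name ends in .N or -N, optionally followed by .gz/.xz/.bz2/.zst. */
static enum log_kind classify_log(const char *name)
{
    static regex_t re;
    static int compiled;
    if (!compiled) {
        regcomp(&re, "[.-][0-9]+(\\.(gz|xz|bz2|zst))?$", REG_EXTENDED | REG_NOSUB);
        compiled = 1;
    }
    return regexec(&re, name, 0, NULL, 0) == 0 ? LOG_ROTATED : LOG_LIVE;
}

struct clean_stats { int deleted, truncated, failed; };

/* Unlink every rotated log in dir; truncate every live log to zero bytes. */
static struct clean_stats clean_log_dir(const char *dir)
{
    struct clean_stats st = {0, 0, 0};
    char path[PATH_MAX];
    struct stat sb;
    struct dirent *e;
    DIR *d = opendir(dir);

    if (!d) { st.failed = -1; return st; }
    while ((e = readdir(d)) != NULL) {
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        if (stat(path, &sb) != 0 || !S_ISREG(sb.st_mode))
            continue;                        /* skips ".", "..", subdirectories */
        if (classify_log(e->d_name) == LOG_ROTATED) {
            if (unlink(path) == 0) st.deleted++; else st.failed++;
        } else {
            if (truncate(path, 0) == 0) st.truncated++; else st.failed++;
        }
    }
    closedir(d);
    return st;
}

/* Constructed sample names for the demo; the daemons are imaginary. */
static const char *ROTATED[] = {"syslog.1", "syslog.2.gz", "kern.log-20191122", "messages.3.xz"};
static const char *LIVE[] = {"syslog", "kern.log", "auth.log"};
#define N(a) (sizeof (a) / sizeof (a)[0])
static struct clean_stats demo_stats;

/* Build a throwaway directory of sample files, clean it, and return how many
 * files ended up in the wrong state (0 = rotated gone, live present and empty). */
static int run_demo(void)
{
    char dir[] = "/tmp/logclean.XXXXXX", path[PATH_MAX];
    struct stat sb;
    size_t i;
    int bad = 0;
    FILE *f;

    if (!mkdtemp(dir)) return -1;
    for (i = 0; i < N(ROTATED) + N(LIVE); i++) {
        const char *name = i < N(ROTATED) ? ROTATED[i] : LIVE[i - N(ROTATED)];
        snprintf(path, sizeof path, "%s/%s", dir, name);
        if ((f = fopen(path, "w")) == NULL) return -1;
        fputs("Nov 22 10:00:00 host kernel: constructed sample log line\n", f);
        fclose(f);
    }
    demo_stats = clean_log_dir(dir);
    for (i = 0; i < N(ROTATED); i++) {
        snprintf(path, sizeof path, "%s/%s", dir, ROTATED[i]);
        if (stat(path, &sb) == 0) bad++;                     /* should be gone */
    }
    for (i = 0; i < N(LIVE); i++) {
        snprintf(path, sizeof path, "%s/%s", dir, LIVE[i]);
        if (stat(path, &sb) != 0 || sb.st_size != 0) bad++; /* should be empty */
        unlink(path);                                        /* tidy up */
    }
    rmdir(dir);
    return bad;
}

int main(int argc, char **argv)
{
    if (argc > 1) {
        struct clean_stats st = clean_log_dir(argv[1]);
        printf("%s: deleted %d, truncated %d, failed %d\n", argv[1], st.deleted, st.truncated, st.failed);
        return st.failed != 0;
    }
    int bad = run_demo();
    printf("demo: %d misplaced, deleted %d, truncated %d\n", bad, demo_stats.deleted, demo_stats.truncated);
    return bad != 0;
}
```

Run it with no arguments for the self-contained demo, or with a directory to clean it for real (as root, on /var/log, after thinking about which files you actually want to lose). This only handles the text logs; the systemd journal's binary files are trimmed with journalctl's own options, e.g. journalctl --vacuum-size=200M or journalctl --vacuum-time=2weeks, rather than by deleting files underneath it.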
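Added example, not code from the lecture and not a real kernel module: a user-space model of the rootkit idea above. The "system call table" is an array of function pointers in one page that is marked read-only with mprotect(), standing in for the kernel's read-only sys_call_table; the handler names (fake_sys_add, fake_sys_mul) and syscall numbers are made up. It shows the three steps in the notes (save the original entry, install a wrapper that does its own work, have the wrapper call the real handler), the read-only protection that has to be circumvented first, and what happens when you forget that step and just write into the table.

```c
/* Added example, not from the lecture: user-space model of syscall-table
 * hooking. mprotect() stands in for the kernel's read-only mapping of
 * sys_call_table; names and numbers are invented. */
#define _GNU_SOURCE
#include <errno.h>
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define NR_SYSCALLS 8
typedef long (*syscall_fn)(long a, long b);

/* Stand-ins for real handlers such as sys_read / sys_write. */
static long fake_sys_add(long a, long b) { return a + b; }
static long fake_sys_mul(long a, long b) { return a * b; }

static syscall_fn *sys_call_table;   /* one page, read-only once live */
static size_t table_bytes;

/* Kernel side: fill the table, then lock it read-only. 0 on success. */
static int table_init(void)
{
    table_bytes = (size_t)sysconf(_SC_PAGESIZE);
    sys_call_table = mmap(NULL, table_bytes, PROT_READ | PROT_WRITE,
                          MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (sys_call_table == MAP_FAILED)
        return -1;
    memset(sys_call_table, 0, table_bytes);
    sys_call_table[0] = fake_sys_add;
    sys_call_table[1] = fake_sys_mul;
    return mprotect(sys_call_table, table_bytes, PROT_READ);
}

/* Kernel side: the dispatcher looks the handler up by syscall number. */
static long do_syscall(int nr, long a, long b)
{
    if (nr < 0 || nr >= NR_SYSCALLS || sys_call_table[nr] == NULL)
        return -ENOSYS;
    return sys_call_table[nr](a, b);
}

/* Rootkit side: the saved original and the wrapper that replaces it. */
static syscall_fn real_handler;
static long hook_calls;      /* how often the wrapper ran */
static long last_seen_arg;   /* the "bad thing": siphon off an argument */

static long hooked_handler(long a, long b)
{
    hook_calls++;
    last_seen_arg = a;           /* e.g. a keylogger recording read() data */
    return real_handler(a, b);   /* then call the real system call */
}

/* Rootkit side: make the page writable, patch one entry, lock it again.
 * In a real kernel this is where the read-only mapping has to be defeated
 * (on x86 the classic trick is clearing the WP bit in CR0). 0 on success. */
static int install_hook(int nr, syscall_fn hook)
{
    if (nr < 0 || nr >= NR_SYSCALLS)
        return -1;
    if (mprotect(sys_call_table, table_bytes, PROT_READ | PROT_WRITE) != 0)
        return -1;
    real_handler = sys_call_table[nr];
    sys_call_table[nr] = hook;
    return mprotect(sys_call_table, table_bytes, PROT_READ);
}

/* Skipping that step: the store faults. Here we catch the SIGSEGV and
 * report it; in the kernel the same mistake is an oops, which is why the
 * notes say you end up rebooting after every bad attempt.
 * Returns 1 if the write faulted, 0 if it went through. */
static sigjmp_buf fault_env;
static void on_segv(int sig) { (void)sig; siglongjmp(fault_env, 1); }

static int naive_patch_faults(int nr, syscall_fn hook)
{
    struct sigaction sa, old;
    volatile int faulted = 0;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(fault_env, 1) == 0)
        sys_call_table[nr] = hook;   /* write to a read-only page */
    else
        faulted = 1;
    sigaction(SIGSEGV, &old, NULL);
    return faulted;
}

int main(void)
{
    if (table_init() != 0)
        return 1;
    printf("add(2,3) before hook: %ld\n", do_syscall(0, 2, 3));
    printf("naive write faulted:  %d\n", naive_patch_faults(0, hooked_handler));
    printf("install_hook:         %d\n", install_hook(0, hooked_handler));
    printf("add(2,3) after hook:  %ld (hook ran %ld time(s), saw arg %ld)\n",
           do_syscall(0, 2, 3), hook_calls, last_seen_arg);
    return 0;
}
```

The caller sees the same result before and after the hook, which is exactly why this kind of rootkit is hard to notice from user space; the only evidence is the side effect in the wrapper. The naive write is what "the slightest thing wrong" looks like: in this model a caught SIGSEGV, in the kernel a crash and a reboot.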