Operating Systems 2020W: Assignment 4

Below are questions for Assignment 4. Written answers will not be graded. Instead, related multiple choice questions will be posted on cuLearn by March 31st and will be due by 2:30 PM on April 3, 2020.

Tutorial 8 Questions

1. [1] Can a process change where data and code is stored in virtual memory? What about in physical memory?
2. [1] If two processes mmap the same library, will that library (necessarily) have the same virtual addresses for both processes? What about the same physical addresses?
3. [1] What system calls does 3000memview2 use to get physical addresses? Are any of these new (ones we haven't previously seen in class)? Why?
4. [1] Who has access to /dev/3000physicalview? How do you know (from the code)?
5. [1] List all of the page table lookups that get_physical() does in 3000physicalview.c. Why are there so many lookups?
6. [1] Can you do an ioctl call on regular files? Why or why not?
7. [1] What are the values of PAGE_SHIFT and PAGE_SIZE? Where are they defined? What do they represent?

Tutorial 9 Questions

1. [1] Where is FILTER_PID defined? Where is it used?
2. [1] How could you make 3000shellwatch.py watch for events in any process, not just a specific one? What events would it then report?
3. [1] Make 3000shellwatch.py monitor all instances of 3000shell by checking a process's comm property. Be sure to remove the PID argument. (Hint: see bashreadline)
4. [1] What code of 3000shellwatch runs in userspace? What runs in kernel space?
5. [1] Why does 3000shellwatch require root privileges to run? Give an example of a small change you could make to 3000shellwatch that would give an unprivileged user the ability to see or do something that they normally can't.
6. [1] How are a uprobe and a uretprobe similar? How are they different?
7. [1] What is the signals dictionary used for?
8. [1] As presented in the tutorial, does 3000shellwatch have to use eBPF to achieve its goals? Could it instead have used ptrace? Argue for or against, based on the level of access you've seen gdb and strace have to processes using the ptrace system call.
9. [1] On line 69 of bpfprogram.c, does sys_exit refer to the exit system call? Explain.

Multiple Choice

1. A process can potentially control, at runtime (select all that are true)
   1. location of a variable in virtual memory
   2. location of a variable in physical memory
   3. location of a library in virtual memory
   4. location of a library in physical memory
2. What file operations does /dev/physicalview (explicitly) support? (select all that are true)
   1. open
   2. read
   3. write
   4. ioctl
   5. seek
3. If you wanted to make /dev/physicalview only usable by the root user, what value should *mode have on line 161?
   1. 0666
   2. 0640
   3. 0004
   4. 0200
   5. 0600
4. What does the permission mask 0666 represent when converted to flags as shown by ls -l?
   1. rwxr-xrw-
   2. rw-rw-rw-
   3. r-xr-xr-x
   4. rw-r--r--
   5. r--r--r--
5. In order to get the page table entry for a page, how many lookups would you expect on a 32 bit x86 system? What about a 64 bit x86 system? Be sure to include the lookup of the top-level page table and the final page table entry.
   1. 1 and 4
   2. 1 and 5
   3. 2 and 5
   4. 2 and 4
   5. 3 and 5
6. Which of these support ioctl operations? Select all that apply.
   1. /home/student
   2. /home/student/.bashrc
   3. /dev/ones
   4. /dev/physicalview
   5. /dev/pts/0
7. Which of the following is NOT true in the Linux kernel source code?
   1. PAGE_SIZE is defined in terms of PAGE_SHIFT
   2. PAGE_SHIFT is always 12
   3. PAGE_SHIFT determines the number of bytes in a page
   4. PAGE_SHIFT is dictated by the underlying CPU
   5. PAGE_SHIFT represents the number of bits in the page offset
8. What does the -D option to a C compiler do?
   1. It specifies a macro for the C pre-processor
   2. It is roughly equivalent to a #define option in the source code
   3. It can be used to set compile-time options.
   4. It allows for source code to be compiled in different ways without changing the source
   5. All of the above
9. filter() in bpfprogram.c is called (select all that apply)
   1. Every time the specified 3000shell process makes a system call, but not when other processes make system calls
   2. Every time any 3000shell process makes a system call, but not when other processes make system calls
   3. Every time any process makes a system call
   4. Every time any process calls fgets()
   5. Every time any process receives a signal
10. Code in which of the following source files runs in kernel space? (select all that apply)
    1. 3000shell.c
    2. 3000shellwatch.py
    3. bpfprogram.c
    4. 3000memview2.c
    5. 3000physicalview.c
11. What can I probe using an eBPF program?
    1. system calls
    2. kernel function calls
    3. process function calls
    4. signals
    5. all of the above
12. In the Linux kernel source, different signals (such as SIGKILL) are specified using
    1. Inline-specified numbers (e.g., 9, 15)
    2. Named constants specified using #define's
    3. Constant strings, e.g. "SIGKILL"
    4. Pointers to strings
    5. Elements of a union
13. In bpfprogram.c, sys_exit (on line 69) refers to
    1. The exit system call
    2. The exit system call, when called by 3000shell
    3. The exit system call, when called by the specified PID
    4. The exiting of any system call made by 3000shell
    5. The exiting of any system call
14. The ptrace system call is used by (select all that apply)
    1. ps
    2. bash
    3. ls
    4. strace
    5. gdb
15. eBPF programs are safer than kernel modules because
    1. They can only be run by the root user
    2. They are compiled just before being loaded
    3. They are checked by a verifier when being loaded into the kernel
    4. They can only access parts of kernel memory
    5. They are written in a safe, garbage-collected language (Python)

Solutions

Assignment 4 (short answer) solutions)