SystemsSec 2018W Lecture 20

From Soma-notes
Jump to: navigation, search

Audio

Lecture 20 Audio

Notes

Senses of Virtual: JVM/CLR Hardware virtual machines --> Hypervisors Virtual Memory Virtual Reality Virtual Functions VFS Layer (Virtual File System)

What is really meant by virtual in this context? -Portability -Hardware -> Software (Made into) -Level of abstraction --Resource Abstraction

 Subject ---> Resource

^Virtualization breaks this connection, becoming:

 Subject		--->Resource
   |-----> Abstraction |

Example: File containing digits of pi, is really just a function that generates digits From the perspective of the Subject the Abstraction is the resource, it's the same thing as having an actual file

Why is this a general strategy for security? Abstraction is a means of control Controlling the abstraction controls what the subject perceives. It's not what is actual there, it's keeping the subject "safe" Social control? Buy into an abstraction of reality Abstraction Tool for how people perceive reality Civil instutions, money, politics Live in the real world, but abstraction within out minds Lots of power in abstractions Abstraction is a method of control

Note: By controlling the abstraction we can enforce security properties that would otherwise be very difficult.

Virtual Memory Each program gets it's own memory You can escape the box when you can't see the box All the memory they see, is their's It thinks it has its whole address range Enforces memory safety in allocation, but also prevents programs of messing with eachother

Virtual Functions A place you can excicibit control Basically a direction table But also leads to less to security in the sense that the table can be manipulated


Hardware Virtual Machines OS is running, thinks it's accessing the hardware, but it is accessing the hypervisor. THis allows for "windows in a window", multiple os running Unfortunately Somethings go to the abstraction, some go to resources Running directly on the CPU/Memory, go straight to cpu, why? faster/simpler When does hypervisor come in? When you want to anything that normally requires privileges Change page tables Allocate memory Access the disk These get routed through the hypervisor How? Classic OS: Processes [System calls] OS - Kernel [Hypervisor (Provides a hardware-like interface to the Kernel)] Hardware

Process interacts with the Kernel through System calls Function Call vs System Function is a jump to another bit of code in the address space Access space of the process System call Access something out of the address space Special CPU instruction / Software interrupt What is an interrupt? Are CPU mechanism which allows the CPU to be interrupted Logical equivalent to office talking to student. Someone knocks on the door. Hold on let me talk to him. (Interrupt) Not part of the normal execution path External signal Interrupt Table List of: Interrupt -> address Addresses here are the addresses in the Kernel Memory Normal CPU runs in usermode Usermode doesn't have access to all resources, CPU has supervisor mode, which see's everything **Code for interrupt runs in supervisor mode Keyboard presses, calls interrupt What is hardware virtualization? You give the Kernel a fake interrupt table Modern CPU support Hypervisor Whenever a privileged operation is run, it goes through the hypervisors Interrupt table. System call: Normally Userspace (proc)-> System call -> Kernel (Special Instruction, cpu changes to supervisor code) Hypervisor Userspace (proc) -> Hypervisor -> Kernel (Same as normal, but with middleman.

Ring 0 - 3 Privledge levels on CPU Modern system has Ring -1 -> 3 Ring -1 is the Hypervisor Allows the hypervisor to choose with Kerne gets the operation


Guest knowing about the hypervisor is dangerou sin a secuirty sense Expanded interface, lines of communication that you didn't have before What prevents the guest from compromising the hypervisor? Information leakage Possible or prcoess to see the other kernels (Same physical memory / cpu) Language run times mostly just go through the abstraction and never have a direct connection to the resources

JVM call some methods that have more provledgess that you do. Equivalents of sudo / setuid. All inside the same address space, enforce permission boundaries inside one address space, have to use software for midigation.