https://homeostasis.scs.carleton.ca/wiki/index.php?action=history&feed=atom&title=Operating_Systems_2019F_Lecture_21Operating Systems 2019F Lecture 21 - Revision history2026-05-18T20:02:35ZRevision history for this page on the wikiMediaWiki 1.42.1https://homeostasis.scs.carleton.ca/wiki/index.php?title=Operating_Systems_2019F_Lecture_21&diff=22543&oldid=prevSoma: Created page with "==Video== The video from the lecture given on November 22, 2019 [https://homeostasis.scs.carleton.ca/~soma/os-2019f/lectures/comp3000-2019f-lec21-20191122.m4v is now availabl..."2020-03-20T02:10:51Z<p>Created page with "==Video== The video from the lecture given on November 22, 2019 [https://homeostasis.scs.carleton.ca/~soma/os-2019f/lectures/comp3000-2019f-lec21-20191122.m4v is now availabl..."</p>
<p><b>New page</b></p><div>==Video==<br />
<br />
The video from the lecture given on November 22, 2019 [https://homeostasis.scs.carleton.ca/~soma/os-2019f/lectures/comp3000-2019f-lec21-20191122.m4v is now available].<br />
<br />
==Notes==<br />
<br />
<pre><br />
Lecture 21<br />
----------<br />
<br />
questions about the assignment?<br />
assignment 3 due sunday evening<br />
<br />
please do course evaluations!<br />
<br />
A lot of problems, weird errors come from running out of disk space.<br />
<br />
To clean up a disk, you'll probably have to deal with logs (esp. if you have something like the kernel printing lots and lots of messages)<br />
<br />
But...logs aren't just text files<br />
* old style log files are text files<br />
* systemd introduced binary logs (similar to Windows)<br />
<br />
So you may need to delete both<br />
<br />
To delete text log files<br />
* if it has a number at the end (and is or is not compressed), you can just<br />
delete it<br />
* but if it doesn't have a number at the end, you'll have to delete *and* have the logging program close and reopen their log file<br />
- say, by sending SIGHUP or just killing and restarting the process, or just reboot<br />
<br />
<br />
Key idea of Linux kernel rootkit<br />
* load kernel module<br />
* module patches system call table so custom code is run<br />
* custom syscall code does bad things, then calls real system call<br />
<br />
<br />
When the kernel processes a system call, it looks up the system call handler in a system call table<br />
* system call 5 => 5th function in table<br />
<br />
To change what system call is made, you patch the table<br />
<br />
You could try patching the entire system call handler, but that is much harder and in general not feasible from a module<br />
<br />
Kernel developers know bad guys want to mess with the system call table<br />
- so there are protections in place that have to be circumvented<br />
- main protection: table is marked read only<br />
- so you have to get around this<br />
<br />
If you do even the slightest thing wrong, you'll corrupt the kernel<br />
so, you may need to reboot for every time you try new code<br />
- you can't decide whether an old bug is messing up your new code or not,<br />
unless you reboot<br />
<br />
<br />
Contrast this with eBPF and trace<br />
- did you ever have to reboot?<br />
<br />
note the safety/functionality tradeoff<br />
<br />
<br />
Assignment 4 will not be graded by the TAs, it will be on cuLearn<br />
- but general questions will be posted as will be solutions<br />
</pre></div>Soma