SystemsSec 2018W Lecture 20: Difference between revisions

From Soma-notes
Created page with "==Audio== [https://homeostasis.scs.carleton.ca/~soma/systemssec-2018w/lectures/comp4108-2018w-lec20-26Mar2018.m4a Lecture 20 Audio] ==Notes=="
 
Luc (talk | contribs)
 
Line 4: Line 4:


==Notes==
==Notes==
Senses of Virtual:
JVM/CLR
Hardware virtual machines
--> Hypervisors
Virtual Memory
Virtual Reality
Virtual Functions
VFS Layer (Virtual File System)
What is really meant by virtual in this context?
-Portability
-Hardware -> Software (Made into)
-Level of abstraction
--Resource Abstraction
  Subject ---> Resource
^Virtualization breaks this connection, becoming:
  Subject --->Resource
    |-----> Abstraction |
Example:
File containing digits of pi, is really just a function that generates digits
From the perspective of the Subject the Abstraction is the resource, it's the same thing as having an actual file
Why is this a general strategy for security?
Abstraction is a means of control
Controlling the abstraction controls what the subject perceives. It's not what is actual there, it's keeping the subject "safe"
Social control?
Buy into an abstraction of reality
Abstraction
Tool for how people perceive reality
Civil instutions, money, politics
Live in the real world, but abstraction within out minds
Lots of power in abstractions
Abstraction is a method of control
Note: By controlling the abstraction we can enforce security properties that would otherwise be very difficult.
Virtual Memory
Each program gets it's own memory
You can escape the box when you can't see the box
All the memory they see, is their's
It thinks it has its whole address range
Enforces memory safety in allocation, but also prevents programs of messing with eachother
Virtual Functions
A place you can excicibit control
Basically a direction table
But also leads to less to security in the sense that the table can be manipulated
Hardware Virtual Machines
OS is running, thinks it's accessing the hardware, but it is accessing the hypervisor. THis allows for "windows in a window", multiple os running
Unfortunately
Somethings go to the abstraction, some go to resources
Running directly on the CPU/Memory, go straight to cpu, why? faster/simpler
When does hypervisor come in?
When you want to anything that normally requires privileges
Change page tables
Allocate memory
Access the disk
These get routed through the hypervisor
How?
Classic OS:
Processes
[System calls]
OS - Kernel
[Hypervisor (Provides a hardware-like interface to the Kernel)]
Hardware
Process interacts with the Kernel through System calls
Function Call vs System
Function is a jump to another bit of code in the address space
Access space of the process
System call
Access something out of the address space
Special CPU instruction / Software interrupt
What is an interrupt?
Are CPU mechanism which allows the CPU to be interrupted
Logical equivalent to office talking to student. Someone knocks on the door. Hold on let me talk to him. (Interrupt)
Not part of the normal execution path
External signal
Interrupt Table
List of: Interrupt -> address
Addresses here are the addresses in the Kernel Memory
Normal CPU runs in usermode
Usermode doesn't have access to all resources, CPU has supervisor mode, which see's everything
**Code for interrupt runs in supervisor mode
Keyboard presses, calls interrupt
What is hardware virtualization?
You give the Kernel a fake interrupt table
Modern CPU support Hypervisor
Whenever a privileged operation is run, it goes through the hypervisors Interrupt table.
System call:
Normally
Userspace (proc)-> System call  -> Kernel
(Special Instruction, cpu changes to supervisor code)
Hypervisor
Userspace (proc) -> Hypervisor -> Kernel
(Same as normal, but with middleman.
Ring 0 - 3 Privledge levels on CPU
Modern system has Ring -1 -> 3
Ring -1 is the Hypervisor
Allows the hypervisor to choose with Kerne gets the operation
Guest knowing about the hypervisor is dangerou sin a secuirty sense
Expanded interface, lines of communication that you didn't have before
What prevents the guest from compromising the hypervisor?
Information leakage
Possible or prcoess to see the other kernels (Same physical memory / cpu)
Language run times mostly just go through the abstraction and never have a direct connection to the resources
JVM call some methods that have more provledgess that you do. Equivalents of sudo / setuid. All inside the same address space, enforce permission boundaries inside one address space, have to use software for midigation.

Latest revision as of 05:36, 31 March 2018

Audio

Lecture 20 Audio

Notes

Senses of Virtual: JVM/CLR Hardware virtual machines --> Hypervisors Virtual Memory Virtual Reality Virtual Functions VFS Layer (Virtual File System)

What is really meant by virtual in this context? -Portability -Hardware -> Software (Made into) -Level of abstraction --Resource Abstraction

 Subject ---> Resource

^Virtualization breaks this connection, becoming:

 Subject		--->Resource
   |-----> Abstraction |

Example: File containing digits of pi, is really just a function that generates digits From the perspective of the Subject the Abstraction is the resource, it's the same thing as having an actual file

Why is this a general strategy for security? Abstraction is a means of control Controlling the abstraction controls what the subject perceives. It's not what is actual there, it's keeping the subject "safe" Social control? Buy into an abstraction of reality Abstraction Tool for how people perceive reality Civil instutions, money, politics Live in the real world, but abstraction within out minds Lots of power in abstractions Abstraction is a method of control

Note: By controlling the abstraction we can enforce security properties that would otherwise be very difficult.

Virtual Memory Each program gets it's own memory You can escape the box when you can't see the box All the memory they see, is their's It thinks it has its whole address range Enforces memory safety in allocation, but also prevents programs of messing with eachother

Virtual Functions A place you can excicibit control Basically a direction table But also leads to less to security in the sense that the table can be manipulated


Hardware Virtual Machines OS is running, thinks it's accessing the hardware, but it is accessing the hypervisor. THis allows for "windows in a window", multiple os running Unfortunately Somethings go to the abstraction, some go to resources Running directly on the CPU/Memory, go straight to cpu, why? faster/simpler When does hypervisor come in? When you want to anything that normally requires privileges Change page tables Allocate memory Access the disk These get routed through the hypervisor How? Classic OS: Processes [System calls] OS - Kernel [Hypervisor (Provides a hardware-like interface to the Kernel)] Hardware

Process interacts with the Kernel through System calls Function Call vs System Function is a jump to another bit of code in the address space Access space of the process System call Access something out of the address space Special CPU instruction / Software interrupt What is an interrupt? Are CPU mechanism which allows the CPU to be interrupted Logical equivalent to office talking to student. Someone knocks on the door. Hold on let me talk to him. (Interrupt) Not part of the normal execution path External signal Interrupt Table List of: Interrupt -> address Addresses here are the addresses in the Kernel Memory Normal CPU runs in usermode Usermode doesn't have access to all resources, CPU has supervisor mode, which see's everything **Code for interrupt runs in supervisor mode Keyboard presses, calls interrupt What is hardware virtualization? You give the Kernel a fake interrupt table Modern CPU support Hypervisor Whenever a privileged operation is run, it goes through the hypervisors Interrupt table. System call: Normally Userspace (proc)-> System call -> Kernel (Special Instruction, cpu changes to supervisor code) Hypervisor Userspace (proc) -> Hypervisor -> Kernel (Same as normal, but with middleman.

Ring 0 - 3 Privledge levels on CPU Modern system has Ring -1 -> 3 Ring -1 is the Hypervisor Allows the hypervisor to choose with Kerne gets the operation


Guest knowing about the hypervisor is dangerou sin a secuirty sense Expanded interface, lines of communication that you didn't have before What prevents the guest from compromising the hypervisor? Information leakage Possible or prcoess to see the other kernels (Same physical memory / cpu) Language run times mostly just go through the abstraction and never have a direct connection to the resources

JVM call some methods that have more provledgess that you do. Equivalents of sudo / setuid. All inside the same address space, enforce permission boundaries inside one address space, have to use software for midigation.