SystemsSec 2018W Lecture 20: Difference between revisions
Created page with "==Audio== [https://homeostasis.scs.carleton.ca/~soma/systemssec-2018w/lectures/comp4108-2018w-lec20-26Mar2018.m4a Lecture 20 Audio] ==Notes=="
Latest revision as of 05:36, 31 March 2018
Audio
Notes
Senses of Virtual:
  JVM/CLR
  Hardware virtual machines
  --> Hypervisors
  Virtual Memory
  Virtual Reality
  Virtual Functions
  VFS Layer (Virtual File System)
What is really meant by virtual in this context?
  -Portability
  -Hardware -> Software (Made into)
  -Level of abstraction
  --Resource Abstraction
Subject ---> Resource
^Virtualization breaks this connection, becoming:
Subject --->Resource
|-----> Abstraction |
Example:
  A file containing digits of pi is really just a function that generates digits
  From the perspective of the Subject the Abstraction is the resource; it's the same thing as having an actual file
Why is this a general strategy for security?
  Abstraction is a means of control
  Controlling the abstraction controls what the subject perceives. It's not what is actually there, it's keeping the subject "safe"
Social control?
  Buy into an abstraction of reality
Abstraction
  Tool for how people perceive reality
  Civil institutions, money, politics
  Live in the real world, but abstraction within our minds
  Lots of power in abstractions
  Abstraction is a method of control
Note: By controlling the abstraction we can enforce security properties that would otherwise be very difficult.
Virtual Memory
  Each program gets its own memory
  You can escape the box when you can't see the box
  All the memory they see is theirs
  It thinks it has its whole address range
  Enforces memory safety in allocation, but also prevents programs from messing with each other
Virtual Functions
  A place you can exercise control
  Basically a direction table
  But also leads to less security, in the sense that the table can be manipulated
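Added example (not from the lecture): a hand-rolled function-pointer table in C, showing both points above. The table is a place to exercise control, and a dispatch that trusts a redirected table pointer silently runs something else. All names (shape, RECT_VT, area_checked, forged) are hypothetical, and the "manipulation" is simulated by assigning a different table inside the same program.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical names throughout: a hand-rolled "virtual function" table. */
struct shape;
struct vtable { int (*area)(const struct shape *); };
struct shape  { const struct vtable *vt; int w, h; };

static int rect_area(const struct shape *s) { return s->w * s->h; }
static int tri_area(const struct shape *s)  { return s->w * s->h / 2; }

/* Legitimate tables are const, so they can be placed in read-only memory. */
static const struct vtable RECT_VT = { rect_area };
static const struct vtable TRI_VT  = { tri_area };
static const struct vtable *const KNOWN[] = { &RECT_VT, &TRI_VT };

/* Unchecked dispatch: trusts whatever table pointer the object holds. */
int area_unchecked(const struct shape *s) { return s->vt->area(s); }

/* Checked dispatch: refuse the call unless the table is one we shipped. */
int area_checked(const struct shape *s, int *out) {
    for (size_t i = 0; i < sizeof KNOWN / sizeof KNOWN[0]; i++) {
        if (s->vt == KNOWN[i]) { *out = s->vt->area(s); return 0; }
    }
    return -1; /* table pointer was redirected */
}

/* Constructed stand-in for a manipulated table: same layout, other target. */
static int not_area(const struct shape *s) { (void)s; return -999; }
static struct vtable forged = { not_area };

int demo(void) {
    struct shape s = { &RECT_VT, 3, 4 };
    int v = 0;
    if (area_checked(&s, &v) != 0 || v != 12) return 1;
    s.vt = &forged;                            /* simulate the pointer being changed */
    if (area_unchecked(&s) != -999) return 2;  /* control silently moved */
    if (area_checked(&s, &v) != -1) return 3;  /* the check catches it */
    return 0;
}

int main(void) { printf("demo -> %d\n", demo()); return 0; }
```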
Hardware Virtual Machines
OS is running, thinks it's accessing the hardware, but it is accessing the hypervisor. This allows for "windows in a window", multiple OSes running
Unfortunately
Some things go to the abstraction, some go to resources
Code running directly on the CPU/memory goes straight to the CPU. Why? Faster/simpler
When does hypervisor come in?
When you want to do anything that normally requires privileges
Change page tables
Allocate memory
Access the disk
These get routed through the hypervisor
How?
Classic OS:
Processes
[System calls]
OS - Kernel
[Hypervisor (Provides a hardware-like interface to the Kernel)]
Hardware
Process interacts with the Kernel through System calls
Function Call vs System Call
  Function call
    A jump to another bit of code in the address space
    Accesses the address space of the process
  System call
    Accesses something outside the address space
    Special CPU instruction / software interrupt
What is an interrupt?
  A CPU mechanism which allows the CPU to be interrupted
  Logical equivalent: in the office talking to a student. Someone knocks on the door. "Hold on, let me talk to him." (Interrupt)
  Not part of the normal execution path
  External signal
Interrupt Table
  List of: Interrupt -> address
  Addresses here are the addresses in the Kernel Memory
  Normally the CPU runs in user mode
  User mode doesn't have access to all resources; the CPU has a supervisor mode, which sees everything
  **Code for an interrupt runs in supervisor mode
  Keyboard presses call an interrupt
What is hardware virtualization?
  You give the Kernel a fake interrupt table
  Modern CPUs support hypervisors
  Whenever a privileged operation is run, it goes through the hypervisor's interrupt table.
System call:
  Normally
    Userspace (proc) -> System call -> Kernel
    (Special instruction, CPU changes to supervisor code)
  Hypervisor
    Userspace (proc) -> Hypervisor -> Kernel
    (Same as normal, but with a middleman.)
Ring 0 - 3: privilege levels on the CPU
Modern system has Ring -1 -> 3
Ring -1 is the Hypervisor
Allows the hypervisor to choose which kernel gets the operation
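Added example (not from the lecture): a toy C model of the routing described above, where the three privileged operations named in the notes (change page tables, allocate memory, access the disk) index the hypervisor's table instead of reaching hardware. The guest layout, the per-guest policy checks and every name here are assumptions made for illustration.

```c
#include <stdio.h>

/* Toy model (all names hypothetical): privileged operations issued by a guest
   kernel do not reach hardware; they index the hypervisor's table instead. */
enum op { OP_SET_PAGE_TABLE, OP_ALLOC_MEM, OP_DISK_READ, OP_COUNT };
enum { ALLOWED = 0, DENIED = -1 };

struct guest { int id; unsigned long mem_base, mem_len; int disk_ok; };

/* The page-table handler only accepts frames inside the guest's own slice. */
static int hv_set_page_table(const struct guest *g, unsigned long frame) {
    return (frame >= g->mem_base && frame - g->mem_base < g->mem_len)
               ? ALLOWED : DENIED;
}
static int hv_alloc_mem(const struct guest *g, unsigned long bytes) {
    return bytes <= g->mem_len ? ALLOWED : DENIED;
}
static int hv_disk_read(const struct guest *g, unsigned long sector) {
    (void)sector;
    return g->disk_ok ? ALLOWED : DENIED;
}

/* The hypervisor's "interrupt table": operation number -> handler address. */
typedef int (*hv_handler)(const struct guest *, unsigned long);
static const hv_handler HV_TABLE[OP_COUNT] = {
    hv_set_page_table, hv_alloc_mem, hv_disk_read
};

/* Every privileged operation traps here; unprivileged work never does. */
int trap(const struct guest *g, int op, unsigned long arg) {
    if (op < 0 || op >= OP_COUNT) return DENIED;  /* unknown vector: refuse */
    return HV_TABLE[op](g, arg);
}

int main(void) {
    struct guest a = { 1, 0x100000UL, 0x100000UL, 1 };  /* constructed guests */
    struct guest b = { 2, 0x200000UL, 0x100000UL, 0 };
    printf("a maps own frame: %d\n", trap(&a, OP_SET_PAGE_TABLE, 0x180000UL));
    printf("a maps b's frame: %d\n", trap(&a, OP_SET_PAGE_TABLE, 0x200000UL));
    printf("b reads disk:     %d\n", trap(&b, OP_DISK_READ, 7));
    return 0;
}
```

The guest never sees the table or the check, only the result, which is the sense in which controlling the abstraction enforces the property.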
Guest knowing about the hypervisor is dangerous in a security sense
Expanded interface, lines of communication that you didn't have before
What prevents the guest from compromising the hypervisor?
Information leakage
Possible for a process to see the other kernels (same physical memory / CPU)
Language runtimes mostly just go through the abstraction and never have a direct connection to the resources
JVM: you call some methods that have more privileges than you do. Equivalents of sudo / setuid. All inside the same address space; permission boundaries are enforced inside one address space, so you have to use software for mitigation.