CS 6V81-05: System Security and Malicious Code Analysis - An Overview of Linux...

transcript

Linux Kernel Architecture Linux Kernel Source Code Windows Kernel Architecture OS Comparison Summary

CS 6V81-05: System Security and Malicious Code Analysis

An Overview of Linux (with Source) and Windows Kernel

Zhiqiang Lin

Department of Computer ScienceUniversity of Texas at Dallas

February 20th, 2012

Outline

1 Linux Kernel Architecture

2 Linux Kernel Source Code

3 Windows Kernel Architecture

4 OS Comparison

5 Summary

In the following a few weeks: OS Kernel

Unix history

Outline

4 OS Comparison

5 Summary

"Core" Kernel

Applications

System Libraries (libc)

System Call Interface

Hardware

Architecture-Dependent Code

I/O Related Process Related

Scheduler

Memory Management

File Systems

Networking

Device Drivers

Linux Kernel Architecture

2012/2/19 Zhiqiang Lin, Nanjing University 1

Hardware

Hardware Control (Interrupts handling, etc)

File System Management

Buffer Cache

Device Drivers

Process

Scheduling

Memory Mgt.

System Call Interface

Libraries

User Programs User Programs Trap

User level

Kernel level

Module

Why use monolithic kernel?begin from ’slow’ 386 architecturemicro-kernel depends on careful design

Linux use module approach to make use of theadvantages of micro-kernel

Outline

4 OS Comparison

5 Summary

Source Tree LayoutSource Tree Layout

/usr/src/linux Documentation

init kernel

include

drivers

mm lib

scripts

mips64

sparc64

ieee1394

macintosh

autofs

autofs4

cramfs

devpts

asm-alpha

asm-arm

asm-generic

asm-i386

asm-ia64

asm-m68k

asm-mips

asm-mips64

math-emu

pcmcia

autofs

autofs4

cramfs

devpts

appletalk

bridge

decnet

econet

ethernet

khttpd

linux/Documentation

spotty but important collection of developer-generateddocumentation; you need to read what’s in here!recent effort to produce javadoc-style documentation fromsource header comments using OpenDocan ambitious open-source kernel book effort has begun;see kernelbook.sourceforge.net for detailssome especially interesting entries:

kernel-docs.txt (a bit out of date but good)filesystems/ (very extensive)networking/ (very extensive)kmod.txtoops-tracing.txtspinlocks.txt (the official story from Linus)

linux/arch

subdirectories for each current porteach contains kernel, lib, mm, boot and other directorieswhose contents override code stubs in architectureindependent codelib contains highly-optimized common utility routines suchas memcpy, checksums, etc.arch as of 2.6:

alpha, arm, i386, ia64, m68k, mips, mips64ppc, s390, sh, sparc, sparc64

linux/drivers

largest amount of code in the kernel tree ( 1.5M)device, bus, platform and general directoriesdrivers/char - n_tty.c is the default line disciplinedrivers/block - elevator.c, genhd.c, linear.c, ll_rw_blk.c,raidN.cdrivers/net -specific drivers and general routines Space.cand net_init.cdrivers/scsi - scsi_*.c files are generic; sd.c (disk), sr.c(CD-ROM), st.c (tape), sg.c (generic)general:

cdrom, ide, isdn, parport, pcmcia,pnp, sound, telephony, video

buses - fc4, i2c, nubus, pci, sbus, tc, usbplatforms - acorn, macintosh, s390, sgi

linux/fs

contains:virtual filesystem (VFS) frameworksubdirectories for actual filesystems

vfs-related files:exec.c, binfmt_*.c - files for mapping new process imagesdevices.c, blk_dev.c - device registration, block devicesupportsuper.c, filesystems.cinode.c, dcache.c, namei.c, buffer.c, file_table.copen.c, read_write.c, select.c, pipe.c, fifo.cfcntl.c, ioctl.c, locks.c, dquot.c, stat.c

linux/include

include/asm-*architecture-dependent include subdirectories

include/linuxheader info needed both by the kernel and user appsusually linked to /usr/include/linuxkernel-only portions guarded by #ifdefs

#ifdef __KERNEL__/* kernel stuff */#endif

other directories:math-emunetpcmciascsivideo

linux/init

just two files: version.c, main.cversion.c - contains the version banner that prints at bootmain.c - architecture-independent boot codestart_kernel is the primary entry point

linux/ipc

System V IPC facilitiesif disabled at compile-time, util.c exports stubs that simplyreturn -ENOSYSone file for each facility:

sem.c - semaphoresshm.c - shared memorymsg.c - message queues

linux/kernel

the core kernel codesched.c - “the main kernel file”scheduler, wait queues, timers, alarms, task queues

process controlfork.c, exec.c, signal.c, exit.cacct.c, capability.c, exec_domain.c

kernel module supportkmod.c, ksyms.c, module.c

other operationstime.c, resource.c, dma.c, softirq.c, itimer.cprintk.c, info.c, panic.c, sysctl.c, sys.c

linux/lib

kernel code cannot call standard C library routinesfiles:

brlock.c - “Big Reader” spinlockscmdline.c - kernel command line parsing routineserrno.c - global definition of errnoinflate.c - “gunzip” part of gzip.c used during bootstring.c - portable string codeusually replaced by optimized, architecture-dependentroutinesvsprintf.c - libc replacement

linux/mm

paging and swappingswap.c, swapfile.c (paging devices), swap_state.c (cache)vmscan.c - paging policies, kwapdpage_io.c - low-level page transfer

allocation and deallocationslab.c - slab allocatorpage_alloc.c - page-based allocator zone allocatorvmalloc.c - kernel virtual-memory allocator

memory mappingmemory.c - paging, fault-handling, page table codefilemap.c - file mappingmmap.c, mremap.c, mlock.c, mprotect.c

linux/scripts

scripts for:menu-based kernel configurationkernel patchinggenerating kernel documentation

Where to start looking

System startup and initializationarch/i386/kernel/head.SSome arch-dependent setup and then jumps to the main()in init/main.c

Memory managementPage fault handling: mm/memory.cMemory mapping and page caching: mm/filemap.cBuffer cache: mm/buffer.cSwap cache: mm/swap_state.c, mm/swapfile.c

KernelScheduler: kernel/sched.cFork: kernel/fork.cBottom half of int handling: include/linux/interrupt.hProc table: include/linux/sched.h

Where to start looking

Interrupt handlingAlmost architecture specificarch/i386/kernel/irq.c

NetworkNetworking code in net, include files in include/netBSD socket code: net/socket.cIP version 4 INET code: net/ipv4/af_inet.cGeneric protocol support code: net/coreTCP/IP networking code: net/ipv4

How to start lookingFew tools availablevi, ctags, cflow

Outline

4 OS Comparison

5 Summary

Windows Kernel Architecture

User‐mode

Kernel‐mode Trap interface / LPC

ntdll / run‐time library

Win32 GUIProcs & threads

Kernel run‐time / Hardware Adaptation Layer

Virtual memoryIO ManagerSecurity refmon

Cache mgr

File filtersFile systemsVolume mgrsDevice stacks

Scheduler

Kernel32 User32 / GDI

Applications

System Services

Object Manager / Configuration Management

FS run‐time

exec synchr

Subsystemservers

Login/GINA

Critical services

Windows Kernel Organization

Kernel-mode organized into

NTOS (kernel-mode services)Run-time Library, Scheduling, Executive services, objectmanager, services for I/O, memory, processes

Hal (hardware-adaptation layer)Insulates NTOS & drivers from hardware dependenciesProviders facilities, such as device access, timers, interruptservicing, clocks, spinlocks

Driverskernel extensions (primarily for device access)

Major Kernel Services

Process managementProcess/thread creationSchedules thread execution on each processor

Security reference monitorAccess checks, token management

Memory managerPagefaults, virtual address, physical frame, and pagefilemanagement Services for sharing, copy-on-write, mappedfiles, GC support, large apps

Lightweight Procedure Call (LPC)Native transport for RPC and user-mode system services.

I/O manager (plug-and-play, power)Maps user requests into IRP requests, configures/managesI/O devices, implements services for drivers

Cache managerProvides file-based caching for buffer file system I/OBuilt over the memory manager

Windows Kernel Organization

Kernel-mode organized into

NTOS (kernel-mode services)Run-time Library, Scheduling, Executive services, objectmanager, services for I/O, memory, processes

Hal (hardware-adaptation layer)Insulates NTOS & drivers from hardware dependenciesProviders facilities, such as device access, timers, interruptservicing, clocks, spinlocks

Driverskernel extensions (primarily for device access)

Outline

4 OS Comparison

5 Summary

OS Providers

Microsoft, IBM, Apple, Oracle (Sun), Google...

History of Windows

http://windows.microsoft.com/en-US/windows/history1975-1981: Microsoft boots up (Microsoft co-founders PaulAllen (left) and Bill Gates)1982-1985: Introducing Windows 1.01987-1992: Windows 2.0-2.11–More windows, more speed1990-1994: Windows 3.0-Windows NT–Getting thegraphics1995-2001: Windows 95–the PC comes of age (and don’tforget the Internet)1998-2000: Windows 98, Windows 2000, Windows Me2001-2005: Windows XP–Stable, usable, and fast2006-2008: Windows Vista–Smart on security2009-Today: Windows 7 and counting...

Mac OS

Mac OS is a super-modern operating system thatcombines the power and stability of UNIX with thelegendary elegance of the Macintosh.Mac OS features a stunning new user interface, makingwork and play on the Mac even more intuitive for newusers, while providing powerful, customizable tools forprofessionals. At the foundation of Mac OS lies anindustrial-strength UNIX-based core operating system thatdelivers unprecedented stability and performance.Quote fromhttp://en.wikipedia.org/wiki/History_of_Mac_OS

Comparing Operating Systems

Comparing:Windows XP/Vista/7Macintosh OS XLinux

Price?Hardware platform?Included Software?Ease of Use?Pretty?Software Availability?

Outline

4 OS Comparison

5 Summary

Summary

Linux kernelLinux kernel source code

Windows kernelComparison of the common OSes

Book RecommendationUnderstanding the Linux Kernel, 3rd Editionhttp://voinici.ceata.org/ tct/resurse/utlk.pdf

CS 6V81-05: System Security and Malicious Code Analysis - An Overview of Linux...

Documents