Secure Operating Systems Lesson 7: The Application OS Interface


Page 1: Secure Operating Systems

Secure Operating Systems
Lesson 7: The Application OS Interface

Page 2: Secure Operating Systems

Where are we?
Time to start to delve deeper into security
Let's look at how non-OS things talk to the OS…

Page 3: Secure Operating Systems

How we talk…
Typically, a programmer will just call something – perhaps a function – in their library of choice
Example: fopen();
This gives higher-level languages portability, adds syntactic sugar, and keeps application code portable across platforms

Page 4: Secure Operating Systems

Tracing through fopen…
If we trace through fopen we get to the actual Windows APIs used within the library
In this case, it's CreateFileA/W()…
From here, we need to go through to the kernel – this requires a transition from Ring 3 to Ring 0 (remind me)

Page 5: Secure Operating Systems

Ring What?
Unlike some processors (notably Motorola), the Intel processors don't use a register or flag to determine mode
Instead, the privilege is determined by the GDT – the Global Descriptor Table
This table tells the processor if the block of memory currently being executed is in Ring 0 or 3
Loaded with the LGDT instruction…

Page 6: Secure Operating Systems

Obviously
Obviously (and let's make sure we know why it's obvious) lower privilege code cannot directly call higher privilege code
So, Intel provided a few mechanisms to do this: Int 2Eh and SYSENTER

Page 7: Secure Operating Systems

Int 2Eh
But Int 2Eh in which mode… Aha!
DOS: DOS Reload Transient. Calls in Interrupt Service Routine, and allows the load and execution of a command to the command interpreter
But DOS runs in REAL mode

Page 8: Secure Operating Systems

Int 2E: Protected Mode
A little more complicated…
Leverages an "Interrupt Gate Descriptor" – instead of a vector to the Interrupt Service handler:
Offset in the segment of the ISR
The entry in the GDT that owns this code
Hence: we can change mode, woohoo!
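Pages 5 through 8 describe the two descriptors involved in an Int 2Eh transition: the interrupt gate in the IDT (handler offset plus the GDT selector that owns the handler) and the GDT segment descriptor whose DPL decides the ring. The C program below is added here as an illustration and is not part of the slides or any real kernel: it decodes both 8-byte descriptor formats and models the CPL checks the processor applies to a software INT n, so you can see why ring-3 code can enter a DPL-3 gate that lands in DPL-0 code, but cannot enter a DPL-0 gate at all. The GDT contents and the gate values are constructed flat-model examples, not values taken from Windows.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Decoded fields of an 8-byte 32-bit x86 segment descriptor held in the GDT. */
typedef struct {
    uint32_t base;
    uint32_t limit;      /* raw 20-bit limit; bytes, or 4 KiB pages if granularity is set */
    bool present;
    unsigned dpl;        /* descriptor privilege level: the ring this segment belongs to */
    bool is_code;
    bool granularity;
} seg_desc_t;

/* Decoded fields of an 8-byte 32-bit interrupt/trap gate descriptor held in the IDT. */
typedef struct {
    uint32_t offset;     /* entry point of the handler, relative to the target segment */
    uint16_t selector;   /* GDT selector of the segment that owns the handler code */
    bool present;
    unsigned dpl;        /* numerically highest CPL allowed to reach this gate with INT n */
    unsigned type;       /* 0xE = 32-bit interrupt gate, 0xF = 32-bit trap gate */
} gate_desc_t;

seg_desc_t decode_segment_descriptor(uint64_t raw) {
    seg_desc_t d;
    uint8_t access = (uint8_t)(raw >> 40);                          /* byte 5: P, DPL, S, type */
    d.limit       = (uint32_t)(raw & 0xFFFF) | (uint32_t)((raw >> 48) & 0xF) << 16;
    d.base        = (uint32_t)((raw >> 16) & 0xFFFFFF) | (uint32_t)(raw >> 56) << 24;
    d.present     = (access >> 7) & 1;
    d.dpl         = (access >> 5) & 3;
    d.is_code     = ((access >> 4) & 1) && ((access >> 3) & 1);     /* S=1 and type bit 3 set */
    d.granularity = (raw >> 55) & 1;
    return d;
}

gate_desc_t decode_gate_descriptor(uint64_t raw) {
    gate_desc_t g;
    uint8_t attr = (uint8_t)(raw >> 40);                            /* byte 5: P, DPL, 0, type */
    g.offset   = (uint32_t)(raw & 0xFFFF) | (uint32_t)((raw >> 48) & 0xFFFF) << 16;
    g.selector = (uint16_t)((raw >> 16) & 0xFFFF);
    g.present  = (attr >> 7) & 1;
    g.dpl      = (attr >> 5) & 3;
    g.type     = attr & 0xF;
    return g;
}

/* Constructed flat-model GDT for the example: null, kernel code (DPL 0), user code (DPL 3). */
static const uint64_t GDT[] = {
    0x0000000000000000ULL,
    0x00CF9A000000FFFFULL,   /* selector 0x08: base 0, limit 4 GiB, code, DPL 0 */
    0x00CFFA000000FFFFULL,   /* selector 0x10: base 0, limit 4 GiB, code, DPL 3 */
};

/* Model of the checks the CPU makes when ring `cpl` executes INT n through `gate_raw`.
   Returns the CPL the handler will run at, or -1 where the CPU would raise #GP.
   Conforming code segments are not modelled; the flat-model GDT above has none. */
int resolve_software_int(uint64_t gate_raw, unsigned cpl) {
    gate_desc_t g = decode_gate_descriptor(gate_raw);
    if (!g.present || (g.type != 0xE && g.type != 0xF)) return -1;
    if (cpl > g.dpl) return -1;                 /* the gate's DPL is what keeps ring 3 out */
    unsigned idx = g.selector >> 3;             /* drop the TI and RPL bits of the selector */
    if (idx == 0 || idx >= sizeof GDT / sizeof GDT[0]) return -1;
    seg_desc_t target = decode_segment_descriptor(GDT[idx]);
    if (!target.present || !target.is_code) return -1;
    if (target.dpl > cpl) return -1;            /* a gate may raise privilege, never lower it */
    return (int)target.dpl;                     /* the handler runs in the segment's ring */
}

int main(void) {
    /* Constructed gate: handler at 0x8053A120 in selector 0x08, 32-bit interrupt gate, DPL 3. */
    uint64_t syscall_gate = 0x8053EE000008A120ULL;
    gate_desc_t g = decode_gate_descriptor(syscall_gate);
    printf("gate -> offset %08x selector %04x dpl %u\n", g.offset, g.selector, g.dpl);
    printf("INT from ring 3 lands in ring %d\n", resolve_software_int(syscall_gate, 3));
    /* Same handler behind a DPL-0 gate: user mode gets #GP instead. */
    printf("DPL-0 gate from ring 3 -> %d\n", resolve_software_int(0x80538E000008A120ULL, 3));
    return 0;
}
```

The two -1 paths are the point of the slides: the gate's own DPL controls who may invoke it, and the selector inside the gate, not the caller, decides which ring the handler executes in.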

Page 9: Secure Operating Systems

Security: Must use KERNEL stack
So this gets complicated
We cannot use the user-mode stack for parameter passing… Why?
Solution: we switch to the kernel's own stack
Which call are we calling? Defined in EAX
There's a danger here too, in EBX (pointer to the parameters)
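The danger in EAX and EBX is that both values are chosen by ring-3 code and arrive in ring 0 unverified. The C model below is an added example, not code from the slides or from Windows: a hypothetical service table indexed by EAX, a parameter block addressed by EBX, and a dispatcher that bounds-checks the index, probes the pointer the way a kernel must before touching user memory (alignment, no wrap-around, entirely below the user/kernel split), and copies the parameters once onto its own stack so the service never re-reads user memory. The status names, the 0x80000000 split, the 64-byte simulated user window at 0x00400000 and the two services are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Status codes for the model (constructed names, not real NTSTATUS values). */
enum { ST_OK = 0, ST_INVALID_SERVICE = 1, ST_ACCESS_VIOLATION = 2 };

/* Address-space split assumed by the model: user addresses lie below USER_LIMIT. */
#define USER_LIMIT 0x80000000u

/* A 64-byte window of simulated user memory "mapped" at USER_BASE (constructed). */
#define USER_BASE 0x00400000u
static uint8_t user_mem[64];

/* Kernel-side copy from a simulated user address. Anything outside the mapped window
   fails, standing in for a page fault that the kernel catches and turns into a status. */
static bool copy_from_user(void *dst, uint32_t addr, uint32_t n) {
    if (addr < USER_BASE || n > sizeof user_mem || addr - USER_BASE > sizeof user_mem - n)
        return false;
    memcpy(dst, user_mem + (addr - USER_BASE), n);
    return true;
}

/* The "user program" side: place a 32-bit parameter in the simulated window. */
void user_write_u32(uint32_t addr, uint32_t value) {
    if (addr >= USER_BASE && addr - USER_BASE <= sizeof user_mem - 4)
        memcpy(user_mem + (addr - USER_BASE), &value, 4);
}

/* Hypothetical services; a real table would hold the kernel's Nt* entry points. */
typedef uint32_t (*service_fn)(const uint32_t *args);
static uint32_t svc_add(const uint32_t *a) { return a[0] + a[1]; }
static uint32_t svc_max(const uint32_t *a) { return a[0] > a[1] ? a[0] : a[1]; }

/* Service table: index = system call number (what EAX carries). nargs is at most 4. */
static const struct { service_fn fn; uint32_t nargs; } service_table[] = {
    { svc_add, 2 },
    { svc_max, 2 },
};
#define NUM_SERVICES (sizeof service_table / sizeof service_table[0])

/* The trusted side of the Int 2Eh transition. EAX selects the service, EBX points at the
   caller's parameter block. Every value that came from ring 3 is checked before use. */
int dispatch_syscall(uint32_t eax, uint32_t ebx, uint32_t *result) {
    if (eax >= NUM_SERVICES) return ST_INVALID_SERVICE;  /* EAX is an index: bounds-check it */
    uint32_t nbytes = service_table[eax].nargs * 4;
    /* Probe EBX before dereferencing: aligned, no wrap-around, wholly below USER_LIMIT.
       A kernel address in EBX is rejected here without the kernel ever reading it. */
    if (ebx & 3) return ST_ACCESS_VIOLATION;
    if (ebx + nbytes < ebx) return ST_ACCESS_VIOLATION;
    if (ebx + nbytes > USER_LIMIT) return ST_ACCESS_VIOLATION;
    /* Copy the parameters once onto the kernel's own stack. The service works only on this
       copy, so another user thread rewriting the block cannot change what was validated. */
    uint32_t kargs[4] = {0};
    if (!copy_from_user(kargs, ebx, nbytes)) return ST_ACCESS_VIOLATION;
    *result = service_table[eax].fn(kargs);
    return ST_OK;
}

uint32_t syscall_result;   /* where the demo and the checks below collect the return value */

int main(void) {
    user_write_u32(USER_BASE, 7);
    user_write_u32(USER_BASE + 4, 35);
    printf("svc 0 via EBX=%08x -> status %d result %u\n", USER_BASE,
           dispatch_syscall(0, USER_BASE, &syscall_result), syscall_result);
    printf("svc 0 via kernel address -> status %d\n",
           dispatch_syscall(0, 0x80001000u, &syscall_result));
    printf("svc 0 via wrapping pointer -> status %d\n",
           dispatch_syscall(0, 0xFFFFFFFCu, &syscall_result));
    printf("svc 99 -> status %d\n", dispatch_syscall(99, USER_BASE, &syscall_result));
    return 0;
}
```

Each rejected call corresponds to a mistake an unchecked dispatcher would make: indexing past the table with EAX, reading kernel memory on the caller's behalf through EBX, or letting `ebx + nbytes` wrap so the range check passes while the block straddles the split.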

Page 10: Secure Operating Systems

SYSENTER
Int 2E is slow: it has to load two bits of memory, and then figure out where to jump to
The solution? Hardcode where we jump to from SYSENTER, in an MSR (model specific register – in this case, SYSENTER_EIP_MSR)

Page 11: Secure Operating Systems

Okay. But…
The challenge is we're getting a much higher privilege process to do something for us
Which means what?

Page 12: Secure Operating Systems

Some Random Thoughts
3 Laws:

Simplicity – we need to make the OS as simple as possible

Completeness – quoting Einstein “everything should be as simple as possible, but no simpler”

Efficiency – it needs to be efficient (slightly different to fast)

Page 13: Secure Operating Systems

Everything is a file!
One possible way of accomplishing this is to make everything look like a file (does this sound familiar?)
This helps, as it provides a simple paradigm that, once the programmer "gets" it, is easy to code against

Page 14: Secure Operating Systems

Unix v. Windows
exec(name, argp, envp)
Or CreateProcessA (10 parms, plus a struct with 18 (!) parts)
What's the trade-off here? Remember, more code == more bugs

Page 15: Secure Operating Systems

Don't Hide Power
This quote is from Lampson
The basic idea is that abstractions are supposed to hide undesirable properties… not hide things we care about
This is slightly dangerous, but a good adage
But what of "public" versus "hidden" system calls? There are advantages to both approaches

Page 16: Secure Operating Systems

Two Things to do
Thursday: You need to read "The Cake is a Lie" by Locasto
Come to class Thursday ready to present a discussion of this paper – our class Thursday will be ALL discussion on this paper, and I'll be asking each of you to spend a few minutes talking. YOU WILL GET A GRADE FOR THIS.
Come prepared with something to say
Also, before the midterm, read http://www.pearsonhighered.com/educator/product/Modern-Operating-Systems/9780136006633.page Chapter 13

Page 17: Secure Operating Systems

Questions & Comments
What do you want to know?