OS Structure - PowerPoint PPT Presentation


1
OS Structure
  • Andrew Whitaker
  • CSE451

2
Operating Systems: What Are They Good For?
  • Multiprogramming
    • Process: virtualized address space, CPU
  • High-level abstractions
    • File system, TCP/IP sockets
  • Protection

3
Protection
  • Challenge: OS must safely support multiple
    protection domains
  • OS as law enforcement
  • Goals:
    • Protect applications from each other
    • Protect applications from themselves
    • Prevent a malicious application from taking control
      of the OS

4
The User/Kernel boundary
  • Kernel mode gives the OS special privileges
  • User/kernel boundary is enforced by hardware
  • Applications enter kernel mode by executing a
    system call

[Figure: three applications (App) in user mode, above the OS in kernel mode]

5
Examples of Privileged Instructions
  • Manipulating I/O devices
  • Interrupt enable/disable
  • Halt instruction
  • Manipulating protected registers
    • Such as user/kernel mode control

6
System Call Overview
  • User program invokes helper procedure
    • e.g., read, write, gettimeofday
  • Helper passes control to the OS
    • Indicates the system call number
    • Packages user arguments into registers
    • Issues a software interrupt (or trap)
  • OS saves user state (registers)
  • OS invokes appropriate system call handler
  • OS returns control to the user application

7
A kernel crossing illustrated
[Figure: a kernel crossing]
  • User mode: Firefox calls read(int fileDescriptor, void *buffer, int numBytes)
  • User mode: package arguments, trap to kernel mode
  • Kernel mode: trap handler saves registers, finds the sys_read() handler in the vector table
  • Kernel mode: sys_read() kernel routine runs
  • Kernel mode: restore app state, return to user mode, resume

8
Kernel Entry Points
  • Interrupts
    • Disk, network, timer, etc.
  • Software interrupts (traps, exceptions)
    • System calls
    • Protection violations
      • e.g., user executes a privileged instruction
    • Page faults
    • Error conditions
      • e.g., divide by zero, illegal opcode

9
Kernel Entry Points
  • Via application instructions (traps)
    • System calls
    • Protection violations
      • e.g., user executes a privileged instruction
    • Page faults
    • Error conditions
      • e.g., divide by zero, illegal opcode
  • Via hardware interrupts

[Figure: layers, top to bottom: Applications, OS Kernel, Hardware]

10
Errors in the OS
  • Q: What happens if the OS kernel divides by zero?

Blue Screen :-(

11
Memory Protection
  • Problem 1: OS must protect applications from each other
    • Solution: virtual memory
  • Problem 2: Kernel must protect its own code and data
    • Solution: partition the address space
    • Kernel region requires privileged mode access

12
Simplified Linux Address Space Layout
[Figure: kernel space (accessible by kernel only) above user space (accessible by kernel and application)]

13
Memory Protection Trickiness
Consider a hypothetical system call, zeroFill,
which fills a user buffer with zeroes:

    zeroFill(char *buffer, int bufferSize)

The following kernel implementation of zeroFill
contains a security vulnerability. What is the
vulnerability, and how would you fix it?

    void sys_zeroFill(char *buffer, int bufferSize) {
        for (int i = 0; i < bufferSize; i++) {
            buffer[i] = 0;
        }
    }

14
Solution
  • The user buffer pointer is untrusted and could
    point anywhere. In particular, it could point
    inside the kernel address space. This could lead
    to a system crash or security breakdown.
  • Fix: verify the pointer is a valid user address
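
The fix above, worked through as an added example (not code from the original slides). It models the address space as an array, so "addresses" are offsets into it; the KERNEL_BASE split, the ERR_FAULT value and all helper names are assumptions made for illustration. Real kernels perform this check with dedicated helpers, such as Linux's access_ok() and copy_to_user().

```c
#include <stdio.h>
#include <string.h>

/* Constructed model: one flat "address space" held in an array. Offsets
 * below KERNEL_BASE are user space; the rest is kernel space. */
#define SPACE_SIZE  4096u
#define KERNEL_BASE 3072u   /* assumed split, for illustration only */
#define ERR_FAULT   (-14)   /* same value as Linux EFAULT */
#define FILL        0xAA    /* marker byte for "untouched" memory */

static unsigned char space[SPACE_SIZE];
void reset_space(void) { memset(space, FILL, SPACE_SIZE); }

/* Returns 1 if no byte of the kernel region has been modified. */
int kernel_intact(void) {
    for (size_t i = KERNEL_BASE; i < SPACE_SIZE; i++)
        if (space[i] != FILL) return 0;
    return 1;
}

/* The slide's version: trusts the caller's address and size. */
void sys_zeroFill_vulnerable(size_t buffer, int bufferSize) {
    for (int i = 0; i < bufferSize; i++)
        space[buffer + i] = 0;
}

/* 1 only if [addr, addr + len) lies wholly inside user space. */
int user_range_ok(size_t addr, int len) {
    if (len < 0) return 0;                     /* negative size */
    if (addr >= KERNEL_BASE) return 0;         /* starts in kernel space */
    return (size_t)len <= KERNEL_BASE - addr;  /* no wrap, no straddle */
}

/* Hardened version: validate the whole range before the first write. */
int sys_zeroFill_checked(size_t buffer, int bufferSize) {
    if (!user_range_ok(buffer, bufferSize)) return ERR_FAULT;
    memset(&space[buffer], 0, (size_t)bufferSize);
    return 0;
}

int main(void) {
    reset_space();
    sys_zeroFill_vulnerable(KERNEL_BASE + 16, 64);  /* caller passes a kernel address */
    printf("vulnerable: kernel intact = %d\n", kernel_intact());
    reset_space();
    int rc = sys_zeroFill_checked(KERNEL_BASE + 16, 64);
    printf("checked: rc = %d, kernel intact = %d\n", rc, kernel_intact());
    return 0;
}
```

Checking only the start address is not enough: the range check also rejects a buffer that begins in user space and runs past the boundary, and a negative size.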

15
Follow-up Question
  • Is it a security risk to execute the zeroFill
    function in user mode?

    void zeroFill(char *buffer, int bufferSize) {
        for (int i = 0; i < bufferSize; i++) {
            buffer[i] = 0;
        }
    }

16
Solution
  • No. User-mode code does not have permission to
    access the kernel's address space. If it tries,
    the hardware raises an exception, which is safely
    handled by the OS.
  • More generally, no user-mode code should ever be
    a security vulnerability.
    • Unless the OS has a bug

17
Two Stacks are Better than One?
  • Processes generally have two stacks
    • One in user space
    • One in kernel space
  • The stack is switched (by hardware) on each
    kernel entry and exit.
  • Why?

[Figure: kernel space above user space]

18
Sample Test Question
  • What bad thing could happen if a user application
    could overwrite the interrupt dispatch vector?
  • How does the OS prevent this?

19
Solution
  • An application could:
    1) Prevent I/O operations from ever completing
    2) Prevent time from advancing, thus dominating the processor
  • Applications cannot modify the interrupt vector
    because it lives in the kernel address space.
    Any attempt to modify the interrupt vector raises
    a kernel exception, which is safely handled.

20
Sample Test Question
  • What prevents an application from directly
    reading from the disk, instead of passing through
    file system access control checks?

21
Solution
  • Instructions for manipulating I/O devices are
    privileged. Any attempt to use them in user mode
    raises a protection exception, which the
    operating system gracefully handles.