cs 6v81-05: system security and malicious code analysis - an overview of linux...

Linux Kernel Architecture Linux Kernel Source Code Windows Kernel Architecture OS Comparison Summary

CS 6V81-05: System Security and Malicious Code Analysis

An Overview of Linux (with Source) and Windows Kernel

Zhiqiang Lin

Department of Computer ScienceUniversity of Texas at Dallas

February 20th, 2012


Outline

1 Linux Kernel Architecture

2 Linux Kernel Source Code

3 Windows Kernel Architecture

4 OS Comparison

5 Summary


In the following a few weeks: OS Kernel


Unix history

Outline




4 OS Comparison

5 Summary


"Core" Kernel

1

Applications

System Libraries (libc)

System Call Interface

Hardware

Architecture-Dependent Code

I/O Related Process Related

Scheduler

Memory Management

IPC

File Systems

Networking

Device Drivers

Mo

du

les


Linux Kernel Architecture

2012/2/19 Zhiqiang Lin, Nanjing University 1


Hardware

Hardware Control (Interrupts handling, etc)

File System Management

Buffer Cache

Device Drivers

Process

Mgt.

IPC

Scheduling

Memory Mgt.

System Call Interface

Libraries

User Programs User Programs Trap

User level

Kernel level

Module

s



Why use monolithic kernel?begin from ’slow’ 386 architecturemicro-kernel depends on careful design

Linux use module approach to make use of theadvantages of micro-kernel

Outline




4 OS Comparison

5 Summary


Source Tree LayoutSource Tree Layout

/usr/src/linux Documentation

arch

fs

init kernel

include

ipc

drivers

net

mm lib

scripts

alpha

arm

i386

ia64

m68k

mips

mips64

ppc

s390

sh

sparc

sparc64

acorn

atm

block

cdrom

char

dio

fc4

i2c

i2o

ide

ieee1394

isdn

macintosh

misc

net

…

adfs

affs

autofs

autofs4

bfs

code

cramfs

devfs

devpts

efs

ext2

fat

hfs

hpfs

…

asm-alpha

asm-arm

asm-generic

asm-i386

asm-ia64

asm-m68k

asm-mips

asm-mips64

…

linux

math-emu

net

pcmcia

scsi

video

adfs

affs

autofs

autofs4

bfs

code

cramfs

devfs

devpts

efs

ext2

fat

hfs

hpfs

…

802

appletalk

atm

ax25

bridge

core

decnet

econet

ethernet

ipv4

ipv6

ipx

irda

khttpd

lapb

…


linux/Documentation

spotty but important collection of developer-generateddocumentation; you need to read what’s in here!recent effort to produce javadoc-style documentation fromsource header comments using OpenDocan ambitious open-source kernel book effort has begun;see kernelbook.sourceforge.net for detailssome especially interesting entries:

kernel-docs.txt (a bit out of date but good)filesystems/ (very extensive)networking/ (very extensive)kmod.txtoops-tracing.txtspinlocks.txt (the official story from Linus)


linux/arch

subdirectories for each current porteach contains kernel, lib, mm, boot and other directorieswhose contents override code stubs in architectureindependent codelib contains highly-optimized common utility routines suchas memcpy, checksums, etc.arch as of 2.6:

alpha, arm, i386, ia64, m68k, mips, mips64ppc, s390, sh, sparc, sparc64


linux/drivers

largest amount of code in the kernel tree ( 1.5M)device, bus, platform and general directoriesdrivers/char - n_tty.c is the default line disciplinedrivers/block - elevator.c, genhd.c, linear.c, ll_rw_blk.c,raidN.cdrivers/net -specific drivers and general routines Space.cand net_init.cdrivers/scsi - scsi_*.c files are generic; sd.c (disk), sr.c(CD-ROM), st.c (tape), sg.c (generic)general:

cdrom, ide, isdn, parport, pcmcia,pnp, sound, telephony, video

buses - fc4, i2c, nubus, pci, sbus, tc, usbplatforms - acorn, macintosh, s390, sgi


linux/fs

contains:virtual filesystem (VFS) frameworksubdirectories for actual filesystems

vfs-related files:exec.c, binfmt_*.c - files for mapping new process imagesdevices.c, blk_dev.c - device registration, block devicesupportsuper.c, filesystems.cinode.c, dcache.c, namei.c, buffer.c, file_table.copen.c, read_write.c, select.c, pipe.c, fifo.cfcntl.c, ioctl.c, locks.c, dquot.c, stat.c


linux/include

include/asm-*architecture-dependent include subdirectories

include/linuxheader info needed both by the kernel and user appsusually linked to /usr/include/linuxkernel-only portions guarded by #ifdefs

#ifdef __KERNEL__/* kernel stuff */#endif

other directories:math-emunetpcmciascsivideo


linux/init

just two files: version.c, main.cversion.c - contains the version banner that prints at bootmain.c - architecture-independent boot codestart_kernel is the primary entry point


linux/ipc

System V IPC facilitiesif disabled at compile-time, util.c exports stubs that simplyreturn -ENOSYSone file for each facility:

sem.c - semaphoresshm.c - shared memorymsg.c - message queues


linux/kernel

the core kernel codesched.c - “the main kernel file”scheduler, wait queues, timers, alarms, task queues

process controlfork.c, exec.c, signal.c, exit.cacct.c, capability.c, exec_domain.c

kernel module supportkmod.c, ksyms.c, module.c

other operationstime.c, resource.c, dma.c, softirq.c, itimer.cprintk.c, info.c, panic.c, sysctl.c, sys.c


linux/lib

kernel code cannot call standard C library routinesfiles:

brlock.c - “Big Reader” spinlockscmdline.c - kernel command line parsing routineserrno.c - global definition of errnoinflate.c - “gunzip” part of gzip.c used during bootstring.c - portable string codeusually replaced by optimized, architecture-dependentroutinesvsprintf.c - libc replacement


linux/mm

paging and swappingswap.c, swapfile.c (paging devices), swap_state.c (cache)vmscan.c - paging policies, kwapdpage_io.c - low-level page transfer

allocation and deallocationslab.c - slab allocatorpage_alloc.c - page-based allocator zone allocatorvmalloc.c - kernel virtual-memory allocator

memory mappingmemory.c - paging, fault-handling, page table codefilemap.c - file mappingmmap.c, mremap.c, mlock.c, mprotect.c


linux/scripts

scripts for:menu-based kernel configurationkernel patchinggenerating kernel documentation


Where to start looking

System startup and initializationarch/i386/kernel/head.SSome arch-dependent setup and then jumps to the main()in init/main.c

Memory managementPage fault handling: mm/memory.cMemory mapping and page caching: mm/filemap.cBuffer cache: mm/buffer.cSwap cache: mm/swap_state.c, mm/swapfile.c

KernelScheduler: kernel/sched.cFork: kernel/fork.cBottom half of int handling: include/linux/interrupt.hProc table: include/linux/sched.h


Where to start looking

Interrupt handlingAlmost architecture specificarch/i386/kernel/irq.c

NetworkNetworking code in net, include files in include/netBSD socket code: net/socket.cIP version 4 INET code: net/ipv4/af_inet.cGeneric protocol support code: net/coreTCP/IP networking code: net/ipv4

How to start lookingFew tools availablevi, ctags, cflow

Outline




4 OS Comparison

5 Summary


Windows Kernel Architecture

© Microsoft Corporation 2004

User‐mode

Kernel‐mode Trap interface / LPC

ntdll / run‐time library

Win32 GUIProcs & threads

Kernel run‐time / Hardware Adaptation Layer

Virtual memoryIO ManagerSecurity refmon

Cache mgr

File filtersFile systemsVolume mgrsDevice stacks

Scheduler

Kernel32 User32 / GDI

DLLs

Applications

System Services

Object Manager / Configuration Management

FS run‐time

exec synchr

Subsystemservers

Login/GINA

Critical services


Windows Kernel Organization

Kernel-mode organized into

NTOS (kernel-mode services)Run-time Library, Scheduling, Executive services, objectmanager, services for I/O, memory, processes

Hal (hardware-adaptation layer)Insulates NTOS & drivers from hardware dependenciesProviders facilities, such as device access, timers, interruptservicing, clocks, spinlocks

Driverskernel extensions (primarily for device access)


Major Kernel Services

Process managementProcess/thread creationSchedules thread execution on each processor

Security reference monitorAccess checks, token management

Memory managerPagefaults, virtual address, physical frame, and pagefilemanagement Services for sharing, copy-on-write, mappedfiles, GC support, large apps

Lightweight Procedure Call (LPC)Native transport for RPC and user-mode system services.

I/O manager (plug-and-play, power)Maps user requests into IRP requests, configures/managesI/O devices, implements services for drivers

Cache managerProvides file-based caching for buffer file system I/OBuilt over the memory manager


Windows Kernel Organization

Kernel-mode organized into

NTOS (kernel-mode services)Run-time Library, Scheduling, Executive services, objectmanager, services for I/O, memory, processes

Hal (hardware-adaptation layer)Insulates NTOS & drivers from hardware dependenciesProviders facilities, such as device access, timers, interruptservicing, clocks, spinlocks

Driverskernel extensions (primarily for device access)

Outline




4 OS Comparison

5 Summary


OS Providers

Microsoft, IBM, Apple, Oracle (Sun), Google...


History of Windows

http://windows.microsoft.com/en-US/windows/history1975-1981: Microsoft boots up (Microsoft co-founders PaulAllen (left) and Bill Gates)1982-1985: Introducing Windows 1.01987-1992: Windows 2.0-2.11–More windows, more speed1990-1994: Windows 3.0-Windows NT–Getting thegraphics1995-2001: Windows 95–the PC comes of age (and don’tforget the Internet)1998-2000: Windows 98, Windows 2000, Windows Me2001-2005: Windows XP–Stable, usable, and fast2006-2008: Windows Vista–Smart on security2009-Today: Windows 7 and counting...


Mac OS

Mac OS is a super-modern operating system thatcombines the power and stability of UNIX with thelegendary elegance of the Macintosh.Mac OS features a stunning new user interface, makingwork and play on the Mac even more intuitive for newusers, while providing powerful, customizable tools forprofessionals. At the foundation of Mac OS lies anindustrial-strength UNIX-based core operating system thatdelivers unprecedented stability and performance.Quote fromhttp://en.wikipedia.org/wiki/History_of_Mac_OS


Comparing Operating Systems

Comparing:Windows XP/Vista/7Macintosh OS XLinux

Price?Hardware platform?Included Software?Ease of Use?Pretty?Software Availability?

Outline




4 OS Comparison

5 Summary


Summary

Linux kernelLinux kernel source code

Windows kernelComparison of the common OSes

Book RecommendationUnderstanding the Linux Kernel, 3rd Editionhttp://voinici.ceata.org/ tct/resurse/utlk.pdf

cs 6v81-05: system security and malicious code analysis - an overview of linux...

Documents