Plan for Today
Access Control
User IDs
System Calls
1
Sign up for PS4 demos today!
PS4 is due 11:59pm Sunday, 6 April
Minimizing
Magic
2
It’s all magic!
Physics
Four Years Studying Computing at an Elite Public University
It’s all understandable! (and I can do magical things!)
Cool Computing Stuff
Class 1:
Course Goal Reminder: Minimizing Magic
3
It’s all magic!
Physics
Cool Computing Stuff
cs1110, cs2110, cs2150, cs2330, cs3330, cs3102, cs4414, cs4610, electives
Class 1:
Course Goal Reminder: Minimizing Magic
4
If you have any gaps left (other than synchronization primitives),
post them in comments or email me.
What’s wrong with Zhtta?
5
What’s wrong with Zhtta?
6
Note: because of the way pathnames are handled, I think it
is probably actually secure (except for links in www/).
7
Why Might Letting Anyone
Read Any File on your
Machine Be a Bad Idea?
LMGTFY
8
This is serious: actually trying the passwords would be wrong and criminal.*
* Just because someone “broadcasts” their password or uses laughable security, doesn’t mean the FBI considers it “authorized” access. Whether it is you or Google that is breaking the law in this case is unclear.
Unix (Sort-of) “Solution”
9
Zhtta and Apache’s (Partial) Solution
10
in httpd.conf:
DocumentRoot /home/evans/htdocs/
Apache will only serve files in DocumentRoot’s subtree.
Apache’s (Partial) Solution
11
in httpd.conf:
DocumentRoot /home/evans/htdocs/
<Directory />
    Options FollowSymLinks
</Directory>
Oops! Now it will follow symlinks inside the DocumentRoot subtree to anywhere…
Apache’s (Further) Solution
12
in httpd.conf:
User #-1
Apache starts running as root (uid = 0) so that it can listen on port 80, which is the default web port.
By default, it switches to run as uid = -1 (“nobody”) when processing requests.
13
bash-3.2$ ps aux | grep httpd
dave 20926 0.0 0.0 2423356 208 p0 R+ 10:15PM 0:00.00 grep httpd
_www 20923 0.0 0.0 2437400 700 ?? S 10:15PM 0:00.00 httpd
root 20922 0.0 0.0 2437400 2376 ?? Ss 10:15PM 0:00.05 httpd
# after one request
bash-3.2$ ps aux | grep httpd
dave 20934 0.0 0.0 2432768 620 p0 S+ 10:16PM 0:00.00 grep httpd
_www 20932 0.0 0.0 2437400 700 ?? S 10:16PM 0:00.00 httpd
_www 20931 0.0 0.0 2437400 700 ?? S 10:16PM 0:00.00 httpd
_www 20930 0.0 0.0 2437400 896 ?? S 10:16PM 0:00.00 httpd
_www 20923 0.0 0.0 2437400 1800 ?? S 10:15PM 0:00.01 httpd
root 20922 0.0 0.0 2437400 2376 ?? Ss 10:15PM 0:00.05 httpd
Access Control
14
How does the OS know whether or not
the (effective) user can read a file?
15
16
17
18
Size of File (bytes)
Device ID
User ID
Group ID
File Mode (permission bits)
Link count (number of hard links to node)
…
Diskmap
Access Control Matrix
19
Users \ Files   /alice/www/index.html   /dave/secrets.txt   /alice/secrets.txt
root            read, write             read, write         read, write
dave            read                    read, write         -
www             read                    -                   -
Can Unix-like file system support this?
20
Size of File (bytes)
Device ID
User ID
Group ID
File Mode (permission bits)
Link count (number of hard links to node)
…
Diskmap
21
http://lxr.free-electrons.com/source/include/linux/fs.h (Linux Version 3.14)
22
http://lxr.free-electrons.com/source/include/linux/fs.h (Linux Version 3.14)
include/linux/types.h#L18
short: at least 16 bits
Unix File Mode Permission Bits
23
owner: read, write, execute
group: read, write, execute
others: read, write, execute
+ 7 bits for other stuff: file/directory, symbolic link, etc.
666
644
000
755
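Added example, not from the original slides: a C model of how a Unix-like kernel decides whether the (effective) user can access a file from the inode's User ID, Group ID and File Mode, applied to the access control matrix above. The numeric uid/gid values, the shared group and the modes 0644/0600 are assumptions chosen to reproduce that matrix; supplementary groups, ACLs and capabilities are not modeled.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Requested access, same bit layout as one rwx triple of the file mode. */
enum { WANT_R = 4, WANT_W = 2, WANT_X = 1 };

/* The inode fields the decision uses (a subset of the slide's inode list). */
struct inode_meta {
    uid_t  uid;    /* User ID of the owner */
    gid_t  gid;    /* Group ID */
    mode_t mode;   /* File Mode; low 9 bits are rwx for owner/group/others */
};

/* Constructed IDs for the users named in the access control matrix. */
enum { UID_ROOT = 0, UID_WWW = 70, UID_ALICE = 1000, UID_DAVE = 1001 };
enum { GID_WWW = 70, GID_USERS = 100 };

/*
 * Classic Unix check: select exactly one triple (owner, else group, else
 * others) and test the requested bits against it. The first matching class
 * decides; the triples are never OR-ed together.
 */
bool may_access(const struct inode_meta *ino, uid_t euid, gid_t egid, int want)
{
    unsigned triple;

    if (euid == 0) {
        /* root: read/write always pass; execute needs some x bit set */
        return !(want & WANT_X) || (ino->mode & 0111) != 0;
    }
    if (euid == ino->uid)
        triple = (ino->mode >> 6) & 7;   /* owner bits, even if weaker */
    else if (egid == ino->gid)
        triple = (ino->mode >> 3) & 7;   /* group bits */
    else
        triple = ino->mode & 7;          /* others bits */

    return (triple & (unsigned)want) == (unsigned)want;
}

/* The three files from the matrix, with modes chosen to reproduce it. */
const struct inode_meta alice_index   = { UID_ALICE, GID_USERS, 0644 };
const struct inode_meta dave_secrets  = { UID_DAVE,  GID_USERS, 0600 };
const struct inode_meta alice_secrets = { UID_ALICE, GID_USERS, 0600 };

int main(void)
{
    const struct { const char *name; uid_t uid; gid_t gid; } who[] = {
        { "root", UID_ROOT, 0 },
        { "dave", UID_DAVE, GID_USERS },
        { "www",  UID_WWW,  GID_WWW },
    };
    const struct inode_meta *files[] = {
        &alice_index, &dave_secrets, &alice_secrets
    };

    /* Print one row per user: r/w verdict for each of the three files. */
    for (size_t u = 0; u < 3; u++) {
        printf("%-5s", who[u].name);
        for (size_t f = 0; f < 3; f++)
            printf("  %c%c",
                   may_access(files[f], who[u].uid, who[u].gid, WANT_R) ? 'r' : '-',
                   may_access(files[f], who[u].uid, who[u].gid, WANT_W) ? 'w' : '-');
        printf("\n");
    }
    return 0;
}
```

This matrix fits in nine mode bits only because each file needs at most three distinct rights classes; a row that gave dave and www different rights on a file neither owns, with both outside its group, could not be expressed.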
24
bash-3.2$ ps aux | grep httpd
dave 20926 0.0 0.0 2423356 208 p0 R+ 10:15PM 0:00.00 grep httpd
_www 20923 0.0 0.0 2437400 700 ?? S 10:15PM 0:00.00 httpd
root 20922 0.0 0.0 2437400 2376 ?? Ss 10:15PM 0:00.05 httpd
# after one request
bash-3.2$ ps aux | grep httpd
dave 20934 0.0 0.0 2432768 620 p0 S+ 10:16PM 0:00.00 grep httpd
_www 20932 0.0 0.0 2437400 700 ?? S 10:16PM 0:00.00 httpd
_www 20931 0.0 0.0 2437400 700 ?? S 10:16PM 0:00.00 httpd
_www 20930 0.0 0.0 2437400 896 ?? S 10:16PM 0:00.00 httpd
_www 20923 0.0 0.0 2437400 1800 ?? S 10:15PM 0:00.01 httpd
root 20922 0.0 0.0 2437400 2376 ?? Ss 10:15PM 0:00.05 httpd
How does Apache create processes running as different users?
Changing Users
25
int setuid(uid_t uid);
real user id (ruid) = owner of the process
effective user id (euid) = ID used in access control decisions
saved user id (suid) = previous user ID that may be restored
Using setuid
26
httpd
euid: 0 (root)
HTTP GET ./../../../user/dave/secrets.txt
handler
pid_t handler = fork();
if (handler == 0) {
    setuid(-1);
    …
}
fopen(pathname, "r")
Error: secrets.txt not readable to user nobody
Using setuid
27
httpd
euid: 0 (root)
HTTP GET ./../../../user/dave/secrets.txt
handler
pid_t handler = fork();
if (handler == 0) {
    setuid(-1);
    …
}
fopen(pathname, "r")
Error: secrets.txt not readable to user nobody
Principle of Least Privilege
Running code should have as little
power as possible to get the job done.
28
SOSP 1973
POSIX Spec
for setuid
29
30
Hao Chen, David Wagner, Drew Dean.
Setuid Demystified
USENIX Security 2002
Where should Apache httpd
call setuid?
31
32
gash> curl http://apache.mirrors.tds.net//httpd/httpd-2.4.9.tar.gz | tar xz
gash> cd httpd-2.4.9/
gash> find . -name "*.c" -print | xargs grep "setuid("
./modules/arch/unix/mod_privileges.c: if (cfg->uid && (setuid(ap_unixd_config.user_id)
== -1)) {
./modules/arch/unix/mod_privileges.c: if (cfg->uid && (setuid(cfg->uid) == -1)) {
./modules/arch/unix/mod_unixd.c: setuid(ap_unixd_config.user_id) == -1)) {
./modules/arch/unix/mod_unixd.c: setuid(ap_unixd_config.user_id) == -1)) {
./os/bs2000/os.c:/* This routine complements the setuid() call: it causes the BS2000 job
./os/bs2000/os.c:/* BS2000 requires a "special" version of fork() before a setuid() call */
./os/unix/unixd.c:/* This routine complements the setuid() call: it causes the BS2000 job
./os/unix/unixd.c:/* BS2000 requires a "special" version of fork() before a setuid() call */
./server/mpm/prefork/prefork.c: /* BS2000 requires a "special" version of fork() before a
setuid() call */
./support/suexec.c: * before we setuid().
./support/suexec.c: * setuid() to the target user. Error out on fail.
./support/suexec.c: if ((setuid(uid)) != 0) {
33
in mod_privileges.c:
/* if either user or group are not the default, restore them */
if (cfg->uid || cfg->gid) {
    if (setppriv(PRIV_ON, PRIV_EFFECTIVE, priv_setid) == -1) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02136)
                      "PRIV_ON failed restoring default user/group");
    }
    if (cfg->uid && (setuid(ap_unixd_config.user_id) == -1)) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02137)
                      "Error restoring default userid");
    }
    if (cfg->gid && (setgid(ap_unixd_config.group_id) == -1)) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02138)
                      "Error restoring default group");
    }
}
Apache’s (Further) Solution
34
in httpd.conf:
User #-1
Apache starts running as root (uid = 0) so that it can listen on port 80, which is the default web port.
By default, it switches to run as uid = -1 (“nobody”) when processing requests.
A few minutes ago…
35
in mod_unixd.c:
static int
unixd_drop_privileges(apr_pool_t *pool, server_rec *s)
{
    …
    /* Only try to switch if we're running as root */
    if (!geteuid() && (setuid(ap_unixd_config.user_id) == -1)) {
        rv = errno;
        ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL, APLOGNO(02162)
                     "setuid: unable to change to uid: %ld",
                     (long) ap_unixd_config.user_id);
        return rv;
    }
36
in support/suexec.c:
… copyright and license
/*
* suexec.c -- "Wrapper" support program for suEXEC behaviour for Apache
*
***********************************************************************
*
* NOTE! : DO NOT edit this code!!! Unless you know what you are doing,
* editing this code might open up your system in unexpected
* ways to would-be crackers. Every precaution has been taken
* to make this code as safe as possible; alter it at your own
* risk.
*
***********************************************************************
*
*
*/
37
/*
 * setuid() to the target user. Error out on fail.
 */
if ((setuid(uid)) != 0) {
    log_err("failed to setuid (%lu: %s)\n", (unsigned long)uid, cmd);
    exit(110);
}
38
/*
 * setuid() to the target user. Error out on fail.
 */
if ((setuid(uid)) != 0) {
    log_err("failed to setuid (%lu: %s)\n", (unsigned long)uid, cmd);
    exit(110);
}
…
/*
 * Stat the cwd and verify it is a directory, or error out.
 */
if (((lstat(cwd, &dir_info)) != 0) || !(S_ISDIR(dir_info.st_mode))) {
    log_err("cannot stat directory: (%s)\n", cwd);
    exit(115);
}
…
39
/*
 * Error out if cwd is writable by others.
 */
if ((dir_info.st_mode & S_IWOTH) || …) {
    log_err("directory is writable by others: (%s)\n", cwd);
    exit(116);
}
/*
 * Error out if we cannot stat the program.
 */
if (((lstat(cmd, &prg_info)) != 0) || …) {
    log_err("cannot stat program: (%s)\n", cmd);
    exit(117);
}
/*
 * Error out if the program is writable by others.
 */
if ((prg_info.st_mode & S_IWOTH) || …) {
    log_err("file is writable by others: (%s/%s)\n", cwd, cmd);
    exit(118);
}
/*
 * Error out if the file is setuid or setgid.
 */
if ((prg_info.st_mode & S_ISUID) || (prg_info.st_mode & S_ISGID))
{
    log_err("file is either setuid or setgid: (%s/%s)\n", cwd, cmd);
    exit(119);
}
/*
 * Error out if the target name/group is different from
 * the name/group of the cwd or the program.
 */
if ((uid != dir_info.st_uid) || …) {
    …
    exit(120);
}
/*
 * Error out if the program is not executable for the user.
 * Otherwise, she won't find any error in the logs except for
 * "[error] Premature end of script headers: ..."
 */
if (!(prg_info.st_mode & S_IXUSR)) {
    log_err("file has no execute permission: (%s/%s)\n", cwd, cmd);
    exit(121);
}
40
/*
 * Execute the command, replacing our image with its own.
 */
...
execv(cmd, &argv[3]);
/*
 * (I can't help myself...sorry.)
 *
 * Uh oh. Still here. Where's the kaboom? There was supposed to be an
 * EARTH-shattering kaboom!
 *
 * Oh well, log the failure and error out.
 */
log_err("(%d)%s: exec failed (%s)\n", errno, strerror(errno), cmd);
exit(255);
}
41
/*
 * suexec.c -- "Wrapper" support program for suEXEC behaviour for Apache
 ***********************************************************************
 *
 * NOTE! : DO NOT edit this code!!! Unless you know what you are doing,
 * editing this code might open up your system in unexpected
 * ways to would-be crackers. Every precaution has been taken
 * to make this code as safe as possible; alter it at your own risk.
 */
…
if ((setuid(uid)) != 0) {
    log_err("failed to setuid (%lu: %s)\n", (unsigned long)uid, cmd);
    exit(110);
}
…
/*
 * Error out if the program is writable by others.
 */
if ((prg_info.st_mode & S_IWOTH) || …) {
    log_err("file is writable by others: (%s/%s)\n", cwd, cmd);
    exit(118);
}
…
/*
 * Error out if the program is not executable for the user.
 * Otherwise, she won't find any error in the logs except for
 * "[error] Premature end of script headers: ..."
 */
if (!(prg_info.st_mode & S_IXUSR)) {
    log_err("file has no execute permission: (%s/%s)\n", cwd, cmd);
    exit(121);
}
…
execv(cmd, &argv[3]);
log_err("(%d)%s: exec failed (%s)\n", errno, strerror(errno), cmd);
exit(255);
}
42
Well done Apache!
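Added example, not from the original slides and not Apache's code: a C function that applies, in the same order, the pre-exec checks visible on the suEXEC slides above and returns the matching exit code instead of exiting. `vet_target` and `demo_case` are hypothetical names; the conditions the slides elide with “…” are not reconstructed, and the program-owner comparison is inferred from the slide's comment.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Result codes reuse the exit() values shown on the slides. */
enum vet_result {
    VET_OK            = 0,
    VET_DIR_STAT      = 115,  /* cannot stat directory, or not a directory */
    VET_DIR_WRITABLE  = 116,  /* directory is writable by others */
    VET_PROG_STAT     = 117,  /* cannot stat program */
    VET_PROG_WRITABLE = 118,  /* file is writable by others */
    VET_PROG_SETID    = 119,  /* file is either setuid or setgid */
    VET_OWNER         = 120,  /* target user does not own dir or program */
    VET_NOT_EXEC      = 121   /* file has no execute permission */
};

/* Hypothetical helper: vet dir/prog for execution as `uid`, fail closed. */
enum vet_result vet_target(const char *dir, const char *prog, uid_t uid)
{
    struct stat dir_info, prg_info;
    char path[4096];

    /* lstat, not stat: a symlink is judged as itself, never followed */
    if (lstat(dir, &dir_info) != 0 || !S_ISDIR(dir_info.st_mode))
        return VET_DIR_STAT;
    if (dir_info.st_mode & S_IWOTH)
        return VET_DIR_WRITABLE;

    if (snprintf(path, sizeof path, "%s/%s", dir, prog) >= (int)sizeof path)
        return VET_PROG_STAT;              /* path too long: refuse */
    if (lstat(path, &prg_info) != 0)
        return VET_PROG_STAT;
    if (prg_info.st_mode & S_IWOTH)
        return VET_PROG_WRITABLE;
    if (prg_info.st_mode & (S_ISUID | S_ISGID))
        return VET_PROG_SETID;
    if (uid != dir_info.st_uid || uid != prg_info.st_uid)
        return VET_OWNER;
    if (!(prg_info.st_mode & S_IXUSR))
        return VET_NOT_EXEC;
    return VET_OK;
}

/*
 * Constructed fixture: create a throwaway directory and program with the
 * given modes, vet them for target_uid, clean up, return the verdict.
 */
enum vet_result demo_case(mode_t dir_mode, mode_t prog_mode, uid_t target_uid)
{
    char dir[] = "/tmp/vet-demo-XXXXXX";
    char path[64];
    enum vet_result r;
    int fd;

    if (mkdtemp(dir) == NULL)
        return VET_DIR_STAT;
    snprintf(path, sizeof path, "%s/hello.cgi", dir);
    fd = open(path, O_CREAT | O_WRONLY | O_EXCL, 0600);
    if (fd >= 0)
        close(fd);
    chmod(path, prog_mode);     /* chmod ignores the umask: exact bits */
    chmod(dir, dir_mode);
    r = vet_target(dir, "hello.cgi", target_uid);
    chmod(dir, 0700);           /* restore so cleanup can proceed */
    unlink(path);
    rmdir(dir);
    return r;
}

int main(void)
{
    uid_t me = geteuid();

    printf("dir 0755, prog 0755      -> %d\n", demo_case(0755, 0755, me));
    printf("world-writable dir       -> %d\n", demo_case(0757, 0755, me));
    printf("world-writable program   -> %d\n", demo_case(0755, 0757, me));
    printf("setuid program           -> %d\n", demo_case(0755, 04755, me));
    printf("program without x bit    -> %d\n", demo_case(0755, 0644, me));
    printf("owned by a different uid -> %d\n", demo_case(0755, 0755, me + 1));
    return 0;
}
```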
How is setuid implemented?
43
if ((setuid(uid)) != 0) {
    log_err("failed to setuid (%lu: %s)\n", …);
    exit(110);
}
libc
44
45
glibc/sysdeps/unix/sysv/linux/setuid.c:
int
__setuid (uid_t uid)
{
return INLINE_SETXID_SYSCALL (setuid, 1, uid);
}
#ifndef __setuid
weak_alias (__setuid, setuid)
#endif
46
#define DO_CALL(syscall_name, args) \
  lea SYS_ify (syscall_name), %rax; \
  syscall
glibc/sysdeps/unix/x86_64/sysdep.h
int $0x80
#define PSEUDO(name, syscall_name, args) \
lose: \
  jmp JUMPTARGET(syscall_error) \
  .globl syscall_error; \
  ENTRY (name) \
  DO_CALL (syscall_name, args); \
  jb lose
glibc/sysdeps/x86_64/sysdep.h
Why can’t libc call directly
into the kernel?
47
Getting to the Kernel
48
setuid(uid)
httpd
libc: setuid()
linux kernel: syscall
int 0x80
jumps into kernel code
sets supervisor mode
Traditional PC Design
49
CPU
Programmable Interrupt Controller (PIC)
Timer
Keyboard
50
Page 2213 of Intel x86 Manual:
http://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-manual-325462.pdf
Modern x86 Design:
“APIC” = “Advanced PIC”
51
Page 2213 of Intel x86 Manual:
http://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-manual-325462.pdf
What should generate an
“External Interrupt”?
What should generate a
“Local Interrupt”?
52
53
54
IronKernel:
arch/arm/cpu/interrupt.rs
Handling Syscall
Interrupts
55
…
lea SYS_setuid,%rax
int $0x80
CPU
Programmable
Interrupt
Controller
(PIC)
56
Intel manual, p. 146:
57
Context Switch!
58
setuid(uid)
httpd
libc: setuid()
linux kernel: syscall
int 0x80
jumps into kernel code
sets supervisor mode
59
linux-3.2.0/arch/x86/kernel/traps.c
void __init trap_init(void)
{
    …
    set_intr_gate(X86_TRAP_DE, &divide_error);
    set_intr_gate_ist(X86_TRAP_NMI, &nmi, NMI_STACK);
    …
    set_intr_gate(X86_TRAP_BR, &bounds);
    set_intr_gate(X86_TRAP_UD, &invalid_op);
    …
    /* Reserve all the builtin and the syscall vector: */
    for (i = 0; i < FIRST_EXTERNAL_VECTOR; i++)
        set_bit(i, used_vectors);
    set_system_intr_gate(IA32_SYSCALL_VECTOR, ia32_syscall);
    set_bit(IA32_SYSCALL_VECTOR, used_vectors);
    …
    cpu_init();
60
gash> find . -name "*.h" -print | xargs grep "IA32_SYSCALL_VECTOR"
./arch/x86/include/asm/irq_vectors.h:#define IA32_SYSCALL_VECTOR 0x80
61
linux-3.2.0/kernel/sys.c
SYSCALL_DEFINE1(setuid, uid_t, uid)
{
    const struct cred *old;
    struct cred *new;
    int retval;
    new = prepare_creds();
    if (!new)
        return -ENOMEM;
    old = current_cred();
    retval = -EPERM;
62
    …
    if (nsown_capable(CAP_SETUID)) {
        new->suid = new->uid = uid;
        if (uid != old->uid) {
            retval = set_user(new);
            if (retval < 0) goto error;
        }
    } else if (uid != old->uid && uid != new->suid) { goto error; }
    ...
    new->fsuid = new->euid = uid;
    retval = security_task_fix_setuid(new, old, LSM_SETID_ID);
    if (retval < 0) goto error;
    return commit_creds(new);
error:
    abort_creds(new);
    return retval;
}
63
/**
* commit_creds - Install new credentials upon the current task
* @new: The credentials to be assigned
*
* Install a new set of credentials to the current task, using RCU to replace
* the old set. Both the objective and the subjective credentials pointers are
* updated. This function may not be called if the subjective credentials are
* in an overridden state.
*
* This function eats the caller's reference to the new credentials.
*
* Always returns 0 thus allowing this function to be tail-called at the end
* of, say, sys_setgid().
*/
int commit_creds(struct cred *new)
{
…
64
int commit_creds(struct cred *new)
{
struct task_struct *task = current;
/* do it
* RLIMIT_NPROC limits on user->processes have already been checked
* in set_user().
*/
alter_cred_subscribers(new, 2);
if (new->user != old->user)
atomic_inc(&new->user->processes);
rcu_assign_pointer(task->real_cred, new);
rcu_assign_pointer(task->cred, new);
if (new->user != old->user)
atomic_dec(&old->user->processes);
alter_cred_subscribers(old, -2);
…
Back to Apache
65
setuid(uid)
httpd
libc: setuid()
linux kernel: syscall
int 0x80
jumps into kernel code
sets supervisor mode
Project Idea?
66
Make system calls work in IronKernel
Charge
67
Sign up for PS4 demos today!
PS4 is due 11:59pm Sunday, 6 April
When writing security-sensitive code, emulate
Apache’s suEXEC, not glibc or the Linux kernel.
(Note: any code that runs on the Internet is
“security-sensitive”.)

 
Introduction to Debuggers
Introduction to DebuggersIntroduction to Debuggers
Introduction to Debuggers
 
Android 4.2 Internals - Bluetooth and Network
Android 4.2 Internals - Bluetooth and NetworkAndroid 4.2 Internals - Bluetooth and Network
Android 4.2 Internals - Bluetooth and Network
 
Troubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device DriversTroubleshooting Linux Kernel Modules And Device Drivers
Troubleshooting Linux Kernel Modules And Device Drivers
 
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
Troubleshooting linux-kernel-modules-and-device-drivers-1233050713693744-1
 
A CTF Hackers Toolbox
A CTF Hackers ToolboxA CTF Hackers Toolbox
A CTF Hackers Toolbox
 
Dtrace и немного магии
Dtrace и немного магииDtrace и немного магии
Dtrace и немного магии
 

More from David Evans

Cryptocurrency Jeopardy!
Cryptocurrency Jeopardy!Cryptocurrency Jeopardy!
Cryptocurrency Jeopardy!David Evans
 
Trick or Treat?: Bitcoin for Non-Believers, Cryptocurrencies for Cypherpunks
Trick or Treat?: Bitcoin for Non-Believers, Cryptocurrencies for CypherpunksTrick or Treat?: Bitcoin for Non-Believers, Cryptocurrencies for Cypherpunks
Trick or Treat?: Bitcoin for Non-Believers, Cryptocurrencies for CypherpunksDavid Evans
 
Hidden Services, Zero Knowledge
Hidden Services, Zero KnowledgeHidden Services, Zero Knowledge
Hidden Services, Zero KnowledgeDavid Evans
 
Anonymity in Bitcoin
Anonymity in BitcoinAnonymity in Bitcoin
Anonymity in BitcoinDavid Evans
 
Midterm Confirmations
Midterm ConfirmationsMidterm Confirmations
Midterm ConfirmationsDavid Evans
 
Scripting Transactions
Scripting TransactionsScripting Transactions
Scripting TransactionsDavid Evans
 
How to Live in Paradise
How to Live in ParadiseHow to Live in Paradise
How to Live in ParadiseDavid Evans
 
Mining Economics
Mining EconomicsMining Economics
Mining EconomicsDavid Evans
 
Becoming More Paranoid
Becoming More ParanoidBecoming More Paranoid
Becoming More ParanoidDavid Evans
 
Asymmetric Key Signatures
Asymmetric Key SignaturesAsymmetric Key Signatures
Asymmetric Key SignaturesDavid Evans
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to CryptographyDavid Evans
 
Class 1: What is Money?
Class 1: What is Money?Class 1: What is Money?
Class 1: What is Money?David Evans
 
Multi-Party Computation for the Masses
Multi-Party Computation for the MassesMulti-Party Computation for the Masses
Multi-Party Computation for the MassesDavid Evans
 
Proof of Reserve
Proof of ReserveProof of Reserve
Proof of ReserveDavid Evans
 
Blooming Sidechains!
Blooming Sidechains!Blooming Sidechains!
Blooming Sidechains!David Evans
 
Useful Proofs of Work, Permacoin
Useful Proofs of Work, PermacoinUseful Proofs of Work, Permacoin
Useful Proofs of Work, PermacoinDavid Evans
 

More from David Evans (20)

Cryptocurrency Jeopardy!
Cryptocurrency Jeopardy!Cryptocurrency Jeopardy!
Cryptocurrency Jeopardy!
 
Trick or Treat?: Bitcoin for Non-Believers, Cryptocurrencies for Cypherpunks
Trick or Treat?: Bitcoin for Non-Believers, Cryptocurrencies for CypherpunksTrick or Treat?: Bitcoin for Non-Believers, Cryptocurrencies for Cypherpunks
Trick or Treat?: Bitcoin for Non-Believers, Cryptocurrencies for Cypherpunks
 
Hidden Services, Zero Knowledge
Hidden Services, Zero KnowledgeHidden Services, Zero Knowledge
Hidden Services, Zero Knowledge
 
Anonymity in Bitcoin
Anonymity in BitcoinAnonymity in Bitcoin
Anonymity in Bitcoin
 
Midterm Confirmations
Midterm ConfirmationsMidterm Confirmations
Midterm Confirmations
 
Scripting Transactions
Scripting TransactionsScripting Transactions
Scripting Transactions
 
How to Live in Paradise
How to Live in ParadiseHow to Live in Paradise
How to Live in Paradise
 
Bitcoin Script
Bitcoin ScriptBitcoin Script
Bitcoin Script
 
Mining Economics
Mining EconomicsMining Economics
Mining Economics
 
Mining
MiningMining
Mining
 
The Blockchain
The BlockchainThe Blockchain
The Blockchain
 
Becoming More Paranoid
Becoming More ParanoidBecoming More Paranoid
Becoming More Paranoid
 
Asymmetric Key Signatures
Asymmetric Key SignaturesAsymmetric Key Signatures
Asymmetric Key Signatures
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to Cryptography
 
Class 1: What is Money?
Class 1: What is Money?Class 1: What is Money?
Class 1: What is Money?
 
Multi-Party Computation for the Masses
Multi-Party Computation for the MassesMulti-Party Computation for the Masses
Multi-Party Computation for the Masses
 
Proof of Reserve
Proof of ReserveProof of Reserve
Proof of Reserve
 
Silk Road
Silk RoadSilk Road
Silk Road
 
Blooming Sidechains!
Blooming Sidechains!Blooming Sidechains!
Blooming Sidechains!
 
Useful Proofs of Work, Permacoin
Useful Proofs of Work, PermacoinUseful Proofs of Work, Permacoin
Useful Proofs of Work, Permacoin
 

Recently uploaded

Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 

Recently uploaded (20)

Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 

System Calls

  • 2. Plan for Today: Access Control, User IDs, System Calls. Sign up for PS4 demos today! PS4 is due 11:59pm Sunday, 6 April
  • 3. Minimizing Magic (Class 1). It's all magic! Physics; Four Years Studying Computing at an Elite Public University. It's all understandable! (and I can do magical things!) Cool Computing Stuff
  • 4. Course Goal Reminder: Minimizing Magic (Class 1). It's all magic! Physics; Cool Computing Stuff; cs1110 cs2110 cs2150 cs2150 cs2330 cs3330 cs3102 cs4414 cs4610 cs4414 cs4414 electives
  • 5. Course Goal Reminder: Minimizing Magic (Class 1). It's all magic! Physics; Cool Computing Stuff; cs1110 cs2110 cs2150 cs2150 cs2330 cs3330 cs3102 cs4414 cs4610 cs4414 cs4414 electives. If you have any gaps left (other than synchronization primitives), post them in comments or email me.
  • 7. What’s wrong with Zhtta? Note: because of the way pathnames are handled, I think it is probably actually secure (except for links in www/).
  • 8. Why Might Letting Anyone Read Any File on your Machine Be a Bad Idea? LMGTFY
  • 9. This is serious: actually trying the passwords would be wrong and criminal.* * Just because someone “broadcasts” their password or uses laughable security, doesn’t mean the FBI considers it “authorized” access. Whether it is you or Google that is breaking the law in this case is unclear.
  • 11. Zhtta and Apache’s (Partial) Solution. In httpd.conf:
        DocumentRoot /home/evans/htdocs/
        Apache will only serve files in DocumentRoot’s subtree.
  • 12. Apache’s (Partial) Solution. In httpd.conf:
        DocumentRoot /home/evans/htdocs/
        <Directory />
          Options FollowSymLinks
        </Directory>
        Oops! Now it will follow symlinks inside DocumentRoot subtree to anywhere…
  • 13. Apache’s (Further) Solution. In httpd.conf:
        User #-1
        Apache starts running as root (uid = 0) to be able to listen on port 80, which is the default web port. By default, it switches to run as uid = -1 (“nobody”) when processing requests.
  • 14. bash-3.2$ ps aux | grep httpd
        dave 20926 0.0 0.0 2423356 208 p0 R+ 10:15PM 0:00.00 grep httpd
        _www 20923 0.0 0.0 2437400 700 ?? S 10:15PM 0:00.00 httpd
        root 20922 0.0 0.0 2437400 2376 ?? Ss 10:15PM 0:00.05 httpd
        # after one request
        bash-3.2$ ps aux | grep httpd
        dave 20934 0.0 0.0 2432768 620 p0 S+ 10:16PM 0:00.00 grep httpd
        _www 20932 0.0 0.0 2437400 700 ?? S 10:16PM 0:00.00 httpd
        _www 20931 0.0 0.0 2437400 700 ?? S 10:16PM 0:00.00 httpd
        _www 20930 0.0 0.0 2437400 896 ?? S 10:16PM 0:00.00 httpd
        _www 20923 0.0 0.0 2437400 1800 ?? S 10:15PM 0:00.01 httpd
        root 20922 0.0 0.0 2437400 2376 ?? Ss 10:15PM 0:00.05 httpd
  • 15. Access Control: How does the OS know whether or not the (effective) user can read a file?
  • 19. Size of File (bytes); Device ID; User ID; Group ID; File Mode (permission bits); Link count (number of hard links to node); …; Diskmap
  • 20. Access Control Matrix (rows: Users, columns: Files). Can Unix-like file system support this?
        Users | /alice/www/index.html | /dave/secrets.txt | /alice/secrets.txt
        root  | read, write           | read, write       | read, write
        dave  | read                  | read, write       | -
        www   | read                  | -                 | -
  • 23. http://lxr.free-electrons.com/source/include/linux/fs.h (Linux Version 3.14); include/linux/types.h#L18; short: at least 16 bits
  • 24. Unix File Mode Permission Bits: execute, write and read bits for each of owner, group and others, + 7 bits for other stuff: file/directory, symbolic link, etc. Modes shown: 666 644 000 755
  • 25. (Same ps aux output as slide 14.) How does Apache create processes running as different users?
  • 26. Changing Users
        int setuid(uid_t uid);
        real user id (ruid) = owner of the process
        effective user id (euid) = ID used in access control decisions
        saved user id (suid) = previous user ID that may be restored
  • 27. Using setuid. httpd (euid: 0 (root)) and its handler; request: HTTP GET ./../../../user/dave/secrets.txt
        pid_t handler = fork();
        if (handler == 0) {
            setuid(-1);
            …
        }
        fopen(pathname, "r")
        Error: secrets.txt not readable to user nobody
  • 28. Using setuid (same diagram as slide 27). Principle of Least Privilege: Running code should have as little power as possible to get the job done.
  • 31. Hao Chen, David Wagner, Drew Dean. Setuid Demystified. USENIX Security 2002
  • 32. Where should Apache httpd call setuid?
  • 33. gash> curl http://apache.mirrors.tds.net//httpd/httpd-2.4.9.tar.gz | tar xz
        gash> cd httpd-2.4.9/
        gash> find . -name "*.c" -print | xargs grep "setuid("
        ./modules/arch/unix/mod_privileges.c: if (cfg->uid && (setuid(ap_unixd_config.user_id) == -1)) {
        ./modules/arch/unix/mod_privileges.c: if (cfg->uid && (setuid(cfg->uid) == -1)) {
        ./modules/arch/unix/mod_unixd.c: setuid(ap_unixd_config.user_id) == -1)) {
        ./modules/arch/unix/mod_unixd.c: setuid(ap_unixd_config.user_id) == -1)) {
        ./os/bs2000/os.c:/* This routine complements the setuid() call: it causes the BS2000 job
        ./os/bs2000/os.c:/* BS2000 requires a "special" version of fork() before a setuid() call */
        ./os/unix/unixd.c:/* This routine complements the setuid() call: it causes the BS2000 job
        ./os/unix/unixd.c:/* BS2000 requires a "special" version of fork() before a setuid() call */
        ./server/mpm/prefork/prefork.c: /* BS2000 requires a "special" version of fork() before a setuid() call */
        ./support/suexec.c: * before we setuid().
        ./support/suexec.c: * setuid() to the target user. Error out on fail.
        ./support/suexec.c: if ((setuid(uid)) != 0) {
  • 34. in mod_privileges.c:
        /* if either user or group are not the default, restore them */
        if (cfg->uid || cfg->gid) {
            if (setppriv(PRIV_ON, PRIV_EFFECTIVE, priv_setid) == -1) {
                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02136)
                              "PRIV_ON failed restoring default user/group");
            }
            if (cfg->uid && (setuid(ap_unixd_config.user_id) == -1)) {
                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02137)
                              "Error restoring default userid");
            }
            if (cfg->gid && (setgid(ap_unixd_config.group_id) == -1)) {
                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02138)
                              "Error restoring default group");
            }
        }
  • 35. A few minutes ago… Apache’s (Further) Solution. In httpd.conf:
        User #-1
        Apache starts running as root (uid = 0) to be able to listen on port 80, which is the default web port. By default, it switches to run as uid = -1 (“nobody”) when processing requests.
  • 36. in mod_unixd.c:
        static int unixd_drop_privileges(apr_pool_t *pool, server_rec *s)
        {
            …
            /* Only try to switch if we're running as root */
            if (!geteuid() && (setuid(ap_unixd_config.user_id) == -1)) {
                rv = errno;
                ap_log_error(APLOG_MARK, APLOG_ALERT, errno, NULL, APLOGNO(02162)
                             "setuid: unable to change to uid: %ld",
                             (long) ap_unixd_config.user_id);
                return rv;
            }
  • 37. in support/suexec.c:
        … copyright and license
        /*
         * suexec.c -- "Wrapper" support program for suEXEC behaviour for Apache
         *
         ***********************************************************************
         *
         * NOTE! : DO NOT edit this code!!! Unless you know what you are doing,
         *         editing this code might open up your system in unexpected
         *         ways to would-be crackers. Every precaution has been taken
         *         to make this code as safe as possible; alter it at your own
         *         risk.
         *
         ***********************************************************************
         *
         *
         */
  • 38. /* setuid() to the target user. Error out on fail. */
        if ((setuid(uid)) != 0) {
            log_err("failed to setuid (%lu: %s)\n", (unsigned long)uid, cmd);
            exit(110);
        }
  • 39. /* setuid() to the target user. Error out on fail. */
        if ((setuid(uid)) != 0) {
            log_err("failed to setuid (%lu: %s)\n", (unsigned long)uid, cmd);
            exit(110);
        }
        …
        /* Stat the cwd and verify it is a directory, or error out. */
        if (((lstat(cwd, &dir_info)) != 0) || !(S_ISDIR(dir_info.st_mode))) {
            log_err("cannot stat directory: (%s)\n", cwd);
            exit(115);
        }
        …
  • 40. /* Error out if cwd is writable by others. */
        if ((dir_info.st_mode & S_IWOTH) || … {
            log_err("directory is writable by others: (%s)\n", cwd);
            exit(116);
        }
        /* Error out if we cannot stat the program. */
        if (((lstat(cmd, &prg_info)) != 0) || …) {
            log_err("cannot stat program: (%s)\n", cmd);
            exit(117);
        }
        /* Error out if the program is writable by others. */
        if ((prg_info.st_mode & S_IWOTH) || …) {
            log_err("file is writable by others: (%s/%s)\n", cwd, cmd);
            exit(118);
        }
        /* Error out if the file is setuid or setgid. */
        if ((prg_info.st_mode & S_ISUID) || (prg_info.st_mode & S_ISGID)) {
            log_err("file is either setuid or setgid: (%s/%s)\n", cwd, cmd);
            exit(119);
        }
        /*
         * Error out if the target name/group is different from
         * the name/group of the cwd or the program.
         */
        if ((uid != dir_info.st_uid) || …) {
            …
            exit(120);
        }
        /*
         * Error out if the program is not executable for the user.
         * Otherwise, she won't find any error in the logs except for
         * "[error] Premature end of script headers: ..."
         */
        if (!(prg_info.st_mode & S_IXUSR)) {
            log_err("file has no execute permission: (%s/%s)\n", cwd, cmd);
            exit(121);
        }
  • 41. /* Execute the command, replacing our image with its own. */
        ...
        execv(cmd, &argv[3]);
        /*
         * (I can't help myself...sorry.)
         *
         * Uh oh. Still here. Where's the kaboom? There was supposed to be an
         * EARTH-shattering kaboom!
         *
         * Oh well, log the failure and error out.
         */
        log_err("(%d)%s: exec failed (%s)\n", errno, strerror(errno), cmd);
        exit(255);
        }
  • 42. /*
         * suexec.c -- "Wrapper" support program for suEXEC behaviour for Apache
         ***********************************************************************
         *
         * NOTE! : DO NOT edit this code!!! Unless you know what you are doing,
         *         editing this code might open up your system in unexpected
         *         ways to would-be crackers. Every precaution has been taken
         *         to make this code as safe as possible; alter it at your own risk.
         */
        …
        if ((setuid(uid)) != 0) {
            log_err("failed to setuid (%lu: %s)\n", (unsigned long)uid, cmd);
            exit(110);
        }
        …
        /* Error out if the program is writable by others. */
        if ((prg_info.st_mode & S_IWOTH) || …) {
            log_err("file is writable by others: (%s/%s)\n", cwd, cmd);
            exit(118);
        }
        …
        /*
         * Error out if the program is not executable for the user.
         * Otherwise, she won't find any error in the logs except for
         * "[error] Premature end of script headers: ..."
         */
        if (!(prg_info.st_mode & S_IXUSR)) {
            log_err("file has no execute permission: (%s/%s)\n", cwd, cmd);
            exit(121);
        }
        …
        execv(cmd, &argv[3]);
        log_err("(%d)%s: exec failed (%s)\n", errno, strerror(errno), cmd);
        exit(255);
        }
  • 43. (Same suexec.c summary as slide 42.) Well done Apache!
  • 44. How is setuid implemented?
        if ((setuid(uid)) != 0) {
            log_err("failed to setuid (%lu: %s)\n", …);
            exit(110);
        }
  • 46. glibc/sysdeps/unix/sysv/linux/setuid.c:
        int
        __setuid (uid_t uid)
        {
          return INLINE_SETXID_SYSCALL (setuid, 1, uid);
        }
        #ifndef __setuid
        weak_alias (__setuid, setuid)
        #endif
  • 47. #define DO_CALL(syscall_name, args) \
          lea SYS_ify (syscall_name), %rax; \
          syscall
        glibc/sysdeps/unix/x86_64/sysdep.h
        int $0x80
        #define PSEUDO(name, syscall_name, args) \
        lose: \
          jmp JUMPTARGET(syscall_error) \
          .globl syscall_error; \
          ENTRY (name) \
          DO_CALL (syscall_name, args); \
          jb lose
        glibc/sysdeps/x86_64/sysdep.h
  • 48. Why can’t libc call directly into the kernel?
  • 49. Getting to the Kernel. httpd: setuid(uid); libc: setuid(); linux kernel: syscall; int 0x80: jumps into kernel code, sets supervisor mode
  • 51. Page 2213 of Intel x86 Manual: http://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-manual-325462.pdf Modern x86 Design: “APIC” = “Advanced PIC”
  • 52. Page 2213 of Intel x86 Manual: http://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-software-developer-manual-325462.pdf What should generate an “External Interrupt”? What should generate a “Local Interrupt”?
  • 56. Handling Syscall Interrupts. Diagram labels: CPU; Programmable Interrupt Controller (PIC)
        …
        lea SYS_setuid,%rax
        int $0x80
  • 59. Context Switch! httpd: setuid(uid); libc: setuid(); linux kernel: syscall; int 0x80: jumps into kernel code, sets supervisor mode
  • 60. linux-3.2.0/arch/x86/kernel/traps.c
        void __init trap_init(void)
        {
            …
            set_intr_gate(X86_TRAP_DE, &divide_error);
            set_intr_gate_ist(X86_TRAP_NMI, &nmi, NMI_STACK);
            …
            set_intr_gate(X86_TRAP_BR, &bounds);
            set_intr_gate(X86_TRAP_UD, &invalid_op);
            …
            /* Reserve all the builtin and the syscall vector: */
            for (i = 0; i < FIRST_EXTERNAL_VECTOR; i++)
                set_bit(i, used_vectors);
            set_system_intr_gate(IA32_SYSCALL_VECTOR, ia32_syscall);
            set_bit(IA32_SYSCALL_VECTOR, used_vectors);
            …
            cpu_init();
  • 61. linux-3.2.0/arch/x86/kernel/traps.c (same trap_init() excerpt as slide 60), followed by:
        gash> find . -name "*.h" -print | xargs grep "IA32_SYSCALL_VECTOR"
        ./arch/x86/include/asm/irq_vectors.h:#define IA32_SYSCALL_VECTOR 0x80
  • 62. linux-3.2.0/kernel/sys.c
        SYSCALL_DEFINE1(setuid, uid_t, uid)
        {
            const struct cred *old;
            struct cred *new;
            int retval;
            new = prepare_creds();
            if (!new)
                return -ENOMEM;
            old = current_cred();
            retval = -EPERM;
  • 63.     …
            if (nsown_capable(CAP_SETUID)) {
                new->suid = new->uid = uid;
                if (uid != old->uid) {
                    retval = set_user(new);
                    if (retval < 0)
                        goto error;
                }
            } else if (uid != old->uid && uid != new->suid) {
                goto error;
            }
            ...
            new->fsuid = new->euid = uid;
            retval = security_task_fix_setuid(new, old, LSM_SETID_ID);
            if (retval < 0)
                goto error;
            return commit_creds(new);
        error:
            abort_creds(new);
            return retval;
        }
  • 64. /**
         * commit_creds - Install new credentials upon the current task
         * @new: The credentials to be assigned
         *
         * Install a new set of credentials to the current task, using RCU to replace
         * the old set. Both the objective and the subjective credentials pointers are
         * updated. This function may not be called if the subjective credentials are
         * in an overridden state.
         *
         * This function eats the caller's reference to the new credentials.
         *
         * Always returns 0 thus allowing this function to be tail-called at the end
         * of, say, sys_setgid().
         */
        int commit_creds(struct cred *new)
        {
            …
  • 65. int commit_creds(struct cred *new)
        {
            struct task_struct *task = current;
            /* do it
             * RLIMIT_NPROC limits on user->processes have already been checked
             * in set_user().
             */
            alter_cred_subscribers(new, 2);
            if (new->user != old->user)
                atomic_inc(&new->user->processes);
            rcu_assign_pointer(task->real_cred, new);
            rcu_assign_pointer(task->cred, new);
            if (new->user != old->user)
                atomic_dec(&old->user->processes);
            alter_cred_subscribers(old, -2);
            …
  • 66. Back to Apache. httpd: setuid(uid); libc: setuid(); linux kernel: syscall; int 0x80: jumps into kernel code, sets supervisor mode
  • 67. Project Idea? Make system calls work in IronKernel
  • 68. Charge: Sign up for PS4 demos today! PS4 is due 11:59pm Sunday, 6 April. When writing security-sensitive code, emulate Apache’s suEXEC, not glibc or the Linux kernel. (Note: any code that runs on the Internet is “security-sensitive”.)
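The credential rules in the kernel setuid() excerpt (slides 62 and 63), modelled in user space to show why the root httpd's drop is permanent while the same call from an unprivileged setuid program is not. This is an added example, not code from the slides or from the Linux source; it assumes CAP_SETUID is held exactly when euid is 0, and the uid values 70 and 501 are constructed.

```c
#include <errno.h>
#include <stdio.h>

/* The three user IDs from the "Changing Users" slide. */
struct cred_model {
    unsigned ruid; /* real uid: owner of the process */
    unsigned euid; /* effective uid: used in access control decisions */
    unsigned suid; /* saved uid: previous ID that may be restored */
};

/* Constructed sample uids (assumptions, not taken from the slides). */
enum { UID_ROOT = 0, UID_WWW = 70, UID_DAVE = 501 };

/*
 * Model of the setuid() logic in the linux-3.2.0/kernel/sys.c excerpt.
 * Assumption: the process holds CAP_SETUID exactly when euid == 0.
 * Returns 0 on success, -EPERM when the kernel would refuse.
 */
int model_setuid(struct cred_model *c, unsigned uid)
{
    if (c->euid == UID_ROOT) {
        /* privileged branch: new->suid = new->uid = uid */
        c->ruid = uid;
        c->suid = uid;
    } else if (uid != c->ruid && uid != c->suid) {
        /* unprivileged: only the real or the saved uid may be chosen */
        return -EPERM;
    }
    c->euid = uid; /* new->fsuid = new->euid = uid */
    return 0;
}

/* Returns 1 if, after setuid(target), the old effective uid is out of reach. */
int drop_is_permanent(struct cred_model c, unsigned target)
{
    unsigned old_euid = c.euid;

    if (model_setuid(&c, target) != 0)
        return 0; /* the drop itself failed */
    return model_setuid(&c, old_euid) == -EPERM;
}

int main(void)
{
    /* httpd started by root, switching to the web user. */
    struct cred_model httpd = { UID_ROOT, UID_ROOT, UID_ROOT };
    /* A program owned by the web user with the setuid bit, run by dave. */
    struct cred_model setuid_www = { UID_DAVE, UID_WWW, UID_WWW };
    /* A root-owned setuid program run by dave. */
    struct cred_model setuid_root = { UID_DAVE, UID_ROOT, UID_ROOT };

    printf("root httpd -> www permanent:      %d\n",
           drop_is_permanent(httpd, UID_WWW));
    printf("setuid-www -> dave permanent:     %d\n",
           drop_is_permanent(setuid_www, UID_DAVE));
    printf("setuid-root -> dave permanent:    %d\n",
           drop_is_permanent(setuid_root, UID_DAVE));
    return 0;
}
```

In the unprivileged case the saved uid is left untouched, so the old effective uid can be restored; a program relying on setuid() to give up privileges must confirm it can no longer get them back.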