CS 571 Operating Systems. Final Review. Angelos Stavrou, George Mason University

Size: px

Start display at page:

Download "CS 571 Operating Systems. Final Review. Angelos Stavrou, George Mason University"

Jade Warren
5 years ago
Views:

1 CS 571 Operating Systems Final Review Angelos Stavrou, George Mason University

2 Mechanics 2 4:30pm 7:00pm, Monday, Dec 14th, in Innovation Hall, room 223 Same style of questions as the midterm I m not asking you to write programs Theory closed books Programming you can ask questions but not browse the Internet, Chat or collaborate Please don t even attempt to cheat it will not help you and you can get dismissed

3 Material 3 Bulk of the final covers material after midterm Memory management, file systems, security, VMMs Some material on concurrency, synchronization Synch primitives, synch problems Similar style to midterm If it s in my slides or I said it in class, you re responsible for it There may be some questions based on the Project You re responsible for the assigned Labs and homework at about the level of class coverage.

4 Memory Management 4 Why is memory management useful? Why do we have virtual memory if it is so complex? What are the mechanisms for implementing MM? Physical and virtual addressing Partitioning, paging, and segmentation Page tables, TLB What are the policies related to MM? Page replacement What are the overheads related to providing memory management?

5 Abstracting Memory 5 What is the difference between a physical and virtual address? What is the difference between fixed and variable partitioning? How do base and limit registers work? What is internal fragmentation? What is external fragmentation? What is a protection fault?

6 Paging 6 How is paging different from partitioning? What are the advantages/disadvantages of paging? What are page tables? What are page table entries (PTE)? Know how to break down virtual addresses into page numbers, offset I might ask you to figure out sizes of page tables, offsets, caching times, hit ratio, etc.

7 Page Table Entries 7 What is a page table entry? What are all of the PTE bits used for? Modify Reference Valid Protection What are the memory management issues and challenges?

8 Segmentation 8 What is segmentation? How does it compare/contrast with paging? What are its advantages/disadvantages with respect to partitioning, paging? What is a segment table? How can paging and segmentation be combined?

9 Page Tables Performance 9 Page tables introduce overhead Space for storing them Time to use them for translation What techniques can be used to reduce their overhead? How do two-level (multi-level) page tables work?

10 TLBs 10 What problem does the TLB solve? How do TLBs work? Why are TLBs effective? How are TLBs managed? What happens on a TLB miss fault? What is the difference between a hardware and software managed TLB?

11 Page Faults 11 What is a page fault? How is it used to implement demand paged virtual memory? What is the complete sequence of steps, from a TLB miss to paging in from disk, for translating a virtual address to a physical address? What is done in hardware, what is done in software?

12 Page Replacement 12 What is the purpose of the page replacement algorithm? What application behavior does page replacement try to exploit? When is the page replacement algorithm used? Different replacement algorithms Belady s (optimal), FIFO, LRU, Approximate LRU, LRU Clock, Working Set, Page Fault Frequency What is Belady s anomaly? thrashing?

13 File Systems 13 Topics Files Directories Sharing Protection Layouts Buffer Cache What is a file system? Why are file systems useful (why do we have them)?

14 Files & Directories 14 What is a file? What operations are supported? What characteristics do they have? What are file access methods? What is a directory? What are they used for? How are the implemented? What is a directory entry? How are directories used to do path name translation

15 File System Security & Protection 15 What is file protection used for? How is it implemented? What are access control lists (ACLs)? What are capabilities? What are the advantages/disadvantages of each?

16 File System Design 16 What are file system layouts used for? What are the general strategies? Contiguous, linked, indexed? What are the tradeoffs for those strategies? How do those strategies reflect file access methods? What is an inode? How are inodes different from directories? How are inodes and directories used to do path resolution, find files?

17 File System Design 17 What is the file buffer cache, and why do operating systems use one? λ What is the difference between caching reads and caching writes? λ What are the tradeoffs of using memory for a file buffer cache vs. VM?

18 Network File Systems 18 What is RPC, and how is it implemented? What is a stub compiler? Interface? What is NFS, how does it relate to file systems and RPC? How does NFS bind clients to servers? What does it mean for NFS servers to be stateless?

19 Security 19 Computer Security Techniques for computing in the presence of adversaries Three categories of security goals Confidentiality: preventing unauthorized release of info Integrity: preventing unauthorized modification of info Availability: preventing Denial of Service (DoS) attacks Protection is about providing all three on a single machine» Usually considered the responsibility of the OS» Could also be runtime (e.g., verification in JVM) Cryptography Techniques for communicating even in the presence of adversaries Good for link-level protection No silver bullet: Key-management the weak point

20 Principle: Least Privilege 20 Figure out exactly which capabilities a program needs to run, and grant it only those Unix Not always easy, but one algorithm: start with granting none, run and see where it breaks, add new privileges, repeat Good example: Should not normally run as root to prevent against accidents Bad example: Some programs run as root just to get a small privilege, such as using a port < 1024 (privileged port) E.g., ftpd Exploit these programs, and you get root access to system Running under a unprivileged user Containing the services to a small subset of capabilities

21 Least Common Mechanism 21 Be very careful integrating shared or reused code Assumptions made may no longer be valid in current context Counter example: Outlook and Internet Explorer Windows exports an API to IE s HTML rendering code Outlook and other programs use this to display HTML in By default, JavaScript and Java parsing are enabled HTML rendering code knows Java(Script) is unsafe Disables it when JavaScript is downloaded from Internet Only enables it when loaded from trusted sources Your own file system is trusted But is spooled on disk...

22 Complete Mediation 22 Check every access to every object Of course, this introduces overhead So, implementers try to get away with less (caching) But only when nothing relevant in environment has changed Counter example: NFS and file handles Client contacts remote mountd to get a file handle to a remotely exported NFS file system Remote mountd checks access control at mount time File handle is a capability: client presents it to read/write file Client responsible for enforcing per-file restrictions An eavesdropper can sniff file handle and access file system

23 ToCtToU 23 Time of Check to Time of Use Check permissions as close as possible to action Complete mediation gets even tougher with multiprogramming Attacker can execute concurrently with TCB Improper synchronization can lead to race conditions Period between verifying authorization and execution is a critical section Why is ToCtToU important? Parallel Multiprogramming/Mult-processing Cluster Systems Does this remind you of locking of shared objects?

24 ToCtToU 24 Time of Check to Time of Use Counter example: set-uid UNIX programs Many utilities run with effective ID of root; allows regular users to perform super-user actions. May also access user s files if (access(filename, W_OK) == 0) { if ((fd = open(filename, O_WRONLY)) == NULL) { return (0); } // Access file

25 Deny by Default 25 Deny all access first, then allow only that which has been explicitly permitted Oversights will then show up as false negatives Somebody is denied access who should have it They will complain. Opposites lead to false positives Somebody is given access that shouldn t get it Not much incentive to report this kind of failure Counter examples SunOS shipped with + in /etc/hosts.equiv Essentially lets anyone login as any local user to host Irix shipped with xhost + Any remote client can connect to local X server

26 (In-)Security through Obscurity 26 Security through obscurity Attempting to gain security by hiding implementation details Claim: A secure system should be secure even if all implementation details are published In fact, systems become more secure as people examine and check the implementation details and find flaws Rely on mathematics and sound design to provide security Many well-published algorithms are still secure (e.g., SSL) Counter example: GSM cell phones GSM committee designed their own crypto algorithm, but hid it from the world Social engineering + reverse engineering revealed the algorithm Turned out to be relatively weak, easy to subvert

27 Types of Virtualization 27 Emulation VM emulates/simulates complete hardware Unmodified guest OS for a different PC can be run Bochs, VirtualPC for Mac, QEMU, Virtualbox, Vmware Workstation Full/native Virtualization VM simulates enough hardware to allow an unmodified guest OS to be run in isolation Same hardware CPU IBM VM family, VMWare Workstation, Parallels,

28 Types of Virtualization (Cont.) 28 Para-virtualization VM does not simulate hardware Use special API that a modified guest OS must use Hypercalls trapped by the Hypervisor and serviced Xen, VMWare ESX Server

29 Virtualization for x86 29 Ease of virtualization influenced by the architecture x86 is perhaps the last architecture you would choose But it s what everyone uses, so that s what we deal with Issues Unvirtualizable events popf does not trap when it cannot modify system flags Hardware-managed TLB VMM cannot easily interpose on a TLB miss (more in a bit) Untagged TLB Have to flush on context switches (just a performance issue) Why Intel and AMD have added virtualization support

30 What to Virtualize 30 Exactly what you would expect CPU Events (exceptions and interrupts) Memory I/O devices Isn t this just duplicating OS functionality in a VMM? Yes and no Approaches will be similar to what we do with Oses Simpler in functionality, though (VMM much smaller than OS) But implements a different abstraction Hardware interface vs. OS interface

31 CPU Virtualization 31 VMM needs to multiplex VMs on CPU How? Just as you would expect Timeslice the VMs Each VM will timeslice its OS/applications during its quantum Typically relatively simple scheduler Round robin, work-conserving (give unused quantum to other VMs)

32 Virtualizing Events & I/O 32 VMM receives interrupts, exceptions Needs to vector to appropriate VM Craft appropriate handler invocation, emulate event registers OSes can no longer interact directly with I/O devices VMWare Workstation: generic devices only (hosted) E.g., AMD Lance chipset/pcnet Ethernet device Load driver into OS in VM, OS uses it normally Driver knows about VMM, cooperates to pass the buck to a real device driver (e.g., on underlying host OS) VMware ESX Server: drivers run in VMM (hypervisor)

33 33 Virtualization Attacks Root Partition Guest Partitions Virtualization Stack WMI Provider VM Worker Processes Guest Applications Server Core Windows Kernel Virtualization Service Device Providers Drivers (VSPs) Virtualization Service Clients (VSCs) VMBus OS Kernel Enlightenments Hypervisor Server Hardware

34 Security Assumptions 34 Guests are untrusted Root must be trusted by hypervisor; parent must be trusted by children. Code will run in all available processor modes, rings, and segments Hypercall interface will be well documented and widely available to attackers. All hypercalls can be attempted by guests Can detect you are running on a hypervisor We ll even give you the version The internal design of the hypervisor will be well understood

35 Virtualizing Memory 35 OSes assume they have full control over memory Managing it: OS assumes it owns it all Mapping it: OS assumes it can map any virtual page to any physical page But VMM partitions memory among VMs VMM needs to assign hardware pages to VMs VMM needs to control mappings for isolation Cannot allow an OS to map a virtual page to any hardware page OS can only map to a hardware page given to it by the VMM Hardware-managed TLBs make this difficult When the TLB misses, the hardware automatically walks the page tables in memory As a result, VMM needs to control access by OS to page tables

36 Shadow Page Tables 36 Three abstractions of memory Machine: actual hardware memory 2 GB of DRAM Physical: abstraction of hardware memory managed by OS If a VMM allocates 512 MB to a VM, the OS thinks the computer has 512 MB of contiguous physical memory (Underlying machine memory may be discontiguous) Virtual: virtual address spaces you know and love Standard 2 32 address space In each VM, OS creates and manages page tables for its virtual address spaces without modification But these page tables are not used by the MMU hardware

37 Parting Notes 37 I will have extended office hours this week: 4 6pm, Research I, room 437 also works Remember that it is most important to get the most out of the class Good Luck with your final!

CSE 120 Principles of Operating Systems

CSE 120 Principles of Operating Systems Spring 2018 Lecture 16: Virtual Machine Monitors Geoffrey M. Voelker Virtual Machine Monitors 2 Virtual Machine Monitors Virtual Machine Monitors (VMMs) are a hot