Trinity A Linux kernel fuzz tester.

Size: px
Start display at page:

Download "Trinity A Linux kernel fuzz tester."

Transcription

1 Trinity A Linux kernel fuzz tester. Presented by Dave Jones Red Hat. Slides license: CC-BY-SA

2 Syscall fuzzing.

3 A short history lesson.. Completely random. Circa 1991: Tsys. SVR4 Circa 2001: kg_crashme.

4 A short history lesson.. More intelligent. 2005: Ilja van Sprundel: 'sysfuzz' 2006: Clement LECIGNE: netusse 2006: 'scrashme' begins. Malformed, but good enough arguments.

5 A short history lesson.. Current state of the art. 2010: scrashme becomes 'Trinity'. 2010: Tavis Ormandy: iknowthis. A mix of malformed and plausible arguments.

6 How it works..

7 Trinity architecture. Give syscalls what they expect. Annotations. 'Address', 'length', 'file descriptor', 'filename'... Generic fuzz routines based on arg type. Generate 'things' on startup. Multi-process fuzzing using 'things'. Shared mmap between children.

8 Process model. Startup Main loop. Watchdog Child1 Child2 Child3 Child4

9 Watchdog. Keeps track of child progress. SIGKILL if 'stuck' Sanity check shm.

10 Types ARG_RANDOM_INT ARG_FD ARG_LEN ARG_ADDRESS ARG_NON_NULL_ADDRESS ARG_PID ARG_RANGE ARG_OP ARG_LIST ARG_RANDPAGE ARG_CPU ARG_PATHNAME ARG_IOVEC ARG_IOVECLEN ARG_SOCKADDR ARG_SOCKADDR_LEN

11 Syscall annotation example. struct syscall syscall_mmap = {.name = "mmap",.num_args = 6,.arg1name = "addr",.arg1type = ARG_ADDRESS,.arg2name = "len",.arg2type = ARG_LEN,.arg3name = "prot",.arg3type = ARG_LIST,.arg3list = {.num = 4,.values = { PROT_READ, PROT_WRITE, PROT_EXEC, PROT_SEM }, },.arg4name = "flags",.arg4type = ARG_OP,.arg4list = {.num = 2,.values = { MAP_SHARED, MAP_PRIVATE }, },.arg5name = "fd",.arg5type = ARG_FD,.arg6name = "off",.arg6type = ARG_LEN, };.sanitise = sanitise_mmap,

12 .sanitise routines. void sanitise_mmap(int childno) { /* no fd if anonymous mapping. */ if (shm->a4[childno] & MAP_ANONYMOUS) shm->a5[childno] = -1; } /* page align non-anonymous mappings. */ if (shm->a4[childno] & MAP_ANONYMOUS) shm->a6[childno] &= PAGE_MASK; else shm->a6[childno] = 0;

13 Interesting numbers. Instead of completely random numbers.. 0x x Rand() % 256; 0x00000fff // x // x // x x0000ffff 0x x x7fffffff 0x x x8fffffff 0xc xf xff xffff0000 0xffffe000 0xffffff00 (rand() % 256); 0xffffffff;

14 More interesting numbers.. Addresses. 0x ; 0x7fffffff ; 0x ; 0xffffffff ; 0x low; 0x00007fffffffffff; // x86-64 canonical addr end. 0x ; // First x86-64 non-canonical addr 0xffff (low << 4); // x86-64 canonical range 2 begin 0x7fffffff low; 0x low; 0xffff (low << 4); // x86-64 PAGE_OFFSET 0xffffffff (low & 0xffffff); // x86-64 kernel text 0xffffffffa (low & 0xffffff); // x86-64 module space 0xffffffffff (low & 0x0fffff); // x86-64 vdso

15 Struct fabrication. Struct size parameter checks or EINVAL Sockaddr Needs knowledge of every protocol. static void gen_ipv4(unsigned long *addr, unsigned long *addrlen) { struct sockaddr_in *ipv4; ipv4 = malloc(sizeof(struct sockaddr_in)); if (ipv4 == NULL) return; } ipv4->sin_family = PF_INET; ipv4->sin_addr.s_addr = random_ipv4_address(); ipv4->sin_port = rand() % 65535; *addr = (unsigned long) ipv4; *addrlen = sizeof(struct sockaddr_in);

16 Self Protection. Check addresses when passing them to syscalls Blocking syscalls. Trapping signals.

17 Mo' problems..

18 Did I break the fuzzer? Proving absence of kernel bug after fix.

19 Over-sanitising void sanitise_tee(int childno) { if ((rand() % 10) > 0) { shm->a1[childno] = shm->pipe_fds[rand() % MAX_PIPE_FDS]; shm->a2[childno] = shm->pipe_fds[rand() % MAX_PIPE_FDS]; } }

20 Multiplexed syscalls. Socketcall calls other syscalls. Fcntl, others...

21 Avoiding OOM. Leaks! Tracking allocations.

22 Reproducability. Periodic reseeding. System state on startup. Corrupting state.

23 The results..

24 Results: Over 150 bugs found last year. +more by others. Bugs in new code found very quickly. Once discovered, bugs usually are repeatable Bugs tend to mask other bugs.

25 Types of bugs found. Not just syscall code! Lots of networking bugs. VM bugs. Drivers.

26 Types of bugs found. Very old bugs. (Oldest: Nov setsockopt) only libfoo calls this mempolicy: (bug lifetime: 4+ years) VM under stress corner cases. page_alloc failures. OOM killer bugs.

27 Types of bugs found. CVE fix that needed a CVE. Error path memory leaks. Poor coverage tested code (Weirdo network protocols) Clearly untested code. Broken locks (ATM/BKL)

28 Types of bugs found. Hardware bugs. Marginal hardware shows up faults quickly under load. SMI handlers.

29 Types of bugs found. Trinity can break userspace too! trinity -c execve -V /bin

30 What next?

31 Next? Extending existing code New syscall support. More.sanitise routines. (currently just 10%) More struct fabrication. Lots to do here. More network protocol support. Most protos already done, but need improving. More flags for ARG_OP/ARG_LIST

32 Next? Syscall chains. Destructors. Root mode.

33 Ioctl Worst interface known to man. int ioctl(int fd, int request,...); The second argument is a device-dependent request code. The third argument is an untyped pointer to memory. request has encoded in it whether the argument is an in parameter or out parameter, and the size of the argument argp in bytes Need to annotate every ioctl. Pass down correct structures to right fd. Need to be very careful.

34 Demo time!

35 Questions? Contact: Slides license: CC-BY-SA

Fault Injection in System Calls

Fault Injection in System Calls Fault Injection in System Calls Angelo Haller 2015-05-28 Fault Injection in System Calls 1 Angelo Haller 1 Why System Calls? 2 Trinity Bugs Found Inner Workings Fuzzing Process 3 Demo Annotated System

More information

Perf: From Profiling to Kernel Mobile Threat Response Team

Perf: From Profiling to Kernel Mobile Threat Response Team Perf: From Profiling to Kernel Exploiting @Wish_Wu Mobile Threat Response Team 0 The Perf Performance counters: = hardware features (CPU/PMU, Performance Monitoring Unit) + software features (software

More information

Applications of. Virtual Memory in. OS Design

Applications of. Virtual Memory in. OS Design Applications of Virtual Memory in OS Design Nima Honarmand Introduction Virtual memory is a powerful level of indirection Indirection: IMO, the most powerful concept in Computer Science Fundamental Theorem

More information

Virtual Memory: Systems

Virtual Memory: Systems Virtual Memory: Systems 5-23: Introduction to Computer Systems 8 th Lecture, March 28, 27 Instructor: Franz Franchetti & Seth Copen Goldstein Recap: Hmmm, How Does This Work?! Process Process 2 Process

More information

Lab 09 - Virtual Memory

Lab 09 - Virtual Memory Lab 09 - Virtual Memory Due: November 19, 2017 at 4:00pm 1 mmapcopy 1 1.1 Introduction 1 1.1.1 A door predicament 1 1.1.2 Concepts and Functions 2 1.2 Assignment 3 1.2.1 mmap copy 3 1.2.2 Tips 3 1.2.3

More information

Outline. 1 Details of paging. 2 The user-level perspective. 3 Case study: 4.4 BSD 1 / 19

Outline. 1 Details of paging. 2 The user-level perspective. 3 Case study: 4.4 BSD 1 / 19 Outline 1 Details of paging 2 The user-level perspective 3 Case study: 4.4 BSD 1 / 19 Some complications of paging What happens to available memory? - Some physical memory tied up by kernel VM structures

More information

CMSC 412 Project #4 Virtual Memory Due Friday April 11, 2014, at 5:00pm

CMSC 412 Project #4 Virtual Memory Due Friday April 11, 2014, at 5:00pm CMSC 412 Project #4 Virtual Memory Due Friday April 11, 2014, at 5:00pm Overview Introduction The purpose of this project is to add paging to your GeekOS kernel. This will require many small, but difficult,

More information

API 퍼징을통한취약점탐지 카이스트 차상길

API 퍼징을통한취약점탐지 카이스트 차상길 API 퍼징을통한취약점탐지 카이스트 차상길 API Fuzzing? void foo(int x) // This is an API function { // (side-effect-free) //... } void fuzz() { while (1) { foo(rand()); } } // Fuzzer MAIN Found a crash in foo when x = 42

More information

Processes and Threads

Processes and Threads Process Processes and Threads A process is an abstraction that represent an executing program A program in execution An instance of a program running on a computer The entity that can be assigned to and

More information

CMPSC 311 Exam 2. March 27, 2015

CMPSC 311 Exam 2. March 27, 2015 Name: Section: 11:15 1:25 CMPSC 311 Exam 2 March 27, 2015 Closed book, closed neighbor, no electronic tools or additional papers. You may not share or discuss exam questions with anyone. 1 Short Questions

More information

Dissecting a 17-year-old kernel bug

Dissecting a 17-year-old kernel bug Dissecting a 17-year-old kernel bug Vitaly Nikolenko bevx 2018 - Hong Kong https://www.beyondsecurity.com/bevxcon/ Agenda Vulnerability analysis CVE-2018-6554^ - memory leak CVE-2018-6555^ - privilege

More information

Princeton University. Computer Science 217: Introduction to Programming Systems. Dynamic Memory Management

Princeton University. Computer Science 217: Introduction to Programming Systems. Dynamic Memory Management Princeton University Computer Science 217: Introduction to Programming Systems Dynamic Memory Management 1 Agenda The need for DMM DMM using the heap section DMMgr 1: Minimal implementation DMMgr 2: Pad

More information

ECE 650 Systems Programming & Engineering. Spring 2018

ECE 650 Systems Programming & Engineering. Spring 2018 ECE 650 Systems Programming & Engineering Spring 2018 Inter-process Communication (IPC) Tyler Bletsch Duke University Slides are adapted from Brian Rogers (Duke) Recall Process vs. Thread A process is

More information

File Systems: Consistency Issues

File Systems: Consistency Issues File Systems: Consistency Issues File systems maintain many data structures Free list/bit vector Directories File headers and inode structures res Data blocks File Systems: Consistency Issues All data

More information

ECEN 449 Microprocessor System Design. Review of C Programming. Texas A&M University

ECEN 449 Microprocessor System Design. Review of C Programming. Texas A&M University ECEN 449 Microprocessor System Design Review of C Programming 1 Objectives of this Lecture Unit Review C programming basics Refresh programming skills 2 Basic C program structure # include main()

More information

Tutorial 1: C-Language

Tutorial 1: C-Language Tutorial 1: C-Language Problem 1: Data Type What are the ranges of the following data types? int 32 bits 2 31..2 31-1 OR -2147483648..2147483647 (0..4294967295 if unsiged) in some machines int is same

More information

CSCE 548 Building Secure Software Dirty COW Race Condition Attack

CSCE 548 Building Secure Software Dirty COW Race Condition Attack CSCE 548 Building Secure Software Dirty COW Race Condition Attack Professor Lisa Luo Spring 2018 Outline Dirty COW vulnerability Memory Mapping using mmap() Map_shared, Map_Private Mapping Read-Only Files

More information

CAN STRACE MAKE YOU FAIL?

CAN STRACE MAKE YOU FAIL? CAN STRACE MAKE YOU FAIL? Nahim El Atmani @brokenpi_pe July 15, 2016 1 DEFINITION 1.0 strace is a diagnostic, debugging and instructional userspace utility for Linux. It is used to monitor interactions

More information

System Calls and Signals: Communication with the OS. System Call. strace./hello. Kernel. Context Switch

System Calls and Signals: Communication with the OS. System Call. strace./hello. Kernel. Context Switch System Calls and Signals: Communication with the OS Jonathan Misurda jmisurda@cs.pitt.edu System Call An operation (function) that an OS provides for running applications to use CS 1550 2077 strace./hello

More information

ECEN 449 Microprocessor System Design. Review of C Programming

ECEN 449 Microprocessor System Design. Review of C Programming ECEN 449 Microprocessor System Design Review of C Programming 1 Objectives of this Lecture Unit Review C programming basics Refresh es programming g skills s 2 1 Basic C program structure # include

More information

CSE 124 Discussion Section Sockets Programming 10/10/17

CSE 124 Discussion Section Sockets Programming 10/10/17 CSE 124 Discussion Section Sockets Programming 10/10/17 Topics What s a socket? Creating a socket Connecting a socket Sending data Receiving data Resolving URLs to IPs Advanced socket options Live code

More information

Princeton University Computer Science 217: Introduction to Programming Systems. Dynamic Memory Management

Princeton University Computer Science 217: Introduction to Programming Systems. Dynamic Memory Management Princeton University Computer Science 217: Introduction to Programming Systems Dynamic Memory Management 1 Goals of this Lecture Help you learn about: The need for dynamic* memory mgmt (DMM) Implementing

More information

Introduction to Linux, for Embedded Engineers Tutorial on Virtual Memory. Feb. 22, 2007 Tetsuyuki Kobayashi Aplix Corporation. [translated by ikoma]

Introduction to Linux, for Embedded Engineers Tutorial on Virtual Memory. Feb. 22, 2007 Tetsuyuki Kobayashi Aplix Corporation. [translated by ikoma] Introduction to Linux, for Embedded Engineers Tutorial on Virtual Memory Feb. 22, 2007 Tetsuyuki Kobayashi Aplix Corporation [translated by ikoma] 1 Target Audience of this Presentation People who have

More information

Foundations of Computer Systems

Foundations of Computer Systems 8-6 Foundations of Computer Systems Lecture 5: Virtual Memory Concepts and Systems October 8, 27 8-6 SE PL OS CA Required Reading Assignment: Chapter 9 of CS:APP (3 rd edition) by Randy Bryant & Dave O

More information

CLIENT-SIDE PROGRAMMING

CLIENT-SIDE PROGRAMMING CLIENT-SIDE PROGRAMMING George Porter Apr 11, 2018 ATTRIBUTION These slides are released under an Attribution-NonCommercial-ShareAlike 3.0 Unported (CC BY-NC-SA 3.0) Creative Commons license These slides

More information

libnetfilter_log Reference Manual

libnetfilter_log Reference Manual libnetfilter_log Reference Manual x.y Generated by Doxygen 1.4.6 Tue Mar 21 13:47:12 2006 CONTENTS 1 Contents 1 libnetfilter_log File Index 1 2 libnetfilter_log File Documentation 1 1 libnetfilter_log

More information

Virtual Memory. Alan L. Cox Some slides adapted from CMU slides

Virtual Memory. Alan L. Cox Some slides adapted from CMU slides Alan L. Cox alc@rice.edu Some slides adapted from CMU 5.23 slides Objectives Be able to explain the rationale for VM Be able to explain how VM is implemented Be able to translate virtual addresses to physical

More information

TIP675-SW-82. Linux Device Driver. 48 TTL I/O Lines with Interrupts Version 1.2.x. User Manual. Issue November 2013

TIP675-SW-82. Linux Device Driver. 48 TTL I/O Lines with Interrupts Version 1.2.x. User Manual. Issue November 2013 The Embedded I/O Company TIP675-SW-82 Linux Device Driver 48 TTL I/O Lines with Interrupts Version 1.2.x User Manual Issue 1.2.5 November 2013 TEWS TECHNOLOGIES GmbH Am Bahnhof 7 25469 Halstenbek, Germany

More information

TCP: Three-way handshake

TCP: Three-way handshake Sockets in C 1 Sockets in C The slides by themselves will not be sufficient to learn how to write socket code. If you did not attend class, then you will want to review the relevant chapters in Kerrisk

More information

Page Which had internal designation P5

Page Which had internal designation P5 Intel P6 Internal Designation for Successor to Pentium Which had internal designation P5 Fundamentally Different from Pentium 1 Out-of-order, superscalar operation Designed to handle server applications

More information

Having fun with apple s IOKit. Ilja van sprundel

Having fun with apple s IOKit. Ilja van sprundel Having fun with apple s IOKit Ilja van sprundel who am I Ilja van sprundel IOActive netric blogs.23.nu/ilja Introduction what is the IOKit why UserClients entry points marshaling

More information

CSC209H Lecture 9. Dan Zingaro. March 11, 2015

CSC209H Lecture 9. Dan Zingaro. March 11, 2015 CSC209H Lecture 9 Dan Zingaro March 11, 2015 Socket Programming (Kerrisk Ch 56, 57, 59) Pipes and signals are only useful for processes communicating on the same machine Sockets are a general interprocess

More information

Project 2-1 User Programs

Project 2-1 User Programs Project 2-1 User Programs Prof. Jin-Soo Kim ( jinsookim@skku.edu) T.A. Sejun Kwon (sejun000@csl.skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu Supporting User Programs

More information

User Programs. Computer Systems Laboratory Sungkyunkwan University

User Programs. Computer Systems Laboratory Sungkyunkwan University Project 2: User Programs Jin-Soo Kim (jinsookim@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu Supporting User Programs What should be done to run user programs? 1. Provide

More information

The Embedded I/O Company TIP700-SW-82 Linux Device Driver User Manual TEWS TECHNOLOGIES GmbH TEWS TECHNOLOGIES LLC

The Embedded I/O Company TIP700-SW-82 Linux Device Driver User Manual TEWS TECHNOLOGIES GmbH TEWS TECHNOLOGIES LLC The Embedded I/O Company TIP700-SW-82 Linux Device Driver Digital Output 24V DC Version 1.2.x User Manual Issue 1.2.1 February 2009 TEWS TECHNOLOGIES GmbH Am Bahnhof 7 Phone: +49 (0) 4101 4058 0 25469

More information

1 Do not confuse the MPU with the Nios II memory management unit (MMU). The MPU does not provide memory mapping or management.

1 Do not confuse the MPU with the Nios II memory management unit (MMU). The MPU does not provide memory mapping or management. Nios II MPU Usage March 2010 AN-540-1.0 Introduction This application note covers the basic features of the Nios II processor s optional memory protection unit (MPU), describing how to use it without the

More information

Memory management. Johan Montelius KTH

Memory management. Johan Montelius KTH Memory management Johan Montelius KTH 2017 1 / 22 C program # include int global = 42; int main ( int argc, char * argv []) { if( argc < 2) return -1; int n = atoi ( argv [1]); int on_stack

More information

Intel P The course that gives CMU its Zip! P6/Linux Memory System November 1, P6 memory system. Review of abbreviations

Intel P The course that gives CMU its Zip! P6/Linux Memory System November 1, P6 memory system. Review of abbreviations 15-213 The course that gives CMU its Zip! P6/Linux ory System November 1, 01 Topics P6 address translation Linux memory management Linux fault handling memory mapping Intel P6 Internal Designation for

More information

TDDB68 Lesson 2 Pintos Assignments 3 & 4. Mattias Eriksson 2010 (or

TDDB68 Lesson 2 Pintos Assignments 3 & 4. Mattias Eriksson 2010 (or TDDB68 Lesson 2 Pintos Assignments 3 & 4 Mattias Eriksson 2010 mater@ida.liu.se (or mattias.eriksson@liu.se) some slides by Viacheslav Izosimov 2007-2008 Instead of Motivation Plan for something like this:

More information

Operating systems. Lecture 9

Operating systems. Lecture 9 Operating systems. Lecture 9 Michał Goliński 2018-11-27 Introduction Recall Reading and writing wiles in the C/C++ standard libraries System calls managing processes (fork, exec etc.) Plan for today fork

More information

P6 memory system P6/Linux Memory System October 31, Overview of P6 address translation. Review of abbreviations. Topics. Symbols: ...

P6 memory system P6/Linux Memory System October 31, Overview of P6 address translation. Review of abbreviations. Topics. Symbols: ... 15-213 P6/Linux ory System October 31, 00 Topics P6 address translation Linux memory management Linux fault handling memory mapping DRAM bus interface unit instruction fetch unit processor package P6 memory

More information

lpengfei Ding & Chenfu Bao lsecurity Researcher & Baidu X-Lab lfocused on Mobile, IoT and Linux kernel security

lpengfei Ding & Chenfu Bao lsecurity Researcher & Baidu X-Lab lfocused on Mobile, IoT and Linux kernel security lpengfei Ding & Chenfu Bao lsecurity Researcher & Developer @ Baidu X-Lab lfocused on Mobile, IoT and Linux kernel security l Introduction l Past Compat Vulnerabilities l Newly Identified Compat Vulnerabilities

More information

CS 31: Intro to Systems Pointers and Memory. Martin Gagne Swarthmore College February 16, 2016

CS 31: Intro to Systems Pointers and Memory. Martin Gagne Swarthmore College February 16, 2016 CS 31: Intro to Systems Pointers and Memory Martin Gagne Swarthmore College February 16, 2016 So we declared a pointer How do we make it point to something? 1. Assign it the address of an existing variable

More information

CSC C69: OPERATING SYSTEMS

CSC C69: OPERATING SYSTEMS CSC C69: OPERATING SYSTEMS Tutorial 1 Thursday, Jan 17, 2013 TA: Ioan Stefanovici (ioan@cs.toronto.edu) HOW DO YOU SUCCEED IN THIS COURSE? Show up to lectures & tutorials (way too much material) Work on

More information

Virtual Memory: Systems

Virtual Memory: Systems Virtual Memory: Systems 5-23 / 8-23: Introduc2on to Computer Systems 7 th Lecture, Mar. 22, 22 Instructors: Todd C. Mowry & Anthony Rowe Today Virtual memory ques7ons and answers Simple memory system example

More information

Memory Mapping. Sarah Diesburg COP5641

Memory Mapping. Sarah Diesburg COP5641 Memory Mapping Sarah Diesburg COP5641 Memory Mapping Translation of address issued by some device (e.g., CPU or I/O device) to address sent out on memory bus (physical address) Mapping is performed by

More information

POSIX Shared Memory. Linux/UNIX IPC Programming. Outline. Michael Kerrisk, man7.org c 2017 November 2017

POSIX Shared Memory. Linux/UNIX IPC Programming. Outline. Michael Kerrisk, man7.org c 2017 November 2017 Linux/UNIX IPC Programming POSIX Shared Memory Michael Kerrisk, man7.org c 2017 mtk@man7.org November 2017 Outline 10 POSIX Shared Memory 10-1 10.1 Overview 10-3 10.2 Creating and opening shared memory

More information

PROJECT 2 - MEMORY ALLOCATOR Computer Systems Principles. October 1, 2010

PROJECT 2 - MEMORY ALLOCATOR Computer Systems Principles. October 1, 2010 PROJECT 2 - MEMORY ALLOCATOR Computer Systems Principles Emery Berger Mark Corner October 1, 2010 1 Overview The purpose of this project is to acquaint you with how memory allocators provide virtual memory

More information

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned Other array problems CSci 5271 Introduction to Computer Security Day 4: Low-level attacks Stephen McCamant University of Minnesota, Computer Science & Engineering Missing/wrong bounds check One unsigned

More information

A Client-Server Exchange

A Client-Server Exchange Socket programming A Client-Server Exchange A server process and one or more client processes Server manages some resource. Server provides service by manipulating resource for clients. 1. Client sends

More information

Processes. Dr. Yingwu Zhu

Processes. Dr. Yingwu Zhu Processes Dr. Yingwu Zhu Process Growing Memory Stack expands automatically Data area (heap) can grow via a system call that requests more memory - malloc() in c/c++ Entering the kernel (mode) Hardware

More information

Final Exam, Spring 2012 Date: May 14th, 2012

Final Exam, Spring 2012 Date: May 14th, 2012 Full Name: Final Exam, Spring 2012 Date: May 14th, 2012 Instructions: This final exam takes 1 hour and 30 minutes. Read through all the problemsandcompletetheeasy ones first. This exam is OPEN BOOK. You

More information

Operating System Labs. Yuanbin Wu

Operating System Labs. Yuanbin Wu Operating System Labs Yuanbin Wu CS@ECNU Operating System Labs Project 2 Due 21:00, Oct. 24 Project 3 Group of 3 If you can not find a partner, drop us an email You now have 3 late days, but start early!

More information

SYSTEM CALL IMPLEMENTATION. CS124 Operating Systems Fall , Lecture 14

SYSTEM CALL IMPLEMENTATION. CS124 Operating Systems Fall , Lecture 14 SYSTEM CALL IMPLEMENTATION CS124 Operating Systems Fall 2017-2018, Lecture 14 2 User Processes and System Calls Previously stated that user applications interact with the kernel via system calls Typically

More information

Lecture 24. Thursday, November 19 CS 375 UNIX System Programming - Lecture 24 1

Lecture 24. Thursday, November 19 CS 375 UNIX System Programming - Lecture 24 1 Lecture 24 Log into Linux. Copy directory /home/hwang/cs375/lecture24 Final project posted. Due during finals week. Reminder: No class next Tuesday (11/24) Questions? Thursday, November 19 CS 375 UNIX

More information

MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation. Shankara Pailoor, Andrew Aday, Suman Jana Columbia University

MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation. Shankara Pailoor, Andrew Aday, Suman Jana Columbia University MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation Shankara Pailoor, Andrew Aday, Suman Jana Columbia University 1 OS Fuzzing Popular technique to find OS vulnerabilities Primarily

More information

Scaling CQUAL to millions of lines of code and millions of users p.1

Scaling CQUAL to millions of lines of code and millions of users p.1 Scaling CQUAL to millions of lines of code and millions of users Jeff Foster, Rob Johnson, John Kodumal and David Wagner {jfoster,rtjohnso,jkodumal,daw}@cs.berkeley.edu. UC Berkeley Scaling CQUAL to millions

More information

EL2310 Scientific Programming

EL2310 Scientific Programming Lecture 11: Memory, Files and Bitoperations (yaseminb@kth.se) Overview Overview Lecture 11: Memory, Files and Bit operations Main function; reading and writing Bitwise Operations Lecture 11: Memory, Files

More information

Changelog. Corrections made in this version not in first posting: 1 April 2017: slide 13: a few more %c s would be needed to skip format string part

Changelog. Corrections made in this version not in first posting: 1 April 2017: slide 13: a few more %c s would be needed to skip format string part 1 Changelog 1 Corrections made in this version not in first posting: 1 April 2017: slide 13: a few more %c s would be needed to skip format string part OVER questions? 2 last time 3 memory management problems

More information

Linux TCP Bind Shell from Scratch with Intel x86 Assembly

Linux TCP Bind Shell from Scratch with Intel x86 Assembly Linux TCP Bind Shell from Scratch with Intel x86 Assembly Amonsec https://amonsec.com Jun 13, 2017 (V 1.0) 1 1 7 This blog post has been created for completing the requirements of the SecurityTube Linux

More information

Inside ptmalloc2. Peng Xu Sep 14, 2013

Inside ptmalloc2. Peng Xu Sep 14, 2013 Inside ptmalloc2 Peng Xu peng.p.xu@ericsson.com Sep 14, 2013 Part I basic concept and data structure Memory Translation process memory layout kernel space command line and environment variables stack heap

More information

Sockets. Dong-kun Shin Embedded Software Laboratory Sungkyunkwan University Embedded Software Lab.

Sockets. Dong-kun Shin Embedded Software Laboratory Sungkyunkwan University  Embedded Software Lab. 1 Sockets Dong-kun Shin Embedded Software Laboratory Sungkyunkwan University http://nyx.skku.ac.kr Internet Connections (1) 2 Connection Clients and servers communicate by sending streams of bytes over

More information

Process Address Spaces and Binary Formats

Process Address Spaces and Binary Formats Process Address Spaces and Binary Formats Don Porter Background We ve talked some about processes This lecture: discuss overall virtual memory organizafon Key abstracfon: Address space We will learn about

More information

Ports under 1024 are often considered special, and usually require special OS privileges to use.

Ports under 1024 are often considered special, and usually require special OS privileges to use. 1 2 Turns out that besides an IP address (used by the IP layer), there is another address that is used by TCP (stream sockets) and, coincidentally, by UDP (datagram sockets). It is the port number. It's

More information

My malloc: mylloc and mhysa. Johan Montelius HT2016

My malloc: mylloc and mhysa. Johan Montelius HT2016 1 Introduction My malloc: mylloc and mhysa Johan Montelius HT2016 So this is an experiment where we will implement our own malloc. We will not implement the world s fastest allocator, but it will work

More information

Huawei Frame Buffer Driver Arbitrary Memory Write

Huawei Frame Buffer Driver Arbitrary Memory Write Huawei Frame Buffer Driver Arbitrary Memory Write 18/07/2017 Software Affected Versions Author Severity Vendor Vendor Response MediaTek Frame Buffer Driver Huawei Y6 Pro Dual SIM (TIT-L01C576B115) Mateusz

More information

Shared Memory Memory mapped files

Shared Memory Memory mapped files Shared Memory Memory mapped files 1 Shared Memory Introduction Creating a Shared Memory Segment Shared Memory Control Shared Memory Operations Using a File as Shared Memory 2 Introduction Shared memory

More information

CSE 120 Principles of Operating Systems

CSE 120 Principles of Operating Systems CSE 120 Principles of Operating Systems Spring 2018 Lecture 10: Paging Geoffrey M. Voelker Lecture Overview Today we ll cover more paging mechanisms: Optimizations Managing page tables (space) Efficient

More information

MMAP AND PIPE. UNIX Programming 2015 Fall by Euiseong Seo

MMAP AND PIPE. UNIX Programming 2015 Fall by Euiseong Seo MMAP AND PIPE UNIX Programming 2015 Fall by Euiseong Seo Memory Mapping mmap(2) system call allows mapping of a file into process address space Instead of using read() and write(), just write to memory

More information

Processes COMPSCI 386

Processes COMPSCI 386 Processes COMPSCI 386 Elements of a Process A process is a program in execution. Distinct processes may be created from the same program, but they are separate execution sequences. call stack heap STACK

More information

Project 2 Overview: Part A: User space memory allocation

Project 2 Overview: Part A: User space memory allocation Project 2 Overview: Once again, this project will have 2 parts. In the first part, you will get to implement your own user space memory allocator. You will learn the complexities and details of memory

More information

Contiguous memory allocation in Linux user-space

Contiguous memory allocation in Linux user-space Contiguous memory allocation in Linux user-space Guy Shattah, Christoph Lameter Linux Plumbers Conference 2017 Contents Agenda Existing User-Space Memory Allocation Methods Fragmented Memory vs Contiguous

More information

Memory Mapped I/O. Michael Jantz. Prasad Kulkarni. EECS 678 Memory Mapped I/O Lab 1

Memory Mapped I/O. Michael Jantz. Prasad Kulkarni. EECS 678 Memory Mapped I/O Lab 1 Memory Mapped I/O Michael Jantz Prasad Kulkarni EECS 678 Memory Mapped I/O Lab 1 Introduction This lab discusses various techniques user level programmers can use to control how their process' logical

More information

Design Overview of the FreeBSD Kernel CIS 657

Design Overview of the FreeBSD Kernel CIS 657 Design Overview of the FreeBSD Kernel CIS 657 Organization of the Kernel Machine-independent 86% of the kernel (80% in 4.4BSD) C code Machine-dependent 14% of kernel Only 0.6% of kernel in assembler (2%

More information

Signal Example 1. Signal Example 2

Signal Example 1. Signal Example 2 Signal Example 1 #include #include void ctrl_c_handler(int tmp) { printf("you typed CTL-C, but I don't want to die!\n"); int main(int argc, char* argv[]) { long i; signal(sigint, ctrl_c_handler);

More information

CSE 306/506 Operating Systems Process Address Space. YoungMin Kwon

CSE 306/506 Operating Systems Process Address Space. YoungMin Kwon CSE 306/506 Operating Systems Process Address Space YoungMin Kwon Process s Address Space Memory allocation for user processes On request, a right to use a new range of linear address is given to the process

More information

Design Overview of the FreeBSD Kernel. Organization of the Kernel. What Code is Machine Independent?

Design Overview of the FreeBSD Kernel. Organization of the Kernel. What Code is Machine Independent? Design Overview of the FreeBSD Kernel CIS 657 Organization of the Kernel Machine-independent 86% of the kernel (80% in 4.4BSD) C C code Machine-dependent 14% of kernel Only 0.6% of kernel in assembler

More information

Intel P6 (Bob Colwell s Chip, CMU Alumni) The course that gives CMU its Zip! Memory System Case Studies November 7, 2007.

Intel P6 (Bob Colwell s Chip, CMU Alumni) The course that gives CMU its Zip! Memory System Case Studies November 7, 2007. class.ppt 15-213 The course that gives CMU its Zip! ory System Case Studies November 7, 07 Topics P6 address translation x86-64 extensions Linux memory management Linux fault handling ory mapping Intel

More information

BINDER THE ANDROID IPC FRAMEWORK. Antoine 'xdbob' Damhet. July 15, 2016

BINDER THE ANDROID IPC FRAMEWORK. Antoine 'xdbob' Damhet. July 15, 2016 BINDER THE ANDROID IPC FRAMEWORK Antoine 'xdbob' Damhet July 15, 2016 1 THE INTERPROCESS COMMUNICATION Share memory Share privileges Call a remote functions (RPC) Synchronize the processes 2 THE GOAL 3

More information

CS 31: Intro to Systems Pointers and Memory. Kevin Webb Swarthmore College October 2, 2018

CS 31: Intro to Systems Pointers and Memory. Kevin Webb Swarthmore College October 2, 2018 CS 31: Intro to Systems Pointers and Memory Kevin Webb Swarthmore College October 2, 2018 Overview How to reference the location of a variable in memory Where variables are placed in memory How to make

More information

Optimizing Dynamic Memory Management

Optimizing Dynamic Memory Management Optimizing Dynamic Memory Management 1 Goals of this Lecture Help you learn about: Details of K&R heap mgr Heap mgr optimizations related to Assignment #5 Faster free() via doubly-linked list, redundant

More information

Session NM056. Programming TCP/IP with Sockets. Geoff Bryant Process software

Session NM056. Programming TCP/IP with Sockets. Geoff Bryant Process software Session NM056 Programming TCP/IP with Sockets Geoff Bryant Process software Course Roadmap Slide 57 NM055 (11:00-12:00) Important Terms and Concepts TCP/IP and Client/Server Model Sockets and TLI Client/Server

More information

Lecture 7. Followup. Review. Communication Interface. Socket Communication. Client-Server Model. Socket Programming January 28, 2005

Lecture 7. Followup. Review. Communication Interface. Socket Communication. Client-Server Model. Socket Programming January 28, 2005 Followup symbolic link (soft link): pathname, can be across file systems, replacement of file will be active on all symbolic links, consumes at least an inode. hard link: pointers to an inode, only in

More information

Architecture and Drivers for Smartphones Introduction Labo 2

Architecture and Drivers for Smartphones Introduction Labo 2 Architecture and Drivers for Smartphones Introduction Labo 2 Cours APS Salvatore Valenza Version 1.0 (2012-2013) 1 Cours APS - Institut REDS/HEIG-VD - Introduction Linux User Space vs Kernel Space Application

More information

SUPPORTING NATIVE PTHREADS IN SYSCALL EMULATION MODE BRANDON POTTER JUNE 14 TH, 2015

SUPPORTING NATIVE PTHREADS IN SYSCALL EMULATION MODE BRANDON POTTER JUNE 14 TH, 2015 SUPPORTING NATIVE PTHREADS IN SYSCALL EMULATION MODE BRANDON POTTER JUNE 14 TH, 2015 WHAT ARE M5THREADS PROBLEMS? Gem5 currently supports pthreadsusing the gem5-specific m5threads library. M5threads is

More information

CS61, Fall 2012 Midterm Review Section

CS61, Fall 2012 Midterm Review Section CS61, Fall 2012 Midterm Review Section (10/16/2012) Q1: Hexadecimal and Binary Notation - Solve the following equations and put your answers in hex, decimal and binary. Hexadecimal Decimal Binary 15 +

More information

Midterm Exam Nov 8th, COMS W3157 Advanced Programming Columbia University Fall Instructor: Jae Woo Lee.

Midterm Exam Nov 8th, COMS W3157 Advanced Programming Columbia University Fall Instructor: Jae Woo Lee. Midterm Exam Nov 8th, 2012 COMS W3157 Advanced Programming Columbia University Fall 2012 Instructor: Jae Woo Lee About this exam: - There are 4 problems totaling 100 points: problem 1: 30 points problem

More information

Asynchronous Events on Linux

Asynchronous Events on Linux Asynchronous Events on Linux Frederic.Rossi@Ericsson.CA Open System Lab Systems Research June 25, 2002 Ericsson Research Canada Introduction Linux performs well as a general purpose OS but doesn t satisfy

More information

Pentium/Linux Memory System March 17, 2005

Pentium/Linux Memory System March 17, 2005 15-213 The course that gives CMU its Zip! Topics Pentium/Linux Memory System March 17, 2005 P6 address translation x86-64 extensions Linux memory management Linux page fault handling Memory mapping 17-linuxmem.ppt

More information

ECE 598 Advanced Operating Systems Lecture 10

ECE 598 Advanced Operating Systems Lecture 10 ECE 598 Advanced Operating Systems Lecture 10 Vince Weaver http://web.eece.maine.edu/~vweaver vincent.weaver@maine.edu 22 February 2018 Announcements Homework #5 will be posted 1 Blocking vs Nonblocking

More information

Linux Kernel Futex Fun: Exploiting CVE Dougall Johnson

Linux Kernel Futex Fun: Exploiting CVE Dougall Johnson Linux Kernel Futex Fun: Exploiting CVE-2014-3153 Dougall Johnson Overview Futex system call Kernel implementation CVE-2014-3153 My approach to exploiting it Futexes Fast user-space mutexes 32-bit integer

More information

Exploiting Concurrency Vulnerabilities in System Call Wrappers

Exploiting Concurrency Vulnerabilities in System Call Wrappers Exploiting Concurrency Vulnerabilities in System Call Wrappers Robert N. M. Watson Security Research Group Computer Laboratory University of Cambridge USENIX WOOT07 August 6, 2007 The Plan A brief history

More information

A Socket Example. Haris Andrianakis & Angelos Stavrou George Mason University

A Socket Example. Haris Andrianakis & Angelos Stavrou George Mason University A Socket Example & George Mason University Everything is a file descriptor Most socket system calls operate on file descriptors Server - Quick view socket() bind() listen() accept() send(), recv() close()

More information

bytes per disk block (a block is usually called sector in the disk drive literature), sectors in each track, read/write heads, and cylinders (tracks).

bytes per disk block (a block is usually called sector in the disk drive literature), sectors in each track, read/write heads, and cylinders (tracks). Understanding FAT 12 You need to address many details to solve this problem. The exercise is broken down into parts to reduce the overall complexity of the problem: Part A: Construct the command to list

More information

sottotitolo Socket Programming Milano, XX mese 20XX A.A. 2016/17 Federico Reghenzani

sottotitolo Socket Programming Milano, XX mese 20XX A.A. 2016/17 Federico Reghenzani Titolo presentazione Piattaforme Software per la Rete sottotitolo Socket Programming Milano, XX mese 20XX A.A. 2016/17 Outline 1) Introduction to Sockets 2) UDP communication 3) TCP communication 4) RAW

More information

C Structures in Practice

C Structures in Practice CS 2060 Use of C Structures in Unix/Linux To further illustrate C structures, we will review some uses of struct in system calls. Here is a function from BSD to get the current time (found in sys/time.h):

More information

Recitation Processes, Signals,UNIX error handling

Recitation Processes, Signals,UNIX error handling 15-213 Recitation Processes, Signals,UNIX error handling Section X - TA name 18 March 2019 Bryant and O Hallaron, Computer Systems: A Programmer s Perspective, Third Edition 1 Outline Logistics Process

More information

EECS 482 Introduction to Operating Systems

EECS 482 Introduction to Operating Systems EECS 482 Introduction to Operating Systems Winter 2018 Harsha V. Madhyastha Recap: Page Replacement LRU OPT for realistic workloads Leverage temporal locality to reduce page faults Clock replacement is

More information

CSC369 Lecture 2. Larry Zhang

CSC369 Lecture 2. Larry Zhang CSC369 Lecture 2 Larry Zhang 1 Announcements Lecture slides Midterm timing issue Assignment 1 will be out soon! Start early, and ask questions. We will have bonus for groups that finish early. 2 Assignment

More information

BACKGROUND & TWI_CLKDIV

BACKGROUND & TWI_CLKDIV BACKGROUND & TWI_CLKDIV I have one TS7500 and I2C sensors. The communication between TS7500 and sensors fail. I probed the i2c communication between the sensors and one Arduino and it was OK. This communication

More information