SYSTEM CALL IMPLEMENTATION. CS124 Operating Systems Fall , Lecture 14

Similar documents
Operating systems offer processes running in User Mode a set of interfaces to interact with hardware devices such as

Section 4: Threads CS162. September 15, Warmup Hello World Vocabulary 2

CSC369 Lecture 2. Larry Zhang

CSC369 Lecture 2. Larry Zhang, September 21, 2015

Protection and System Calls. Otto J. Anshus

Section 4: Threads and Context Switching

Function Calls COS 217. Reading: Chapter 4 of Programming From the Ground Up (available online from the course Web site)

IMPLEMENTATION OF SIGNAL HANDLING. CS124 Operating Systems Fall , Lecture 15

Assembly Language: Function Calls" Goals of this Lecture"

Assembly Language: Function Calls" Goals of this Lecture"

Assembly Language: Function Calls

W4118: interrupt and system call. Junfeng Yang

Mechanisms for entering the system

KERNEL THREAD IMPLEMENTATION DETAILS. CS124 Operating Systems Winter , Lecture 9

Exceptions and Processes

Assembly Language: Function Calls. Goals of this Lecture. Function Call Problems

OS COMPONENTS OVERVIEW OF UNIX FILE I/O. CS124 Operating Systems Fall , Lecture 2

3. Process Management in xv6

CS 5460/6460 Operating Systems

The IA-32 Stack and Function Calls. CS4379/5375 Software Reverse Engineering Dr. Jaime C. Acosta

ICS143A: Principles of Operating Systems. Midterm recap, sample questions. Anton Burtsev February, 2017

Processes (Intro) Yannis Smaragdakis, U. Athens

x86 assembly CS449 Fall 2017

Processes. Johan Montelius KTH

ECE 391 Exam 1 Review Session - Spring Brought to you by HKN

A process. the stack

CS 550 Operating Systems Spring System Call

6.828: Using Virtual Memory. Adam Belay

CS 31: Intro to Systems Functions and the Stack. Martin Gagne Swarthmore College February 23, 2016

Register Allocation, iii. Bringing in functions & using spilling & coalescing

Lecture 4 CIS 341: COMPILERS

Homework / Exam. Return and Review Exam #1 Reading. Machine Projects. Labs. S&S Extracts , PIC Data Sheet. Start on mp3 (Due Class 19)

CS 537 Lecture 2 - Processes

System calls and assembler

Project 2: Signals. Consult the submit server for deadline date and time

What You Need to Know for Project Three. Dave Eckhardt Steve Muckle

+ Overview. Projects: Developing an OS Kernel for x86. ! Handling Intel Processor Exceptions: the Interrupt Descriptor Table (IDT)

Digital Forensics Lecture 3 - Reverse Engineering

Low Level Programming Lecture 2. International Faculty of Engineerig, Technical University of Łódź

TDDB68. Lesson 1. Simon Ståhlberg

CS61 Section Solutions 3

Ausgewählte Betriebssysteme. Anatomy of a system call

CSCI 350 Ch. 2 The Kernel Abstraction & Protection. Mark Redekopp

CS 318 Principles of Operating Systems

Operating Systems Engineering Recitation #3 (part 2): Interrupt and Exception Handling on the x86. (heavily) based on MIT 6.

CS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2016 Lecture 12

CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING

CS 33: Week 3 Discussion. x86 Assembly (v1.0) Section 1G

X86 Stack Calling Function POV

CS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2015 Lecture 25

Function Call Convention

CSE 351: Week 4. Tom Bergan, TA

Procedure Calls. Young W. Lim Sat. Young W. Lim Procedure Calls Sat 1 / 27

How Software Executes

x86 segmentation, page tables, and interrupts 3/17/08 Frans Kaashoek MIT

COS 318: Operating Systems. Overview. Prof. Margaret Martonosi Computer Science Department Princeton University

Lecture 15 Intel Manual, Vol. 1, Chapter 3. Fri, Mar 6, Hampden-Sydney College. The x86 Architecture. Robb T. Koether. Overview of the x86

CS 318 Principles of Operating Systems

Low-Level Essentials for Understanding Security Problems Aurélien Francillon

Stack -- Memory which holds register contents. Will keep the EIP of the next address after the call

CSE 153 Design of Operating Systems Fall 18

Project 2-1 User Programs

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

System Call. Preview. System Call. System Call. System Call 9/7/2018

AS08-C++ and Assembly Calling and Returning. CS220 Logic Design AS08-C++ and Assembly. AS08-C++ and Assembly Calling Conventions

Operating Systems and Protection CS 217

CPEG421/621 Tutorial

CNIT 127: Exploit Development. Ch 3: Shellcode. Updated

PROCESS VIRTUAL MEMORY PART 2. CS124 Operating Systems Winter , Lecture 19

What the CPU Sees Basic Flow Control Conditional Flow Control Structured Flow Control Functions and Scope. C Flow Control.

Procedure Calls. Young W. Lim Mon. Young W. Lim Procedure Calls Mon 1 / 29

IA32 Intel 32-bit Architecture

Roadmap: Security in the software lifecycle. Memory corruption vulnerabilities

Midterm Exam #2 April 20, 2016 CS162 Operating Systems

4. The Abstraction: The Process

Machine-level Programming (3)

Pintos Project 2 User Programs

The x86 Architecture

Assembly Language Programming: Procedures. EECE416 uc. Charles Kim Howard University. Fall

CSE 509: Computer Security

Hardware OS & OS- Application interface

Return-orientated Programming

Stack Discipline Jan. 19, 2018

Tutorial 10 Protection Cont.

Final Exam. Fall Semester 2016 KAIST EE209 Programming Structures for Electrical Engineering. Name: Student ID:

An Experience Like No Other. Stack Discipline Aug. 30, 2006

See P&H 2.8 and 2.12, and A.5-6. Prof. Hakim Weatherspoon CS 3410, Spring 2015 Computer Science Cornell University

CS213. Machine-Level Programming III: Procedures

16.317: Microprocessor Systems Design I Fall 2014

Syscall Proxying. Simulating Remote Execution. Maximiliano Cáceres.

CSC 2400: Computer Systems. Using the Stack for Function Calls

Introduction to the Process David E. Culler CS162 Operating Systems and Systems Programming Lecture 2 Sept 3, 2014

Practical Malware Analysis

CS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2017 Lecture 7

The Process Abstraction. CMPU 334 Operating Systems Jason Waterman

Buffer Overflow Attack

W4118: PC Hardware and x86. Junfeng Yang

Changes made in this version not seen in first lecture:

MICROPROCESSOR TECHNOLOGY

Memory management. Johan Montelius KTH

Transcription:

SYSTEM CALL IMPLEMENTATION CS124 Operating Systems Fall 2017-2018, Lecture 14

2 User Processes and System Calls Previously stated that user applications interact with the kernel via system calls Typically invoked via a trap instruction An intentional software-generated exception The kernel registers a handler for a specific trap int $0x80 for Linux system calls int $0x2e for Windows system calls int $0x30 for Pintos system calls Can t easily pass arguments to system calls on the stack Trap instruction causes the CPU to switch operating modes (i.e. from user mode to kernel mode) Different operating modes have different stacks

3 User Processes and System Calls (2) Typically, arguments to system calls passed in registers, and the return-value(s) come back in registers One of the arguments is an integer indicating which system call to invoke e.g. on Linux and Windows, %eax is set to operation to perform e.g. on UNIX systems, sys/syscall.h specifies these numbers Note: UNIX syscall IDs are not uniform across different UNIXes Obvious constraint: system-call arguments can t be wider than the registers Several possible approaches: Can split larger arguments across multiple registers Can store larger arguments in a struct, then pass a pointer to the struct as an argument

4 User Processes and System Calls (3) The operating system frequently exposes system calls via a standard library e.g. UNIX syscalls are exposed via the C standard library (libc) e.g. Windows syscalls are exposed via the (largely undocumented) Native API (ntapi.dll) The library serves as an intermediary between apps and the operating system Some functions are direct wrappers for system calls e.g. ssize_t read(int fd, void *buf, size_t nbyte) Implementation stores arguments from stack into registers, invokes the system call entry-point (e.g. int $0x80), and returns result Others utilize system call wrappers internally e.g. malloc() is mainly implemented in user space, but uses system calls to increase the process heap size

5 Review: Interrupt Mechanics Previously discussed how interrupts and traps are handled on IA32 (see lecture 9 for details) User process has its own stack Executing the trap causes the CPU to switch to the kernel-mode stack associated with the process Since system calls change from user mode to kernel mode, IA32 saves pointer to previous stack on new stack Next, CPU saves the user process execution state: cs, eip and eflags User Process Stack current contents of user process stack trap Kernel Thread Stack Caller s SS Caller s ESP Caller s EFLAGS Caller s CS Caller s EIP

6 Review: Interrupt Mechanics (2) Operating system has a stub for every possible interrupt Some interrupts push an error code onto the stack; if not, the OS stub will push a dummy value for consistency Next, stub pushes the interrupt number onto the stack Finally, stub records all register state onto kernel stack User Process Stack current contents of user process stack Kernel Thread Stack Caller s SS Caller s ESP Caller s EFLAGS Caller s CS Now the ISR can run without disrupting the interrupted code Caller s EIP Error Code Interrupt No. Register State of Interrupted Program

7 System Call Mechanics The OS exposes the user program s CPU and register state as arguments to the ISR Typically exposed to ISR as a struct with a field for each register System call handler needs to receive arguments from the user program Can easily access these values on the kernel stack Syscall handler must also return a status result in eax Can modify user program s eax on the kernel stack When kernel returns to the user program, its context is restored Program sees new value of eax User Process Stack current contents of user process stack Kernel Thread Stack Caller s SS Caller s ESP Caller s EFLAGS Caller s CS Caller s EIP Error Code Interrupt No. Register State of Interrupted Program

8 System Call Mechanics (2) The ID of the system call is used to dispatch to a function that implements the system call Called a system call service routine System call service routines are usually named after their user-mode entry points e.g. sys_write() implements write() e.g. sys_fork() implements fork() (Aside: these service routines are sometimes called within the kernel implementation to implement more complex operations) A system call table holds an array of function pointers to all system call service routines The syscall ID is used to index into this table when making the call

9 System Call Mechanics (3) Need to check the system call ID to ensure it s valid If it s invalid, return ENOSYS Function not implemented error Can easily check that the ID is below the max syscall ID If a specific syscall ID below the max is not supported, simply register a service routine that returns ENOSYS

Example: Linux System Calls Snippet [paraphrased] of Linux system_call() handler:... # Save registers onto stack # Make sure it's a valid syscall ID cmpl $(NR_syscalls), %eax jb nobadsys # Return-value of syscall() will be in eax # as usual, so set value of eax stored on # kernel stack to ENOSYS to indicate error movl $(-ENOSYS), 24(%esp) jmp ret_from_sys_call nobadsys:...

Example: Linux System Calls (2) Linux system_call() handler, continued:... nobadsys: # Dispatch to the function in the system-call # table corresponding to the specified ID # (On IA32, pointers are 4 bytes, so use # ID*4 as the address within the table) call *sys_call_table(, %eax, 4) # Store return-value from routine into # location of eax on the kernel stack movl %eax, 24(%esp) jmp ret_from_sys_call

12 Example: Linux System Calls (3) Different syscalls require different numbers of arguments e.g. getpid() and fork() require no arguments e.g. mmap() requires up to six arguments System-call arguments are passed from the user process in specific registers ebx is first argument, ecx is second argument, etc. Syscall service routines are written in C, and they expect their args on the kernel stack Linux system_call() handler pushes all of the process registers onto the kernel stack in a specific order Specifically, the reverse order that registers are used to pass arguments to system calls Kernel Thread Stack ebp = arg6 edi = arg5 esi = arg4 edx = arg3 ecx = arg2 ebx = arg1

13 Example: Linux System Calls (4) Arguments to syscall service routines are pushed in reverse order, following the cdecl calling convention Under cdecl, if a function is passed more arguments than it expects, the extra arguments are ignored Allows system_call() to dispatch to all the different service routines, regardless of the ebp = arg6 edi = arg5 number of arguments they take e.g. int sys_write(int fd, char *buf, int size) Service routine for write(int fd, char *buf, int size) When system_call() dispatches to sys_write(), sys_write() sees only the expected arguments Extra arguments are simply ignored by sys_write() Kernel Thread Stack esi = arg4 edx = arg3 size ecx = arg2 buf ebx = = arg1 fd return address sys_write() frame

14 System Calls: Security Holes? It goes without saying that the system call service routine must carefully check all arguments to the system call Are there potential security holes in accepting pointers as arguments to system calls? Example: ssize_t read(int fd, void *buf, size_t nbytes) Reads bytes from a file descriptor into a buffer Caller specifies: The file-descriptor to read A pointer to the buffer to store the data in A number of bytes to read

15 System Calls: Security Holes?! Example: ssize_t read(int fd, void *buf, size_t nbytes) Generally the pointers are expected to be in user space What if the user-mode program specifies an address in the kernel s address space? As long as the user-mode program doesn t access this address, it won t cause a general protection fault But, the kernel is allowed to write to this address! If kernel naïvely accepts the address from the user-mode program, it could overwrite critical data Example: target critical kernel data structures Program opens file containing the data it wants to insert into kernel Program passes that file descriptor and address of kernel struct

16 System Calls: Security Holes Very important to verify all addresses that come from user-mode programs: Addresses must be in userspace! If an address is in kernel space, it s an access violation Fast way to verify addresses: Make sure the address is below the kernel / user address boundary! (e.g. 0xc0000000 in Linux/Pintos) 0xc0000000 %esp 0x40000000 brk 0x08048000 0 Process-specific data structures Kernel stack Mapping to physical memory Kernel code and global data User stack Memory mapped region for shared libraries Run-time heap (via malloc) Uninitialized data (.bss) Initialized data (.data) Program text (.text) Forbidden Kernel Space User Space

17 System Calls and Page Faults Addresses below the kernel / user boundary could still be invalid e.g. pass a pointer to unallocated memory to a read() system call e.g. pass a pointer to read-only memory to a write() system call OS will see a page fault or a general protection fault within the kernel Problem: this isn t always an error! Many OSes don t allocate virtual memory pages until they are actually accessed Private copy-on-write pages are marked read-only; first write attempt causes the page to be copied for the writing process 0xc0000000 %esp 0x40000000 brk 0x08048000 0 Process-specific data structures Kernel stack Mapping to physical memory Kernel code and global data User stack Memory mapped region for shared libraries Run-time heap (via malloc) Uninitialized data (.bss) Initialized data (.data) Program text (.text) Forbidden Kernel Space User Space

18 System Calls and Page Faults (2) Aside: In the Pintos system-call lab, virtual memory management isn t completed yet, so a page fault does mean an invalid address J The OS may see memory faults within the kernel: Sometimes these are valid scenarios Sometimes it s an invalid pointer passed to a syscall L Sometimes it is a kernel bug L L Assume there is a way to identify the valid scenarios (We will examine that question in a few weeks) How do we distinguish between the remaining two cases?

19 System Calls and Page Faults (3) How to distinguish between: Faults caused by invalid addresses passed to system calls Faults caused by kernel bugs Linux has a very interesting solution to this problem How much kernel code actually interacts with user space? (Remember, CPU state of user processes is saved onto the kernel stack, which is in kernel space)

20 System Calls and Page Faults (3) The amount of kernel code that interacts with user space is actually very small Linux kernel keeps an exception table, which records the addresses of all instructions that touch user space In the fault handler, consult the exception table: If the faulting instruction is in the exception table, then the user program passed the kernel a bad pointer Otherwise, it s a kernel bug L Aside: if it s a kernel bug, Linux performs a kernel oops Print out suitable info for a kernel developer to debug the error, and log it to the system log Then terminate the process! Keeps kernel bugs from bringing down the entire system

Example Kernel Oops 21

22 Pintos System Calls Pintos doesn t follow the Linux syscall mechanism Syscall arguments are on the user stack, not in the registers This complicates the syscall mechanism, but only slightly Pictorially: User Process Stack Kernel Thread Stack Arguments to System Call current contents of user process stack Sys-Call Args Caller s SS Caller s ESP Caller s EFLAGS Caller s CS Caller s EIP Error Code struct intr_frame (threads/interrupt.h) Interrupt No. Register State of Interrupted Program Pointer is passed to system-call function (userprog/syscall.c)

23 Pintos System Calls (2) intr_frame struct exposes process machine context Note that topmost values on stack appear at bottom uint32_t edi; of the structure uint32_t esi; uint32_t ebp; Recall: C structure members uint32_t esp_dummy; assigned increasing offsets uint32_t ebx;... Last struct members have the highest addresses uint32_t vec_no; This struct makes it easy to access the user process stack contents e.g. retrieve esp member, cast to uint32_t*, then uint16_t cs, :16; access user stack like an array uint32_t eflags; struct intr_frame { // Pushed by intr_entry (intr-stubs.s). // The interrupted task's saved registers. // Saved EDI // Saved ESI // Saved EBP // Not used // Saved EBX // Pushed by intrnn_stub (intr-stubs.s). // Interrupt vector no. // Sometimes pushed by CPU; otherwise for // consistency, 0 is pushed (intrnn_stub). uint32_t error_code; // Pushed by the CPU. These are the // interrupted task's saved registers. void (*eip) (void); // Next instruction void *esp; uint16_t ss, :16; }; // Code segment // Saved CPU flags // Saved stack ptr // Stack segment

24 Pintos System Calls (3) Pintos system-call arguments are pushed on the user process stack Arguments themselves are pushed in reverse order Finally, system-call number is pushed Caller s esp points to the system-call number Use syscall no. to determine how many args are required Finally, read in the args themselves Accessing user-space, so need to do this carefully Arguments to System Call User Process Stack current contents of user process stack Arg N Arg 1 Syscall Number Kernel Thread Stack Caller s SS Caller s ESP Caller s EFLAGS Caller s CS Caller s EIP Error Code Interrupt No. Register State of Interrupted Program

25 Next Topics! Next three lectures cover two fun topics! How signal handling works (1 lecture) Kernel allocators: how memory allocations are managed within the kernel (2 lectures)

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback