Week 1 Talking Points

The document summarizes key aspects of the Linux kernel organization and functionality. It discusses process management facilities, security features like access control and auditing, memory management using paging and segmentation, generic I/O interfaces, filesystem support for files and directories, terminal handling, interprocess communication using sockets, and network communication support using protocols. Device management, file systems anchored as trees with mounts and unmounts, and inter-process communication domains are also outlined.

Uploaded by 007phantom

4P13

Week 1 Talking Points
Kernel Organization
• Basic kernel facilities: timer and system-clock handling, descriptor management, and process management

• Security features: conventional UNIX model, but also sandboxing, virtualization, event auditing, and cryptographic services

• Memory-management support: paging and swapping

• Generic system interfaces: the I/O, control, and multiplexing operations performed on descriptors

• Filesystems: files, directories, pathname translation, file locking, and I/O buffer management

• Terminal-handling support: the pseudo-terminal interface and terminal line disciplines

• Interprocess-communication facilities: sockets

• Support for network communication: communication protocols and generic network facilities, such as routing
Table 2.1
Table 2.2
Process Management
• Multitasking
• Process context
– User-level state
• Address space state
• Runtime environment
• Kernel state
– Scheduling parameters
– Resource controls
– ID info
Process Management
• Process identifier (PID)
– Used by the kernel and the user to reference a process
• A new process (child) is cloned from an existing (parent) process.
– fork
– Inherits properties of the parent
• Think extends in OOP.
– Implies that the new process will execute in the resource environment of the parent.
• Address space
• Permissions etc.
Fig 2.1

• execve – execute a new process image from a file.
– The overlay gets its parameters from the memory address space of the parent.
• exit – terminates and returns info back to the parent.
– Implies that if the parent exits so must all children
– Implies that the process priority of the parent is inherited by the child.
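The fork / execve / exit round trip described on these slides, as an added C example that is not part of the course material: the parent creates a pipe, fork() clones it, the child inherits both pipe descriptors, overlays itself with execve(), and its exit() status is delivered back to the parent by waitpid(). It assumes a POSIX system with /bin/sh available; the environment passed to the child is a constructed one.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Run `path` with `argv` in a cloned child process, capture whatever the child
 * writes to its standard output through a pipe, and hand the child's exit
 * status back to the caller through *status (what exit() reports to the
 * parent).  Returns the number of bytes captured, or -1 on error. */
ssize_t run_capture(const char *path, char *const argv[],
                    char *buf, size_t bufsz, int *status)
{
    int fds[2];
    if (bufsz == 0 || pipe(fds) < 0)
        return -1;

    pid_t pid = fork();                 /* child starts as a copy of the parent */
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child: it inherited both pipe ends (Fig 2.1).  Keep only the write
         * end and make it the child's stdout before the overlay. */
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) < 0)
            _exit(126);
        close(fds[1]);
        char *const envp[] = { "PATH=/usr/bin:/bin", NULL };  /* constructed environment */
        execve(path, argv, envp);       /* overlays the child with the new image */
        _exit(127);                     /* only reached if execve() failed */
    }

    /* Parent: close the write end so read() sees EOF once the child exits. */
    close(fds[1]);
    size_t n = 0;
    ssize_t r;
    while (n < bufsz - 1 &&
           (r = read(fds[0], buf + n, bufsz - 1 - n)) > 0)
        n += (size_t)r;
    buf[n] = '\0';
    close(fds[0]);

    /* exit() in the child delivers its status here. */
    if (waitpid(pid, status, 0) < 0)
        return -1;
    return (ssize_t)n;
}

int main(void)
{
    char out[64];
    int status;
    char *const argv[] = { "sh", "-c", "printf hello; exit 3", NULL };
    ssize_t n = run_capture("/bin/sh", argv, out, sizeof out, &status);
    if (n < 0) {
        perror("run_capture");
        return 1;
    }
    printf("child wrote %zd bytes: \"%s\"\n", n, out);
    if (WIFEXITED(status))
        printf("child exit status: %d\n", WEXITSTATUS(status));
    return 0;
}
```

The _exit(127) after execve() is the detail worth noticing: a failed overlay still leaves a cloned process running the parent's code, so the child must terminate explicitly or it will continue executing the parent's logic with the parent's descriptors.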
Security
• A self-protecting Trusted Computing Base (TCB) guarantees enough system integrity to implement features such as multiple users and key storage.
• Strong process isolation using virtual memory ensures that the kernel is protected from user code, and that user processes are protected from one another.
• Identification and instrumentation of security-relevant operations throughout the kernel to implement access control, resource limits, and event auditing.
• A coherent privilege model, internal to the kernel, that allows exceptional operations (such as system administration, device-driver implementations) to occur in a structured way despite being outside the regular access-control model.
• Design abstractions that facilitate future security models, as well as security localization in downstream products; for example, clean separation of policy and mechanism, object-oriented structure (subject to the limitations of C), and a user-space capability-system model providing protection, rather than policy, as the primitive for application compartmentalization.
• Cryptographic primitives, such as secure random number generation and a library of encryption and signature functions, that can support many different higher-level operating-system features and applications.
• Process credentials
– UID – user ID
– GID – group ID
– Passed to processes to allow execution access.
– Setuid & setgid allow processes to run at elevated privileges.
• Privilege model
– Current model has up to 200 privileges
• Old model consisted of 2
– 0 (root)
– other
• Jails
– Virtualization which limits a group of processes
• Limited file system
• Memory
• Access to system calls
• Can provide duplication of file systems into the jail
• Mandatory Access Control (MAC)
– Similar to the Windows security policy system
– Policies are associated with processes to govern access rights.
• Cryptography
– Kernel has a built-in random number generator
• Accessed via system call
– One-way hashes
• Memory management
– All processes run in a segmented system
• Stack, code, heap
– Enforces rwx restrictions per segment
• Each segment is paged to virtual memory
– Allows for memory overlays between kernel and processes, for data transfer.
– Kernel memory is non-paged
• Accessed from a dedicated pool
– malloc and free
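The rwx enforcement on the memory-management slide, as an added C example that is not from the course: a page is mapped read/write, written, then downgraded to read-only with mprotect(); the second store is refused by the MMU and arrives as SIGSEGV, which the example catches with sigsetjmp/siglongjmp so it can report the outcome instead of dying. It assumes a POSIX system with mmap(), mprotect() and sigaction().

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_env;

/* SIGSEGV handler: unwind to the sigsetjmp() point instead of dying. */
static void on_segv(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);
}

/* Map one page read/write, store to it, downgrade the page to read-only with
 * mprotect(), then store again.  Returns 1 if the kernel refused the second
 * store (SIGSEGV delivered) while the first one survived, 0 if the second
 * store silently succeeded, -1 on a setup error. */
int readonly_page_blocks_write(void)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    char *p = mmap(NULL, pg, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;

    p[0] = 'A';                                 /* permitted: page is rw- */
    if (mprotect(p, pg, PROT_READ) != 0) {
        munmap(p, pg);
        return -1;
    }

    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    volatile int blocked = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        *(volatile char *)p = 'B';              /* page is now r--: should fault */
    } else {
        blocked = 1;                            /* arrived here via the handler */
    }

    sigaction(SIGSEGV, &old, NULL);             /* restore the previous disposition */
    int still_a = (p[0] == 'A');                /* reading is still allowed */
    munmap(p, pg);
    return blocked && still_a;
}

int main(void)
{
    int r = readonly_page_blocks_write();
    printf("write to read-only page blocked: %s\n",
           r == 1 ? "yes" : r == 0 ? "no" : "setup error");
    return r == 1 ? 0 : 1;
}
```

The same mechanism is what keeps a process's code segment from being overwritten and, with PROT_EXEC withheld, keeps writable data from being run as code; the kernel page tables, not the process, decide which of r, w and x apply to each page.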
• Descriptors
– Can be thought of as a file handle or pointer
• Contains meta-information about the resource
– Security info etc.
– 7 types of I/O descriptor
• File
• Pipe – stdout to stdin between processes
• FIFO – named pipe, which has file system control
• Socket – named data stream which can be created between 2 processes; network capable.
• POSIX IPC – message queues, shared memory, semaphores
• Event queue – queue of events which control several processes.
• Process descriptors – security and control metadata for a set of processes.
Devices
• Devices must operate dynamically.
– Connected and disconnected.
– PnP system
– Requires the OS to load and unload drivers as required.
– When a new device is added, the kernel must initiate a configuration process.
File Systems
• Anchored as a tree with a root.
– chroot can set the current root for a process.
– Only executable with superuser privilege.
• Processes can be restricted to sub-trees of the file system.
– Any process can chdir to traverse the tree.
– The root file system can link any device with a file system to it.
• mount
• unmount
• Each directory of the file system can have 3 levels of access.
– Owner, group, everyone
– Each of the above set to rwx using chmod
– Access control lists can further restrict access to specific users.
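The owner/group/everyone rwx bits from the file-system slide and the setuid/setgid bits from the process-credentials slide are the same mode word, so one added C example (not from the course material) covers both: mode_string() renders a mode the way ls -l does, including the s and t bits, and chmod_roundtrip() sets a mode on a temporary file and reads back what the kernel stored. It assumes a POSIX system with a writable /tmp; the temporary-file template is constructed.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Render the permission part of st_mode as ls -l shows it: three rwx triples
 * for owner, group and everyone, with setuid/setgid shown as 's' in the
 * owner/group execute slots and the sticky bit as 't'.  A capital letter
 * means the special bit is set without the matching execute bit.  `out`
 * must hold at least 10 bytes.  Returns `out`. */
char *mode_string(mode_t m, char *out)
{
    const char *bits = "rwxrwxrwx";
    for (int i = 0; i < 9; i++)                  /* 0400 >> i walks r,w,x for u,g,o */
        out[i] = (m & (0400 >> i)) ? bits[i] : '-';
    if (m & S_ISUID) out[2] = (m & S_IXUSR) ? 's' : 'S';
    if (m & S_ISGID) out[5] = (m & S_IXGRP) ? 's' : 'S';
    if (m & S_ISVTX) out[8] = (m & S_IXOTH) ? 't' : 'T';
    out[9] = '\0';
    return out;
}

/* Create a temporary file, chmod() it to `wanted`, stat() it back and return
 * the permission bits the kernel actually stored (or -1 on error).  The file
 * is removed before returning. */
int chmod_roundtrip(mode_t wanted)
{
    char path[] = "/tmp/4p13_perm_XXXXXX";        /* constructed template */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    int result = -1;
    struct stat st;
    if (fchmod(fd, wanted) == 0 && fstat(fd, &st) == 0)
        result = (int)(st.st_mode & 07777);      /* rwx triples plus s/s/t bits */
    close(fd);
    unlink(path);
    return result;
}

int main(void)
{
    char buf[10];
    mode_t samples[] = { 0750, 0644, 04755, 02775, 01777 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%04o -> %s\n", (unsigned)samples[i], mode_string(samples[i], buf));
    printf("chmod 0640 round trip -> %04o\n", (unsigned)chmod_roundtrip(0640));
    return 0;
}
```

A mode of 04755 (rwsr-xr-x) is the shape a setuid root binary has: anyone may execute it, and while it runs its effective UID is the owner's, which is why such files are the ones an auditor enumerates first when reviewing a system.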
NFS
• Network File System.
– Required so multiple users can access a common resource.
• Servers
– Provide file locking, caching, and access-right control.
Inter-process Communications
• 3 types of domains
– Local
• Processes running on the local machine
– IPv4 and IPv6
• Allows for communications over a network
• Sockets provide connection streams between processes.
– Binding a name to a socket creates a file
– Binding an IP creates a network tunnel.
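"Binding a name to a socket creates a file", shown as an added C example that is not from the course: a local-domain (AF_UNIX) stream socket is bound to a path, stat() confirms the path now exists as a socket node, a client socket in the same process connects to that name, and one message is passed across the connection. It assumes a POSIX system with a writable /tmp; the socket path is a constructed name.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

/* Bind a local-domain stream socket to `path`, confirm that the bound name now
 * exists in the filesystem as a socket node, connect a second socket to that
 * name, send `msg`, and copy what the listening side receives into `out`.
 * Returns 1 when the name appeared as a socket file and the message
 * round-tripped, 0 when it did not, -1 on a system-call error. */
int local_socket_roundtrip(const char *path, const char *msg, char *out, size_t outsz)
{
    struct sockaddr_un addr;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    if (outsz == 0 || strlen(path) >= sizeof addr.sun_path)
        return -1;
    strcpy(addr.sun_path, path);
    unlink(path);                               /* stale node from a previous run */

    int srv = socket(AF_UNIX, SOCK_STREAM, 0);
    if (srv < 0)
        return -1;
    if (bind(srv, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(srv, 1) < 0) {
        close(srv);
        return -1;
    }

    /* bind() on a local-domain socket created a directory entry: check its type. */
    struct stat st;
    int is_sock = stat(path, &st) == 0 && S_ISSOCK(st.st_mode);

    int cli = socket(AF_UNIX, SOCK_STREAM, 0);
    int conn = -1;
    int ok = 0;
    if (cli >= 0 && connect(cli, (struct sockaddr *)&addr, sizeof addr) == 0 &&
        (conn = accept(srv, NULL, NULL)) >= 0) {
        ssize_t sent = write(cli, msg, strlen(msg));
        ssize_t got = read(conn, out, outsz - 1);
        out[got > 0 ? got : 0] = '\0';
        ok = sent == (ssize_t)strlen(msg) && got == sent;
    }

    if (conn >= 0) close(conn);
    if (cli >= 0) close(cli);
    close(srv);
    unlink(path);                               /* the node outlives the socket otherwise */
    return is_sock && ok;
}

int main(void)
{
    char buf[64] = "";
    const char *path = "/tmp/4p13_ipc_demo.sock";   /* constructed name */
    int r = local_socket_roundtrip(path, "hello from the local domain", buf, sizeof buf);
    printf("result=%d received=\"%s\"\n", r, buf);
    return r == 1 ? 0 : 1;
}
```

Because the bound name is an ordinary directory entry, the owner/group/everyone bits on it and on the enclosing directory decide which local processes may connect, which is the usual way a daemon limits who can talk to its control socket; an IPv4 or IPv6 socket bound to an address has no such entry and is reachable by anything that can route to it.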
The End
