WEBVTT

00:00.000 --> 00:11.000
Room full pack of people, so hello everyone, I am David Eberardi, I am here with my master

00:11.000 --> 00:16.200
Renzo Davoli to present you this talk on what is still missing is system portraying all

00:16.200 --> 00:24.000
Linux this time and yeah I have this slide here and you can see that in the bottom of

00:24.000 --> 00:30.000
the slide there is a repository of it in which you can find the code of some example

00:30.000 --> 00:36.200
and the patch is we will present today and yeah we will talk about system call, I assume

00:36.200 --> 00:41.800
that you know what a system call is, that we will talk about system call tracing, so basically

00:41.800 --> 00:47.000
we will talk about something which is similar to a trace in which is a program which

00:47.000 --> 00:52.200
springs every system call where get executed by another program, so in the slide for instance

00:52.200 --> 00:59.200
you can see at the bug procedure like in which we print every read done by cut

00:59.200 --> 01:08.200
it see pass with it, so it is just the prints whatever read is done by the file by the program.

01:08.200 --> 01:20.200
So following this features, basically we can create some kind of multiple layer operating system

01:20.200 --> 01:27.200
in which you have the operating system which does some kind of services which offer services

01:27.200 --> 01:34.200
like file systems like networking and so on, but then you can put some layer in it like

01:34.200 --> 01:41.200
programs use a program use a space like whatever cut whatever you want, but over it you

01:41.200 --> 01:47.200
can put another layer, so you can put some kind of multiple layer, so for instance you can

01:47.200 --> 01:54.200
filter what a system call does, so for instance you ask for a read on a file, you can

01:54.200 --> 02:00.200
alter the part of the file in transit, which is similar to what you can do with in a space

02:00.200 --> 02:06.200
it's obviously because you can alter some part of the system, but on a more finer level

02:06.200 --> 02:15.200
so for instance for every system call you have, this is the concept we will present today

02:15.200 --> 02:22.200
so basically how to create virtual machines based on system calls, so have a system call

02:22.200 --> 02:28.200
can be altered, lying to the user program, so basically you lie to the user program

02:28.200 --> 02:36.200
what the system call is doing and you can change what the program see from its perspective

02:37.200 --> 02:43.200
basically we have two techniques, we will present two techniques, so we will present two

02:43.200 --> 02:50.200
two different set of patches, one is for the hypervisor mode, what we call hypervisor mode

02:50.200 --> 02:57.200
so we have a user space program which hypervisor supervised another program, so basically

02:57.200 --> 03:04.200
you say okay we have this program which manage a system call of the other, so for instance you can

03:04.200 --> 03:12.200
say okay the read done by this program can be ejected to another one and this is done by

03:12.200 --> 03:19.200
hypervisor supervising, we will call it the hypervisor mode, on the other side you

03:19.200 --> 03:26.200
done it inside the program itself, so basically we brought the system call in a system

03:26.200 --> 03:33.200
called wrapper and that is a little bit less secure because you can basically

03:34.200 --> 03:40.200
hijack this wrapper and go outside this wrapper easily, but we will refer to this

03:40.200 --> 03:48.200
like a self-virtualization mode and this is the link production, so I give

03:48.200 --> 03:55.200
this is your screen so go, I'm returning back to this slide, so the operating system

03:56.200 --> 04:02.200
fixed the language of system calls, so a process, running process can

04:02.200 --> 04:11.200
open files and give path in and what the process sees is what is provided by the

04:11.200 --> 04:18.200
kind of, but if you stack as a building blocks layer of

04:18.200 --> 04:25.200
applications, so we can have at the top of layer one a program speaking the same language

04:25.200 --> 04:33.200
so able to support able to run the system call, so the interfaces are the same,

04:33.200 --> 04:41.200
but they can see different things, so why would you test for that you

04:41.200 --> 04:51.200
can use a device project, you can find it as a deviant package even in

04:51.200 --> 05:01.200
the table version, so just to save time I like, we can amount the

05:01.200 --> 05:10.200
file system as if it is a level to save, because it is possible to do

05:10.200 --> 05:19.200
amount a file system without any support in the kernel for few, because it is

05:19.200 --> 05:28.200
completely use a space, so if you amount a file system in a layer, they

05:28.200 --> 05:40.200
files will exist only for the process accessing layer one, so to do this, we use

05:40.200 --> 05:48.200
the tracing system called tracing, there are many ways to do this,

05:48.200 --> 06:03.200
the first, the most ancient way to do this, and upon the trace, for example, use

06:03.200 --> 06:17.200
a motelinox was created, okay, the columns list features of those methods,

06:17.200 --> 06:26.200
so available means to that exist now, skip means, there is the ability to

06:26.200 --> 06:34.200
skip the access fields, p-tracer at this system call, interact with the

06:34.200 --> 06:40.200
diverse types of twice, first at the entrance of the system call, such as

06:40.200 --> 06:48.200
is possible to change the number of the columns in the arguments, one at the exit

06:48.200 --> 06:56.200
after the kernel is executed, it is possible to have a second interaction

06:56.200 --> 07:09.200
in order to change the results themselves, if skip means it is possible to

07:09.200 --> 07:19.200
avoid the second call, that's like when you created use a motelinox given

07:19.200 --> 07:27.200
that well, no possibilities, skip the call, use the two change the system call from

07:27.200 --> 07:34.200
the system call to get p-tracer, because get p-tracer is quick and has no

07:34.200 --> 07:43.200
effect, so that is the funnest problem, because the second round of

07:43.200 --> 07:52.200
exchange was the atomizer, it's useless, the interacting nature with that

07:52.200 --> 08:04.200
system call, it is a status change of the process, so if you want to wait for a

08:04.200 --> 08:11.200
system call for the method of a system call, it must be used to wait, use

08:11.200 --> 08:20.200
it's a conference, it is possible to avoid the second interaction, one

08:20.200 --> 08:27.200
problem we have had, we are having, it's a problem to be potable, trust

08:27.200 --> 08:34.200
constantly potable, so I mean that the exchange code can run on similar

08:34.200 --> 08:45.200
interaction, that was impossible in a p-tracer and in p-tracer's a conference, because

08:45.200 --> 08:58.200
the access to system call argument will make using the name of the single register,

08:58.200 --> 09:13.200
I don't point, it's one point, an option of p-tracer, it was p-tracer, gets

09:13.200 --> 09:20.200
calling for, it was very nice for people using, tracing for the bag, he likes

09:20.200 --> 09:35.200
a straight, because in that way this program could be architectural independent, but p-tracer

09:35.200 --> 09:46.200
is calling for, it was interesting, p-tracer is calling for, should provide the

09:46.200 --> 09:56.200
support for architect, independent, tracing for, it's a last year, sometimes after

09:56.200 --> 10:12.200
the first time, this feature entered the cabinet, and at the time, we started the

10:12.200 --> 10:24.200
party and we discovered two problems, one problem was a performance problem, we had to

10:24.200 --> 10:34.200
return back to the cabinet way, because it wasn't possible to avoid the second call to

10:34.200 --> 10:50.200
the supervisor, because the trace gets calling for, it's trying to get it in three different

10:50.200 --> 11:01.200
time or more, entry, access, access, and so on, and implementation once the, to use the same

11:01.200 --> 11:12.200
off for the site, it means that the error identification as entry, it means that there are, there are

11:12.200 --> 11:25.200
an envelopes to call it the accurate attention change, if there are in this way, there are data, there are

11:25.200 --> 11:32.200
climas, we done with the same operation, so it's possible to change the system called number,

11:32.200 --> 11:38.200
for example, set it to minus one, it's a comfort, it's to say it's a statistical, in this

11:38.200 --> 11:54.200
way there wasn't no way to put, not feel to put the error number, okay, and the second problem was about

11:54.200 --> 12:08.200
the, even if there is the program counter in the data from, from, from countries, it's not

12:08.200 --> 12:18.200
important the way to change the program counter, so let us see this, then at a time

12:18.200 --> 12:33.200
attack, the point is that, I'm, I'm going to propose a set, a set of five, five

12:33.200 --> 12:45.200
sets, the first one is to resolve the problem of the, no skip of the system called, by

12:45.200 --> 12:55.200
I think it's a, the stagger, the stagger, even if the playback through the entry phase can

12:55.200 --> 13:07.200
set to, the time value and the time value and their number, that's number two, that's

13:07.200 --> 13:19.200
it's a set, the test set for the testing of the kernel, but three is to add the function

13:19.200 --> 13:30.200
for the, what the function for changes is the program counter and texture pointer, which is,

13:31.200 --> 13:42.200
present in almost all the attacks of Linux, but some, and the fourth steps is to add the

13:42.200 --> 13:56.200
flagger to set the section pointer, we had a, a main conversation with Dr. Levin and I think

13:56.200 --> 14:03.200
the, the classes are in a very advanced state, so I'm going to propose, we're going

14:03.200 --> 14:17.200
to propose it to crash as soon as possible, we had to architect a problem, blast the questions,

14:17.200 --> 14:29.200
another problem, we had to, it's about to 30 new ways, and maybe more efficient to

14:29.200 --> 14:37.200
trace this thing called, one method is about to set computer to five, so computer to

14:37.200 --> 14:47.200
try, as a different concept, using this color unify, we get to, we get the notification

14:47.200 --> 14:54.200
system called, but it's now, but not possible to change the system called number or to change

14:54.200 --> 15:06.200
that arguments, the only thing we can, it's possible, the only possible interface is to,

15:06.200 --> 15:14.200
why the system calls, calls, keeps the system called, and give, and give the, there's

15:14.200 --> 15:28.200
answer to, there are ten values of the system called, or to ask the counter to run, there's

15:28.200 --> 15:37.200
a thing called, but there is no way to have information after the time in value, so the idea

15:37.200 --> 15:52.200
is to delegate to forward all the notification of system called to the hypervisor, and run

15:52.200 --> 15:58.200
this is the coincidence that hypervisor at the time, just the access value, there are interfaces

15:58.200 --> 16:07.200
to send open files, the creator from the, from the hypervisor to the, to the virtual

16:08.200 --> 16:23.200
program, the event is case we found problems quickly, there is no way to support

16:24.200 --> 16:36.200
the FM have to in a, in if we control, there is one task to do something similar to

16:36.200 --> 16:50.200
two, or interrupt 3, but the file descriptor will be the first, the first, the lowest

16:50.200 --> 17:05.200
I'm not fighting the script, I'm just fighting the script over a fixed number and it's been possible to implement more important.

17:05.200 --> 17:07.200
It is not possible.

17:07.200 --> 17:16.200
So if we open a file in the virtual environment, we send the file the script into the trustee.

17:17.200 --> 17:34.200
The problem is that the file the script at one point will need to be closed and there is no way to close a file the script into the trustee.

17:35.200 --> 17:55.200
And if we like the clause to be processed by the kernel, there is a risk condition because it's not impossible to know if other threads or other processes change the file the script at table.

17:55.200 --> 18:01.200
It's closing, opening an after file at the same 5-6 steps and so on.

18:01.200 --> 18:20.200
Even the scale in the, in the material published with this talker, you will see that a year has in the page of this talk.

18:20.200 --> 18:26.200
We propose a patch to the sources problem.

18:26.200 --> 18:35.200
The patch in this case is at an early stage, so we're working on it.

18:35.200 --> 18:41.200
Okay?

18:41.200 --> 18:46.200
So there is not so much to say.