Lecture 2 Scribe Notes

By Meng Zhang, Diana Angwar

 

Goals:

•      Protection

•      Robustness

•      Utilization

•      Performance

•      Flexibility

•      Simplicity

 

Example Problem:

• tar cf archive.tar /home

[Here 'cf' creates the archive; 'archive.tar' is on drive no. 2 and contains sensitive data; '/home' is on drive no. 1; tar runs as root]

            If the attacker wants to get the protected private file /home/victim/private/loveletter.txt,

            what the attacker can do is:

•      Create a directory d: /home/attacker/d

•      Then:             rm d

•      ln -s ../victim/private d

            The tar image will then contain:

            /home/attacker/d/loveletter.txt

• We can restore from an archive:

            tar xf archive.tar

            [where 'xf' extracts from the archive]

 

In Virtual Memory:

 

 

 

 

 

ln -s /home/victim/loveletter foo

 

 

 

Dependence on Race Condition:

1.     Tar looks at file

2.     Acts based on type

The attacker needs to act between steps 1 and 2.
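One way to close the gap between "look" and "act", as an added example that is not from the lecture and goes beyond it by showing a mitigation: each path component is opened with `openat` and `O_NOFOLLOW`, and its type is read with `fstat` on that same descriptor. `open_component` and `demo` are hypothetical names, and the tree is constructed in a temp directory in the state left by the swap above.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open one path component relative to an already-open
 * directory, refusing symlinks, then read its type with fstat() on the
 * descriptor just opened, so "look" and "act" refer to the same object. */
int open_component(int dirfd, const char *name, struct stat *st)
{
    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;                      /* a symlink fails here */
    if (fstat(fd, st) != 0) { close(fd); return -1; }
    return fd;
}

/* Constructed tree in a temp dir, in the state after the swap from the notes
 * (attacker/d is a symlink to ../victim/private). Returns a bit mask:
 * 1 = a path-based open reached the private file,
 * 2 = the descriptor-based walk reached it. */
int demo(void)
{
    char root[] = "/tmp/tar-race-XXXXXX";
    struct stat st;
    int result = 0, fd;
    if (!mkdtemp(root) || chdir(root) != 0) return -1;
    mkdir("victim", 0700); mkdir("victim/private", 0700); mkdir("attacker", 0755);
    fd = open("victim/private/loveletter.txt", O_CREAT | O_WRONLY, 0600);
    if (fd < 0 || symlink("../victim/private", "attacker/d") != 0) return -1;
    close(fd);
    fd = open("attacker/d/loveletter.txt", O_RDONLY);   /* follows the link */
    if (fd >= 0) { result |= 1; close(fd); }

    int a = open_component(AT_FDCWD, "attacker", &st);  /* real directory */
    int d = a >= 0 ? open_component(a, "d", &st) : -1;  /* symlink: refused */
    int f = d >= 0 ? open_component(d, "loveletter.txt", &st) : -1;
    if (f >= 0) { result |= 2; close(f); }
    if (d >= 0) close(d);
    if (a >= 0) close(a);
    unlink("attacker/d"); unlink("victim/private/loveletter.txt");
    rmdir("attacker"); rmdir("victim/private"); rmdir("victim");
    if (chdir("/") == 0) rmdir(root);
    return result;
}

int main(void) { printf("mask = %d\n", demo()); return 0; }
```

A mask of 1 means only the path-based open reached the private file; an archiver that walks by descriptor stops at `d` no matter when the directory was replaced.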

 

Simple application for paranoid grant proposals:

•      Word count program

•      Standalone desktop x86

•      UI

1.     Turn on the power

2.     Answer (number of words in proposal) is displayed on the screen

Input: ASCII text, terminated by a null byte

Word = [A-Z, a-z]+

Disk 100GB ATA 300


 

 

 

 

Bootstrapping:

[We need to write a program to get the word count program off the disk and into main memory]

Problem: How do you get started?

Originally: key in machine instructions using toggles on the front panel


(BIOS: can't change it, but it needs to be safe)

 

 

BIOS ---- OS-Independent

On power-on:

1.     Hardware checks

2.     Looks for devices

3.     Finds one that looks bootable and boots it.

 

MBR – Master Boot Record

 

The MBR is typically operating-system agnostic. It loads the Volume Boot Record (VBR) from the start of the first bootable partition.

 

Chain loading: BIOS -> MBR -> VBR -> kernel of OS

In Linux          : BIOS -> MBR -> VBR -> GRUB -> Kernel

 

Disk Layout:

[Figure: disk from 0 to 100GB as one partition; regions labelled MBR, VBR, WC Program, 1 File; offset label 0x1000000]

Memory Layout:

[Figure: memory up to 1GB; regions labelled MBR, VBR, WC program, BIOS; address labels 0x7000, 0x10000, 0x100000]

 

Programmed I/O:

            Disk Controller registers

            inb insn (copies a byte from a disk controller register to the CPU)

            inb: in byte.

            insn: instruction.

 

To read sector i:

            Wait until the controller is ready (0x1F7)

            Store the number of sectors into 0x1F2

            Store the sector offset into 0x1F3 – 0x1F6            (2^32 sectors × 2^9 bytes/sector = 2^41 bytes = 2TB)

            Store the READ command into 0x1F7

            Wait for ready

            Get the result into the CPU, then store it into RAM

 

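// inb, outb and insl are x86 port I/O helpers (in/out instructions), defined elsewhere
void read_ide_sector(int s, char buf[512]) {
    while ((inb(0x1F7) & 0xC0) != 0x40)   // wait until the controller is ready
        continue;
    outb(0x1F2, 1);                       // number of sectors to read: 1
    outb(0x1F3, s & 0xFF);                // initialize the sector offset, low byte first
    outb(0x1F4, (s >> 8) & 0xFF);
    outb(0x1F5, (s >> 16) & 0xFF);
    outb(0x1F6, (s >> 24) & 0xFF);
    outb(0x1F7, 0x20);                    // send READ command
    while ((inb(0x1F7) & 0xC0) != 0x40)   // wait for the controller to be ready again
        continue;
    insl(0x1F0, buf, 128);                // copy 128 4-byte words (512 bytes) into buf
}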

 

 

 

 

 

 

VBR (or MBR):

for (int i = 1; i < 20; i++)
    read_ide_sector(i, (char *) (0x10000 + (i - 1) * 512));

((void (*)(void)) 0x10000)();   // go to 0x10000

 

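#include <ctype.h>      // isalpha
#include <stdbool.h>    // bool

int main(void) {
    int nwords = 0;
    bool inword = false;
    int s = 1000000000 / 512;       // rounding down to nearest sector
    for (;; s++) {                  // advance to the next sector on each pass
        char buf[512];
        read_ide_sector(s, buf);
        for (int j = 0; j < 512; j++) {
            if (!buf[j]) {          // null byte terminates the input
                nwords += inword;   // count a word that ends at the terminator
                write(nwords);      // display the answer
                return 0;
            }
            // cast to unsigned char because isalpha only works on non-negative values
            bool thisalpha = isalpha((unsigned char) buf[j]);
            nwords += inword & ~thisalpha;  // a word ends when a letter is followed by a non-letter
            inword = thisalpha;
        }
    }
}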

 

In order to implement write(), certain addresses map directly to the display.

                                    0xB8000

 

Memory-Mapped Display

 

                       

What is the catch? What can go wrong?

            An I/O error when trying to write of the OS because it has a bad system, and if there is a null byte in it then it will fall off.