35 points per question ****************************************************** question #1: processes ****************************************************** Key features/benefits of process abstraction: - isolation by VM - virtualized resources: CPU, memory, I/O Important even for single-user systems? Yes, because applications may be untrustworthy. Scoring: Lack of a clear message on each of these is up to 10 points off. I took off more if there was nonsense in your answer, and less if your answer had other good content in it. E.g., I gave credit for discussion of extended memory, parallelism, isolated kernel, preemptive timeslicing, IPC, fork, etc. Mistakes: - These systems do not necessarily use round robin scheduling. The scheduler may use other criteria. - There is no distinction between user processes and kernel processes. Any given process typically runs in user mode and kernel mode at different times: these are process states. ****************************************************** question #2: traps ****************************************************** What causes a trap? - intentional execution of a trap instruction - purpose is a system call - may be in a wrapper What happens on a trap? - Transition to kernel mode - Transitions to kernel stack - Begin execution at kernel trap handler - Trap handler examines registers and other state, where the user program has left system call code, arguments, etc. - Handler provides system call service which may involve manipulating OS-level state, blocking, initiating I/O, manipulating VM translations, etc. What special privileges does a trap handler have? This was a question about kernel mode. - Privileged instructions - Access to privileged registers (e.g., address space) - Access to all of machine memory - Access to I/O devices - Context switch, address space switch, VM manipulation, etc. Of course, the kernel could be running in a virtual machine, in which case it only has these privileges on its virtual machine, but not on the underlying physical machine. Scoring: up to 10 points off for failing to be clear about most of the subpoints in each of the three subquestions, depending on the other content of the answer. It was OK to leave something out, as long as you gave me most of what I was looking for. For part 1, I wanted to hear about syscalls, but I did not mark off for discussion of other exceptions, e.g., faults and interrupts, unless you failed to discuss system calls at all. Mistakes: - A system call trap is caused by a machine instruction that exists specifically for that purpose. It is a machine feature, not exclusively an OS feature. Some referred to it as a "command" but that is a bit loose. - A system call wrapper procedure is useful to allow a high-level language program to execute a system call, but the wrapper itself has no special privilege. ****************************************************** Question #3 (a) Key features: rings. (b) Problems: hardware TLB, and instructions that fail silently. (c) How different? The machine support for virtualization is fundamentally the same as for a kernel-based OS, "only more so". What is needed in both cases is an exception mechanism that allows the supervisor/hypervisor to interpose on "significant" events, by transitioning to a more protected mode within sufficient state in the registers for the *visor to figure out how to service or emulate the event. For virtualization, the machine has to be able to do this for any machine instruction that attempts to access privileged machine state. And for each event, it should be possible to select which of privileged modes must handle the event, e.g., the hypervisor must mediate the delivery of interrupts to the VMs. Scoring: 5-10 points off for leaving something important out, depending on the overall quality of the rest of the answer. Mistakes: - Traps and faults always pertain to whatever VM is hosted on the processor at the time it occurs (since they are synchronous). It is easy to find which VM/process to "deliver it to". Interrupts are a bit trickier. ****************************************************** Question #4 Primary issue here is that PTE manipulations require validation by Xen, or writes to the PTE must fault into hypervisor (in later versions). So PTE manipulations are more expensive. Fork is page-table intensive because it must clone the entire address space, i.e., set up complete new page tables for a new process. Exec is expensive because it must overwrite a large portion of the page table to map in the new data from a file. Mistakes: - fork/exec don't copy memory or process state - Xens have pages to work with...don't need to request a memory page from the hypervisor on each fault-in. ****************************************************** Question #5 How can Harry Hacker intercept your communication with opensecrets.org? DNS lookup could return his own IP address. But would have to gain control of a DNS server (or intercept its traffic and masquerade), and the server must be in the 'chain of custody' for the name translations. That means it must be either my configured primary DNS server, or a root server for the .org domain. He could infiltrate my LAN and masquerade as the gateway router. When I ARP for the IP address of my router, he could respond, but my node would get two responses: one from the real router and one from the impostor. Or he could poison my ARP cache by ARPing me with the IP address of my router....but then the router could see the ARP with the false IP address, and could detect the attack. He could physically take over the LAN. But that requires him to be on the premises. He could attack any router between me and opensecrets.org. If he owns the router (e.g., he has router admin privilege in my domain or opensecret's domain) then he can do it easily. Otherwise, he will have to take over a router closer to the 'core' of the Internet, and he may need to take over multiple routers in order to intercept all of my traffic to opensecrets. Harry's best attack is probably to gain control of my machine and install some spyware or malware. Scoring: 25-30 points for a good answer that hits the big three potential man-in-the-middle attacks: DNS, ARP, IP path. Full credit is reserved for finer distinctions, e.g., between local and root DNS servers, or an ARP attack against a local gateway vs. the server itself, or the difficulty of picking a set of routers to attack. Up to 10 points off for omitting one of the major points of vulnerability, depending on the rest of the content of the answer. Mistakes: - ARP poisoning only works if the attacker is on the same LAN segment. - If the IP address of a destination is not on a subnet configured as reachable to the sender, then it will forward it to a configured gateway router, rather than ARPing for the IP address. However, it does have to ARP the gateway at some point. - One proposed attack was for the attacker to assume the target's IP address! But that would require the attacker to be on my subnet, so it amounts to an ARP attack. Of course, the attacker still needs to communicate with the target at its IP address, and more importantly, the attacker needs a way to intercept traffic from the target to opensecrets.org.