Fundamentals of Information Security system design 11th week 20135218 Jing Mengxin


Chapter 8. Exceptional Control Flow

Control flow: the sequence of control transfers.

Control transfer: the transition from one instruction to the next. For example, the transition from k to k+1 is called a control transfer.

Exceptional control flow (ECF): a modern operating system reacts to changes in system state by making abrupt changes in the control flow; these abrupt changes are called exceptional control flow.

Smooth flow: successive instructions are adjacent in memory.

Abrupt change: successive instructions are not adjacent, usually because of an instruction such as a jump, call, or return.

8.1 Exceptions

An exception is a form of ECF that is implemented partly by the hardware and partly by the operating system. It is the ECF that sits at the boundary between the hardware and the operating system.

At the hardware level, the state of the system is really the state of the processor, which is encoded in various bits and signals (register bits). A change in processor state (for example, in one bit) is called an event.

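How an exception is handled:

1. The processor detects that an exception has occurred.

2. It makes an indirect procedure call through the exception table to reach the exception handler.

3. After handling completes, one of three things happens: (1) control returns to the current instruction; (2) control returns to the next instruction; (3) the program is aborted.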

Categories of exceptions

The categories of exceptions are interrupts, traps, faults, and aborts.

1 Interrupts: interrupts are asynchronous, meaning that a hardware interrupt is not caused by any instruction but by an event in an external I/O device.

  Interrupt handlers deal with asynchronous exceptions, which are generated by events in I/O devices external to the processor. Synchronous exceptions are the direct result of executing an instruction.

2 Traps and system calls: system calls are wrapped in functions that are implemented internally with the int n instruction.

3 The most important use of traps is to provide system calls. System calls run in kernel mode and can access the stack in the kernel.

  The most important use of traps is to provide a procedure-like interface between user programs and the kernel, known as a system call.

4 System call arguments are passed in general-purpose registers rather than on the stack: %eax holds the system call number, and %ebx, %ecx, %edx, %esi, %edi, %ebp hold up to six arguments. %esp cannot be used because it is overwritten on entry to kernel mode.

5 Faults

6 A classic example of a fault is a page fault: an instruction references a virtual address whose corresponding physical page is not in memory, so the page must be retrieved from disk when the fault occurs.

7 Aborts

8 An abort is the result of an unrecoverable fatal error, usually a hardware error such as a parity error that occurs when DRAM or SRAM bits are corrupted. The abort handler never returns control to the application. The handler returns control to an abort routine, which terminates the application.

Each type of exception in the system is assigned a unique nonnegative integer exception number. Some of these numbers are assigned by the processor designers: divide by zero, page faults, memory access violations, breakpoints, arithmetic overflow.

Others are assigned by the operating system kernel designers: system calls and signals from external I/O devices.

We refer to system calls and the wrapper functions associated with them as system-level functions.

8.2 Processes

Exceptions are the basic building blocks that allow the operating system to provide the notion of a process.

Process (operating system layer): logical control flow, private address space, multitasking, concurrency, parallelism, context, context switching, scheduling.

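The key abstractions that a process provides to the application:

An independent logical control flow, which provides the illusion that our program has exclusive use of the processor.

A private address space, which provides the illusion that our program has exclusive use of the memory system.

The context is a set of state; a process is the actual instruction-by-instruction execution of code under that context. A process comprises both the context and the execution.

A sequence of PC values is called a logical control flow.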

Concurrent flows:

1 Concurrent flows: a logical flow whose execution overlaps in time with another flow is called a concurrent flow.

2 Concurrency: the general phenomenon of multiple flows executing concurrently is called concurrency.

3 Multitasking: concurrency among multiple processes is called multitasking.

4 Parallel: concurrent flows that run on different CPUs or computers are called parallel flows.

The notion of a process taking turns with other processes is called multitasking.

On x86 Linux, the top of the address space is reserved for the kernel: code, data, and stack.

The operating system kernel implements multitasking using a higher-level form of exceptional control flow known as a context switch.

Context switching is built on top of the four kinds of exceptions described earlier. The kernel maintains a context for each process; the context is the state the kernel needs to restart a preempted process.

At some point during the execution of a process, the kernel can decide to preempt the current process and restart a previously preempted process. This decision is called scheduling and is handled by kernel code called the scheduler.

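Context switch:

Save the context of the current process. Restore the saved context of some previously preempted process. Pass control to the newly restored process.

8.3 System Call Errors
1: When UNIX system-level functions encounter an error, they typically return -1 and set the global integer variable errno to indicate what went wrong.
2: By using error-handling wrapper functions, we can simplify our code even further. For a given base function foo, we define a wrapper function Foo with the same arguments but with the first letter capitalized. The wrapper calls the base function, checks for errors, and terminates if there are any problems.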
8.4 Process Control

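A process is always in one of the following three states:

Running: the process is executing on the CPU, or is waiting to execute and will eventually be scheduled by the kernel.

Stopped: the process is suspended (that is, preempted by another process) and will not be scheduled, but it can be woken by a signal.

Terminated: the process is stopped permanently because it received a terminating signal, returned from the main routine, or called the exit function.

A process terminates for one of three reasons: it receives a signal whose default action is to terminate the process; it returns from the main routine; or it calls the exit function.

Process control covers:

Getting process IDs

Creating and terminating processes

Reaping child processes

Putting processes to sleep

Loading and running programs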

Reaping child processes:

1 Reaping: when a process terminates, the kernel does not remove it from the system immediately. Instead, the process is kept in a terminated state until it is reaped by its parent process.

2 Zombie process: a process that has terminated but has not yet been reaped is called a zombie process.

3 Two ways to reap child processes: (1) the kernel's init process; (2) the parent process, using the waitpid function.

4 The waitpid function is somewhat complex. By default (when options=0), waitpid suspends execution of the calling process until a child process in its wait set terminates.

Putting processes to sleep:

1 The sleep function suspends a process for a specified period of time.

2 If the requested amount of time has elapsed, sleep returns 0; otherwise it returns the number of seconds left to sleep. The latter case is possible if the sleep function returns prematurely because it was interrupted by a signal. Signals are discussed in detail in Section 8.5.

3 The pause function puts the calling function to sleep until the process receives a signal.

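Three parameters of the fork function: pid, status, options.

The wait function is equivalent to waitpid(-1, &status, 0).

The execve function loads and runs a new program in the context of the current process. fork is called once and returns twice; execve is called once and never returns.

The difference between the fork function and the execve function:
The fork function runs the same program in a new child process, and the new child is a duplicate of the parent. The execve function loads and runs a new program in the context of the current process. It overwrites the address space of the current process but does not create a new process. The new program still has the same PID, and it inherits all of the file descriptors that were open when execve was called.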
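The fork/execve contrast above, written in the wrapper style of 8.3, as an added example that is not part of the original notes. The child replaces itself with /bin/sh and reports its PID ($$) through an inherited pipe descriptor, and the parent checks it against the PID that fork returned. The name exec_keeps_pid and the use of /bin/sh are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Error-handling wrapper: same arguments as fork, first letter capitalized. */
static pid_t Fork(void) {
    pid_t pid = fork();
    if (pid < 0) { perror("fork"); exit(1); }
    return pid;
}

/* Returns 1 if the program started by execve runs under the PID that fork
 * returned to the parent and exits with status 0; returns 0 otherwise. */
int exec_keeps_pid(void) {
    int fds[2], status;
    char buf[32] = {0};
    if (pipe(fds) < 0) { perror("pipe"); exit(1); }

    pid_t pid = Fork();
    if (pid == 0) {                          /* child: fork returned 0 */
        char *argv[] = {"sh", "-c", "echo $$", NULL};
        char *envp[] = {NULL};
        close(fds[0]);
        if (fds[1] != STDOUT_FILENO) {       /* make the pipe the child's stdout */
            dup2(fds[1], STDOUT_FILENO);
            close(fds[1]);
        }
        execve("/bin/sh", argv, envp);       /* open descriptors are inherited */
        _exit(127);                          /* reached only if execve failed */
    }

    close(fds[1]);                           /* parent: fork returned child PID */
    ssize_t n = read(fds[0], buf, sizeof buf - 1);
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0) {      /* reap the child: no zombie left */
        perror("waitpid");
        exit(1);
    }
    return n > 0 && atol(buf) == (long)pid
        && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
```

Because every open descriptor crosses execve by default, descriptors the new program should not see need to be closed or marked close-on-exec before the call.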
8.5 Signals

The underlying hardware exception is handled by the kernel exception handler,

Sending a signal: the kernel notifies the destination process of a signal by updating some state in the context of the destination process.

Receiving a signal: a destination process receives a signal when it is forced by the kernel to react in some way to the delivery of the signal.

Ways to send a signal: the /bin/kill program, sending signals from the keyboard, the kill function, and the alarm function.

Receiving a signal:

1. Ignore it. 2. Terminate. 3. Run a signal handler to catch the signal.

Each signal type has a predefined default action:

(1) The process terminates

(2) The process terminates and dumps core

(3) The process stops until it is restarted by a SIGCONT signal

(4) The process ignores the signal

Signal handling issues:

Pending signals are blocked. UNIX signal handlers typically block pending signals of the type currently being processed by the handler.

Pending signals are not queued. There can be at most one pending signal of any particular type. Thus, if two signals of type k are sent to a destination process while signal k is blocked because the destination process is currently executing a handler for signal k, then the second signal is simply discarded; it does not wait in a queue.

System calls can be interrupted. System calls such as read, wait, and accept that can potentially block a process for a long time are called slow system calls. On some systems, when a handler catches a signal, the interrupted slow system call does not resume when the signal handler returns, but instead returns immediately to the user with an error condition and errno set to EINTR.

Three different ways to handle a signal:

    • Perform the default action

    • Ignore the signal

    • Catch the signal: run a signal handler function, switching to user mode.

Catching: the signal function.
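An added example (not from the original notes) of the non-queued pending signals described above: several children exit while SIGCHLD is blocked, a single pending SIGCHLD is delivered, and the handler therefore loops over waitpid to reap every zombie. The names on_sigchld and reap_coalesced are hypothetical; sigaction with SA_RESTART is used here so that interrupted slow system calls are restarted rather than failing with EINTR.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

static volatile sig_atomic_t handler_runs, reaped;

/* One SIGCHLD can stand for several exited children, so keep reaping
 * until waitpid reports that no terminated child is left. */
static void on_sigchld(int sig) {
    int saved_errno = errno;              /* waitpid may overwrite errno */
    (void)sig;
    handler_runs++;
    while (waitpid(-1, NULL, WNOHANG) > 0)
        reaped++;
    errno = saved_errno;
}

/* Lets n children exit while SIGCHLD is blocked, then unblocks it.
 * Returns the number reaped; *runs receives the handler invocation count. */
int reap_coalesced(int n, int *runs) {
    struct sigaction sa, old_sa;
    sigset_t block;
    pid_t pids[16];
    siginfo_t info;

    if (n < 1 || n > 16) return -1;
    handler_runs = reaped = 0;
    sa.sa_handler = on_sigchld;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;             /* restart slow calls, no EINTR */
    sigaction(SIGCHLD, &sa, &old_sa);

    sigemptyset(&block);
    sigaddset(&block, SIGCHLD);
    sigprocmask(SIG_BLOCK, &block, NULL);
    for (int i = 0; i < n; i++) {
        if ((pids[i] = fork()) < 0) exit(1);
        if (pids[i] == 0) _exit(0);       /* child terminates at once */
    }
    for (int i = 0; i < n; i++)           /* wait for each zombie, unreaped */
        waitid(P_PID, (id_t)pids[i], &info, WEXITED | WNOWAIT);
    sigprocmask(SIG_UNBLOCK, &block, NULL);   /* the one pending SIGCHLD runs */

    sigaction(SIGCHLD, &old_sa, NULL);
    *runs = handler_runs;
    return reaped;
}
```

A handler that called waitpid once per invocation would reap one child here and leave the rest as zombies.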

8.6 Non-local jump

The C language provides a form of user-level exceptional control flow called a nonlocal jump, provided through the setjmp and longjmp functions.

The setjmp function is called only once but returns multiple times: once when setjmp is first called and the calling environment is stored in the buffer env, and once for each corresponding longjmp call.

The longjmp function, on the other hand, is called only once but never returns.
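An added example (not from the original notes) of a nonlocal jump used for error recovery: a recursive bracket checker abandons a deep call chain with longjmp and resumes at the setjmp in validate. The names group and validate, the ERR_ codes and MAX_DEPTH are hypothetical.

```c
#include <setjmp.h>

enum { ERR_UNBALANCED = 1, ERR_TOO_DEEP = 2 };
#define MAX_DEPTH 8

static jmp_buf env;                 /* calling environment saved by setjmp */

/* Consume one "(...)" group starting at p. On error, jump straight back to
 * validate() without returning through the intermediate callers. */
static const char *group(const char *p, int depth) {
    if (depth > MAX_DEPTH)
        longjmp(env, ERR_TOO_DEEP);         /* never returns */
    p++;                                    /* skip '(' */
    while (*p == '(')
        p = group(p, depth + 1);
    if (*p != ')')
        longjmp(env, ERR_UNBALANCED);
    return p + 1;
}

/* Returns 0 if s is a sequence of balanced groups, otherwise an ERR_ code. */
int validate(const char *s) {
    switch (setjmp(env)) {
    case 0:                                 /* first return: direct call */
        break;
    case ERR_UNBALANCED:                    /* later returns: via longjmp */
        return ERR_UNBALANCED;
    default:
        return ERR_TOO_DEEP;
    }
    while (*s == '(')
        s = group(s, 1);
    if (*s != '\0')
        longjmp(env, ERR_UNBALANCED);
    return 0;
}
```

longjmp skips every intermediate return, so cleanup code in the skipped frames (free, close, unlock) does not run; resources acquired between setjmp and longjmp have to be released at the landing site.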

8.7 Tools for manipulating processes
    • strace: prints a trace of each system call invoked by a running program and its child processes.
    • ps: lists the processes currently in the system (including zombie processes).
    • top: prints information about the resource usage of current processes.
    • pmap: displays the memory map of a process.
    • /proc: a virtual filesystem that exports the contents of numerous kernel data structures in ASCII text form. For example, a user program can run "cat /proc/loadavg" to observe the load average on a Linux system.

 
References

Chapter 8 of the textbook, from the PDF version of "In-Depth Understanding of Computer Systems".
