Data Execution Prevention (DEP)

DEP is a security feature included in modern Microsoft Windows OS that is intended to prevent an application or service from executing code from a non-executable memory region.

It is a system-level memory protection feature that is built into OS starting with Windows XP and Windows Server 2003.

DEP enables the system to mark one or more pages of memory as non-executable. Marking memory regions as non-executable means that code cannot be run from that region of memory, which makes it harder for the exploitation of buffer overruns (buffer overflow). It is a set of hardware and software technologies that perform additional checks on memory to help protect against malicious code exploits.

• This level of pagin has been introduced with AMD64 (the ability to indicate that code should not be executed from a page or a set of pages by setting NX bit = 1; this is 63rd bit in 64-bit entry in the page table)
• This feature is enabled if NO execute bit in Enable Feature Extended Register (EFER.NXE) and the PAE in CR4 are set, regardless of operating mode (this is because x86's original 32-bit page table format obviously has no bit 63)

Modes of Enforcement

1. Hardware Enforcement: Achieving this DEP using NX bit (bit number 63) of a 64-bit Page Translation Entry. It marks all memory locations in a process as non-executable unless the location explicitly contains executable code. There is a class of attacks that attempt to insert and execute code from non-executable memory locations. DEP helps prevent these attacks by intercepting them and raising an exception.
2. Software Enforcement: System software (kernel) can mark pages used for program stacks and data sections as non-executable.

Processor-corresponding features

1. AMD: Enhanced Virus Protection (EVP in AMD64)
2. Intel: Execute Disable (XD in EM64T)

Page State

Any page in VAS (PAS) of a process can be in one of the three states.

1. Committed: A page state of a page which is mapped to a page frame in physical memory (or to a page-sized entry in a file on disk)
2. Reserved: A page state of a page which been set aside for future use so that it cannot be re-used for any other purpose within the process, but has no associated physical page storage
3. Free: A page state of a page which is available to be reserved

Copy-On-Write

Copy-On-Write (COW)

1. optimization strategy used in computer systems
2. Idea is that if multiple callers ask for resources, they can all be given pointers to the same resource. Now, all "callers" (processes) will be in assumption that "I m holding this X resource; and I can do whatever I want". But, when this "caller" tries to modify its so - called "My resource X", a true private copy is created actually, to prevent the changes becoming visible to other "callers".
3. Hence, the primary advandage is that if a caller never makes any modifications, *NO PRIVATE COPY IS CREATED*.

In Virtual Memory:

• COW finds its main-use in virtual memory OS; when a process creates a copy of itself (fork), the pages in memory that might be modified by either the process or its copy, are marked "Copy-On-Write".
• When one process modifies the memory, the OS kernel intercepts the operation and copies the memory so that changes in one process's memory are not visible to other

COW and MMU

• COW can be implemented by telling MMU that certain pages in the process's address space are read only.
• When data is written to these pages, MMU raises an exception which is handled by kernel, which allocates new space in physical memory and makes the page being written to correspond to that new location in physical memory

Basics of Memory Management

Memory Manager:

Implements virtual memory, provides a core set of services such as memory mapped files, copy-on-write memory, large memory support and underlying support for the cache manager.

(For details on Copy-on-Write http://spot-myblog.blogspot.com/2009/07/copy-on-write.html)

Each process on a 32-bit Windows OS has a virtual address space (PAS) of 4GB (It is 8TB for a process in 64-bit Windows). Threads cannot access memory that belongs to another process, which protects a process from being corrupted by another process.

VAS (PAS):

• VAS for a process is the set of virtual memory addresses that it can use. The address space of a process P1, cannot be accessed by other process(es) P2, *unless it is shared*.
• This PAS does not represent the actual physical location in memory; instead the system maintains a Page Table for each process (an internal data structure used to translate VA to PA). Each time a thread references an address, the system translates the VA to PA.
• VAS for 32-bit (Windows) process is divided into two partitions; one for process itself and the other for kernel. Default partition will be 2GB:2GB (0x00000000 - 0x7FFFFFFF: 0x80000000 - 0xFFFFFFFF). If 4GT (4GB Tuning) is enabled, then it will be 3GB:1GB (0x00000000 - 0xBFFFFFFF: 0xC0000000 - 0xFFFFFFFF).
• After 4GT, the process that has IMAGE_FILE_LARGE_ADDRESS_AWARE flag set in its image header will have access to the additional 1GB of memory above the low 2GB.

IMPORTANT NOTE:

We can adjust the VAS of 32-bit process, using the following command, which sets a boot entry option that configures the size of the partition that is available for use by the process to a value between 2048 MB (2GB) and 3072 MB(3GB).

BCDEdit /set increaseuserva <XYZ Megabytes>

after which, partition would be like (0x00000000 - XYZ: XYZ+1 - 0xFFFFFFFF).

Working Set:

• The subset of VAS of a process that resides in physical memory is known as "Working Set"
• If the thread of a process attemt to use more physical memory than is currently available, the kernel, "pages" (swaps) some of the memory contents to disk (the total amount of VAS available to a process is limited by physical memory and the free space on disk available for the paging file)
• Physical storage and the VAS of each process are organized into "pages", units of memory, whose size depends on the host computer (usually 4 KB for x86 computers - Use GetSystemInfo API to get the page size)
• When a thread needs space in RAM, the kernel moves the "least recently used" pages in RAM to paging file in disk.
• When a thread references a page that is not a part of Working Set (means not present in main memory, a "page fault"(called Page Exception) occurs, on which Kernel's Page Fault Handler attempts to resolve the page fault (by "Demand Paging") and if it succeeds, the page is added to the working set.
• Hard Page Fault: Occurs when the demanded page is not on Main Memory
• Soft Page Fault: Occurs when the demanded page is on Main memory but in the working set of some other process or if it is demanded for the first time (called "Demand-Zero" fault)
• Process can reduce or empty its working set by calling "SetProcessWorkingSetSize" or "EmptyWorkingSet" functions

PS: The details on the page state at http://spot-myblog.blogspot.com/2009/07/page-state.html

DLL - Programming basics

Points to be noted:

1. __declspec() : Declares the following class or function to be exported/imported (mainly). For example, __declspec(dllexport) void func() {} implies, func() is exported for applications use
2. Wondering, when my app could not able to get the handle of exported APIs when the .h file of DLL had the definitions. When i moved the definitions to .cpp file of DLL project, my app could get the handle successfully
3. If using visual studio, you can use "Pre-Build Event" (under Build Events) to copy the DLL to the app folder
4. When using LoadLibrary call, due to UNICODE probs, the dll may not get loaded. Hence use _T casting like hHandle = LoadLibrary( _T ( "mydll.dll" ) );
5. To check the "sections" contained in the DLL, open the Visual Studio command prompt (not the normal windows prompt) and go to the directory which has the dll file, and type dumpbin /exports mydll.dll

===============================

DLL CODE

===============================

/*

* This is .h file of a DLL

*/

#include <windows.h>

/* If we try to export all the APIs to the app by preceding each API with __declspec(dllexport)

* then the corresponding API will always be exported even when app does not require it.

* For this very reason, DLL developer tries to export it from his project, where as the

* app developer, will try to import it in his code. */

#if defined EXPORT_DIR

#define DECLAPI __declspec( dllexport )

#else

#define DECLAPI __declspec( dllimport )

#endif

/* Tell the compiler that its OK to use these APIs in either C or C++ */

extern "C"

{

DECLAPI int addition( int a, int b );

DECLAPI int multiply( int a, int b );

}

/*

* This is .cpp file of DLL project

*/

#include "mydll.h"

/* [Important]: Define this macro to try to export the APIs (even though not catched by apps) */

#define EXPORT_DIR

extern "C"

{

DECLAPI int addition ( int a, int b ) { return a + b; }

DECLAPI int multiply ( int a, int b ) { return a * b; }

}

================================

APP Code

================================

/*

* This is the application which uses the DLLs

*/

#include <iostream>

#include <windows.h>

typedef int ( *Addition ) ( int, int );

typedef int ( *Multiply ) ( int, int );

int main()

{

HINSTANCE hInstance;

Addition additionPtr;

Multiply multiplyPtr;

hInstance = LoadLibrary( _T ( "mydll.dll" ) );

if( hInstance )

{

additionPtr = ( Addition ) GetProcAddress ( hInstance, "addition" );

multiplyPtr = ( Multiply ) GetProcAddress ( hInstance, "multiply" );

if( additionPtr )

printf( "DLL addition called and sum: %d.\n", additionPtr( 10, 5 ) );

if( multiplyPtr )

printf( "DLL multiply called and sum: %d.\n", multiplyPtr( 10, 5 ) );

FreeLibrary( hInstance );

}

else

{

printf( "Failed to load mydll.dll!!!!..\n" );

}

return 0;

}

BIOS Boot Sequence - A Closer Look

1. Internal power supply turns on, initializes and then takes few moments to generate reliable power for rest of the system. If power received is not within expectd parameters (by chipset and subsequently processor), then the chipset will generate a reset signal to the processor in the same fashion as you were to touch the reset button. This will continue until motherboard receives "Power Good" signal from power supply
2. Since processor has no idea on what to do next as there is nothing to execute in memory, it has been designed to look at the same place in the system, the BIOS ROM, for the small bit of startup code to begin the boot process (CS = 0xFFFF and EIP = zero => 0xFFFF0). Since there are 16 bytes (total is FFFFF), this location contains just a "jump" instruction telling the processor where to go to find the real BIOS startup program (see the diagram).
3. BIOS then performs POST (Power-On Self Test). If there are any fatal errors, the boot process stops. If the POST is successful, the BIOS calls INT 19 (Interrupt 19) and then proceeds to look for devices attached to the motherboard
4. BIOS enables the video: The BIOS code begins searching by looking for a video card, and video card's built in BIOS program (normally at 0xC000 in memory) and if found, it runs it.
5. Once video is enabled, the BIOS begins searching for other devices that may have their own ROM and whether ROM has its own BIOS code. Normally, the floppy driver is located at 0000:7c00 and the IDE/ATA HDD BIOS will be found at C8000h. If any of these is found, their codes are executed. If during this INT 19 process, any other device BIOS's are found, they are executed as well
6. BIOS displays its startup screen, which provides some key information about the BIOS as well as other system information
7. BIOS then performs some kind of inventory of the hardware installed in the system and then communicates or interrogates it to ensure that the hardware is functioning (at this stage, BIOS will populate BIOS table, can be ACPI table, if the system is ACPI compliant. This table can be used by several purposes including power management, by the OS applications)
8. During the final phase of POST and BIOS boot process, the BIOS will display a summary screen with your systems' configuration.
9. NOW, BIOS finishes what it needs to do, it begins searching for a drive to boot an OS. If its searching a hard disk, it looks for a MBR at cylinder 0, head 0 and sector 1, the first sector on the disk. If its searching for Floppy disk, it looks at the same address on the floppy disk for a volume boot sector
10. Once the boot sector is found, BIOS starts the process of booting OS by using the info in boot sector. If its floppy, the boot sector is also read into memory at 0000:7C00 and then MBR program itself jumps to memory location 0000:7c00 (NOTE: Each OS has its own boot sector format. The next step involves the small program in the boot sector locating the first part of OS's kernel loader proram or in some cases the kernel itself or perhaps a boot manager program, and read then that into memory. In windows, this kernel loader referred to as NTLDR.
11. If no boot device of any type can be found, the system will display an error message and stop.

NOTE: This entire process is called as "cold boot" (since the machine was off, or cold, when it started). A "warm boot" also known as "soft boot" is the same thing except it occurs when the machine is rebooted using Ctrl+Alt+Del keys. In this case, POST is skipped and boot process continues at roughly step 8 above. As a side note, INT19 is also called when the CTRL+ALT+DEL keys are used.

MBR and its necessary

1. When you turn on your PC, the processor does not really have anything to execute or even know where to look for it. To ensure that the PC will always boot regardless of BIOS, bot chip and BIOS manufractures developed their code so that the processor, once turned on, always starts executing at the same place, FFFF0h. This magical address is called "reset vector"

(NOTE: Similarly, every hard disk must have a consistent "starting point" where the key information is stored about the disk, such as number of partitions and their types. There also must be someplace where the BIOS can load the initial boot program that starts the process of loading the OS and this place is called Master Boot Record - MBR, also referred to as Master Boot Sector - MBS or even just Boot Sector - BS)

2. MBR is always located at cylinder 0, head 0 and sector 1, the first sector on the disk (512 bytes). When a computer starts and the BIOS boots the machine, it will always look at this first sector for instructions and information on how to proceed with the boot process and load the OS.

3. MBR contains following structures

• Master Partition Table (MPT): Small bit of code that is referred to as a table contains a complete description of the partitions that are contained on the HDD. (Alas!!.. when the developers designed the size of this MPT, they left juz enuf room for description of 4 partitions, and hence the four partition [four physical partitions] limit. Any additional partions must be logical partitions that are linked to (or are part of) one of the primary partitions.) One of these partitions is marked as active, indicating that it is the one that the computer should used to continue the boot process
• Master Boot Code (MBC): MBC is a small bit of computer code that the BIOS loads and executes to start the boot process. This code, when fully executed transfers control to boot program stored in boot (active) partition to load the operating system (NOTE: MBC is the first program executed when you turn on your PC, and is often the target of a virus)

4. BIOS however, does not care about any of this: it simply loads the contents of the MBR into memory location 0x7c00 and jumps to that location to start executing whatever code is in the MBR.

Traditionally, Microsoft MBR code takes a look at the partition table, finds the (only) partition marked as active, loads the boot sector for that partition, and runs that code. This boot sector is the first sector of a partition, as opposed to the first sector for the whole disk. If something is wrong with the partition table, you would get messages like "Invalid Partition Table" or "Missing Operating System". This message does not come from BIOS but rather from MBR code loaded from disk.

Linux boot loaders LiLo and GRUB (GRand Uniform Boot) loader can handle a wide variety of OSs, file systems and boot configurations. Their MBR code does not necessarily follow the "boot the active partition" approach described above. But functionally the process goes like this:

1. MBR itself contains the first stage of boot loader. GRUB calls this stage 1.

2. Due to its tiny size, the code in MBR does just enuf to load another sector from disk that contains additional bootstrap code. This sector might be the boot sector for a partition, but could also be a sector that was hard-coded into the MBR code when the MBR was installed.

3. MBR code plus code loaded in step 2, then read a file containing the second stage of the boot loader. In GRUB, this is GRUB Stage 2, and in Windows Server, this is C:\NTLDR. If step 2 fails in windows, you 'd get message like "NTLDR is missing". This stage 2 code then reads a boot configuration file (eg., grub.conf in GRUB, boot.ini in windows). It then presents boot choices to the user or simply goes ahead in a single-boot system.

4. At this point, the boot loader code needs to fire up a kernel. It must know enuf about file systems to read the kernel from the boot partition. In Linux, this means reading a file like "vmlinuz-2.6.22-14-server" containing the kernel, loading the file into memory and jumping to the kernel bootstrap code. In Windows Server 2003, some of the kernel start-up code is separte from the kernel image itself and is actually embedded into NTLDR. After performing several initializations, NTLDR loads the kernel image from file C:\Windows\System32\ntoskrnl.exe, just as GRUB does, jumps to kernel entry point.

What is IPMI basic working "algorithm"?

Block Diagram of IPMI

What is IPMI?

1. What is "Platform Management"?

• Monitoring and control functions that are built in to the platform hardware and primarily used for the purpose of monitoring the health of the system hardware (includes monitoring elements such as System Temperatures, voltages, fans, power supplies, bus errors, system physical security etc)
• Inventory, monitoring, logging and recovery functions

2. What is "Intelligent Platform Management (IPM)"?

• The above functions available independent of the main processors, BIOS and OS.
• Also available when the system is in powered down state.

3. What is "Intelligent Platform Management Interface (IPMI)"?

• Hardware level interface specification providing "above" functions, that can be exposed thro' standard management software interfaces such as DMI, WMI, CIM, SNMP etc (see fig below)