Windows Kernel Internals II Overview University of Tokyo

University of Tokyo – July 2004
Dave Probert, Ph.D.
Advanced Operating Systems Group
Windows Core Operating Systems Division
Microsoft Corporation
© Microsoft Corporation 2004

Contributors
Neill Clift, Adrian Marinescu, Eric Li, Nar Ganapathy, Jake Oshins, Eric Traut, Dragos Sambotin, Arun Kishan, Brad Abrams, Brian Andrew, Ben Leis, Dan Lovinger

Course Overview
• Four projects
– Writing kernel extensions for Windows
– OS subsystems
– NTFS investigation using C#
– Monad (future)
• Lecture topics
– Overview, kernel extensions, I/O drivers, WDF
– Object manager, LPC, Processes & Threads
– x86, Virtual PC, Advanced File Systems
– Longhorn, Monad, WinFX

Windows Overview
• Current source base is Windows NT
– Foundation for NT 4, Win2K, WinXP, WS03, Longhorn
– API is still Win32 – compatible with Win9x
– .NET Framework pushing out Win32 for Longhorn
• Most applications written in VB or VC++ today
– Future is managed applications – marrying VB productivity with C++/Java richness => C#
• Hot issues
– Trustworthy Computing
– Enable new computing experiences
– Create new business opportunities

Security Issues
• Lots of legacy code now hooked to the internet
• Most code written to work correctly under normal conditions
• Security design issues are subtle, particularly w.r.t. DoS
• Constantly evolving threats: stack-buffer overruns, heap overruns, format string overruns, one-byte overruns, integer overflows
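The last bullet names integer overflows alongside heap overruns because the two are usually one bug: an arithmetic wrap while computing an allocation size produces a buffer far smaller than the data later copied into it. The following user-mode C model is an added example for this page, not code from the course or from the Windows source; `record_request`, `naive_buffer_size`, `checked_buffer_size` and `copy_records` are constructed names. It places the wrapping computation next to the checked one so the difference in how each handles an untrusted count is visible.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical request header as a program might receive it from an
   untrusted peer. Constructed for this example. */
struct record_request {
    uint32_t count;      /* number of records the sender claims to send */
    uint32_t elem_size;  /* size of each record */
};

/* Vulnerable pattern: the product is computed in 32-bit arithmetic and
   wraps, so a huge count yields a tiny allocation and the copy that
   follows overruns the heap block. */
uint32_t naive_buffer_size(const struct record_request *req)
{
    return req->count * req->elem_size;   /* wraps modulo 2^32 */
}

/* Hardened pattern: refuse the request unless count * elem_size fits
   in the type used for the allocation. */
bool checked_buffer_size(const struct record_request *req, uint32_t *out)
{
    if (req->elem_size == 0 || req->count == 0)
        return false;                     /* nothing sensible to allocate */
    if (req->count > UINT32_MAX / req->elem_size)
        return false;                     /* product would wrap */
    *out = req->count * req->elem_size;
    return true;
}

/* Allocates and fills a buffer only when the size check passes and the
   payload actually supplied matches the validated size. Returns the
   buffer (caller frees) or NULL on any validation failure. */
unsigned char *copy_records(const struct record_request *req,
                            const unsigned char *payload, size_t payload_len)
{
    uint32_t size;
    if (!checked_buffer_size(req, &size))
        return NULL;
    if (payload_len != size)
        return NULL;                      /* claimed size and data disagree */
    unsigned char *buf = malloc(size);
    if (buf == NULL)
        return NULL;
    memcpy(buf, payload, size);
    return buf;
}
```

The division-based check (`count > UINT32_MAX / elem_size`) is the portable way to detect the wrap without relying on wider integer types; the length comparison in `copy_records` closes the second half of the bug, where a validated size is later paired with data of a different length.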

Reliability Issues
– Reboots required to do just about anything
– Huge base of third party code, esp. drivers
– Hangs are hard to track and debug
– Patch management is tough
– Windows extension points poorly defined
• Apps break other apps
• Installation not idempotent
• Uninstall doesn’t return system to pre-install state
– Compatibility issues every time OS changes
• Apps test out the bugs in a particular OS environment
• Apps hardcode OS version information
– Windows management particularly hard
• Can’t answer: what is the difference between 2 systems
• Registry is too opaque and heavily abused
• GUI-based management doesn’t scale

Customer Experience
• Establish tighter feedback loops
– WATSON – capture data on app crashes and hangs
– OCA – capture data on BSODs
– Windows Update and SUS – simplify patching of systems
– Enterprise tools – for deployment, event log analysis, helpdesk
• Use collected data to
– prioritize fixes
– work with 3rd parties
– analyze common usage patterns
– improve future products
• Feedback loops pioneered by Office

Windows Architecture (layered diagram; component labels recovered from the figure)
• User-mode: Applications, Subsystem servers, DLLs, System Services, Kernel32, Critical services, Login/GINA, User32 / GDI, ntdll / run-time library
• Kernel-mode: Trap interface / LPC, Security refmon, IO Manager (File filters, File systems, Volume mgrs, Device stacks), Virtual memory, Procs & threads, FS run-time, Scheduler, Cache mgr, exec synchr, Win32 GUI
• Kernel-mode foundation: Object Manager / Configuration Management, Kernel run-time / Hardware Adaptation Layer

Windows Kernel Organization
• Kernel-mode organized into
– NTOS (kernel-mode services): run-time library, scheduling, executive services, object manager, services for I/O, memory, processes, …
– HAL (hardware-adaptation layer): insulates NTOS & drivers from hardware dependencies; provides facilities such as device access, timers, interrupt servicing, clocks, spinlocks
– Drivers – kernel extensions (primarily for device access)

Major Kernel Services
• Process management – process/thread creation
• Security reference monitor – access checks, token management
• Memory manager – page faults, virtual address, physical frame, and pagefile management; services for sharing, copy-on-write, mapped files, GC support, large apps
• Lightweight Procedure Call (LPC) – native transport for RPC and user-mode system services
• I/O manager (& plug-and-play & power) – maps user requests into IRP requests, configures/manages I/O devices, implements services for drivers
• Cache manager – provides file-based caching for buffered file system I/O; built over the memory manager
• Scheduler (aka ‘kernel’) – schedules thread execution on each processor

CPU Scheduling & IRQLs
• Thread scheduling occurs at PASSIVE or APC level (IRQL < 2)
• APCs (Asynchronous Procedure Calls) deliver I/O completions, thread/process termination, etc. (IRQL == 1)
– Not a general mechanism like Unix signals (user-mode code must explicitly block for pending APCs to be delivered)
• Interrupt Service Routines run at IRQL > 2
– ISRs defer most processing to run at IRQL == 2 (DISPATCH level)
• A pool of worker threads is available for kernel components to run in a normal thread context when a user-mode thread is unavailable or inappropriate
• Normal thread scheduling is round-robin among priority levels, with priority adjustments (except for fixed-priority real-time threads)
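The IRQL rules on this slide are easiest to see as a deferral discipline: raising never delivers anything, and lowering drains whatever the new level unmasks, from the highest level down. The single-processor model below is an added example written for this page in user-mode C; it is not Windows kernel code, and `cpu_model`, `raise_irql`, `lower_irql`, `device_interrupt` and `can_wait` are constructed names (the numeric IRQL values are the x86 ones the slide uses). It shows an ISR at device level queuing a DPC, the DPC running at DISPATCH when IRQL drops below 2, the scheduler becoming eligible at the same point, and the resulting APC being delivered only once IRQL reaches PASSIVE.

```c
#include <stdbool.h>

/* IRQL values as on x86 Windows: PASSIVE (0), APC (1), DISPATCH (2),
   device interrupt levels above 2. */
enum irql { PASSIVE_LEVEL = 0, APC_LEVEL = 1, DISPATCH_LEVEL = 2, DEVICE_LEVEL = 3 };

/* One processor's state. Constructed for this example, not a kernel structure. */
struct cpu_model {
    int irql;
    int pending_dpcs;     /* work an ISR deferred to DISPATCH level */
    int pending_apcs;     /* I/O completions waiting for APC level */
    int dpcs_run;
    int apcs_run;
    int scheduler_runs;   /* how often the scheduler got a chance to run */
};

void cpu_init(struct cpu_model *c)
{
    *c = (struct cpu_model){0};
}

/* Raising masks more; it never delivers anything. Asking to "raise" to a
   lower level is a caller bug, so the model rejects it instead of lowering. */
bool raise_irql(struct cpu_model *c, int new_irql, int *old_irql)
{
    if (new_irql < c->irql)
        return false;
    *old_irql = c->irql;
    c->irql = new_irql;
    return true;
}

/* Lowering unmasks, highest level first: DPCs at DISPATCH, then the
   scheduler (below DISPATCH), then APCs at APC level. */
bool lower_irql(struct cpu_model *c, int new_irql)
{
    if (new_irql > c->irql)
        return false;                         /* "lowering" upward is a bug */
    if (new_irql < DISPATCH_LEVEL && c->pending_dpcs > 0) {
        c->irql = DISPATCH_LEVEL;             /* DPC routines run at IRQL 2 */
        c->dpcs_run += c->pending_dpcs;
        c->pending_apcs += c->pending_dpcs;   /* each completion queues an APC */
        c->pending_dpcs = 0;
    }
    if (new_irql < DISPATCH_LEVEL)
        c->scheduler_runs++;                  /* thread scheduling possible at IRQL < 2 */
    if (new_irql < APC_LEVEL && c->pending_apcs > 0) {
        c->irql = APC_LEVEL;                  /* APCs are delivered at IRQL 1 */
        c->apcs_run += c->pending_apcs;
        c->pending_apcs = 0;
    }
    c->irql = new_irql;
    return true;
}

/* A device interrupt: the ISR runs above DISPATCH, does the minimum and
   defers the rest to a DPC, as the slide describes. */
void device_interrupt(struct cpu_model *c)
{
    int saved;
    raise_irql(c, DEVICE_LEVEL, &saved);
    c->pending_dpcs++;
    lower_irql(c, saved);
}

/* Blocking on a dispatcher object is only legal below DISPATCH level;
   a driver that waits at IRQL 2 would stall the processor. */
bool can_wait(const struct cpu_model *c)
{
    return c->irql < DISPATCH_LEVEL;
}
```

The interesting case is an interrupt that arrives while the processor is already at DISPATCH level: the DPC stays queued until the running code lowers IRQL, which is why a long-running DPC delays both other DPCs and the scheduler on that processor.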

Process/Thread structure (diagram; labels recovered from the figure)
• A Process Object owns the process’ Handle Table, whose entries reference Object Manager objects such as Files, Events, Devices and Drivers (any handle table resolves through the Object Manager)
• The Process Object also owns the Virtual Address Descriptors and a list of Thread objects

Process
• Container for an address space and threads
• Associated user-mode Process Environment Block (PEB)
• Primary Access Token
• Quota, Debug port, Handle Table, etc.
• Unique process ID
• Queued to the Job, global process list and Session list
• MM structures like the Working Set, VAD tree, AWE, etc.

Thread
• Fundamental schedulable entity in the system
• Represented by ETHREAD that includes a KTHREAD
• Queued to the process (both ETHREAD and KTHREAD)
• IRP list
• Impersonation Access Token
• Unique thread ID
• Associated user-mode Thread Environment Block (TEB)
• User-mode stack
• Kernel-mode stack
• Processor Control Block (in KTHREAD) for CPU state when not running
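The Major Kernel Services slide lists the security reference monitor's job as access checks and token management, and the two slides above show where tokens live: a primary token on the process and an optional impersonation token on the thread. The C model below is an added example written for this page, not Windows source and not the course's code; `token`, `dacl`, `access_check`, `effective_token` and `thread_access_check` are constructed names, and the right and SID values are constructed integers rather than the real Windows constants. It implements the ordering rule a Windows access check follows over a DACL (a matching deny ACE that covers any still-wanted right fails the check; allow ACEs accumulate rights; an empty DACL grants nothing while an absent DACL grants everything) and selects the thread's impersonation token over the process's primary token when one is present.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Access rights as a bit mask (constructed values). */
enum { RIGHT_READ = 0x1, RIGHT_WRITE = 0x2, RIGHT_DELETE = 0x4 };

/* SIDs are modelled as small integers. */
typedef int model_sid;

/* What a process (primary) or thread (impersonation) token carries. */
struct token {
    model_sid user;
    model_sid groups[4];
    int ngroups;
};

enum ace_type { ACE_ALLOW, ACE_DENY };
struct ace { enum ace_type type; model_sid sid; uint32_t mask; };

/* present == false models a NULL DACL, which protects nothing. */
struct dacl { const struct ace *aces; int count; bool present; };

struct process_model { struct token primary; };
struct thread_model {
    const struct process_model *process;
    const struct token *impersonation;   /* NULL when not impersonating */
};

static bool token_holds(const struct token *t, model_sid sid)
{
    if (t->user == sid)
        return true;
    for (int i = 0; i < t->ngroups; i++)
        if (t->groups[i] == sid)
            return true;
    return false;
}

/* Walk the DACL in order. Deny ACEs are decisive for any right not yet
   granted; allow ACEs subtract from the outstanding set; success only when
   nothing outstanding remains. Rights nobody granted are denied by default. */
bool access_check(const struct token *t, const struct dacl *d, uint32_t desired)
{
    if (!d->present)
        return true;                          /* no DACL: everyone gets everything */
    uint32_t remaining = desired;
    for (int i = 0; i < d->count && remaining != 0; i++) {
        const struct ace *a = &d->aces[i];
        if (!token_holds(t, a->sid))
            continue;
        if (a->type == ACE_DENY && (a->mask & remaining))
            return false;
        if (a->type == ACE_ALLOW)
            remaining &= ~a->mask;
    }
    return remaining == 0;
}

/* The reference monitor checks against the thread's impersonation token
   when it has one, otherwise against the process's primary token. */
const struct token *effective_token(const struct thread_model *th)
{
    return th->impersonation ? th->impersonation : &th->process->primary;
}

bool thread_access_check(const struct thread_model *th, const struct dacl *d,
                         uint32_t desired)
{
    return access_check(effective_token(th), d, desired);
}
```

Because evaluation stops at the first decisive deny, the order of ACEs matters: a deny ACE placed after an allow ACE for the same right is never reached by a token that the allow ACE already satisfied, which is why DACL editors put deny ACEs first.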

Significant Windows Releases
• Windows NT 3.1
• Windows 95
• Windows 98/98se/ME
• Windows NT 4
• Windows 2000 (enterprise)
• Windows XP (consumer)
• Windows Server 2003
• Windows XP/SP2
• “Longhorn”

Longhorn: codename for next major release
– Most kernel improvements are clean-up, scalability, URT support, fundamentals
– Big bets:
• WinFX – managed replacement for Win32
• WinFS – new unified information model
• Avalon – new GUI programming model
• Indigo – new messaging infrastructure for services
• Media – improve audio/video streaming
• Management, reliability, security