Regn.No:- 10803495
Section:- J1801
Contents
1. Introduction.
8. Conclusion
INTRODUCTION
In computing, a system call is how a program requests a service from an operating
system's kernel that it does not normally have permission to run. System calls provide
the interface between a process and the operating system. Most operations that interact
with the system, e.g. I/O with a device present on the system or any form of
communication with other processes, require permissions that a user-level process does
not have, and therefore require system calls.
A system call is used by application (user) programs to request a service from the
operating system. The following statements illustrate why system calls are needed. An
operating system can access a system's hardware directly, but a user program is not
given direct access to the hardware. This is done so that the kernel can keep the
system safe and secure from malicious user programs. But often a user program
requires some information from the hardware (e.g., from a web camera, to show you
the picture) and cannot get that information directly. So it requests the operating
system to supply the information. This request is made by using the appropriate
system call.
A system call executes in kernel mode. Every system call has a number associated
with it. This number is passed to the kernel, and that is how the kernel knows which
system call was made. When a user program issues a system call, it is actually calling
a library routine. The library routine issues a trap to the Linux operating system by
executing the INT 0x80 assembly instruction. It also passes the system call number to the
kernel in the EAX register. The arguments of the system call are also passed to the
kernel in other registers (EBX, ECX, etc.). The kernel executes the system call and
returns the result to the user program in a register. If the system call needs to
supply the user program with a large amount of data, it uses another mechanism
(e.g., the copy_to_user call).
Introduction
System call interception enables many McAfee Entercept proactive server protection
capabilities. This paper addresses the following questions:
In order to protect the core of the operating system from damage by errant or
malicious programs, modern operating systems separate code executed by users from
code executed by the operating system itself. To achieve this, modern processors
include a mode bit that specifies whether the processor is executing kernel-mode code
or user-mode code. If the mode bit is set (i.e., user-mode code is executing), the
processor hardware prevents all access to the kernel memory space. If a user-mode
program attempts to access anything in the kernel memory space, the processor
generates an illegal access exception. Thus, no user-mode program can access kernel
memory directly.
User-mode programs need to utilize the functionality provided by the kernel in order
to access disk drives, network connections, and shared memory. Since the processor
prevents direct access to kernel-mode functions, user-mode programs must use system
calls, which form the only permitted interface between user mode and kernel mode.
System calls expose all kernel functionality that user-mode programs require. System
calls, such as “fopen,” which opens a file, are implemented inside the OS using a
system call table. The system call table relates each system call to a specific function
address within the OS kernel.
Conceptually, the structure of a system call table is as follows:

    System Call    Kernel Function Address
    fopen          0x0000A1F2*
    unlink         0x00003F16*
    rmdir          0x00009C57*
The following C-language program illustrates how system calls are used:

    #include <stdio.h>

    int main(void)
    {
        FILE *handle;
        /* ask the operating system to open the file for writing */
        handle = fopen("explorer.exe", "w");
        if (handle != NULL)
            fclose(handle);
        return 0;
    }
When the above C-language program is executed, the processor encounters the
“fopen” instruction, looks up “fopen” in the system call table, and transfers control to
the kernel-mode function at 0x0000A1F2.
Each system call has an entry in the system call table, which in turn points to the
corresponding function in the OS kernel.
How Does System Call Interception Work?
McAfee Entercept adjusts the entries in the system call table, pointing them at its
kernel-mode driver. This makes the above system call table look like this.
As shown in Figure 3, McAfee Entercept does not modify the kernel. It simply inserts
itself into the command execution chain. Several commercial products, including most
anti-virus products, use system call interception for various purposes. McAfee Entercept
applies this well-understood technique to protecting servers from intrusions and misuse.
Rule 1—The Web server can only access Web files and Web-server resources. All other
accesses will be blocked.
The following case examples illustrate how McAfee Entercept enforces this behavioral rule:
Case 1—The Web-server process attempts to access the Web file “index.html.” McAfee
Entercept intercepts the call to open the file and determines the following:
With the above information, McAfee Entercept determines that this call involves the Web
server running under the proper user authority and accessing a Web file. Since this
matches Rule 1 above, McAfee Entercept allows the call.
Since “credit_cards.mdb” is not a Web file, this violates Rule 1. McAfee Entercept blocks the
call to open the file, and the exploit is prevented. Another McAfee Entercept behavioral rule,
the converse of Rule 1, is:
Rule 2—Only the Web server can access Web files and Web-server resources. Any other
process or user that attempts to access Web files and/or resources will be blocked.
The following example illustrates how McAfee Entercept enforces this behavioral rule:
Case 3—An attacker obtains the administrator’s account password to the Web server, using
social engineering. He or she then logs in to the server as the administrator, opens the
company’s homepage in Notepad and attempts to modify it. McAfee Entercept intercepts the
call to modify the file “company_homepage.html” and determines the following:
• Process making the call: notepad.exe.
Since “company_homepage.html” is a Web file, but the process and user accessing it are not
the Web-server process and user, McAfee Entercept blocks the call to open the file, and the
defacement is prevented.
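As an added example (not code from the paper or from McAfee Entercept), the following C program models both halves of the page: a system call table indexed by the call number, a trap that returns 0 or a negative errno in place of the EAX register, the library routine that maps that result to -1 plus errno, and a hook that replaces the open entry to enforce Rule 1 and Rule 2 against Cases 1 to 3. The call numbers, the process and user names “httpd.exe”/“websvc”, and the “.html” test for Web files are assumptions; only the open entry is hooked.

```c
/* Added example (not the paper's or McAfee's code): a user-space model of a
 * system call table, number-in-a-register dispatch, and the interception hook
 * described above. Names, paths, numbers and rules are constructed for illustration. */
#include <errno.h>
#include <string.h>
enum { NR_OPEN = 5, NR_UNLINK = 10, NR_MAX = 16 };      /* constructed call numbers */
struct call { const char *process; const char *user; const char *path; }; /* trap arguments */
typedef int (*kfunc_t)(const struct call *);

static int kernel_open(const struct call *c)   { (void)c; return 0; }   /* original kernel entries */
static int kernel_unlink(const struct call *c) { (void)c; return 0; }
static kfunc_t syscall_table[NR_MAX] = { [NR_OPEN] = kernel_open, [NR_UNLINK] = kernel_unlink };
static kfunc_t saved_open;   /* original open entry, kept so the hook can forward the call */
static int is_web_file(const char *p)          { return strstr(p, ".html") != NULL; }
static int is_web_server(const struct call *c) { return !strcmp(c->process, "httpd.exe") && !strcmp(c->user, "websvc"); }

/* Interceptor that replaces the open entry: Rule 1 (the Web server may touch
 * only Web files) and Rule 2 (only the Web server may touch Web files). */
static int hooked_open(const struct call *c)
{
    int web_proc = is_web_server(c), web_file = is_web_file(c->path);
    if (web_proc && !web_file) return -EACCES;   /* Rule 1: credit_cards.mdb is blocked */
    if (web_file && !web_proc) return -EACCES;   /* Rule 2: notepad.exe on the homepage is blocked */
    return saved_open(c);                        /* Case 1: allowed, forwarded to the kernel */
}

void install_hook(void)   /* point the table entry at the driver, as Entercept does */
{
    if (syscall_table[NR_OPEN] == hooked_open) return;   /* already installed */
    saved_open = syscall_table[NR_OPEN];
    syscall_table[NR_OPEN] = hooked_open;
}

/* The trap: the number selects the table entry and the result comes back as
 * 0 or a negative errno, which is what the kernel returns in EAX. */
int trap(int nr, const char *process, const char *user, const char *path)
{
    struct call c = { process, user, path };
    if (nr < 0 || nr >= NR_MAX || syscall_table[nr] == NULL) return -ENOSYS;
    return syscall_table[nr](&c);
}
/* The library routine a program actually calls: it issues the trap and maps a
 * negative result to the C convention of -1 plus errno. */
int lib_open(const char *process, const char *user, const char *path)
{
    int r = trap(NR_OPEN, process, user, path);
    if (r < 0) { errno = -r; return -1; }
    return r;
}
```

Before install_hook() runs, the open of “credit_cards.mdb” by the Web server succeeds, which is the unprotected behaviour the paper's Case 2 describes; the unlink entry is deliberately left unhooked to show that an interceptor only sees the calls whose entries it replaced.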