name may be corrupted, it may point to memory outside the application's
region, it may start inside the application's memory region but extend
beyond it, the application may not have permission to access the file, and
so forth. If an error is detected, the kernel returns to the user program
with an error; otherwise the kernel performs the operation on behalf of
the application.
Copy before check. In most cases, the kernel copies system call parameters into kernel memory before performing the necessary checks. The difficulty arises if the application can modify the user memory holding a system call parameter (such as a file name) after the check is performed but before the parameter is used in the actual implementation of the routine. Checking the parameter in place and then using it from user memory leaves exactly that window; copying it into kernel memory first closes the window, because both the check and the use then operate on the kernel's private copy. This is called a "Time of Check vs. Time of Use", or TOCTOU, attack. This is not a new attack; the first occurrence dates from the mid-1960's. While it might seem that a process necessarily stops whenever it does a system call, this can be misleading. For example, if one process shares a memory region with another process, then the two processes working together can launch the TOCTOU attack. Similarly, on a multiprocessor, one processor can launch the TOCTOU attack while the other processor traps into the kernel with the system call.
Definition: TOCTOU attack
Copy back any results. If the system call reads data into a buffer in
user memory, the stub needs to copy the data from the kernel buffer into
user memory so that the program can access it. Again, the kernel must
first check the user address and convert it to a kernel address before use.
Putting this together, the kernel stub for the system call "open" is given in Figure 2.14.
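The following C program is an added example; it is not the book's Figure 2.14 and not code from the original text. It models the open stub's two orderings on a constructed toy address space: a check-then-use stub that validates the file name where it sits in user memory, and a copy-then-check stub that first copies it into a kernel buffer. A function hook stands in for the second process (via shared memory) or second processor from the paragraph above, rewriting the name between the check and the use. It also exercises the address checks from the start of this section (a pointer outside the application's region, and a name that starts inside the region but runs past its end). The address layout, the /home/alice/ permission policy, the error codes and the file names are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an address space for this example: user addresses
 * [USER_BASE, USER_BASE + USER_SIZE) are backed by user_memory[]; every other
 * address is outside the application's region. The layout is assumed, not x86. */
#define USER_BASE     0x1000UL
#define USER_SIZE     0x1000UL
#define NAME_MAX_LEN  64
#define NAME_ADDR     (USER_BASE + 0x100)   /* where the app keeps its file name */

static char user_memory[USER_SIZE];
static char scratch[NAME_MAX_LEN];          /* kernel-side buffer receiving the opened name */

enum { OPEN_OK = 0, OPEN_EFAULT = -1, OPEN_EACCES = -2, OPEN_ENAMETOOLONG = -3 };

/* Hypothetical permission policy for open(): paths under /home/alice/ only. */
static bool path_allowed(const char *path) { return strncmp(path, "/home/alice/", 12) == 0; }

/* The address check from the text: the range must start and end inside the user region. */
static bool user_range_ok(unsigned long addr, size_t len)
{
    return addr >= USER_BASE && len <= USER_SIZE && addr - USER_BASE <= USER_SIZE - len;
}
static char *user_ptr(unsigned long addr) { return &user_memory[addr - USER_BASE]; }

/* Stands in for a second process (shared memory) or processor that runs while this one is in the kernel. */
typedef void (*race_hook_t)(void);
static void attacker_swaps_name(void) { strcpy(user_ptr(NAME_ADDR), "/etc/shadow"); }
static void app_sets_benign_name(void) { strcpy(user_ptr(NAME_ADDR), "/home/alice/notes.txt"); }

/* VULNERABLE: check the name where it sits in user memory, then use it from there. */
int sys_open_check_then_use(unsigned long uname, race_hook_t between, char *opened, size_t opened_len)
{
    if (!user_range_ok(uname, 1)) return OPEN_EFAULT;
    size_t avail = USER_SIZE - (uname - USER_BASE);          /* bytes left in the user region */
    size_t limit = avail < NAME_MAX_LEN ? avail : NAME_MAX_LEN;
    const char *name = user_ptr(uname);                      /* still points into user memory */
    if (memchr(name, '\0', limit) == NULL)                   /* the string must end inside the region */
        return avail < NAME_MAX_LEN ? OPEN_EFAULT : OPEN_ENAMETOOLONG;
    if (!path_allowed(name)) return OPEN_EACCES;             /* time of check */
    if (between) between();                                  /* the attacker's window */
    snprintf(opened, opened_len, "%s", name);                /* time of use: re-reads user memory */
    return OPEN_OK;
}

/* copy_from_user analogue: bounded byte copy into a kernel buffer with the same
 * range check; fails if the string runs off the user region or past the buffer. */
static int copy_name_from_user(unsigned long uname, char *kbuf, size_t kbuf_len)
{
    if (!user_range_ok(uname, 1)) return OPEN_EFAULT;
    size_t avail = USER_SIZE - (uname - USER_BASE);
    size_t limit = avail < kbuf_len ? avail : kbuf_len;
    const char *src = user_ptr(uname);
    for (size_t i = 0; i < limit; i++) {
        kbuf[i] = src[i];
        if (kbuf[i] == '\0') return OPEN_OK;
    }
    return avail < kbuf_len ? OPEN_EFAULT : OPEN_ENAMETOOLONG;
}

/* FIXED: copy first, then check and use only the kernel's private copy. */
int sys_open_copy_then_check(unsigned long uname, race_hook_t between, char *opened, size_t opened_len)
{
    char kname[NAME_MAX_LEN];
    int rc = copy_name_from_user(uname, kname, sizeof kname);
    if (rc != OPEN_OK) return rc;
    if (!path_allowed(kname)) return OPEN_EACCES;            /* check the kernel copy */
    if (between) between();                                  /* user memory changes; kname does not */
    snprintf(opened, opened_len, "%s", kname);               /* use the kernel copy */
    return OPEN_OK;
}

/* Each stub raced against attacker_swaps_name(); returns the name that actually got opened. */
const char *demo_check_then_use(void)
{
    app_sets_benign_name();
    return sys_open_check_then_use(NAME_ADDR, attacker_swaps_name, scratch, sizeof scratch) == OPEN_OK
           ? scratch : "(refused)";                          /* "/etc/shadow": check bypassed */
}
const char *demo_copy_then_check(void)
{
    app_sets_benign_name();
    return sys_open_copy_then_check(NAME_ADDR, attacker_swaps_name, scratch, sizeof scratch) == OPEN_OK
           ? scratch : "(refused)";                          /* "/home/alice/notes.txt" */
}
/* A name that starts inside the user region but runs off its end without a terminator. */
int demo_name_runs_off_region(void)
{
    unsigned long tail = USER_BASE + USER_SIZE - 8;
    memset(user_ptr(tail), 'A', 8);                          /* no NUL before the region ends */
    return sys_open_copy_then_check(tail, NULL, scratch, sizeof scratch);       /* OPEN_EFAULT */
}

int main(void)
{
    printf("check-then-use  opened: %s\n", demo_check_then_use());
    printf("copy-then-check opened: %s\n", demo_copy_then_check());
    printf("pointer outside region: %d\n", sys_open_copy_then_check(0x10UL, NULL, scratch, sizeof scratch));
    printf("name runs off region:   %d\n", demo_name_runs_off_region());
    return 0;
}
```

The vulnerable stub's permission check passes on the benign name, yet the name it hands to the file system is whatever the hook wrote afterwards; the fixed stub is immune because the hook only touches user memory, never the kernel's copy. The hook is a deterministic stand-in for the concurrent writer; a real attack needs the rewrite to land in the window, which is why the window is closed rather than narrowed.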
When the system call completes, it returns back to the stub which returns
back to the system call handler. At this point, the stub takes steps to pass the
results of the system call back to the user process. In the example, the return
value fits in a register so the stub can return directly; in the case of a file read,
the stub would need to ensure that the data is placed in the buffer pointed to
by the user, that is, in the user program's memory.
In turn, the system call handler pops any saved registers (except %eax) and uses the iret instruction to return back to the user stub immediately after the trap, allowing the user stub to return to the user program.
2.3.5 Starting a new process
So far, we have described how we transfer control from a user-level process to
the kernel on an interrupt, exception, or system call, and how the kernel resumes
execution at user-level when done.
With that context, we can complete the description of how we start running at user-level in the first place. The mechanism is straightforward, if a bit