In the next series of articles, we conduct extensive research on the Linux operating system. We examine its architecture, strengths, vulnerabilities, and optimal ways to mitigate threats to the system. Linux’s two modes – User and Kernel – are analyzed to give an in-depth look at their advantages and weaknesses. We later discuss Linux defense mechanisms against attacks, and which mitigation methods can prevent them.
What is Linux?
Just like Windows, iOS, and Mac OS, Linux is an operating system. In addition to providing a powerful development environment to users, it is an open-source operating system that can be changed as desired, which is one of the biggest differences that distinguishes it from others.
The Linux operating system is a structure in itself, and this structure consists of several parts.
We can consider it a part that makes the necessary pre-loads for the computer to boot, it does its job when the computer boots up, and then retreats to its corner. For end users, we can say that it is the “Welcome” screen they see during the startup of the computer.
In fact, this is the most important part of the “Linux” concept that everyone knows. The kernel is the brain of the operating system and is the part of the computer where all large-scale operations that take place inside are managed. This is exactly what we will discuss in this research. We will try to fully understand the kernel and moreover learn ways to manipulate it.
After completing the bootloader task, everything is not over. Many more apps and tasks that need to be prepared and launched are still waiting for something to trigger them. This is where the Init System part comes in. Among the most well-known is systemd, and this part, which works to make the computer stable and ready for use, is just one of the components.
This is exactly the part that users interact with. There are many desktop environments such as GNOME, Cinnamon, Mate, Pantheon, Enlightenment, KDE, Xfce. Each of them comes with particular applications installed in it.
As we mentioned above, every desktop environment comes with particular basic applications in itself. However, the applications that each user needs or wants to have on their computer may differ. At this point, the applications that users choose and install in line with their needs become a part of this huge structure that we call Linux operating system.
Linux Components, Architecture and Hierarchy
So far, we learned about Linux and its components in general. Let’s look at the main area we focus on, the kernel, and other components with connections. In this section, where we address issues such as Hardware, Kernel, System Libraries, respectively, and discuss the life cycle and hierarchy of an application running on a Linux system.
We can count all the electronic components in the computer in the hardware class, of course, the parts that are later included in the computer can also be counted in this class. In general, we can say that it is the whole of all the parts that the Kernel communicates and uses. Devices, such as CPU, RAM, and HDD, are all in this class and need an OS to interact with the user. Drivers help us with this, but at this point, we should mention that not every hardware component needs a driver to work. CPU and RAM can be an example of this, although the hardware class member that can work without the need for a driver is limited, it is an important detail to be aware of.
Each organ in the human body has its own specific tasks and abilities. They all form a very complex whole in perfect harmony. But some parts are vital for this perfect order to work. They must exist and cannot be dispensed with. Now you can guess the part that fits this description for the computer, right? From the fact that the electronic parts we mentioned in the hardware section work in perfect harmony and are managed according to the needs and wishes of the user, this is the basic part where the logical flow, operation, and decision mechanisms of a whole computer are loaded. The Linux Kernel is a huge chunk of code written entirely in C. It is basically like a “Hello World” program with C on your computer. It is a code, nothing different. Yet, when we consider the authority with its complexity and tasks, it is much more gigantic and has a stronger authority than other codes running on your computer.
Kernel takes over tasks such as Memory Management, Process Management, File Systems, Device Control, and Networking on a computer. It takes them as a whole and communicates with the related Hardware equipment by using the necessary Drivers. At this point, not only the drivers but also the modules that can be found in the Kernel and even added later should be looked at. In fact, the components we call Modules are pieces of code that run in the kernel. We will also understand how and where these modules work with the different Kernel types that different Operating Systems have, which we will talk about shortly. It can basically be counted as a kernel module in Device drivers. The difference between Driver and module is as following: Drivers are programs/applications that work in the kernel and have the task of communicating with hardware components, while Modules are programs that run in the kernel, but do not have a special task such as communicating with any hardware component. You can even write and load modules where you can just print something like “Hello World From Kernel” in the kernel. This is the main difference between kernel modules and kernel drivers.
Specific resources and CPU commands/registers on the computer are only under Kernel access.
- hlt instruction => it shuts CPU computation
- In and out instructions for interacting with hardware peripherals.
- Special Registers
- cr3 (Control Register 3), which controls the page table used to translate virtual addresses to physical addresses. Accessed using mov instruction.
- MSR_LSTAR (Model-Specific Register, Long Syscall Target Address Register), which defines where syscall instruction jumps to. Accessed using wrmsr and rdmsr.
So how does the CPU understand which code belongs to the kernel or with what authority it will work?
In computer science, hierarchical protection domains, often called protection rings, are mechanisms to protect data and functionality from faults (by improving fault tolerance) and malicious behavior (by providing computer security).
These rings, named Ring 3, Ring 2, Ring 1, and Ring 0 respectively, are used to determine the place where the code runs. And each code may have defined permissions or restrictions depending on where it belongs, let’s take a closer look at these rings.
This part of the ring, also called Userspace, has the lowest authority. Most applications running on the computer work in this area. They do not have direct access to computer resources without permission.
Generally Unused, but sometimes are used for drivers or libraries, depending on the OS
Generally Unused, but sometimes are used for drivers or libraries, depending on the OS.
As we mentioned at the beginning, Linux Kernel is a stack of code written entirely in C. Here, we have come to the exact place where these codes work. Ring 0, in other words, supervisor mode, is the part where everything is accessed with full authority on the computer. Any code running here can access an entire computer and perform all the operations it was designed to. There is no limitation. Kernel works in this area, and it can control everything on the computer. It can perform all its duties without any authority restrictions. However, it should be noted that a code running on Ring 0 must be faultless because any error that may occur here can result in damage to the entire computer.
With the development of modern processors, new solutions are also developed for virtualization technologies. One of them is Ring -1, which we call Hypervisor mode, with this mode, a guest operating system can run Ring 0 operations natively without affecting other guests or the host OS.
Another issue that we should mention in this section is that each OS has a different kernel architecture. Let us examine each different kernel architecture.
In a monolithic kernel, there is a single, unified kernel binary that handles all OS-Level tasks, and every driver in a monolithic kernel is loaded directly into the kernel. In other words, the kernel is a whole with its driver and many modules, and all of them work with full authority in Ring 0. Our examples for this architecture are Linux and FreeBSD.
In micro kernel, there is a tiny “main” binary that provides communication with the hardware and userspace. In this architecture, drivers are not part of the kernel. Like applications running on userspace, they work with low authority and limited permissions. At the end of the day, there are only “REAL” kernel codes that have full authority. Examples of this architecture are seL4 and Minux.
The Life Cycle and Hierarchy
Every piece of code running on the Linux operating system has a lifecycle and privileges. As we mentioned in the topics we have covered so far, a Kernel or a simple application is the code that runs on the computer. However, they differ from each other in terms of their complexity, authority, and duties. Sometimes the codes, which run in the Linux operating system on usermode, need to get help from the hardware to perform specific tasks. If the kernel wants to do something, it can do it easily because it has no privilege restrictions. But the same thing will work for an application running on the userland. Due to security measures, applications running on this userland may ask the kernel to do some things for them. The importance of titles such as Process Management and Memory Management, which are among the tasks of the Kernel we have discussed, is understood here. Maybe thousands of different processes running on the computer communicate with the kernel for different things at the same time. When they have insufficient authority to do what they want to do, the Kernel is the place to apply. With this huge task load, the kernel responds to requests by making the necessary evaluations
So, what are the concepts such as Usermode and Kernelmode, which were discussed here?
Moreover, how does an application running in Usermode communicate with the Kernel?
We will examine the answers to these questions in our next article and cover both User mode and Kernel mode.
Maintain awareness regarding unknown threats to your products, technologies, and enterprise networks. Organizations that are willing to take the next step in proactively securing their flagship product or environment can leverage our zero-day vulnerability research offering. Our subscription-based capability provides your organization with immediate access to zero-day vulnerabilities affecting products and software. Learn More →