a runtime environment for online processing of operating
play

A Runtime Environment for Online Processing of Operating System - PowerPoint PPT Presentation

Jan 01, 2023 •680 likes •889 views

A Runtime Environment for Online Processing of Operating System Kernel Events Michael Schbel, Andreas Polze 7th Intl. Workshop on Dynamic Analysis (WODA) 20. July 2009 Chicago, IL OS Kernel Event Tracing 2 Dynamic Analysis Usage

  1. A Runtime Environment for Online Processing of Operating System Kernel Events Michael Schöbel, Andreas Polze 7th Intl. Workshop on Dynamic Analysis (WODA) 20. July 2009 – Chicago, IL

  2. OS Kernel Event Tracing 2 ■ Dynamic Analysis ■ Usage scenarios □ System analysis □ Debugging □ Runtime-state monitoring ■ Problem identification □ Search “bad” patterns in the event stream □ Adapt the system as reaction to “bad” pattern

  3. Advantages of event tracing 3 ■ Detailed information ■ Hints for solution might be available in trace ■ ... under the assumption that □ Meaningful set of events is monitored □ System is usable with activated tracing

  4. Limiting aspects 4 ■ Problem identification □ Experienced administrators □  Pattern description ■ Huge logfiles □ Detailed event information requires space □  Online processing of events ■ Offline/Post-Mortem analysis model □ Activate tracing – deactivate – (reboot?) – analysis □  Execute callbacks / scripts when a pattern is detected

  5. Agenda 5 ■  Pattern description ■  Online processing of events ■  Execute callbacks / scripts when a pattern is detected

  6. Pattern specification 6 ■ Similar to regular expressions □ Sequence [a, b, c] □ Alternative (a | b | c) □ Negation ~a □ Simple events event:name □ Arrays of events event[>4]:name □ Conditions WHERE □ Timeframe WITHIN □ Result data RETURN

  7. Example 7 Import Event Types Rule Name EVENTS “wmkevents.h” Event Pattern RULE nosyscallexit PATTERN { [syscall:a, ~(syscallexit|threadtermination), syscall] } WHERE { [ProcessId], Conditions [ThreadId], a.SyscallNr < 300 } RETURN { a.SyscallNr, Return Values a.TimeStamp }

  8. Join fields in WHERE statement 8 ■ Abbreviated form ... PATTERN { [syscall:a, ~(syscallexit|threadtermination), syscall] } WHERE { [ProcessId], [ThreadId] } ■ ... instead of PATTERN { [syscall:a, ~(syscallexit:b|threadtermination:c), syscall:d] } WHERE { a.ProcessId == b.ProcessId, a.ProcessId == c.ProcessId, a.ProcessId == d.ProcessId, a.ThreadId == b.ThreadId, a.ThreadId == c.ThreadId, a.ThreadId == d.ThreadId }

  9. Compiler 9 ■ Based on C++ version of Coco/R □ Parse event description and pattern definition □ Generate … ◊ Deterministic Finite Automata (DFA) for pattern ◊ Graphical (.dot) representation of DFA (for debugging) ◊ DLL for console printing of rule results ■ Features □ Check WHERE conditions as early as possible □ Save only the required parts of the event information □ Compact binary representation of DFA

  10. Deterministic Finite Automata 10

  11. Agenda 11 ■  Pattern description ■  Online processing of events ■  Execute callbacks / scripts when a pattern is detected

  12. Instrumentation framework 12 ■ Windows Monitoring Kernel □ Static instrumentation □ Based on Windows Research Kernel ◊ Custom build Windows Server 2003 kernel □ Usage similar to KLogger for Linux □ Overhead ~ 1% for 13k events per second □ Compiler parses C header file wmkevents.h ◊ Get available event types ◊ Read event type descriptions

  13. DFA processing model 13 ■ Runtime state (RTS) information □ Representation for single automata run □ Data structure is generated by compiler ◊ Current state ◊ Event field information ◊ Result information □ Evaluate conditions for current state □ Determine valid transition □ Conditions evaluated based on event data and RTS □ Actions copy event data to RTS

  14. Current implementation 14 ■ User-mode application □ Load rule representation □ Read event stream from WMK logfile □ Output: ◊ Result information match #1 { 106 485370171 } ◊ Processing statistics match #2 { 139 1320873480 } match #3 { 139 1350760491 } match #4 { 139 1351041183 }

  15. Agenda 15 ■  Pattern description ■  Online processing of events ■  Execute callbacks / scripts when a pattern is detected

  16. React to detected patterns 16 ■ Application domain □ Reconfiguration ◊ Caching policy ◊ Number of worker threads □  Callback to application specific function ■ System domain □ Reconfiguration ◊ Prevent execution of malware pattern ◊ Adapt thread/process priorities □  Execute script in kernel mode

  17. Execute application specific callback 17 ■ Programming interface for applications □ Control rule lifecycle (load-activate-deactivate-unload) □ Callback ◊ Registered for a specific rule ◊ Implements reaction to detected pattern ◊ Access to rule results ( RETURN values) ◊ Access to execution context information □ Synchronous or asynchronous processing in user mode

  18. Kernel mode scripting 18 ■ Extend rule specification language □ Allow script definition: DO keyword ◊ Access to (named) events and event data fields ◊ Access to execution context information ◊ Runtime environment exposes some kernel functions □ Execute reactions directly in the kernel

  19. Outlook 19 ■ Kernel integration of runtime environment □ Efficient synchronization □ Condition evaluation / transition search ■ Case studies □ Server applications – worker thread management □ Deadlock detection / prevention □ Context-oriented programming

  20. Summary 20 ■  Pattern description □ Regular expressions □ Compiled to Deterministic Finite Automata ■  Online processing of events □ No logfile required ■  Execute callbacks / scripts when a pattern is detected □ OS kernel integrated runtime environment

Recommend

Online Query Processing Exposure to online query processing algorithms and fundamentals A

Online Query Processing Exposure to online query processing algorithms and fundamentals A

Goals for Today Online Query Processing Exposure to online query processing algorithms and fundamentals A Tutorial Usage examples Basic sampling techniques and estimators Preferential data delivery Peter J. Haas Online

353 views • 10 slides
The good, the bad and the ugly: Experiences with developing a PGAS runtime on top of MPI-3 6th

The good, the bad and the ugly: Experiences with developing a PGAS runtime on top of MPI-3 6th

The good, the bad and the ugly: Experiences with developing a PGAS runtime on top of MPI-3 6th Workshop on Runtime and Operating Systems for the Many-core Era (ROME 2018) www.dash-project.org Karl Frlinger Ludwig-Maximilians-Universitt

450 views • 25 slides
5th Workshop on Runtime and Operating Systems for the Many-core Era (ROME 2017) held in

5th Workshop on Runtime and Operating Systems for the Many-core Era (ROME 2017) held in

5th Workshop on Runtime and Operating Systems for the Many-core Era (ROME 2017) held in conjunction with Euro-Par 2017 Carsten Clauss and Stefan Lankes Topics of interest Idea Predecessor: MARC Symposium Topic: New hardware trends (e. g. SCC)

314 views • 10 slides
An Implementation of Fast memset() Using Hardware Accelerators Runtime and Operating Systems for

An Implementation of Fast memset() Using Hardware Accelerators Runtime and Operating Systems for

An Implementation of Fast memset() Using Hardware Accelerators Runtime and Operating Systems for Supercomputers Workshop June 12 2018 Rob Gardner Jared Smolens Kishore Pusukuri Oracle Inc Arm Inc NetApp Inc Multicore Systems &amp;

692 views • 24 slides
Why secure the OS? Works directly on the hardware but can be adapted during runtime Operating

Why secure the OS? Works directly on the hardware but can be adapted during runtime Operating

Why secure the OS? Works directly on the hardware but can be adapted during runtime Operating System Security Data and process are directly visible Application security can be circumvented from lower layers = &gt; good scope

103 views • 8 slides
Why Nobody Should Care About Operating Systems for Exascale Operating Systems for Exascale Ron

Why Nobody Should Care About Operating Systems for Exascale Operating Systems for Exascale Ron

Why Nobody Should Care About Operating Systems for Exascale Operating Systems for Exascale Ron Brightwell Scalable System Software Sandia National Laboratories Albuquerque, NM, USA International Workshop on Runtime and Operating Systems for

575 views • 32 slides
Runtime System COMP 524: Programming Languages Based in part on slides and notes by J. Erickson,

Runtime System COMP 524: Programming Languages Based in part on slides and notes by J. Erickson,

Runtime System COMP 524: Programming Languages Based in part on slides and notes by J. Erickson, S. Krishnan, B. Brandenburg, S. Olivier, A. Block, and others What is the Runtime System (RTS)? Language runtime environment. OS view : RTS

962 views • 69 slides
Exploring Processing What is Processing? Easy-to-use programming environment Lets you

Exploring Processing What is Processing? Easy-to-use programming environment Lets you

Exploring Processing What is Processing? Easy-to-use programming environment Lets you edit, run, save, share all in one application Designed to support interactive, visual applications Something weve been missing so far in

573 views • 30 slides
Linux Standard Operating Environments What is an SOE? SOE - Standard Operating Environment

Linux Standard Operating Environments What is an SOE? SOE - Standard Operating Environment

Linux Standard Operating Environments What is an SOE? SOE - Standard Operating Environment Greatly reduces time to: deploy new hosts - because the best way to standardise is to automate. fix problems - because everything is built

835 views • 80 slides
Mixup: A Development and Runtime Environment for Integration at the Presentation Layer Conference

Mixup: A Development and Runtime Environment for Integration at the Presentation Layer Conference

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/220940105 Mixup: A Development and Runtime Environment for Integration at the Presentation Layer Conference Paper July 2007 DOI:

282 views • 6 slides
Providing a Remotely Manageable Runtime Environment for IoT Services (Mid talk Masters Thesis)

Providing a Remotely Manageable Runtime Environment for IoT Services (Mid talk Masters Thesis)

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Providing a Remotely Manageable Runtime Environment for IoT Services (Mid talk Masters Thesis) Fabian Buske Advisor(s): Marc-Oliver Pahl,

341 views • 22 slides
Some Advanced Topics in Processing Getting Stuff In and Out of Processing Exporting your

Some Advanced Topics in Processing Getting Stuff In and Out of Processing Exporting your

Some Advanced Topics in Processing Getting Stuff In and Out of Processing Exporting your sketch as a stand-alone application Select File -&gt; Export Application Create an app for your platform Option to bundle Java Runtime

438 views • 15 slides
Managing Cray XT MPI Runtime Environment Variables to Optimize and Scale Applications Geir

Managing Cray XT MPI Runtime Environment Variables to Optimize and Scale Applications Geir

Managing Cray XT MPI Runtime Environment Variables to Optimize and Scale Applications Geir Johansen May 5, 2008 Cray Inc. Proprietary Slide 1 Goals of the Presentation Provide users an overview of the implementation of MPI on the Cray XT.

790 views • 44 slides
Spack in Shared Environment 2018 Scalable Tools Workshop LANL Programming and Runtime

Spack in Shared Environment 2018 Scalable Tools Workshop LANL Programming and Runtime

Slide 1 Spack in Shared Environment 2018 Scalable Tools Workshop LANL Programming and Runtime Environments Team Paul Ferrell (LA-UR-18-26078) Operated by Los Alamos National Security, LLC for the U.S. Department of Energy's NNSA Slide 2 The

527 views • 16 slides
Running the Processing environment on ARM SBCs Lessons learned &amp; whats missing for

Running the Processing environment on ARM SBCs Lessons learned &amp; whats missing for

Running the Processing environment on ARM SBCs Lessons learned &amp; whats missing for having an Arduino equivalent on top of Linux Gottfried Haider @mrgohai Processing Processing a flexible software sketchbook and a language for

464 views • 29 slides
1 Business &amp; Operating Highlights Overview of the Bank 03 Review of Operating Environment

1 Business &amp; Operating Highlights Overview of the Bank 03 Review of Operating Environment

1 Business &amp; Operating Highlights Overview of the Bank 03 Review of Operating Environment 04 Policy Highlights 05 Recap of 2018 Commitments 06 ALAT Full Digital Bank 07 Leadership Transition 08 1 2 P r e s e n t a t i o n t

816 views • 28 slides
Sambamba : A Runtime System for Online Adaptive Parallelization Clemens Hammacher Kevin Streit

Sambamba : A Runtime System for Online Adaptive Parallelization Clemens Hammacher Kevin Streit

Sambamba : A Runtime System for Online Adaptive Parallelization Clemens Hammacher Kevin Streit Sebastian Hack Andreas Zeller A well-known challenge Modern Legacy Code Hardware The Problem ... The Problem ... Thread 1 Thread 2 Thread 3

379 views • 16 slides
Where Have all the Cycles Gone? Investigating the Runtime Overheads of OS- Assisted Replication

Where Have all the Cycles Gone? Investigating the Runtime Overheads of OS- Assisted Replication

Fakultt Informatik Institut fr Systemarchitektur, Lehrstuhl Betriebssysteme Where Have all the Cycles Gone? Investigating the Runtime Overheads of OS- Assisted Replication Bjrn Dbel, Hermann Hrtig TU Dresden Operating Systems Group

901 views • 23 slides
Processing Recap Processing is a language a library an environment Variables A

Processing Recap Processing is a language a library an environment Variables A

Module 01 Processing Recap Processing is a language a library an environment Variables A variable is a named value. It has a type (which cant change) and a current value (which can change). Variables A declaration introduces

735 views • 58 slides
The online processing of semantic and pragmatic content Brian Dillon LINGUIST510

The online processing of semantic and pragmatic content Brian Dillon LINGUIST510

The online processing of semantic and pragmatic content Brian Dillon LINGUIST510 Psycholinguistics Comprehension: How do we compute the meaning of a sentence in real time? What are the online computations that we use to map word strings to

847 views • 60 slides
1 Table of Contents 1 Overview of Operating Environment and Operations 2 AfDB Financial

1 Table of Contents 1 Overview of Operating Environment and Operations 2 AfDB Financial

1 Table of Contents 1 Overview of Operating Environment and Operations 2 AfDB Financial Profile 3 AfDB Capital Market Activities 4 Appendix 2 1 Overview of Operating Environment and Operations 3 A decade of progress interrupted A

912 views • 49 slides
Chapter 7: Runtime Environment Run time memory organization. char abc[1000]; char

Chapter 7: Runtime Environment Run time memory organization. char abc[1000]; char

Chapter 7: Runtime Environment Run time memory organization. char abc[1000]; char *foo() { char buf[50], *c; buf[0] = \0; c=malloc(50); return( c );} main() {char *c; c = foo();} We need to use memory to store: code

556 views • 17 slides
Developing Managed Code Rootkits for the Java Runtime Environment DEFCON 24, August 6th 2016

Developing Managed Code Rootkits for the Java Runtime Environment DEFCON 24, August 6th 2016

Developing Managed Code Rootkits for the Java Runtime Environment Developing Managed Code Rootkits for the Java Runtime Environment DEFCON 24, August 6th 2016 Benjamin Holland (daedared) ben-holland.com DEFCON 24, August 6th 2016 Developing

762 views • 63 slides
The Power Of Praise and Encouragement in Nontraditional Online Learning Environment Effat

The Power Of Praise and Encouragement in Nontraditional Online Learning Environment Effat

The Power Of Praise and Encouragement in Nontraditional Online Learning Environment Effat Zeidan, PhD Assistant Professor Of Science And Mathematics California Baptist University- Online And Professional Studies THE CONTINUOUS DRIVE TO

377 views • 16 slides

More recommend