operating systems 1 (4/12) - architectures (windows)

Operating System Architectures - Windows Beuth Hochschule Summer Term 2014

Upload: peter-troeger

Post on 12-Jul-2015

Operating System Architectures - Windows

Beuth Hochschule, Summer Term 2014

Operating Systems I PT / FF 2014

Example: Windows Operating System Family

• Since Windows XP (2001), all kernels are successors of the original NT development

• Requirements for the original NT project

• Provide a true 32-bit, preemptive, reentrant, virtual memory operating system

• Run on multiple hardware architectures and platforms

• Run and scale well on symmetric multiprocessing systems

• Be a great distributed computing platform (Client & Server)

• Run most existing 16-bit MS-DOS and Microsoft Windows 3.1 applications

• Meet government requirements for POSIX 1003.1 compliance and security

• Meet government and industry requirements for operating system security

• Be easily adaptable to the global market by supporting Unicode

2

Operating Systems I PT / FF 2014

Windows Operating System Family

• Extensibility: Code must be able to grow and change as market requirements change.

• Portability: The system must be able to run on multiple hardware architectures and must be able to move with relative ease to new ones as market demands dictate.

• Dependability: Protection against internal malfunction and external tampering.

• Applications should not be able to harm the OS or other running applications.

• Compatibility: User interface and APIs should be compatible with older versions of Windows as well as older operating systems such as MS-DOS.

• It should also interoperate well with UNIX, OS/2, and NetWare.

• Performance: Within the constraints of the other design goals, the system should be as fast and responsive as possible on each hardware platform.

3

Operating Systems I PT / FF 2014

Windows Versions

• Each Windows version comes in different flavors differing in ...

• ... number of physical processors being supported (not cores)

• ... amount of physical memory supported

• ... number of concurrent network connections supported

• ... support for TabletPC and/or Media Center Edition

• ... more than 100 configurable software licensing values (e.g. BitLocker, DVD burn)

• Example:

• Windows Server 2008 Standard Edition: max. 4 CPUs, max. 32 GB RAM

• Windows Server 2008 Datacenter Edition: max. 64 CPUs, max. 2048 GB RAM

• All flavors of one version are built from the same core components

4

Operating Systems I PT / FF 2014

Simplified Windows Architecture

5

[Figure: "VMS and Windows - a bird's-eye view on architectures" (slide 46 of the source deck). Left: layered design for the VAX/VMS operating system, with the labels Program Development Tools, Layered Products (Apps), Utilities, Support Libraries, Command Language Interpreter (CLI) in Supervisor mode, Record Management Service (RMS) in Executive mode, System services in Kernel mode, Memory Management, I/O Subsystem, Process and time management, System-wide data structures, Platform-Adaptation Layer (PAL) on Alpha; access modes User, Supervisor, Executive, Kernel. Right: Windows high-level architecture. User mode: User Application, Subsystem DLL, Environment Subsystems (OS/2, Windows, POSIX), System & Service Processes. Kernel mode: Executive, Kernel, Device Drivers, Windows User/GDI, Hardware Abstraction Layer (HAL).]

Operating Systems I PT / FF 2014

Windows Portability

• Past and present: x86 (initial), MIPS (initial), Alpha AXP (initial), PowerPC (NT 3.51), Itanium (Windows XP/2003), ARM (Windows 8) instruction set architectures

• PowerPC and MIPS dropped soon after NT 4 release, Alpha AXP dropped in 1999 (supported through SP6)

• Layered design: Architecture-specific functions located in kernel

• Windows kernel components are primarily written in C (executive, drivers)

• UI and graphics subsystem are written in C++

• HW-specific/performance-sensitive parts written in assembly language (e.g. interrupt trap handler, context switching)

• HAL (Hardware Abstraction Layer)

• Machine-specific functions located in HAL

• Became pluggable in Windows 8 to support different core components (e.g. separate drivers for the interrupt controller)

6

Operating Systems I PT / FF 2014

Windows Hardware Abstraction Layer (HAL)

• Responsible for a small part of “hardware abstraction” - components on the motherboard not handled by drivers

• System timers, cache coherency and flushing, SMP, interrupt priorities

• Subroutine library for the kernel & device drivers

• Isolates Kernel and Executive from platform-specific details

• Presents uniform model of I/O hardware interface to drivers

• Windows Vista and later automatically detect HAL version to be used on startup

• HAL also implements some functions that appear to be in the Executive and Kernel

• Selected at installation time, can select manually at boot time with /HAL= in boot.ini

• Special kit only for vendors that must write custom HALs (requires MS approval)

7


Operating Systems I PT / FF 2014

Windows Hardware Abstraction Layer (HAL)

8

• HalBugCheckSystem - stops the system because of an uncorrectable hardware error.

• KeAcquireSpinLock - acquires a spin lock so the caller can synchronize access to shared data in a multiprocessor-safe way by raising IRQL.

• HalAllocateHardwareCounters - allocates a set of hardware performance counters.

• HalProcessorIdle - enters the power-saving mode of the CPU hardware.

• HalQueryRealTimeClock - initializes system time.

• KeQueryPerformanceCounter - provides the finest-grained running count available in the system; can disable system-wide interrupts for a minimal interval.

• READ_PORT_UCHAR - returns the byte that is read from the specified port address.

Source: geoffchappell.com


Operating Systems I PT / FF 2014

Simplified Windows Architecture

9

[Figure: Windows high-level architecture diagram, repeated from slide 5 (user mode: User Application, Subsystem DLL, Environment Subsystems, System & Service Processes; kernel mode: Executive, Kernel, Device Drivers, Windows User/GDI, HAL).]

Operating Systems I PT / FF 2014

Windows Kernel

• Lower layers of the operating system

• Implements processor-dependent functions (x86 vs. Itanium etc.)

• Also implements many processor-independent functions that are closely associated with processor-dependent functions

• Main services

• Thread waiting, scheduling & context switching

• Exception and interrupt dispatching

• Operating system synchronization primitives (different for MP vs. UP), a few of them are exposed to user mode

• Not a classic “microkernel”, since it shares the memory with rest of the kernel

10


Operating Systems I PT / FF 2014

Simplified Windows Architecture

11

[Figure: Windows high-level architecture diagram, repeated from slide 5 (user mode: User Application, Subsystem DLL, Environment Subsystems, System & Service Processes; kernel mode: Executive, Kernel, Device Drivers, Windows User/GDI, HAL).]

Operating Systems I PT / FF 2014

Windows Device Drivers

• Device drivers (*.sys)

• Hardware device drivers translate user I/O function calls into specific hardware device I/O requests, based on kernel and HAL functions

• Concept of virtual devices - system volumes and network protocols

• Programming models over the years: Windows NT driver model, Windows Driver Model (WDM) since Windows 2000, Windows Driver Foundation (WDF) since Vista

• Windowing and Graphics Driver (Win32k.sys)

• Graphical user interface (GUI) functions (USER and GDI)

• Windows, user interface controls, and drawing

• Hardware Abstraction Layer (Hal.dll) in itself is a driver

12


Operating Systems I PT / FF 2014

Windows Device Drivers

• Separate loadable modules (drivername.SYS)

• Linked like .EXE files

• Typically linked against NTOSKRNL.EXE and HAL.DLL

• Only one version of each driver binary for both uniprocessor (UP) and multiprocessor (MP) systems; the driver relies on kernel support for the according management

• Several types

• “ordinary”, file system drivers, NDIS mini-port drivers, SCSI mini-port drivers (linked against port drivers), bus drivers

• Use driverquery /v to list loaded drivers

• drivers.exe from resource kit for older Windows versions

13

Kernel-Mode Device Drivers

• Separate loadable modules (drivername.SYS)

• Linked like .EXEs

• Typically linked against NTOSKRNL.EXE and HAL.DLL

• Only one version of each driver binary for both uniprocessor (UP) and multiprocessor (MP) systems …

• … but drivers call routines in the kernel that behave differently for UP vs. MP versions

• Defined in registry

• Several types: “ordinary”, file system, NDIS miniport, SCSI miniport (linked against port drivers), bus drivers

• More information in I/O subsystem section

• To view loaded drivers, run drivers.exe

• Also see list at end of output from pstat.exe - includes addresses of each driver

• To update & control: System properties -> Hardware Tab -> Device Manager; Computer Management -> Software Environment -> Drivers

16

[Figure: driver stack example with the labels File System Driver, Port Driver, Port Driver, RAID Driver]


Operating Systems I PT / FF 2014

Simplified Windows Architecture

14

[Figure: Windows high-level architecture diagram, repeated from slide 5 (user mode: User Application, Subsystem DLL, Environment Subsystems, System & Service Processes; kernel mode: Executive, Kernel, Device Drivers, Windows User/GDI, HAL).]

Operating Systems I PT / FF 2014

Windows Executive

• Upper layer of the operating system

• Process and thread manager - additional semantics to lower level objects

• Object manager - manages representation of resources

• Configuration manager - implementation of the system registry

• Memory manager / cache manager - implementation of virtual memory

• Security reference monitor (SRM) - policy enforcement, auditing, object protection

• I/O manager - device-independent I/O dispatching

• Power manager, Plug-and-Play manager, LPC (local procedure call) facility

• Almost completely portable C code, runs in kernel mode

• Most interfaces to executive services not officially documented

15


Operating Systems I PT / FF 2014

Simplified Windows Architecture

16

[Figure: Windows high-level architecture diagram, repeated from slide 5 (user mode: User Application, Subsystem DLL, Environment Subsystems, System & Service Processes; kernel mode: Executive, Kernel, Device Drivers, Windows User/GDI, HAL).]

Operating Systems I PT / FF 2014

Windows Subsystem

• Documented callable Windows API functions

• Examples: CreateProcess, CreateFile, GetMessage

• Subsystem DLLs translate Windows API calls to NTOSKRNL.EXE and WIN32K.SYS system service calls

• Undocumented functions, callable from user space

• Example: NtCreateProcess is used by Windows CreateProcess and POSIX fork()

• Prior to Windows NT 4.0, the window manager and graphics services were part of the user-mode Win32 subsystem process - more stable?

• Internal routines of the Windows subsystem

• Callable only from kernel mode, such as ExAllocatePool for Windows system heap

17


Operating Systems I PT / FF 2014

Calling Windows Kernel from User Mode

• Kernel-mode functions are invoked from user mode via a protected mechanism

• x86: INT 2E (as of XP: SYSENTER on x86, SYSCALL on AMD)

• Last thing that happens in user mode is this “change mode to kernel” instruction

• Causes an exception or interrupt, handled by the system service dispatcher (KiSystemService) in kernel mode

• Return to user mode is done by dismissing the interrupt or exception

• The desired system function is selected by the “system service number”

• Every Windows function exported to user mode has a unique number

• This number is stored in a register just before the “change mode” instruction

• This number is an index into the system service dispatch table

• Table gives kernel-mode entry point address and argument list length for each function

18

Operating Systems I PT / FF 2014

Calling Windows Kernel from User Mode

• All validity checks are done after the user to kernel mode transition

• KiSystemService: probes argument list, copies it to kernel-mode stack, calls the executive or kernel routine pointed to by the table

• Service-specific routine checks argument values, probes pointed-to buffers, etc.

• Once past that point, everything is “trusted”

• This is safe, because:

• System service table is in kernel-protected memory

• Kernel mode routines pointed to by the system service table are in kernel-protected memory

• User mode code can’t supply the code to be run in kernel mode, just select

• Arguments are copied to the kernel mode stack before validation, other threads in the process can’t corrupt the arguments “out from under” the service

19
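The dispatch sequence of slides 18 and 19, as an added example written for this page (not code from the slides or from Windows): a portable C model of the system service dispatcher. The service table, the two constructed services, the status values and the modelled "user memory" array are all assumptions made here. What it shows is that user mode only selects a table index, that the dispatcher copies the argument list into kernel-side storage before anything is validated, and that the service-specific routine then probes the buffers its copied arguments point to.

```c
/* Added example: a model of KiSystemService-style dispatch, not Windows code.
 * "user_memory", the service table, the service numbers and the status values
 * are constructed for illustration.  Portable C99. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { ST_SUCCESS = 0, ST_INVALID_SYSTEM_SERVICE = -1, ST_INVALID_PARAMETER = -2 };
#define MAX_ARGS 4

/* Modelled user address space: only addresses inside this array count as
 * "user mode" addresses (Windows probes against the user/kernel split). */
static uintptr_t user_memory[64];

static int is_user_range(const void *p, size_t len)
{
    uintptr_t lo = (uintptr_t)user_memory, hi = lo + sizeof user_memory;
    uintptr_t a = (uintptr_t)p;
    return a >= lo && a <= hi && len <= hi - a;
}

/* Kernel-side state the services operate on. */
static char kernel_file[64];
static size_t kernel_file_len;

typedef int (*service_fn)(const uintptr_t *args);

/* Service-specific routines see only the kernel copy of the argument list
 * and must themselves probe every buffer those arguments point to. */
static int svc_write_file(const uintptr_t *a)
{
    const void *buf = (const void *)a[0];
    size_t len = (size_t)a[1];
    if (len > sizeof kernel_file || !is_user_range(buf, len))
        return ST_INVALID_PARAMETER;
    memcpy(kernel_file, buf, len);
    kernel_file_len = len;
    return ST_SUCCESS;
}

static int svc_query_file_len(const uintptr_t *a)
{
    uintptr_t *out = (uintptr_t *)a[0];
    if (!is_user_range(out, sizeof *out))
        return ST_INVALID_PARAMETER;
    *out = (uintptr_t)kernel_file_len;
    return ST_SUCCESS;
}

/* System service dispatch table (kernel memory): entry point and argument
 * count per service number.  User mode can only choose the index. */
static const struct { service_fn entry; unsigned arg_count; } service_table[] = {
    { svc_write_file, 2 },      /* constructed service number 0 */
    { svc_query_file_len, 1 },  /* constructed service number 1 */
};
#define SERVICE_COUNT (sizeof service_table / sizeof service_table[0])

/* Models KiSystemService: validate the service number, probe the argument
 * list, copy it to kernel-side storage, then call the routine from the table. */
int ki_system_service(unsigned number, const uintptr_t *user_args)
{
    if (number >= SERVICE_COUNT)
        return ST_INVALID_SYSTEM_SERVICE;
    unsigned n = service_table[number].arg_count;
    if (!is_user_range(user_args, n * sizeof *user_args))
        return ST_INVALID_PARAMETER;
    uintptr_t kargs[MAX_ARGS] = {0};
    memcpy(kargs, user_args, n * sizeof *kargs);  /* snapshot taken before any validation */
    return service_table[number].entry(kargs);
}

/* "User mode" caller: places the data and the argument list in user memory,
 * issues service 0 (write) and service 1 (query); reports the queried length. */
int user_write_and_query(const char *text, size_t *len_out)
{
    char *ubuf = (char *)user_memory;        /* user data buffer */
    uintptr_t *args = user_memory + 32;      /* user argument list */
    uintptr_t *ulen = user_memory + 40;      /* user-side result slot */
    size_t len = strlen(text);
    if (len > 32 * sizeof(uintptr_t)) return ST_INVALID_PARAMETER;
    memcpy(ubuf, text, len);
    args[0] = (uintptr_t)ubuf;
    args[1] = (uintptr_t)len;
    int st = ki_system_service(0, args);
    if (st != ST_SUCCESS) return st;
    args[0] = (uintptr_t)ulen;
    st = ki_system_service(1, args);
    if (st == ST_SUCCESS && len_out) *len_out = (size_t)*ulen;
    return st;
}

/* A kernel address passed as the "user" buffer: the probe in the service
 * routine rejects it instead of reading kernel memory on the caller's behalf. */
int user_pass_kernel_pointer(void)
{
    uintptr_t *args = user_memory + 32;
    args[0] = (uintptr_t)kernel_file;
    args[1] = 4;
    return ki_system_service(0, args);
}

int main(void)
{
    size_t n = 0;
    int st = user_write_and_query("hello", &n);
    printf("write+query status %d, kernel reports length %zu\n", st, n);
    printf("kernel pointer as buffer -> status %d\n", user_pass_kernel_pointer());
    return 0;
}
```

Because validation runs on the kernel-side copy, a second thread rewriting the argument list in user memory after the call has entered the dispatcher cannot change what the service validates, and a kernel address handed over as a user buffer is rejected by the probe rather than dereferenced; a service number outside the table is refused before any code is selected.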

Operating Systems I PT / FF 2014

Calling Windows Kernel from User Mode

• Representation of Windows kernel functions in NTDLL.DLL user mode library

• User-mode routines have the same function names and arguments as the kernel mode routines they invoke

• Example: NtWriteFile in NTDLL.DLL invokes NtWriteFile in NTOSKRNL.EXE

• Some counterexamples exist (e.g. NtQuerySystemInformation)

• Used by subsystem DLLs

• Other examples, marked by method name prefix

• Image loader (“Ldr”), debug infrastructure (“Dbg”), CSRSS support routines (“Csr”), RTL routines (“Rtl”), tracing routines (“Etw”)

20


Operating Systems I PT / FF 2014

Windows Subsystem Call

21

Example: Invoking a Windows Kernel API

[Figure: call chain, reconstructed from the diagram labels]

• Windows application: call WriteFile(…) (user mode, U)

• WriteFile in Kernel32.Dll (Windows-specific): call NtWriteFile

• NtWriteFile in NtDll.Dll (used by all subsystems): Int 2E or SYSCALL or SYSENTER (software interrupt) - transition from user mode (U) to kernel mode (K)

• KiSystemService in NtosKrnl.Exe: call NtWriteFile

• NtWriteFile in NtosKrnl.Exe: do the operation, return to caller

• KiSystemService in NtosKrnl.Exe: dismiss interrupt, return to caller (back to user mode)

• NtDll.Dll returns to Kernel32.Dll, which returns to the application

Operating Systems I PT / FF 2014

Windows Subsystem GDI Call

22

Invoking (most) User and GDI Services

[Figure: call chain, reconstructed from the diagram labels]

• Application: call user or GDI service(…) (user mode, U)

• Gdi32.Dll or User32.Dll (Windows-specific): Int 2E (software interrupt) - transition from user mode (U) to kernel mode (K)

• KiSystemService in NtosKrnl.Exe: call Windows routine

• Service entry point in Win32K.Sys: do the operation, return to caller

• KiSystemService in NtosKrnl.Exe: dismiss interrupt, return to caller

• Gdi32.Dll or User32.Dll: return to caller (the application)

Operating Systems I PT / FF 2014

Key Windows System Files

23


• Core components

• NTOSKRNL.EXE (executive and kernel)

• HAL.DLL (hardware abstraction layer)

• NTDLL.DLL (dispatch stubs to executive)

• Core system processes

• SMSS.EXE (session manager process)

• WINLOGON.EXE (logon process)

• SERVICES.EXE (service controller process)

• LSASS.EXE (local security authority subsystem)

• Windows subsystem

• CSRSS.EXE (Windows subsystem process)

• WIN32K.SYS (User and GDI kernel components)

• KERNEL32/USER32/GDI32.DLL (Windows subsystem DLLs)

Operating Systems I PT / FF 2014

Compatibility - Windows API

• Originally named Win32 API to distinguish it from the Windows 2.0 Win16 API

• Thousands of Windows subsystem functions

• Base services, component services, user interface services, graphics and multimedia services, messaging and collaboration, networking, web services

• Most internal text strings are stored / processed as 16-bit Unicode strings

• Windows API string functions typically have 2 versions

• Unicode (wide) version: L"This string uses 16-bit characters"

• ANSI (narrow) version: "This string uses 8-bit characters"

• Windows 95/98/ME had Windows API but no Unicode characters

• Unique property in comparison to Unix systems

24

Operating Systems I PT / FF 2014

Windows API

• System resources are kernel objects referenced by a handle

• handle vs. UNIX file descriptors & PIDs

• Kernel objects can be manipulated only via a subsystem API

• Objects have security attributes

• Files, processes, threads, IPC pipes, memory mappings, events

• Windows API is rich & flexible

• Convenience functions often combine common sequences of function calls

• Function names are long and descriptive (as in VMS)

• WaitForSingleObject(), WaitForMultipleObjects()

• Windows API offers numerous synchronization and communication mechanisms

25

Operating Systems I PT / FF 2014

Windows Security

• Foundational concepts: Objects and handles

• Objects are placeholders for (protected) system resources that may be shared

• Process, thread, file, event objects from user space are mapped on executive objects

• Object services offer read/write access to attributes

• All security and protection based on NT Executive objects

• Discretionary control: read/write/access rights

• Privileged access: administrator may take ownership of files

• Windows API functions take handles to system “objects” as parameters

• Handle table in kernel address space, unique per process

• Security check at handle creation time only

26
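An added example (not code from the slides or from Windows) for the last three bullets, in C: a per-process handle table where the security reference monitor check runs once, when the handle is created, and every later operation consults only the access mask recorded in the handle entry. The object layout, the one-subject "DACL", the subject ids and the access-mask values are assumptions made for illustration. It also shows the consequence a defender should keep in mind: tightening an object's permissions does not revoke handles that were already opened with the wider access.

```c
/* Added example: a model of handle-based object protection, not Windows code.
 * The object, its one-subject "DACL", the subject ids and the access masks
 * are constructed for illustration.  Portable C99. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { ACCESS_READ = 0x1, ACCESS_WRITE = 0x2 };   /* constructed access rights */
enum { ST_SUCCESS = 0, ST_ACCESS_DENIED = -1, ST_INVALID_HANDLE = -2 };
#define HANDLE_TABLE_SIZE 16

/* A protected executive object: its data plus a minimal "DACL" that grants
 * one subject id a set of rights. */
struct object {
    char data[32];
    int allowed_subject;
    uint32_t allowed_access;
};

/* One slot of the per-process handle table; a handle is the slot index. */
struct handle_entry { struct object *obj; uint32_t granted_access; };

struct process {
    int subject_id;                               /* who the process runs as */
    struct handle_entry table[HANDLE_TABLE_SIZE]; /* lives in kernel address space */
};

/* Security reference monitor check: performed only at handle creation. */
static int access_check(const struct object *o, int subject, uint32_t desired)
{
    return o->allowed_subject == subject && (desired & ~o->allowed_access) == 0;
}

/* Open an object: returns a handle (>= 0) whose entry records the granted
 * mask, ST_ACCESS_DENIED if the check fails, ST_INVALID_HANDLE if the table is full. */
int open_object(struct process *p, struct object *o, uint32_t desired)
{
    if (!access_check(o, p->subject_id, desired))
        return ST_ACCESS_DENIED;
    for (int h = 0; h < HANDLE_TABLE_SIZE; h++) {
        if (p->table[h].obj == NULL) {
            p->table[h].obj = o;
            p->table[h].granted_access = desired;
            return h;
        }
    }
    return ST_INVALID_HANDLE;
}

static struct handle_entry *lookup(struct process *p, int h)
{
    if (h < 0 || h >= HANDLE_TABLE_SIZE || p->table[h].obj == NULL)
        return NULL;
    return &p->table[h];
}

/* Operations check the mask stored with the handle, not the object's DACL. */
int write_object(struct process *p, int h, const char *text)
{
    struct handle_entry *e = lookup(p, h);
    if (!e) return ST_INVALID_HANDLE;
    if (!(e->granted_access & ACCESS_WRITE)) return ST_ACCESS_DENIED;
    snprintf(e->obj->data, sizeof e->obj->data, "%s", text);
    return ST_SUCCESS;
}

int read_object(struct process *p, int h, char *out, size_t out_len)
{
    struct handle_entry *e = lookup(p, h);
    if (!e) return ST_INVALID_HANDLE;
    if (!(e->granted_access & ACCESS_READ)) return ST_ACCESS_DENIED;
    snprintf(out, out_len, "%s", e->obj->data);
    return ST_SUCCESS;
}

int close_handle(struct process *p, int h)
{
    struct handle_entry *e = lookup(p, h);
    if (!e) return ST_INVALID_HANDLE;
    e->obj = NULL;
    e->granted_access = 0;
    return ST_SUCCESS;
}

int main(void)
{
    struct object o; memset(&o, 0, sizeof o);
    o.allowed_subject = 1; o.allowed_access = ACCESS_READ | ACCESS_WRITE;
    struct process p; memset(&p, 0, sizeof p); p.subject_id = 1;
    int hw = open_object(&p, &o, ACCESS_READ | ACCESS_WRITE);
    printf("write handle %d, write -> %d\n", hw, write_object(&p, hw, "first"));
    o.allowed_access = ACCESS_READ;  /* DACL tightened after the handle exists */
    printf("new open for write -> %d, write via old handle -> %d\n",
           open_object(&p, &o, ACCESS_WRITE), write_object(&p, hw, "second"));
    return 0;
}
```

A handle opened for read only is refused a write by its own mask, a different subject is refused at open time, and after the DACL is tightened a fresh open for write fails while the handle opened earlier keeps writing until it is closed; auditing and revocation therefore have to consider handles that already exist, not only new opens.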

Operating Systems I PT / FF 2014

Windows Architecture

27

[Figure: Windows Architecture (original copyright by Microsoft Corporation, used by permission). User mode: System Processes (Session Manager, WinLogon, Services.Exe, LSASS), Services (Service Control Mgr., SvcHost.Exe, WinMgt.Exe, SpoolSv.Exe), Applications (Task Manager, Explorer, User Application), Environment Subsystems (Windows, POSIX, OS/2), Subsystem DLLs (Windows DLLs), NTDLL.DLL. Kernel mode: System Service Dispatcher (kernel mode callable interfaces); Executive components I/O Mgr (Device & File Sys. Drivers, File System Cache), Object Mgr., Plug and Play Mgr., Power Mgr., Security Reference Monitor, Virtual Memory, Processes & Threads, Local Procedure Call, Configuration Mgr (registry); Windows USER, GDI and Graphics Drivers; System Threads; Kernel; Hardware Abstraction Layer (HAL); hardware interfaces (buses, I/O devices, interrupts, interval timers, DMA, memory cache control, etc.).]

Operating Systems I PT / FF 2014

Demos for Windows

• Spending time in user mode vs. kernel mode - mouse and window movements

• Applications vs. processes in task manager and SysInternals process explorer

• Determine the utilized HAL with device manager

• Using dependency walker with ntoskrnl.exe

• List of open handles (Process Explorer)

• Stack trace checking (Process Explorer)

• Suspending notepad

• Killing the Windows subsystem (csrss.exe)

• Killing security (lsass.exe)

• Minimal process set: Killing first smss.exe and then winlogon.exe

28