If you enumerate the key signature, you are going through the circle of fifth in clockwise direction. For example, starting with C and the next key is G. G is the fifth of C. The next key is D and so forth.
Note that if you move counter-clockwise, you have the circle of forth. For example, C is the perfect forth of G.
Thursday, September 18, 2014
tritone
Also called devil's interval\ composed of the tonic and the diminished (flat) fifth or augmented (sharp) forth.
Saturday, September 6, 2014
Scanning
TCP connect scan - complete the 3-way handshake and then tear down the connection directly. This is the most stable scan method which will not flood or crash the target server.
SYN scan - Instead of completing the 3-way handshake, it only does the first 2 steps and then send a RST packet. The speed is faster than the TCP Connect Scan, The scan is also "stealth" as the 3-way handshake does not complete and so the target host is unlikely to log the connection.
UDP scan - If there is response from the scan, the port is positively identified. As the service listening to the UDP port does not always responding to incoming packet, a null return may means the port is open or the UDP packet has dropped by firewall silently.
XMAS Tree scan - the FIN, PSH and URG flags are set on in the scan packet. Because the packet does not contains a SYN or ACK or RST, and if the port is open, the target system would ignore the packet (i.e. no response). If the port is not open, the system responds with a RST packet according to TCP RFC. XMAS Tree scan is effective against UNIX and Linux but not on Windows.
NULL scan - usage is similar to the XMAS Tree scan. The scan packet is devoid of flag (i.e. no flag set)
SYN scan - Instead of completing the 3-way handshake, it only does the first 2 steps and then send a RST packet. The speed is faster than the TCP Connect Scan, The scan is also "stealth" as the 3-way handshake does not complete and so the target host is unlikely to log the connection.
UDP scan - If there is response from the scan, the port is positively identified. As the service listening to the UDP port does not always responding to incoming packet, a null return may means the port is open or the UDP packet has dropped by firewall silently.
XMAS Tree scan - the FIN, PSH and URG flags are set on in the scan packet. Because the packet does not contains a SYN or ACK or RST, and if the port is open, the target system would ignore the packet (i.e. no response). If the port is not open, the system responds with a RST packet according to TCP RFC. XMAS Tree scan is effective against UNIX and Linux but not on Windows.
NULL scan - usage is similar to the XMAS Tree scan. The scan packet is devoid of flag (i.e. no flag set)
4 Phases of Hacking
1. Reconnaissance - to create a list of potential target IP Address
2. Scanning - to map services exposed to network
3. Exploitation - to gain access to remote services
4. Maintain Access - with backdoor and rootkits
2. Scanning - to map services exposed to network
3. Exploitation - to gain access to remote services
4. Maintain Access - with backdoor and rootkits
Friday, September 5, 2014
Linux Kernel Thread
These are standard processes exist solely in kernel space. The kernel threads do not have an address space (mm pointer is NULL). They operates in kernel space and does not switch into user space. Kernel threads are scheduled together with user threads.
A kernel thread can only be created by another kernel thread using
int kernel_thread(int (*fn) (void *), void * arg, unsigned long flags)
which return a pointer to the child task_struct. The child thread exect fn with arguments passed in arg.
The child kernel thread is created using the usual clone() call with CLONE_KERNEL, CLONE_FS, CLONE_FILES and CLONE_SIGHAND.
Linux Thread
Threads are implemented as processes in Linux sharing resources. Threads are created using clone(CLONE_FS | CLONE_VM | CLONE_FILES CLONE_SIGHAND, 0).
Normal process creation uses fork() translates to clone(SIGCHLD, 0). vfork called clone(CLONE_VFORK | CLONE_VM | SIGCHLD, 0)
Process Creation
Linux implements fork() using clone() system call. The call is passed with flags which specifies what are to be shared between the parent and the child process. The vfork() and _clone() lib call all invoke clone(). clone() invoke do_fork() which does the bulk of work. do_fork() called copy_process() which calls
- dup_task_struct() creates a new kernel stack, thread_info and task_struct for the new process. The parent and child process descriptors are initially the same. Various fields are then set or cleared. The task state is set to TASK_UNINTERRUPTIBLE to make sure it is not run yet.
- copy_flag() to copy the flags member of the task_struct. It unset the PF_SUPERPRIV for task that does not run supervisor privileges. It also set PF_FORKNOEXEC to indicate that it has not called exec() yet.
- get_pid() to get the next available pid
Depending on the flags passed to clone(), copy_process() duplicates open files, filesystem info, signal handlers, process address space and namespace. Then the remaining timeslice is split between the parent and the child. copy_process returns a pointer of the child to do_fork(). The new child process is then waken up and run ahead of the parent.
vfork() has same effect as fork except the page table entries of the parent process are not copied. The child process is not allowed to write to the address space. The child runs in the parent address space as the sole thread. The parent process is stopped until the child runs exec() or exits. In do_fork(), a flag vfork_done is set to point to a specific address. When the child exit, the vfork_done is checked and if not NULL will send a signal to the parent.
vfork() is an optimized form for 3BSD at the time when the copy-on-write is not available.
Process Context
When a process executes a system call, it transfer control to kernel. At this point, the kernel is said as executing for the process and in process context. The current macro is valid.
Linux Process States
- TASk_RUNNING - process is runnable (on the run queue) but not necessarily running.
- TASK_INTERRUPTIBLE - process is sleep waiting for some condition to happen. The process may also be waken up by a signal.
- TASK_UNINTERRRUPTIBLE - similar to TASK_INTERRUPTIBLE except it does not wake up by a signal. This is used when the task must wait without interruption or expects the event will occurs quickly. Process in this state cannot be killed.
- TASK_ZOMBIE - process has exited but the task_struct is lefted over to wait for the parent process to call wait4().
- TASK_STOPPED - process stops because it receives SIGSTOP, SIGTSTO, SIGTTIN OR SIGTTPU or it receives any signal while it is being debugged.
The process sstate is set using the set_task_state(task,state) function which also create a memory barrier to force ordering on other processors
Linux Process Descriptor
Process and task are used interchangeably. The process descriptor is implemented in struct task_struct. The task list is a double linklist of task_struct.
Prior to 2.6 kernel, task_stuct is allocated at the end (max top) of kernel stack. This allow a quick location of the task_stuct using the stack register. Since 2.6, the task_struct is now allocated by the slab allocator dynamically in cache. A new struct thread_info sits at the top end of stack. The first element in thread_info points to task_struct. A register-impaired architecture is the only reason to create thread_info.
To look up the task_struct of the current task, kernel uses current macro. The implementation of current macro is hardware dependent. In x86, current is calculated by masking the lowest 13-bit of the esp stack pointer. In PowerPC, the current pointer is stored in a register.
Linux Kernet Stack
The user mode stack has a dynamic size. For kernel, the size is usually fixed size and small. The size of the stack depends on hardware architecture. Historically, kernel stack in Linux is 2 pages (8K in 32-bits and 16K in 64-bits). The size is fixed at kernel compile time.
Using Floating Point
When an application need to use floating point function, the kernel needs to assist to switch mode. What exactly is done depends on the hardware architecture. Kernel will catch this request as a trap to initiate the sequence.
GNU C branch annotation
Two macro likely() and unlikely() can be specified to help the compiler to optimize code.
For example, if (unlikely(i > 10)) then ...
Uses this directives when one of the branch direction is overwhelmingly over the other.
Linux PRINTK
Linux kernel does not link with libc becuase of its size and speed. Many of the libc functions were implemented directly in the kernel.
printf is not defined in the kernel. Kernel uses printk which has similar syntax to printf with an additional priority flag. printk copies the formatted string into a kernel log buffer which normally read by syslogd
Timeslices
If the timeslice duration is too long, it affects responsiveness of the process. If it is too short, it affects the throughput as the system have a high overhead of switching tasks (less usable time for actual processing).
Subscribe to:
Posts (Atom)