How Do Linux Kernel Drivers Work? - Learning Resource

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

today I want to show you a resource that I was introduced to to get a better understanding and learn more about Linux I might have mentioned it before but I did my bachelor's degree in like a dual study program so I was studying at University and working in a company and for me that was IBM and during the time I was always in different teams and had different things to do and during one particular internship I was given a resource to introduce me deeper into Linux because my task was it to write a custom tool to measure timings inside of the kernel for very specific IO operations and so I want to share this with you because I do think that this is actually a really awesome resource and it's really interesting long story short it's about a book it's called Linux device drivers and it's in its third edition now I have to say this book is at this point kind of old this edition is about the 2.6 kernel in my open toe here is on the kernel of 5.0 right now so a lot of stuff has obviously changed since then but also the kernel didn't get simpler and easier with time so it might make sense to even like go a bit back and check out these parts also there is no modern book about this I saw a post on reddit by one of the authors that they have no plan of creating another book the motivation for this book mainly seemed to have been to motivate and help new kernel developers to get into it and nowadays it seems like they are pretty satisfied with the contributions they get from the industry and just other individuals they don't seem to feel like it's necessary right now to write such a book and also obviously writing a book is a massive endeavor and they have better things to do I guess so to be completely honest with you I didn't read the whole book I'm really bad at reading but I did read a couple of important chapters for me like I said it was an internship and so I was working there with experienced Linux developers they knew they knew their way around the kernel they knew what I had to do so they kind of had already an idea how to implement this task so they were pointing me to the interesting chapters for me and so nowadays the book is freely available under Creative Commons and you can here download it on lwn so this book is pretty large it has obviously a lot of chapters and I'm obviously not going to read this here I want to try to share one key lesson that I took away from when I was working with this so I actually don't quite remember in which chapter it was and I also don't know if the code and everything will still work so let's see how this goes chapter 1 an introduction to device drivers the operating system wants a dark and mysterious area whose code was restricted to a small number of programmers can now we readily examined understood and modified by anybody the Linux kernel remains a large and complex body of code however and would be kernel hackers need an entry point where they can approach the code without being overwhelmed by complexity often device drivers provide that gateway I would say this is definitely true I mean I by no means a kernel hacker but I feel like this book and the particular part that I try to show you today is what kind of like clicked for me and made me really understand a certain important aspect of Linux it took my fear away of also looking into the Linux kernel source code and kind of provide me a gateway into it this book teaches you how to write your own drivers and how to hack around in related parts of the kernel as you learn to write drivers you find out a lot about the Linux kernel in general this may help you understand how your machine works and why things aren't always as fast as you expect or don't do quite what you want we introduce new ideas gradually starting off with very simple drivers and building on them every new concept is accompanied by sample code that doesn't need special hardware to be tested I think this sounds really interesting and sounds like a great opportunity to learn something obviously I don't have the time in this video to like talk about everything and obviously that would also be a dumb video you can just read it yourself and there are a lot of interesting parts especially also in this introduction you get a lot of interesting insight into kind of the ideas of the Linux kernel so for example here how the kernel is split up in different parts they even talk here about security issues and they even talk about concurrency and race conditions of course this area is also important for security if you want to find the vulnerability in a kernel or even exploit it you need to understand how the kernel and also obviously when you develop for the kernel you also need to know about security to make sure you have safe code and here we get to the first more relevant information that we need one of the good features of Linux is the ability to extend at runtime the set of features offered by the kernel this may be sound trivial but it's not given that a system has to be able to somehow loud code new additional code into the kernel this is a great feature of Linux each piece of code that can be added to the kernel at runtime is called a module each module is made up of an object code it can be dynamically linked to the running kernel by the in smart program and be unlinked by the our m watt program and now it introduces the different classes of devices and modules they are char models block modules or network modules and I want to specifically look at character devices a character char device is one that can be accessed as a stream of bytes like a file a charge driver is in charge of implementing this behavior such a driver usually implements at least the open/close read and write system calls may be you can slowly see where this is going the text console slash dev console and the serial ports as /dev TTY and others are examples of jar devices choices are accessed by means of file system notes such as deaf TTY one see where this is slowly going you probably have heard of it before everything in Linux is a file but this seems so difficult to understand to grasp this concept so for example I was coming from Windows and you know I I knew files I can click on them double click and like an image comes up or a word document or a game starts but files can be so much more but there's more to what a file can be especially on Linux and so whatever these child advices are they can be accessed through a file system path and they look like a file to you but actually they implement something much more alright let's start by building and running modules let's see if just the hello world module still works ok so here we have the code we define two functions a hello in it and a hello exit the names basically don't matter we use module in it and module exit to define which ones are the init and exit functions for our module also notice how we are not using printf here but print K we are not in userland we don't have let's see we are writing code that is running in the kernel we are not running in user space so we cannot use typical code that you would use in user space and so in the kernel there's a special print method called print k print kernel we will see in a moment where this gets printed okay so how do we compile this I don't remember okay so they use here a make file you must have a properly configured and built kernel tree in a place where the make file is able to find it okay I think I think I need to set up my system here first okay so let's try to figure this out for bun to here's also a repository with the Linux device drivers three examples updated to work in recent kernels so I hope that we can find here some set of information so let's figure out maybe in the make file how it works okay it goes into all the sub directories for compilation so let's see if we can find the hello world in here okay so here's the hello world code so let's see that make file looking at this make file it specifies here our kernel directory and lip modules and then and then it gets the version and then built and I have that here already so maybe we can actually use it already so let's copy that make file and we only have hello let's see if their work okay I think this worked we have now here a hello data file so can we now do in smart hello oh it's mr. wrong file is it k oh ok this worked I think no error okay wait so this is the kernel object I guess okay so this one is the correct one so now with LS mode we should see that our module is loaded yeah there it is our module hello is loaded but we didn't see the hello world output so where's that so let's look into the syslog there it is there's our hello world and now let's remove the module now we should have removed it let's check the Siuslaw and there it is goodbye cruel world ok awesome so we can write and compile kernel modules and they will be executed inside of the kernel they are not user space programs they executed in the kernel and in this cool it's code that is running in the kernel let's check Chapter three cha drivers throughout the chapter we present code fragments extracted from a real device driver skull simple character utility for loading localities Gao is a child driver that acts on a memory area as started were device in this chapter we use the word device interchangeably with the memory area used by skull it will create four devices each consisting of a memory area that is both global and persistent Global means that if the device is opened multiple times the data contained within the device is shared by all the file descriptors that opened it persistent means that if the device is closed and reopened data isn't lost this device can be fun to work with because it can be accessed and tested using conventional commands such as CP copy cat and Shell IO redirection and then there are a couple of other devices created skull pipe skull single scope Roth but I'm not really interested in those shower vices are accessed through names in the file system so files those names are called special files or device files or simply notes of the file system tree they are conventionally located in the /dev directory special files for draw drivers are identified by a C in the first column of the output LS - L so let's check that up so look at this here we have char devices and this here is obviously a directory so it has a D and when we scroll down we can also find a B which means these are block devices they are all nodes they all look like files but some files are directories some files are character devices and some files are block devices if you issue the LS - L command you will see two numbers separated by a comma in the device files entries before the date of the last modification where the file length normally appears these numbers are the major and minor device numbers of the particular device so here now you know what these numbers you mean it's the device number 10 and has the minor number 175 and you can check the devices that exist in prop devices ok we clearly don't have the time to go through like it step-by-step so let me just grab the whole repository with the examples okay so we can't compile it we get an error has here three arguments but it takes only two obviously this is a common issue so here is a change in the 5-0 kernel that excess of K now takes two and a three so I guess it drops the type so let's just change that and hope it works okay so now we were able to build it but I want to make a small modification to show you something okay so here's the skull open method so let me add a print K here and then we have here the read and I want to show how many bytes we are reading and then we have here the right I want to also show how many bytes are being written and then we have to release here so what are these functions so down here we find a struct called file operations and you will find here seek read write open release and i/o control each field in the structure must point to the function in the driver that implements a specific operation or be left null for unsupported operations and so for example the read function is used to retrieve data from the device and a null pointer in this position causes the read system call to fail the read system call so we are creating here a character driver which looks like a file that implements functionality for typical system calls like open read and write so let's build the code and then we have here this script called skull load and it does a few things that I explained in the book but most importantly it's using insmod to add our module that we are just compiling and then it's setting up the device properly in the file system alright okay so it should be loaded okay now we can find here deaths call zero one two and three now I have two windows open so on the Left we just look at the syslog with tail - f - C always new messages and now here on the right let me get a Python prompt and now let me open one of the skull files now I am opening the skull 0 device like it would open any other files with W so that we can also write to it open tonight sudo python let's do that again so now I have opened this file and see our code was executed our print K was executed when we executed open in Python Python eventually called the syscall open and then kernel magic happened and then it saw that we want to open this device and it looks into this file operation structure and finds okay this is this is what I have to execute on then open and then it executed this code here with our printf now we didn't go over the code what it's doing here but see it can also check if it was opened write only and now let's write something to the file oh okay I'm not quite sure why it didn't show up actually I'm just acting I did this before and I failed and I figured out what happens so let me now close this file and now you can see we entered the right function and wrote 11 bytes and after that we got the release because we close this file we released it so here you can also see some buffering going on just because we called write on the file didn't mean that python was immediately creating a syscall to write to it but when we said we wanted to close it then the buffer had to be flushed and actually be written and then it's when it's happened okay I'm to be honest I'm not quite sure if python is buffering here or if maybe even the curl in turn early is buffering before it's writing to the device not quite sure about that but let's see if we can force a flush yeah so this works also if we call flush then does wherever this buffer is either it's in Python or in the kernel it will actually then flush it and then write it to the device and how does it write this information to the device think about now you had opened a different file a regular file and you would write to it how would it actually write to the device how would it write it to the harddrive here who USB stick somewhere the kernel has to call a driver hey please write the state an hour to the device and so that's what these drivers do all right in our case we just have this kind of like basics dumb driver that does now nothing else that just like prints here now that we were writing 11 bytes but you could imagine that this is now accessing real hardware and telling please write this data here at this address on this hard drive I hope you enjoyed this playing around with it and and I really encourage you to do this yourself for me this was really like the mind-blowing moment when I realized oh this is what it means to have a driver and this what it means to have files on Linux in the end you are calling Cisco's like open and read and they get through the kernel code wherever they need to go in this case it was our own driver and we were handling the read and write but it could also be the drive of a device and that driver then does all the low-level magic to actually make that happen and here you can also see the role of an operating system the kernel it's providing this abstraction layer this API with the Cisco's of open bright clothes and you as a programmer I can just write Python code right I can open and write to files thanks to the kernel providing us with this interface and then internally the kernel might do different things with it and these device drivers are following certain specification as well because they need to expect an open or riot and they need to react to that ah I just love this anyway I hope you learned something see you tomorrow [Music]

Info

Channel: LiveOverflow

Views: 352,228

Rating: 4.9536495 out of 5

Keywords: Live Overflow, liveoverflow, hacking tutorial, how to hack, exploit tutorial, linux, device drivers, writing driver, hacking kernels, kernel hacks, reverse engineering kernel, insmod, rmmod, kernel modules, syscalls, what is syscall, open syscall, write syscall, how write works

Id: juGNPLdjLH4

Channel Id: undefined

Length: 17min 2sec (1022 seconds)

Published: Thu Dec 12 2019