CCT 164: Mastering Process States, Execution Types, and System Architectures for the CISSP (Domain 3)
Aug 05, 2024

Ever wondered how mastering process states and system architecture can be as straightforward as organizing your child's toy box? Join me, Sean Gerber, on the CISSP Cyber Training Podcast as we unpack the complexities of these crucial concepts to help you ace the CISSP exam. Drawing from my personal journey and the hurdles I faced, I'll share practical tips and relatable analogies that make even the most daunting topics accessible. We start by breaking down the initiation of processes in computer systems and the significance of modular development in application design.
Transitioning from theory to practice, we'll explore the importance of resource allocation and process switching. By comparing familial inheritance with computing, I'll demonstrate how permissions and capabilities are passed down within systems. Recalling my experiences with older technology like the B-1 bomber, we'll examine the challenges and strategies for integrating outdated systems with modern applications. We'll delve into the functions of process control blocks (PCBs), security contexts, and the critical role of process scheduling for optimal system performance.
Lastly, we'll focus on the intricacies of process states and kernel mode operations. Understanding how processes transition between states—ready, running, and waiting—can help mitigate cybersecurity risks such as code injection and privilege escalation. We'll discuss why kernel mode is a prime target for attackers and the importance of context switches, comparing how Windows and Linux handle these operations. Wrapping up, we'll emphasize the need for robust protection mechanisms and running operations in restricted states to ensure system stability and security. Tune in to equip yourself with the knowledge needed for effective decision-making in your cybersecurity career.
Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and sign-up to join the team for Free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!
TRANSCRIPT
Speaker 1:
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Good morning. How are you all doing today? This is Sean Gerber with CISSP Cyber Training, and I hope you all had a great, great weekend this past weekend.
Speaker 1:
It's, as we are today, CISSP Monday, and this is when the podcast usually comes out. It usually ends up happening where people have the weekend prior to Monday. I think that's usually how it is, unless you are working, like I used to do, in swing shifts and in hours that were not the normal time. Yes, that would make it a little bit challenging for the weekend, but, that being said, yeah, I had the weekend this last weekend and it was great. Had my wife's business, she's just got starting up a new business, and we spent the whole weekend getting her area prepped and ready for that. So that was a full couple of days, but now I can get to talk about CISSP stuff, which is awesome. Yeah, the recording of this show, I do this actually about 4:30, 5 o'clock in the morning in the US, just prior to heading off to work, so as you get a little insight into my life, I basically have not much of a life, but the goal is to provide this information for you guys, because I know when I took the CISSP, I struggled substantially with the CISSP. It was not my first forte. Coming from a background within being a military air flyer, I did not understand the IT. I didn't go to school to be an IT person, so, since I didn't understand those pieces to it, I needed a lot of extra help, and so the ultimate goal of CISSP Cyber Training and these podcasts is to provide you that level of understanding. For folks that are, you probably are way further than I ever was on this, and so, therefore, it's just to kind of help you along and give you that insight that you need before you go and take the CISSP exam, because we do know it can be an extreme challenge.
Speaker 1:
Also, before we get started, I have to let you know that I am actually making some changes to the CISSP Cyber Training site. We're going to be changing around some of the offerings, product offerings we have there. They are going up in price, but they're giving you a lot more value for that cost. And the ultimate goal is that I'm seeing what some of my students have been saying, what they need, and we've been making some changes to help you with that. So that's the ultimate goal, is to provide that, because, bottom line, it's not about the money, it's about providing you the skills that you need to be able to pass the exam, but also to take you into the next, basically into the future, because one thing I get a lot of feedback on is, okay, great, I take the test, now what? And we wanna kinda, I wanna help you with that, because I've heard that for the past I don't know however many years, is people get these tests taken, but they don't know what the next steps are. So that's the ultimate goal of trying to get you to. So, once you get the test passed, how do we also help you on to the next part of your career?
Speaker 1:
Okay, so in CISSP Cyber Training, what we're going to be getting into at this point is around mastering process states, execution types and system architecture for the CISSP. And you all are probably going, what in the world is that? Well, we're gonna kind of break this down a little bit. This can get very confusing very quickly, so I'm gonna try my best to keep it very high level, at a level that maybe you can understand. Not that you are all well beyond me, probably, in knowledge, but because it can get a lot of acronyms and it can be kind of confusing into what is the overall role. We'll try to keep it high level and then we'll drill deeper into it. So again, hang on, this will be a fun one, we'll get into it, and you may wanna come back and re-listen to this one a little bit more as we proceed over the coming months, because it will definitely help kind of coalesce or bring together the understanding of these different types of roles and what they do.
Speaker 1:
So in computer systems, the initiation of a process, you know that's occurring in the background, can be very similar to starting a new task or an application. So when we talk about a new task now, this is specifically saying around the computer itself. But as we all know, we've talked about within our current world that we live in, with these third parties such as AWS, Google Cloud and so forth, these applications can run in the cloud, but we're just going to talk specifically around the process state as it relates to a physical computer, and then from there we can take a different path as needed for those other processes. So the key around this is, whether you're typing into a terminal or double clicking an application on a desktop, right, you're going to get this trigger that is going to occur, and this trigger can either be the application itself or an automated script, and then these actions will begin a new process within that computer system. And this is a foundational piece, obviously, of running a computer, right? When you click on it, you want it to run, and when you set this up and the developers are creating these, we want to talk to them about developing their applications to run in a very specific and modular format, and the goal is, in many cases, one is, if you have, I'll use an example of my kids when, in the past, when they were little, they would have toys scattered all over the house. Well, you don't know where you left your toy if you just scatter them everywhere. But if you have them in rooms or in buckets that are in your specific room, then you know where those toys are, and that's the same concept: you want to keep all of your toys, all of your processes, to occur in a modular or very formatted path, because it makes it so much easier from a development standpoint as well as understanding.
Speaker 1:
What is this overall application trying to do? Now, you're gonna hear this term a lot, it's called parent-child relationship. Now, the parent-child relationship, you'll hear this within the application space. You'll also hear this within rights, like, for an example, if you have added rights within a SharePoint site. The parent-child relationship is an integral part of overall understanding and ensuring that the processes are occurring correctly. And when a process spawns one, then what will happen is that the initiating spawn, right, the initiating process, would be considered the parent, and then every one that comes off of that would be the child, right? So the child comes from the parent, and that makes logical sense, right? Well, this hierarchical relationship does help organize these overall processes that we're just talking about and allows for the resources to be used efficiently, but in the process of doing that, it allows them to inherit various aspects within that specific role.
Speaker 1:
So, as a father with seven children, when I pass on, I have an inheritance set up for my children. Now I'll tell you right now that inheritance will not be very much, because I probably don't have a lot. And the second fact of it is that they need to earn their own way and how they want to do their life. But the point of it is that they will inherit something from the parents. Now you also can inherit traits: your nose, your ears, your eyes. Same concept, right? Except for my adopted kids. They don't look anything like me.
Speaker 1:
But that being aside, you want to actually inherit the various pieces that occur within these processes, and the access you want to inherit as well, because it makes the whole process much easier. So if you didn't have that, so let's say, for example, you had a parent, and you go ahead and you go and you run the application and it didn't inherit the permissions from the parent, you would have to physically go in and make those changes yourself. You don't necessarily want that. You would rather have it inherit the permissions, inherit the capability, and then go back in and restrict in areas where you feel it's most appropriate. I hope that makes sense. But again, the parent-child relationship is an important factor when you're dealing with resources within any computer system and also in the overall access that's provided within a system itself. So, resource allocation. So every process requires system resources to function. This involves allocating slices of the CPU, which is your central processing unit, it's the time of that, the memory blocks that are associated specifically within that CPU, and then any other resource that might be vital to the overall system. So you have to allocate various time for these different resources.
Speaker 1:
Now, when I first started in computers, right, I'll give you an example of the B-1 bomber I used to fly. They've upgraded the thing since then, but at the time when I flew it they didn't really have state-of-the-art computer systems that were in it. Well, when we put in a laptop, just basically to help us with our mobile map display units, that was a game changer in relation to what the system could actually do. And so when you have these computer systems that are older, the amount of resources they can handle is much less than something that is much newer, that has a lot more CPU power than the systems of the past, and so, as these applications demand more and more CPU, you're getting yourself into constraints trying to operate older systems with newer applications. So therefore you have to upgrade, and we see this a lot.
Speaker 1:
If you go, and you will go, to a new company after you get your CISSP done, one of the things you may see is that they still have a lot of old legacy equipment. Well, the new applications will struggle with that. So what do people do? They keep the old applications. Well, when you keep the old applications, what do you bring with it? A lot of problems. The system won't be able to be upgraded. There's vulnerabilities with that system. Lots of issues come into that. So again, I'm taking a small tangent there to let you know that resource allocation is an important part of what you provide for these systems, and therefore you need to make sure they're updated and relatively new.
Speaker 1:
Now, when you're dealing with resource allocation, every process does require some level of that resource, and this includes, we talked about the CPU time, but there's also a part where you deal with process control blocks, or PCB, Papa Charlie Baker. Now, PCBs act as a data structure that helps keep track of all the resources that are going on and the states that each one of the processes is in, so kind of like a passport for the process. This details what it can do. It basically tells what resources it has, where they need to go, and so forth. So the PCB, the process control block, acts as a data structure that keeps track of all the resources and the process states. Each process will run with a set of permissions. This is what we call security context. Security context basically ensures that each of the processes that are running have a certain set of permissions, what they can and cannot do.
Speaker 1:
Why is this important to cyber security? The process that we've created? Right, you're creating all of these different. You're allocating this time. You're providing these process control blocks. You have data. Now there are applications that are inheriting this from the child and parent relationships. You have this back, going back and forth. You want to make sure that you have enough protections in place, that you're monitoring these actions, because what you don't want to have happen is a rogue or unauthorized process that gains access that it shouldn't have and therefore it would end up having a behavior that would be outside of what you're anticipating. Okay, the execution of a process.
Speaker 1:
Now we're talking about process scheduling. Now the CPU is what's happening. It's basically your brain of your application or of your system, and the CPU can handle one task at a time per core and that's why you'll hear you have multi-cores and multi-threading. You'll get with all of that. That deals with the CPU specifically. But bottom line is it can handle one task and we're just talking about a CPU right now. If you get into the Google Cloud, into the AWS, you can do all kinds of different tasks because of the capability of this virtual environment. But for the sake of this podcast, we're going to focus specifically on what this one CPU can do.
Speaker 1:
Now the process of scheduling is kind of like, obviously, a juggling act, where an operating system will decide what process gets the CPU's attention, and then it'll ensure that that part of it, that attention that it's getting, is efficiently utilized and every process gets a turn. So it's basically saying, if I'm going to do task A, if I'm going to pick this block up and move this block over to the table, then it's going to focus on that. It's doing that specific task the way it's supposed to do it. That is process scheduling. So it's ensuring that it picks up that block and takes it over to the table. CPU utilization is that, once this is scheduled, the process uses the CPU to execute its instructions, and this is basically the doing phase. You have the scheduling phase and then you have the doing phase. The doing phase is where the calculations occur, the data is manipulated or the IO, input-output, operations are initiated. So process scheduling, CPU utilization.
Speaker 1:
Okay, so now we're gonna get into actual switching. The switching is between the user and the privileged modes. So you have your normal user mode that is occurring, and this is basically a process that might be different levels, basically will have different times that they may access information, but you'll switch between user and privileged mode. So user is a restricted mode, privileged is an elevated mode, and it ensures that processes have the necessary permissions that they need to run while ensuring they maintain the security boundaries. So, as an example, one of the big things that a hacker will love to do is take advantage, will start off in a user mode and then take advantage of that user mode and move into a more privileged mode or elevated mode. Because once they get into that elevated mode, then what ends up happening is they have much more scope within a computer system than what they have as a standard user. This is why local administrator accounts are a bad idea, because what ends up happening is they're fine for that specific system, but what people tend to do is they'll say, Sean, let's put Sean in the elevated group, and Sean is an admin, and then Sean will be put into an overall group of admins and we'll drop Sean's name in there. So it went from having access to one computer to having access to many.
Speaker 1:
Same kind of concept, right? When you're dealing with computer systems, you want to keep it as limited or as restricted as possible, and that would be the user person. Right, you want the user account, the user access. Then the privilege would be the elevated access. Now there's process states that you will hear within the CISSP, and that comes around busy, waiting or ready to start, and these are the various processes that will be getting ready to go. And your busy means it's processing, your waiting is waiting for a command, and then ready to start means it's ready to actually get up and go, and that's the ultimate point within your process states. They reflect what your current status is of the execution lifecycle related to these overall applications. From a standpoint of security, you want to ensure that when these different users and privileged accounts are working, you are watching what's occurring. The reason is that, like we talked about before, the attacker will want to elevate their privileges to be able to do malicious activity. So one, if you have an attacker that's doing it, or you have an application that is trying to use those elevated privileges, it will be a good indicator that you may have a problem.
Speaker 1:
So now we're going to get into what termination of a process is, what exactly is a termination? So you have various pieces around the termination piece. You have normal termination, forced termination, and then you have resource deallocation. So we're going to get into those main things right there. Normal termination is when you're finishing a task or a process that concludes its operation. Makes sense, right? Once it's done, it terminates, it gives back the borrowed resources and informs the system that it's done. It's completed, and you'd want this to do this, because if it didn't, the CPU would just continue to keep running on that specific task. So therefore, you want it to stop, and that would be a normal termination. It is the natural end to the overall process's life cycle.
Speaker 1:
Then you want to have a forced termination. Now this happens sometimes when there's too many resources that are hanging on without any progress. So you'll see this, in the case of, in the past with Windows, you get the dreaded blue screen of death. Sometimes it will hang because it's waiting for more processes. If it's waiting for it and it never gets it, then it can create a security risk in many ways, because one, it can go ahead and burp and roll over. Two, the other aspect is that sometimes the application, when it hangs and it can't figure out what to do, it will give up credentials, it will give up access. So therefore a forced termination is happening when the processes don't end as expected. So it's an important factor around this, and you want to ensure in these cases that an external force, like an administrator or an automated system action, ends the process. We don't want to have a hacker or someone else actually try to end this process. You want it to be a normalized forced process that's done by somebody that is in, or an application that's in, that state. Okay. So once this is done, once the process is over, then you want to ensure that the resources are reallocated to ensure there's no waste and they have optimal performance for the other systems that are waiting for it. So you have a normal termination, you shut it down. You have a forced termination, where someone will forcefully shut the system down, and then you want to have the system reallocate the overall resources that have occurred. Now, again, when it comes down to termination, security privileges and their permissions can be taken away, ensuring that no residual or lingering access remains, and you want to ensure that when these systems, these processes, are over, those privileges are removed from that process.
Speaker 1:
Okay, the next area we are going to discuss is the process scheduling. Now, an operating system uses a scheduling algorithm to decide when to use the CPU for execution. There's various pieces around this. There's a scheduling algorithm, there's load balancing, there's priority-based scheduling and there's preemptive versus non-preemptive scheduling. So we'll get into that piece of it too.
Speaker 1:
So when you're dealing with process scheduling, your scheduling algorithms, there are various types of them. You have first come, first serve. Obviously, it's just like when you go to a restaurant: you show up, you're the first one in line, you get served. You have the shortest job next, which basically means it knows from a processing standpoint which one is the shortest, and so therefore it will run those quick wins early. And then you have the round robin aspect of it, where it just basically goes around and it's looking for options. These are all employed to prioritize and be sequenced in the overall processing plan. So you want to ensure that when you're dealing with the algorithms, and you may see this on the CISSP, it's first come, first serve, shortest job next and then round robin. Understand what they're asking for, read the question, know what that would mean in relation to processes, and know that if you have first come, first serve, that's just like it says. Shortest job next, as it relates to the process, you can figure out that if you have process A that is, I'm just going to use 10 milliseconds, and then you have process B that is going to take you five milliseconds, it's going to do the shortest job next. And then the round robin, where it's basically just going around and getting whatever it can. So load balancing: in load balancing in a multi-core system, the scheduler will distribute the load evenly across all cores to optimize performance, so that again, like you see within the AWS environment, within the cloud environment, load balancing is distributing the load evenly across them all, so that you're not having basically one core that's being idle while another one is working its tail off.
Speaker 1:
Priority-based scheduling: this is where some of the processes might have a higher priority due to the critical nature of the overall process. The operating system will ensure that these processes get the CPU's time preferred, or preferential. They want to make sure that those will take that. This process must occur, and so it will dump other ones, or at least it will prioritize them in a lower form than the higher prioritized option. Then you have preemptive versus non-preemptive. Preemptive scheduling is where a running process can be interrupted and moved to a ready state if a higher priority process comes in. Non-preemptive basically means it's gonna run till completion, whether or not something else comes in. So again, when we talk about priority scheduling, you have scheduling algorithms, load balancing, priority-based scheduling and preemptive versus non-preemptive.
Speaker 1:
So think about, if you might see this on the CISSP, understand what they're asking around the scheduling piece of the process and then try to dig deeper into the question. When you're dealing with CPU utilization, there's some key terms you're going to want to understand around that. One is instruction set architecture, cycles per instruction and concurrency, and you're probably all going, okay, I'm like losing my mind here, because there's so many of these questions, there's so much of this context. The main thing to think about is that when you're dealing with the CPUs, what does a CPU do? It's a central processing unit, and it performs various actions such as computational data, data manipulation, input-output operations. So IO is considered input-output, and so it will do this using instruction set architecture. What that means is that CPUs have a defined set of operations that they can perform, which is called an ISA. This is what they're designed to do and they follow this ISA, and these processes on the CPU are written in a manner that aligns with this specific architecture or framework. It follows those operations.
Speaker 1:
Now the next piece of it, you see, you have the framework, which is ISA, and then you have the cycles per instruction, which is your CPI, and this is the number of clock cycles a CPU takes to execute the instruction. So how many times it's going, how many times it's clicking, is what the CPI, or the cycles per instruction on a CPU, are. You obviously want to optimize the code to reduce any issues that it may have and have faster performance. So you'll see some coders will actually develop their code for a specific CPU type. Now if they do that, what they're trying to accomplish is being able to use the CPU to its maximum efficiency. This is where, if you have a CPU that is, you're just basically using a commercial grade of CPU and you just have commercial grade applications, they will base it on what they feel the CPU should be able to do from cycles per instruction.
Speaker 1:
Now, again, if you're building something out that you really want to optimize, there's a lot of waste when you just use commercial off-the-shelf CPUs and commercial development code. When you have it where it's tailored, you will be able to maximize the performance of those systems. The downside, obviously, is technology changes so quickly, and because it's changing every 18 months, if you do that very specific development work for that CPU, very quickly it becomes out of date, and so that's where I can see it in a very specific application to do a very specific job. One example would be the military. When they build these systems and they put these in airplanes, they're developed and designed specifically for that purpose and they don't do a lot of upgrades to the hardware, and so you would want the code to be able to maximize the CPUs that are being used within that piece of equipment. Then you have what we call context switching. The context switching will switch between the privileged and the user mode as it needs. But when it does this switching, it will incur some level of computational cost, which is why, when you're dealing with an operating system, they want to have them very specifically designed so that it minimizes that cost, that computational loss, going from an admin mode to a privileged mode, and you don't want to have unnecessary switching, one from a security standpoint and two from a computational standpoint.
Speaker 1:
So now we're going to get into the process states. So we've gone through a lot of different terms here, but what we're going to get into is what we call the process state. It focuses on ready, running and waiting. Now this depends on the resources needed and what's available. So those are the three processes that we will talk about. Real quick: Ready means the process is loaded into the main memory and awaits CPU time. So it's ready to go, but it's just ready to go, but it doesn't have what it needs. It hasn't been given the go-ahead to run.
Speaker 1:
Running is when the process is actively using CPU to execute its instructions specifically, and then waiting is a blocked mode, where this process is waiting for an event, such as an input output operation, to complete before it can proceed. So you have ready, which is ready, it's locked and loaded. You have running, which means it's running and actively running on the CPU, and then you have waiting, which is where it's waiting for an event, such as some sort of input or output, to finish up what it's doing. Now the transition between these states is often based on what we call a trigger or a specific event, like a resource availability or a task completion. They will go, then from ready to running and then to waiting. Ready to running to waiting. It'll do this while it's waiting for triggers or other types of activities to occur.
Speaker 1:
Now why is this important for security? For you to know this, right, it's like, oh my gosh, just shoot me now. The point of it is that a cyber attack will use these types of processes to be able to inject code as it feels like it needs to. So code injection, privilege escalation, these are all forms that can utilize these various parts within the CPU and within the overall process stack. So, as a cybersecurity person, you may be looking at how the behavior of the CPU is occurring, and if it's acting outside of the normal parameters in which it should, that may be an indication you have a possible problem. The forensics piece of this: after the incident is over, you may have to go in and dig through the memory to realize what the attacker was doing specifically to that CPU. And also, by understanding all of this background, you may decide to put in some level of process isolation to keep processes separate, so that would limit any sort of malicious activity that could occur.
Speaker 1:
So again, I know all this stuff is just like overwhelming, the amount of knowledge you have to have. The key thing to think about as you read through is, one, I have all these notes that are on CISSP Cyber, but also in the video as well, but also know that if you understand how these processes work, and it doesn't have to be that you have to know specifically every possible word, but you need to understand the overall, understand the concepts, the bigger picture, because as a CISSP and potentially as a leader within security, these things are going to come up and you're going to have to know, how do I communicate with a person around the aspects of resource allocation? And, to be honest, I don't have deep, deep, deep knowledge of all these areas. There's just no way. But I know enough to be able to have a conversation with people who do, and that is the overall understanding you need to get out of the CISSP.
Speaker 1:
Now, one thing I'm going to kind of run into is what we call kernel mode, and this is where we deal with privilege escalation that occurs, and many times what will happen is bad guys will want to actually modify the kernel, and I didn't know what that meant at first. I thought the kernel was either Colonel Sanders, who did Kentucky Fried Chicken, or kernel that was based on corn, right, your maize, maize, something like that. But no, this kernel is a little different, and this kernel is spelled K-E-R-N-E-L, kernel mode. So the kernel is the most privileged level of execution in a computer system. It's the operating state where the kernel, or the core part of the operating system, has unrestricted access to all hardware resources. So it's basically the keys to the kingdom, and hence that is why hackers will go after them, because they know that it has these elevated capabilities and so therefore it needs to run that way.
Speaker 1:
Now this differentiates from user mode, where applications run with limited access. If they have to have elevated access, they'll go into the actual kernel mode. Now the kernel, like we mentioned before, can interact specifically with hardware components such as the CPU, memory and input/output devices, and this does allow for privileged instructions which cannot be run within user mode. So kernel mode is a high trust area, and so therefore we don't want any sort of application to run in kernel mode if it doesn't have to, and typically they like to try to keep that out of it. The application should be able to run in user mode with all of its capabilities, because once you get into that trusted area of the kernel, then you can have a big problem. This is where the system can be compromised very quickly if you gain the right amount of privileges with that specific kernel. Now it basically comes down to this: when you're dealing with these modern operating systems, such as memory management units, or MMUs, these are designed to protect the kernel's memory space and to keep attackers out, or to keep unwanted applications from accessing the kernel. Now, when you're dealing with going from user mode to kernel mode, this is what they call a context switch, and it typically goes through system calls, interrupts or exceptions, and this is what happens when it's trying to access the files that require this kernel to basically take over and operate the hardware.
Speaker 1:
Now, when you're dealing with kernel mode in the operating system, we'll talk about just the two main ones. I'm not going to get into Mac, but we'll just focus on Windows and Linux. Kernel mode is where the Windows kernel operates and includes most components, such as the HAL, which is your hardware abstraction layer. That's another one you're going to have to know, because I've seen that one on the CISSP before, the HAL. Then there's Linux, which separates user and kernel mode, meaning the applications cannot directly alter the kernel operations without authorization. So you have Windows, where the kernel operates, which includes the HAL, the hardware abstraction layer. And then you have Linux, where the user and the kernel mode are separated, so basically the application can't directly interact with the kernel operation without proper authorization. So, as it relates to, what do you do with that? Okay, that's a lot of words, it's a lot of craziness. How does this help me? Well, when you're dealing with protecting the CPU, they have different levels, or rings, of protection, and we've talked about this at CISSP Cyber Training in the training content that I have. You have different rings, and when you're dealing with the different rings, they basically have the different levels to the overall system.
Speaker 1:
Ring zero is what they consider the kernel mode. It's like the epicenter, it's the highest level of trust. And when you're dealing with ring zero, you need to have ways to protect it from ring one, two and so forth. Operating systems will deploy various protection mechanisms, such as supervisor mode execution prevention, or SMEP. Okay, yeah, that's a really weird word, SMEP, and this prevents users from using code to execute it all in the kernel mode, and so they will put those in place. Again, bottom line is ring zero. Okay, the ring that rules them all. Ring zero is the kernel mode and it is in the center, and you want to have ways to protect anything from running, and what they have is SMEP. Yes, SMEP is the protection of the ring that rules them all. You didn't know, but it works in the computer system.
Speaker 1:
Performance considerations to think about: kernel mode is typically much faster than user mode. Why? Because of the direct hardware access. However, it obviously has a lot of issues if you do that, right. Bad things can happen. But excessive switching between user and kernel mode, which is also known as thrashing, that was a term that I had not really heard about before, but they use that term called thrashing, which is when it goes back and forth between user and kernel, can obviously degrade performance. You want it to be able to run in a very steady and stable mode. Going between kernel and user mode is not stable, and therefore you get, obviously, thrashing.
Speaker 1:
Now, when you're dealing with the development aspect of this, we want to understand that developers must test in kernel mode due to, obviously, the effect on system stability, but you want individuals to run in user mode. So your developers need to understand the kernel and how it works, especially if they're having to do any sort of calls to the kernel, and that's, I would say, one of the challenges I had with my developers: they didn't truly understand how that worked. And so therefore, if you do have a development team that you deal with, you want to make sure that they basically have the education they need, because you don't want someone dipping their toe into the kernel when they really, truly don't understand what they're trying to accomplish. Now there are various security mechanisms that have been put in place, like we mentioned, to protect the kernel. PatchGuard is another one that Windows has that will help modify any sort of kernel mode modifications. But you just need to keep in mind that when you're dealing with kernel mode versus user mode, kernel mode is the elevated privileges. User mode is the normal operations in your day-to-day aspects, and that's how you need to ensure that they stay that way.
Speaker 1:
Okay, so the last thing we're going to talk about with mode switching, between the privileged and the user modes, is that switching between user mode and privileged mode will occur. There's usually a transition phase that goes between these. They call that mode switching, and that's where you go from user to privileged. And that mode switching, like we just mentioned before, if it's done incorrectly, would be called thrashing. Now, during the CPU changes, you want to ensure that the instructions that are set up will alter the access to resources as necessary. Now you want to have the ability. I say you won't have any control of this, right, because the computer comes as it is.
Speaker 1:
But one of the things that they recommend when you're dealing with the kernel is you have state preservation, and that preservation means that when, just like anything else, things happen, how do I get back to the main state that it was in? How do I reinstall or go back to a known good state? That's another part that they're going to want to deal with when you're focusing on the kernel and they're running in privileged mode: how do you get back to a known good state? So, again, you don't want to mess with the kernel unless you absolutely have to. And if you do mess with the kernel, you want to ensure that your development team understands what exactly they're doing, how they could get back to a known good state if things go bad. Also, what kind of context are they running this in? Is it user or privileged mode? And ensure that they truly understand what they are doing.
Speaker 1:
Last thing is, when you're dealing with authorization and validation, it is important that you have some sort of mechanism in place to limit what people can do inside these various modes. Again, we've talked about this time and again. If you get it back to the basics of any level of security, it all focuses on this: you want to run everything you possibly can in a restricted state. Only run what is necessary and needed, for the shortest amount of time possible, in a privileged state. That is the best way to keep yourself out of trouble. Again, we talked about a lot in this whole thing. This has been a lot of back and forth information around these various states, but if you can just boil it down to your privileged and your user accounts and when you would use those, you can avoid the thrashing. We don't want the thrashing, right. So, Teenage Mutant Ninja Turtles, there was a Thrasher in that, I think. Yes, that just shows how old I am. I think, well, actually, they redo the Teenage Mutant Ninja Turtles on a yearly basis, but avoid the Thrasher. Anyway, that's all I've got for you today.
Speaker 1:
I hope you guys enjoyed this. I hope you're not asleep at the wheel if you're driving into work, which a lot of people do when they listen to this podcast. Wake up. Now's the time to wake up. Before you get into work, take your Tesla off autopilot and you can now get back to your job. But have a wonderful day, everybody. Hope you guys enjoyed this episode. I know it was deep, it was hard, and guess what? On Thursday the CISSP questions will be out there specifically for this one, so you will love it. It will be another one that will keep you awake. All right, have a great day and we'll catch you on the flip side. See ya.