Specific Syscalls #152
Specific Syscalls #152
Conversation
If I understand the problem, you are making edits but not seeing those in the tree viewer for the classes. Sometimes the Protege app will not display what it should even though you've made a change. Try closing the tree and re-opening. You may need to save and reload to get it to render the tree as expected.
[It's possible I haven't interpreted this question right, but here goes...] By 'neighbors' I will assume you mean specifically sibling entries for specific types of calls for say, different OSes (i.e., children of a common parent class.) As an example of a singleton (no siblings aka neighbors), I see a singleton child 'Windows NtDuplicateToken' as subclass (child) of 'Copy Token'. Generally, we'd hope to find some additional children, just like one would in document outlines so we would have something additional to contrast or even to create a partition across the children classes. But sometimes there is a specialization of a parent concept that needs to be expressed and is just that, a singleton class. Don't worry too much if you haven't found an equivalent Linux specialization of the notion of 'Copy Token' just yet. If you are highly confident there is no equivalent anywhere, then moving Windows NtDuplicateToken up a level might make sense the general case of ontology class design [1]. [1] I'm not sure of all the use cases or prior discussion here, so even if you are sure there is no Linux analog to Windows for Copy Token, delay moving it up until we have a quick chat with the rest of the syscall taxonomy dev & review team. Having an 'unnecessary' abstraction won't hurt any of the logic and might make it easier to navigate (having a first layer of only syscall abstractions at the top level of System Call hierarchy could come in handy.)
Well you can reuse a class in the sense it can show up in different contexts, structures, or occasionally even have multiple parents. If there are different concepts (say one for pausing a thread and one for pausing a process) then they should be different classes with different IRIs and different labels. I'd recommend having two different classes here: one under Suspend Process (rename existing IRI and label from LinuxPause and Linux Pause to LinuxPauseProcess and 'Linux Pause Process) respectively and add one under Suspend Thread (Linux Pause Thread). Both of these Linux children classes can reference seeAlso -> ..../pause(2). Then copy over and distinguish the definition of Linux Pause Thread, borrowing from Linux Pause Process. |
|
Shouldn't we have a POSIX taxonomy first? |
This is a great idea, since we've already done the windows analysis perhaps second :) @ryantxu1 let me know your thoughts here. |
|
@netfl0 Open to exploring this eventually, are we envisioning a similar process of bucketing the system interfaces in POSIX similar to the linux/windows syscalls? |
|
Further considerations you may have already taken into account and that - imho - could shift the bar towards POSIX APIs. OTOH POSIX APIs can be either system calls (eg.
Forking can done in different ways, e.g.,
It is probably easier to use that kind of reference. Moreover it can apply to other OSs Questions:
|
src/ontology/d3fend-protege.ttl
Outdated
| @@ -16216,8 +16593,7 @@ order to constitute a complete standard. For a complete definition of all requir | |||
| rdfs:label "Linux ELF File 64bit" . | |||
|
|
|||
| :LinuxExec a :CreateProcess, | |||
There was a problem hiding this comment.
LinuxExec does not create a process. Instead, it replaces the program that is currently being run by the calling process with a new program, with newly initialized stack, heap, and (initialized and
uninitialized) data segments.
There are other parts of the process that are not replaced, eg.,
The process's real UID and real GID, as well its supplementary group IDs, are unchanged;
file descriptors remain open unless marked close-on-exec.
Syscalls are a slippery slope...
src/ontology/d3fend-protege.ttl
Outdated
| @@ -6264,6 +6296,216 @@ Most current Unix-like systems and Microsoft Windows support loadable kernel mod | |||
| rdfs:subClassOf :DigitalArtifact ; | |||
| rdfs:seeAlso "https://dbpedia.org/resource/Link" . | |||
|
|
|||
| :Linux_Exit a owl:Class ; | |||
| rdfs:label "Linux _Exit" ; | |||
There was a problem hiding this comment.
Can't find _exit in man 2 syscalls | grep _exit
instead, there's an _exit in POSIX.
Here and elsewhere: why don't use the verbatim syscall name, e.g. "exit(2)" in the label?
There was a problem hiding this comment.
@ioggstream I put '_exit' because the man page of that specifically states that as the name when actually calling the function.
https://man7.org/linux/man-pages/man2/exit.2.html
That is also why I left out the '(2)' in the labels as I was focusing on the function names themselves. However, I'm happy to reconsider the naming convention if there's an advantage to do so!
There was a problem hiding this comment.
Using system call names or function signatures is a "design" choice. Since implementations can vary in time (see also the link you posted https://man7.org/linux/man-pages/man2/exit.2.html) if we want to focus on Linux, I'd use a man-like uri (e.g. man-pages/man2/exit.2.html references both exit and 2).
This allows us to define a POSIX version (e.g., POSIX_exit)
Moreover, I'd avoid camelizing the syscall name (e.g., Linux-exit or Linux-_exit, or something like that)
src/ontology/d3fend-protege.ttl
Outdated
| :LinuxExecve a owl:Class ; | ||
| rdfs:label "Linux Execve" ; | ||
| rdfs:subClassOf :CreateProcess ; | ||
| :definition "Execute program." ; | ||
| rdfs:seeAlso "https://man7.org/linux/man-pages/man2/execve.2.html" . | ||
|
|
||
| :LinuxExecveat a owl:Class ; | ||
| rdfs:label "Linux Execveat" ; | ||
| rdfs:subClassOf :CreateProcess ; | ||
| :definition "Execute program relative to a directory file descriptor." ; | ||
| rdfs:seeAlso "https://man7.org/linux/man-pages/man2/execveat.2.html" . |
There was a problem hiding this comment.
Are Execute and Create in the same class?
There was a problem hiding this comment.
They both Create Process (this they are both a sublcass of that semantic class) if that makes sense. We've got some clean up coming, @ryantxu1 will be pushing to this branch soon.
There was a problem hiding this comment.
Understood. Since I don't think this reflects the Linux taxonomy I will wait for the cleanup.
|
let me know when ready for review |
|
@netfl0 Ready for review |
src/ontology/d3fend-protege.ttl
Outdated
| [ a owl:Restriction ; | ||
| owl:onProperty :executes ; | ||
| owl:someValuesFrom :Process ] ; | ||
| :definition "Executes a process." ; |
There was a problem hiding this comment.
IIUC with system calls, you execute a program. I see that in the Windows world there's spawnwe() that makes fork/exec, but the name ExecuteProcess is confusing to me.
src/ontology/d3fend-protege.ttl
Outdated
| @@ -4525,7 +4535,7 @@ SafeSEH might be applied only to some executable files or modules, allowing an a | |||
| owl:someValuesFrom :ExecutableFile ], | |||
| [ a owl:Restriction ; | |||
| owl:onProperty :restricts ; | |||
| owl:someValuesFrom :CreateProcess ] ; | |||
| owl:someValuesFrom :SpawnProcess ] ; | |||
There was a problem hiding this comment.
Formally, when the execve(2) is invoked, the process was already spawn.
Moreover, I can create a new process just forking an existing one without execve(2) - e.g., running another instance of the same program.
src/ontology/d3fend-protege.ttl
Outdated
| rdfs:label "Spawn Process" ; | ||
| skos:altLabel "Process Spawn" ; | ||
| rdfs:subClassOf :SystemCall ; | ||
| :definition "A process spawn refers to a function that loads and executes a new child process.The current process may wait for the child to terminate or may continue to execute asynchronously. Creating a new subprocess requires enough memory in which both the child process and the current program can execute. There is a family of spawn functions in DOS, inherited by Microsoft Windows. There is also a different family of spawn functions in an optional extension of the POSIX standards. Fork-exec is another technique combining two Unix system calls, which can effect a process spawn." ; |
There was a problem hiding this comment.
| :definition "A process spawn refers to a function that loads and executes a new child process.The current process may wait for the child to terminate or may continue to execute asynchronously. Creating a new subprocess requires enough memory in which both the child process and the current program can execute. There is a family of spawn functions in DOS, inherited by Microsoft Windows. There is also a different family of spawn functions in an optional extension of the POSIX standards. Fork-exec is another technique combining two Unix system calls, which can effect a process spawn." ; | |
| :definition "A process spawn refers to a function that loads an executable and executes it in a new child process. The current process may wait for the child to terminate or may continue to execute asynchronously. Creating a subprocess requires enough memory in which both the child process and the current program can execute. There is a family of spawn functions in DOS, inherited by Microsoft Windows. There is also a different family of spawn functions in an optional extension of the POSIX standards. Fork-exec is another technique combining two Unix system calls, which can effect a process spawn." ; |
src/ontology/d3fend-protege.ttl
Outdated
| owl:onProperty :suspends ; | ||
| owl:someValuesFrom :Thread ] ; | ||
| :definition "Suspending a thread causes the thread to stop executing user-mode code." ; | ||
| rdfs:seeAlso "https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-suspendthread" . |
There was a problem hiding this comment.
See also https://man7.org/linux/man-pages/man2/signal.2.html
IIRC on Linux it's the Kernel scheduler pausing the thread (e.g., https://docs.kernel.org/scheduler/sched-design-CFS.html ) but I can be a bit rusty on this topic.
Adding specific linux and windows syscalls to the taxonomy.
Before merging @hack-sentinel I have a few questions: