Virtual Machines vs. Containers
49 Questions

Questions and Answers

Which security feature is integrated into Android to ensure the integrity of the operating system?

  • Seccomp
  • SELinux
  • eBPF
  • Verified Boot (correct)

    Linux requires automated sandboxing for all applications.

    False

    What is the primary difference between Linux and Android in terms of sandboxing?

    Linux requires manual configuration while Android has automated sandboxing built into the ecosystem.

    Android uses __________ to enforce mandatory app confinement.

    SELinux

    Match the following Linux security features with their descriptions:

    • SELinux = Mandatory Access Control
    • Seccomp = Filters system calls
    • eBPF = Fine-grained monitoring
    • Containers = Robust app isolation

    What is the primary advantage of using virtual machines?

    They allow multiple applications to run on a single server.

    Containers contain their own operating systems, just like virtual machines.

    False

    What is a hypervisor?

    A hypervisor is software that allows one machine to run multiple virtual machines by managing hardware resources.

    Containers require a ______ to run, which is an environment specific to its content.

    similar operating system

    Match the following technologies with their characteristics:

    • Virtual Machines = Heavyweight and slower to boot
    • Containers = Lightweight and faster to boot
    • Hypervisor = Manages multiple VMs
    • Docker = Popular containerization platform

    Which of the following is NOT a disadvantage of virtual machines?

    Must be packaged for specific operating systems

    Both virtual machines and containers can run on any operating system without restrictions.

    False

    List one advantage of using containers over virtual machines.

    Containers are faster to start up than virtual machines.

    A ______ is responsible for unpacking container files and passing them to the operating system kernel.

    container engine

    Match the file permission commands with their functions:

    • chmod = Changes file permissions
    • chown = Changes file ownership
    • ls = Lists files in a directory
    • mkdir = Creates a new directory

    What does the 'd' in the file permission string (e.g., drwxr-xr-x) indicate?

    It is a directory.

    When a server's underlying operating system crashes, only the virtual machines on that server go down.

    False

    What does 'rwx' signify in the permissions of a directory?

    Read, write, and execute permissions for the owner.

    The sum of read (4), write (2), and execute (1) permissions gives a value of ______.

    7

    What problem does virtual memory primarily solve?

    Insufficient RAM

    Each program shares the same memory space in a virtual memory system.

    False

    What is the term for the additional memory that can be accessed when RAM is insufficient?

    Swap memory

    When a program tries to access data that is not currently in RAM, this situation is known as a __________.

    page fault

    Match the following key concepts with their definitions:

    • Virtual Memory = Memory assigned to programs that doesn't overlap
    • Page Table = Mapping of virtual addresses to physical addresses
    • Page Fault = Exception raised when data is not in RAM
    • Swap Memory = Disk space used as additional memory

    What does a page table entry map?

    Virtual addresses to physical addresses

    The offset in virtual and physical addresses is always identical.

    True

    What is the purpose of a Translation Lookaside Buffer (TLB)?

    To cache translations from virtual to physical addresses

    Programs can corrupt each other's data if they access the same __________ in a shared memory space.

    address

    What happens during a page fault?

    The CPU raises an exception

    Having more RAM generally improves the performance of a computer during memory swapping.

    True

    What is memory fragmentation?

    A condition where free memory is split into small, non-contiguous blocks

    A __________ is used to classify and manage memory for each program efficiently.

    page table

    Match the following terms with their corresponding definitions:

    • Physical Memory = The actual RAM in the computer
    • Virtual Address = An address used by a program to access memory
    • Dirty Page = A page that has been modified after it was loaded
    • Least Recently Used = A page replacement strategy for memory management

    What command is used to add execute privileges for the owner and group in Linux?

    chmod 774

    The default permissions for a key pair on AWS EC2 instances are set to 644.

    False

    Which mechanism is used in Android for inter-process communication?

    Binder

    In a typical directory, the baseline permission can be set to _____ for the owner, group, and others.

    755

    Match the Linux commands with their respective functions:

    • chmod = Change file permissions
    • chroot = Change root directory
    • seccomp = Restrict system calls
    • iptables = Manage network traffic rules

    Which of the following best describes a key difference between Linux and Android sandboxing?

    Android apps run in isolated environments with unique UIDs.

    Linux uses a mandatory permission model for applications.

    False

    What is the primary purpose of cgroups in Linux sandboxing?

    Limit and monitor resource usage

    In Linux, the permission mode _____ lets the owner read and write, while the group can read only.

    640

    Match the following sandboxing features to their purposes:

    • SELinux = Mandatory access controls
    • Namespaces = Isolate resources
    • AppArmor = Security profiles
    • IPCs = Inter-app communication

    What does the 'chmod 664' command do?

    Adds read and write for owner and group, but read only for others

    Android's permission model allows users to revoke permissions at runtime.

    True

    What base permission level is commonly used for regular files in Linux?

    644

    Applications in Android have their own unique _____ assigned at install time for sandboxing.

    UID and GID

    Which security feature in Android helps prevent privilege escalation attacks?

    SELinux

    Network isolation in Linux can be achieved through network namespaces.

    True

    Study Notes

    Virtual Machines vs. Containers

    • Traditional server application setup involved one application per server, often underutilizing server power.
    • Virtual machines (VMs) simulate multiple servers on a single physical machine, using a hypervisor that allocates hardware resources to each VM.
    • Hypervisors include VMware ESXi, Citrix XenServer, and Microsoft Hyper-V.
    • VMs have drawbacks: large disk space usage due to dedicated OSes, high RAM and CPU consumption, slow startup times, and OS licensing costs.
    • Containers package application code with all needed files, configurations, and dependencies.
    • This allows easy distribution and runs without extra software/configurations.
    • Docker is primarily used to manage containers.
    • Containers share the server's underlying OS, making them lightweight, fast, and portable.
    • Container images must be compatible with the server's OS.
    • Container failure will affect all containers sharing the OS, whereas VM failure affects only the single VM.

    Linux File Permissions

    • All Linux files/directories have owner, group, and others permission levels.
    • Each level has read (r), write (w), and execute (x) permissions.
    • The "-l" flag of the ls command (ls -l) shows detailed permissions:
      • "d" indicates a directory.
      • "rwx" permissions for owner, group, and others.
      • Dashes represent missing permissions.
    • chown command changes file/directory owners and groups (e.g., sudo chown <new_owner>:<new_group> <filename>).
    • chmod command changes file/directory permissions using a numerical system (e.g., chmod <number> <filename>).
      • Example: chmod 774 <filename> (owner: rwx, group: rwx, others: r-x)

    Linux Sandboxing and Android Sandboxing

    • Both mechanisms isolate and protect applications.
    • Linux sandboxing uses namespaces, cgroups, SELinux, and AppArmor to isolate processes.
    • Android leverages Linux features, adding layers of abstraction for mobile app security and efficiency.
    • Android's app isolation uses unique UIDs/GIDs, file access restrictions, and IPC mechanisms.
    • Android's declarative permission model requires user consent and runtime permission management.
    • Key Security Differences: Linux sandboxing customization is manual, while Android is automated and integrated into the platform.
    • Android focuses on user privacy and malware prevention utilizing SELinux, Google Play Protect, etc.

    Virtual Memory

    • Virtual memory solves problems with insufficient RAM, memory fragmentation, and data security.
    • Older computers often had limited RAM, and running multiple applications at once frequently caused issues.
    • Memory fragmentation occurs when free memory is not contiguous.
    • Security issues exist if programs have access to the same memory space.
    • Virtual memory gives each program a unique address space, preventing overlaps and crashes.
    • It maps virtual addresses (program's view) to physical addresses (RAM).
    • Paging divides memory into fixed-size pages, making memory use efficient.
    • The OS uses a page table for virtual-to-physical address translation.
    • A translation lookaside buffer (TLB) is a cache to speed up translations.
    • Page faults occur when a page is not in memory (RAM), and the OS moves a page from RAM to disk or vice-versa.
    • Memory management units (MMUs) handle address translations and page faults.
    • Multi-level page tables address the challenge of running many programs simultaneously, by keeping the first-level table in RAM, and potentially swapping the second level tables to disk to preserve space.


    Description

    Explore the differences between virtual machines and containers in server application setups. This quiz covers topics such as hypervisors, resource allocation, and the benefits of using Docker for container management. Understand the technical aspects that make containers lightweight and portable compared to traditional VMs.
