Virtual Machines vs. Containers

Questions and Answers

Which security feature is integrated into Android to ensure the integrity of the operating system?

  • Seccomp
  • SELinux
  • eBPF
  • Verified Boot (correct)

Linux requires automated sandboxing for all applications.

False (B)

What is the primary difference between Linux and Android in terms of sandboxing?

Linux requires manual configuration while Android has automated sandboxing built into the ecosystem.

Android uses __________ to enforce mandatory app confinement.

SELinux

Match the following Linux security features with their descriptions:

  • SELinux = Mandatory Access Control
  • Seccomp = Filters system calls
  • eBPF = Fine-grained monitoring
  • Containers = Robust app isolation

What is the primary advantage of using virtual machines?

They allow multiple applications to run on a single server. (A)

Containers contain their own operating systems, just like virtual machines.

False (B)

What is a hypervisor?

A hypervisor is software that allows one machine to run multiple virtual machines by managing hardware resources.

Containers require a ______ to run, which is an environment specific to its content.

similar operating system

Match the following technologies with their characteristics:

  • Virtual Machines = Heavyweight and slower to boot
  • Containers = Lightweight and faster to boot
  • Hypervisor = Manages multiple VMs
  • Docker = Popular containerization platform

Which of the following is NOT a disadvantage of virtual machines?

Must be packaged for specific operating systems (D)

Both virtual machines and containers can run on any operating system without restrictions.

False (B)

List one advantage of using containers over virtual machines.

Containers are faster to start up than virtual machines.

A ______ is responsible for unpacking container files and passing them to the operating system kernel.

container engine

Match the file permission commands with their functions:

  • chmod = Changes file permissions
  • chown = Changes file ownership
  • ls = Lists files in a directory
  • mkdir = Creates a new directory

What does the leading 'd' in the file permission string (e.g., drwxr-xr-x) indicate?

It is a directory. (B)

When a server's underlying operating system crashes, only the virtual machines on that server go down.

False (B)

What does 'rwx' signify in the permissions of a directory?

Read, write, and execute permissions for the owner.

The sum of read (4), write (2), and execute (1) permissions gives a value of ______.

7

What problem does virtual memory primarily solve?

Insufficient RAM (A)

Each program shares the same memory space in a virtual memory system.

False (B)

What is the term for the additional memory that can be accessed when RAM is insufficient?

Swap memory

When a program tries to access data that is not currently in RAM, this situation is known as a __________.

page fault

Match the following key concepts with their definitions:

  • Virtual Memory = Memory assigned to programs that doesn't overlap
  • Page Table = Mapping of virtual addresses to physical addresses
  • Page Fault = Exception raised when data is not in RAM
  • Swap Memory = Disk space used as additional memory

What does a page table entry map?

Virtual addresses to physical addresses (D)

The offset in virtual and physical addresses is always identical.

True (A)

What is the purpose of a Translation Lookaside Buffer (TLB)?

To cache translations from virtual to physical addresses

Programs can corrupt each other's data if they access the same __________ in a shared memory space.

address

What happens during a page fault?

The CPU raises an exception (A)

Having more RAM generally improves the performance of a computer during memory swapping.

True (A)

What is memory fragmentation?

A condition where free memory is split into small, non-contiguous blocks

A __________ is used to classify and manage memory for each program efficiently.

page table

Match the following terms with their corresponding definitions:

  • Physical Memory = The actual RAM in the computer
  • Virtual Address = An address used by a program to access memory
  • Dirty Page = A page that has been modified after it was loaded
  • Least Recently Used = A page replacement strategy for memory management

What command is used to add execute privileges for the owner and group in Linux?

chmod 774 (B)

The default permissions for a key pair on AWS EC2 instances is set to 644.

False (B)

Which mechanism is used in Android for inter-process communication?

Binder

In a typical directory, the baseline permission can be set to _____ for the owner, group, and others.

755

Match the Linux commands with their respective functions:

  • chmod = Change file permissions
  • chroot = Change root directory
  • seccomp = Restrict system calls
  • iptables = Manage network traffic rules

Which of the following best describes a key difference between Linux and Android sandboxing?

Android apps run in isolated environments with unique UIDs. (D)

Linux uses a mandatory permission model for applications.

False (B)

What is the primary purpose of cgroups in Linux sandboxing?

Limit and monitor resource usage

In Linux, the permission mode _____ lets the owner read and write, while the group can read only.

640

Match the following sandboxing features to their purposes:

  • SELinux = Mandatory access controls
  • Namespaces = Isolate resources
  • AppArmor = Security profiles
  • IPCs = Inter-app communication

What does the 'chmod 664' command do?

Adds read and write for owner and group, but read only for others (D)

Android's permission model allows users to revoke permissions at runtime.

True (A)

What is the base permission level for files in Linux commonly used for regular files?

644

Applications in Android have their own unique _____ assigned at install time for sandboxing.

UID and GID

Which security feature in Android helps prevent privilege escalation attacks?

SELinux (B)

Network isolation in Linux can be achieved through network namespaces.

True (A)

Flashcards

SELinux/AppArmor

SELinux and AppArmor are security tools that enforce strict access control policies, limiting what programs and users can do within the system.

Seccomp

Seccomp is a mechanism that allows you to restrict the system calls a program can make, preventing it from doing harmful operations.

eBPF

eBPF allows you to monitor and filter network traffic in real-time, enabling you to identify and block suspicious activity.

Verified Boot

Verified Boot ensures that the Android operating system has not been tampered with, verifying its integrity before booting.

Google Play Protect

Google Play Protect actively scans apps on your device for malware and other threats, protecting your privacy and security.

What is a virtual machine?

A virtual machine (VM) is a software-based emulation of a physical computer system. It allows multiple operating systems and applications to run on a single physical server, each operating independently within its own virtualized environment.

What is a hypervisor?

A hypervisor is a software layer that manages and controls the allocation of hardware resources to virtual machines. It acts as an intermediary between the physical server hardware and the guest operating systems running within the VMs.

What is a container?

A container is a lightweight and portable software package that bundles an application with all its dependencies, such as libraries, configurations, and other required software components. This allows the application to run consistently across different computing environments.

What is Docker?

Docker is a popular open-source platform for creating, managing, and deploying containers. It provides tools for building container images, running containers, and orchestrating container deployments.

What is a container engine?

A container engine is a software component that manages the lifecycle of containers. It unpacks container images, allocates resources, and runs containers on the underlying operating system.

What are file permissions in Linux?

File permissions in Linux control who can access and modify files and directories. They are represented by a three-part code: owner, group, and others, each with permissions for read, write, and execute.

What is the chown command in Linux?

The chown command is used to change the owner of a file or directory in Linux. It takes the new owner's username as the first argument and the file or directory name as the second argument.

What is the chmod command in Linux?

The chmod command is used to change the permissions of a file or directory in Linux. It uses octal numbers representing the permissions for owner, group, and others.

What are owner permissions in Linux?

The owner permissions define what actions the owner of a file or directory can perform, such as reading, writing, or executing.

What are group permissions in Linux?

Group permissions determine what actions members of a specific group can perform on a file or directory. Groups are assigned to files and directories and allow for shared access and collaboration.

What are others permissions in Linux?

Others permissions define what actions any other user on the system can perform on a file or directory. These permissions are typically restricted, granting only read access by default.

What is read permission in Linux?

Read permission allows users to view the contents of a file or list the contents of a directory.

What is write permission in Linux?

Write permission allows users to modify the contents of a file or to create new files or subdirectories within a directory.

What is execute permission in Linux?

Execute permission allows users to run executable files or to access subdirectories within a directory.

What is the key difference in operating system sharing between containers and VMs?

Containers share the underlying operating system of the host machine, while VMs have their own dedicated operating system. This makes containers much lighter and faster, but also means they are less isolated.

Linux Sandboxing

A mechanism that isolates and protects applications and processes from each other in Linux, using features like namespaces, cgroups, SELinux, AppArmor, and file permissions.

Android Sandboxing

A mechanism used in Android to isolate and protect applications, built upon Linux features and tailored for mobile app security.

Namespaces in Linux Sandboxing

In Linux, namespaces create isolated views of resources like process trees, file systems, and network interfaces. For example, a namespace could isolate a process's view of the file system, preventing it from accessing files outside its designated area.

cgroups in Linux Sandboxing

In Linux, cgroups (Control Groups) limit and monitor resource usage (CPU, memory, I/O) for specific processes. They enable the operating system to allocate and track resource consumption for isolated apps.

App Isolation in Android

In Android, each app runs in its own sandbox, isolated using a unique Linux UID (User ID) and GID (Group ID) assigned during installation.

File Access Restrictions in Android

In Android, each app can access its own files, and can only access other files if explicitly shared.

IPC Mechanisms in Android

In Android, apps communicate via controlled inter-process communication (IPC) mechanisms like the Binder framework. For example, Binder can be utilized to pass specific information between apps while enforcing permission restrictions.

Permissions in Linux Sandboxing

In Linux, permissions are based on users and groups. Files and resources are protected using traditional read, write, and execute permissions (rwx).

Permission Systems in Android

In Android, permissions are declared in the app’s AndroidManifest.xml file and are divided into categories, such as normal, dangerous, signature, etc. Users must grant explicit permission for dangerous permissions.

Network Isolation in Linux

In Linux, network isolation is achieved using techniques like network namespaces, which create isolated network stacks, and iptables/nftables, which manage network traffic rules.

Network Isolation in Android

In Android, apps cannot directly access network interfaces. Instead, they use system-provided APIs, allowing Android to enforce network restrictions based on user permissions and policies.

Inter-Process Communication (IPC) in Linux

In Linux, traditional IPC mechanisms like pipes, shared memory, and sockets are not sandbox-aware but can be restricted by sandboxing tools to prevent unauthorized communication.

Inter-Process Communication (IPC) in Android

Android uses a custom IPC mechanism called Binder, which enforces permissions for cross-app communication, controls access to data, and prevents apps from directly interfering with each other's processes.

Security Goals of Linux Sandboxing

Linux sandboxing focuses on flexibility and containment, enabling administrators to configure sandboxing policies manually or via tools.

Security Goals of Android Sandboxing

Android sandboxing prioritizes user privacy and malware prevention, protecting users from malicious apps by isolating app data and enforcing strict permissions.

Virtual Memory

The amount of memory that a program thinks it has access to. Each program has its own virtual memory space, which doesn't overlap with other programs.

Physical Memory

The actual amount of RAM available to a computer. This is the physical memory that the CPU directly accesses.

Address Translation

The process of mapping a program's virtual addresses to physical addresses. This allows programs to run even if their total memory needs exceed the available physical RAM.

Page Table

A table that stores the mapping between virtual and physical addresses. It allows the OS to manage the virtual memory system.

Page

A fixed-size block of memory in both virtual and physical memory. Pages are typically 4 kilobytes in size.

Offset

The last 12 bits of a virtual or physical address, used to identify the location within a page.

Page Number

The portion of a virtual or physical address that identifies which page the address belongs to.

Page Fault

An exception generated by the CPU when a program tries to access a page that is not currently loaded into physical memory.

Translation Lookaside Buffer (TLB)

A special hardware component in the CPU that caches the mappings between virtual and physical addresses to speed up address translation.

Memory Management Unit (MMU)

The hardware component responsible for address translation and generating page faults. It connects virtual addresses to physical memory.

Multi-level TLBs

A technique used to improve the performance of TLBs by adding multiple levels of caches. This reduces the need to access physical RAM.

Multi-level Page Tables

A mechanism that allows the OS to swap out second-level page table entries to disk to save memory. This is especially helpful for programs that don't use much RAM.

Swapping

The process of moving data from disk to RAM when a program needs to access it, and writing data from RAM back to disk when it's no longer needed.

Swap Space

A special area on the disk used to store data that is not currently in RAM. It acts as a temporary holding space for swapped pages.

Study Notes

Virtual Machines vs. Containers

  • Traditional server application setup involved one application per server, often underutilizing server power.
  • Virtual machines (VMs) simulate multiple servers on a single physical machine using a hypervisor allocating hardware resources.
  • Hypervisors include VMware ESXi, Citrix XenServer, and Microsoft Hyper-V.
  • VMs have drawbacks: large disk space usage due to dedicated OSes, high RAM and CPU consumption, slow startup times, and OS licensing costs.
  • Containers package application code with all needed files, configurations, and dependencies.
  • This allows easy distribution; a container runs without additional software or configuration on the host.
  • Docker is primarily used to manage containers.
  • Containers share the server's underlying OS, making them lightweight, fast, and portable.
  • Container images must be compatible with the server's OS.
  • Container failure will affect all containers sharing the OS, whereas VM failure affects only the single VM.

Linux File Permissions

  • All Linux files/directories have owner, group, and others permission levels.
  • Each level has read (r), write (w), and execute (x) permissions.
  • The -l flag of the ls command shows detailed permissions:
    • "d" indicates a directory.
    • "rwx" permissions for owner, group, and others.
    • Dashes represent missing permissions.
  • chown command changes file/directory owners and groups (e.g., sudo chown <new_owner>:<new_group> <filename>).
  • chmod command changes file/directory permissions using a numerical system (e.g., chmod <number> <filename>).
    • Example: chmod 774 <filename> (owner: rwx, group: rwx, others: r-x)

Linux Sandboxing and Android Sandboxing

  • Both mechanisms isolate and protect applications.
  • Linux sandboxing uses namespaces, cgroups, SELinux, AppArmor to isolate processes.
  • Android leverages Linux features, adding layers of abstraction for mobile app security and efficiency.
  • Android's app isolation uses unique UIDs/GIDs, file access restrictions, and IPC mechanisms.
  • Android's declarative permission model requires user consent and runtime permission management.
  • Key Security Differences: Linux sandboxing customization is manual, while Android is automated and integrated into the platform.
  • Android focuses on user privacy and malware prevention utilizing SELinux, Google Play Protect, etc.

Virtual Memory

  • Virtual memory solves problems with insufficient RAM, memory fragmentation, and data security.
  • Older computers often had limited RAM, and running multiple applications at once frequently caused issues.
  • Memory fragmentation occurs when free memory is not contiguous.
  • Security issues exist if programs have access to the same memory space.
  • Virtual memory gives each program a unique address space, preventing overlaps and crashes.
  • It maps virtual addresses (program's view) to physical addresses (RAM).
  • Paging divides memory into fixed-size pages, making memory use efficient.
  • The OS uses a page table for virtual-to-physical address translation.
  • A translation lookaside buffer (TLB) is a cache to speed up translations.
  • Page faults occur when a page is not in memory (RAM), and the OS moves a page from RAM to disk or vice-versa.
  • Memory management units (MMUs) handle address translations and page faults.
  • Multi-level page tables address the challenge of running many programs simultaneously, by keeping the first-level table in RAM, and potentially swapping the second level tables to disk to preserve space.

Quiz Team

Description

Explore the differences between virtual machines and containers in server application setups. This quiz covers topics such as hypervisors, resource allocation, and the benefits of using Docker for container management. Understand the technical aspects that make containers lightweight and portable compared to traditional VMs.
