CCT 088: Mastering Process States, Execution Types, and System Architectures for the CISSP (D3.5)

Nov 13, 2023
 
Ready to decode the enigma of process states, execution types, and system architecture? We promise you'll walk away with a newfound understanding of how processes are initiated in a computer system in our latest episode. Discover the efficiency of modular application development and unravel how this foundational knowledge can fast-track your success in the CISSP exam and deepen your cybersecurity proficiency. 

Moving on, we unpack the intricacies of process scheduling and the nuances of CPU utilization. Get a grip on the transformation of processes between user and privileged modes, and learn about process states in detail. We'll delve into the world of kernel mode, where we'll discuss its crucial role in the security of computer systems. We'll also discuss how memory management units are used to protect the kernel's memory space and the differences in the handling of user and kernel modes by Windows and Linux. This episode is a treasure trove of insights into process isolation and rings of protection in CPU security. Tune in to expand your knowledge horizon!

Gain access to 30 FREE CISSP Exam Questions each and every month by going to FreeCISSPQuestions.com and signing up to join the team for free.

Transcript

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Good morning, how are you all doing today? I'm Sean Gerber with CISSP Cyber Training, and I hope you all had a great, great weekend this past weekend. As we are today, it is CISSP Monday, and this is when the podcast usually comes out. It usually ends up happening where people have the weekend prior to Monday. I think that's usually how it is, unless you are working, like I used to do, in swing shifts and in hours that were not the normal time. Yes, that would make it a little bit challenging for the weekend. But, that being said, yeah, I had the weekend this last weekend and it was great. My wife's business, she's just got started up a new business, and we spent the whole weekend getting her area prepped and ready for that. So that was a full couple of days, but now I can get to talk about CISSP stuff, which is awesome. Yeah, the recording of this show, I do this actually about 4:30, 5 o'clock in the morning in the US, just prior to heading off to work, so you get a little insight into my life, that I basically have not much of a life. But the goal is to provide this information for you guys, because I know when I took the CISSP, I struggled substantially with the CISSP. It was not my first forte. Coming from a background of being a military flyer, I did not understand the IT. I didn't go to school to be an IT person.
So, since I didn't understand those pieces to it, I needed a lot of extra help, and so the ultimate goal of CISSP Cyber Training and these podcasts is to provide you that level of understanding, for folks that are probably way further than I ever was on this, and so, therefore, it's just to kind of help you along and give you that insight that you need before you go and take the CISSP exam, because we do know it can be an extreme challenge. Also, before we get started, I have to let you know that I am actually making some changes to the CISSP Cyber Training site. We're going to be changing around some of the offerings, product offerings we have there. They are going up in price, but they're giving you a lot more value for that cost, and the ultimate goal is that I'm seeing what some of my students have been saying they need and we're making some changes to help you with that. So that's the ultimate goal, is to provide that, because, bottom line, it's not about the money, it's about providing you the skills that you need to be able to pass the exam, but also to take you into the next, basically into the future, because one thing I get a lot of feedback on is, okay, great, I took the test, now what? And we want to, kind of, I want to help you with that, because I've heard that for the past I don't know how many years: people get these tests taken, but they don't know what the next steps are. So that's the ultimate goal of trying to get you to that. So, once you get the test passed, how do we also help you on to the next part of your career? Okay, so in CISSP Cyber Training, what we're going to be getting into at this point is around mastering process states, execution types and system architecture for the CISSP, and you all are probably going, what in the world is that? Well, we're going to kind of break this down a little bit. This can get very confusing very quickly.
So I'm going to try my best to keep it very high level, at a level that maybe you can understand, not that you are all well beyond me, probably, in knowledge, but because it can get a lot of acronyms and it can be kind of confusing as to what is the overall role. We'll try to keep it high level and then we'll drill deeper into it. So again, hang on, this will be a fun one. We'll get into it, and you may want to come back and re-listen to this one a little bit more as we proceed over the coming months, because it will definitely help kind of coalesce or bring together the understanding of these different types of roles and what they do. So in computer systems, the initiation of a process, you know, that's occurring in the background, can be very similar to starting a new task or an application. So we talk about a new task. Now, this is specifically saying around the computer itself. But, as we all know, we've talked about within our current world that we live in with these third parties, such as AWS, Google Cloud and so forth. These applications can run in the cloud, but we're just going to talk specifically around the process state as it relates to a physical computer, and then from there we can take a different path as needed for those other processes. So the key around this is, whether you're typing into a terminal or double-clicking an application on a desktop, right, this trigger is going to occur, and the trigger can either be the application itself or an automated script, and then these actions will begin a new process within that computer system. And this is a foundational piece, obviously, of running a computer. Right, when you click on it, you want it to run. When you set this up and the developers are creating these, they want to.
We want to talk to them about developing their applications to run in a very specific, modular format, and the goal is, in many cases, one is, if you have, I'll use an example of my kids: in the past, when they were little, they would have toys scattered all over the house. Well, you don't know where you left your toy if you just scattered them everywhere, but if you have them in rooms or in buckets that are in your specific room, then you know where those toys are. And it's the same concept: you want to keep all of your toys, all of your processes, occurring in a modular or very formatted path, because it makes it so much easier from a development standpoint as well as understanding what is this overall application trying to do. Now, you're going to hear this term a lot; it's called the parent-child relationship. Now, the parent-child relationship, you'll hear this within the application space. You'll also hear this within rights, like, for an example, if you have added rights within a SharePoint site. The parent-child relationship is an integral part of overall understanding and ensuring that the processes are occurring correctly. And when a process spawns one, then what will happen is, it's usually the initiating spawn, right, the initiating process that would be considered the parent, and then every one that comes off of that would be the child, right? So the child comes from the parent, and that makes logical sense, right? Well, this hierarchical relationship does help organize these overall processes that we're just talking about and allows for the resources to be used efficiently, but in the process of doing that, it allows them to inherit various aspects within that specific role. So, as a father with seven children, when I pass on I have an inheritance set up for my children. Now I'll tell you right now that inheritance will not be very much, because I probably don't have a lot.
And the second fact of it is that they need to earn their own way and how they want to do their life. But the point of it is that they will inherit something from the parents. Now you also can inherit traits: your nose, your ears, your eyes, same concept, right? Except for my adopted kids. They don't look anything like me. But, that being said, you want to actually inherit the various pieces that occur within these processes, and the access you want to inherit as well, because it makes the whole process much easier. If you didn't have that, so let's say, for example, you had a parent, and you go and you run the application and it didn't inherit the permissions from the parent, you would have to physically go in and make those changes yourself. You don't necessarily want that. You would rather have it inherit the permissions, inherit the capability, and then go back in and restrict in areas where you feel it's most appropriate. I hope that makes sense. But again, the parent-child relationship is an important factor when you're dealing with resources within any computer system and also in the overall access that's provided within a system itself. So, resource allocation: every process requires system resources to function. Okay, this involves allocating slices of the CPU, which is your central processing unit, it's the time of that, the memory blocks that are associated specifically within that CPU, and then any other resource that might be vital to the overall system. So you have to allocate various time for these different resources. Now, when I first started in computers, I'll give you an example of the B-1 bomber I used to fly. They've upgraded the thing since then, but at the time when I flew it they didn't really have state-of-the-art computer systems in it. Well, when we put in a laptop, just basically to help us with our mobile map display units, that was a game changer in relation to what the system could actually do.
And so when you have these computer systems that are older, the amount of resources they can handle is much less than something that is much newer, that has a lot more CPU power than the systems of the past. And so, as these applications demand more and more CPU, you get yourself into constraints trying to operate older systems with newer applications. So therefore you have to upgrade, and we see this a lot. If you go to a new company after you get your CISSP done, one of the things you may see is that they still have a lot of old legacy equipment. Well, the new applications will struggle with that. So what do people do? They keep the old applications. Well, when you keep the old applications, what do you bring with it? A lot of problems. The system won't be able to be upgraded. There's vulnerabilities with that system. Lots of issues come into that. So again, I'm taking a small tangent there to let you know that resource allocation is an important part of what you provide for these systems, and therefore you need to make sure they're updated and relatively new. Now, when you're dealing with resource allocation, every process does require some level of that resource. Okay, and this includes, we talked about the CPU time, but there's also a part where we deal with process control blocks, or PCB, Papa Charlie Baker. Now, PCBs act as a data structure that helps keep track of all the resources that are going on and the states that each one of the processes is in, so kind of like a passport for the process. This details what it can do. It basically tells what resources it has, where they need to go and so forth. So the PCB, okay, the process control block, acts as a data structure that keeps track of all the resources and the process states. Now, each process will run with a set of permissions, and this is what we call security context.
Security context is, the process basically ensures that each of the processes that are running have a certain set of permissions, that is, what they can and cannot do. Why is this important to cybersecurity? The process that we've created, right, you're creating all of these different, you're allocating this time. You're providing these process control blocks. You have data, there are applications that are inheriting this from the child and parent relationships. You have this going back and forth. You want to make sure that you have enough protections in place, that you're monitoring these actions, because what you don't want to have happen is a rogue or unauthorized process that gains access that it shouldn't have, and therefore it would end up having a behavior that would be outside of what you're anticipating. Okay, the execution of a process. Now we're talking about process scheduling. Now the CPU is what's happening. It's basically the brain of your application or of your system, and the CPU can handle one task at a time per core, and that's why you'll hear you have multi-cores and multi-threading. You'll get with all of that. That deals with the CPU specifically. But bottom line is it can handle one task, and we're just talking about a CPU right now. If you get into Google Cloud and AWS, you can do all kinds of different tasks because of the capability of this virtual environment. But for the sake of this podcast, we're going to focus specifically on what this one CPU can do. Now the process of scheduling is kind of like a juggling act, where you have an operating system that will decide what process gets the CPU's attention, and then it'll ensure that that attention that it's getting is efficiently utilized and every process gets a turn. So it's basically saying, if I'm going to do task A, if I'm going to pick this block up and move this block over to the table, then it's going to focus on that.
It's doing that specific task the way it's supposed to do it. That is process scheduling. So it's ensuring that it picks up that block and takes it over to the table. CPU utilization is that, once this is scheduled, the process uses the CPU to execute its instructions, and this is basically the doing phase. You have the scheduling phase and then you have the doing phase. The doing phase is where the calculations occur, the data's manipulated or the I/O, input/output, operations are initiated. So process scheduling, CPU utilization. Okay, so now we're going to get into actual switching. The switching is between the user and the privileged modes. So you have your normal user mode that is occurring, and this is basically a process that might be at different levels, basically will have different times that they may access information, but you'll switch between user and privileged mode. So user is a restricted mode, privileged is an elevated mode, and it ensures that processes have the necessary permissions that they need to run. While ensuring this, they maintain the security boundaries. So, as an example, one of the big things that a hacker will love to do is take advantage. They'll start off in a user mode and then take advantage of that user mode and move into a more privileged mode or elevated mode, because once they get into that elevated mode, then what ends up happening is they have much more scope within a computer system than what they have as a standard user. This is why local administrator accounts are a bad idea, because what ends up happening is they're fine for that specific system. But what people tend to do is they'll say, Sean, let's put Sean in the elevated group, and Sean is an admin, and then Sean would be put into an overall group of admins and we'll drop Sean's name in there. So we went from having access to one computer to having access to many.
Same kind of concept, right? When you're dealing with computer systems, you want to keep it as limited or as restricted as possible. And that would be the user person, right? You want the user account, the user access. Then the privilege would be the elevated access. Now there's process states that you will hear within the CISSP, and that comes around busy, waiting or ready to start, and these are the various processes that will be getting ready to go. Your busy means it's processing. Your waiting is waiting for a command, and then ready to start means it's ready to actually get up and go, and that's the ultimate point within your process states. They reflect what your current status is of the execution lifecycle related to these overall applications. From a standpoint of security, you want to ensure that, when these different users and privileged accounts are working, you are watching what's occurring. The reason is that, like we talked about before, the attacker will want to elevate their privileges to be able to do malicious activity. So, one, if you have an attacker that's doing it, or you have an application that is trying to use those elevated privileges, it will be a good indicator that you may have a problem. So now we're going to get into termination of a process. What exactly is a termination? So you have various pieces around the termination piece. You have normal termination, forced termination, and then you have resource deallocation. So we're going to get into those main things right there. Normal termination is when you're finishing a task or a process that concludes its operation, makes sense, right? Once it's done, it terminates, it gives back the borrowed resources and informs the system that it's done. It's completed. And you'd want it to do this because if it didn't, the CPU would just continue to keep running on that specific task.
So therefore, you want it to stop, and that would be a normal termination. It is the natural end to the overall process's lifecycle. Then you have forced termination. Now this happens sometimes when there are too many resources that are hanging on without any progress. So you'll see this, in the case of, in the past with Windows, you get the dreaded blue screen of death. Sometimes it will hang because it's waiting for more processes. If it's waiting for it and it never gets it, then it can create a security risk in many ways, because one, it can go ahead and burp and roll over. Two, the other aspect is that sometimes the application, when it hangs and it can't figure out what to do, it will give up credentials, it will give up access. So therefore a forced termination is happening when the processes don't end as expected. So it's an important factor around this, and you want to ensure in these cases that an external force, like an administrator or an automated system action, ends the process. We don't want to have a hacker or someone else actually try to end this process. You want it to be a normalized, forced process that's done by somebody that is in, or an application that's in, that state. Okay. So once this is done, once the process is over, then you want to ensure that the resources are reallocated to ensure there's no waste and they have optimal performance for the other systems that are waiting for it. So you, once you have a normal termination, you shut it down. You have a forced termination, where someone will forcibly shut the system down, and then you want to have the system reallocate the overall resources that have occurred. Now, again, when it comes down to termination, security privileges and their permissions, they can be taken away, ensuring that there's no residual or lingering access remaining, and you want to ensure that when these systems, these processes, are over, those privileges are removed from that process.
Okay, the next area we are going to discuss is process scheduling. Now, when an operating system uses a scheduling algorithm to decide when to use the CPU for execution, there's various pieces around this. There's the scheduling algorithm, there's load balancing, there's priority-based scheduling and there's preemptive versus non-preemptive scheduling. So we'll get into that piece of it too. So, when you're dealing with process scheduling, your scheduling algorithms, they come in various types. You have first come, first served. Obviously, it's just like when you go to a restaurant: you show up, you're the first one in line, you get served. You have shortest job next, which basically means it knows from a processing standpoint which one is the shortest, and so therefore it will run those quick wins early. And then you have the round robin aspect of it, where it just basically goes around and it's looking for options. These are all employed to prioritize and sequence in the overall processing plan. So you want to ensure that when you're dealing with the algorithms, you may see this on the CISSP: first come, first served, shortest job next and then round robin. Understand what they're asking for, read the question, know what that would mean in relation to processes, and know that if you have first come, first served, that's what it's just like it says. Shortest job next, as it relates to the process, you can figure out that if you have process A, I'm just going to use 10 milliseconds, and then you have process B, and then you have process A is going to take you five milliseconds, it's going to do the shortest job next. And then the round robin, where it's basically just going around and getting whatever it can. So load balancing: in load balancing and multi-core systems, the scheduler will distribute the load evenly across all cores to optimize performance.
Again, like you see within the AWS environment, within the cloud environment, load balancing is distributing the load evenly across them all so that you're not having basically one core that's being idle while another one is working its tail off. Priority-based scheduling: this is where some of the processes might have a higher priority due to the critical nature of the overall process. The operating system will ensure that these processes get the CPU's time, preferred or preferential. They want to make sure that those will take that. This process must occur, and so it will dump other ones, or at least it will prioritize them in a lower form than the higher prioritized option. Then you have preemptive versus non-preemptive. Preemptive scheduling is a running process that can be interrupted and moved to a ready state if a higher priority process comes in. Non-preemptive basically means it's going to run till completion whether or not something else comes in. So again, when we talk about priority scheduling, you have scheduling algorithms, load balancing, priority-based scheduling and preemptive versus non-preemptive. So think about, if you might see this on the CISSP, understand what they're asking around the scheduling piece of the process and then try to dig deeper into the question. When you're dealing with CPU utilization, there's some key terms you're going to want to understand. One is instruction set architecture, cycles per instruction and concurrency, and you're probably all going, okay, I'm like losing my mind here, because there's so many of these questions, so much of this context. The main thing to think about is that when you're dealing with CPUs, what does a CPU do? It's a central processing unit, and it performs various actions, such as computational data, data manipulation, input/output operations.
So I/O is considered input/output, and so it will do this using an instruction set architecture. What that means is CPUs have a defined set of operations that they can perform, which is called an ISA. This is what they're designed to do, and they follow this ISA, and these processes on the CPU are written in a manner that aligns with this specific architecture or framework. It follows those operations. Now the next piece: you have the framework, which is ISA, and then you have the cycles per instruction, which is your CPI, and this is the number of clock cycles a CPU takes to execute an instruction. So it's how many times it's going, how many times it's clicking. That's what the cycles per instruction on a CPU are. You will obviously want to optimize the code to reduce any issues that it may have and have faster performance. So you'll see some coders will actually develop their code for a specific CPU type. Now, if they do that, what they're trying to accomplish is being able to use the CPU to its maximum efficiency. This is where, if you have a CPU that is, you're just basically using a commercial-grade CPU and you just have commercial-grade applications, they will base it on what they feel the CPU should be able to do from cycles per instruction. Now, again, if you're building something out that you really want to optimize, there's a lot of waste when you just use commercial off-the-shelf CPUs and commercial development code, whereas when it's tailored, you will be able to maximize the performance of those systems. The downside, obviously, is this technology changes so quickly, and because it's changing every 18 months, if you do that very specific development work for that CPU, very quickly it becomes out of date, and so that's where I can see it in a very specific application to do a very specific job. One example would be the military.
When they build these systems and they put these in airplanes, they're developed and designed specifically for that purpose, and they don't do a lot of upgrades to the hardware, and so you would want the code to be able to maximize the CPUs that are being used within that piece of equipment. Then you have what we call context switching. The context switching will switch between the privileged and the user mode as it needs. But when it does this switching it will incur some level of computational cost, which is why, when you're dealing with an operating system, they want to have them very specifically designed so that it minimizes that cost, that computational loss going from an admin mode to a privileged mode, and you don't want to have unnecessary switching, one from a security standpoint and two from a computational standpoint. Now we're going to get into the process states. So we've gone through a lot of different terms here, but what we're going to get into is what we call the process state. It focuses on ready, running and waiting. Now this depends on the resources needed and what's available. So there's the three processes that we will talk about. Real quick: ready means the process is loaded into the main memory and awaits CPU time. So it's ready to go, but it's just ready to go, but it doesn't have what it needs, or it hasn't been given the go-ahead to run. Running is when the process is actively using the CPU to execute its instructions specifically, and then waiting is a blocked mode. This is processes waiting for an event, such as an input/output operation, to complete before it can proceed. So you have ready, which is ready. It's locked and loaded. You have running, which means it's running and actively running on the CPU, and then you have waiting, which is where it's waiting for an event, such as some sort of input or output, to finish up what it's doing.
Now, the transition between these states is often based on what we call a trigger or a specific event, like resource availability or a task completion. They will go then from ready to running and then to waiting, ready to running to waiting. It'll do this while it's waiting for triggers or other types of activities to occur. Now why is this important for security? For you to know this, right, it's like, oh my gosh, just shoot me now. The point of it is that a cyber attacker will use these types of processes to be able to inject code as it sees fit. So code injection, privilege escalation, these are all forms that can utilize these various parts within the CPU and within the overall process stack. So, as a cybersecurity person, you may be looking at how the behavior of the CPU is occurring, and if it's acting outside of the normal parameters in which it should, that may be an indication you have a possible problem. The forensics piece of this: after the incident is over, you may have to go in and dig through the memory to realize what the attacker was doing specifically to that CPU, and also, by understanding all of this background, you may decide to put in some level of process isolation to keep processes separate, so that would limit any sort of malicious activity that could occur. So again, I know all this stuff is just, like, overwhelming, the amount of knowledge you have to have.
The key thing to think about is, you read through, I have all these notes that are on CISSP Cyber Training, but also in the video as well, but also know that if you understand how these processes work, and it doesn't have to be that you have to know specifically every possible word, but you need to understand the overall, understand the concepts, the bigger picture, because as a CISSP and potentially as a leader within security, these things are going to come up and you're going to have to know, how do I communicate with a person around the aspects of resource allocation? And, to be honest, I don't have deep, deep, deep knowledge of all these areas. There's just no way. But I know enough to be able to have a conversation with people who do, and that is the overall understanding you need to get out of the CISSP. Now, one thing I'm going to kind of run into is what we call kernel mode, and this is where we deal with privilege escalation that occurs, and many times what'll happen is bad guys will want to actually modify the kernel. And I didn't know what that meant at first. I thought the kernel was either Colonel Sanders, who did Kentucky Fried Chicken, or a kernel that was based on corn, right, your maize, something like that. But no, this kernel is a little different, and this kernel is spelled with K-E-R-N-E-L, kernel mode. So the kernel is the most privileged level of execution in a computer system. It's the operating state where the kernel, or the core part of the operating system, has unrestricted access to all hardware resources. So it's basically like the keys to the kingdom, and hence that is why hackers will go after them, because they know that it has these elevated capabilities, and so therefore it needs to run that way. Now this is differentiated from user mode, where applications run with limited access; if they have to have elevated access, they'll go into the actual kernel mode.
Now the kernel, like we mentioned before, can interact specifically with hardware components such as the CPU, memory and input/output devices, and this does allow for privileged instructions which cannot be run within user mode. So kernel mode is a high-trust area, and so therefore we don't want any sort of application to run in kernel mode if it doesn't have to, and typically they like to try to keep that out of it. The application should be able to run in user mode with all of its capabilities, because once you get into that trusted area of the kernel, then you can have a big problem. This is where, then, the system can be compromised very quickly if you gain the right amount of privileges with that specific kernel. Now, basically what this comes down to is that when you're dealing with these modern operating systems, they have such things as memory management units, or MMUs. These are designed to protect the kernel's memory space and to keep attackers out, or to keep unwanted applications from accessing the kernel. Now, when you're dealing with going from user mode to kernel mode, this is what they call a context switch, and it typically goes through system calls, interrupts or exceptions, and this is what happens when it's trying to access the files that require this kernel to basically take over and operate the hardware. Now, when you're dealing with kernel mode in the operating system, we'll talk about just the two main ones. I'm not going to get into Mac, but we'll just focus on Windows and Linux. Kernel mode is where the Windows kernel operates and includes most components such as HAL, which is your hardware abstraction layer. That's another one you're going to have to know, because I've seen that one on the CISSP before, the HAL. Then there's Linux. Linux separates the user and kernel mode, so the applications cannot directly alter the kernel operations without authorization. So you have Windows. This is where the kernel operates.
It includes the HAL, the hardware abstraction layer, and then you have Linux, where the user and the kernel mode, basically the application, can't directly interact with the kernel operation without proper authorization. So, as it relates to, what do you do with that? Okay, that's a lot of words, it's a lot of craziness. How does this help me? Well, when you're dealing with protecting the CPU, they have different levels of rings of protection, and we've talked about this at CISSP Cyber Training and the training content that I have. You have different rings, and when you're dealing with the different rings, they basically have the different levels to the overall system. Ring zero is what they consider the kernel mode. It's like the epicenter, it's the highest level of trust, and when you're dealing with ring zero, you need to have ways to protect from ring one, two and so forth. Operating systems will deploy various protection mechanisms, such as a supervisor mode execution program, or SMEP. Okay, yeah, that's a really weird word, SMEP, and this prevents users from using code to execute at all in kernel mode, and so they will put those in place. Again, bottom line is ring zero. Okay, the ring that rules them all. Ring zero is the kernel mode and it is in the center, and you want to have ways to protect anything from running, and what they have is SMEP. Yes, SMEP is the protection of the ring that rules them all. You didn't know, but it works in the computer system. Performance considerations to think about: kernel mode is typically much faster than user mode. Why? Because of the direct hardware access. However, it obviously has a lot of issues if you do that, right. Bad things can happen.
But excessive switching between user and kernel mode, which is also known as thrashing, that was a term that I had not really heard about before, but they use that term, thrashing, which is when it goes back and forth between user and kernel, can obviously degrade performance. You want it to be able to run in a very stable state and mode. Going between kernel and user mode is not stable, and therefore you get, obviously, thrashing. Now, when you're dealing with the development aspect of this, we want to understand that developers must test in kernel mode due to, obviously, the effect on system stability, but you want individuals to run in user mode. So your developers need to understand the kernel and how it works, especially if they're having to do any sort of calls to the kernel, and that's, I would say, one of the challenges I had with my developers: they didn't truly understand how that worked. And so therefore, if you do have a development team that you deal with, you want to make sure that they basically have the education they need, because you don't want someone dipping their toe into the kernel when they really truly don't understand what they're trying to accomplish. Now there's various security mechanisms that have been put in place, like we mentioned, to protect the kernel. PatchGuard is another one that Windows has that will help with any sort of kernel mode modifications. But you just need to keep in mind that when you're dealing with kernel mode versus user mode, the kernel mode is the elevated privileges, user mode is the normal operations in your day-to-day aspects, and that's how you need to ensure that they stay that way. Okay, so the last thing we're going to talk about with mode switching, between the privileged and the user modes, is that these user mode and privileged mode transitions will occur. There's usually a transition phase that goes between these.
They call that mode switching, and that's where you go from user to privileged, and that mode switching, or, as we just mentioned before, if it's done incorrectly, it would be called thrashing. Now, during the CPU changes, you want to ensure that the instructions that are set up will alter the access to resources as necessary. Now you want to have the ability, I say, you won't have any control of this, right, because you guys are, the computer comes as it is. But one of the things that they recommend when you're dealing with the kernel is you have state preservation, and that preservation means that when, just like anything else, things happen, how do I get back to the main state that it was? How do I reinstall or go back to a known good state? That's another part that they're going to want to deal with when you're focusing on the kernel and they're running in privileged mode: how do you get back to a known good state? So, again, you don't want to mess with the kernel unless you absolutely have to. And if you do mess with the kernel, you want to ensure that your development team understands what exactly they're doing, how they can get back to a known good state if things go bad, also what kind of context they are running this in, user or privileged mode, and ensure that they truly understand what they are doing. Last thing is, when you're dealing with authorization and validation, it is important that you have some sort of mechanism in place to limit what people can do inside these various modes. Again, we've talked about this time and again: it all, if you get back to the basics at any level of security, focuses on running everything you possibly can in a restricted state. Only run what is necessary and needed for the shortest amount of time possible in a privileged state. That is the best way to keep yourself out of trouble. Again, we talked about a lot in this whole thing.
This has been a lot of back-and-forth information around these various states, but if you can just boil it down to your privileged and your user accounts and when you would use those, you can avoid the thrashing. We don't want the thrashing, right? So, Teenage Mutant Ninja Turtles, there was Thrash, right, in that, I think. Yes, that just shows how old I am. I think, actually, they redo the Teenage Mutant Ninja Turtles on a yearly basis, but avoid the thrasher. Anyway, that's all I've got for you today. I hope you guys enjoyed this. I hope you're not asleep at the wheel. If you're driving into work, which a lot of people do, they listen to this podcast, wake up. Now's the time to wake up. Before you get into work, take your Tesla off autopilot and you now can get back to your job. But have a wonderful day, everybody. Hope you guys enjoyed this episode. I know it was deep, it was hard, but guess what? On Thursday the CISSP questions will be out there specifically for this one, so you will love it. It will be another one that'll keep you awake. All right, have a great day and we'll catch you on the flip side. See ya.
