Menu
▾
▴
syllable-kernel
|
From: Jake H. <jh...@po...> - 2005-04-29 00:38:22
|
I've made a few notes on potential ways we could tighten up the Syllable
security model at the kernel level beyond the typical x86 OS. This is
based partially on the architecture of OpenVMS and partially on the
Microsoft/Intel "trusted computing" initiative.
First, every UNIX OS as well as Windows uses only two of the four
"rings" of protection on x86. The kernel and all modules run in Ring 0
and all user programs run in Ring 3. Ring 0 can bypass all protections.
What's interesting about the special hardware support that is being
added for "Palladium" (what Intel calls "LaGrande Technology", or LT),
is that they've essentially had to add a new "Ring -1" that is more
privileged than the layer at which the normal operating system runs, in
order to be able to assure the privacy and security that Windows itself
is apparently not able to provide. This is stupid: if we have Rings 1
and 2, as well as (in recent x86 chips) efficient ways to switch between
rings (e.g. SYSENTER/SYSEXIT on Intel, SYSCALL/SYSRET on AMD), then we
could theoretically put as little as possible in Ring 0 and have the
majority of kernel threads running in Ring 1, Ring 2, or Ring 3.
So why use Rings 1 and 2 at all? Why not have the "microkernel" portion
in ring 0 and put everything else in ring 3? Well, from a performance
standpoint, it may be possible to set up the shared portion of the
virtual memory space ("kernel space") so that particular areas are
available to all code running at ring 1, while other data structures
would require ring 0. OTOH, it's quite possible that rings 1 and 2 are
essentially useless unless you are writing some old-style segmented
memory or 16/32-bit OS. Perhaps that explains why the only OS I could
find which uses more than 2 rings was OS/2, which uses ring 2 for user
code segments with privileges to access I/O ports directly.
FWIW, here are the names of the four different privilege modes used by
VMS. I still need to learn what the two inner levels are used for, but
at least the names give a hint as to the level of "need to know"
privileges that each layer of a more-secure OS might have:
0 - kernel
1 - executive
2 - supervisor
3 - user
I have a couple of notes here on the requirements needed for a Syllable
user to be able to "fully control any storage or disclosure" of whatever
personal info they want to protect:
- user data in the pagefile would be encrypted (using a randomly
generated key stored in RAM only)
- secure browsing mode:
- no caching of pages/images to disk
- URL history tracking in memory only
- no cookies saved, or optional encrypted cookie file
- support for encrypting any file saved to disk, configured at the file
or folder level (see NTFS).
- no unauthorized screen grabs or keystroke/mouse loggers.
- built-in secure delete (see GNU shred).
- "magic key sequence" always pops up the OS-provided task manager or
login screen (e.g. Windows CTRL-ALT-DEL) and can't be trapped by
malicious programs to create a fake login screen.
Jake
|
|
From: Kip M. <kip...@gm...> - 2005-04-29 15:53:10
|
> Microsoft/Intel "trusted computing" initiative. >=20 > First, every UNIX OS as well as Windows uses only two of the four > "rings" of protection on x86. The kernel and all modules run in Ring 0 > and all user programs run in Ring 3. Ring 0 can bypass all protections. > What's interesting about the special hardware support that is being > added for "Palladium" (what Intel calls "LaGrande Technology", or LT), > is that they've essentially had to add a new "Ring -1" that is more > privileged than the layer at which the normal operating system runs, in > order to be able to assure the privacy and security that Windows itself > is apparently not able to provide. This is stupid: if we have Rings 1 No it isn't, it is necessary if they are to support running Windows _unmodified_ on top of a hypervisor. See VT-x. |
|
From: Daniel G. <da...@fp...> - 2005-04-29 16:05:18
|
On Fri, 2005-04-29 at 08:52 -0700, Kip Macy wrote: > > Microsoft/Intel "trusted computing" initiative. > > > > First, every UNIX OS as well as Windows uses only two of the four > > "rings" of protection on x86. The kernel and all modules run in Ring 0 > > and all user programs run in Ring 3. Ring 0 can bypass all protections. > > What's interesting about the special hardware support that is being > > added for "Palladium" (what Intel calls "LaGrande Technology", or LT), > > is that they've essentially had to add a new "Ring -1" that is more > > privileged than the layer at which the normal operating system runs, in > > order to be able to assure the privacy and security that Windows itself > > is apparently not able to provide. This is stupid: if we have Rings 1 > > No it isn't, it is necessary if they are to support running Windows > _unmodified_ on top of a hypervisor. See VT-x. > Aside from that, rings 1 and 2 don't really exist anymore, because they're not there in amd64. This means that, for all intents and purposes, you cannot depend on them. Within 2 years, x86 as such won't exist anymore, and all processors sold will be amd64. Daniel |
|
From: Mark W. <mar...@cl...> - 2005-04-29 16:07:27
|
Hi Kip, didn't expect to see you here ;-) > > First, every UNIX OS as well as Windows uses only two of the four > > "rings" of protection on x86. The kernel and all modules run in Ring 0 > > and all user programs run in Ring 3. Ring 0 can bypass all protections. > > What's interesting about the special hardware support that is being > > added for "Palladium" (what Intel calls "LaGrande Technology", or LT), > > is that they've essentially had to add a new "Ring -1" that is more > > privileged than the layer at which the normal operating system runs, in > > order to be able to assure the privacy and security that Windows itself > > is apparently not able to provide. This is stupid: if we have Rings 1 > > No it isn't, it is necessary if they are to support running Windows > _unmodified_ on top of a hypervisor. See VT-x. VT-x introduces "root mode" and "non-root mode", which is orthogonal to the ring you're running in (although root mode can only be entered and left in certain restricted ways). Root mode & ring 0 is where a hypervisor would run, non-root mode & rings 0-3 would contain guest OSs. One thing which I'm curious about is exactly what form "Ring -1" in LT will actually take. Both AMD's and Intel's security extensions are dependent on their virtualisation extentions because they use similar mechanisms. I guess it may be that "ring -1" == "root mode ring 0". Speculation on my part... Are there any specs available for LT? I haven't seen any, the deadline for LT seems to have moved back relative to what I was expecting. Cheers, Mark |
|
From: Mark W. <mar...@cl...> - 2005-04-29 16:10:20
|
> Aside from that, rings 1 and 2 don't really exist anymore, because > they're not there in amd64. This means that, for all intents and > purposes, you cannot depend on them. Within 2 years, x86 as such won't > exist anymore, and all processors sold will be amd64. Just as a point of interest, IA64 has 4 rings (not that I think a Syllable port to Itanium would be very sensible ;-)) Of course non-Intel architectures have a range of different numbers and kinds of protection rings, so it's worth bearing in mind portability whilst architecting a system to use the rings. Even on x86, a port to something like Xen (or L4) would restrict the rings available for use. Cheers, Mark |
|
From: Daniel G. <da...@fp...> - 2005-04-29 16:13:40
|
On Fri, 2005-04-29 at 17:09 +0100, Mark Williamson wrote: > Of course non-Intel architectures have a range of different numbers and kinds > of protection rings, so it's worth bearing in mind portability whilst > architecting a system to use the rings. Even on x86, a port to something > like Xen (or L4) would restrict the rings available for use. > There's a reason why Unix systems only use 2 rings. :) Minimal subset makes porting much easier. Daniel |
|
From: Mark W. <mar...@cl...> - 2005-04-29 16:18:02
|
> would require ring 0. OTOH, it's quite possible that rings 1 and 2 are > essentially useless unless you are writing some old-style segmented > memory or 16/32-bit OS. I think the usual way to do this is to overlay multiple segments (with the same base) with different privilege levels. I think it can be worked as a straightforward extension of the usual x86 tricks: map ring0-only memory at the top of memory, then ring 1's private space, then ring 2's private space. Then have a set of segments with different privilege levels that permit access to the relevant range of linear memory. Sound sane? > Perhaps that explains why the only OS I could > find which uses more than 2 rings was OS/2, which uses ring 2 for user > code segments with privileges to access I/O ports directly. Interesting, I never knew what OS/2 did with those rings :-) You don't need this for user IO privileges, though - can still restrict IO port access on a per-process basis (even with IOPL = 3) by setting bits in the TSS IO bitmap. With Syllable using hardware task-switching, this should Just Work, rewriting the TSS IO bitmap on context switches would be necessary for s/w switching (with suitable tracking in place, this needn't have high overhead). Cheers, Mark > > FWIW, here are the names of the four different privilege modes used by > VMS. I still need to learn what the two inner levels are used for, but > at least the names give a hint as to the level of "need to know" > privileges that each layer of a more-secure OS might have: > > 0 - kernel > 1 - executive > 2 - supervisor > 3 - user > > I have a couple of notes here on the requirements needed for a Syllable > user to be able to "fully control any storage or disclosure" of whatever > personal info they want to protect: > > - user data in the pagefile would be encrypted (using a randomly > generated key stored in RAM only) > > - secure browsing mode: > - no caching of pages/images to disk > - URL history tracking in memory only > - no cookies saved, or optional encrypted cookie file > > - support for encrypting any file saved to disk, configured at the file > or folder level (see NTFS). > > - no unauthorized screen grabs or keystroke/mouse loggers. > - built-in secure delete (see GNU shred). > > - "magic key sequence" always pops up the OS-provided task manager or > login screen (e.g. Windows CTRL-ALT-DEL) and can't be trapped by > malicious programs to create a fake login screen. > > Jake > > > ------------------------------------------------------- > SF.Net email is sponsored by: Tell us your software development plans! > Take this survey and enter to win a one-year sub to SourceForge.net > Plus IDC's 2005 look-ahead and a copy of this survey > Click here to start! http://www.idcswdc.com/cgi-bin/survey?id=105hix > _______________________________________________ > Syllable-kernel mailing list > Syl...@li... > https://lists.sourceforge.net/lists/listinfo/syllable-kernel |
×
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.
Thanks for helping keep SourceForge clean.
X