funsec mailing list archives

MS Singularity - singularly impossible?

From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Sat, 12 May 2007 22:54:24 -0400

Some comment on FD opened me up to this link:

http://research.microsoft.com/os/singularity/

Which led to this link:

ftp://ftp.research.microsoft.com/pub/tr/TR-2006-51.pdf

----------------------

Basically, Singularity (for those who don't already know) is an OS that
will run isolated processes that "cannot be altered" in several
different fashions:


1: ) The fixed code invariant: Code within a process
cannot be altered once the process starts
execution.

2: ) The state isolation invariant: Data within a
process cannot be directly accessed by another
process.

3: ) The explicit communication invariant: All
communication between processes must occur
through explicit mechanisms, with explicit
identification of the sender, and explicit receiver
admission control over incoming communication.

4: ) The closed API invariant: The API between a
process and the system must maintain the fixed
code, state isolation, and explicit communication
invariants.

This will all apparently be done in non-paged memory running in ring0.
So rather than using hardware protection for your processes, you will
rely on software.

My question is the usage of the word "cannot" in the 4 above
invariants. How would this be possible? Would everything be considered
.text? Will it run checks to see that the integrity of the stack is
maintained, and error out if it detects tampering?

It seems an answer to the API invariant is here:
--------------------------
Most open process systems include debugging APIs
that allow reading and writing of another process's
memory. Strictly speaking, the closed API invariant
does not prohibit debugging APIs, but it does prohibit
providing debugging APIs to unprivileged processes.
Preferably debugging capabilities should be available
in conjunction with specific communication rights and
only after both the kernel and the target process (or the
certifier of the target process) have agreed that
debugging access is appropriate.
-----------------------------

So, jumping through processes would still be possible, you just have
to authenticate via signed code or some such before doing it, right?

I am assuming the rest have similar loopholes as well, but... wait
this IS funsec, I had better cover my ass here:
--------------------------------
A Pirate walks into a bar with a Steering Wheel attached to his crotch.

He walks up to the bartender and orders a bottle of rum and two glasses.

The bartender gives up and asks "Ok, what's the deal with that Steering
Wheel attached to your johnson?"

The Pirate replies "Arrgh, I don't know but it's been drivin' me nuts all day"
---------------------------------

OK, that's the fun part, but I am still wondering whether I should keep
reading for a few years before asking these kind of questions.....

probably so,

-JP

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
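The four invariants quoted above, and the debugging caveat from the paper, as an added toy model that is not part of the post or of Microsoft's Singularity code: every cross-process action goes through a single mediating "kernel" object, so "cannot" becomes an explicit refusal rather than a hardware fault. The process, admission and consent names are constructed for the illustration.

```python
from dataclasses import dataclass, field


class IsolationViolation(Exception):
    """Raised when an operation would break one of the four invariants."""


@dataclass
class Process:
    name: str
    code: tuple                                   # fixed code: frozen at start
    state: dict = field(default_factory=dict)     # private to this process
    admit: set = field(default_factory=set)       # senders this process accepts
    consent_to_debug: set = field(default_factory=set)  # debuggers it agreed to
    inbox: list = field(default_factory=list)


class Kernel:
    """Closed API invariant: the only way processes touch each other is via here."""

    def __init__(self):
        self.procs = {}
        self.debug_privileged = set()   # kernel-side policy: who may debug at all

    def start(self, name, code, admit=()):
        # Code is frozen into a tuple at start; the kernel exposes no call to rewrite it.
        p = Process(name, tuple(code), admit=set(admit))
        self.procs[name] = p
        return p

    def send(self, sender, receiver, msg):
        # Explicit communication: the kernel names the sender (the payload cannot lie),
        # and the receiver's admission list decides whether delivery happens at all.
        dst = self.procs[receiver]
        if sender not in dst.admit:
            raise IsolationViolation(f"{receiver} does not admit messages from {sender}")
        dst.inbox.append((sender, msg))
        return len(dst.inbox)

    def read_state(self, requester, target, key):
        # State isolation: another process's data is unreachable except through the
        # debugging path, which needs BOTH kernel policy and the target's consent.
        if requester != target:
            tgt = self.procs[target]
            if requester not in self.debug_privileged or requester not in tgt.consent_to_debug:
                raise IsolationViolation(f"{requester} may not read {target}'s state")
        return self.procs[target].state[key]


def violates(fn, *args):
    """True if the kernel refuses the operation with IsolationViolation."""
    try:
        fn(*args)
        return False
    except IsolationViolation:
        return True
```

The model answers the "jumping through processes" question the way the quoted paragraph does: a privileged debugger still reads nothing until the target itself has admitted it.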