funsec mailing list archives
MS Singularity - singularly impossible?
From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Sat, 12 May 2007 22:54:24 -0400
Some comment on FD opened me up to this link: http://research.microsoft.com/os/singularity/

Which led to this link: ftp://ftp.research.microsoft.com/pub/tr/TR-2006-51.pdf

----------------------

Basically, Singularity (for those who don't already know) is an OS that will run isolated processes that "cannot be altered" in several different fashions:

1.) The fixed code invariant: Code within a process cannot be altered once the process starts execution.

2.) The state isolation invariant: Data within a process cannot be directly accessed by another process.

3.) The explicit communication invariant: All communication between processes must occur through explicit mechanisms, with explicit identification of the sender, and explicit receiver admission control over incoming communication.

4.) The closed API invariant: The API between a process and the system must maintain the fixed code, state isolation, and explicit communication invariants.

This will all apparently be done in non-paged memory running in ring0. So rather than using hardware protection for your processes, you will rely on software.

My question is the usage of the word "cannot" in the 4 above invariants. How would this be possible? Would everything be considered .text? Will it run checks to see that the integrity of the stack is maintained, and error out if it detects tampering?

It seems an answer to the API invariant is here:

--------------------------

Most open process systems include debugging APIs that allow reading and writing of another process's memory. Strictly speaking, the closed API invariant does not prohibit debugging APIs, but it does prohibit providing debugging APIs to unprivileged processes. Preferably debugging capabilities should be available in conjunction with specific communication rights and only after both the kernel and the target process (or the certifier of the target process) have agreed that debugging access is appropriate.

-----------------------------

So, jumping through processes would still be possible, you just have to authenticate via signed code or some such before doing it, right?

I am assuming the rest have similar loopholes as well, but... wait, this IS funsec, I had better cover my ass here:

--------------------------------

A Pirate walks into a bar with a Steering Wheel attached to his crotch. He walks up to the bartender and orders a bottle of rum and two glasses. The bartender gives up and asks "Ok, what's the deal with that Steering Wheel attached to your johnson?" The Pirate replies "Arrgh, I don't know but it's been drivin' me nuts all day"

---------------------------------

OK, that's the fun part, but I am still wondering whether I should keep reading for a few years before asking these kinds of questions..... probably so,

-JP

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
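An added toy model of the explicit communication and closed API invariants quoted in the post above (written for this archive page as an illustration; it is not Singularity code, and the Kernel/Process classes, pids and the debug_policy set are constructed assumptions). It shows what "cannot" means when enforced in software: a message is delivered only if the receiver admits that sender, and debug access requires both the kernel's policy and the target's consent.

```python
class Denied(Exception):
    pass

class Process:
    def __init__(self, accepts_from=(), debuggable=False):
        self.accepts_from = set(accepts_from)  # receiver admission control
        self.debuggable = debuggable  # target (or its certifier) consents to debug
        self.inbox = []

class Kernel:
    def __init__(self):
        self.procs = {}
        self.debug_policy = set()  # pids the kernel grants debug rights to

    def spawn(self, pid, accepts_from=(), debuggable=False):
        self.procs[pid] = Process(accepts_from, debuggable)

    def send(self, sender, receiver, msg):
        # Explicit communication: the kernel supplies the sender identity and
        # the receiver decides which senders it admits.
        dst = self.procs[receiver]
        if sender not in dst.accepts_from:
            raise Denied(f"pid {receiver} does not admit pid {sender}")
        dst.inbox.append((sender, msg))

    def attach_debugger(self, debugger, target):
        # Closed API: no raw read/write of another process's memory; debug
        # access needs both kernel policy and the target's consent.
        if debugger not in self.debug_policy:
            raise Denied("kernel policy grants no debug rights")
        if not self.procs[target].debuggable:
            raise Denied("target has not agreed to be debugged")

def attempt(fn, *args):
    try:
        fn(*args)
        return "ok"
    except Denied:
        return "denied"

def demo():
    k = Kernel()
    k.spawn(1, accepts_from={2})   # pid 1 admits messages only from pid 2
    k.spawn(2)                      # pid 2 admits nobody
    k.spawn(3, debuggable=True)     # pid 3 has consented to debugging
    k.debug_policy.add(2)           # kernel lets pid 2 debug
    return {"send_2_to_1": attempt(k.send, 2, 1, "hello"),
            "send_1_to_2": attempt(k.send, 1, 2, "reply"),
            "debug_2_on_3": attempt(k.attach_debugger, 2, 3),
            "debug_2_on_1": attempt(k.attach_debugger, 2, 1)}
```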
Current thread:
- MS Singularity - singularly impossible? Dude VanWinkle (May 12)
- Re: MS Singularity - singularly impossible? Florian Weimer (May 13)
- Re: MS Singularity - singularly impossible? Valdis . Kletnieks (May 13)
- Re: MS Singularity - singularly impossible? Florian Weimer (May 13)