
Ring Security?

Posted: Thu Jan 03, 2008 4:02 am
by disks86
Ok, so I have been reading "Windows Internals" and in there it says that Windows only uses ring 0 "Kernel mode" & ring 3 "User mode". It also says the reason for this is that some processors that were supported in the past only supported two rings, for example Alpha.

Now it goes on to say that calls from lower (by that I mean higher than 0) rings are checked, and if they pass the check they switch to ring 0, complete their task, drop to ring 3, then return to the user process.

Now it also says that drivers run at ring 0 and that driver signing is an attempt to prevent users from installing poorly written or malicious drivers that could damage their system once running in ring 0, because they would have full access to kernel/OS resources.

Now for the question: could ReactOS make drivers run in ring 1 instead of ring 0? It seems like if this was possible, calls to the kernel/HAL could be validated before the call was switched to ring 0 to run. I'm sure setting up the gates would take time, but if the drivers have limited access then it seems like they would be less of a security threat.

I know peer-reviewed code like the drivers included with ReactOS shouldn't be a threat because they are just that, peer reviewed. However, 3rd party drivers may not be quite so trustworthy. Correct me if I'm wrong, but wouldn't this also improve system stability?


Anyway, if I'm correct, super; if not, please include details as to where I went astray, as this will help my learning process and help me to be a better member of the ReactOS community.

Posted: Thu Jan 03, 2008 4:42 am
by Z98
I foresee so much pain in compatibility breakage. Trying to move things around like that is not easy, especially without changing what you're moving. It's one of the problems Intel and AMD are facing in trying to run all operating systems in a virtual environment THEY provide.

Posted: Thu Jan 03, 2008 2:26 pm
by Ged
There is no concept of ring 1 in NT.

arg

Posted: Thu Jan 03, 2008 3:56 pm
by disks86
To Z98

I was afraid it would be a lot of work. But it seems like a good idea on paper, so I thought I would at least throw it out there.

So how does that work with user mode stuff? I'm pretty sure when you make a filesystem call the user code isn't aware it needs to ultimately use kernel mode to finish the job.

To Ged

Ah, straight and to the point. Yes, I know that Windows doesn't use ring 1 or 2, but from what I read that was more of a legacy compatibility issue. I guess the argument could be made that using only two rings would allow ReactOS to be ported to more architectures, but I thought some security on drivers would be an overall good thing.

To All

I guess maybe at best talking about modifying the Windows design should be tabled until we have the design working. But at least I know I hit on a valid point. Thank you for your feedback.

Re: arg

Posted: Fri Jan 04, 2008 3:00 pm
by Ged
disks86 wrote: Yes, I know that Windows doesn't use ring 1 or 2, but from what I read that was more of a legacy compatibility issue.
It's a design issue. The whole of NT is designed around the concept of umode and kmode i.e. 3 and 0. There is no scope or requirement to change this design. Doing so would require a complete new OS design with no benefit.

Posted: Sat Jan 05, 2008 1:38 pm
by oiaohm
Ring security: most OSes only use 2.

Due to speed issues. Xen is different: ring 0 is Xen, ring 1 is the OS kernel, ring 3 is for applications. So having free space is useful.

http://en.wikipedia.org/wiki/Ring_(computer_security) Please note the high cost of changing rings. It's normally just too expensive without motivation.

Posted: Mon Feb 11, 2008 12:58 pm
by etko
oiaohm: What about the fastcall instruction? That should make ring change less costly.

Posted: Tue Feb 12, 2008 5:24 am
by Jawmht
etko wrote: oiaohm: What about the fastcall instruction? That should make ring change less costly.
IIRC fastcall is a calling convention that just sends some of the parameters in the registers, which is completely different from ring changes. To change to kernel mode you must go through a 2E(?) interrupt and several other steps. I could be wrong, I haven't read up on this in a while.

Posted: Tue Feb 12, 2008 9:16 am
by oiaohm
fastcall makes no alteration. It is around 100 cycles to go both ways: about 70 to get into kernel mode and about 40 to get back. Now the more you have to do that bounce between rings, the more cost.

Linux has a few things: an insane option to run applications in kernel mode http://www.yl.is.s.u-tokyo.ac.jp/~tosh/kml/ and completely go without ring security. Yes, it saves a lot of clock ticks, but it's not without price.

Stacking things that need to be done in kernel space and sending them across in a block.

It's been a big problem with ring security from the start: the high processor time price.

Posted: Thu Feb 14, 2008 2:33 pm
by etko
I had SYSCALL/SYSRET & SYSENTER/SYSEXIT in mind, sorry to confuse. There was some post aeons ago on a mailing list or somewhere stating that ROS supports this. Should be fewer cycles.