On Fri, Sep 14, 2018 at 9:05 PM Andrew Warkentin andreww591@gmail.com wrote:
On 9/14/18, Paul Boddie paul@boddie.org.uk wrote:
On 9/14/18, John john.r.moser@gmail.com wrote:
The Kernel-CLR runtime is basically a fancy privileged service loader, and doesn't run userspace applications. Basically, if you can load a driver, you can get Kernel-CLR to process arbitrary input.
Then you effectively have a monolithic kernel, not a microkernel, if you have a kernel module loader and drivers run in the kernel's context rather than as normal processes. The whole point of a microkernel is to make an OS that's extensible through normal processes. A kernel module loader greatly increases the attack surface, even if you are using language features to protect kernel modules from one another (as a few people here have said, hardware-based protection is generally more robust than language-based protection).
It doesn't have to run at Ring-0 you know. Think about if you loaded a malicious network card driver into L4.
l4-hackers mailing list l4-hackers@os.inf.tu-dresden.de http://os.inf.tu-dresden.de/mailman/listinfo/l4-hackers