On 9/14/18, Paul Boddie <paul@boddie.org.uk> wrote:
On 9/14/18, John <john.r.moser@gmail.com> wrote:
>
> The Kernel-CLR runtime is basically a fancy privileged service loader, and
> doesn't run userspace applications. Basically, if you can load a driver,
> you can get Kernel-CLR to process arbitrary input.
>
Then you effectively have a monolithic kernel, not a microkernel, if
you have a kernel module loader and drivers run in the kernel's
context rather than as normal processes. The whole point of a
microkernel is to make an OS that's extensible through normal
processes. A kernel module loader greatly increases the attack
surface, even if you are using language features to protect kernel
modules from one another (as a few people here have said,
hardware-based protection is generally more robust than language-based
protection).
It doesn't have to run at Ring-0 you know. Think about if you loaded a malicious network card driver into L4.
_______________________________________________
l4-hackers mailing list
l4-hackers@os.inf.tu-dresden.de
http://os.inf.tu-dresden.de/mailman/listinfo/l4-hackers