Information on implementing L4

John john.r.moser at gmail.com
Sat Sep 15 03:49:05 CEST 2018


On Fri, Sep 14, 2018 at 9:36 PM Andrew Warkentin <andreww591 at gmail.com>
wrote:

>
>
> On Fri, Sep 14, 2018, 7:22 PM John <john.r.moser at gmail.com> wrote:
>
>>
>>
>> It doesn't have to run at Ring-0 you know.  Think about if you loaded a
>> malicious network card driver into L4.
>>
>
> No L4 kernel I'm aware of has any facility for loading drivers into the
> kernel. Drivers on L4 OSes are either regular processes that are allowed
> limited hardware access or are libraries loaded into such processes. From
> what it sounds like, you are wanting to run all privileged services in the
> same address space and hardware privilege level, relying solely on the CLR
> to enforce protection domains, which would be less secure than a formally
> verified microkernel using hardware protection.
>

Those processes with limited hardware access are able to do funny things.

The process that manages virtual memory, for example, can get into the
memory space of any process running on the system.  It crosses all security
boundaries.

If you load a rogue VFS driver, it can take over all file system access,
injecting code into software and crossing all security boundaries.

Your Ring-3 process scheduler isn't some user process like init or X11;
it's an OS service running at a high privilege level, able to manipulate
how the system runs.

A malicious Ring-3 microkernel networking service can eavesdrop on and MITM
everything going through networking.  It's a packet sniffer, dumper, and
network scanner running in a place with high amounts of control.

Yes, they have different virtual address spaces, they have Ring-3 execution
level, and they function as part of the operating system software instead
of the userland.  They don't load through the POSIX ABI and make mundane
calls; they PROVIDE the POSIX ABI.

So imagine if you loaded a malicious network card driver into L4.  It's
running Ring-3, it's passing IPC messages to the L4 kernel and to the TCP
stack, it has its own memory space, and it's tampering with your connection
and sending copies of bank data to a command and control server in Russia.


> _______________________________________________
> l4-hackers mailing list
> l4-hackers at os.inf.tu-dresden.de
> http://os.inf.tu-dresden.de/mailman/listinfo/l4-hackers
>