Two Rings Good, Four Rings Bad

> Perhaps I was not clear when I said “secure”. Secure means
> resists/withstands malicious attacks. NT has been plagued from its initial
> release with security holes.

Most of these holes were in the DCE RPC monster or in Internet Explorer and its
active content features, not in the core OS.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

And where did MS put many parts of Internet Exploder? Anyone? Yes, you in
the back…That’s right, embedded into the kernel and running in privilege
mode.

I think this thread has moved from the original topic of the relative
complexity/stability of a 2-ring OS design vs a 4-ring design. Each model
has its advantages and disadvantages over the other. In fact, many
real-time OSes run entirely in ring 0. Either design can be done well, and
either can be done very poorly. I think we have pointed out ways in which
MS has done well and places where they made glaringly poor decisions in the
OS design (L/RPC, internet browser in the kernel, windowing manager in the
kernel, etc) and how these decisions have produced an OS that has fallen
short of where it really could have been had they adhered more to their VMS
roots.

Perhaps the days of the highly stable and robust OS is over? Maybe people
are just no longer willing to wait a little longer and pay for quality?
Maybe everyone is now willing to accept crashes as a standard part of
computing? What does this have to do with 2 rings vs 4 rings? I dunno.
Just a topic, I guess.

Greg

“Gregory G. Dyess” wrote in message news:xxxxx@ntdev…

> Perhaps the days of the highly stable and robust OS is over?

Funny the first time I saw the above phrase was over 30 years ago, at the
time people were talking about VAX/VMS!!!


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

Umh, there are no parts of IE in the kernel. That is a bit ridiculous. http.sys does exist, but that is for a web *server* (IIS), not a web client.

d

> And where did MS put many parts of Internet Exploder? Anyone? Yes, you in
> the back…That’s right, embedded into the kernel and running in privilege
> mode.

What particular parts of IE are embedded to the kernel???

> MS has done well and places where they made glaringly poor decisions in the
> OS design (L/RPC, internet browser in the kernel

Where do you see Internet browser in the kernel??? MSHTML.DLL and others are
usual user-mode GUI DLLs.

I would say even more: modern web browser #1 will necessary suffer from the
same issues as IE suffers. The reason is that it is a very complex piece of
software which deals with active content. Some things about this active
content will be overlooked for sure, and, being the product #1, it will be the
main target for the malware authors.

I do not think Firefox or Opera have fewer bugs than IE. They are just not so
popular as malware targets, being not the #1 browser in the world.

Firefox, for instance, is known to have memory leaks for years (though fixed in
the recent builds probably) and thus sub-optimal memory use patterns.

As about open source GUI software… well, when I tried the Kate open-source
code editor (similar to Visual Studio 2003) - I immediately noticed several
bugs in its coloring options screen and syntax highlight. Sorry, but MS’s
software usually has no bugs noticeable just from 30 minutes of playing with
it.

And it is not only Kate. I’ve heard the same about OpenOffice.

> Perhaps the days of the highly stable and robust OS is over?

What is necessary on the market is features, features, features. Delivering
them is hurry, hurry, hurry. In-the-hurry made software will surely have
exploitable bugs.

Only enterprise software can concentrate on stability, the home/SOHO one
cannot - its target audience has other interests (like “being kool” :-) ),
and satisfying these interests leaves too small calendar and manpower resource
for robustness and stability.

> Maybe everyone is now willing to accept crashes as a standard part of
> computing?

On home and small office desktop it is already so. In the enterprises with
proper IT professionals - not so.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

> Umh, there are no parts of IE in the kernel. That is a bit ridiculous. http.sys
> does exist, but that is for a web *server* (IIS)

It is also for many small HTTP listeners like .NET Remoting server-side
infrastructure.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

I refer everyone to MS’es own testimony in the outrageous anti-trust lawsuit
brought by Clinton & company several years ago. Microsoft themselves pushed
the argument that IE could not be removed from the OS because it’s too
intertwined in the kernel.

I think this thread is about to turn into a flame-fest instead of a
discussion of the relative merits of a 2-ring vs 4-ring OS. As such, I’m
not going to respond any more.

Greg

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
Sent: Thursday, March 29, 2007 12:10 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Two Rings Good, Four Rings Bad

Umh, there are no parts of IE in the kernel. That is a bit ridiculous.
http.sys
does exist, but that is for a web *server* (IIS)

It is also for many small HTTP listeners like .NET Remoting server-side
infrastructure.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

So, people call bullshit on your assertion, and then you declare that you won’t post anymore? How convenient.

No one from Microsoft argued that IE could not be removed from the kernel. The argument was made that *components* of IE (such as the HTML rendering engine in MSHTML.DLL) could not be removed from the OS-as-a-whole, because other OS components (such as HTML Help) made use of them. Show me one component of IE that runs in the kernel.

You shouldn’t complain about impending flame wars, when you’re posting obviously bogus information.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Gregory G. Dyess
Sent: Thursday, March 29, 2007 1:30 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Two Rings Good, Four Rings Bad

I refer everyone to MS’es own testimony in the outrageous anti-trust lawsuit
brought by Clinton & company several years ago. Microsoft themselves pushed
the argument that IE could not be removed from the OS because it’s too
intertwined in the kernel.

I think this thread is about to turn into a flame-fest instead of a
discussion of the relative merits of a 2-ring vs 4-ring OS. As such, I’m
not going to respond any more.

Greg


Arlie Davis wrote:

> Try to imagine the excruciating number of combinations of paged/non-paged, 4x rings, and multiple drivers all communicating with each other.

Well, we were speaking theoretically, after all. I’m not advocating a
full-scale redesign of the operating system. I was merely trying to
point out that the concept was not without merit.

> If I allocate data at ring 1, and I pass it to a driver or OS component that runs at ring 0, what should happen? Boom?

Of course not. Why would it? I can allocate data at ring 3 and pass it
to a driver at ring 0 today. The situation is no different. The
software in the inner ring has to understand that outer ring data is
“less trusted”, but that’s not a bad thing to worry about.

> Now raise that number of combinations to the power of the average PNP device stack depth, and it quickly becomes obvious that more than 2 rings just causes insanity.

As I think about the design, all drivers would probably live at ring 1,
with core operating system services, and maybe the HAL, at ring 0.
However, I’ve only spent a few minutes thinking about it.

> At least if it is shoe-horned into an existing OS design, and not part of it from the beginning. (And I don’t know of any OS designed after 1980 where this was a feature. I’m sure the peanut gallery will point one out, though, if there is.)

You bet I will! The Control Data Cyber 180 mainframes included 16
rings. The design was strongly influenced by the Multics research. Its
native operating system, NOS/VE, designed in the early 1980s, only
assigned meaning to 8 of the rings. Applications lived in ring 11.
Subsystems (like database engines) lived in ring 8. Basic operating
system services lived in ring 5. I/O was done from ring 2. Rings in
between were used for “trusted” transitions. For example, code in ring 9
knew how to marshal data between ring 11 and ring 8, so that untrusted
data gained trust.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

KO, I was trying to prevent a flame war. My assertions are not bogus
either. Have you ever tried to build a Windows XP Embedded image without
IE? The kernel barfs all over itself.

Look, I was NOT trying to start a flame war. I merely pointed out that a
very stable OS used a 4-ring model and that OS was far more stable than NT
has or probably ever will be (even though it was actually the foundation of
a lot of the Windows NT code and architecture). That cannot possibly be
disputed by anyone who, as have I, done serious work at all levels (drivers,
kernel, user) for 25 years now (OK, that was my VMS longevity, NT only
since 1993 as a beta product).

If anyone wants to return this thread to a discussion of the relative merits
of a 2-ring vs a 4-ring architecture, I’ll be happy to discuss that in a
calm and professional manner.

BTW, MS lawyers DID claim that IE could not be removed from Windows because
it was too tightly integrated into the kernel.

Greg

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Arlie Davis
Sent: Thursday, March 29, 2007 12:38 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Two Rings Good, Four Rings Bad

So, people call bullshit on your assertion, and then you declare that you
won’t post anymore? How convenient.

No one from Microsoft argued that IE could not be removed from the kernel.
The argument was made that *components* of IE (such as the HTML rendering
engine in MSHTML.DLL) could not be removed from the OS-as-a-whole, because
other OS components (such as HTML Help) made use of them. Show me one
component of IE that runs in the kernel.

You shouldn’t complain about impending flame wars, when you’re posting
obviously bogus information.


Maxim S. Shatskih wrote:

> “Sauron” seems to be the good code name for hypervisor, like “Chicago” was
> for Win95 and “Whistler” was for XP :-))))

I’d have to vote for “MCP”. Tron remains one of my all-time favorite
movies. I want Dillinger’s desk!


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Sisimon E S wrote:

> I read somewhere that the Window/graphics managers in Windows NT is
> running in kernel mode. Is it really require to be in Ring 0 ?. I feel
> Ring 1 is the best place for Window manager. But the question still
> remains, will a bug in Ring 1 crash the machine ?

On the other hand, let’s say that there is a bug in the display driver,
and it lives in ring 3. If the display driver crashes, rendering your
display useless, is the experience any different than a ring 0 crash?
Now, for a server, that might be a perfectly survivable condition, and
indeed many ATMs continued to run Windows NT 3.51 long into the 21st
Century. For a workstation, a display driver crash is fatal, whether it
occurs in ring 0 or ring 3.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Actually, “fatal” isn’t quite right. I’ve already seen Vista survive crashes of the user-mode display driver, then restart the display driver, and then politely inform me that it just saved my bacon. Not so much as a window moved.

Not always possible, but I’m glad when it is!

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Tim Roberts
Sent: Thursday, March 29, 2007 2:03 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Two Rings Good, Four Rings Bad

Sisimon E S wrote:

> I read somewhere that the Window/graphics managers in Windows NT is
> running in kernel mode. Is it really require to be in Ring 0 ?. I feel
> Ring 1 is the best place for Window manager. But the question still
> remains, will a bug in Ring 1 crash the machine ?

On the other hand, let’s say that there is a bug in the display driver,
and it lives in ring 3. If the display driver crashes, rendering your
display useless, is the experience any different than a ring 0 crash?
Now, for a server, that might be a perfectly survivable condition, and
indeed many ATMs continued to run Windows NT 3.51 long into the 21st
Century. For a workstation, a display driver crash is fatal, whether it
occurs in ring 0 or ring 3.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.



If this were a courtroom, then the assertions of lawyers would be relevant. Fortunately, we’re discussing kernels in an engineering forum. And if you’ve been developing for 25 years now, you ought to know that IE doesn’t run in ring 0, and you ought to know better than to make such an assertion here.

I never said a 4-ring kernel can’t work. I said that the current commodity OSes (Windows, Linux, OS X, Sun OS, *nix, etc.) don’t use anything but 2-ring isolation, and that any sort of n>2-ring design needs to be part of the OS from the beginning, rather than shoe-horned into an existing design.

I’m all for better isolation, between kernel, drivers, apps, you name it. I’ve yet to see a retrofit that looks like anything but a retrofit, however. Good isolation design has to be there from the start. But if someone can hunt up interesting work on better isolation, I’m all ears. After all, it’s my day job.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Gregory G. Dyess
Sent: Thursday, March 29, 2007 1:56 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Two Rings Good, Four Rings Bad

KO, I was trying to prevent a flame war. My assertions are not bogus
either. Have you ever tried to build a Windows XP Embedded image without
IE? The kernel barfs all over itself.

Look, I was NOT trying to start a flame war. I merely pointed out that a
very stable OS used a 4-ring model and that OS was far more stable than NT
has or probably ever will be (even though it was actually the foundation of
a lot of the Windows NT code and architecture). That cannot possibly be
disputed by anyone who, as have I, done serious work at all levels (drivers,
kernel, user) for 25 years now (OK, that was my VMS longevity, NT only
since 1993 as a beta product).

If anyone wants to return this thread to a discussion of the relative merits
of a 2-ring vs a 4-ring architecture, I’ll be happy to discuss that in a
calm and professional manner.

BTW, MS lawyers DID claim that IE could not be removed from Windows because
it was too tightly integrated into the kernel.

Greg

Tim Roberts writes:
> Maxim S. Shatskih wrote:
> > “Sauron” seems to be the good code name for hypervisor, like “Chicago” was
> > for Win95 and “Whistler” was for XP :-))))
>
> I’d have to vote for “MCP”. Tron remains one of my all-time favorite
> movies. I want Dillinger’s desk!

Of course it has to be MCR, to complete a cycle, and keep Cutler’s
ghost happy.

> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.

Nikita.

Exactly. Even without a display it is possible to close apps and make graceful shutdown. At least, there is a good chance to avoid data loss. After BSOD all bets are off.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]


From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Arlie Davis[SMTP:xxxxx@microsoft.com]
Reply To: Windows System Software Devs Interest List
Sent: Thursday, March 29, 2007 8:10 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Two Rings Good, Four Rings Bad

Actually, “fatal” isn’t quite right. I’ve already seen Vista survive crashes of the user-mode display driver, then restart the display driver, and then politely inform me that it just saved my bacon. Not so much as a window moved.

Not always possible, but I’m glad when it is!


OK, I never said ALL of IE runs in ring 0. I said that IE is intertwined
into the kernel. Possibly you can argue semantics here, if you want to just
argue, then fine, go ahead. All I did was point out that a very stable OS
has 4 rings and is not unstable or overly complex simply because it has more
than 2 rings.

I am not in any way pushing for NT to try to modify to fit the VMS model.
Was it a good decision to drop that part of the VMS architecture? I don’t
know. I have learned that there is no ONE RIGHT answer, there are only
tradeoffs.

I was hoping this forum, being professionals, could have such a conversation
of the relative merits of 2 vs 4 rings. Apparently, I was incorrect. I
have been on this list for 5 or 6 years now. I have witnessed many flame
wars fought over completely tangential minutia. I tried to pull the
discussion back to the primary topic of 2 vs 4 rings. If everyone wants to
get back to that topic, I’d love to discuss it, otherwise, there is no point
in continuing.

Greg

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Arlie Davis
Sent: Thursday, March 29, 2007 1:24 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Two Rings Good, Four Rings Bad

If this were a courtroom, then the assertions of lawyers would be relevant.
Fortunately, we’re discussing kernels in an engineering forum. And if
you’ve been developing for 25 years now, you ought to know that IE doesn’t
run in ring 0, and you ought to know better than to make such an assertion
here.

I never said a 4-ring kernel can’t work. I said that the current commodity
OSes (Windows, Linux, OS X, Sun OS, *nix, etc.) don’t use anything but
2-ring isolation, and that any sort of n>2-ring design needs to be part of
the OS from the beginning, rather than shoe-horned into an existing design.

I’m all for better isolation, between kernel, drivers, apps, you name it.
I’ve yet to see a retrofit that looks like anything but a retrofit, however.
Good isolation design has to be there from the start. But if someone can
hunt up interesting work on better isolation, I’m all ears. After all, it’s
my day job.


> OK, I never said ALL of IE runs in ring 0. I said that IE is
> intertwined into the kernel.

In the same way that Notepad.exe is intertwined with the kernel.

Greg, there’s nothing unprofessional going on here. We *are* discussing the merits of different techniques for isolation. And if you want to moan about professionalism, perhaps using terms like “Internet Exploder” is not the best way to set an example, especially when it is irrelevant to the topic, and even misleading. (It’s an app, with no special privileges, not a driver.)

One of the problems with using rings (no matter how many) to implement isolation is that MMUs have very coarse granularity (pages), that you cannot easily transfer ownership of the data (you are forced either to use shared memory, or to copy between isolation spaces), and that there is a very real hardware cost (including significant runtime costs) associated with all of this protection. This is the main reason that so many subsystems on Windows have been pushed into shared address spaces – shared, either in the kernel (such as the GUI being moved into the kernel), or in user-mode processes. For example, a distressing number of services run in shared svchost.exe, for a variety of reasons (sharing per-process resources, such as thread pools, but also communicating). They also share, of course, fates.

I know this is wayyyyy off-topic for NTDEV, so this will be my last(*) post on the subject, but I would encourage anyone interested in isolation to read these papers (and others, available at http://research.microsoft.com/os/singularity/).

Deconstructing Process Isolation
http://research.microsoft.com/copyright/accept.asp?path=http://www.research.microsoft.com/os/publications/MSPC2006-%20Deconstructing%20Process%20Isolation.pdf&pub=ACM

Language Support for Fast and Reliable Message-based Communication in Singularity OS
http://www.cs.kuleuven.ac.be/conference/EuroSys2006/papers/p177-fahndrich.pdf

[* we’ll see]

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Gregory G. Dyess
Sent: Thursday, March 29, 2007 3:15 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Two Rings Good, Four Rings Bad

OK, I never said ALL of IE runs in ring 0. I said that IE is intertwined
into the kernel. Possibly you can argue semantics here, if you want to just
argue, then fine, go ahead. All I did was point out that a very stable OS
has 4 rings and is not unstable or overly complex simply because it has more
than 2 rings.

I am not in any way pushing for NT to try to modify to fit the VMS model.
Was it a good decision to drop that part of the VMS architecture? I don’t
know. I have learned that there is no ONE RIGHT answer, there are only
tradeoffs.

I was hoping this forum, being professionals, could have such a conversation
of the relative merits of 2 vs 4 rings. Apparently, I was incorrect. I
have been on this list for 5 or 6 years now. I have witnessed many flame
wars fought over completely tangential minutia. I tried to pull the
discussion back to the primary topic of 2 vs 4 rings. If everyone wants to
get back to that topic, I’d love to discuss it, otherwise, there is no point
in continuing.

Greg


> Century. For a workstation, a display driver crash is fatal, whether it
> occurs in ring 0 or ring 3.

Strictly speaking, not so. This can only mean crash of all GUI apps and restart
of the whole GUI subsystem. This is not a kernel crash.

Anyway, mass-market users want graphics speed, and message-passing graphics
like in UNIXen and in NT-pre-4 is too slow.

Linux is noticeably slower on graphics, both 2D and 3D. It can be faster as a
whole in some configurations due to lots of complex issues like smaller amount
of services running, but, if you will run just a graphics engine performance
measurement test - it will lose on this test.

That’s why NT moved the GUI engine to the kernel.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Tim,

> As I think about the design, all drivers would probably live at ring 1,
> with core operating system services, and maybe the HAL, at ring 0.
> However, I’ve only spent a few minutes thinking about it.

Think about it a little bit more, and you will understand that there are just 2 types of code

  1. Privileged code that is able to crash the OS

  2. Unprivileged one that is unable to do the above, because it is unable to execute privileged instructions and because privileged code validates all parameters that it receives from unprivileged one.

Even if you introduce sub-gradation of unprivileged code by using the additional protection rings,
validation of calls that it makes still has to be *exactly* the same for all sub-levels (think about it carefully, and you will understand why it works this way). In other words, as far as system reliability is concerned, you need just 2 and not 4 protection levels

In other words, although at the first glance it seems that 4 protection rings may be useful, after a bit of thinking it becomes obvious that you don’t need more than just 2 of them, no matter how you look at it

Anton Bassov
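
Added example, not part of any post in this thread: the check the discussion keeps returning to (inner-ring code treating outer-ring data as less trusted and validating it on behalf of the caller) as a small constructed C model with rings 0 to 3. The region layout, `gate_copy_in` and the status codes are hypothetical and do not correspond to any Windows, VMS or NOS/VE interface.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not real hardware: a small flat "address space" cut
 * into regions, each tagged with the outermost (least privileged) ring
 * that may touch it. Ring 0 is the most privileged. */
struct region {
    uint32_t base;
    uint32_t size;
    int      max_ring;
};

static uint8_t memory[0x3000];

static const struct region regions[] = {
    { 0x0000u, 0x1000u, 0 },   /* core OS data: ring 0 only  */
    { 0x1000u, 0x1000u, 1 },   /* driver data: rings 0 and 1 */
    { 0x2000u, 0x1000u, 3 },   /* application data: any ring */
};

enum gate_status {
    GATE_OK            =  0,
    GATE_TOO_LARGE     = -1,
    GATE_BAD_RANGE     = -2,
    GATE_ACCESS_DENIED = -3
};

/* Find the single region that fully contains [addr, addr + len).
 * Uses subtraction so that addr + len can never wrap around. */
static const struct region *find_region(uint32_t addr, uint32_t len)
{
    size_t i;
    for (i = 0; i < sizeof regions / sizeof regions[0]; i++) {
        const struct region *r = &regions[i];
        if (addr < r->base)
            continue;
        uint32_t off = addr - r->base;
        if (off < r->size && len <= r->size - off)
            return r;
    }
    return NULL;
}

/* Gate executed by an inner ring on behalf of a caller in caller_ring.
 * The access check uses the CALLER's ring, not the gate's own, so the
 * gate cannot be tricked into reading memory the caller could not read.
 * The data is then copied ("captured") into the gate's private buffer,
 * so later changes by the caller cannot alter what was validated. */
int gate_copy_in(int caller_ring, uint32_t addr, uint32_t len,
                 uint8_t *out, size_t out_cap)
{
    const struct region *r;

    if (len > out_cap)
        return GATE_TOO_LARGE;
    r = find_region(addr, len);
    if (r == NULL)
        return GATE_BAD_RANGE;          /* unmapped or straddles a region */
    if (caller_ring > r->max_ring)
        return GATE_ACCESS_DENIED;      /* caller is not allowed in there */
    memcpy(out, &memory[addr], len);
    return GATE_OK;
}

int main(void)
{
    uint8_t buf[16];

    memset(&memory[0x0000], 'K', 16);   /* constructed ring-0 data */
    memset(&memory[0x2000], 'A', 16);   /* constructed application buffer */

    printf("ring 3 -> own buffer:   %d\n",
           gate_copy_in(3, 0x2000u, 16, buf, sizeof buf));
    printf("ring 3 -> ring-0 data:  %d\n",
           gate_copy_in(3, 0x0000u, 16, buf, sizeof buf));
    printf("ring 1 -> ring-0 data:  %d\n",
           gate_copy_in(1, 0x0000u, 16, buf, sizeof buf));
    printf("ring 3, straddles end:  %d\n",
           gate_copy_in(3, 0x2ff8u, 16, buf, sizeof buf));
    return 0;
}
```

The same three checks (size, range, caller's access) run whether the caller is in ring 1 or ring 3; only the `caller_ring` value compared against the region tag differs.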