But it all boils down to one simple concept - you have a privileged core which has access to data & instructions which the unpriviledged code can’t be trusted with, and you have unpriviledged code which doesn’t.
Within that unpriviledged code you probably have a great deal of differentiation - different processes, layered components that talk to each other over LPC/RPC, security groups, etc.
The sticking point seems to be whether this needs to be done with “Rings”. I propose it doesn’t. As long as you can make a strong line between priviledged and non-priviledged code/data, and as long as you can compartmentalize non-priviledged code/data it doesn’t really matter if the processor supports 2 levels of execution or 2 + N (the 2 is pretty important though )
X86 Rings are difficult to use well - at least as far as I’ve thought it through. Unless you can really hurt portability and use segments (and 48 bit pointers screw portability no matter how clever you are with them) the fact that the MMU only supports two levels of protection makes it very hard to do calls through the intermediate rings because you have no way to protect the code & stack of the inner rings without having per-thread page tables. So regardless of whether “rings” are good or not, Windows doesn’t run on a processor today (and hasn’t really in the past) where they aren’t more trouble than they’re worth.
-p
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Gregory G. Dyess
Sent: Friday, March 30, 2007 7:01 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Two Rings Good, Four Rings Bad
I disagree, slightly. You’re only looking at privileged vs non-privileged
*instructions*. There’s more to an OS than just instructions. There are
data structures, some of which are more sensitive than others. By putting
the most sensitive data structures at the innermost ring, you can grant a
device driver access to its registers/memory without granting it access to
the PFN database or scheduling structures or something outside its own
structures.
In addition to rings, there are compartments. Instead of thinking in terms
of rings, think in terms of layers (horizontal). In addition to layers,
there are vertical separations (compartments). The OS can compartmentalize
code in “semi-privileged” layers into different compartments, much like what
happens with user-mode processes.
Of course, all of this has to be designed into the OS from the beginning.
It cannot be shoe-horned in later. Just my $0.02 worth based upon
observation of and working with actual, highly stable, commercial OS
implementations.
Greg
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@hotmail.com
Sent: Thursday, March 29, 2007 10:56 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Two Rings Good, Four Rings Bad
Tim,
As I think about the design, all drivers would probably live at ring 1,
with core operating system services, and maybe the HAL, at ring 0.
However, I’ve only spent a few minutes thinking about it.
Think about it a little bit more, and you will understand that there are
just 2 types of code
-
Privileged code that is able to crash the OS
-
Unprivileged one that is unable to do the above, because it is unable to
execute provileged instructions and because provileged code validates all
parameters that it receives from unprivileged one.
Even if you introduce sub-gradation of unprivileged code by using the
additional protection rings,
validation of calls that it makes still has to be *exactly* the same for all
sub-levels (think about it carefully, and you will understand why it works
this way). In other words, as far as system reliability is concerned, you
need just 2 and not 4 protection levels
In other words, although at the first glance it seems that 4 protection
rings may be usefull, after a bit thinking it becones obvious that you don’t
need more than just 2 of them, no matter how you look at it
Anton Bassov
Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer