Date:      Tue, 13 Nov 2001 13:28:39 +0300
From:      "Nickolay A.Kritsky" <nkritsky@internethelp.ru>
To:        Matthew Dillon <dillon@apollo.backplane.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re[2]: FreeBSD and i386 VM hardware
Message-ID:  <2758909837.20011113132839@internethelp.ru>
In-Reply-To: <200111121952.fACJqLZ06073@apollo.backplane.com>
References:  <01b301c16918$be1763a0$0a00000a@atkielski.com> <200111121952.fACJqLZ06073@apollo.backplane.com>

Hello Matthew,

Monday, November 12, 2001, 10:52:21 PM, you wrote:


MD> :To what extent does FreeBSD actually use all the fancy virtual-memory features
MD> :of latter-day i386 processors?  As I recall (it has been several years since I
MD> :looked into it), the Intel microprocessors provide some very elaborate features
MD> :for management of virtual memory, I/O operations, and security, allowing total
MD> :hardware isolation of untrusted processes.  How much of this is used by FreeBSD?
MD> :I know that UNIX is supposed to isolate users from each other, but how much of
MD> :this is done in hardware, and how much of it is simulated in software?  Very
MD> :tight security usually requires a lot of interdependency between the hardware
MD> :and the OS, and since UNIX is supposed to be a multiplatform OS, I'm wondering
MD> :how much hardware support for security is actually used by the system.

MD>     Well, all UNIX OS's running on Intel hardware, including FreeBSD,
MD>     use most of the major MMU/VM features of the processor.  Not all of
MD>     them, because some just don't work properly, but certainly most of
MD>     them.  For example, FreeBSD uses ring 0 and ring 3 but ring 1 and ring 2
MD>     are completely useless to us due to the way interrupt stacks are designed
MD>     in the Intel architecture.  We use 4K MMU pages predominantly but only
MD>     use 4M MMU pages in certain (kernel-related) situations.  At least for
MD>     the moment.  We use interrupt and trap gates but do not use the 
MD>     call-argument-crossing-ring-boundary or hardware tasking crap.

MD>     This is really true of all UNIXes... it is the UNIX model, after all!
MD>     While it is possible for root processes to access portions of the
MD>     hardware directly, the number that do can be counted on one hand, 
MD>     must ask for it explicitly, and the feature can be disabled through the
MD>     securelevel sysctl.

MD>                                         -Matt
MD>                                         Matthew Dillon 
MD>                                         <dillon@backplane.com>

        Maybe it is not so important, but I think that Matt has forgotten
something. In i386 Intel has implemented two independent branches
of hardware-level security - segment-level and page-level. Segment-level
security is IMHO `stronger' than page-level, because it can mark
some areas as Readable_But_Not_eXecutable, which page-level security
can't, and has some other features.
Since FreeBSD uses the `flat' memory model, it does not make
much use of Intel's segment registers. I mean that all of DS,
ES, SS are pointing to one `flat' descriptor with the same base, limit and
permissions. The CS descriptor is somewhat different in limit (I do not
know why yet). Thus all security (at least for userland) relies on page-level
security, which consists of only two bits: Readable/Writable and Supervisor/User.
I suppose that there were some strong reasons for the FreeBSD team to
choose the page-level security model instead of segment-level. If you want
to know these reasons you should ask the FreeBSD team directly. Their
emails are at http://www.freebsd.org/doc/en_US.ISO8859-1/articles/contributors/staff-core.html

Summary: FreeBSD uses _some_ i386 security features, but not
_most_ of them. Anyway, I suppose that your question has little to
do with freebsd-security, and you had better contact the freebsd-hardware,
freebsd-hackers or maybe freebsd-core mailing lists for further
information, or send e-mails directly to me if you need some
explanations of this posting. I strongly advise you to read the "Intel Architecture
Software Developer's Manual", which can be found on Intel's FTP
servers (I don't have the correct links right now).

Good Luck

PS: I am using FreeBSD 3.3-RELEASE, so some changes since that
version are possible that contradict my words.

;-------------------------------------------
; NKritsky
; SysAdmin InternetHelp.Ru
; http://www.internethelp.ru
; mailto:nkritsky@internethelp.ru
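The contrast the message draws between page-level and segment-level protection on the i386, decoded in C as an added example (this is not code from the thread or from FreeBSD). It reads the two protection bits of a 32-bit non-PAE page-table entry (R/W and U/S) and the type/DPL fields of a code or data segment descriptor, following the bit layouts in the Intel manual the message refers to, and shows why a PTE alone cannot express "readable but not executable": a present page is always fetchable as code, while a data segment descriptor never is. The sample PTE and descriptor values are constructed for illustration (typical flat-model encodings), not dumped from a running system.

```c
#include <stdint.h>
#include <stdio.h>

/* Bits of a 32-bit (non-PAE) i386 page-table entry. */
#define PTE_P   (1u << 0)   /* present */
#define PTE_RW  (1u << 1)   /* 0 = read-only, 1 = read/write */
#define PTE_US  (1u << 2)   /* 0 = supervisor only, 1 = user accessible */

/* Fields of the high dword of an 8-byte segment descriptor. */
#define DESC_TYPE_SHIFT 8       /* bits 8..11: type */
#define DESC_S          (1u << 12) /* 1 = code/data segment, 0 = system */
#define DESC_DPL_SHIFT  13      /* bits 13..14: descriptor privilege level */
#define DESC_P          (1u << 15) /* present */

struct access {
    int user;   /* reachable from ring 3? */
    int read;
    int write;
    int exec;
};

/* Page-level: a present page is always readable and always fetchable as
 * code (no execute bit exists in the 32-bit PTE); R/W adds write access,
 * U/S adds ring-3 access. A non-present page grants nothing. */
struct access pte_access(uint32_t pte) {
    struct access a = {0, 0, 0, 0};
    if (!(pte & PTE_P))
        return a;
    a.read  = 1;
    a.exec  = 1;
    a.write = (pte & PTE_RW) != 0;
    a.user  = (pte & PTE_US) != 0;
    return a;
}

/* Segment-level: the type field of a code/data descriptor encodes
 *   bit 11 (0x8): 1 = code segment, 0 = data segment
 *   code: bit 9 (0x2) = readable (else execute-only)
 *   data: bit 9 (0x2) = writable (else read-only)
 * so execute-only and read-only-but-executable are expressible here. */
struct access desc_access(uint32_t high) {
    struct access a = {0, 0, 0, 0};
    if (!(high & DESC_P) || !(high & DESC_S))
        return a;                       /* absent or system descriptor */
    unsigned type = (high >> DESC_TYPE_SHIFT) & 0xFu;
    unsigned dpl  = (high >> DESC_DPL_SHIFT) & 3u;
    a.user = (dpl == 3);
    if (type & 0x8u) {                  /* code segment */
        a.exec  = 1;
        a.read  = (type & 0x2u) != 0;
        a.write = 0;                    /* code segments are never writable */
    } else {                            /* data segment */
        a.read  = 1;
        a.write = (type & 0x2u) != 0;
        a.exec  = 0;                    /* data segments are never executable */
    }
    return a;
}

static void show(const char *what, struct access a) {
    printf("%-24s %s %c%c%c\n", what, a.user ? "user" : "kern",
           a.read ? 'r' : '-', a.write ? 'w' : '-', a.exec ? 'x' : '-');
}

int main(void) {
    /* Constructed sample values, not taken from a live system. */
    show("PTE P|RW|US (0x7)",     pte_access(0x00000007u));
    show("PTE P|US    (0x5)",     pte_access(0x00000005u));  /* read-only yet executable */
    show("flat user code desc",   desc_access(0x00CFFA00u)); /* type 0xA: code, readable */
    show("flat user data desc",   desc_access(0x00CFF200u)); /* type 0x2: data, writable */
    show("flat kernel data desc", desc_access(0x00CF9200u)); /* DPL 0 */
    return 0;
}
```

The second PTE line is the case the message has in mind: with only R/W and U/S available, a user page can be made read-only, but the processor will still execute it. The descriptor lines show the distinction a data descriptor can express, which is lost once every segment register points at one flat descriptor covering the whole address space.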
