comp.lang.ada
From: Shark8 <onewingedshark@gmail.com>
Subject: Re: Arbitrary Sandbox
Date: Fri, 17 Feb 2012 20:47:36 -0800 (PST)
Message-ID: <e10bf38c-3c48-4fa4-bb0a-e61211aee90d@f30g2000yqh.googlegroups.com>
In-Reply-To: jhh6qr$9av$1@munin.nbi.dk

On Feb 15, 3:07 pm, "Randy Brukardt" <ra...@rrsoftware.com> wrote:
> "Shark8" <onewingedsh...@gmail.com> wrote in message
>
> news:203d63cf-42a9-49ef-82cd-943d77b5e438@c21g2000yqi.googlegroups.com...
> On Feb 11, 8:10 pm, "Randy Brukardt" <ra...@rrsoftware.com> wrote:
>
> >> Windows and Unix-based systems do not have a properly designed (native)
> >> runtime environment -- stuff we did to make Janus/Ada more secure on DOS
> >> extenders in the 1980s never made it to OS environments).
>
> >Could you elaborate on that? (Both what's needed to make such an
> >environment and what was done on Janus/Ada.)
>
> The vast majority of programs do not have self-modifying code, and it
> shouldn't be possible for them to run such code in any way. If that's the
> case, most code-injection attacks cannot happen.
>
> We used the native segmentation of the Intel hardware to completely separate
> code and data in Janus/Ada programs. It was impossible to accidentally
> execute data simply because the data wasn't even in the same address space.
>
> Of course, some programs do need self-modifying code, and an OS would have
> provided an API for that purpose. But it should have been rarely used.
>
> Now, I recognize that DEP was added to Intel hardware to provide some of
> this protection, but the problem is that a lot of programs can't use it
> because of the basic architectural mistake (including GNAT programs until
> recently, which is why I had to leave it off on my computer - boo). Plus
> requiring a new feature to get this protection is annoying as it was always
> available in Intel hardware (back to 80286); people just had to use it and
> they didn't. (I think that was a consequence of Windows NT copying the bad
> Unix memory model more than an intentional decision - and of course the
> security issues hadn't popped up so much then). [Aside: Intel has
> de-emphasized segments in modern hardware to the point that you probably
> couldn't do this today, as you would pay a nasty performance price. Boo
> again (understandable, though).]
>
>                                                 Randy.

You know, I always wondered why they (developers, and OS designers)
didn't take advantage of segments. It seems to be a very nice way to
enforce security. (As you said, going all the way to the 286.)

I realize that the flat memory model is simpler, in concept, and
likely the programming community wanted to be able to "just take the
integer value of the location"... and likely was a "cheap-and-dirty"
way of handling inter-process communication. But isn't such a layout/
usage almost asking for abuse (as you can then just fiddle around
in memory), and asking for both uncontrolled memory usage (leaks) and
unauthorized access (like you mentioned about self-modifying code)?

Though, that does bring to mind a design question: what is/are the
best way(s) to handle inter-process communication in a general-purpose
OS?
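Randy's point that many programs could not use DEP has a visible counterpart on Linux: a binary can ask the loader for an executable stack through its PT_GNU_STACK program header, which is the opt-out a defender checks for before assuming non-executable data protection applies. The following C is an added example, not code from this thread or from Janus/Ada; it parses a little-endian ELF64 image in memory (constants taken from the ELF specification rather than <elf.h>) and classifies the stack policy, and it builds a constructed sample image for demonstration rather than reading a real binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ELF64 constants from the ELF specification, so this builds without <elf.h>. */
#define PT_GNU_STACK 0x6474e551u   /* program header describing stack permissions */
#define PF_X 1u                    /* executable bit in p_flags */
#define EHDR_SIZE 64
#define PHDR_SIZE 56

enum stack_policy { STACK_BAD_ELF = -1, STACK_NO_HEADER = 0, STACK_NX = 1, STACK_EXEC = 2 };

static uint64_t rd_le(const unsigned char *p, int n)   /* little-endian field read */
{
    uint64_t v = 0;
    for (int i = n - 1; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Walk the program headers of a little-endian ELF64 image held in memory and
   report whether it asks the loader for an executable stack. */
enum stack_policy elf64_stack_policy(const unsigned char *img, size_t len)
{
    if (len < EHDR_SIZE || memcmp(img, "\x7f" "ELF", 4) != 0) return STACK_BAD_ELF;
    if (img[4] != 2 || img[5] != 1) return STACK_BAD_ELF;        /* ELFCLASS64, LSB only */
    uint64_t phoff = rd_le(img + 32, 8);
    uint64_t phentsize = rd_le(img + 54, 2), phnum = rd_le(img + 56, 2);
    if (phentsize < PHDR_SIZE) return STACK_BAD_ELF;
    for (uint64_t i = 0; i < phnum; i++) {
        uint64_t off = phoff + i * phentsize;
        if (off > len || len - off < PHDR_SIZE) return STACK_BAD_ELF;   /* truncated table */
        uint32_t type = (uint32_t)rd_le(img + off, 4), flags = (uint32_t)rd_le(img + off + 4, 4);
        if (type == PT_GNU_STACK) return (flags & PF_X) ? STACK_EXEC : STACK_NX;
    }
    return STACK_NO_HEADER;   /* no header: the loader's default applies */
}

/* Constructed sample (not a real binary): a bare ELF64 header plus one
   PT_GNU_STACK entry carrying the given p_flags, then classified. */
enum stack_policy policy_of_constructed(uint32_t stack_flags)
{
    unsigned char buf[EHDR_SIZE + PHDR_SIZE] = {0};
    memcpy(buf, "\x7f" "ELF", 4);
    buf[4] = 2; buf[5] = 1; buf[6] = 1;                 /* 64-bit, little-endian, version 1 */
    buf[32] = EHDR_SIZE;                                /* e_phoff: table right after header */
    buf[54] = PHDR_SIZE; buf[56] = 1;                   /* e_phentsize, e_phnum */
    memcpy(buf + EHDR_SIZE, "\x51\xe5\x74\x64", 4);     /* p_type = PT_GNU_STACK, LSB */
    buf[EHDR_SIZE + 4] = (unsigned char)stack_flags;    /* p_flags: R/W/X fit in one byte */
    return elf64_stack_policy(buf, sizeof buf);
}
```

To audit a real executable, read the file into a buffer and pass it to elf64_stack_policy; `readelf -l` prints the same GNU_STACK entry and its RWE flags for comparison.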
