comp.lang.ada
From: Robert A Duff <bobduff@shell01.TheWorld.com>
Subject: Re: Arbitrary Sandbox
Date: Wed, 07 Mar 2012 08:05:33 -0500
Message-ID: <wcceht4o92a.fsf@shell01.TheWorld.com>
In-Reply-To: jj3nu0$1bh$1@munin.nbi.dk

"Randy Brukardt" <randy@rrsoftware.com> writes:

>> You mean "already there" in 386/pentium?  Languages don't use it because
>> it's inefficient, and because whatever segmentation can do can be done
>> better by some combination of software and paging.
>
> The only reason it is "inefficient" was because OSes didn't use it.

And OSes didn't use it for the reasons I stated.  It's a
cyclic thing -- I'm sure Intel could have made it faster if there
was demand.

But there's an inherent inefficiency in segmentation: the size of
all your pointers doubles.  Or to look at it the other way around,
for any given amount of address space, it's split inconveniently.
With the amount of memory I can afford today, a 32-bit segment
number plus a 32-bit offset wouldn't be enough (both too few
segments and segment size too small).  64-bit seg num plus
64-bit offset?  OK, big enough, but inefficient.  64-bit flat
address space: perfect!  ;-)

>... That is, 
> it was quite efficient on an 386 (the only big expense occurs when reloading 
> segment registers, and that was something that occurred very rarely in the 
> two-segment model we used).

OK, I have no idea what two-segment model you used.  I was picturing
some sort of one-heap-object-per-segment model, and that sort of
thing, which some folks have advocated as a "solution" to the
problem of indexing out of bounds in languages that don't
require detection of that.

> As far as "software" and "paging" being able to do anything, this makes no 
> sense at all. Pages on the x86 architecture don't (or at least didn't until 
> fairly recently) have any memory permissions associated with them, so it was 
> impossible to use that to prevent executing data.

They had read/write bits and user/supervisor bits (per page) as far
back as 80386.  You're right that execute permission was a glaring
omission.  And even that isn't such a big deal if you use languages
that have array bounds checking -- like Ada (to bring this slightly
back on topic!).  Note that a no-execute stack doesn't prevent
security problems if you can overwrite return addresses -- you
can make them point to snippets of legitimate (executable) code.

But if you allow me to forget about x86 misfeatures, I stand by my
statement, "whatever segmentation can do can be done better by some
combination of software and paging" -- assuming a well designed
paging system.  And assuming well designed programming languages!

- Bob
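The exchange above turns on what x86 paging could express per page: the 80386 had read/write and user/supervisor bits, execute permission came much later (the XD/NX bit in PAE and long-mode entries, honoured only when IA32_EFER.NXE is set), and a no-execute stack alone does not stop return-address overwrites that reuse existing code. The following C model is an added example, not code from the post or from either participant. It decodes the permission bits of a page-table entry, decides whether the MMU would allow a given access, and flags pages that are both writable and executable (the W^X property an OS enforces in software on top of paging). The `nxe` flag models IA32_EFER.NXE; when it is off, bit 63 is ignored, which is the 80386-era situation Bob describes. CR0.WP is assumed clear (supervisor writes to read-only pages succeed, as on the 80386), and SMEP/SMAP are not modelled; the frame addresses in `main` are constructed sample values.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Bit layout of an x86 page-table entry (PTE). Bits 0-2 are unchanged since
 * the 80386; the execute-disable (XD/NX) bit 63 exists only in PAE and
 * long-mode (64-bit) entries and only takes effect when IA32_EFER.NXE is set. */
#define PTE_PRESENT   (1ULL << 0)
#define PTE_RW        (1ULL << 1)   /* 0 = read-only, 1 = writable         */
#define PTE_US        (1ULL << 2)   /* 0 = supervisor only, 1 = user access */
#define PTE_NX        (1ULL << 63)  /* 1 = no instruction fetch from page   */
#define PTE_ADDR_MASK 0x000FFFFFFFFFF000ULL  /* bits 12-51: physical frame */

enum access_kind { ACCESS_READ, ACCESS_WRITE, ACCESS_EXEC };

/* Decide whether the MMU would allow an access, following the checks the
 * page walk applies. `nxe` models IA32_EFER.NXE: with it off (assumption:
 * 80386-style behaviour), bit 63 is ignored and every readable page is
 * executable. CR0.WP is assumed clear, so supervisor writes to read-only
 * pages succeed. SMEP/SMAP are not modelled. */
bool pte_allows(uint64_t pte, enum access_kind kind, bool user, bool nxe)
{
    if (!(pte & PTE_PRESENT))
        return false;                       /* page fault: not present */
    if (user && !(pte & PTE_US))
        return false;                       /* user touching supervisor page */
    switch (kind) {
    case ACCESS_READ:
        return true;
    case ACCESS_WRITE:
        return user ? (pte & PTE_RW) != 0 : true;
    case ACCESS_EXEC:
        return !(nxe && (pte & PTE_NX));
    }
    return false;
}

/* W^X check: a present page must not be both writable and executable.
 * Without NXE every writable page is executable, so the check always fires. */
bool pte_is_wx(uint64_t pte, bool nxe)
{
    return (pte & PTE_PRESENT) && (pte & PTE_RW) && !(nxe && (pte & PTE_NX));
}

/* Build a PTE from a frame address and the desired permission flags. */
uint64_t make_pte(uint64_t phys, bool writable, bool user, bool noexec)
{
    uint64_t pte = (phys & PTE_ADDR_MASK) | PTE_PRESENT;
    if (writable) pte |= PTE_RW;
    if (user)     pte |= PTE_US;
    if (noexec)   pte |= PTE_NX;
    return pte;
}

int main(void)
{
    /* Constructed sample: a user stack page (RW, NX) and a user code page (RX).
     * The frame addresses are made up for the example. */
    uint64_t stack = make_pte(0x0000000012345000ULL, true,  true, true);
    uint64_t code  = make_pte(0x0000000000400000ULL, false, true, false);

    printf("stack: write=%d exec(NXE on)=%d exec(NXE off)=%d\n",
           pte_allows(stack, ACCESS_WRITE, true, true),
           pte_allows(stack, ACCESS_EXEC,  true, true),
           pte_allows(stack, ACCESS_EXEC,  true, false));
    printf("code:  write=%d exec=%d W^X violation=%d\n",
           pte_allows(code, ACCESS_WRITE, true, true),
           pte_allows(code, ACCESS_EXEC,  true, true),
           pte_is_wx(code, true));
    return 0;
}
```

Running it with NXE on shows the stack page is writable but not executable and the code page executable but not writable, which is the state a W^X policy wants; flipping `nxe` off makes the same stack page executable again, which is exactly the 80386-era gap Bob calls a glaring omission. It also illustrates why NX is only part of the answer: the code page stays legitimately executable, so a corrupted return address that points into it is not caught by these bits at all, which is why bounds checking in the language (or a separate control-flow defence) still matters.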
