Application commands

Questions about which tools to use, bugs, the best way to implement a function, etc. should go here. Don't forget to see if your question is answered in the wiki first! When in doubt, post here.
intel_breaker

Re: Application commands

Post by intel_breaker »

Call gates are available only on the i386p+ (it's slower than interrupts; I used call gates in an early stage of my OS, now I use interrupts ;)
bontanu

Re: Application commands

Post by bontanu »

Call gates have been there to use starting from the first protected mode on the i386 ;) they are pretty clearly described in the Intel CPU manuals (System Programming).

Besides, the fastest way to call an API is to simply CALL it, a NEAR call I mean -> one without any ring switch and no protection in a flat memory model... like I do in SolarOS.

You cannot beat that speed ;) but you lose protection... well, as if that is any loss at all.

For speed considerations Windows did the same, but for security they "wisely" chose to move most of the API into ring-3 user space... and you know that this generated a lot of problems :D but it has given them great speed of execution when compared with Linux/Unix variants.

The full ring protection switch is simply too slow to be bearable without clear performance loss... that is a fact. You can choose between very secure and very slow, or insecure but much faster. Windows tries to do something in between because, commercially speaking, a slow OS has problems flying...


Ring protection / switching is slow any way you do it. Slow with INTs or with call gates. Recently Intel added SYSCALL to speed this up, to no real success apparently.

However, the discussion was based on the assumptions regarding parameter transfer (via registers versus via the stack) in the context of an API call...

The ring-3 to ring-0 switch and back is another issue (related).
Last edited by bontanu on Tue Aug 23, 2005 11:00 pm, edited 1 time in total.
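The two mechanisms argued about above (call gates and interrupt/SYSCALL entry) differ mainly in how the CPU decides who may cross the ring boundary. As an added example that is not part of any post in this thread, the C below encodes a 32-bit x86 call gate descriptor in the layout the Intel manuals give, decodes it back, and applies the privilege check the processor performs on a far CALL through the gate (caller's CPL and selector RPL must not exceed the gate's DPL; the target code segment's DPL must not exceed the caller's CPL). The selector, offset, DPL and parameter count values are made up for the demonstration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* 32-bit call gate descriptor, as laid out in the Intel SDM (vol. 3, "Call Gates").
 * 8 bytes, viewed as two 32-bit words:
 *   low  bits  0-15 : target offset 15:0
 *   low  bits 16-31 : target code segment selector
 *   high bits  0-4  : parameter count (dwords copied from the caller's stack
 *                     to the new-privilege stack on a stack switch)
 *   high bits  8-11 : type, 0xC = 32-bit call gate
 *   high bit  12    : S = 0 (system descriptor)
 *   high bits 13-14 : DPL of the gate
 *   high bit  15    : P (present)
 *   high bits 16-31 : target offset 31:16
 */
#define GATE_TYPE_CALL32 0xCu

typedef struct {
    uint32_t low;
    uint32_t high;
} gate_desc_t;

gate_desc_t make_call_gate(uint16_t selector, uint32_t offset,
                           unsigned dpl, unsigned param_count)
{
    gate_desc_t g;
    g.low  = ((uint32_t)selector << 16) | (offset & 0xFFFFu);
    g.high = (offset & 0xFFFF0000u)
           | (1u << 15)                  /* present */
           | ((dpl & 3u) << 13)
           | (GATE_TYPE_CALL32 << 8)     /* bit 12 (S) stays clear: system descriptor */
           | (param_count & 0x1Fu);
    return g;
}

uint16_t gate_selector(gate_desc_t g)    { return (uint16_t)(g.low >> 16); }
uint32_t gate_offset(gate_desc_t g)      { return (g.high & 0xFFFF0000u) | (g.low & 0xFFFFu); }
unsigned gate_dpl(gate_desc_t g)         { return (g.high >> 13) & 3u; }
unsigned gate_param_count(gate_desc_t g) { return g.high & 0x1Fu; }
unsigned gate_type(gate_desc_t g)        { return (g.high >> 8) & 0xFu; }
bool     gate_present(gate_desc_t g)     { return ((g.high >> 15) & 1u) != 0; }

/* Privilege check the CPU performs on a far CALL through a call gate:
 *   max(CPL, RPL of the selector used in the CALL) <= gate DPL
 *   DPL of the target code segment <= CPL
 * The first rule decides who may use the gate; the second stops a CALL from
 * landing in a less privileged code segment. A gate with DPL 3 pointing at
 * a DPL 0 code segment is the classic ring-3 -> ring-0 entry point. */
bool call_gate_allowed(gate_desc_t g, unsigned cpl,
                       unsigned call_selector_rpl, unsigned target_code_dpl)
{
    if (!gate_present(g) || gate_type(g) != GATE_TYPE_CALL32)
        return false;
    unsigned effective = cpl > call_selector_rpl ? cpl : call_selector_rpl;
    if (effective > gate_dpl(g))
        return false;                       /* caller not allowed to use this gate */
    if (target_code_dpl > cpl)
        return false;                       /* would transfer to a less privileged ring */
    return true;
}

int main(void)
{
    /* Made-up values: kernel code selector 0x08, entry at 0x00100000,
     * usable from ring 3, two dwords of arguments copied across. */
    gate_desc_t g = make_call_gate(0x08, 0x00100000u, 3, 2);
    printf("descriptor: %08x %08x\n", g.high, g.low);
    printf("ring3 -> ring0 via gate: %s\n",
           call_gate_allowed(g, 3, 3, 0) ? "allowed" : "denied");
    printf("ring0 -> ring3 via gate: %s\n",
           call_gate_allowed(g, 0, 0, 3) ? "allowed" : "denied");
    return 0;
}
```

The parameter count is the one field with a security consequence beyond the DPL checks: on a stack switch the CPU copies exactly that many dwords from the ring-3 stack, so ring-0 code must still treat those values as untrusted input, and anything beyond them has to be fetched and validated explicitly.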
carbonBased

Re: Application commands

Post by carbonBased »

bontanu wrote: The stack is always in cache...
This depends on the platform, but it's pretty widely accepted. I'd imagine this would be L2, though? I could be wrong.
bontanu wrote: This will require that you save the registers --ironically-- on the stack and restore them later on...
Yes, this is, indeed, the kicker. If you can manage to avoid a bunch of register movement/stack pushes, then you might come out on top, but this is unlikely.

Speed aside, every platform has a stack, not every platform has a good number of general purpose registers.

--Jeff
carbonBased

Re: Application commands

Post by carbonBased »

eosp wrote: First: Ctrl-A, Ctrl-V before that happens again :)

Second, on topic. My OS is completely based on message passing, so it's very simple. Just send a message to the kernel with what you want to do, and it will put you into the scheduler.
How do you handle protection with this mechanism?
carbonBased

Re: Application commands

Post by carbonBased »

bontanu wrote: Besides, the fastest way to call an API is to simply CALL it, a NEAR call I mean -> one without any ring switch and no protection in a flat memory model... like I do in SolarOS.

You cannot beat that speed ;) but you lose protection... well, as if that is any loss at all.
That's a huge loss. Are you suggesting that it's a good idea to run apps at the same privilege level as the OS?

Do you also have the OS and apps mapped into the same address space? If so, what's to prevent me from overwriting the entire OS with null characters and/or jumping to some random indeterminate address?
bontanu wrote: The full ring protection switch is simply too slow to be bearable without clear performance loss... that is a fact. You can choose between very secure and very slow, or insecure but much faster. Windows tries to do something in between because, commercially speaking, a slow OS has problems flying...
The irony being that my unix installs are considerably faster than my winX installs, and are also much more secure.

Switching privilege levels is slow, yes, but if you're smart about it, you can keep the security *AND* a decent speed.

--Jeff
Legend

Re: Application commands

Post by Legend »

The biggest thing about calling speed is to make your API reasonable.
Somebody using a SetPixel-like function should be shot immediately (there are enough who think it will match the speed of drawing a whole line with one function call, or copying a bitmap with one function call vs. copying it pixel by pixel), no matter how fast or slow the calling mechanism the person uses is.
bontanu

Re: Application commands

Post by bontanu »

That's a huge loss. Are you suggesting that it's a good idea to run apps at the same privilege level as the OS?
No loss for me ;)

I do know that it brings good business for security professionals. And since I have a job in this line of business now I could care more.

However i do not have to also believe it is true :P

Sitting here in my room alone in front of my PC who am I protecting against? Me against myself... looks like paranoia indeed.

I think the only protection should be in the network connection, and concentrate on making NULL the chances of anything wrong coming in from the TCP/IP stack.

And I do understand that sometimes I might need some degree of protection because we do live in a very non evolved world, but still protecting ALWAYS just because once you might have a problem looks like a waste of resources to me.

It is like having a key-locked front door (that is OK - although it should not be) and then closing with a heavy key all doors behind me at each move in my house: to the kitchen (open/close door with key), to the bathroom (open/close door with key), to the living room (open/close door with key)...

That will make a somewhat secure house... but a very inefficient one... I do know it can work like that but it is a pity...

We do need a level of TRUST and to ask ourselves why we did reach such a situation?

Instead I would provide a safe sandbox for untrusted applications and situations... in THAT situation the performance loss will be an acceptable trade-off. It is like putting a murder suspect behind bars for a short while until the accusations can be confirmed or denied.

Sounds more decent to me than putting everything under a high security alert.

So back on computers... to check always? every memory access? every application? No way man... At least I do trust my own OS and I do trust my own source code. And if i do make mistakes it is all for the best... I will learn and improve myself.

I do not know how people did ever get into this security mania and protection... I guess it must be the students of University crowding mainframe terminals and trying to make fun of the System admin / teachers... well who cares?

Are you suggesting that it's a good idea to run apps at the same privilege level as the OS?
Exactly, and I sure hope I do have the right to my own opinion that does not come from ignorance (since I do know how to use protection) but from my own joy, taste and experience.

Let me say that since now I do work every day in making security and protections; for the sake of my own soul --> I would like to explore the other side of the path also. This way I will understand more and come out even more happy ;)
The irony being that my unix installs are considerably faster than my winX installs, and are also much more secure.
The keyword here is are considered

Maybe on a huge speed machine with big RAM it might look like this but it certainly is not. You cannot have the cake and also eat it. But you can easily lie to yourself about it... well, with a little help from XP that is going on a path that copies UNIX more and more.

Try on a very slow machine because it increases the truth and differences, making them more clear.

On a Pentium 2 with 64 Megabytes of RAM and at a speed of 233MHz (66MHz bus), HP Kayak Workstation.

You will see there how Windows2K or WindowsXP (not to mention Win98 or 95) will beat the hell out of Linux/KDE or GNOME at speed and usability... big time...

I mean unless you want a CLI...1950 DOS style OS ... cough Unix style ...
Switching privilege levels is slow, yes, but if you're smart about it, you can keep the security *AND* a decent speed.
It is clearly impossible. Not unless you have a very high speed CPU that makes things appear "as if" there would be no performance loss... but the loss will be there all right.

You can either:
---------------------
1) have no doors inside the house (or keep them unlocked) and move easily and fast between your own rooms
-OR-
2) locking/unlocking every door behind you and having a secure house but moving around slowly...

Honestly, once the attacker is inside your house the doors will be just a delay, for an intelligent attacker that is :P
Last edited by bontanu on Wed Aug 24, 2005 11:00 pm, edited 1 time in total.
bontanu

Re: Application commands

Post by bontanu »

BTW, Legend is right also:

The algorithmical optimizations are the most important of all.
JoeKayzA

Re: Application commands

Post by JoeKayzA »

@bontanu:

Respecting your opinion, of course. ;)

But running all software at the same privilege level as the OS (or, say, the kernel) assumes that _all_ software that is to be run on the machine is free of bugs, trusted (I know, the magic word...) and absolutely fair in terms of resource consumption. Of course you can improve performance by avoiding message passing, address space switching and ring transitions. It might work fine as long as the user knows exactly the software he/she's running. But what to do when the user _wants_ to run potentially untrusted software (I mean, he/she knows that the program _could_ be evil), like something downloaded from the net, for example? You should at least offer the option of boxing up a piece of software.

cheers Joe
carbonBased

Re: Application commands

Post by carbonBased »

bontanu wrote: Sitting here in my room alone in front of my PC who am I protecting against? Me against myself... looks like paranoia indeed.
If you don't ever intend on running a 3rd party app then so be it. I'd imagine a lot of us have delusions of grandeur that involve running applications from a multitude of vendors in the future.
bontanu wrote: And I do understand that sometimes I might need some degree of protection because we do live in a very non evolved world, but still protecting ALWAYS just because once you might have a problem looks like a waste of resources to me.
That's implying configurable app security. Sounds like a decent concept to me, but if it's up to an end-user to do, they'll destroy their system.

It's pretty easy to write an app that claims to be the best at something, induce some people to run it, and watch it trash your HD, memory, MBR, etc. An OS should never allow that. The OS is there to facilitate the apps that facilitate the user... it shouldn't allow an app to trash what the user does.
bontanu wrote: It is like having a key-locked front door (that is OK - although it should not be) and then closing with a heavy key all doors behind me at each move in my house: to the kitchen (open/close door with key), to the bathroom (open/close door with key), to the living room (open/close door with key)...

That will make a somewhat secure house... but a very inefficient one... I do know it can work like that but it is a pity...
So you suggest leaving the door unlocked and open? I have too many valuables I wouldn't like stolen or damaged.
bontanu wrote: We do need a level of TRUST and to ask ourselves why we did reach such a situation?
Because the world, quite obviously, isn't trustworthy. Viruses and trojan horses are the way of the world. Even something much less drastic, such as a crappily written program... there are billions of lines of crappy source code out there. I'd rather they didn't crash my OS when they ran.
bontanu wrote: Instead I would provide a safe sandbox for untrusted applications and situations... in THAT situation the performance loss will be an acceptable trade-off. It is like putting a murder suspect behind bars for a short while until the accusations can be confirmed or denied.

Sounds more decent to me than putting everything under a high security alert.
An interesting idea, indeed, but... given an end-user, I still see a very likely and plausible situation arising, involving a malicious app.
bontanu wrote: So back on computers... to check always? every memory access? every application? No way man... At least I do trust my own OS and I do trust my own source code. And if i do make mistakes it is all for the best... I will learn and improve myself.
I trust my own code, too... but I'm not the first person to mistakenly run faulty code... would be a pity if it was an HD driver... or a USB interface to your digital camera...

heaven forbid if you intend your OS to work in an embedded environment...
bontanu wrote: I do not know how people did ever get into this security mania and protection... I guess it must be the students of University crowding mainframe terminals and trying to make fun of the System admin / teachers... well who cares?
I'm certainly not the only one... if you're suggesting I'm naive for listening to the evolution of software and hardware, then...
bontanu wrote: Exactly, and I sure hope I do have the right to my own opinion that does not come from ignorance (since I do know how to use protection) but from my own joy, taste and experience.
I never said otherwise, I'm just challenging it.
bontanu wrote:
The irony being that my unix installs are considerably faster than my winX installs, and are also much more secure.
The keyword here is are considered
No, the keywords were are considerably. There's a difference.
bontanu wrote: Maybe on a huge speed machine with big RAM it might look like this but it certainly is not. You cannot have the cake and also eat it. But you can easily lie to yourself about it... well, with a little help from XP that is going on a path that copies UNIX more and more.

Try on a very slow machine because it increases the truth and differences, making them more clear.
How's a 486dx4/100? WinXP won't even run on it... X11 does.
bontanu wrote:
Switching privilege levels is slow, yes, but if you're smart about it, you can keep the security *AND* a decent speed.
It is clearly impossible. Not unless you have a very high speed CPU that makes things appear "as if" there would be no performance loss... but the loss will be there all right.
It truly isn't impossible. Choose your API appropriately, realize when and why you must context switch and, as you agreed: "The algorithmical optimizations are the most important of all."

I'm not saying that context switching is faster than not. Obviously doing nothing over something will be faster. But you have to choose your battles. You optimize your calls to the OS, and the API therein, still maintain solid protection, and outperform other OSs at the same time.
bontanu wrote: Honestly, once the attacker is inside your house the doors will be just a delay, for an intelligent attacker that is :P
So by all means, leave a welcome mat...