
Posted: Mon Feb 25, 2008 10:42 pm
by jerryleecooper
edited out the nonsense. :oops: :oops:

Posted: Tue Feb 26, 2008 6:45 am
by ucosty
Not really, because you only have two levels of memory protection - Supervisor and User.

Posted: Tue Feb 26, 2008 11:41 am
by jerryleecooper
ucosty wrote: Not really, because you only have two levels of memory protection - Supervisor and User.
Yes, and I wanted to write an article on paging :oops:
That would make a better system if there were more than two levels, though.
Now I remember, the |4 I put with the |3.

Posted: Thu Feb 28, 2008 4:20 am
by pcmattman
At the moment I run all tasks in ring0 (which is insanely fast), but very soon I'm going to switch all userspace tasks (ie, the shell, and anything started by execve) to ring3.

It depends on whether you want protection with a minor speed hit or an easily hacked OS.

Posted: Thu Feb 28, 2008 7:09 am
by Dex
pcmattman wrote: At the moment I run all tasks in ring0 (which is insanely fast), but very soon I'm going to switch all userspace tasks (ie, the shell, and anything started by execve) to ring3.

It depends on whether you want protection with a minor speed hit or an easily hacked OS.
I think you're missing the point, if you want a desktop OS for everyday use and you do not want to use a good and free desktop OS like Linux, and you have a spare 600 years or 600 good coders with a year to spare.
Then you should use ring3, or on the other hand maybe you do not want a desktop OS, but an OS you have full control over, that runs a single program as fast as possible.
Then stick with ring0.

Posted: Thu Feb 28, 2008 3:35 pm
by pcmattman
Dex wrote: on the other hand maybe you do not want a desktop OS, but an OS you have full control over, that runs a single program as fast as possible.
Then stick with ring0.
Good point Dex, I didn't think of the possibility of a non-desktop OS.

Posted: Thu Feb 28, 2008 7:56 pm
by Masterkiller
If a process is in level 0, it owns the system just like the OS does. As far as I know, the four levels are:
0: Operating system level
1: Device drivers level
2: Developer environment level
3: User-mode level
So ring/level 1 means that a process can in/out to all ports in the system, but cannot execute privilege level 0 instructions like LGDT and so on.
And what about rings 2 and 3? What can a ring 2 process do more than a ring 3 process?
Sorry, but for me it seems the only topic where it is logical to ask such a question without posting a new topic :wink: :oops:

Posted: Thu Feb 28, 2008 8:26 pm
by jerryleecooper
Probably ring2 can issue interrupts that are dpl 0? :?
Or is it that the dpl of an interrupt can be between 0-3? I don't remember.
It must be about the debugger? Also there's the playing with the data segment, code segment, they are always present. So you can give a different segment for ring2 but now my thinking isn't clear.
http://en.wikipedia.org/wiki/Ring_(computer_security)
ring 0 -3? there's also ring -1, the hypervisor :D

Posted: Fri Feb 29, 2008 5:36 am
by Combuster
Masterkiller wrote: If a process is in level 0, it owns the system just like the OS does. As far as I know, the four levels are:
0: Operating system level
1: Device drivers level
2: Developer environment level
3: User-mode level
So ring/level 1 means that a process can in/out to all ports in the system, but cannot execute privilege level 0 instructions like LGDT and so on.
And what about rings 2 and 3? What can a ring 2 process do more than a ring 3 process?
Sorry, but for me it seems the only topic where it is logical to ask such a question without posting a new topic :wink: :oops:
The four rings only make sense in a segmented memory model. If you use a flat memory model with paging, you can't isolate more than two rings since each page table entry only has one bit for this: the U/S (user-supervisor). Should you be in ring 2, you could freely modify memory that belongs to ring 1.

There are the IOPL bits in EFLAGS that tell the processor what rings can execute I/O instructions. Normally one would set it to ring-0 only, but you can even allow ring 3 to freely access I/O ports.
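The two checks described in the post above, modelled in C as an added example that is not part of the original thread. The function names are hypothetical, and only the P and U/S bits and the EFLAGS IOPL field are modelled (R/W, the TSS I/O bitmap and newer features are left out).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PG_PRESENT        0x001u               /* bit 0: P */
#define PG_USER           0x004u               /* bit 2: U/S, 1 = user, 0 = supervisor */
#define EFLAGS_IOPL_SHIFT 12                   /* IOPL is EFLAGS bits 12-13 */
#define EFLAGS_IOPL_MASK  (3u << EFLAGS_IOPL_SHIFT)

/* Paging knows two classes only: CPL 3 is "user", CPL 0-2 are all "supervisor". */
static bool is_user_mode(unsigned cpl) { return cpl == 3; }

/* Can code running at `cpl` touch a page mapped by this PDE/PTE pair? */
bool page_accessible(unsigned cpl, uint32_t pde, uint32_t pte)
{
    if (!(pde & PG_PRESENT) || !(pte & PG_PRESENT))
        return false;                          /* not mapped: page fault */
    if (!is_user_mode(cpl))
        return true;                           /* rings 0, 1 and 2 are treated alike */
    return (pde & PG_USER) && (pte & PG_USER); /* ring 3 needs U/S=1 at both levels */
}

/* Does IOPL alone let `cpl` execute IN/OUT? (If not, the CPU goes on to
 * consult the TSS I/O permission bitmap, which is not modelled here.) */
bool io_allowed_by_iopl(unsigned cpl, uint32_t eflags)
{
    unsigned iopl = (eflags & EFLAGS_IOPL_MASK) >> EFLAGS_IOPL_SHIFT;
    return cpl <= iopl;
}

int main(void)
{
    /* Constructed entries: a page meant for "ring 1" can only be marked supervisor. */
    uint32_t pde = PG_PRESENT | PG_USER, ring1_page = PG_PRESENT;
    uint32_t eflags_iopl0 = 0, eflags_iopl3 = 3u << EFLAGS_IOPL_SHIFT;

    for (unsigned cpl = 0; cpl <= 3; cpl++)
        printf("CPL %u: ring1 page %s, I/O with IOPL=0 %s, I/O with IOPL=3 %s\n", cpl,
               page_accessible(cpl, pde, ring1_page) ? "accessible" : "faults",
               io_allowed_by_iopl(cpl, eflags_iopl0) ? "ok" : "denied",
               io_allowed_by_iopl(cpl, eflags_iopl3) ? "ok" : "denied");
    return 0;
}
```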

Posted: Sun Mar 02, 2008 9:18 am
by tjhastings
Nobody has mentioned this yet:

To run processes in ring0 and have some level of protection one can scan the executable for protected instructions (in, out, lgdt, etc.) before it is executed. The scanning would have to be pretty sophisticated because there are a number of tricks to fool simple scanners, but it is possible.

- TJ

Posted: Sun Mar 02, 2008 9:38 am
by Dex
tjhastings wrote: Nobody has mentioned this yet:

To run processes in ring0 and have some level of protection one can scan the executable for protected instructions (in, out, lgdt, etc.) before it is executed. The scanning would have to be pretty sophisticated because there are a number of tricks to fool simple scanners, but it is possible.

- TJ
This would be much slower than just using ring3 etc, also you would still be able to overwrite any memory address.

Posted: Sun Mar 02, 2008 10:00 am
by tjhastings
Dex wrote: This would be much slower than just using ring3 etc, also you would still be able to overwrite any memory address.
Yes, scanning does take time but only when an application is loaded. Small applications that are run frequently can be cached in memory and thus do not have to be scanned every time they are executed. Applications that run for a long time (such as database/web/mail servers) will not notice any slowdown except for the initial scan.

Processes can run in ring0 and still have separate address spaces using paging or segmentation. Because no process is allowed to run if it contains instructions which modify the page directories/tables or GDT/LDT then it cannot break out of its own address space and thus cannot harm anything else in the system.

- TJ

Posted: Sun Mar 02, 2008 10:11 am
by Korona
Ring0 processes would be able to crash the kernel even if they are separated by paging. Scanning executables for unsafe instructions is often not possible. Imagine a function that takes a pointer as an argument and does some kind of operation to the memory pointed to by the pointer. It is often impossible for a scanner to analyze which pointer is passed to that function. Self-modifying code would also be difficult to analyze. One way to handle this would be using a virtual machine that "emulates" or just-in-time compiles the application.
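To make the load-time scanning debated in the posts above concrete, here is an added example (not code from the thread) comparing a byte-pattern scan with a boundary-aware scan over constructed byte strings. The decoder covers a toy subset of 32-bit x86 chosen for this example and rejects anything it cannot size; it follows straight-line code only, so the pointer and self-modifying-code problems raised above are outside what it can check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IN/OUT opcodes: E4-E7 (imm8 port) and EC-EF (port in DX). */
static int is_io(uint8_t b) { return (b >= 0xE4 && b <= 0xE7) || (b >= 0xEC && b <= 0xEF); }
/* LGDT is 0F 01 /2: the ModRM reg field (bits 5..3) must be 2. */
static int is_lgdt(const uint8_t *p, size_t left)
{
    return left >= 3 && p[0] == 0x0F && p[1] == 0x01 && ((p[2] >> 3) & 7) == 2;
}

/* Naive scanner: flags every matching byte pattern, ignoring instruction boundaries. */
int naive_scan(const uint8_t *c, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if (is_io(c[i]) || is_lgdt(c + i, n - i)) hits++;
    return hits;
}

/* Boundary-aware scanner. Returns the number of protected instructions found,
 * or -1 for an opcode outside the toy subset (a loader would have to reject). */
int decode_scan(const uint8_t *c, size_t n)
{
    int hits = 0;
    for (size_t i = 0, len; i < n; i += len) {
        uint8_t op = c[i];
        if (op == 0x90 || op == 0xC3)        len = 1;              /* nop, ret */
        else if (op >= 0xB8 && op <= 0xBF)   len = 5;              /* mov r32, imm32 */
        else if (op >= 0xEC && op <= 0xEF) { len = 1; hits++; }    /* in/out via DX */
        else if (op >= 0xE4 && op <= 0xE7) { len = 2; hits++; }    /* in/out imm8 */
        else if (is_lgdt(c + i, n - i) && (c[i + 2] & 0xC7) == 0x05)
                                           { len = 7; hits++; }    /* lgdt [disp32] */
        else return -1;
        if (len > n - i) return -1;                                /* truncated */
    }
    return hits;
}

/* Constructed samples, not taken from any real binary. */
const uint8_t harmless[] = { 0xB8, 0xEE, 0x00, 0x00, 0x00, 0x90, 0xC3 };       /* mov eax,0xEE; nop; ret */
const uint8_t port_io[]  = { 0xB8, 0x01, 0x00, 0x00, 0x00, 0xEE, 0xC3 };       /* mov eax,1; out dx,al; ret */
const uint8_t load_gdt[] = { 0x0F, 0x01, 0x15, 0x00, 0x10, 0x00, 0x00, 0xC3 }; /* lgdt [0x1000]; ret */

int main(void)
{
    printf("harmless: naive=%d decoded=%d\n", naive_scan(harmless, sizeof harmless), decode_scan(harmless, sizeof harmless));
    printf("port_io:  naive=%d decoded=%d\n", naive_scan(port_io, sizeof port_io), decode_scan(port_io, sizeof port_io));
    printf("load_gdt: naive=%d decoded=%d\n", naive_scan(load_gdt, sizeof load_gdt), decode_scan(load_gdt, sizeof load_gdt));
    return 0;
}
```

The `harmless` sample is flagged by the byte scan only because the immediate operand happens to contain an OUT opcode byte; the boundary-aware pass clears it.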

Posted: Sun Mar 02, 2008 11:12 am
by Combuster
Have you all read about "Singularity"? That's one real OS that can run entirely in ring 0.

Posted: Mon Mar 03, 2008 12:14 am
by bewing
Combuster wrote: The four rings only make sense in a segmented memory model. If you use a flat memory model with paging, you can't isolate more than two rings ...
Well, you can perhaps do a little better than that, if you only use segmentation on Ring1, in physical memory, say -- for drivers.