On Mon, Sep 16, 2002 at 11:01:06PM -0400, Perry E. Metzger wrote:
[...] in a correctly operating OS, MMUs+file permissions do more or less stop processes from seeing each others data if the OS functions correctly.
The OS can stop user processes inspecting each others address space. Therefor a remote exploit in one piece of application software should not result in a compromise of another piece of software. (So an IE bug should not allow the banking application to be broken.) (Note also that in practice with must current OSes converting gaining root once given access to local processes is not that well guaranteed). However the OS itself is a complex piece of software, and frequently remote exploits are found in it and/or the device drivers it runs. OS exploits can freely ignore the protection between user applications, reading your banking keys. Even if a relatively secure OS is run (like some of the BSD variants), the protection is not _that_ secure. Vulnerabilities are found periodically (albeit mostly by the OS developers rather than externally -- as far as we know). Plus also the user may be tricked into running trojaned device drivers. So one approach to improve this situation (protect the user from the risks of trojaned device drivers and too large and complex to realistically assure security of OSes) one could run the OS itself in ring0 and a key store and TOR in ring-1 (the palladium approach). Some seem to be arguing that you don't need a ring-1. But if you read the paper Peter provided a reference for, they conclude that the pentium architecture is not (efficiently) securely virtualizable. The problem area is the existance of sensitive but unprivileged instructions. The fact that VMWare works just means they used some tricks to make it practically virtualize some common OSes, not that it is no longer possible to write malicious software to run as user or privileged level inside the guest OS and have it escape the virtualization. (It is potentially inefficently securely virtualizable using complete software emulation, but this is highly inefficient). (Anonymous can continue on cypherpunks if Perry chooses to censor his further comments.) Adam -- http://www.cypherspace.net/