"It will have full access to all kernel objects in the system including all user pages, CNodes, and endpoints (it won't actually map user pages except if a process opens the associated file for read/write I/O as opposed to mapping the file), and it will control access to all user-visible resources in the system by managing process file permission lists."

Ok, I still don't have the required skills (know-how of the seL4 internals) to say if this is the right/secure way to do this job, but just in case it is (others should shed some light on this), as an attacker I would put all my effort into finding vulnerabilities in this piece of code, since as per your description it looks to me like a "sexy" entry point to the system.

On Sat, Jul 31, 2021, 12:54, Andrew Warkentin <andreww591@gmail.com> wrote:
On 7/31/21, Hugo V.C. <skydivebcn@gmail.com> wrote:
"Therefore the process server will be almost as important as the kernel when it comes to security"
I'm not a developer, so please excuse my ignorance in some topics (like OS dev), but I have experience in exploiting OS stuff and I always prefer a ring 0 vuln over a ring 3 vuln... If the process server is implemented in user space (ring 3), then I don't get how we can compare security in such different CPU execution modes. Am I missing something?
(sorry, mistakenly sent this privately instead of to the list before)
Even though the process server will run in user mode as far as the hardware and microkernel are concerned, functionally it will be akin to something above user processes but below the kernel. It will have full access to all kernel objects in the system including all user pages, CNodes, and endpoints (it won't actually map user pages except if a process opens the associated file for read/write I/O as opposed to mapping the file), and it will control access to all user-visible resources in the system by managing process file permission lists. This is very similar in scope to QNX's process server except that it won't be colocated in the kernel.
Therefore, vulnerabilities in the process server will be almost equivalent to kernel vulnerabilities, so it will be written in Rust for better memory safety and will be kept as minimal as is reasonably possible.

_______________________________________________
Devel mailing list -- devel@sel4.systems
To unsubscribe send an email to devel-leave@sel4.systems