A Wavefunction in Wonderland

This April gone, a discussion appeared on the NTDEV list at OSR online. Before you ask what I was doing there, I was studying the intended applications of the security rings in x86 processors. While I had studied the security design of the official successor to CTSS, Honeywell's "MULTICS" operating system, I do not know much about the gates in the x86. But this is unimportant, because what I really want to talk about is the bumbling incompetence of some people on the NTDEV list. [Yes, I should have known this already.]

For the uninitiated, modern x86 CPUs offer four "rings", that effectively control communication between processes and limit damage that can be done by untrusted code. Modern operating systems such as the BSDs, Linux, OSX, and for sufficiently small values of "operating", Windows, only use two of the rings. The reasons are complicated, but they are not a design choice, rather, each of these operating systems are based on code that existed before the Pentium existed. Some modern operating systems have been designed to use more rings [especially microkernel operating systems], but they required too much investment to get working well- writing a modern OS from scratch is not a trivial task.

The NTDEV discussion begins with an argument that fewer rings simplifies driver development. As I am not a driver developer, I cannot really comment on that. However, I'm quite certain the methodologies followed in driver development are mandated by the kernel. Whatever ring the driver runs in, communication between the running processes and a driver should be required to pass through a ring gateway.

The way of making sure this happens in windows is by having drivers in what is called kernel space. Kernel space is a truly trusted part of the computer, and drivers are often in here because they need direct access to hardware. But, if a driver fails or has an exploitable security vulnerability, it affects the whole computer. Not just one user, not just one program, not just where there is a vulnerability in the kernel- an attacker can take complete control of the computer if they can get code to work here.

The setting up of separate rings provides a powerful code separation tool. It allows a software engineer to restrict direct access to a nameserver or device, it allows login managers to be cleanly separated from the rest of the code, it ensures that the correct route is taken to getting something done rather than a dirty hack that brings security vulnerabilities into play. It allows the hardware to do some security evaluation, much like the memory management unit provides separation of address spaces for different processes.

Which makes me ponder the stupidity which would lead someone like Stephen Prochniak to quip: "added rings add complexity and thus inefficiency. Two rings is simple - priviledged (sic) and not." Does anyone really believe that their scanner driver should have access to their hard drive? Privilege should be rationed out on a per-request basis, which is not truly possible given the pace of hardware development, but the multi-ring methodology along with a reasonable nameserver or capability setup brings us most of the way there.

I think I now know why Windows is what it is...