Path: utzoo!attcan!uunet!husc6!bloom-beacon!tut.cis.ohio-state.edu!osu-cis!att!alberta!access!edm!rroot
From: rroot@edm.UUCP (uucp)
Newsgroups: comp.arch
Subject: Re: Is the Intel memory model safe from NO-ONE ?!?
Message-ID: <3117@edm.UUCP>
Date: 16 May 88 08:01:08 GMT
References: <3039@bsu-cs.UUCP>
Organization: Unexsys Systems, Edmonton,AB.
Lines: 54

From article <3039@bsu-cs.UUCP>, by neubauer@bsu-cs.UUCP (Paul Neubauer):
> In article <8722@ames.arc.nasa.gov> Hugh LaMaster writes:
>>In article <1988May12.162207.16764@utzoo.uucp> Henry Spencer writes:
>>>Probably because practically every machine in existence routes *all*
>>>traps and interrupts to the kernel, which can pass them on to the user
>>>if it pleases. I know of no machine, offhand, whose hardware has any
>>>notion of a "user handler".
> A third machine (family) (not very exotic, in fact, downright mundane) that
> permits user-mode, user-written traps is the IBM 370 series. The Program
> Status (double) Word is a 64-bit double-word that contains the address of
> the next instruction, a condition code, and some other information on the
> status of the process. There are also 5 8-byte locations in low (virtual)
> memory where a programmer can put predefined PSW's for 5 classes of
> interrupts, so that when an interrupt makes that PSW current, the process
> will be placed into the appropriate error-handler for that interrupt class.
> out-of-limits addresses, or vice-versa. This can all be done in user-mode
> with no special privileges.
>

I beg to differ: (sort of)
The 370 DOES definitely allow an interrupt to go directly into user state,
but I doubt that the user is ACTUALLY allowed to modify the interrupt PSWs
directly for one good reason:

1) Security: Since the PSW includes the supervisor state bit, being able
   to change the interrupt PSW means that you could gain full system
   control in the following manner:

            MVC   INT_PSW,MEAN_PSW
            L     R0,=F'0'
            DIV   R0,R0
   MEAN_PSW PSW   SUPERVISOR,ZERO_KEY,=A(TROJAN_HORSE)

   When you do the divide by zero, the OS jumps to your trojan horse in
   supervisor state.

What is more likely is that the OS catches your attempt to change the new
PSW, checks to make sure that all is OK, and then either changes the new
PSW commensurate with your wishes or leaves a pointer for a TRUSTED
interrupt program that then sets things up and jumps to your new nominee.

On the '370, MMU protection is limited to a 2K granularity (some newer
systems have special provisions for the lowest 256 bytes which are REAL
sensitive), so you can't make just SOME of the real vectors writable by
random users. It's either all or nothing -- (but you can make it LOOK like
a user has access via virtual memory techniques).
-- 
-------------
Stephen Samuel
  {ihnp4,ubc-vision,vax135}!alberta!edm!steve
  or userzxcv@uqv-mts.bitnet
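
The check the post describes (the OS vetting a requested new PSW instead of letting the user write the real one), sketched in C as an added example; it is not from the original post or from any IBM operating system. The `struct task` record, the function names and the address range are assumptions; the layout used is the S/370 PSW with the protection key in bits 8-11 and the problem-state bit at bit 15.

```c
#include <stdint.h>

/* S/370 PSW as a 64-bit value; IBM numbering, bit 0 is the most significant. */
#define PSW_BIT(n)    (1ULL << (63 - (n)))
#define PSW_KEY_SHIFT 52                      /* protection key, bits 8-11 */
#define PSW_KEY(p)    ((unsigned)(((p) >> PSW_KEY_SHIFT) & 0xF))
#define PSW_PROBLEM   PSW_BIT(15)             /* 1 = problem (user) state, 0 = supervisor */
#define PSW_PRIV      0xFFFF000000000000ULL   /* bits 0-15: system mask, key, EMWP */
#define PSW_ADDR(p)   ((uint32_t)((p) & 0x00FFFFFFULL)) /* 24-bit instruction address */

typedef enum { PSW_OK, PSW_WANTS_SUPERVISOR, PSW_WRONG_KEY, PSW_BAD_ADDRESS } psw_verdict;

/* Hypothetical per-task record kept by the supervisor (names are assumptions). */
struct task {
    uint64_t psw;          /* the task's own, trusted PSW */
    uint32_t lo, hi;       /* task's address range: lo <= addr < hi */
    uint64_t user_handler; /* vetted PSW that the trusted first-level handler loads */
};

/* Vet a new PSW that a problem-state program asks to use for program interrupts.
 * The real new-PSW slot in low storage is never written by the user; only a
 * vetted copy is recorded for the trusted handler to load. */
psw_verdict set_user_program_psw(struct task *t, uint64_t requested)
{
    if (!(requested & PSW_PROBLEM))
        return PSW_WANTS_SUPERVISOR;          /* the MEAN_PSW case from the post */
    if (PSW_KEY(requested) != PSW_KEY(t->psw))
        return PSW_WRONG_KEY;                 /* e.g. key 0, which matches all storage */
    if (PSW_ADDR(requested) < t->lo || PSW_ADDR(requested) >= t->hi)
        return PSW_BAD_ADDRESS;
    /* The privileged half always comes from the task's PSW, never from the request. */
    t->user_handler = (t->psw & PSW_PRIV) | (requested & ~PSW_PRIV);
    return PSW_OK;
}

/* Build a PSW from the three fields the post's example sets (constructed inputs). */
uint64_t make_psw(int problem, unsigned key, uint32_t addr)
{
    return (problem ? PSW_PROBLEM : 0) | ((uint64_t)(key & 0xF) << PSW_KEY_SHIFT)
         | (addr & 0x00FFFFFFULL);
}
```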