Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!csd4.milw.wisc.edu!lll-winken!uunet!mcvax!ukc!dcl-cs!aber-cs!pcg
From: pcg@aber-cs.UUCP (Piercarlo Grandi)
Newsgroups: comp.arch
Subject: Re: Virtualizable RISC Instruction Sets
Summary: Virtualization may/may not help security
Message-ID: <908@aber-cs.UUCP>
Date: 6 May 89 19:33:46 GMT
Reply-To: pcg@cs.aber.ac.uk (Piercarlo Grandi)
Distribution: eunet,world
Organization: Dept of CS, UCW Aberystwyth (Disclaimer: my statements are purely personal)
Lines: 61

In article <24898@ames.arc.nasa.gov> lamaster@ames.arc.nasa.gov (Hugh LaMaster) writes:

> In article <30036@apple.Apple.COM> baum@apple.UUCP (Allen Baum) writes:
>
> >You've aroused my curiosity. What can you do efficiently if your architecture
> >is virtualizable? I'm posting this instead of replying, because other people
> >are probably interested as well.
>
> I have been told by an "expert" (i.e. I don't know enough about it to say
> anything that isn't in some way misleading, so I will avoid details) that
> virtual machines are the cheapest, most effective way known, to produce an
> operating system which is secure, with capabilities at the process level of
> granularity.

Well, this is not entirely true. When you virtualize, you create a totally
security-kernel-controlled "contained" environment. But you can do that with a
pseudo machine virtualization, which is usually much easier.

Your expert surely has in mind the secure VM/370. Well, they had problems with
that, because most of the security problems of VM/370 lie precisely in the
virtualization of the grottiest details of virtualizing an exact rendition of
the real machine (i.e. channel programs for the 370).

[ .... ]

> Well, I am told that you need virtual machines in order to build secure
> capabilities based systems, preferably with some sort of reasonably cheap
> shared memory facility (to do reasonably inexpensive message passing).

First, a note on shared memory: hard to deal with it from a security kernel
point of view.

Again, it is true in part; you need to provide a virtual machine, but this need
not be (and let me add, had better not be) an exact virtualization of the real
machine, especially as, as you correctly observe,

> Anyway, to determine if an architecture is virtualizable, you need a complete
> architectural definition handy. (It seems to be non-trivial to define an
> architecture clearly.

[ ... ]

> Aside: You don't often find documents like the famous "Principles of
> Operation". I will avoid making specific comments, but some microprocessor
> manufacturers seem to think that an assembler manual is an architectural
> definition.

[ ... ]

As a final note: I have designed (a long time ago) and am implementing (finally,
and slowly) a security kernel that does create software virtual machines
(without shared memory). It is capability based, of course; there have been
other efforts, usually under the "object oriented OS" label, starting from
CAL-TSS. Recent ones are Ra, Clouds, Elmwood/Psyche, Accent/Mach, KeyKos, ...
They all run on conventional architectures.

But note, the only A1 system around is Honeywell's SCOMP, that extends in
hardware (via a special MMU) a conventional architecture, to support fine
granularity of protection (which is not practical using software alone). Maybe
this is the better compromise -- use a stock CPU, add an ad-hoc capability MMU
(if you can afford to do it).
-- 
Piercarlo "Peter" Grandi           | ARPA: pcg%cs.aber.ac.uk@nsfnet-relay.ac.uk
Dept of CS, UCW Aberystwyth        | UUCP: ...!mcvax!ukc!aber-cs!pcg
Penglais, Aberystwyth SY23 3BZ, UK | INET: pcg@cs.aber.ac.uk