[Info-vax] How dangerous is it to be able to get into DCL supervisor mode ?
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Wed Jul 5 20:56:22 EDT 2017
On 2017-07-03 22:36:08 +0000, Simon Clubley said:
> There's still the bit about being able to set the privilege bits in
> supervisor mode however.
>
> However, if supervisor mode lets you do that, then that would seem to
> defeat the whole point of actually _having_ a supervisor mode. :-)
Supervisor mode is a way to use the VAX hardware memory management
model to perform image rundowns, and a way to limit access to the
interpreter code and data structures. This approach was particularly
useful on older hardware, as the overhead of VAX/VMS process creation
was a common cause for application and/or system performance problems
for many folks on that older and more resource-constrained hardware.
Unix uses a separate process for similar isolation, and runs down
entire processes rather than running down the user mode memory within
the same process. This avoids having a dependency on a processor mode
in the hardware, and also prevents the command interpreter from being
able to directly rummage and potentially corrupt kernel code or data.
This had the interpreter been implemented in the same process context
and executing in kernel mode.
Two different approaches toward the same sorts of housekeeping tasks.
Having a direct change-mode gate between supervisor and exec mode —
akin to the implicit CMKRNL available in exec mode — wouldn't
appreciably change the security of OpenVMS command interpreters, either.
This all touches on kernel designs and assumptions, and how difficult
changing those assumptions can sometimes be. For some completely
different approaches to these same tasks:
https://sel4.systems
http://www.sture.ch/vms/Usenix_VMS-on-Mach.pdf
etc.
--
Pure Personal Opinion | HoffmanLabs LLC