Valdis.Kletnieksat_private wrote: > On Wed, 30 May 2001 00:14:41 -0300, Bruj0 said: > > No no, you didnt got it, its a linux kernel in all ways from boot > > to halt, running in top of other. So you can test boot stuff without a > > serial link :) and not to mention rebooting everytime it oopses. > > Off topic, but... ;) This same exact logic was wny IBM programmers > developed CP/67, which eventually evolved into the VM operating system.... Actually, that is very much on-topic. Virtual machines are a classic method of security containment. As Valdis says, IBM's VM system is the classic progenitor of self-virtualizing machines. With a virtualized machine, you cna run multiple instances of the OS as processes, creating a very effective security confinement mechanism for un-trusted services. The big catch is the cost. Some CPU architectures (the 360 mainframe of old, and the contemporary Alpha) can self-virtualize, i.e. all CPU features work in such a way that a program running in non-privileged mode cannot tell that it is in non-privileged mode. Some other processors (the x86, and the Itanium) are not self-virtualizing: one has to employ expensive software tricks to create a virtual environment. VMWare is such a software trick: they trap privileged instructions, and emulate them in software. This is why user-mode apps run at speed in VMWare environments, but system code slows down. VMWare exists because the x86 instruction set architecture does not allow for virtual processors. This is forgivable: who knew in 1980 that people would want to run virtually emulated operating systems on this little chip 25 years after it was designed? What is tragic is that the Itanium does not support self-virtualization. It is unclear whether this was negligance (Intel just didn't care enough) or if it was capricious (Intel doesn't *want* you to be able to run virtual processors; buy more chips) but according to a heresay report from a friend, it was at least a conscious decision. So at least VMWare has job security for the future :-) In LSM land: I can imagine someone wanting to make a LSM module that does essentially what VMWare does. Anyone from VMWare, Plex86, or User Mode Linux on this list care to comment? Thanks, Crispin -- Crispin Cowan, Ph.D. Chief Scientist, WireX Communications, Inc. http://wirex.com Security Hardened Linux Distribution: http://immunix.org Available for purchase: http://wirex.com//Products/Immunix/purchase.html _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Wed May 30 2001 - 13:47:41 PDT