operating system - Can applications running in ring0 be secure without formal verification?


How can I ensure security without formal verification of the program running in ring0? Can a VM be used without the userspace/kernel-space separation?

The question is a bit misleading, but I'll do my best to answer.

Running any untrusted code in a privileged mode cannot be made "safe" in the sense that most people understand it. As you guess correctly, however, it is possible to use something like a virtual machine to mediate any action an untrusted process can take in that environment. This is the principle on which the modern "hypervisor" operates: access to hardware (or memory) is mediated by a "monitor", implemented in software or in hardware.

That said, if you are taking that approach, formal verification of the virtual machine is likely to be highly desirable. Otherwise a malicious program may find a way to escape from the virtual machine, or the virtual machine may behave in an unwanted way.

A more modern approach to this problem is one in which a piece of untrusted code comes with a machine-checked proof that it behaves according to some security policy. All the host operating system has to do at that point is check the proof against the code (a comparatively cheap computation), and then run that code without virtualization or runtime checking.
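As an added illustration of the two approaches this answer contrasts (not code from the original post): a toy straight-line instruction set with a policy that memory accesses stay inside a guest region and no privileged instruction is executed. `monitor_run` checks each instruction as it executes, like a hypervisor mediating access; `verify` checks the whole program once, and `verified_run` then executes it with no per-instruction checks, standing in for checking a proof against the code before running it. The instruction names, the policy, the memory layout and the sample programs are all constructed for this example, and the model is straight-line only; real code with jumps would need the checker to reason about control flow, which is where a real proof or verifier becomes much harder than this.

```python
# Added example (not from the original answer): a toy model of a runtime
# monitor versus a check-before-run verifier. Everything here (instruction
# set, policy, sample programs) is constructed for illustration.
from typing import List, Tuple

PHYS_SIZE = 16      # words of "physical" memory in the model
GUEST_SIZE = 8      # policy: the untrusted program may only touch words 0..7
Instr = Tuple[str, int]

# Instructions:  LOAD a (acc = mem[a]) | STORE a (mem[a] = acc)
#                ADDI k (acc += k)      | PRIV 0  (privileged op, forbidden)


class PolicyViolation(Exception):
    """Raised when a program would do something the policy forbids."""


def _policy_check(pc: int, op: str, arg: int) -> str:
    """Return a description of the violation at pc, or '' if allowed."""
    if op in ("LOAD", "STORE") and not 0 <= arg < GUEST_SIZE:
        return f"pc={pc}: access to word {arg} outside the guest region"
    if op == "PRIV":
        return f"pc={pc}: privileged instruction"
    if op not in ("LOAD", "STORE", "ADDI", "PRIV"):
        return f"pc={pc}: unknown opcode {op!r}"
    return ""


def _execute(op: str, arg: int, acc: int, mem: List[int]) -> int:
    """Bare semantics with no checks at all: the 'running in ring 0' part."""
    if op == "LOAD":
        return mem[arg]
    if op == "STORE":
        mem[arg] = acc
        return acc
    if op == "ADDI":
        return acc + arg
    if op == "PRIV":
        # Model of a privileged op damaging host state outside the guest region.
        mem[GUEST_SIZE:] = [-1] * (PHYS_SIZE - GUEST_SIZE)
        return acc
    raise ValueError(f"unknown opcode {op!r}")


def unchecked_run(program: List[Instr]) -> Tuple[int, List[int]]:
    """No verification, no monitor: whatever the program does, happens."""
    mem = [0] * PHYS_SIZE
    acc = 0
    for op, arg in program:
        acc = _execute(op, arg, acc, mem)
    return acc, mem


def monitor_run(program: List[Instr]) -> Tuple[int, List[int]]:
    """Hypervisor style: each instruction is checked as it executes."""
    mem = [0] * PHYS_SIZE
    acc = 0
    for pc, (op, arg) in enumerate(program):
        problem = _policy_check(pc, op, arg)
        if problem:
            raise PolicyViolation(problem)
        acc = _execute(op, arg, acc, mem)
    return acc, mem


def verify(program: List[Instr]) -> List[str]:
    """Static check of the whole program before any of it runs. One pass
    suffices for straight-line code; stands in for checking a supplied proof."""
    problems = []
    for pc, (op, arg) in enumerate(program):
        problem = _policy_check(pc, op, arg)
        if problem:
            problems.append(problem)
    return problems


def verified_run(program: List[Instr]) -> Tuple[int, List[int]]:
    """Check once up front, then run with no per-instruction checks."""
    problems = verify(program)
    if problems:
        raise PolicyViolation("; ".join(problems))
    return unchecked_run(program)


# Constructed sample programs.
GOOD = [("ADDI", 5), ("STORE", 2), ("ADDI", 1), ("STORE", 3), ("LOAD", 2)]
ESCAPE = [("ADDI", 7), ("STORE", 12)]   # writes into host memory if unchecked
PRIV = [("PRIV", 0)]


def _blocked(prog: List[Instr]) -> bool:
    try:
        monitor_run(prog)
        return False
    except PolicyViolation:
        return True


def demo() -> dict:
    """Run each sample under each regime and report what happened."""
    results = {}
    for name, prog in (("GOOD", GOOD), ("ESCAPE", ESCAPE), ("PRIV", PRIV)):
        _, mem = unchecked_run(prog)
        results[name] = {
            "unchecked_host_touched": any(w != 0 for w in mem[GUEST_SIZE:]),
            "monitor_blocks": _blocked(prog),
            "verify_problems": verify(prog),
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r)
```

Note that `monitor_run` and `verify` apply the same policy; the difference is only when the check happens. The monitor pays for a check on every instruction and must itself be correct while the guest is running, whereas the verifier pays once and the execution path afterwards has no checks in it at all, which is exactly why its correctness (or the proof it checks) is what the security of the whole arrangement rests on.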

