Vulnerability Development mailing list archives

Re: vulndev-1 and a suggestion about the ensuing discussion


From: Valdis.Kletnieks () vt edu
Date: Fri, 16 May 2003 19:22:49 -0400

On Fri, 16 May 2003 16:46:57 -0000, xenophi1e <oliver.lavery () sympatico ca>  said:

> That's interesting. I'm passingly familiar with the VMs used by AS/400,
> but I wasn't aware that out of bound accesses would immediately trap. I
> wonder how they do this...
>
> I was under the impression that VMs used in this way were really just a
> sort of defense in depth. They don't prevent an individual process from
> being compromised but prevent that compromise from expanding beyond the
> boundaries of the VM. Do they really trap overruns from one valid chunk
> of memory into an adjacent one?

It's a tagged architecture, with descriptors.  When you reference memory,
you aren't referencing a memory address - you're using a reference to a
descriptor that contains length/type/etc info (so it knows if it's stack,
heap, executable, and so on).

It's hardly a new idea - the original Multics penetration analysis paper (see
http://csrc.nist.gov/publications/history/karg74.pdf) discusses on page 11
the hardware of the Honeywell 645, which was a mid-1960s machine.

Unfortunately, we haven't learned much in the meantime:

http://www.acsac.org/2002/papers/classic-multics.pdf

(Incidentally, I consider *BOTH* of these papers required reading for
anybody who's subscribed to 'vuln-dev').
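To make the descriptor mechanism described above concrete, here is an added illustration that is not part of the original thread and does not model the actual AS/400 or Honeywell 645 hardware. It is a hypothetical C simulation in which a program never holds a raw address, only a (descriptor, offset) pair; the descriptor carries the chunk's length and type tag, so a write that runs off the end of one valid chunk into an adjacent one traps instead of silently landing in the neighbour, and a write into a code-tagged segment traps on type. All names (`descriptor_t`, `ref_t`, `desc_write`, `desc_copy`) are assumptions for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical descriptor-based memory model (added illustration, not AS/400
   or Multics internals). A program only ever sees descriptors and offsets. */
enum seg_type { SEG_STACK, SEG_HEAP, SEG_CODE };

typedef struct {
    uint8_t *base;        /* where the chunk lives in the flat backing store */
    size_t   length;      /* bytes the descriptor is allowed to cover */
    enum seg_type type;   /* tag: stack, heap, executable ... */
    int      writable;
} descriptor_t;

/* The only handle a program gets: descriptor plus offset, never a raw address. */
typedef struct {
    const descriptor_t *desc;
    size_t offset;
} ref_t;

enum access_result { ACCESS_OK = 0, TRAP_BOUNDS, TRAP_TYPE, TRAP_PERM };

/* Flat backing store holding two adjacent 16-byte heap chunks and a code chunk. */
static uint8_t backing[64];
static descriptor_t buf_a = { backing + 0,  16, SEG_HEAP, 1 };
static descriptor_t buf_b = { backing + 16, 16, SEG_HEAP, 1 };
static descriptor_t code  = { backing + 32, 16, SEG_CODE, 0 };

/* Every store goes through the descriptor: offset >= length traps even though
   the adjacent backing bytes are perfectly valid memory belonging to buf_b. */
enum access_result desc_write(ref_t r, uint8_t value) {
    if (r.desc->type == SEG_CODE) return TRAP_TYPE;    /* data store into code */
    if (!r.desc->writable)        return TRAP_PERM;
    if (r.offset >= r.desc->length) return TRAP_BOUNDS; /* the overrun check */
    r.desc->base[r.offset] = value;
    return ACCESS_OK;
}

/* Copy n bytes into a descriptor-addressed chunk; stops at the first trap and
   reports how many bytes landed. A flat-pointer memcpy would run on into buf_b. */
enum access_result desc_copy(const descriptor_t *dst, const uint8_t *src,
                             size_t n, size_t *written) {
    for (size_t i = 0; i < n; i++) {
        ref_t r = { dst, i };
        enum access_result rc = desc_write(r, src[i]);
        if (rc != ACCESS_OK) { *written = i; return rc; }
    }
    *written = n;
    return ACCESS_OK;
}

/* A 24-byte write into the 16-byte buf_a traps at byte 16 and buf_b stays clean. */
int demo_overrun_is_trapped(void) {
    uint8_t src[24];                      /* constructed oversized input */
    memset(src, 0x41, sizeof src);
    memset(backing, 0, sizeof backing);
    size_t written = 0;
    enum access_result rc = desc_copy(&buf_a, src, sizeof src, &written);
    int neighbour_clean = 1;
    for (size_t i = 0; i < buf_b.length; i++)
        if (buf_b.base[i] != 0) neighbour_clean = 0;
    return rc == TRAP_BOUNDS && written == 16 && neighbour_clean;
}

/* Writing through a reference whose descriptor is tagged as code traps on type. */
int demo_code_write_is_trapped(void) {
    ref_t r = { &code, 0 };
    return desc_write(r, 0x90) == TRAP_TYPE;
}

int main(void) {
    printf("overrun trapped, neighbour intact: %s\n",
           demo_overrun_is_trapped() ? "yes" : "no");
    printf("store into code segment trapped:   %s\n",
           demo_code_write_is_trapped() ? "yes" : "no");
    return 0;
}
```

The point of the simulation is the one the reply makes: because the bounds and the type travel with the reference rather than living in the programmer's head, the hardware can refuse the sixteenth-plus-one byte at the moment it is stored, which is exactly the check a flat address space cannot perform.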
