First come, first trusted

Discussions on more advanced topics such as monolithic vs micro-kernels, transactional memory models, and paging vs segmentation should go here. Use this forum to expand and improve the wiki!
Post Reply
User avatar
AndrewAPrice
Member
Member
Posts: 2300
Joined: Mon Jun 05, 2006 11:00 pm
Location: USA (and Australia)

First come, first trusted

Post by AndrewAPrice »

Hello, my OS is built around a microkernel and I want to come up with a permission system.

I'm inspired by the permission systems on a phone, where I trust the user more than I trust the programs they can install.

E.g. asking the user: "Can Snapchat access your camera?", "Can Photoshop access this file?" "Can Steam install software?"

But, being a microkernel, I want to keep this permission system outside of the kernel. The microkernally thing to do is to build a Permissions Service to act as the trusted source when anyone is wondering "Can this process perform device IO?" "Can this process access your photos?"

But, how can the operating system (the ecosystem of servers, drivers, and applications) know who to trust, to tell you who you can trust (in other words: multiple processes can say "I'm the Permissions Service" but which one is the real one?)

This problem can extend to other services. Part of the flexibility of a microkernel is that it's super flexible if you want to exchange parts around. But, if two processes say "I'm the Window Manager", who should your UI system talk to?

I don't like the idea of my microkernel being biased and favoring one Window Manager over the other if multiple processes register themselves as Window Managers. Nor do I want you to be using your computer then run what you think is a game and it registers itself as the Window Manager and streams your screen to a server.

What options do microkernel based OS's have for dealing with this?

The best option that can come to my mind is "first come, first trusted". The first service* that says it's the Permission Service, Window Manager, etc. is the one we believe. Then you just need to make sure your essential services get loaded at boot time before any applications.

This still has at least potential exploit. A process could find a way to crash a service it wants to replace first, then register itself as the new service. This doesn't close the attack, but could help a little if we had a Health Monitor service that said "Solitaire 5000 is trying to register itself as the virtual file system service, and one is already running on your computer. I think this is malicious, so I've killed the process." The Health Monitor service could have a list of services that should be singletons and trigger if another instance is trying to run.

* I load the initial set of services as multiboot modules. Something critical like the Permissions Service could be loaded via GRUB to ensure it becomes the first Permissions Service.
My OS is Perception.
xeyes
Member
Member
Posts: 212
Joined: Mon Dec 07, 2020 8:09 am

Re: First come, first trusted

Post by xeyes »

Assume that the micro kernel is still the one that loads binary images to execute and can talk to HW.

Then the canonical way to lock things down is to store signatures in a hardware vault like the TPM.

The kernel can thus positively identify that a file being loaded is the "permission system", a file with the name of "Solitaire 5000" with the correct signature would still run as the permission system.

Of course, turtles all the way down.

Who can attest that the kernel, grub or even the TPM is trustworthy?
Crono
Posts: 12
Joined: Tue Jul 19, 2022 2:49 pm

Re: First come, first trusted

Post by Crono »

You want security and you want flexibility. Do not exist together. Other than signatures you best option is as rigid/strict api as possible.
As far as 1st come 1st trusted - erasing code that does initial setup and setups initial communications is most effective. With human user involved - it is simply considerably more code.
You cant crash a service actively running and missbehaving - you crash OS saving info about the service which you wont run on next reboot. But you are not yet ready for this?

Nothing should be loaded thru 3rd party soft. Buggy uefi is enough i think.
User avatar
AndrewAPrice
Member
Member
Posts: 2300
Joined: Mon Jun 05, 2006 11:00 pm
Location: USA (and Australia)

Re: First come, first trusted

Post by AndrewAPrice »

I want my kernel not to be dependent on my greater OS, so one idea I had was to take advantage of multiboot modules. I use multiboot modules to load the initial services (e.g. I need some way to load the VFS before I my OS can load services itself off disk.)

I could load an allowlist as a multiboot module. The allowlist could be a list of processes and services they're allowed to register. The kernel would use this until we've finished loading all of the multiboot modules after which the Permissions Service would take over.
My OS is Perception.
nexos
Member
Member
Posts: 1081
Joined: Tue Feb 18, 2020 3:29 pm
Libera.chat IRC: nexos

Re: First come, first trusted

Post by nexos »

My plan is for the kernel to launch one process (init), and than init uses whatever policy it wants to load other services.

My system is somewhat co-located; the core of user-space (the VFS, object manager, security manager, settings manager, etc) are only going to be in one process since they interact a lot with each other. Hence init's loading logic is also pretty simple as it only needs to load one service before it has access to the whole security infrastructure. Of course drivers are all going to be in there own process so we get the security of microkernels, plus 3rd party services can be loaded as well.
"How did you do this?"
"It's very simple — you read the protocol and write the code." - Bill Joy
Projects: NexNix | libnex | nnpkg
User avatar
eekee
Member
Member
Posts: 891
Joined: Mon May 22, 2017 5:56 am
Location: Kerbin
Discord: eekee
Contact:

Re: First come, first trusted

Post by eekee »

nexos wrote:My system is somewhat co-located; the core of user-space (the VFS, object manager, security manager, settings manager, etc) are only going to be in one process since they interact a lot with each other.
Uh... with all those in 1 process, it looks like vulnerabilities in VFS, object manager or settings manager could be used to attack the security manager.
Kaph — a modular OS intended to be easy and fun to administer and code for.
"May wisdom, fun, and the greater good shine forth in all your work." — Leo Brodie
nexos
Member
Member
Posts: 1081
Joined: Tue Feb 18, 2020 3:29 pm
Libera.chat IRC: nexos

Re: First come, first trusted

Post by nexos »

eekee wrote:
nexos wrote:My system is somewhat co-located; the core of user-space (the VFS, object manager, security manager, settings manager, etc) are only going to be in one process since they interact a lot with each other.
Uh... with all those in 1 process, it looks like vulnerabilities in VFS, object manager or settings manager could be used to attack the security manager.
I mean yes, but a lot of making a good microkernel is balancing performance and security right. It still is better than a monolithic kernel.
"How did you do this?"
"It's very simple — you read the protocol and write the code." - Bill Joy
Projects: NexNix | libnex | nnpkg
Crono
Posts: 12
Joined: Tue Jul 19, 2022 2:49 pm

Re: First come, first trusted

Post by Crono »

eekee wrote:Uh... with all those in 1 proces.....
Wrong api, wrong functions inputs and returns, wrong policies, absent extra('unneeded') sanity checks.
User avatar
eekee
Member
Member
Posts: 891
Joined: Mon May 22, 2017 5:56 am
Location: Kerbin
Discord: eekee
Contact:

Re: First come, first trusted

Post by eekee »

nexos wrote:
eekee wrote:
nexos wrote:My system is somewhat co-located; the core of user-space (the VFS, object manager, security manager, settings manager, etc) are only going to be in one process since they interact a lot with each other.
Uh... with all those in 1 process, it looks like vulnerabilities in VFS, object manager or settings manager could be used to attack the security manager.
I mean yes, but a lot of making a good microkernel is balancing performance and security right. It still is better than a monolithic kernel.
Well all right. I only asked because of my time with Plan 9 where the security manager (or or rather the authentication service) is intended to run on a separate computer! :)


Crono wrote:
eekee wrote:Uh... with all those in 1 proces.....
Wrong api, wrong functions inputs and returns, wrong policies, absent extra('unneeded') sanity checks.
Uh, who or what are you criticizing?
Kaph — a modular OS intended to be easy and fun to administer and code for.
"May wisdom, fun, and the greater good shine forth in all your work." — Leo Brodie
Post Reply