can a virus accesses hard disk directly without need of OS?
copy all instructions in device drivers and interrupts and etc. to skip OS's control.
Or how can an OS stop programs to do this?
I mean, OS will not inspect each instruction in a program before start executing them, right? So can a program gather all the instructions in device drive or something like that, and control hard drive all by itself?
newbie to OS dev, looking for any advice, thanks.
viruses access hard disk directly without need of os
-
- Posts: 1
- Joined: Fri Jan 13, 2023 3:24 am
- Libera.chat IRC: wljackhero
-
- Member
- Posts: 5501
- Joined: Mon Mar 25, 2013 7:01 pm
Re: viruses access hard disk directly without need of os
Modern OSes use the CPU's hardware privilege separation to stop ordinary programs from accessing the hardware. If you try to access hardware in an ordinary program, the CPU will tell the OS that your program is doing something it's not allowed to do, and the OS will stop your program.
Re: viruses access hard disk directly without need of os
Although some very advanced viruses may be able to jailbreak/do privilege escalation and skip a critical set of OS protections, by exploiting either OS or hardware attack vectors.Octocontrabass wrote:Modern OSes use the CPU's hardware privilege separation to stop ordinary programs from accessing the hardware. If you try to access hardware in an ordinary program, the CPU will tell the OS that your program is doing something it's not allowed to do, and the OS will stop your program.
Writing a bootloader in under 15 minutes: https://www.youtube.com/watch?v=0E0FKjvTA0M
Re: viruses access hard disk directly without need of os
If you are a newbie to OS development then you have a lot of years of learning before you need to worry too much about virus prevention in your OS. The truth is that until your OS is in widespread use no hacker is going to devote resources towards it.
It's difficult to go into too much detail answering your question as any useful information could be used by malicious actors.
It's difficult to go into too much detail answering your question as any useful information could be used by malicious actors.
Re: viruses access hard disk directly without need of os
I don't think an ordinary virus can do it, but malicious hardware certainly can. Hardware basically can do anything with PCIe bus mastering.
Re: viruses access hard disk directly without need of os
That's what IOMMUs are for. But not every PC has those and the ones that do exist are not necessarily easy to use.rdos wrote:I don't think an ordinary virus can do it, but malicious hardware certainly can. Hardware basically can do anything with PCIe bus mastering.
BTW, it doesn't even have to be malicious hardware. If an OS can be tricked into submitting bad requests, even perfectly ordinary hardware can read and write arbitrary memory.
Carpe diem!
-
- Posts: 24
- Joined: Thu Jul 14, 2022 10:46 am
- Libera.chat IRC: json
- Location: Canada
- Contact:
Re: viruses access hard disk directly without need of os
How does malicious software "trick" the OS? Can I have an example to study? Could that happen, say, on Windows 11 or any other modern main-stream OS?
Re: viruses access hard disk directly without need of os
I don't have specific examples, but if you pay close attention to the major tech news sites like The Register and Slashdot, you'll see that almost weekly (roughly speaking) a new vulnerability pops up in one of the major OSs. Privilege escalation vulnerabilities are the typically the ones that allow for that.jaihsonk wrote:How does malicious software "trick" the OS? Can I have an example to study? Could that happen, say, on Windows 11 or any other modern main-stream OS?
Writing a bootloader in under 15 minutes: https://www.youtube.com/watch?v=0E0FKjvTA0M
- bellezzasolo
- Member
- Posts: 110
- Joined: Sun Feb 20, 2011 2:01 pm
Re: viruses access hard disk directly without need of os
Classic attack vectors apply to operating system kernels.
Don't validate the size of a buffer and strcpy() it? Now you've got malicious code in kernel space.
There's a reason a lot of modern OSes use Address Space Layout Randomisation, it makes it much harder to hit a target.
Various levels of rootkit exist - user mode privilege escalation is the most common. That's injection into a process running with a higher user privilege level - so e.g. a webserver running as root. The attack surface is minimised by not running servers as root, and giving them access to only the requisite resources.
Kernel mode rootkits - the attack surface is smaller than an arbitrary number of user processes, as this has to cross the syscall interface. But, if malicious code is run in kernel mode, it can call into drivers directly and bypass OS protections.
Bootkits - Infecting the bootloader. The virus is running before your OS is, and probably has its own drivers.
Hypervisor - The virus is running your OS in a virtual machine.
Firmware - viruses can infect the system firmware, they could even be ACPI routines in a modified DSDT.
There's even a proof of concept for infecting the Intel Management Engine (Ring -3).
Don't validate the size of a buffer and strcpy() it? Now you've got malicious code in kernel space.
There's a reason a lot of modern OSes use Address Space Layout Randomisation, it makes it much harder to hit a target.
Various levels of rootkit exist - user mode privilege escalation is the most common. That's injection into a process running with a higher user privilege level - so e.g. a webserver running as root. The attack surface is minimised by not running servers as root, and giving them access to only the requisite resources.
Kernel mode rootkits - the attack surface is smaller than an arbitrary number of user processes, as this has to cross the syscall interface. But, if malicious code is run in kernel mode, it can call into drivers directly and bypass OS protections.
Bootkits - Infecting the bootloader. The virus is running before your OS is, and probably has its own drivers.
Hypervisor - The virus is running your OS in a virtual machine.
Firmware - viruses can infect the system firmware, they could even be ACPI routines in a modified DSDT.
There's even a proof of concept for infecting the Intel Management Engine (Ring -3).
Whoever said you can't do OS development on Windows?
https://github.com/ChaiSoft/ChaiOS
https://github.com/ChaiSoft/ChaiOS