Linux Permissions UID 0 vs Ring 0

kernellinuxx86

I am studying for a Computer Security exam, and I am struggling to understand the following sample question.

'Explain the difference between running in ring 0 on x86 and running as UID 0 in Linux. Give an example of something that each one enables, but the other does not.'

My current understanding is that ring 0 on x86 is the most privileged OS level and that kernel code is run in ring 0. UID 0 is the linux superuser that can essentially run anything. With my current understanding of these concepts, I don't understand how to answer this question.

Please Note, this is NOT a homework question and is NOT something I will be graded upon, it is study material only.

Best Answer

Your understanding is correct. “Ring 0” is the x86 term for the kernel mode of the processor. “Running in ring 0” means “kernel code”.

In terms of security, everything that can be done by a process (under any UID) can be done by the kernel. Some things are very inconvenient to do from kernel code, for example opening a file, but they are possible.

Conversely, under normal circumstances, if you can run code under UID 0, then you can run kernel code, by loading a kernel module. Thus there is no security barrier between UID 0 and kernel level under a typical configuration. However code running in a process is still bound by the limitations of the processor's user mode: every access to a peripheral (including disks, network, etc.) still has to go via a system call. It is possible to configure a machine to have a UID 0 that isn't all powerful, for example:

Disable the loading of kernel modules.
Use a security framework such as SELinux to take away privileges from a process: UID 0 does not necessarily trump those, for example it's possible to make a guest account with UID 0 but essentially no privileges with the right SELinux policy.
UID 0 in a user namespace only has the permissions of the namespace creator.

Question 1

Some of that memory is used for the kernel code itself, some is reserved, etc. The kernel spits it out in the system boot messages:

[    0.000000] Memory: 6106920k/7340032k available (3633k kernel code, 1057736k absent, 175376k reserved, 3104k data, 616k init)

The "absent" line is memory that isn't actually there (this machine currently has 6GiB of RAM installed). The kernel also spits out the memory map (this is earlier in the boot messages):

[    0.000000] e820: BIOS-provided physical RAM map:
[    0.000000] BIOS-e820: [mem 0x0000000000000000-0x000000000009ebff] usable
[    0.000000] BIOS-e820: [mem 0x000000000009ec00-0x000000000009ffff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000000e2c00-0x00000000000fffff] reserved
[    0.000000] BIOS-e820: [mem 0x0000000000100000-0x00000000bf77ffff] usable
[    0.000000] BIOS-e820: [mem 0x00000000bf780000-0x00000000bf797fff] ACPI data
[    0.000000] BIOS-e820: [mem 0x00000000bf798000-0x00000000bf7d9fff] ACPI NVS
[    0.000000] BIOS-e820: [mem 0x00000000bf7da000-0x00000000bfffffff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000fee00000-0x00000000fee00fff] reserved
[    0.000000] BIOS-e820: [mem 0x00000000ffe00000-0x00000000ffffffff] reserved
[    0.000000] BIOS-e820: [mem 0x0000000100000000-0x00000001bfffffff] usable

The kernel then does various fixups to that map, usually reserving more memory. Especially as the drivers load.

Question 2

The kernel/user split is of virtual address space, not memory. Its pretty much irrelevant on a 64-bit box, because there is so much address space to go around.

On a 32-bit box, virtual addresses 0x00000000–0xBFFFFFFF were used for user address space. 0xC0000000–0xFFFFFFFF were used by the kernel (that's the 3:1 split, other options inlcuded a 2:2 split. Note those numbers are gigabytes, so it's 2:2 not 1:1). Virtual addresses are process-specific, too (each process can have a page at 0x00001000, and it's a different page).

But a virtual address doesn't correspond to a byte of memory. It can be backed by basically four things:

Nothing. The page isn't in use. Try to access it, get a segfault.
Physical RAM. The MMU translates the virtual address to some physical address, which actually corresponds to capacitors on a DIMM somewhere.
Swap (or memory-mapped file). If you access this, there will be a page fault, and the kernel will suspend your process while it reads the data into memory (and possibly writes other data to disk, to make room). Then the kernel updates the page tables, turning this into case #2.
Zero page. This is a newly allocated page, which hasn't been used yet. When it is, the kernel will find a page of physical memory (possibly swapping other stuff out), fill it with zeros (for security), and then it's case #2.

Transparent huge pages makes more cases. There are probably a few less-important ones I've forgotten, too...

Anyway, my 64-bit chip has a 48-bit virtual address size. I'm not sure what split the kernel uses, but even if its half, that's 47 bits of space, well in excess of the 36-bit physical address size. And 131,072 GiB of RAM is too expensive... (And, remember, when it gets cheaper, there are a lot of bits left in 64, future processors will probably just allow more of them).

Best Answer

Related Solutions

Linux – Why Nmap fragmented scan on Linux is only working from virtual environment

Linux – What happened to the RAM

Question 1

Question 2

Related Question