
This is a hypothetical question. Suppose there is an application (which typically executes in user mode) that wants to access kernel data structures, read register values, and perform some kernel-level functions.

Is there a way for the kernel and/or the CPU to allow this application to perform its functions while maintaining the normal user-level/kernel-level isolation for other applications, except this one?

  • highly doubt it. once you're kernel space, there's few (none?) limits on where you can go or what you can do. "But I promise to behave" doesn't cut it in software security. – Marc B Aug 25 '16 at 16:11
  • Edited the last part of the question. Please have a look at it again – cout_display_name Aug 25 '16 at 16:20
  • Run as root, mmap /dev/kmem :P (probably requires building a custom insecure kernel to have /dev/kmem in the first place) – Notlikethat Aug 25 '16 at 21:44
  • @Notlikethat can you please elaborate your comment further? If I can mmap the /dev/kmem into a user process' address space, would the process be able to read kernel memory while running at ring 3? – cout_display_name Aug 26 '16 at 10:46
  • Well, yeah; that's what it's _for_ (as a blunt instrument for kernel debugging). The clue's in the name. – Notlikethat Aug 26 '16 at 12:35
  • Thanks for the comments. I will look into kmem – cout_display_name Aug 26 '16 at 18:59
  • @cout_display_name It would be easier to correctly answer your question if you explain which task you are trying to solve (more generally). Can be some sort of [XY problem](http://xyproblem.info/). – Sam Protsenko Aug 26 '16 at 20:24

1 Answer


In order to either put your app in kernel space (kernel memory) or to run it in ring 0 CPU mode, you will need to do that from kernel code. In the normal state of operation you can't run an app from the kernel with the mentioned privileges (at least there is no existing API to do that). It's probably possible to implement some kernel code which is capable of this. But it will be tricky and will mess up the whole concept of kernel-space/user-space separation, and if any advanced user-space API was used -- it won't work anyway.

If you are thinking about just giving your app ring 0 privileges -- it won't work either, because the kernel has its own stack and because of kernel-space/user-space memory separation, so you won't be able to run the internal kernel API.

Basically, you can achieve the same thing by writing a kernel module instead. And for running some kernel code on behalf of a user-space app -- you can use the system call interface.

So, answering your question: no, it's not possible to run a user-space app in kernel mode so that it can use the internal kernel API.

– Sam Protsenko
  • Thanks for your detailed answer. How about this: I create a system call which points to the code of the user application. When this system call is called, would it make the application run at ring 0? – cout_display_name Aug 26 '16 at 19:06
  • A system call can't point to user-space code. All system calls are listed in the syscall table (in the kernel), and they point to kernel functions (located in kernel space). So when you execute a system call from your app, the corresponding system call (located somewhere in the kernel) is called. Context will be [switched](https://en.wikipedia.org/wiki/Context_switch#User_and_kernel_mode_switching) to kernel mode (so the CPU runs in ring 0), and your app's PID will be in effect, but the CPU will be running only the predefined system call from kernel space, not your user-space code. – Sam Protsenko Aug 26 '16 at 20:03
  • See also this related question: [Escalating to Ring 0 in Linux application](http://stackoverflow.com/questions/18298097/escalating-to-ring-0-in-linux-application). Long story short: in Linux, you **can't** run a user-space process in ring 0. The only way to obtain ring 0 -- is to run your code from kernel space. For example, you can do that by writing a kernel module and loading it into kernel space. – Sam Protsenko Aug 26 '16 at 20:16
  • So, summarizing all that was written: only the kernel can be run in ring 0 mode, and the only way to switch from ring 3 (user-space mode) to ring 0 (kernel mode) is to use a system call. It's a hardware way to achieve security (to isolate the kernel from user space), and you can't violate it from software. [Here is](http://stackoverflow.com/a/499199/3866447) how it's done on the x86 architecture. – Sam Protsenko Aug 26 '16 at 20:34
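The last comment states that the isolation is enforced by hardware and cannot be bypassed from software. The program below, written for this page and not part of the thread, checks both layers from an ordinary ring-3 process: a direct load from an address in the kernel half of the virtual address space faults (the page tables mark those pages supervisor-only, so the CPU raises a page fault that Linux delivers as SIGSEGV), and handing the same address to a system call does not help either, because the kernel validates user pointers with access_ok/copy_from_user and fails the call with EFAULT instead of copying on the caller's behalf. It assumes Linux on x86-64 or arm64; `KERNEL_HALF_ADDR` is merely the lowest address of the kernel half there, chosen for the example and not a kernel symbol.

```c
/* probe_isolation.c: checks, from an ordinary ring-3 process, the two
 * layers that keep a user-space program out of kernel memory.  Written as
 * an illustration for this page; assumes Linux on x86-64 or arm64.
 * KERNEL_HALF_ADDR is just the first address of the kernel half of the
 * virtual address space (an example choice, not a kernel symbol). */
#define _GNU_SOURCE
#include <errno.h>
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define KERNEL_HALF_ADDR ((const char *)0xffff800000000000UL)

static sigjmp_buf probe_env;

static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(probe_env, 1);   /* unwind out of the faulting load */
}

/* Layer 1, hardware: kernel pages are supervisor-only in the page tables,
 * so a ring-3 load raises a page fault that Linux delivers as SIGSEGV.
 * Returns 1 if the load faulted (expected), 0 if it actually succeeded. */
int direct_read_faults(const char *addr)
{
    struct sigaction sa, old_segv, old_bus;
    volatile int faulted = 0;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);      /* some platforms report SIGBUS */

    if (sigsetjmp(probe_env, 1) == 0) {
        volatile char c = *addr;            /* the probed ring-3 load */
        (void)c;
    } else {
        faulted = 1;
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

/* Layer 2, software: asking the kernel to copy from the address on our
 * behalf (here via write(2) into a pipe) does not bypass the check either.
 * copy_from_user rejects non-user pointers and the syscall fails with
 * EFAULT.  Returns the errno reported, or 0 if the copy succeeded. */
int syscall_read_errno(const char *addr)
{
    int fds[2];
    ssize_t n;
    int err;

    if (pipe(fds) != 0)
        return errno;
    n = write(fds[1], addr, 16);
    err = (n < 0) ? errno : 0;
    close(fds[0]);
    close(fds[1]);
    return err;
}

int main(void)
{
    int err;

    printf("direct load from kernel half faults: %s\n",
           direct_read_faults(KERNEL_HALF_ADDR) ? "yes" : "no");
    err = syscall_read_errno(KERNEL_HALF_ADDR);
    printf("write(2) from kernel half: %s\n",
           err ? strerror(err) : "succeeded");
    return 0;
}
```

The two results together are the point of the thread: the CPU refuses the access outright, and the system call interface, the one sanctioned way into ring 0, runs only the kernel's own code and checks every user-supplied pointer before touching it, so a user-space process gets neither its own code in ring 0 nor a proxy for reading kernel memory.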