Re: Is VMS Security being dumbed-down for Java?



Richard Maher wrote:

> Can I just pin you down on your definition of an RTL? Is a call to
> SYS$GETUAI or SYS$PERSONA_CREATE in sys$library:secureshp.exe an "RTL call"?
> So as not to try and trick you, when previously (couple of years ago?) I
> asked "Is it safe to call sys$getuai from a UWSS?" your answer was "AFAIK
> No.". I am now of the opinion that what we're walking away with here is "It
> is safe to call other UWSS shareable images (including SECURESHRP) but not
> other user-mode RTLs." Is that right?

What I am referring to here as an RTL is anything not built into the kernel. If it's loaded and activated separately or otherwise not part of the kernel, it's not necessarily safe to call it from inner-mode code. And AFAIK, it is not safe to call sys$getuai, since this call is implemented as a UWSS and not as part of the kernel -- the LOADSS calls needed to use outer-mode APIs as part of their operations, so the LOADSS APIs are not directly part of the kernel.

>> But if problems do arise and the report
>> gets to OpenVMS Engineering, my input is going to be "not supported".

> You can't get much plainer than that, and I appreciate your candour. But the
> image I'm stuck with is that of the poor developer's face who, after just
> spending a big chunk of his life reinventing a new heap-management wheel,
> stumbles across ACMS or Rdb (or PCA$COLLECTOR) code that's called
> LIB$GET_VM_PAGE from year dot and has had oodles of VMS engineering
> involvement. He's gutted!!!

I've extricated my share of locally-written memory management code from existing applications. Maintaining it was more work than replacing it.

And in any event, inner-mode code cannot call RTL calls. There are cases where it might work for some folks, but there are cases where mixing the access modes and the memory heap page protections will encounter failures -- or worse, you'll introduce a security hole.

If I'm coding in user-mode, I call the RTLs and set up what I need, and pass it along to inner-mode code (where I then verify the memory via probes). If I'm coding in inner-mode code, I use the kernel memory management routines, and the kernel debugging routines (tr_print and friends, for instance). Or I expect the outer-mode code to have set up the necessary memory, and I then probe it for access rights.

If working in this area, access to the source listings is required.

> But if the VMS documentation set did not consistently refer to
> LIB$GET_VM_PAGE being called from inner mode then I suspect that support and
> engineering would not be hounded about it for all eternity. Will these
> references be removed from the doc set?

I can't say I've seen any documentation to inner-mode code referring to the RTLs. If it is, we'll either have to fix the existing RTLs to be mode-sensitive or we'll have to fix the documentation, or both. In either case, the resolution doesn't immediately matter here as calls to the RTL from inner mode don't work.

>> NOSHRIMG, privileged shareable image cannot have outbound calls

> When did it become legal to drop the /PROTECT qualifier on the $LINK
> command? Are we agreed that a re-visit of the relevant documentation should
> have taken place at that time and, sadly, didn't?

You can't call RTLs from inner-mode code.

>> obviously the kernel-mode C library, are safe to call.

> Once again, can you please tell me the file-spec for this library? (And are
> the routines as well documented as the EXE$ routines) Are there kernel mode
> equivalents of malloc, and realloc et al?

You can't call user-mode code and user-mode RTLs from inner-mode code.

The kernel C library is part of the kernel, and is callable from inner-mode code.

Key here is the use of LINK/NOSYSLIB/SYSEXE. If you have C calls and use this command, per the driver documentation, you will get a subset of the standard C library calls resolved via the kernel C library. (If you have both the user-mode C library and the inner-mode C library, you'll get duplicate symbols.)


>> Inner-mode calls to anything other than
>> exec-based system services are not generally considered supported.

> Anyone got just *one* example of a non exec-based system service call being
> specifically supported?

You can't call user-mode code from inner-mode code. If you need to get out to user-mode to do something, you need to use an AST or an ACP or a connection to a remote server process or other such.

I can choose to use a pseudo device driver, too, as there are a variety of constructs and APIs available that can make operations within a driver easier (and easier to secure) than those within a UWSS, a privileged shareable image. And there is more documentation for drivers, too.

Anyone writing inner-mode code really needs access to the OpenVMS source listings kit, too. The part numbers are in the FAQ.
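The discipline described in the reply above (outer mode sets the memory up, inner mode probes it in the caller's access mode before touching it, and never calls user-mode RTLs to do so) as an added example. This is not code from the original post, from OpenVMS, or from either participant: it is a portable C model in which the toy address space, the per-page protections, the `probe()` routine, the `argblk_t` descriptor and the `inner_copy_in()` handler are all assumptions for illustration. On OpenVMS the real checks are the PROBER/PROBEW probes against the previous mode, and any memory the inner-mode side needs itself would come from the kernel memory routines rather than LIB$GET_VM_PAGE.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Access modes numbered as on VMS: 0 = kernel (most privileged) .. 3 = user. */
enum { MODE_KERNEL = 0, MODE_EXEC = 1, MODE_SUPER = 2, MODE_USER = 3 };

/* Assumed toy address space: 64 pages of 512 bytes, addressed 0..ARENA_SIZE-1. */
#define PAGE_SIZE  512u
#define NPAGES     64u
#define ARENA_SIZE (PAGE_SIZE * NPAGES)

static unsigned char arena[ARENA_SIZE];
/* Per-page protection: the least-privileged mode allowed to read / write the page. */
static struct { unsigned char rd, wr; } prot[NPAGES];

/* Assumed layout: the low half is inner-mode-only memory, the high half is user memory. */
void model_init(void)
{
    memset(arena, 0, sizeof arena);
    for (unsigned p = 0; p < NPAGES; p++)
        prot[p].rd = prot[p].wr = (p < NPAGES / 2) ? MODE_KERNEL : MODE_USER;
}

/* probe(): may code running at access mode `mode` read (write != 0: write) every
 * byte of [addr, addr+len)?  This is the question an inner-mode routine must ask
 * on behalf of its caller's mode before touching caller-supplied memory. */
int probe(uint32_t addr, uint32_t len, int mode, int write)
{
    if (len == 0) return 1;                        /* nothing will be touched */
    if (addr > UINT32_MAX - len) return 0;         /* addr + len would wrap around */
    uint32_t last = addr + len - 1;
    if (last >= ARENA_SIZE) return 0;              /* runs off the end of mapped memory */
    for (uint32_t p = addr / PAGE_SIZE; p <= last / PAGE_SIZE; p++) {
        int allowed = write ? prot[p].wr : prot[p].rd;
        if (mode > allowed) return 0;              /* caller's mode may not touch this page */
    }
    return 1;
}

/* Argument block the outer-mode caller builds in its own memory. */
typedef struct { uint32_t buf; uint32_t len; } argblk_t;

/* inner_copy_in(): the inner-mode half of the pattern.  `argp` is the caller's
 * address of an argblk_t, `prev_mode` the mode the caller was running in.
 * Copies the described data into the inner-mode buffer `out`; returns the byte
 * count, or -1 if any probe fails.  Nothing in caller memory is trusted until it
 * has been probed, and the descriptor is copied once so it cannot change under us. */
long inner_copy_in(uint32_t argp, int prev_mode, unsigned char *out, size_t outcap)
{
    argblk_t a;
    if (!probe(argp, sizeof a, prev_mode, 0)) return -1;     /* 1: the descriptor itself */
    memcpy(&a, &arena[argp], sizeof a);
    if (a.len > outcap) return -1;                           /* 2: fits our own buffer */
    if (!probe(a.buf, a.len, prev_mode, 0)) return -1;       /* 3: the data it points at */
    memcpy(out, &arena[a.buf], a.len);
    return (long)a.len;
}

/* Demo helper (constructed input): write a descriptor, and its data if the
 * range is actually mapped, into the model. */
void place(uint32_t argp, uint32_t buf, const char *data, uint32_t len)
{
    argblk_t a = { buf, len };
    memcpy(&arena[argp], &a, sizeof a);
    if (data && len <= ARENA_SIZE && buf <= ARENA_SIZE - len)
        memcpy(&arena[buf], data, len);
}

int main(void)
{
    unsigned char out[64];
    model_init();
    place(0x4000, 0x4100, "hello", 5);       /* user descriptor -> user data: accepted */
    printf("user/user:        %ld\n", inner_copy_in(0x4000, MODE_USER, out, sizeof out));
    place(0x4200, 0x0200, "secret", 6);      /* user descriptor -> kernel data: refused ... */
    printf("user->kernel:     %ld\n", inner_copy_in(0x4200, MODE_USER, out, sizeof out));
    /* ... unless the handler wrongly probes in its own mode instead of the caller's */
    printf("probed as kernel: %ld\n", inner_copy_in(0x4200, MODE_KERNEL, out, sizeof out));
    place(0x4300, 0xFFFFFFF0u, NULL, 0x20);  /* length that wraps the address: refused */
    printf("wraparound:       %ld\n", inner_copy_in(0x4300, MODE_USER, out, sizeof out));
    return 0;
}
```

The "probed as kernel" case is the one to study: the same user-supplied descriptor pointing at inner-mode memory is accepted as soon as the handler probes in its own access mode rather than the caller's previous mode, which is how an innocent-looking copy routine turns into an arbitrary kernel read. The descriptor is probed before it is read, and then copied, so that the second probe and the copy work on the same values the caller cannot alter.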


