User Mode Linux

langed writes: "It appears that Jeff Dike has supplied a new implementation of the Linux kernel, whereby it is possible to boot a Linux kernel from the command line. This allows you to test a kernel before installing it, or completely partition users off from the main system. Networking appears to be through a slip connection, AFAIK, but this thing shows serious potential for increasing security and for kernel hacking, among many other nifty uses."

Re:Similar to FreeBSD jail()

[drdink]

They may have the same result, but unlike jail() this thing requires you to run a kernel under your kernel. FreeBSD's jail() uses the system kernel. There is no second kernel running under it. You get less of a cpu hit with jail().

Re:Get your mainframe!! Mainframes here!!

[simong]

There's something similar already: UK company DSVR sell virtual servers that are effectively multiple standalone 300Mb Linux boxen on a 500Mhz PC host. They've also made the technology available through the GPL at www.freevsd.org.

Some idle thoughts

[jd]

• A user-land kernel would make a great honeypot as it would be indistinguishable from a "real" system.
• It would allow you to test large-scale distributed software -WITHOUT- a large-scale distributed setup.
• As with car mechanics, it would allow you to see the engine running, without being in the car.
• It offers more profiling possibilities (as your profiler won't be changing the state of the kernel by the act of running).
• The first one to port the entire Linux kernel to a Word Macro wins the "Gross, Sick and Disgusting, but very Impressive Hack" Award.

Re:Old news

[Taurine]

Yes, this has been available for months. It must have been reported here before, too. News seems stuck in an infinite loop recently on /. Back in the day this didn't happen very often, and the actual number of front-page stories wasn't lower, so what could be the cause? Is there a drop in the quality of the story queue, or of the attention of the editors? In this case, how could the submittor have failed to notice that this wasn't new? I believe it has quite a high version number, and the diary page on the web site goes back to February of this year. And this thing is often mentioned in the most consumable version of the kernel mailing list, Kernel Traffic.

Security and GPL Considerations Of User Mode Linux

[Effugas]

I've actually been talking up User Mode Linux since I first heard about it some time ago. The project's goal is essentially to re-implement Linux in its own system call interfaces, so the entire operating system can be executed as Just Another Application.

It's actually pretty cool code, and it has some pretty interesting implications as time goes on.

Among other things, it's actually a surprisingly good hack for making IPSec on Linux rather more usable. It's pretty obvious that IPSec code belongs in the kernel(after all, it's built off of IP, which *is* kernel code), but the difficulty and potential instablitity of IPSec, when it's not exactly a critical application for many users, precludes the deployment of the code. User mode Linux, with a stripped down FreeSWAN distribution, could give a much less risky and far simpler method for users and administrators to test and perhaps even deploy simple IPSec endpoints.

IPSec may become only marginally more awkward to experiment with than SSH.

Of course, this would require raw access to the network interface--not something generally given user level processes. That illustrates the #1 caveat of User Mode Linux--if the environment runs as root under the parent kernel, the child kernel doesn't particularly lose those root permissions. Granted, control over the operating environment can be much, much finer grained per virtual OS instantiation. But if that environment is broken, the attacker gains all capabilities of the user parent. When the user parent is root...sure, there's a layer of obfuscation, but that's about it.

Of course, if I was attacking a machine, I wouldn't particularly expect that the machine I had taken over was just a temporarily instantiated OS image.

A more troubling question is how much of "User Mode Linux" can be run entirely independent of root. Even creating a new SLIP device for the virtualized OS requires non-user priviledges, so the best case scenario remains that an attacker, knowing they're behind a false root, attempts to corrupt or attack the parent kernel by feeding bad bytes down the network interface. Luckily, that's generally a pretty untrusted interface--and even better, there's absolutely nothing that says you have to give the client a direct network link(slirp, once again, comes in incredibly useful.)

Interestingly enough, User Mode Linux (as noted on the page) will probably eventually be used to port Linux apps en masse to alternate platforms that implement the Linux System Call APIs. lxrun *does* this on Solaris to some degree; this does mean that sometime down the line, Linux IPSec code may function on a non-free OS.

This really shouldn't be a big deal, with everything GPL and open--but RMS and Becker have made some pretty loud noises about kernel functionality being intrinsically separated from the intent of the GPL. User Mode Linux reduces the entire kernel to Just Another Application, no different than anything else. This is, in a technical sense, a beautiful, fascinating example of encapsulation--one that could never have come about without the openness that the GPL grants.

I'd keep an eye on User Mode Linux if I were you. This is among the most interesting work being done with the OS, period.

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com