Slashdot Mirror
User Mode Linux
langed writes: "It appears that Jeff Dike has supplied a new implementation of the Linux kernel, whereby it is possible to boot a Linux kernel from the command line. This allows you to test a kernel before installing it, or completely partition users off from the main system. Networking appears to be through a slip connection, AFAIK, but this thing shows serious potential for increasing security and for kernel hacking, among many other nifty uses."
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I've actually been talking up User Mode Linux since I first heard about it some time ago. The project's goal is essentially to re-implement Linux in its own system call interfaces, so the entire operating system can be executed as Just Another Application.
It's actually pretty cool code, and it has some pretty interesting implications as time goes on.
Among other things, it's actually a surprisingly good hack for making IPSec on Linux rather more usable. It's pretty obvious that IPSec code belongs in the kernel(after all, it's built off of IP, which *is* kernel code), but the difficulty and potential instablitity of IPSec, when it's not exactly a critical application for many users, precludes the deployment of the code. User mode Linux, with a stripped down FreeSWAN distribution, could give a much less risky and far simpler method for users and administrators to test and perhaps even deploy simple IPSec endpoints.
IPSec may become only marginally more awkward to experiment with than SSH.
Of course, this would require raw access to the network interface--not something generally given user level processes. That illustrates the #1 caveat of User Mode Linux--if the environment runs as root under the parent kernel, the child kernel doesn't particularly lose those root permissions. Granted, control over the operating environment can be much, much finer grained per virtual OS instantiation. But if that environment is broken, the attacker gains all capabilities of the user parent. When the user parent is root...sure, there's a layer of obfuscation, but that's about it.
Of course, if I was attacking a machine, I wouldn't particularly expect that the machine I had taken over was just a temporarily instantiated OS image.
A more troubling question is how much of "User Mode Linux" can be run entirely independent of root. Even creating a new SLIP device for the virtualized OS requires non-user priviledges, so the best case scenario remains that an attacker, knowing they're behind a false root, attempts to corrupt or attack the parent kernel by feeding bad bytes down the network interface. Luckily, that's generally a pretty untrusted interface--and even better, there's absolutely nothing that says you have to give the client a direct network link(slirp, once again, comes in incredibly useful.)
Interestingly enough, User Mode Linux (as noted on the page) will probably eventually be used to port Linux apps en masse to alternate platforms that implement the Linux System Call APIs. lxrun *does* this on Solaris to some degree; this does mean that sometime down the line, Linux IPSec code may function on a non-free OS.
This really shouldn't be a big deal, with everything GPL and open--but RMS and Becker have made some pretty loud noises about kernel functionality being intrinsically separated from the intent of the GPL. User Mode Linux reduces the entire kernel to Just Another Application, no different than anything else. This is, in a technical sense, a beautiful, fascinating example of encapsulation--one that could never have come about without the openness that the GPL grants.
I'd keep an eye on User Mode Linux if I were you. This is among the most interesting work being done with the OS, period.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com