PS3 Cell Processor Security Architecture

hoyhoy writes "IBM Developerworks is discussing the PS3 Cell Processor Security Architecture today on Developerworks. It details the hardware level security for isolating processes that exists in the Cell processor's architecture." From the article: "The architecture's main strength is its ability to allow an application to protect itself using the hardware security features instead of the conventional method of solely relying on the operating system or other supervisory software for protection. Therefore, if the operating system is compromised by an attack, the hardware security features can still protect the application and its valuable data. As an analogy, consider the protection the supervisory software provides as the castle's moat and the Cell BE security hardware features as the locked safe inside the castle."

Intel equivalent

[IamTheRealMike]

For comparison, the Intel equivalent to this technique (allowing processes to shield themselves even from the kernel) is called LaGrande Technology.

I'm not really a fan of this sort of design - it seems to duplicate the purpose of the existing kernel/userspace security architecture, but I can appreciate the pickle we're in with de-facto standard kernels that allow anything to be loaded into them. Windows Vista 64 bit requires all kernel drivers to be signed: correctly so, in my opinion, but this doesn't help the huge 32 bit userbase today.

Re:Intel equivalent

[flooey]

...but I can appreciate the pickle we're in with de-facto standard kernels that allow anything to be loaded into them.

I think it's more that the "pickle" is that the kernels are software, which is inherantly malleable. This type of security architecture isn't designed to protect the user from outside attackers, though it helps with that as a bonus. It's designed to protect the device from the legitimate user doing something the manufacturer doesn't intend (such as, for instance, decrypting movies or games and then saving them to a hard drive or running non-standard operating systems).

Re:Intel equivalent

[HaloZero]

Signed drivers won't matter in this situation. If the chip is going in the PS3, then I'd hope Sony has a decent handle on the hardware that's going in there with it. I'd also hope that they're competant enough to write an operating system with drivers that take correctly catalogue the hardware and it's functionality. The foray of Kernels doesn't really matter when you have a static configuration in terms of hardware and OS.

Re:Intel equivalent

[IamTheRealMike]

The fact that software is malleable is a two-sided coin: most people who end up with their machine modified in the ways this technique helps deal with are the victims of malware and viruses.

Regardless of what you believe it was designed for, the only things that actually matter are what it actually does. It's like saying that asymmetric crypto was designed so the military could hide secrets from civilians. Sure they use it for that, does that mean cryptography is bad? No.

Likewise, look at it from the perspective of the average gamer. This technology could easily be used to shield games from cheats with far greater effectiveness than now. You only have to play Counter Strike for half an hour to see how destructive cheaters can be - even if everybody is totally legit it won't be long until somebody is accusing somebody else of wallhacking. A game service that suffers trace levels of cheating would be enjoyed more by everybody, despite the software being less malleable as a result.

Re:Intel equivalent

I'm not really a fan of this sort of design

I'll say... since it is Treacherous Computing. It's hardware that you do not own and do not control. It's security *against* you, not *for* you.

Re:Intel equivalent

Trusted Computing: Promise and Risk

Summary: The hardware could be useful, if it is under the control and scrutiny of the person who paid for it. Otherwise, it's a menace.

P.S. your claims about DRM compatible with Linux are bullshit. DRM relies first and foremost on a locked-down kernel. It's the kernal that interacts with the sound and video... no amount of Trusted Computing will change that... TC will only allow software providers to enforce the use of particular crippled kernels.

Re:Intel equivalent

[IamTheRealMike]

Or by allowing apps to bypass the kernel for data transfer directly, by having a secure form of DMA. It's still not going to make people happy but it does get the kernel out of the way.

Re:Intel equivalent

[powerlord]

Yes, signed drivers won't mater in this situation. On the other hand, IBM is hoping to use this chip in lots of other applications, which is why TFA on IBM's site is entitled "The Cell Broadband Engine processor security architecture" and doesn't mention the PS3.

Re:Intel equivalent

No, it doesn't. The kernel manages DMA, and access to the hardware, or each app is going to need its own set of drivers. You aren't going to be able implement DRM without a locked-down "Trusted" kernel.

Re:Intel equivalent

[IamTheRealMike]

The kernel manages DMA today because that's what the hardware design requires. Obviously the kernel driver would still be doing the bulk of the work (set up and so on) but there's nothing stopping hardware vendors from supporting a special mode in which the kernel allows a userspace app and hardware to negotiate a secure dma channel by using a new instruction set.

Re:Intel equivalent

And. Sends. What?

Where do you think this audio/video data is coming from? It's not being generated by the app, it's coming from a network card or from a hard disk, or a DVD. How do you think the system negotiated with the other end to get the encrypted data in the first place. I realise you want to dig yourself out of a big hole... you've somehow convinced yourself that Linux needs DRM, and that it can fit in with Free software. It can't.

DRM, at a bare minimum, requires the kernel to be "trusted". If you built the entire kernel into the CPU, *then* you might be able to do it in hardware... but then, exactly what is the difference between that and TC hardware with a trusted and signed kernel? None.

Re:Intel equivalent

[IamTheRealMike]

And sends audio data?

Nothing stops you writing an application that downloads encrypted media and plays it back on Linux today. It just wouldn't be very secure.

If the audio is decrypted inside the app and then sent direct to the sound card, bypassing the operating system entirely, then you can't just dump the audio to a file with an LD_PRELOAD or kernel patch. You'd have to reverse engineer the internals of the application itself, rather difficult, and something which LaGrande makes even more difficult anyway.

I'm not sure what part of this you aren't understanding, the technology isn't _that_ complicated. It's A-OK for data to pass through the kernel as it comes off the network card or disk controller because it's encrypted. It's once the player has decrypted it that things get sensitive and the kernel can't be involved anymore.

Re:Intel equivalent

[q.kontinuum]

Since the OS (more specifically the audio driver in the OS) maintaines the information, where the soundcard is and to configure the sound card, the application still relies heavily on the opearting system. A CPU instruction set can grant the application a secure channel to a device. But since the OS tells the application which device is the sound card, a dump device can be implemented and propagated as sound card by the OS.

DRM

How does it relate to DRM? Can this technology prevent me from doing stuff?

Re:DRM

[IamTheRealMike]

Yes, it can make slightly more effective DRM because an application no longer needs to trust the operating system. But this isn't a black and white issue (realistically, outside of Slashdot groupthink, DRM is never black and white).

For instance, consider this:

• It can make more effective DRM, but it can also make more effective encryption. How do you know your operating system is secure, really? Root kits are not at all uncommon even on desktop machines these days. Have you seen how easy it is to dump form data from Safari before it's encrypted? It's not quite as easy for IE or Firefox because they're written in C++ rather than Objective-C, but it's still possible.

  Personally I wouldn't trust my CC number to an unknown Windows machine these days. SSL/TLS wire security just isn't secure anymore when it's so easy to intercept the data before it's ever encrypted.

• Afraid the government is spying on you? What was that NSAKEY symbol in the Windows crypto libraries anyway? It'd be a LOT harder to put Big Brother style tech into a CPU than an operating system simply because the CPU has much less information to work with. So crypto programs can shield themselves from possibly malicious software in another way.

• DRM exists, a lot of digital media is protected using it, and unless piracy suddenly becomes as unacceptable as murder or somebody invents a new kind of economic system to replace copyright it'll probably be around for a long time to come. Simply saying "we won't accept that" won't cut it with a lot of people, some geeks included (who do you think designs all this DRM anyway? magic programming pixies?).

  Consider - hardware process protection would theoretically allow for Linux-compatible DRM. Right now Windows Media DRM uses the "secure audio path" to try and prevent people using malicious audio drivers to trivially dump the decrypted audio out of the player. Linux has no equivalent, fundamentally cannot, however these kind of hardware features could allow it to get such a thing without breaking the GPL (because the operating system can be GPLd and therefore "untrusted" but the player would not have to trust it to work...)

• Anyway, like most technologies, it cuts both ways. It has uses you'll disagree with and others you will want. Just deal with it.

Re:DRM

[metamatic]

DRM exists, a lot of digital media is protected using it, and unless piracy suddenly becomes as unacceptable as murder or somebody invents a new kind of economic system to replace copyright it'll probably be around for a long time to come.

There's a third possibility you ignore: that DRM reduces software sales. I'm not aware of any credible research on the topic, but I know that there are albums I plan to buy from the iTunes Music Store, but only if JHymn is fixed to allow me to strip the DRM. Similarly, I've skipped buying CDs as soon as I saw the "rootkit inside" warning on the packaging.

As for the PS3, if it's secure enough to prevent cheat systems like Action Replay Max, that's going to have an impact on sales. Other than that and DRMed media playback, I can't really see any point in a complicated security system for a console--it's not like PS2 viruses or rootkits are a problem.

Re:DRM

[Kjella]

a) If your machine is rooted, it's trivial to tap the keyboard. Process "iexplore.exe" getting a number that looks like a CC#?

b) If you are running Windows, you still won't know. The chain of trust runs downwards, your apps trust Windows which again trusts the TCPA. Whatever Windows does, you'll never know. And if you don't run Windows, then it's pretty hard to hide something in plain sight code.

c) I'd wager more on the ubiquitousness of piracy to change things. Have you read the stats on the young generation? Have you looked at the connections future generations will be on?

d) "Consider - hardware process protection would theoretically allow for Linux-compatible DRM. Right now Windows Media DRM uses the "secure audio path" to try and prevent people using malicious audio drivers to trivially dump the decrypted audio out of the player. Linux has no equivalent, fundamentally cannot, however these kind of hardware features could allow it to get such a thing without breaking the GPL (because the operating system can be GPLd and therefore "untrusted" but the player would not have to trust it to work...)"

So, how to you intend to access the output device? Magic kernel pixies, perhaps? All implementations I've seen would require the kernel to be signed - which means it can't be changed and replaced. Basicly it renders the GPL meaningless because all your protected media would cease to function.

Re:DRM

[IamTheRealMike]

There's a third possibility you ignore: that DRM reduces software sales.

It's true I ignored this possibility. The only hard statistics I've seen on this have been done by (drumroll) copy protection vendors, nonetheless, they are at least somewhat pseudo-scientific which is more than the purely anecdotal evidence I've seen to support the opposing view. Essentially copy protection vendors claim that the sales you lose through piracy drop off as time goes by, so for instance if a crack is developed a year after the game comes out nobody really cares (partly because sales are much lower then anyway), but if one comes out a week after it's launched that'll have a big impact. The idea is some people wait for a crack and if one doesn't appear they will "crack" themselves and go buy it.

Trustworthy source? Of course not. But it makes intuitive sense and these appear to be the only repeatable studies done so far.

Alternatively you can also trust the market. Copy protection costs money to implement, presumably after 20 years of widespread software distribution if it was really a dead cost somebody would have realised by now and trailblazed their way across the market with their no-copy-protection policy. I don't see many vendors doing that.

I know that there are albums I plan to buy from the iTunes Music Store, but only if JHymn is fixed to allow me to strip the DRM.

I'm the same! I don't buy things from iTMS because I use Linux and my phone rather than an iPod for portable music.

So I do things the old way and buy CDs instead. Believe me, I don't like todays DRM either, but given a choice between FairPlay/Windows Media being the de-facto standards or having some kind of openly published system that doesn't rely on obscurity (which is what this sort of technology might provide) then I'll go for the latter any day.

As for the PS3, if it's secure enough to prevent cheat systems like Action Replay Max, that's going to have an impact on sales.

You're implying anti-cheat technology reduces sales? I'd be surprised if that was true, most people I know hate game cheats.

As to your final point - PS2 didn't have network access. PS3 does.

Re:DRM

[IamTheRealMike]

a) If your machine is rooted, it's trivial to tap the keyboard. Process "iexplore.exe" getting a number that looks like a CC#?

I'd be interested to see an actual implementation of that. But anyway, this is why LaGrande/Cell Security include "measured boot", so the program can check that the system hasn't been rooted.

b) If you are running Windows, you still won't know. The chain of trust runs downwards, your apps trust Windows which again trusts the TCPA. Whatever Windows does, you'll never know. And if you don't run Windows, then it's pretty hard to hide something in plain sight code.

That's not how it works. Your app trusts some piece of hardware (for instance, the TPM, or some Cell specific thing) and asks it for a "measurement" which proves cryptographically that a "trusted" operating system is running. Once the app has checked that it trusts the operating system it sends the data downwards.

c) I'd wager more on the ubiquitousness of piracy to change things.

That'll provide the incentive to change, it won't provide the solution. The only solution that is being credibly pushed right now is ubiquitous DRM. Other schemes like tip jars and so on have not really taken off.

I'd really like to see a credible economic solution - a programmer would call copyright a "hack" because it kludges supply and demand on top of stuff that fundamentally doesn't obey those rules, simply because that's all capitalism can deal with. But I'm not an economist and if there is any research being done in this field, I'm not aware of it.

So, how to you intend to access the output device?

If you read the article then you can see the way it's intended to be used ... the SPEs decrypt data then either re-encrypt it (eg for multiplayer network packets) or use DMA to move it directly to the output device. The operating system is not involved. I don't know how LaGrande works but it's likely to be either by having "trusted" operating systems that effectively promise not to reroute the audio elsewhere, or by having some similar kind of DMA scheme and sound/video cards that can decrypt video data directly.

Re:DRM

[Trinn]

Most people I know like single-player game cheats, and cheats for multi-player-single-console (non-networked) party type games, because both usually allow more freedom in enjoying the game (eliminate tedious "unlocking", give new options, etc.)

Re:DRM

[IamTheRealMike]

Heya Quinn ;) Yeah, I don't mind single player cheats, I was thinking of multiplayer online cheats ... if everybody involved is happy with the new rules then why not ?

Re:DRM

[drachenstern]

If you read the article then you can see the way it's intended to be used ... the SPEs decrypt data then either re-encrypt it (eg for multiplayer network packets) or use DMA to move it directly to the output device. The operating system is not involved. I don't know how LaGrande works but it's likely to be either by having "trusted" operating systems that effectively promise not to reroute the audio elsewhere, or by having some similar kind of DMA scheme and sound/video cards that can decrypt video data directly.

So why can't a rootkit be used to intervene in this process? I thought that was the whole point of rootkits (legitimately) to intervene in the process of things, on an o/s level? And you seriously mean to tell me that a positive signing can't be duplicated? (So the CPU will have it's own NIC to dial out to a special hardcoded IP address and check a specific file for signed numbers? Yeah right.)

As always, thoughts, questions, rude remarks? (My favorite quote from a HS teacher, many years ago)

Then...

[frosty_tsm]

Imagine the Princess inside that Castle.

... or another castle.

Re:Then...

[chord.wav]

If only Sony had the rights for Mario....

Re:Then...

... they'd probably give him a gun, have him hold up koopas and goombas for coins, then sneak back to his hideaway to enjoy his stash of 'magic mushrooms', 'fire flowers', and 'super stars'.

After all, look what happened to Shadow the Hedgehog when Sega started publishing for other companies.

Not for Windows

[Gates82]

This component of Cell is not for windows, though this type of protection would greatly help windows users. The Cell processor is mainly driven with Linux and Unix I doubt M$ will support the architecture.

--
So who is hotter? Ali or Ali's siter?

Cell Home Workstations

Being one of the lucky ones who gets to work on a Cell system, it is becoming painful to come home to my x86 machine that seemed to powerful just a few months ago.

I really hope Sony goes all the way with the stuff Linux desktop stuff they are working on for the PS3. Linux, plus security features like these set forth in the article, make me want a Cell workstation running Linux at home desperately.

If you are any type of game/graphics/engineering/media engineer you want one of these Cell systems NOW.

Re:Cell Home Workstations

[heinousjay]

Care to elaborate? Your comment is anonymous and fairly generic.

Re:Cell Home Workstations

[Suddenly_Dead]

Add in that it sounds an awful lot like bad marketing, and you've got yourself and obnoxious hat-trick.

Re:Cell Home Workstations

[Slashcrap]

If you are any type of game/graphics/engineering/media engineer you want one of these Cell systems NOW.

Yeah, single precision floating point is just what you need in engineering you astroturfing little fuckstain.

PS3 or Supercomputers

[Gates82]

I wonder where this technology will be more useful, in the set top type devices like the Playstation where a virus or malicous attack may take place without the user as aware, or on large supercomputers or servers that will utilize cell. Most of the large scale uses of cell would seem rather isolated from such attacks.

--
So who is hotter? Ali or Ali's Sister?

Uhh....whaaat?

[HaloZero]

Ok, so, I get it. The PS3 will have a processor that has an instruction set dedicated to protected the threads of a program from infiltration by something that has already compromised the operating system. The obvious advantage is the protection of the data stored in those threads at a time of either pre or post processing.

That sounds like a great technology. Truly. If used for the right purposes.

WHY are you implementing it on a GAME CONSOLE? (I'm also a little scared of the wording '...allow an application to protect itself... - we're writing sentience into these things, now, too? Might cause some ethical issues with first-person shooters..)

I'd love that sort of protection on a kiosk machine, something we'd send to a trade show, or even the laptops employed by our sales force. But the PS3? Nothing mission-critical is going to happen on the PS3. Nothing. Wait, wait.. I think I figured it out...

Digital Rights Management. Gotcha, gotcha. Thanks, Sony. It's nice to know that the PS3 will have an anti-modchip on it from the getgo.

Re:Uhh....whaaat?

[RingDev]

The Cell processor has much wider market desires then just the PS3. It is likely that the PS3 will not take this feature as an advantage, but the feature will be there for Linux based Cell Processor servers. In those kinds of system, memory protection can be extremely important.

-Rick

Re:Uhh....whaaat?

[IamTheRealMike]

If you had RTFA you'd know this isn't about mod chips - the article explicitly states that this kind of protection is not about resisting hardware attacks and only concerns software.

WHY are you implementing it on a GAME CONSOLE?

Maybe because the Cell is designed to be used for more things than just the PlayStation?

Re:Uhh....whaaat?

[Krach42]

WHY are you implementing it on a GAME CONSOLE?

Um, because the Cell isn't just a game console processor, it's a multi-purpose vector processor.

IBM, Sony, and... who's the other person working on it? I forget. Anyways, the people involved each want it for various purposes. Yes, Sony wants to use it in the PS3, but IBM wants to do some serious work with the Cell and potentially replace POWER with it.

Re:Uhh....whaaat?

I guess you just happen to miss the 250+ companies from aerospace, medical, digital media, and defense that are in the process of building Cell based systems. Too busy figuring out how to post in HTML?

It is Interesting, though completely irrelevant, that you took the time to demonstrate to the Net what an idiot you are.

Wait, wait.. I think I figured it out...

HaloZero. Gotcha, gotcha. Thanks, Xbot.

Re:Uhh....whaaat?

[frostfreek]

Zonk is contributing to his confusion by posting "PS3 Cell Processor Security Architecture" instead of "Cell Broadband Engine ..."

Re:Uhh....whaaat?

Maybe because the Cell is designed to be used for more things than just the PlayStation?

YEA!.. like we would use it as bittorrent servers to check the hashs and protect the torrent peers and streams from pirated bluray and HDDVD releases, and there's nothing the MPAA can do about it as they'd need a hacked PS3 to access it, and that would be illegal now wouldn't it.. free 1080P video streams for EVERYONE!

Re:Uhh....whaaat?

[poot_rootbeer]

WHY are you implementing it on a GAME CONSOLE?

Maybe because the Cell is designed to be used for more things than just the PlayStation?

Correct answer, incorrect question.

Question is: why did Sony choose to put a Cell processor--an architecture that's substantially different from what they used before, and that contains features superfluous to the goals of a gaming console--in their upcoming gaming consoles?

Optional bonus question: why did Slashdot title this story "PS3 CELL PROCESSOR Security Architecture" when the information is applicable to Cell Processors, but not very much so to the PS3?

Re:Uhh....whaaat?

[bWareiWare.co.uk]

I think the article was taking the academic, cautious approach here. A hardware attacks (modchips) on this system are theoretically possible. However you would have to attach directly to the processor's internal bus.

This would mean attaching to 90nm wires at 3.2 Gigs; that is it going to make mod chips a bit harder.

(The Xbox modchips use a 33Mhz bus and existing solder points on the motherboard (i.e. a 100 times slower and over a 1,000 times larger)

Re:Uhh....whaaat?

[Kookus]

The lofty goals for the cell processor have it being used in everything from tv's to your microwave. The purpose of this security is to have all of those appliances have the ability to lease out their processing power to other appliances in the event one of them requires it.

Imagine yourself encoding a movie, and your neighbor's ps3 helps you out because it isn't in use... would you like your neighbor having the ability to see what your encoding? Nah, and I'm not saying that this technology will be used in that way yet, but at least it get's us thinking in the direction in which you don't need a computer to be able to use one.

Re:Uhh....whaaat?

[powerlord]

Actually considering that the system will most likely have a network connection and some form of persistant storage, Sony might just use this feature to help keep unauthorized access (i.e. anything they haven't approved) to a minimum.

Wouldn't be surprised if this helped limit potential Homebrew activity.

Re:Uhh....whaaat?

[powerlord]

Answer: Sony is invested in the Cell architecture along with IBM and hopes it will make a good core for a multi-media hub, by pushing chip holding multiple cores that can handle parallellized multimedia transformations quickly. Time will tell if IBM and Sony got this one right.

Obligatory Bonus Answer: Slashdot editors can't usually be bothered to RTFA or edit. :)

Alternate Bonus Answer: Most readers might recognize "PS3" over "Cell Processor" and wonder what the latter has to do with their lives, while the former might be critical to their future :D

Re:Uhh....whaaat?

"Question is: why did Sony choose to put a Cell processor--an architecture that's substantially different from what they used before, and that contains features superfluous to the goals of a gaming console--in their upcoming gaming consoles?"

Answer: Idiots like you should stay out of topics they clearly have no competence in. Shoo fanboy!

Cell "substantially different" than the EE? Nope. Cell is the natural evolution of the EE. You don't even need to have worked with the hardware to know that.

"superfluous to the goals of a gaming console" ??? You don't have a fucking clue about the PS3 if you think this tech has nothing to do with the PS3 and its capabilities.

Shoo!!! Fanboy, Shoo!!!

Re:Uhh....whaaat?

The third partner is Toshiba.

Re:Uhh....whaaat?

[RingDev]

That is actually one of my concerns as a (PC) game modder. A lot of 3rd party add-ons for video games live by reading the game's memory. Depending on how this new feature operates, it could block off an entire array of 3rd party modifications to games.

-Rick

Re:Uhh....whaaat?

[westyx]

The xbox has been hacked only using software - it's a valid place to start hacking the ps3

Re:Uhh....whaaat?

[powerlord]

From what I could see it looks like this is something that a given application would have to turn on.

Hopefully most mod-friendly games won't. On the other hand, as another poster mentioned, if this can help eliminate mods for on-line multiplay, then it might be a good thing if it can be enabled under certain circumstances.

Re:Uhh....whaaat?

[KDR_11k]

A lot of 3rd party add-ons for video games live by reading the game's memory.

Really? The only such app I've seen was a cheat program. Usually mods change the game's datafiles.

Re:Intel equivalent-Insular Security.

Ah yes, because we know it's all about "US". Security has no other purpose but keeping slashgeeks from their hearts desires. Cold, cruel world.

Of course

this "security" would have a backdoor to allow the sony rootkit to be installed

Mod Chips....

So that means its gonna take mod makers....what...an extra 2 or 3 weeks to crack? Seems like a waste of development money to me

Concise summary

[DeadCatX2]

1) The Cell supports a Secure Processing Vault. This is basically hardware-based memory protection; since the OS is software, and software can be compromised, so can the OS. The hardware can't be compromised so easily, so you load up a SPE with some code and data, and then it engages its own memory protection, preventing anyone from reading/writing its memory until it's done, by which time it deletes the important information. So you can't peek at the decrypted results, because they're encrypted when they're loaded, and the decrypted results are deleted when it's done doing its work (which work gets re-encrypted before it leaves the SPE). There's a small communication channel left open, and it's the SPE's duty to protect it.

2) It also has a Runtime Secure Boot. This involves using a cryptographically signed BIOS. This verifies that the BIOS is trusted. From here, any time control is handed over to another program, it first must be cryptographically verified. This prevents unauthorized or compromised code from executing.

3) Once you've securely booted and your SPE is in isolation mode, protected from the eyes of other threads, you have access to The Root Key. The Root Key is stored in hardware, can't be accessed by software, and is used to decrypt other keys. These other keys are then used to do encryption in an individual SPE.

So, we make a key, stick it in some flip flops that you can't read, isolate an SPE to provide memory protection, and then authenticate each and every piece of code from the BIOS through to the currently executing thread. Everything going in is encrypted, isolated when the work is being done, and gets re-encrypted before leaving to the next module, all using encrypted keys. Pretty thick stuff.

KESU offers better protection

[Nefarious+Wheel]

Kernel, Executive, Supervisor, User modes, all with their own protected address space. Kernel for the OS, Executive for the drivers, Supervisor for scripts, and User for images with page-in activation.

Now, where have we all heard that before? VMS suffered from some pretty cruddy hardware (hey, that was then) but at least buffer overflows were not exploitable.

Nothing new under the sun, move along, nothing to see here.