On Tuesday, 09/10/2002 at 09:00 AST, David Andrews <[EMAIL PROTECTED]> wrote:
> On Mon, 2002-09-09 at 17:31, Alan Cox wrote:
> >
> > The mainframe gets a big chunk of this one right - you can run your web
> > server and finance database very separated because of the way VM
> > virtualization works.
>
> S/390 has lots of facilities that have been layered on over time to
> isolate programs. There's the original storage protection keys, fetch
> protection, PSA protection, multiple address spaces, subspace groups,
> Program Call/Transfer and other stuff that escapes me for the nonce.
>
> How many of these does the Linux implementation use? Certainly address
> spaces, but I'm (ignorantly) guessing that only token use is made of
> protect keys, there's no fetch protection, no subspaces, no PC/PT...
> right? There's lots of room for exploitation, depending on your
> toleration for port-specific minutiae.

Anyone interested in how z/VM uses the zSeries hardware facilities to maintain the security and integrity of the system and its guests may wish to read the z/VM Security and Integrity technical paper at http://www-1.ibm.com/servers/eserver/zseries/library/techpapers/gm130145.html.

Alan Altmark
Sr. Software Engineer
IBM z/VM Development
