English Amiga Board


Old 01 August 2015, 13:00   #141
kolla
Banned
 
Join Date: Nov 2007
Location: Trondheim, Norway
Posts: 1,893
Btw, somewhere I have a keylogger a friend wrote. It logs to ram, survives warmboots, and can dump the log to file, trigger code on certain words etc.
Old 01 August 2015, 13:04   #142
meynaf
son of 68k
 
 
Join Date: Nov 2007
Location: Lyon / France
Age: 51
Posts: 5,323
Quote:
Originally Posted by Mrs Beanbag View Post
That's basically what we've got... Kernel code runs without memory protection, after all it has to manage the memory protection for everything else. "User mode" is exactly this kind of sandbox. Now if only you could run code in Kernel mode ad-hoc...
My idea was rather to have a single, isolated "user mode" for a single app.


Quote:
Originally Posted by Mrs Beanbag View Post
i'm never 100% sure of anything.
Right, the fact you're paranoid doesn't mean they're not after you


Quote:
Originally Posted by Mrs Beanbag View Post
I have cookies turned off, with exceptions (obviously Twitter is an exception or it would not work). Scripts are not supposed to be able to access cookies from other sites. If i ever have to enable cookies to get some site to work, i always set it "allow for session" and remove the exception when i'm done. I'm about as careful as i think i can be with cookies. I have no idea how somebody's blog post could find out my Twitter handle.
Perhaps your Twitter handle was easy to guess, or available somewhere you've left it.
Going to Twitter is looking for trouble anyway if you ask me


Quote:
Originally Posted by Mrs Beanbag View Post
round in circles... you don't know what code is doing, if you didn't write it, or if you haven't read and understood the source code. you have to trust it.
Ok but a site isn't directly running code on your machine. Some machine code has to sneak in, and that's not easy - and does not depend on memory protection at all.


Quote:
Originally Posted by Mrs Beanbag View Post
Memory protection is not online security. It is offline security. If something does get through the firewalls &c, then it has another challenge ahead of it.
What protection do you have in your home, knowing that someone might lockpick your keyhole and enter ?
Why not having in real life what we have in computers ?


Quote:
Originally Posted by Mrs Beanbag View Post
because it was written for idiots, by idiots. yeah, some of the things i have come up against make me suspect that a lot of their code is very bad.
Even though it was written for idiots, contrary to popular belief it has not been written by idiots.
Ok, some parts are real stupid, because driven by stupid marketing needs. But nevertheless, the miracle with it, is that it can work at all, and this, my friend, requires real good programmers.
Old 01 August 2015, 13:06   #143
meynaf
son of 68k
 
 
Join Date: Nov 2007
Location: Lyon / France
Age: 51
Posts: 5,323
Quote:
Originally Posted by kolla View Post
Btw, somewhere I have a keylogger a friend wrote. It logs to ram, survives warmboots, and can dump the log to file, trigger code on certain words etc.
Oh good. I'm sure gonna run it


EDIT: I have connected MiamiDx thru WinUae's uaenet.device. Come and hack me

Last edited by meynaf; 01 August 2015 at 13:12.
Old 01 August 2015, 13:17   #144
Mrs Beanbag
Glastonbridge Software
 
 
Join Date: Jan 2012
Location: Edinburgh/Scotland
Posts: 2,243
Quote:
Originally Posted by meynaf View Post
My idea was rather to have a single, isolated "user mode" for a single app.
sandboxing individual apps might also be a good idea, i've thought about it...

Quote:
Ok but a site isn't directly running code on your machine. Some machine code has to sneak in, and that's not easy - and does not depend on memory protection at all.
i'm not talking about sites, i'm talking about code you explicitly run. if you didn't write it, you don't know how it works. you don't know what bugs it has. if it is network code it might have exploits. or maybe it just trashes your system when it breaks one day and you lose valuable data.

also memory protection can help against attacks, for instance making the stack non-executable helps against buffer overruns.

Quote:
Why not having in real life what we have in computers ?
Because this is a terrible analogy.
Old 01 August 2015, 13:35   #145
meynaf
son of 68k
 
 
Join Date: Nov 2007
Location: Lyon / France
Age: 51
Posts: 5,323
Quote:
Originally Posted by Mrs Beanbag View Post
i'm not talking about sites, i'm talking about code you explicitly run. if you didn't write it, you don't know how it works. you don't know what bugs it has. if it is network code it might have exploits. or maybe it just trashes your system when it breaks one day and you lose valuable data.
Code you explicitly run can always do wrong things, even if it has to call APIs for this. As I said many times, once the code executes it's too late.


Quote:
Originally Posted by Mrs Beanbag View Post
also memory protection can help against attacks, for instance making the stack non-executable helps against buffer overruns.
It can help, but a better way would be to stop misusing the stack when programming


Quote:
Originally Posted by Mrs Beanbag View Post
Because this is a terrible analogy.
How so ?
Old 01 August 2015, 13:37   #146
Thorham
Computer Nerd
 
 
Join Date: Sep 2007
Location: Rotterdam/Netherlands
Age: 47
Posts: 3,751
Quote:
Originally Posted by Samurai_Crow View Post
@Thorham
Mostly memory protected environments protect against dodgy drivers and libraries. Internal error detection is mostly done with managed code under .NET and such.
Managed code is a nice idea for 68k during development. Something where you can run code managed or natively. Permanently managed seems a bit much, though.

Even better would be an assembler that optionally adds code to check memory access and stack usage. Only during development, of course.

Quote:
Originally Posted by meynaf View Post
I never said that memory protection wasn't useful as a development tool, actually quite the opposite.
What i'm saying is that we should have the freedom to enable or disable it at will.
I can agree with that.

Quote:
Originally Posted by meynaf View Post
So you have an editor to do things graphically and not only code, right ?
Yes. You can use the editor for placing things that are static into the 3D space (there's a 2D mode as well, never used it), and code for things that change (such as those randomly spawning monsters). You also use code for game mechanics. Or you could do everything with code. It's up to the programmer, really.
Old 01 August 2015, 14:24   #147
kolla
Banned
 
Join Date: Nov 2007
Location: Trondheim, Norway
Posts: 1,893
Quote:
Originally Posted by meynaf View Post
No, you could not. Too bad my A1200 no longer works. An online appointment with you trying to hack me would have been FUN.
Yes, good old-fashioned core wars, it's been a while

Quote:
Besides, you did not answer the question of "what would you do exactly" - which could be rephrased as "how would you do that" (but i don't expect a precise reply either).
In a targeted attack, the method depends on the target - there are many ways HOW to steal your data, but it all typically begins with installing malicious code that contacts me (my system) to pick up tasks and deliver data.

Quote:
I'm not using torrent software. Also you can not snatch any keyfile off me without scanning my dirs - and this doesn't go inconspicuous.
Well, running "assign" requires no disk access, and most people have dir cache on, listing only filenames is a breeze with close to no disk access required.

Quote:
About IRC, i can perhaps type something starting with "/kick"
You wouldn't know you were trolled. And when you finally do, you wouldn't know why. And at last, kicking the troller is pointless, the troller is decoy, remember?

Quote:
All you need is an exploit of some sort. Unfortunately it's everywhere the case. And you're not gonna get it.
Maybe, maybe not

Quote:
You can sandbox on the Amiga as well.
Maybe we have different understandings of sandboxing?

Quote:
I could type "su" then guess your "1234" (or your birthdate) root password and type "rm -rf /".
Hm, no, your user is not privileged to run su, or do privilege escalation.

Quote:
Might not work on yourself but might work on many people, and memory protection won't help.
Those "many people" are unlikely to just give you some account. Of course you may resort to brute force ssh attack and be lucky, but you still have a long way to go. My systems don't let any user in with merely a password.

The idea, of course, is to have a service (remote login) available, and still be fairly safe.

Quote:
On the other hand, no remote login at all available on my A1200.
Yeah, it is quite boring like that. It does however have a TCP stack, and certain software may look up records in DNS and be confused about what they receive. Also, you may browse on sites (friendly amiga sites) which may or may not have html crafted to exploit features in friendly amiga browsers that have not seen updates in 10+ years. And then magic may happen.

Quote:
Not all of them. But all have memory protection.
Now imagine if they didn't.

Quote:
Are you gonna buy tanks to protect your home ? If not, why ?
My servers are like little fortresses sure. Tanks are expensive, memory protection is free and gives the system features I enjoy and me control that I want and need.

Quote:
What is about memory protection that i'm against ? Simple : it can not be disabled.
And you want to disable it because...?

Quote:
But, good boy, i'm not saying YOU have to live without, ok ?
So what is about memory protection that you don't even want the possibility of it being facultative ? I'm not forcing you to disable it, ok ?
It would be forcing people to deal with a pointless and confusing option. It would complicate the operating system a lot, a whole range of compromises would have to be made to even make disabling of memory protection possible. Many system tools would simply only work in one of the two modes...

If I am a software developer for a system that may run with virtual private memory space, or with shared common memory space... hmm, why would I want to write software for the latter?
Old 01 August 2015, 14:55   #148
Mrs Beanbag
Glastonbridge Software
 
 
Join Date: Jan 2012
Location: Edinburgh/Scotland
Posts: 2,243
Quote:
Originally Posted by meynaf View Post
Code you explicitly run can always do wrong things, even if it has to call APIs for this. As I said many times, once the code executes it's too late.
yes you have said it many times, and it was wrong just as many times. Code can execute in a system with memory protection... but as soon as it tries to do anything such as writing to protected memory - boom! Segmentation fault. Process terminate. No harm done.

Quote:
It can help, but a better way would be to stop misusing the stack when programming
Well this is true, but how do you prevent someone from doing so?

Quote:
How so ?
Because i'm not constantly inviting strangers into my own home off the street all day. If i were, i would certainly want some internal security. A better analogy would be a guest house or inn, or maybe living above a shop. Customers come in, maybe i refuse to serve them if they look a bit dodgy... maybe i have a doorman, maybe i have a list of people who are banned. But i'd still want a lockable door between my own rooms and the guest area, where the customers - or websites - can stay a while.

Actually customers is not such a good analogy, either. It may not likely be the customers who do the damage. But maybe some of them have fleas... fleas with lasers controlled by the evil laser-flea overlord.

Quote:
Originally Posted by kolla View Post
If I am a software developer for a system that may run with virtual private memory space, or with shared common memory space... hmm, why would I want to write software for the latter?
One bug we recently fixed in a client's (Windows) code was that it required to run from an admin account. Of course it didn't really need to at all, but it was storing its config files in the application directory. Windows users are of course used to only using an admin account, and approving of everything that asks for permissions. There must be a parable about this involving wolves, i'm sure.

Last edited by Mrs Beanbag; 01 August 2015 at 15:01.
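
The behaviour described in the post above (a stray write to protected memory ends the offending process and nothing else), as an added example that is not part of the thread. It assumes a POSIX system such as Linux; the writable `MAP_SHARED` page stands in for an unprotected shared address space, and `run_stray_write`, `struct outcome` and `SECRET` are names made up for this sketch.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* exposes MAP_ANONYMOUS on glibc */
#endif
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result of letting a child process perform one stray write. */
struct outcome {
    int killed_by;    /* signal that ended the child, 0 if it exited normally, -1 on setup error */
    int data_intact;  /* 1 if the parent's data survived, 0 if it was overwritten */
};

static const char SECRET[] = "valuable data";   /* constructed sample data */

/*
 * protect == 0: the page stays writable and shared, so the child's write
 *               lands in the parent's data (no memory protection).
 * protect == 1: the page is made read-only before the child runs, so the
 *               MMU faults the write and the kernel kills only the child.
 */
struct outcome run_stray_write(int protect)
{
    struct outcome out = { -1, 0 };
    size_t page = (size_t)sysconf(_SC_PAGESIZE);

    char *shared = mmap(NULL, page, PROT_READ | PROT_WRITE,
                        MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (shared == MAP_FAILED)
        return out;
    strcpy(shared, SECRET);

    if (protect && mprotect(shared, page, PROT_READ) != 0) {
        munmap(shared, page);
        return out;
    }

    pid_t pid = fork();
    if (pid < 0) {
        munmap(shared, page);
        return out;
    }
    if (pid == 0) {
        /* Child: plays the buggy or hostile program. */
        *(volatile char *)shared = 'X';
        _exit(0);
    }

    int status = 0;
    if (waitpid(pid, &status, 0) == pid)
        out.killed_by = WIFSIGNALED(status) ? WTERMSIG(status) : 0;
    out.data_intact = (strcmp(shared, SECRET) == 0);

    munmap(shared, page);
    return out;
}

int main(void)
{
    struct outcome open_page = run_stray_write(0);
    struct outcome ro_page   = run_stray_write(1);

    printf("unprotected: child signal=%d, data intact=%d\n",
           open_page.killed_by, open_page.data_intact);
    printf("protected:   child signal=%d, data intact=%d\n",
           ro_page.killed_by, ro_page.data_intact);
    return 0;
}
```

The protection here covers memory only: a child that called `unlink()` on a file it has permission to delete would not fault, which is the objection raised in the reply that follows.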
Old 01 August 2015, 15:04   #149
meynaf
son of 68k
 
 
Join Date: Nov 2007
Location: Lyon / France
Age: 51
Posts: 5,323
Quote:
Originally Posted by kolla View Post
In a targeted attack, the method depends on the target - there are many ways HOW to steal your data, but it all typically begins with installing malicious code that contacts me (my system) to pick up tasks and deliver data.
Right, it begins by... installing code. And you simply can't !


Quote:
Originally Posted by kolla View Post
Well, running "assign" requires no disk access, and most people have dir cache on, listing only filenames is a breeze with close to no disk access required.
Sorry, no dir cache on my HD. Oh, by the way, its heads are parked (actually permanently because it's dead).


Quote:
Originally Posted by kolla View Post
You wouldn't know you were trolled. And when you finally do, you wouldn't know why. And at last, kicking the troller is pointless, the troller is decoy, remember?
That's equal, i've not been on irc for many years and probably will not be again ever.


Quote:
Originally Posted by kolla View Post
Maybe, maybe not
Try it.


Quote:
Originally Posted by kolla View Post
Maybe we have different understandings of sandboxing?
Maybe.


Quote:
Originally Posted by kolla View Post
Hm, no, your user is not privileged to run su, or do privilege escalation.
There are probably several users on your machine. How can you know which one i used ?


Quote:
Originally Posted by kolla View Post
Those "many people" are unlikely to just give you some account. Of course you may resort to brute force ssh attack and be lucky, but you still have a long way to go. My systems don't let any user in with merely a password.

The idea, of course, is to have a service (remote login) available, and still be fairly safe.
I still prefer to not have any remote login available at all.


Quote:
Originally Posted by kolla View Post
Yeah, it is quite boring like that. It does however have a TCP stack, and certain software may look up records in DNS and be confused about what they receive. Also, you may browse on sites (friendly amiga sites) which may or may not have html crafted to exploit features in friendly amiga browsers that have not seen updates in 10+ years. And then magic may happen.
Then create such an exploit site and we'll see. Can you catch IB2.3 red handed ?


Quote:
Originally Posted by kolla View Post
Now imagine if they didn't.
I see zero change.


Quote:
Originally Posted by kolla View Post
My servers are like little fortresses sure. Tanks are expensive, memory protection is free and gives the system features I enjoy and me control that I want and need.
Unfortunately memory protection isn't as free as you think.


Quote:
Originally Posted by kolla View Post
And you want to disable it because...?
Read this thread and you'll know.


Quote:
Originally Posted by kolla View Post
It would be forcing people to deal with a pointless and confusing option. It would complicate the operating system a lot, a whole range of compromises would have to be made to even make disabling of memory protection possible. Many system tools would simply only work in one of the two modes...
Many system tools would only work without memory protection, that's for sure.


Quote:
Originally Posted by kolla View Post
If I am a software developer for a system that may run with virtual private memory space, or with shared common memory space... hmm, why would I want to write software for the latter?
You don't write software for either mode. Your code doesn't even know in which mode it is.
Old 01 August 2015, 15:14   #150
meynaf
son of 68k
 
 
Join Date: Nov 2007
Location: Lyon / France
Age: 51
Posts: 5,323
Quote:
Originally Posted by Mrs Beanbag View Post
yes you have said it many times, and it was wrong just as many times. Code can execute in a system with memory protection... but as soon as it tries to do anything such as writing to protected memory - boom! Segmentation fault. Process terminate. No harm done.
You don't get a seg fault when some nasty program starts deleting files on your HD.


Quote:
Originally Posted by Mrs Beanbag View Post
Well this is true, but how do you prevent someone from doing so?
Oh, sorry. I forgot people's right to be stupid


Quote:
Originally Posted by Mrs Beanbag View Post
Because i'm not constantly inviting strangers into my own home off the street all day. If i were, i would certainly want some internal security. A better analogy would be a guest house or inn, or maybe living above a shop. Customers come in, maybe i refuse to serve them if they look a bit dodgy... maybe i have a doorman, maybe i have a list of people who are banned. But i'd still want a lockable door between my own rooms and the guest area, where the customers - or websites - can stay a while.

Actually customers is not such a good analogy, either. It may not likely be the customers who do the damage. But maybe some of them have fleas... fleas with lasers controlled by the evil laser-flea overlord.
So what you have as a computer is called a server, not a home computer.


Quote:
Originally Posted by Mrs Beanbag View Post
One bug we recently fixed in a client's (Windows) code was that it required to run from an admin account. Of course it didn't really need to at all, but it was storing its config files in the application directory. Windows users are of course used to only using an admin account, and approving of everything that asks for permissions. There must be a parable about this involving wolves, i'm sure.
Windows users use only a single admin account because they want something that works right away and doesn't annoy them.
Old 01 August 2015, 15:27   #151
Mrs Beanbag
Glastonbridge Software
 
 
Join Date: Jan 2012
Location: Edinburgh/Scotland
Posts: 2,243
Quote:
Originally Posted by meynaf View Post
You don't get a seg fault when some nasty program starts deleting files on your HD.
well, ok, that is true in many operating systems. although it has to go through the OS to do so, which means it can't bypass file permissions, it can't compromise the kernel. It could compromise a user account, but not the entire system.

Your idea of each app being in its own sandbox is a good one though, and memory protection would help enforce it (in fact i don't know how you'd do it without).

Quote:
Oh, sorry. I forgot people's right to be stupid
well you can call common practice stupid if you like... and you may well be right... but i bet you run code that follows common practice quite often.

Quote:
So what you have as a computer is called a server, not a home computer.
I really don't care what you call it, i look at websites on my PC all the time. This is inviting digital content into my computer. I also run software i didn't write all the time, this could also be considered "guests". Some of it is the Javascript on websites that we now, for whatever reason, don't seem to be able to do without.

Maybe calling them customers confuses the issue, if i was the customer and they were coming into my home to provide me with a service, would that be a better analogy? Well, maybe. I don't have plumbers, builders and all other sorts of tradesmen in my house every single day, but if i did, again, maybe i'd be wise to invest in internal security.

Also there is another reason the analogy fails. In the real world, if someone breaks in, or if a tradesman steals my stuff, i can call the police. That is a sort of internal security that we all have. There is no police on the internet. It is like the wild west.

Quote:
Windows users use only a single admin account because they want something that works right away and doesn't annoy them.
well they made a big mistake installing Windows then...

Quote:
Originally Posted by meynaf View Post
That's equal, i've not been on irc for many years and probably will not be again ever.
ok suppose someone trolls you on EAB instead.

You know there's something very school playground about all this tit-for-tat. "You can't kill me i've got a shield!" "Yeah well i've got a shield-breaking bazooka!"

Last edited by Mrs Beanbag; 01 August 2015 at 15:35.
Old 01 August 2015, 15:47   #152
idrougge
Registered User
 
Join Date: Sep 2007
Location: Stockholm
Posts: 4,332
I think Meynaf's entire argumentation proves the point that programmers should be kept as far away as possible from systems design.
Old 01 August 2015, 16:21   #153
Samurai_Crow
Total Chaos forever!
 
 
Join Date: Aug 2007
Location: Waterville, MN, USA
Age: 49
Posts: 2,186
Quote:
Originally Posted by idrougge View Post
I think Meynaf's entire argumentation proves the point that programmers should be kept as far away as possible from systems design.
Gunnar von Boehn is a hardware designer who advocates Oberon 2 style managed code over MMU based memory protected environments. He is designing the softcore for the Vampire 2 accelerator.
Old 01 August 2015, 16:29   #154
Mrs Beanbag
Glastonbridge Software
 
 
Join Date: Jan 2012
Location: Edinburgh/Scotland
Posts: 2,243
i do really like the idea of managed code, but it does tie you down to writing in particular supported languages. So no Asm!

Although i have been wondering lately about the possibility of safer instruction set architectures. Perhaps it would be an easy mod of 68k to, for instance, forbid address register indirect modes if the relevant address register is zero (including lea instructions).
Old 01 August 2015, 16:57   #155
meynaf
son of 68k
 
 
Join Date: Nov 2007
Location: Lyon / France
Age: 51
Posts: 5,323
Quote:
Originally Posted by Mrs Beanbag View Post
well, ok, that is true in many operating systems. although it has to go through the OS to do so, which means it can't bypass file permissions, it can't compromise the kernel. It could compromise a user account, but not the entire system.
Ah, file permissions. Something that has started to make me crazy as well.

- You don't currently have the correct permissions to access the file location.
- But, stupid computer, i am the supervisor and i own you !
- Sorry, you don't have permission.



Quote:
Originally Posted by Mrs Beanbag View Post
Your idea of each app being in its own sandbox is a good one though, and memory protection would help enforce it (in fact i don't know how you'd do it without).
It can be done with managed code, but the normal memory protection can do it as well. As long as i can bang the metal with asm, it's fine.


Quote:
Originally Posted by Mrs Beanbag View Post
well you can call common practice stupid if you like... and you may well be right... but i bet you run code that follows common practice quite often.
Alas, yes, i run such code. Is slow and crashes a lot.

But remember that a system that is tolerant to errors, actually favors the existence of said errors.


Quote:
Originally Posted by Mrs Beanbag View Post
I really don't care what you call it, i look at websites on my PC all the time. This is inviting digital content into my computer. I also run software i didn't write all the time, this could also be considered "guests". Some of it is the Javascript on websites that we now, for whatever reason, don't seem to be able to do without.

Maybe calling them customers confuses the issue, if i was the customer and they were coming into my home to provide me with a service, would that be a better analogy? Well, maybe. I don't have plumbers, builders and all other sorts of tradesmen in my house every single day, but if i did, again, maybe i'd be wise to invest in internal security.

Also there is another reason the analogy fails. In the real world, if someone breaks in, or if a tradesman steals my stuff, i can call the police. That is a sort of internal security that we all have. There is no police on the internet. It is like the wild west.
Well, you wear an armor and i prefer dodging the blow. It's a matter of choice. I don't like the armor because it hinders my moves. You say i'm not protected but i don't care


Quote:
Originally Posted by Mrs Beanbag View Post
well they made a big mistake installing Windows then...
No. They have something that works right away (especially when it is preinstalled at the time of buying).


Quote:
Originally Posted by Mrs Beanbag View Post
ok suppose someone trolls you on EAB instead.
Everyone trolls me here already


Quote:
Originally Posted by Mrs Beanbag View Post
You know there's something very school playground about all this tit-for-tat. "You can't kill me i've got a shield!" "Yeah well i've got a shield-breaking bazooka!"
Maybe, but while you prefer being in a fortress, i prefer open land, even if you consider it as dangerous. It's my right, isn't it ?


Quote:
Originally Posted by idrougge View Post
I think Meynaf's entire argumentation proves the point that programmers should be kept as far away as possible from systems design.
They have been for a few decades, and we can see the result


Quote:
Originally Posted by Samurai_Crow View Post
Gunnar von Boehn is a hardware designer who advocates Oberon 2 style managed code over MMU based memory protected environments. He is designing the softcore for the Vampire 2 accelerator.
I was right, MMUs aren't exactly the easiest thing to put in a softcore.

I'm not against the idea of managed code, as long as i can still do asm.

Some people like bare metal programming and i want it to be possible.
The machine i want to have is a programmer's dream, not a dumb internet terminal.
Security ? Bah. I surfed the net with my A1200 for more than 15 years and never got hacked. It's about likeliness ; it's less likely to get attacked with such a rare machine than having some attacker pass the numerous defenses on a mainstream machine. So what ?
Old 01 August 2015, 17:22   #156
Mrs Beanbag
Glastonbridge Software
 
 
Join Date: Jan 2012
Location: Edinburgh/Scotland
Posts: 2,243
Quote:
Originally Posted by meynaf View Post
No. They have something that works right away (especially when it is preinstalled at the time of buying).
well it works... but it keeps hassling users asking for permissions all the time.

it's a funny thing, is Windows. Because early on, it had very little security at all, because the average home or business user just didn't really need it. but as things moved on, it needed more and more security, so they started locking things down, and of course this frustrates users because they think "why can't i do this, i used to be able to do this why can't i anymore, this latest version of Windows sucks..."

Windows is getting more Unix-like in its security in its latest incarnations, now it requires permissions for all sorts of things, but because people still expect to be able to configure and use Windows the same way they did before, it all ends up a bit of a mess. Like the example i gave earlier, of a software that requires admin privileges to run, because the programmers thought it was reasonable to demand this from the user even though there was no real need to do so, because it was just too much effort to do it properly (or they didn't know better or there wasn't time or whatever).

Quote:
I was right, MMUs aren't exactly the easiest thing to put in a softcore.
I'm going to say it again, there is more than one way to skin a memory protection. It doesn't have to involve page remapping. Really that is done for various other reasons such as virtual memory support, avoid memory fragmentation problems &c.

Quote:
Security ? Bah. I surfed the net with my A1200 for more than 15 years and never got hacked. It's about likeliness ; it's less likely to get attacked with such a rare machine than having some attacker pass the numerous defenses on a mainstream machine. So what ?
Works for you, fine. But if you were designing a new machine, it would be quite crazy to design it specifically for unpopularity. Which is not the same as designing for a niche market, we don't know if that niche is going to become popular at some point in the future.

I think it is possible to serve everyone's needs here. I outlined a way in which it might be possible for hardcore users to run programs in kernel space if they wanted to, but you didn't like it for some reason.
Old 01 August 2015, 17:39   #157
Samurai_Crow
Total Chaos forever!
 
 
Join Date: Aug 2007
Location: Waterville, MN, USA
Age: 49
Posts: 2,186
Quote:
Originally Posted by Mrs Beanbag View Post
i do really like the idea of managed code, but it does tie you down to writing in particular supported languages. So no Asm!

Although i have been wondering lately about the possibility of safer instruction set architectures. Perhaps it would be an easy mod of 68k to, for instance, forbid address register indirect modes if the relevant address register is zero (including lea instructions).
Ummm... You do realize you can make up your own macros in Assembly in such a way that there is a debug and release version of the macros, don't you? Also remember that the '020+ has exception vectors specifically for the purpose of range checks and such.

To check the address of an array lookup of type long for range validity, you do something like this on 68020+:
Code:
    CHK.W   #ARRAY_MAX,D0       ; range check: trap if D0 < 0 or D0 > ARRAY_MAX
    TST.L   A0                  ; null check
    TRAPEQ                      ; trap if A0 is zero
    MOVE.L  (A0,D0.W*4),D1      ; actual load with scaling address mode
Of course, the trap vectors must be initialized in a debugger or runtime library for these opcodes to be useful. Also, if the index is an immediate value, it can be constant folded for efficiency. Likewise, redundant null checks can be removed via dead-code elimination as well.
Old 01 August 2015, 17:41   #158
NorthWay
Registered User
 
Join Date: May 2013
Location: Grimstad / Norway
Posts: 839
Quote:
Originally Posted by meynaf View Post
The OS doesn't have to protect from me. I know what i am doing. What i want is a tool, not a cop.
Fantastic, we have now found the single person on earth that never makes a mistake and never has bugs in his code.

Good for you, but I want _my_ OS to protect me from myself.
Humour me this:
-a programmed and intentional write to $100
-a bug ending up writing to $100
how does the OS know the difference?
Old 01 August 2015, 17:50   #159
Mrs Beanbag
Glastonbridge Software
 
 
Join Date: Jan 2012
Location: Edinburgh/Scotland
Posts: 2,243
Quote:
Originally Posted by Samurai_Crow View Post
Ummm... You do realize you can make up your own macros in Assembly in such a way that there is a debug and release version of the macros, don't you?
How will that help me? I don't want null pointers to crash the entire system in the released version, either.

Quote:
Also remember that the '020+ has exception vectors specifically for the purpose of range checks and such.

To check the address of an array lookup of type long for range validity, you do something like this on 68020+:
Well of course you can explicitly check for nulls and out-of-ranges in your own code (debug or release) but i don't think you understand my point... the system is still not protected from code not written that way. I'm thinking about a CPU architecture in which these kinds of errors simply can't happen.
Old 01 August 2015, 17:57   #160
meynaf
son of 68k
 
 
Join Date: Nov 2007
Location: Lyon / France
Age: 51
Posts: 5,323
Quote:
Originally Posted by Mrs Beanbag View Post
I'm going to say it again, there is more than one way to skin a memory protection. It doesn't have to involve page remapping. Really that is done for various other reasons such as virtual memory support, avoid memory fragmentation problems &c.
Oh i could have several options as well : flat with no protection, flat with protection, paged. Why not ?

It's much like the option to run under linux or uclinux (or something else) on the same machine.


Quote:
Originally Posted by Mrs Beanbag View Post
Works for you, fine. But if you were designing a new machine, it would be quite crazy to design it specifically for unpopularity. Which is not the same as designing for a niche market, we don't know if that niche is going to become popular at some point in the future.
Well, do you really think that a configuration option to turn off memory protection (obviously on by default) would make the platform unpopular ?


Quote:
Originally Posted by Mrs Beanbag View Post
I think it is possible to serve everyone's needs here. I outlined a way in which it might be possible for hardcore users to run programs in kernel space if they wanted to, but you didn't like it for some reason.
I didn't like it because it was too complicated.
I prefer to be able to run programs in the same way for both options ; they don't know if they run in protected mode or not and they don't have to.

Frankly the argument that's made here because of that simple option is a little bit overkill...
I bet that if i did the system this way, nobody here using it would even notice the option is there


Quote:
Originally Posted by NorthWay View Post
Fantastic, we have now found the single person on earth that never makes a mistake and never has bugs in his code.
You exaggerate


Quote:
Originally Posted by NorthWay View Post
Good for you, but I want _my_ OS to protect me from myself.
Assuredly. You're dangerous. You need a straitjacket

But don't worry. The memory protection option will be active by default. So you will not harm yourself.


Quote:
Originally Posted by NorthWay View Post
Humour me this:
-a programmed and intentional write to $100
-a bug ending up writing to $100
how does the OS know the difference?
It doesn't have to. It's none of its business.


Quote:
Originally Posted by Mrs Beanbag View Post
How will that help me? I don't want null pointers to crash the entire system in the released version, either.
Perhaps you have to test and debug your code before you make a release