User Mode Linux

langed writes: "It appears that Jeff Dike has supplied a new implementation of the Linux kernel, whereby it is possible to boot a Linux kernel from the command line. This allows you to test a kernel before installing it, or completely partition users off from the main system. Networking appears to be through a slip connection, AFAIK, but this thing shows serious potential for increasing security and for kernel hacking, among many other nifty uses."

Re:Similar to FreeBSD jail()

They may have the same result, but unlike jail() this thing requires you to run a kernel under your kernel. FreeBSD's jail() uses the system kernel. There is no second kernel running under it. You get less of a cpu hit with jail().

Re:Some idle thoughts

Good post. More idle thoughts.

It enhances a lot of the capabilities you mention, but it's not a panacea. If you ran a batch of them on one machine, they'd be in contention over a number of system resources and would have to block and wait for one another in a way that kernels in the wild do not. I'll bet tests could be developed to detect such a honeypot. Large-scale distributed systems (which would consume some large-scale memory on the single host :) might not behave the same way. For example, the resource locking and blocking might inadvertently clean up race conditions and whatnot.

I'm not saying it wouldn't be a big help in getting closer to solutions of the problems that you suggest, just that it isn't perfect and will present its own set of problems.

this has been around for quite a while...

At least on the linux-kernel list, discussion of the user-mode port has centered around its usefulness as a tool for debugging kernel code. I haven't heard any suggestions that it actually be used as a production "kernel", or that multiple user-mode kernels run at once. Perhaps that's just because discussion on l-k centers on implementation details. I'll also guarantee that no thought has been put into making a user-mode Linux port for Windows, so you can stop wishing...

Re:Get your mainframe!! Mainframes here!!

There's something similar already: UK company DSVR [dsvr.co.uk] sell virtual servers that are effectively multiple standalone 300Mb Linux boxen on a 500Mhz PC host. They've also made the technology available through the GPL at www.freevsd.org. [freevsd.org]

The ultimate win/lin compatibility already exists!

For many people who already have Windows installed, running a linux kerel on top of it would provide an easy path to get the capabilities of linux.

You can already run Linux on Windows, using VMWare [vmware.com]. I'm running Linux on WinNT4 right now. You can download an eval [vmware.com]. They have a $99 hobbyist price, too.

Also, Cygwin [cygwin.com] provides a good implementation of the GNU tools on Windows, which lets you run GCC and compile and run lots of open source stuff.

Get your mainframe!! Mainframes here!!

User mode Linux == Mainframe-like functionality?

Isn't this sort of thing that the S390s do? So couldn't we now start running mad-crazy numbers of VMs on straight up PC hardware? So if I were an ISP, I could give each of my clients their own host, yes?

Fun stuff!

The ultimate win/lin compatibility

Forget WINE. The ultimate windows/linux compatibility is running a linux kernel under Windows! All the stability of Windows and all the Gui goodness of Linux!
Think on it.

Think on it and tremble. . .

Uses

There are uses for this. Step outside the sysadmin box for a minute and think about it as a powerful development tool, and not just for KERNEL developers, either. The ability to run a kernel in usermode allows you to:

1. - Boot up a whole new DISTRO - never mind a new kernel - in a safe environment, simply by installing it in a subdirectory of /. Projects like
2. Repairlix [sourceforge.net] could use this during development to avoid having to burn the cd, install it on a clean system, reboot to that system (or worse, have a whole 'nother computer for it).

1. - Give developers of drivers and network interfaces something to debug. When your code is likely to crash the whole system, it's crucial that you be able to place your debugger OUTSIDE the system.

1. - Give developers of ALL kinds of systems the ability to see the effects of their installer, compilation system, package management, etc. on different kernels and environments quickly. Want to see if your program runs on 2.0.* Linux? Boot the sucker up. (AFAIK the UML stuff is ported to particular kernels, so I guess you couldn't pick ANY kernel you wanted. Maybe when it comes of age a bit more. . .)

--

Re:this has been around for quite a while...

I'll also guarantee that no thought has been put into making a user-mode Linux port for Windows, so you can stop wishing...

Actually people have thought about it. No one has coughed up any actual code, though.

Jeff

Some idle thoughts

• A user-land kernel would make a great honeypot as it would be indistinguishable from a "real" system.
• It would allow you to test large-scale distributed software -WITHOUT- a large-scale distributed setup.
• As with car mechanics, it would allow you to see the engine running, without being in the car.
• It offers more profiling possibilities (as your profiler won't be changing the state of the kernel by the act of running).
• The first one to port the entire Linux kernel to a Word Macro wins the "Gross, Sick and Disgusting, but very Impressive Hack" Award.

cygwin port

Would it be possible/desirable to port this to cygwin? Then I could boot a linux kernel under NT. Not sure if this makes sense but then it seems this would give me binary compatibility with Linux executables.

-josh

Re:Some idle thoughts

> The first one to port the entire Linux kernel to a Word Macro wins the "Gross, Sick and Disgusting, but very Impressive Hack" Award.

Then we release it as a virus.

--

Re:Old news

Yes, this has been available for months. It must have been reported here before, too. News seems stuck in an infinite loop recently on /. Back in the day this didn't happen very often, and the actual number of front-page stories wasn't lower, so what could be the cause? Is there a drop in the quality of the story queue, or of the attention of the editors? In this case, how could the submittor have failed to notice that this wasn't new? I believe it has quite a high version number, and the diary page on the web site goes back to February of this year. And this thing is often mentioned in the most consumable version of the kernel mailing list, Kernel Traffic.

Security and GPL Considerations Of User Mode Linux

I've actually been talking up User Mode Linux since I first heard about it some time ago. The project's goal is essentially to re-implement Linux in its own system call interfaces, so the entire operating system can be executed as Just Another Application.

It's actually pretty cool code, and it has some pretty interesting implications as time goes on.

Among other things, it's actually a surprisingly good hack for making IPSec on Linux rather more usable. It's pretty obvious that IPSec code belongs in the kernel(after all, it's built off of IP, which *is* kernel code), but the difficulty and potential instablitity of IPSec, when it's not exactly a critical application for many users, precludes the deployment of the code. User mode Linux, with a stripped down FreeSWAN distribution, could give a much less risky and far simpler method for users and administrators to test and perhaps even deploy simple IPSec endpoints.

IPSec may become only marginally more awkward to experiment with than SSH.

Of course, this would require raw access to the network interface--not something generally given user level processes. That illustrates the #1 caveat of User Mode Linux--if the environment runs as root under the parent kernel, the child kernel doesn't particularly lose those root permissions. Granted, control over the operating environment can be much, much finer grained per virtual OS instantiation. But if that environment is broken, the attacker gains all capabilities of the user parent. When the user parent is root...sure, there's a layer of obfuscation, but that's about it.

Of course, if I was attacking a machine, I wouldn't particularly expect that the machine I had taken over was just a temporarily instantiated OS image.

A more troubling question is how much of "User Mode Linux" can be run entirely independent of root. Even creating a new SLIP device for the virtualized OS requires non-user priviledges, so the best case scenario remains that an attacker, knowing they're behind a false root, attempts to corrupt or attack the parent kernel by feeding bad bytes down the network interface. Luckily, that's generally a pretty untrusted interface--and even better, there's absolutely nothing that says you have to give the client a direct network link(slirp, once again, comes in incredibly useful.)

Interestingly enough, User Mode Linux (as noted on the page) will probably eventually be used to port Linux apps en masse to alternate platforms that implement the Linux System Call APIs. lxrun *does* this on Solaris to some degree; this does mean that sometime down the line, Linux IPSec code may function on a non-free OS.

This really shouldn't be a big deal, with everything GPL and open--but RMS and Becker have made some pretty loud noises about kernel functionality being intrinsically separated from the intent of the GPL. User Mode Linux reduces the entire kernel to Just Another Application, no different than anything else. This is, in a technical sense, a beautiful, fascinating example of encapsulation--one that could never have come about without the openness that the GPL grants.

I'd keep an eye on User Mode Linux if I were you. This is among the most interesting work being done with the OS, period.

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com