Lines Matching +full:user +full:- +full:files
9 User mode threads are considered to be untrusted by Zephyr and are therefore
10 isolated from other user mode threads and from the kernel. A flawed or
11 malicious user mode thread cannot leak or modify the private data/resources
13 control another user mode thread or the kernel.
15 Example use-cases of Zephyr's user mode features:
17 - The kernel can protect against many unintentional programming errors which
20 - The kernel can sandbox complex data parsers such as interpreters, network
21 protocols, and filesystems such that malicious third-party code or data
24 - The kernel can support the notion of multiple logical "applications", each
31 For threads running in a non-privileged CPU state (hereafter referred to as
32 'user mode') we aim to protect against the following:
34 - We prevent access to memory not specifically granted, or incorrect access to
36 read-only area.
38 - Access to thread stack buffers will be controlled with a policy which
41 - A user thread will by default have read/write access to its own stack
44 - A user thread will never by default have access to user thread stacks
47 - A user thread will never by default have access to thread stacks owned
51 - A user thread may have read/write access to the stacks of other user
54 - On MPU systems, threads may only access their own stack buffer.
56 - On MMU systems, threads may access any user thread stack in the same
59 - By default, program text and read-only data are accessible to all threads
60 on read-only basis, kernel-wide. This policy may be adjusted.
62 - User threads by default are not granted default access to any memory
65 - We prevent use of device drivers or kernel objects not specifically granted,
69 - We validate kernel or driver API calls with incorrect parameters that would
73 - Using the wrong kernel object type.
75 - Using parameters outside of proper bounds or with nonsensical values.
77 - Passing memory buffers that the calling thread does not have sufficient
80 - Use of kernel objects that are not in a proper initialization state.
82 - We ensure the detection and safe handling of user mode stack overflows.
84 - We prevent invoking system calls to functions excluded by the kernel
87 - We prevent disabling of or tampering with kernel-defined and
88 hardware-enforced memory protections.
90 - We prevent re-entry from user to supervisor mode except through the
91 kernel-defined system calls and interrupt handlers.
93 - We prevent the introduction of new executable code by user mode threads,
98 - The kernel itself, and any threads that are executing in supervisor mode,
101 - The toolchain and any supplemental programs used by the build system are
104 - The kernel build is assumed to be trusted. There is considerable build-time
106 and configuring interrupts. The .elf binary files that are worked with
109 - We can't protect against mistakes made in memory domain configuration done in
110 kernel mode that exposes private kernel data structures to a user thread. RAM
111 for kernel objects should always be configured as supervisor-only.
113 - It is possible to make top-level declarations of user mode threads and
115 files that are part of the kernel build producing zephyr.elf are assumed to
118 - We do not protect against denial of service attacks through thread CPU
119 starvation. Zephyr has no thread priority aging and a user thread of a
121 threads of the same priority if time-slicing is not enabled.
123 - There are build-time defined limits on how many threads can be active
124 simultaneously, after which creation of new user threads will fail.
126 - Stack overflows for threads running in supervisor mode may be caught,
129 High-level Policy Details
132 Broadly speaking, we accomplish these thread-level memory protection goals
135 - Any user thread will only have access to a subset of memory:
136 typically its stack, program text, read-only data, and any partitions
144 - User threads cannot directly access memory belonging to kernel objects.
151 - User threads by default have no permission to access any kernel object or
159 - For performance and footprint reasons Zephyr normally does little or no
161 user mode through system calls involves an extra layer of handler functions,
167 - Thread stacks are defined in such a way that exceeding the specified stack
175 at build time if they are to be used from user mode. Dynamic use-cases for
176 kernel objects will need to go through pre-defined pools of available objects.
181 - Loaded object code will not be able to define any kernel objects that will be
185 - Similarly, since the loaded object code will not be part of the kernel build
190 - Loaded object code that does not come from a verified source should always
191 be entered with the CPU already in user mode.