Login/Register
How can I access Ring 0 with Python?
Asked Answered
Solved pythonsecurityoperating-system
N

5

5

This answer, stating that the naming of classes in Python is not done because of special privileges, here confuses me.

  1. How can I access lower rings in Python?
  2. Is the low-level io for accessing lower level rings?
  3. If it is, which rings I can access with that?
  4. Is the statement "This function is intended for low-level I/O." referring to lower level rings or to something else?
  5. C tends to be prominent language in os -programming. When there is the OS -class in Python, does it mean that I can access C -code through that class?
  6. Suppose I am playing with bizarre machine-language code and I want to somehow understand what it means. Are there some tools in Python which I can use to analyze such things? If there is not, is there some way that I could still use Python to control some tool which controls the bizarre machine language? [ctypes suggested in comments]
  7. If Python has nothing to do with the low-level privileged stuff, do it still offers some wrappers to control the privileged?
Northwestwards answered 9/4, 2011 at 6:13 Comment(10)
@hhh: This question makes very little sense. Classes don't require privileges. Users do. Privileges are bound to the user.Forme
@hhh: You're just talking about API requests and privileges. Python has a large library of API requests. Which ones work and which ones raise exceptions depend on your user-defined privileges. If you want API's that aren't already in the Python library, you have several choices. Often we write them in C as a Python extension module. There are some modules like ctypes which allow you to call other OS APIs. But your user privileges determine if the API works or gets an exception. Are you asking how to use ctypes?Forme
@hhh: It's not a "tools" thing. It's not a "python" thing. It's just OS privileges. That's all. It's very simple. To prevent errors, the OS requires privileges, which are assigned to the user. You're just asking about OS API's. Just use ctypes. It's all just privileges and nothing else.Forme
@S.Lott: has the term "low-level io" nothing to do with low-level rings?Northwestwards
@hhh: No idea what you mean by "low-level IO". But everything is done through an API. And all API's are protected by privileges.Forme
@hhh: "hopefully my goal is becoming clearer". Not clear at all. Your question (and comments) make relatively little sense. You should, perhaps, just describe what you want to do. It helps to leave your personal opinions ("I find it rather dangerous generalization but I may be wrong") out of the question. Just ask without providing personal assumptions.Forme
@S.Lott: it is what you wrote in your own answer "This function is intended for low-level I/O." about os.open here.Northwestwards
why down-vote on this? I think it makes perfectly sense to open a separate question on just this narrow topic.Northwestwards
@hhh: Please read the documentation for os.open(). "Low-level" means "OS-level" means "no Python buffering or parsing or iterator or any other python feature" means "bytes". The Python library documentation is really very, very good. Please read it and provide specific quotes from the documentation that confuse you.Forme
@hhh: the down-vote may be because the question has some very strange assumptions in it. The "lower rings" are accessed through API calls. All languages can make such API calls. Python included. "which rings I can access" is silly, since it's just API calls and API calls must be used to access all rings. Since everything is just an OS API call, the details of the question seem to indicate a failure to grasp that simple truth.Forme
C
10

Windows and Linux both use ring 0 for kernel code and ring 3 for user processes. The advantage of this is that user processes can be isolated from one another, so the system continues to run even if a process crashes. By contrast, a bug in ring 0 code can potentially crash the entire machine.

One of the reasons ring 0 code is so critical is that it can access hardware directly. By contrast, when a user-mode (ring 3) process needs to read some data from a disk:

  1. the process executes a special instruction telling the CPU it wants to make a system call
  2. CPU switches to ring 0 and starts executing kernel code
  3. kernel checks that the process is allowed to perform the operation
  4. if permitted, the operation is carried out
  5. kernel tells the CPU it has finished
  6. CPU switches back to ring 3 and returns control to the process

Processes belonging to "privileged" users (e.g. root/Administrator) run in ring 3 just like any other user-mode code; the only difference is that the check at step 3 always succeeds. This is a good thing because:

  • root-owned processes can crash without taking the entire system down
  • many user-mode features are unavailable in the kernel, e.g. swappable memory, private address space

As for running Python code in lower rings - kernel-mode is a very different environment, and the Python interpreter simply isn't designed to run in it, e.g. the procedure for allocating memory is completely different.

In the other question you reference, both os.open() and open() end up making the open() system call, which checks whether the process is allowed to open the corresponding file and performs the actual operation.

Chingchinghai answered 9/4, 2011 at 13:34 Comment(4)
when Python has classes such as OS and SYS, do they actually have nothing to do with the important privileged system/os things? I am starting to feel the naming convention very misleading. Any idea whether Python offers some wrappers for system-language code such as C to control the privileged areas?Northwestwards
The os module provides consistent access (i.e. the same regardless of whether you're on Windows, Linux, etc.) to services provided by the operating system, and the sys module provides system-specific functionality. The ctypes module lets you call C functions from Python but again, most C code runs in user mode (ring 3) and makes system calls into the kernel when it needs to perform a privileged operation.Chingchinghai
@hhh: Python is a wrapper for system-language code in C. To control the "privileged" areas you need privileges. That's all. It's just privileges -- not special code.Forme
@SimonJ: sys isn't for system-specific functionalities, sys module contains information and services for the Python runtime. You use sys for doing various things like getting command line arguments, checking Python version, checking interpreter limits, accessing stdin/stdout/stderr object, registering exception hook, introspection of loaded modules, registering debug/profiling tracer, and modifying runtime parameters like max stack depth.Pung
D
3

I think SimonJ's answer is very good, but I'm going to post my own because from your comments it appears you're not quite understanding things.

Firstly, when you boot an operating system, what you're doing is loading the kernel into memory and saying "start executing at address X". The kernel, that code, is essentially just a program, but of course nothing else is loaded, so if it wants to do anything it has to know the exact commands for the specific hardware it has attached to it.

You don't have to run a kernel. If you know how to control all the attached hardware, you don't need one, in fact. However, it was rapidly realised way back when that there are many types of hardware one might face and having an identical interface across systems to program against would make code portable and generally help get things done faster.

So the function of the kernel, then, is to control all the hardware attached to the system and present it in a common interface, called an API (application programming interface). Code for programs that run on the system don't talk directly to hardware. They talk to the kernel. So user land programs don't need to know how to ask a specific hard disk to read sector 0x213E or whatever, but the kernel does.

Now, the description of ring 3 provided in SimonJ's answer is how userland is implemented - with isolated, unprivileged processes with virtual private address spaces that cannot interfere with each other, for the benefits he describes.

There's also another level of complexity in here, namely the concept of permissions. Most operating systems have some form of access control, whereby "administrators" have total control of the system and "users" have a restricted subset of options. So a kernel request to open a file belonging to an administrator should fail under this sort of approach. The user who runs the program forms part of the program's context, if you like, and what the program can do is constrained by what that user can do.

Most of what you could ever want to achieve (unless your intention is to write a kernel) can be done in userland as the root/administrator user, where the kernel does not deny any API requests made to it. It's still a userland program. It's still a ring 3 program. But for most (nearly all) uses it is sufficient. A lot can be achieved as a non-root/administrative user.

That applies to the python interpreter and by extension all python code running on that interpreter.

Let's deal with some uncertainties:

  • The naming of os and sys I think is because these are "systems" tasks (as opposed to say urllib2). They give you ways to manipulate and open files, for example. However, these go through the python interpreter which in turn makes a call to the kernel.
  • I do not know of any kernel-mode python implementations. Therefore to my knowledge there is no way to write code in python that will run in the kernel (linux/windows).
  • There are two types of privileged: privileged in terms of hardware access and privileged in terms of the access control system provided by the kernel. Python can be run as root/an administrator (indeed on Linux many of the administration gui tools are written in python), so in a sense it can access privileged code.
  • Writing a C extension or controlling a C application to Python would ostensibly mean you are either using code added to the interpreter (userland) or controlling another userland application. However, if you wrote a kernel module in C (Linux) or a Driver in C (Windows) it would be possible to load that driver and interact with it via the kernel APIs from python. An example might be creating a /proc entry in C and then having your python application pass messages via read/write to that /proc entry (which the kernel module would have to handle via a write/read handler. Essentially, you write the code you want to run in kernel space and basically add/extend the kernel API in one of many ways so that your program can interact with that code.
  • "Low-level" IO means having more control over the type of IO that takes place and how you get that data from the operating system. It is low level compared to higher level functions still in Python that give you easier ways to read files (convenience at the cost of control). It is comparable to the difference between read() calls and fread() or fscanf() in C.

Health warning: Writing kernel modules, if you get it wrong, will at best result in that module not being properly loaded; at worst your system will panic/bluescreen and you'll have to reboot.

The final point about machine instructions I cannot answer here. It's a totally separate question and it depends. There are many tools capable of analysing code like that I'm sure, but I'm not a reverse engineer. However, I do know that many of these tools (gdb, valgrind) e.g. tools that hook into binary code do not need kernel modules to do their work.

Deciduous answered 10/4, 2011 at 0:45 Comment(0)
T
1

[note: I was wrong. usermode code can no longer access ring 0 on modern unix systems. -- jc 2019-01-17]

I've forgotten what little I ever knew about Windows privileges. In all Unix systems with which I'm familiar, the root user can access all ring0 privileges. But I can't think of any mapping of Python modules with privilege rings.

That is, the 'os' and 'sys' modules don't give you any special privileges. You have them, or not, due to your login credentials.
Tarsal answered 9/4, 2011 at 6:21 Comment(6)
wait a second. I read somewhere that the system passes ring 0 during the startup but after that it is impossible to access ring 0 (but there may be exceptions if some os really implements ring 0 commands to userspace which sounds really frightening).Northwestwards
as root user you can read or write to any address that physically exists in your computer. I used to test device drivers by writing a main() routine for them and running them as root. is that not ring 0?Tarsal
well-behaved programs generally use system services provided by the kernel for I/O, but at least in most Unix systems it's advisory, not mandatory.Tarsal
don't know, please, note that the definition of driver in NT world means ring 0 things, while the word driver may mean just lower rings in other systems. Have to find some proper way to test whether I can get to ring 0 in obsd, fascinating.Northwestwards
From what I understand, most of the kernel code is running in Ring 0, so it's not impossible to run on Ring 0 after boot time, in fact you're switching to Ring 0 whenever you do a system call. What's not possible is running arbitrary userspace executable on Ring 0. The only way to add new code to Ring 0 is to use loading kernel module mechanism (init_module()/finit_module(), which requires root privilege).Pung
yes, my "knowledge" was probably obsolete when I wrote that, and it definitely is now.Tarsal
T
1

You can use inpout library http://logix4u.net/parallel-port/index.php

import ctypes

#Example of strobing data out with nStrobe pin (note - inverted)
#Get 50kbaud without the read, 30kbaud with
read = []
for n in range(4):
    ctypes.windll.inpout32.Out32(0x37a, 1)
    ctypes.windll.inpout32.Out32(0x378, n)
    read.append(ctypes.windll.inpout32.Inp32(0x378))   #Dummy read to see what is going on
    ctypes.windll.inpout32.Out32(0x37a, 0)

print read
Tanganyika answered 23/1, 2014 at 11:10 Comment(0)
F
0

How can I access lower rings in Python?

ctypes

Is the low-level io for accessing lower level rings?

No.

Is the statement "This function is intended for low-level I/O." referring to lower level rings or to something else?

Something else.

C tends to be prominent language in os -programming. When there is the OS -class in Python, does it mean that I can access C -code through that class?

All of CPython is implemented in C.

The os module (it's not a class, it's a module) is for accessing OS API's. C has nothing to do with access to OS API's. Python accesses the API's "directly".

Suppose I am playing with bizarre machine-language code and I want to somehow understand what it means. Are there some tools in Python which I can use to analyze such things?

"playing with"?

"understand what it means"? is your problem. You read the code, you understand it. Whether or not Python can help is impossible to say. What don't you understand?

If there is not, is there some way that I could still use Python to control some tool which controls the bizarre machine language? [ctypes suggested in comments]

ctypes

If Python has nothing to do with the low-level privileged stuff, do it still offers some wrappers to control the privileged?

You don't "wrap" things to control privileges.

Most OS's work like this.

  1. You grant privileges to a user account.

  2. The OS API's check the privileges granted to the user making the OS API request.

If the user has the privileges, the OS API works.

If the user lacks the privileges, the OS API raises an exception.

That's all there is to it.

Forme answered 11/4, 2011 at 14:34 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.