Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Bigger burger roll needed
From: Steve Friedl <steve () unixwiz net>
Date: Mon, 3 Oct 2005 13:09:45 -0700

On Mon, Oct 03, 2005 at 03:41:58PM -0400, TheGesus wrote:
In NT4 they redesigned the GDI so that the user could bypass
"userland" and talk straight to the kernel.

It's been so long I don't recall the exact details, but this re-hack
paved the way for  DirectX and sped up the response of the new
desktop, which of course was lifted from WIndows 95.

After NT4 anything that hooked into the GDI could BSOD.  New video
driver?  BSOD.  New printer driver?  BSOD.  It was quite a mess.

This is only partly the case; this is the history.

In NT3.51, *all* GDI (printer and video) was done in userland, but
GDI calls involved an expensive context switch and/or local procedure
call. I guess for printer drivers this was not really a big deal,
but for video it matters a lot. Gamers care about this, right?

In NT4 all GDI dove into kernel space, and it provided a substantial
performance boost, but it completely sucked for print driver writers.
No thread support, no real support for floating point math, not any
performance difference to write home about, and a BSOD was as easy
as an assertion failure. Porting a complex user-mode driver to
kernel mode could be a daunting task.

Well, all that silly "but kernel-mode print drivers won't be as robust"
talk turned out to be true, so Windows 2000 supported both kernel mode
(version 2) and user mode (version 3) drivers. I assume that version 1
drivers were NT3.51 usermode.

XP is the same way, and in Server 2003 there is a Group Policy option
that disables kernel mode drivers, and I understand that Vista/Longhorn
will forbid kernel mode print drivers altogether.

Saying that the user "bypasses user mode and talks directly to the
kernel" is not really that meaningful: it doesn't talk "to the kernel",
just to the GDI, and it's not really any different from an IOCTL.

It wasn't terribly robust, but I don't think it was inherently insecure.

Steve (who writes print drivers too)

Stephen J Friedl | Security Consultant |  UNIX Wizard  |   +1 714 544-6561
www.unixwiz.net  | Tustin, Calif. USA  | Microsoft MVP | steve () unixwiz net
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]