Further examples are automatically matched to the keywords; we do not guarantee their correctness.
A key challenge for full virtualization is the interception and simulation of privileged operations, such as I/O instructions.
Thus, any successful attack against the larger program will gain minimal access, even though the pair of programs will be capable of performing privileged operations.
Privileged processes may perform privileged operations.
VM-CP provides full virtualization of the physical machine - including all I/O and other privileged operations.
With hardware-based protection, software cannot manipulate the user privilege levels; it is impossible for a hacker or a malicious program to gain access to secure data protected by hardware or perform unauthorized privileged operations.
The driver will refer back to the master object when it needs to interact with a central point of reference for the running environment, such as for accepting network connections, handling errors, and validating attempts to perform privileged operations.
Delegation and impersonation are privileged operations (impersonation initially wasn't, but historical carelessness in the implementation of client APIs failing to restrict the default level to "identification", letting an unprivileged server impersonate an unwilling privileged client, called for it).
Whenever the guest operating system tries to perform one of these privileged operations, the processor will "trap" the instruction and hand over control to the host operating system or hypervisor, so that it can do the required operation and then return control back to the guest.
Privilege separation is a technique, pioneered on OpenBSD and inspired by the principle of least privilege, where a program is split into two or more parts, one of which performs privileged operations and the other, almost always the bulk of the code, runs without privilege.
The creation of primary tokens and their association to processes are both privileged operations, requiring two different privileges in the name of privilege separation - the typical scenario sees the authentication service creating the token, and a logon service associating it to the user's operating system shell.
Since the current implementation of capabilities contains no notion of a subject for the operation (only the actor and the operation itself), it is usually the job of the MAC layer to prevent privileged operations on files outside the actor's enforced realm of control (i.e. "Sandbox").