Title: Processor Privilege-Levels
1. Processor Privilege-Levels
- How the x86 processor accomplishes transitions
among its four distinct privilege-levels
2. Rationale
- The usefulness of protected-mode derives from its
ability to enforce restrictions upon software's
freedom to take certain actions
- Four distinct privilege-levels are supported
- Organizing concept is concentric rings
- Innermost ring has greatest privileges, and
privileges diminish as rings move outward
3. Four Privilege Rings
- Ring 3: least-trusted level (outermost ring)
- Ring 2
- Ring 1
- Ring 0: most-trusted level (innermost ring)
4. Suggested purposes
- Ring 0: operating-system kernel
- Ring 1: operating-system services
- Ring 2: custom extensions
- Ring 3: ordinary user applications
5. Unix/Linux and Windows
- Ring 0: operating system
- Ring 1: unused
- Ring 2: unused
- Ring 3: application programs
6. Legal Ring-Transitions
- A transition from an outer ring to an inner ring
is made possible by using a special
control-structure (known as a call gate)
- The gate is defined via a data-structure
located in a system memory-segment (the GDT or an
LDT) normally not accessible for modifications
- A transition from an inner ring to an outer ring
is not nearly so strictly controlled: a far return
to a less-privileged code-segment needs no gate
7. Data-sharing
- Function-calls typically require that two
separate routines share some data-values (e.g.,
parameter-values get passed from the calling
routine to the called routine)
- To support reentrancy and recursion, the
processor's stack-segment is frequently used as a
shared-access storage-area
- But among routines with different levels of
privilege this could create a security hole
8. An example scenario
- Say a procedure that executes in ring 3 calls a
procedure that executes in ring 2
- The ring 2 procedure uses a portion of its
stack-area to create automatic variables that
it uses for temporary workspace
- Upon return, if both rings shared one stack, the
ring 3 procedure would be able to examine whatever
values are left behind in this ring 2 workspace
9. Data Isolation
- To guard against unintentional sharing of
privileged information, different stacks are
provided at each distinct privilege-level
- Accordingly, any transition from one ring to
another must necessarily be accompanied by a
mandatory stack-switch operation
- The CPU provides for automatic switching of
stacks and copying of parameter-values
10. Call-Gate Descriptors
Layout of the 8-byte call-gate descriptor (bit positions
within each 32-bit half):

  High dword (descriptor bits 63..32):
    31..16  offset 31..16 (zero in a 16-bit gate)
    15      P
    14..13  DPL
    12      0 (S-bit: this is a system descriptor)
    11..8   gate type
    7..5    000
    4..0    parameter count
  Low dword (descriptor bits 31..0):
    31..16  code-selector
    15..0   offset 15..0

Legend
- P: present (1 = yes, 0 = no)
- DPL: Descriptor Privilege Level (0, 1, 2, 3)
- code-selector: specifies the memory-segment containing
the procedure's code
- offset: specifies the procedure's entry-point within
its code-segment
- parameter count: specifies how many parameter-values
will be copied (16-bit words for a 16-bit gate, 32-bit
dwords for a 32-bit gate)
- gate-type: 0x4 means a 16-bit call-gate, 0xC means a
32-bit call-gate
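To make the bit layout above concrete, here is an added C example (not part of the course's tryring1.s demo) that packs the fields into the 8-byte descriptor image the CPU expects and unpacks one again, rejecting anything whose S-bit or type says it is not a call gate. The selector 0x0008 and offsets used in the sample are assumed values for illustration, not taken from the page.

```c
#include <stdbool.h>
#include <stdint.h>

/* Gate-type codes from the slide: 0x4 = 16-bit call gate, 0xC = 32-bit call gate. */
enum { GATE_CALL16 = 0x4, GATE_CALL32 = 0xC };

typedef struct {
    uint16_t selector;     /* code-segment selector of the target procedure */
    uint32_t offset;       /* entry point inside that code segment (16 bits used by a 16-bit gate) */
    uint8_t  dpl;          /* descriptor privilege level 0..3 */
    uint8_t  param_count;  /* 0..31 words (16-bit gate) or dwords (32-bit gate) to copy */
    uint8_t  type;         /* GATE_CALL16 or GATE_CALL32 */
    bool     present;
} call_gate_t;

/* Packs the fields into the descriptor image:
   low dword  = selector:offset15..0
   high dword = offset31..16 | P | DPL | S=0 | type | 000 | param count */
uint64_t encode_call_gate(const call_gate_t *g)
{
    uint32_t lo = ((uint32_t)g->selector << 16) | (g->offset & 0xFFFFu);
    uint32_t hi = (g->offset & 0xFFFF0000u)
                | ((uint32_t)(g->present ? 1 : 0) << 15)
                | ((uint32_t)(g->dpl & 3) << 13)
                | ((uint32_t)(g->type & 0xF) << 8)
                | (g->param_count & 0x1Fu);
    return ((uint64_t)hi << 32) | lo;
}

/* Unpacks a descriptor.  Returns false if it is not a call gate at all
   (S-bit set, i.e. a code/data descriptor, or a system type other than 0x4/0xC). */
bool decode_call_gate(uint64_t desc, call_gate_t *out)
{
    uint32_t lo = (uint32_t)desc, hi = (uint32_t)(desc >> 32);
    if (hi & (1u << 12)) return false;               /* S = 1: not a system descriptor */
    uint8_t type = (hi >> 8) & 0xF;
    if (type != GATE_CALL16 && type != GATE_CALL32) return false;
    out->selector    = (uint16_t)(lo >> 16);
    out->offset      = (hi & 0xFFFF0000u) | (lo & 0xFFFFu);
    out->present     = (hi >> 15) & 1;
    out->dpl         = (hi >> 13) & 3;
    out->type        = type;
    out->param_count = hi & 0x1F;
    return true;
}
```

A gate meant to be reachable from ring 3 carries DPL 3 while pointing at a ring-0 code selector: the gate's DPL says who may go through it, the target segment's DPL says where it leads.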
11. An Interprivilege Call
- When a lesser privileged routine wants to invoke
a more privileged routine, it does so by using a
far call machine-instruction (also known as a
long call in the GNU assembler's terminology)
- In 'as' assembly language (both operands are
immediates):
    lcall $callgate_selector, $0
- Encoding: opcode 0x9A, then the offset-field
(ignored, because the selector names a gate and the
entry-point comes from the gate), then the
segment-field holding the callgate-selector
12. What does the CPU do?
- When the CPU fetches a far-call instruction, it will
use that instruction's selector value to look
up a descriptor in the GDT (or in the current LDT)
- If it's a call-gate descriptor, and if access
is allowed (i.e., if CPL <= gate DPL and the
selector's RPL <= gate DPL), then the CPU
will perform a complex sequence of actions which
will accomplish the requested ring-transition
- The target code-segment's DPL must also be <= CPL:
a gate can only keep or increase privilege, never
transfer to a less-privileged ring (otherwise #GP)
- CPL (Current Privilege Level) is based on the least
significant 2 bits in register CS (also in SS)
13. Sequence of CPU's actions
- Pushes the caller's SS:SP register-values onto a
new stack-segment
- Copies the specified number of parameters from
the old stack onto the new stack
- Pushes the return CS:IP register-values onto
the new stack
- Loads new values into registers CS:IP (from the
callgate-descriptor) and into SS:SP
14. The missing info?
- Where do the new values for SS:SP come from?
(They're not found in the call-gate)
- They're from a special system-segment, known as
the TSS (Task State Segment), which holds one
SS:SP pair for each of rings 0, 1 and 2
- The CPU locates its TSS by referring to the value
in register TR (Task Register)
15. Diagram of the relationships
[Diagram: the call-instruction in the old code-segment
names a gate-descriptor in the Descriptor-Table (found
via GDTR); the gate-descriptor supplies the new CS:IP,
i.e. the called procedure in the new code-segment. TR
selects the TSS-descriptor, and the TASK STATE SEGMENT
supplies the new SS:SP. The params and the old
stack-pointer are copied from the OLD STACK SEGMENT to
the NEW STACK SEGMENT.]
16. Return to an Outer Ring
- Use the far-return instruction lret
  - Restores CS:IP from the current stack
  - Restores SS:SP from that same stack
- Or use the far-return instruction lret n
  - Restores CS:IP from the current stack
  - Discards n parameter-bytes from that stack
  - Restores SS:SP from that stack
  - Then also discards n parameter-bytes from the
restored outer stack, so the caller's original copies
of the parameters are released as well
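The sequence on slides 12 to 14 and the lret n return on slide 16, simulated in C as an added example (this is not the course's tryring1.s and does not run on real hardware): a 16-bit model with one stack per ring, the TSS stack fields, the privilege checks the CPU performs before going through a gate, the stack switch with parameter copying, and the far return that releases the parameters on both stacks. All selector values (0x0019 for ring-1 code, 0x0008 for ring-0 code, 0x0030 for the gate, 0x0029 and 0x0020 for the stacks) are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Word-addressed model of one stack segment; SP is a byte offset, so the word at SP is words[SP/2]. */
#define STACK_BYTES 0x80
typedef struct { uint16_t words[STACK_BYTES / 2]; } stack_t;

/* 16-bit CPU state plus the stack fields of a 286-style TSS (SS0:SP0 .. SS2:SP2). */
typedef struct {
    uint16_t cs, ip, ss, sp;
    uint16_t tss_ss[3], tss_sp[3];
} cpu_t;

/* The fields of a call-gate descriptor that the transition needs. */
typedef struct { uint16_t selector, offset; uint8_t dpl, param_count; } gate_t;

/* One stack_t per ring; the RPL bits of a stack selector equal the ring that owns it. */
static stack_t *stack_of(stack_t stacks[4], uint16_t ss) { return &stacks[ss & 3]; }
static void push16(stack_t *s, uint16_t *sp, uint16_t v) { *sp -= 2; s->words[*sp / 2] = v; }
static uint16_t pop16(stack_t *s, uint16_t *sp) { uint16_t v = s->words[*sp / 2]; *sp += 2; return v; }

/* lcall through a call gate.  target_dpl is the DPL of the code segment the gate points at.
   Returns false where the real CPU would raise #GP, leaving the state untouched. */
bool far_call_gate(cpu_t *cpu, stack_t stacks[4], uint16_t gate_sel, const gate_t *g, uint8_t target_dpl)
{
    uint8_t cpl = cpu->cs & 3, rpl = gate_sel & 3;
    if (cpl > g->dpl || rpl > g->dpl) return false;   /* caller and its selector's RPL must be <= gate DPL */
    if (target_dpl > cpl) return false;               /* a gate never leads to a less privileged ring */

    uint16_t old_ss = cpu->ss, old_sp = cpu->sp;
    stack_t *old = stack_of(stacks, old_ss);
    uint16_t new_ss = old_ss, new_sp = old_sp;
    stack_t *new_st = old;

    if (target_dpl < cpl) {                           /* inter-privilege: take SS:SP for the target ring from the TSS */
        new_ss = cpu->tss_ss[target_dpl];
        new_sp = cpu->tss_sp[target_dpl];
        new_st = stack_of(stacks, new_ss);
        push16(new_st, &new_sp, old_ss);              /* caller's SS:SP go onto the NEW stack */
        push16(new_st, &new_sp, old_sp);
        for (int i = g->param_count - 1; i >= 0; i--) /* copy the parameters, keeping their order */
            push16(new_st, &new_sp, old->words[(old_sp + 2 * i) / 2]);
    }
    push16(new_st, &new_sp, cpu->cs);                 /* return address CS:IP */
    push16(new_st, &new_sp, cpu->ip);

    cpu->cs = (uint16_t)((g->selector & ~3u) | target_dpl); /* RPL of CS becomes the new CPL */
    cpu->ip = g->offset;
    cpu->ss = new_ss;
    cpu->sp = new_sp;
    return true;
}

/* lret n.  Pops CS:IP; for a return to an outer ring it also pops SS:SP and releases
   n parameter bytes on the inner stack AND on the restored outer stack. */
bool far_return(cpu_t *cpu, stack_t stacks[4], uint16_t n)
{
    stack_t *cur = stack_of(stacks, cpu->ss);
    uint16_t sp = cpu->sp;
    uint16_t ip = pop16(cur, &sp), cs = pop16(cur, &sp);
    uint8_t cpl = cpu->cs & 3, ret_rpl = cs & 3;
    if (ret_rpl < cpl) return false;                  /* a return must never gain privilege */
    if (ret_rpl == cpl) {                             /* same ring: no stack switch */
        cpu->cs = cs; cpu->ip = ip; cpu->sp = sp + n;
        return true;
    }
    sp += n;                                          /* discard the copied parameters on the inner stack */
    uint16_t outer_sp = pop16(cur, &sp), outer_ss = pop16(cur, &sp);
    cpu->cs = cs; cpu->ip = ip;
    cpu->ss = outer_ss; cpu->sp = outer_sp + n;       /* and the originals on the outer stack */
    return true;
}

/* Worked scenario (constructed values): ring-1 code at CS=0x0019 pushes two parameter words, then
   lcalls through gate selector 0x0030 to ring-0 code at selector 0x0008, offset 0x0100. */
static cpu_t demo_cpu;
static stack_t demo_stacks[4];
static const gate_t demo_gate = { .selector = 0x0008, .offset = 0x0100, .dpl = 3, .param_count = 2 };

bool demo_call(void)
{
    memset(&demo_cpu, 0, sizeof demo_cpu);
    memset(demo_stacks, 0, sizeof demo_stacks);
    demo_cpu.cs = 0x0019; demo_cpu.ip = 0x0200;                 /* running in ring 1 */
    demo_cpu.ss = 0x0029; demo_cpu.sp = STACK_BYTES;            /* empty ring-1 stack */
    demo_cpu.tss_ss[0] = 0x0020; demo_cpu.tss_sp[0] = STACK_BYTES; /* SS0:SP0 from the TSS */
    push16(stack_of(demo_stacks, demo_cpu.ss), &demo_cpu.sp, 0x1111);
    push16(stack_of(demo_stacks, demo_cpu.ss), &demo_cpu.sp, 0x2222);
    return far_call_gate(&demo_cpu, demo_stacks, 0x0030, &demo_gate, 0);
}

bool demo_return(void) { return far_return(&demo_cpu, demo_stacks, 4); }
```

After demo_call() the ring-0 stack holds, from high to low addresses, the old SS, the old SP, the two parameter words in their original order, and the return CS:IP; the ring-1 procedure's temporaries would live on a different stack_t entirely, which is the point of slide 9. demo_return() with n = 4 lands back at CS:IP 0x0019:0x0200 with the ring-1 SP back at the top of its stack, the two parameter words released.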
17. Demo-program tryring1.s
- We have created a short program to show how this
ring-transition mechanism works
- It enters protected-mode (at ring 0)
- It returns to a procedure in ring 1
- Procedure shows a confirmation-message
- The ring 1 procedure then calls to ring 0
- The ring 0 procedure exits protected-mode
18. Data-structures needed
- Global Descriptor Table needs to contain the
protected-mode segment-descriptors and also the
call-gate descriptor
- Code-segments for Ring 0 and Ring 1
- Stack-segments for Ring 0 and Ring 1
- Data-segment (for Ring 1 to write to VRAM)
- Task-State Segment (for the ring 0 SS:SP)
- Call-Gate Descriptor (for the lcall to ring 0)
19. In-class Exercise 1
- Modify the tryring1.s demo so that it uses a
32-bit call-gate and a 32-bit TSS

Stack fields at the start of each TSS type (byte offsets):

  TSS for 80286 (16-bit)      TSS for 80386 (32-bit)
  offset  field               offset  field
  0       (back-link)         0       (back-link)
  2       SP0                 4       ESP0
  4       SS0                 8       SS0
  6       SP1                 12      ESP1
  8       SS1                 16      SS1
  10      SP2                 20      ESP2
  12      SS2                 24      SS2
20. System Segment-Descriptors
S-bit is zero. Layout of the 8-byte descriptor:

  High dword (descriptor bits 63..32):
    31..24  Base 31..24
    23..20  reserved (0)
    19..16  Limit 19..16
    15      P
    14..13  DPL
    12      0 (S-bit)
    11..8   type
    7..0    Base 23..16
  Low dword (descriptor bits 31..0):
    31..16  Base 15..0
    15..0   Limit 15..0

Type-codes for system-segments:
  0  reserved                8  reserved
  1  16-bit TSS (available)  9  32-bit TSS (available)
  2  LDT                     A  reserved
  3  16-bit TSS (busy)       B  32-bit TSS (busy)
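As an added C example for exercise 1 and the descriptor layout above (not the course's own code): both TSS layouts as packed structs whose offsets match the table on slide 19, plus an encoder for the system-segment descriptor that describes a TSS, with the limit derived from the struct size. The base address 0x00010000 used below is an assumed value.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* 80286 TSS (44 bytes): 16-bit stack pairs at offsets 2..12, then the saved registers. */
typedef struct __attribute__((packed)) {
    uint16_t link;                   /* back-link to the previous task */
    uint16_t sp0, ss0;
    uint16_t sp1, ss1;
    uint16_t sp2, ss2;
    uint16_t ip, flags, ax, cx, dx, bx, sp, bp, si, di;
    uint16_t es, cs, ss, ds, ldt;
} tss16_t;

/* 80386 TSS (104 bytes): 32-bit stack pointers, each selector padded to a dword. */
typedef struct __attribute__((packed)) {
    uint32_t link;
    uint32_t esp0; uint16_t ss0, ss0_pad;
    uint32_t esp1; uint16_t ss1, ss1_pad;
    uint32_t esp2; uint16_t ss2, ss2_pad;
    uint32_t cr3, eip, eflags, eax, ecx, edx, ebx, esp, ebp, esi, edi;
    uint16_t es, es_pad, cs, cs_pad, ss, ss_pad, ds, ds_pad;
    uint16_t fs, fs_pad, gs, gs_pad, ldt, ldt_pad;
    uint16_t trap, iomap_base;       /* T bit; offset of the I/O-permission bitmap */
} tss32_t;

/* Type-codes from the table above. */
enum {
    SYS_TSS16_AVAIL = 0x1, SYS_LDT = 0x2, SYS_TSS16_BUSY = 0x3,
    SYS_TSS32_AVAIL = 0x9, SYS_TSS32_BUSY = 0xB
};

/* Packs base, limit, type and DPL into a system-segment descriptor (S = 0, byte granularity). */
uint64_t encode_system_descriptor(uint32_t base, uint32_t limit, uint8_t type, uint8_t dpl)
{
    uint32_t lo = ((base & 0xFFFFu) << 16) | (limit & 0xFFFFu);
    uint32_t hi = (base & 0xFF000000u)          /* base 31..24 */
                | (limit & 0x000F0000u)         /* limit 19..16; bits 23..20 stay 0 */
                | (1u << 15)                    /* P */
                | ((uint32_t)(dpl & 3) << 13)   /* DPL; bit 12 (S) stays 0 */
                | ((uint32_t)(type & 0xF) << 8)
                | ((base >> 16) & 0xFFu);       /* base 23..16 */
    return ((uint64_t)hi << 32) | lo;
}

/* Type nibble of a system descriptor, or 0xFF if S = 1 (a code/data descriptor). */
uint8_t system_descriptor_type(uint64_t desc)
{
    uint32_t hi = (uint32_t)(desc >> 32);
    if (hi & (1u << 12)) return 0xFF;
    return (hi >> 8) & 0xF;
}

/* Width of the TSS a descriptor points at: 16, 32, or 0 if it is not a TSS descriptor. */
int tss_width(uint64_t desc)
{
    switch (system_descriptor_type(desc)) {
    case SYS_TSS16_AVAIL: case SYS_TSS16_BUSY: return 16;
    case SYS_TSS32_AVAIL: case SYS_TSS32_BUSY: return 32;
    default: return 0;
    }
}

/* Available-TSS descriptors at a given linear base; limit = sizeof - 1 (0x67 for the 104-byte 32-bit TSS). */
uint64_t tss32_descriptor(uint32_t base) { return encode_system_descriptor(base, sizeof(tss32_t) - 1, SYS_TSS32_AVAIL, 0); }
uint64_t tss16_descriptor(uint32_t base) { return encode_system_descriptor(base, sizeof(tss16_t) - 1, SYS_TSS16_AVAIL, 0); }
```

The practical check when converting the demo: the 32-bit TSS must be described with type 9 and a limit of at least 0x67, and its SS0 selector sits at offset 8 rather than 4, so a 16-bit layout left in place would hand the CPU the wrong ring-0 stack on the first lcall.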