Processor Privilege-Levels

1
Processor Privilege-Levels

• How the x86 processor accomplishes transitions
  among its four distinct privilege-levels

2
Rationale

• The usefulness of protected-mode derives from its
  ability to enforce restrictions upon softwares
  freedom to take certain actions
• Four distinct privilege-levels are supported
• Organizing concept is concentric rings
• Innermost ring has greatest privileges, and
  privileges diminish as rings move outward

3
Four Privilege Rings
Ring 3
Least-trusted level
Ring 2
Ring 1
Ring 0
Most-trusted level
4
Suggested purposes
Ring0 operating system kernel
Ring1 operating system services
Ring2 custom extensions
Ring3 ordinary user applications
5
Unix/Linux and Windows
Ring0 operating system
Ring1 unused
Ring2 unused
Ring3 application programs
6
Legal Ring-Transitions

• A transition from an outer ring to an inner ring
  is made possible by using a special
  control-structure (known as a call gate)
• The gate is defined via a data-structure
  located in a system memory-segment normally
  not accessible for modifications
• A transition from an inner ring to an outer ring
  is not nearly so strictly controlled

7
Data-sharing

• Function-calls typically require that two
  separate routines share some data-values (e.g.,
  parameter-values get passed from the calling
  routine to the called routine)
• To support reentrancy and recursion, the
  processors stack-segment is frequently used as a
  shared-access storage-area
• But among routines with different levels of
  privilege this could create a security hole

8
An example senario

• Say a procedure that executes in ring 3 calls a
  procedure that executes in ring 2
• The ring 2 procedure uses a portion of its
  stack-area to create automatic variables that
  it uses for temporary workspace
• Upon return, the ring 3 procedure would be able
  to examine whatever values are left behind in
  this ring 2 workspace

9
Data Isolation

• To guard against unintentional sharing of
  privileged information, different stacks are
  provided at each distinct privilege-level
• Accordingly, any transition from one ring to
  another must necessarily be accompanied by an
  mandatory stack-switch operation
• The CPU provides for automatic switching of
  stacks and copying of parameter-values

10
Call-Gate Descriptors
63
32
offset 31..16
gate type
P
0
D P L
parameter count
code-selector
offset 15..0
31
0
Legend
Ppresent (1yes, 0no) DPLDescriptor
Prvilege Level (0,1,2,3) code-selector (specifies
memory-segment containing procedure code) offset
(specifies the procedures entry-point within its
code-segment) parameter count (specifies how many
parameter-values will be copied) gate-type (0x4
means a 16-bit call-gate, 0xC means a 32-bit
call-gate)
11
An Interprivilege Call

• When a lesser privileged routine wants to invoke
  a more privileged routine, it does so by using a
  far call machine-instruction (also known as a
  long call in the GNU assemblers terminology)
• In as assembly language
• lcall callgate-selector, 0

0x9A
(ignored)
callgate-selector
opcode offset-field segment-field
12
What does the CPU do?

• When CPU fetches a far-call instruction, it will
  use that instructions selector value to look
  up a descriptor in the GDT (or in the current
  LDT)
• If its a call-gate descriptor, and if access
  is allowed (i.e., if CPL ? DPL), then the CPU
  will perform a complex sequence of actions which
  will accomplish the requested ring-transition
• CPL (Current Privilege Level) is based on least
  significant 2-bits in register CS (also in SS)

13
Sequence of CPUs actions

• - pushes the current SSSP register-values onto a
  new stack-segment
• - copies the specified number of parameters from
  the old stack onto the new stack
• - pushes the updated CSIP register-values onto
  the new stack
• - loads new values into registers CSIP (from the
  callgate-descriptor) and into SSSP

14
The missing info?

• Where do the new values for SSSP come from?
  (Theyre not found in the call-gate)
• Theyre from a special system-segment, known as
  the TSS (Task State Segment)
• The CPU locates its TSS by referring to the value
  in register TR (Task Register)

15
Diagram of the relationships
old code-segment
new code-segment
TASK STATE SEGMENT
call-instruction
called procedure
CSIP
NEW STACK SEGMENT
OLD STACK SEGMENT
params
stack-pointer
Descriptor-Table
gate-descriptor
params
SSSP
TSS-descriptor
TR
GDTR
16
Return to an Outer Ring

• Use the far-return instruction lret
• Restores CSIP from the current stack
• Restores SSSP from the current stack
• Or use the far-return instruction lret n
• Restores CSIP from the current stack
• Discards n parameter-bytes from that stack
• Restores SSSP from that current stack

17
Demo-program tryring1.s

• We have created a short program to show how this
  ring-transition mechanism works
• It enters protected-mode (at ring0)
• It returns to a procedure in ring1
• Procedure shows a confirmation-message
• The ring1 procedure then calls to ring0
• The ring0 procedure exits protected-mode

18
Data-structures needed

• Global Descriptor Table needs to contain the
  protected-mode segment-descriptors and also the
  call-gate descriptor
• Code-segments for Ring0 and Ring1
• Stack-segments for Ring0 and Ring1
• Data-segment (for Ring1 to write to VRAM)
• Task-State Segment (for the ring0 SSSP)
• Call-Gate Descriptor (for the lcall to ring0)

19
In-class Exercise 1

• Modify the tryring1.s demo so that it uses a
  32-bit call-gate and a 32-bit TSS

TSS for 80286 (16-bits)
TSS for 80386 (32-bits)
0
0
2
SP0
ESP0
4
SS0
SS0
8
4
SP1
ESP1
6
12
SS1
SS1
8
16
SP2
10
ESP2
20
SS2
SS2
12
24


20
System Segment-Descriptors
S-bit is zero
reserved 0
Limit 19..16
Base 31..24
Base 23..16
type
D P L
P
0
Base 15..0
Limit 15..0
Type-codes for system-segments 0 reserved
1 16-bit TSS (available) 2 LDT 3
16-bit TSS (busy)
8 reserved 9 32-bit TSS (available)
A reserved B 32-bit TSS (busy)