Processor Privilege-Levels - PowerPoint PPT Presentation

About This Presentation

Title: Processor Privilege-Levels

Description: offset (specifies the procedure's entry-point within its code-segment) parameter count (specifies how many parameter-values will be copied) ... – PowerPoint PPT presentation

Slides: 21
Provided by: ProfessorA2
Learn more at: https://www.cs.usfca.edu

Transcript and Presenter's Notes

1
Processor Privilege-Levels
  • How the x86 processor accomplishes transitions
    among its four distinct privilege-levels

2
Rationale
  • The usefulness of protected-mode derives from its
    ability to enforce restrictions upon software's
    freedom to take certain actions
  • Four distinct privilege-levels are supported
  • Organizing concept is concentric rings
  • Innermost ring has greatest privileges, and
    privileges diminish as rings move outward

3
Four Privilege Rings
  [Diagram: four concentric rings]
  Ring 3  (least-trusted level, outermost)
  Ring 2
  Ring 1
  Ring 0  (most-trusted level, innermost)
4
Suggested purposes
  Ring 0: operating system kernel
  Ring 1: operating system services
  Ring 2: custom extensions
  Ring 3: ordinary user applications
5
Unix/Linux and Windows
  Ring 0: operating system
  Ring 1: unused
  Ring 2: unused
  Ring 3: application programs
6
Legal Ring-Transitions
  • A transition from an outer ring to an inner ring
    is made possible by using a special
    control-structure (known as a call gate)
  • The gate is defined via a data-structure
    located in a system memory-segment normally
    not accessible for modifications
  • A transition from an inner ring to an outer ring
    is not nearly so strictly controlled

7
Data-sharing
  • Function-calls typically require that two
    separate routines share some data-values (e.g.,
    parameter-values get passed from the calling
    routine to the called routine)
  • To support reentrancy and recursion, the
    processor's stack-segment is frequently used as a
    shared-access storage-area
  • But among routines with different levels of
    privilege this could create a security hole

8
An example scenario
  • Say a procedure that executes in ring 3 calls a
    procedure that executes in ring 2
  • The ring 2 procedure uses a portion of its
    stack-area to create automatic variables that
    it uses for temporary workspace
  • Upon return, the ring 3 procedure would be able
    to examine whatever values are left behind in
    this ring 2 workspace

9
Data Isolation
  • To guard against unintentional sharing of
    privileged information, different stacks are
    provided at each distinct privilege-level
  • Accordingly, any transition from one ring to
    another must necessarily be accompanied by a
    mandatory stack-switch operation
  • The CPU provides for automatic switching of
    stacks and copying of parameter-values

10
Call-Gate Descriptors
  Upper doubleword (bits 63..32):
    63..48  offset 31..16
    47      P
    46..45  DPL
    44      0
    43..40  gate type
    39..37  (unused)
    36..32  parameter count
  Lower doubleword (bits 31..0):
    31..16  code-selector
    15..0   offset 15..0
Legend
  P = present (1 = yes, 0 = no)
  DPL = Descriptor Privilege Level (0, 1, 2, 3)
  code-selector = specifies the memory-segment containing the procedure's code
  offset = specifies the procedure's entry-point within its code-segment
  parameter count = specifies how many parameter-values will be copied
  gate-type = 0x4 means a 16-bit call-gate, 0xC means a 32-bit call-gate
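The descriptor layout above is easiest to get right when you can pack and unpack it in code. The following C routines are an added example, not code from the slides or from the tryring1.s demo; they encode the fields into the 8-byte layout shown, decode them back, and apply the access rule the slides state (CPL must not exceed the gate's DPL; the selector's RPL is checked the same way, which the slides do not spell out). The sample values (selector 0x0008, entry point 0x12345678) are constructed.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Decoded view of the 8-byte call-gate descriptor drawn on the slide. */
typedef struct {
    uint32_t offset;        /* entry point within the target code segment */
    uint16_t code_selector; /* selector of that code segment */
    uint8_t  dpl;           /* descriptor privilege level, 0..3 */
    uint8_t  param_count;   /* 0..31 parameter values to copy across stacks */
    uint8_t  gate_type;     /* 0x4 = 16-bit call gate, 0xC = 32-bit call gate */
    bool     present;
} call_gate_t;

/* Pack into the slide's layout: 63..48 offset[31..16], 47 P, 46..45 DPL,
 * 44 S=0, 43..40 type, 36..32 parameter count, 31..16 selector, 15..0 offset[15..0]. */
uint64_t call_gate_encode(const call_gate_t *g) {
    /* a 16-bit gate has no high offset word, so it is not stored */
    uint32_t off = (g->gate_type == 0x4) ? (g->offset & 0xFFFF) : g->offset;
    uint64_t d = 0;
    d |= (uint64_t)(off >> 16) << 48;
    d |= (uint64_t)(g->present ? 1 : 0) << 47;
    d |= (uint64_t)(g->dpl & 3) << 45;
    /* bit 44 (S) stays 0: a gate is a system descriptor, not a code/data segment */
    d |= (uint64_t)(g->gate_type & 0xF) << 40;
    d |= (uint64_t)(g->param_count & 0x1F) << 32;
    d |= (uint64_t)g->code_selector << 16;
    d |= off & 0xFFFF;
    return d;
}

/* Unpack; returns false when the 8 bytes are not a call gate at all
 * (S bit set, or a type other than 0x4 / 0xC). */
bool call_gate_decode(uint64_t d, call_gate_t *g) {
    uint8_t type = (d >> 40) & 0xF;
    bool s_bit = (d >> 44) & 1;
    if (s_bit || (type != 0x4 && type != 0xC)) return false;
    g->offset        = (uint32_t)((d >> 48) << 16) | (uint32_t)(d & 0xFFFF);
    g->present       = (d >> 47) & 1;
    g->dpl           = (d >> 45) & 3;
    g->gate_type     = type;
    g->param_count   = (d >> 32) & 0x1F;
    g->code_selector = (d >> 16) & 0xFFFF;
    return true;
}

/* The check made before the gate is used: the caller's CPL and the gate
 * selector's RPL must both be numerically <= the gate's DPL, and P must be set. */
bool call_gate_usable(const call_gate_t *g, uint8_t cpl, uint8_t rpl) {
    return g->present && cpl <= g->dpl && rpl <= g->dpl;
}

int main(void) {
    /* constructed sample: 32-bit gate into selector 0x0008, usable from ring 3, copies 2 params */
    call_gate_t g = { 0x12345678, 0x0008, 3, 2, 0xC, true };
    uint64_t d = call_gate_encode(&g);
    call_gate_t back;
    printf("descriptor = %016llX\n", (unsigned long long)d);
    if (call_gate_decode(d, &back))
        printf("selector %04X offset %08X DPL %u params %u usable from ring 3: %s\n",
               back.code_selector, back.offset, back.dpl, back.param_count,
               call_gate_usable(&back, 3, 3) ? "yes" : "no");
    return 0;
}
```

A gate whose DPL is 0 is reachable only from ring 0, which is how a kernel keeps a privileged entry point out of reach of application code; a gate with DPL 3 is the deliberate, controlled doorway the slides describe.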
11
An Interprivilege Call
  • When a lesser privileged routine wants to invoke
    a more privileged routine, it does so by using a
    far call machine-instruction (also known as a
    long call in the GNU assembler's terminology)
  • In as assembly language:
      lcall callgate-selector, 0
  • Encoding of the instruction:
      0x9A       (ignored)       callgate-selector
      opcode     offset-field    segment-field
12
What does the CPU do?
  • When the CPU fetches a far-call instruction, it will
    use that instruction's selector value to look
    up a descriptor in the GDT (or in the current
    LDT)
  • If it's a call-gate descriptor, and if access
    is allowed (i.e., if CPL ≤ DPL), then the CPU
    will perform a complex sequence of actions which
    will accomplish the requested ring-transition
  • CPL (Current Privilege Level) is based on the least
    significant 2 bits in register CS (also in SS)

13
Sequence of CPU's actions
  • pushes the current SS:SP register-values onto a
    new stack-segment
  • copies the specified number of parameters from
    the old stack onto the new stack
  • pushes the updated CS:IP register-values onto
    the new stack
  • loads new values into registers CS:IP (from the
    callgate-descriptor) and into SS:SP

14
The missing info?
  • Where do the new values for SS:SP come from?
    (They're not found in the call-gate)
  • They're from a special system-segment, known as
    the TSS (Task State Segment)
  • The CPU locates its TSS by referring to the value
    in register TR (Task Register)

15
Diagram of the relationships
  [Diagram: the call-instruction in the old code-segment names a
   gate-descriptor in the Descriptor-Table (reached through GDTR); the
   gate-descriptor supplies the new CS:IP of the called procedure in the
   new code-segment. Register TR names the TSS-descriptor, and the TASK
   STATE SEGMENT supplies the new SS:SP (the stack-pointer into the NEW
   STACK SEGMENT); the params on the OLD STACK SEGMENT are copied onto
   the NEW STACK SEGMENT.]
16
Return to an Outer Ring
  • Use the far-return instruction lret
      • Restores CS:IP from the current stack
      • Restores SS:SP from the current stack
  • Or use the far-return instruction lret n
      • Restores CS:IP from the current stack
      • Discards n parameter-bytes from that stack
      • Restores SS:SP from that stack
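The four-step sequence of slide 13, the TSS lookup of slide 14 and the lret n return of slide 16 are easier to follow when the stacks can be inspected. The C model below is an added example written for this page; it is not the tryring1.s demo and not the slides' code. It assumes a 16-bit (80286-style) machine with one simulated stack per ring, treats the low two bits of a selector as the ring of the segment it names instead of consulting a GDT, models only the stack fields of the TSS, and, going one step beyond slide 16, has lret n release the n parameter bytes from the caller's stack as well as the callee's, which is what the hardware does.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the slides' 16-bit inter-privilege call. Selectors are
 * not looked up in a GDT; the low two bits (RPL) of a selector stand in for
 * the ring of the segment it names (an assumption that keeps the model small). */
#define STACK_BYTES 64

typedef struct { uint16_t ss0, sp0, ss1, sp1, ss2, sp2; } tss16_t; /* TSS fields the CPU reads */
typedef struct {
    uint16_t code_selector, offset;   /* where the gate leads */
    uint8_t  dpl, param_count;        /* who may use it; how many words to copy */
} callgate16_t;
typedef struct {
    uint16_t cs, ip, ss, sp;
    uint8_t  stack[4][STACK_BYTES];   /* one stack segment per ring, chosen by ring_of(ss) */
    tss16_t  tss;
} cpu_t;

static int ring_of(uint16_t selector) { return selector & 3; }
static uint16_t rd16(const cpu_t *c, uint16_t ss, uint16_t sp) {
    const uint8_t *p = &c->stack[ring_of(ss)][sp];
    return (uint16_t)(p[0] | (p[1] << 8));
}
static void wr16(cpu_t *c, uint16_t ss, uint16_t sp, uint16_t v) {
    uint8_t *p = &c->stack[ring_of(ss)][sp];
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
}
void push(cpu_t *c, uint16_t v) { c->sp -= 2; wr16(c, c->ss, c->sp, v); }
uint16_t pop(cpu_t *c) { uint16_t v = rd16(c, c->ss, c->sp); c->sp += 2; return v; }

/* Start executing at cs:0x0200 (taken as the address after the lcall) on stack ss. */
void cpu_reset(cpu_t *c, uint16_t cs, uint16_t ss) {
    memset(c, 0, sizeof *c);
    c->cs = cs; c->ip = 0x0200; c->ss = ss; c->sp = STACK_BYTES;
    c->tss.ss0 = 0x10; c->tss.sp0 = STACK_BYTES;   /* constructed per-ring stacks */
    c->tss.ss1 = 0x19; c->tss.sp1 = STACK_BYTES;
    c->tss.ss2 = 0x22; c->tss.sp2 = STACK_BYTES;
}

/* `lcall gate_selector, 0`; returns false where the CPU would raise #GP. */
bool lcall_gate(cpu_t *c, uint16_t gate_selector, const callgate16_t *g) {
    int cpl = ring_of(c->cs), rpl = ring_of(gate_selector);
    if (cpl > g->dpl || rpl > g->dpl) return false;   /* max(CPL,RPL) <= gate DPL */
    int target = ring_of(g->code_selector);
    if (target > cpl) return false;                   /* a gate never lowers privilege */
    uint16_t old_ss = c->ss, old_sp = c->sp;
    if (target < cpl) {                               /* inner ring: switch stacks */
        const uint16_t *t = &c->tss.ss0;              /* ss0,sp0,ss1,sp1,ss2,sp2 pairs */
        c->ss = t[2 * target]; c->sp = t[2 * target + 1];
        push(c, old_ss);                              /* 1. old SS:SP onto the new stack */
        push(c, old_sp);
        for (int i = g->param_count - 1; i >= 0; i--) /* 2. copy params, order preserved */
            push(c, rd16(c, old_ss, (uint16_t)(old_sp + 2 * i)));
    }
    push(c, c->cs);                                   /* 3. return address CS:IP */
    push(c, c->ip);
    c->cs = g->code_selector;                         /* 4. new CS:IP from the gate */
    c->ip = g->offset;
    return true;
}

/* `lret n`: pops CS:IP, releases n parameter bytes and, when the return goes to an
 * outer ring, restores the caller's SS:SP (also releasing the n bytes there). */
void lret_n(cpu_t *c, uint16_t n) {
    int old_cpl = ring_of(c->cs);
    uint16_t ip = pop(c), cs = pop(c);
    c->sp += n;
    if (ring_of(cs) > old_cpl) {
        uint16_t sp = pop(c), ss = pop(c);
        c->ss = ss; c->sp = (uint16_t)(sp + n);
    }
    c->cs = cs; c->ip = ip;
}

/* Parameter i as the called procedure sees it: just above the pushed CS:IP. */
uint16_t callee_param(const cpu_t *c, int i) {
    return rd16(c, c->ss, (uint16_t)(c->sp + 4 + 2 * i));
}

int main(void) {
    cpu_t cpu;
    cpu_reset(&cpu, 0x1B, 0x23);                 /* start in ring 3 */
    push(&cpu, 0xAAAA); push(&cpu, 0xBBBB);      /* two parameter words on the ring-3 stack */
    callgate16_t gate = { 0x08, 0x0100, 3, 2 };  /* ring-0 code, DPL 3, copies 2 words */
    if (!lcall_gate(&cpu, 0x33, &gate)) { puts("#GP: gate not usable"); return 1; }
    printf("in ring 0:      CS=%04X IP=%04X SS=%04X SP=%04X params=%04X,%04X\n",
           cpu.cs, cpu.ip, cpu.ss, cpu.sp, callee_param(&cpu, 0), callee_param(&cpu, 1));
    lret_n(&cpu, 4);
    printf("back in ring 3: CS=%04X IP=%04X SS=%04X SP=%04X\n", cpu.cs, cpu.ip, cpu.ss, cpu.sp);
    return 0;
}
```

After the call, the ring-0 stack holds only the return address and copies of the two parameters; the ring-3 caller's stack is untouched and, after lret 4, is back where it started. That separation is the "data isolation" of slide 9: nothing the ring-0 procedure leaves on its own stack is ever visible through the ring-3 stack.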

17
Demo-program tryring1.s
  • We have created a short program to show how this
    ring-transition mechanism works
  • It enters protected-mode (at ring0)
  • It returns to a procedure in ring1
  • Procedure shows a confirmation-message
  • The ring1 procedure then calls to ring0
  • The ring0 procedure exits protected-mode

18
Data-structures needed
  • Global Descriptor Table needs to contain the
    protected-mode segment-descriptors and also the
    call-gate descriptor
  • Code-segments for Ring0 and Ring1
  • Stack-segments for Ring0 and Ring1
  • Data-segment (for Ring1 to write to VRAM)
  • Task-State Segment (for the ring0 SS:SP)
  • Call-Gate Descriptor (for the lcall to ring0)

19
In-class Exercise 1
  • Modify the tryring1.s demo so that it uses a
    32-bit call-gate and a 32-bit TSS

  TSS for 80286 (16-bits)           TSS for 80386 (32-bits)
  offset  field                     offset  field
     0    (previous-task link)         0    (previous-task link)
     2    SP0                          4    ESP0
     4    SS0                          8    SS0
     6    SP1                         12    ESP1
     8    SS1                         16    SS1
    10    SP2                         20    ESP2
    12    SS2                         24    SS2


20
System Segment-Descriptors
  S-bit is zero
  Upper doubleword (bits 63..32):
    63..56  Base 31..24
    55..52  reserved 0
    51..48  Limit 19..16
    47      P
    46..45  DPL
    44      0 (S-bit)
    43..40  type
    39..32  Base 23..16
  Lower doubleword (bits 31..0):
    31..16  Base 15..0
    15..0   Limit 15..0
Type-codes for system-segments
  0  reserved
  1  16-bit TSS (available)
  2  LDT
  3  16-bit TSS (busy)
  8  reserved
  9  32-bit TSS (available)
  A  reserved
  B  32-bit TSS (busy)
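For the in-class exercise (a 32-bit call-gate with a 32-bit TSS) the two things to get right are the TSS field offsets of slide 19 and the system-segment descriptor of slide 20. The C below is an added example, not part of the slides or of tryring1.s: it declares the leading fields of both TSS layouts so the compiler's offsets can be checked against the tables, names the type codes listed on the slides (the two call-gate codes come from slide 10), and packs a TSS descriptor into the layout shown. The base address 0x00123456 and the limit 0x67 are constructed sample values; the register-save area that follows SS2 in the real 32-bit TSS is deliberately left out because the ring transition never reads it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Leading fields of the 80386 (32-bit) TSS, as laid out on slide 19.
 * Assumption: only the privilege-stack fields are modelled here. */
typedef struct {
    uint32_t link;   /* offset 0: previous-task link (low 16 bits used) */
    uint32_t esp0;   /* offset 4  */
    uint32_t ss0;    /* offset 8  */
    uint32_t esp1;   /* offset 12 */
    uint32_t ss1;    /* offset 16 */
    uint32_t esp2;   /* offset 20 */
    uint32_t ss2;    /* offset 24 */
} tss32_prefix_t;

/* Same for the 80286 (16-bit) TSS: offsets 0, 2, 4, ..., 12. */
typedef struct { uint16_t link, sp0, ss0, sp1, ss1, sp2, ss2; } tss16_prefix_t;

/* Byte offset of ring r's stack fields, as the CPU computes them. */
size_t tss32_sp_offset(int r) { return 4 + 8 * (size_t)r; }
size_t tss32_ss_offset(int r) { return 8 + 8 * (size_t)r; }
size_t tss16_sp_offset(int r) { return 2 + 4 * (size_t)r; }
size_t tss16_ss_offset(int r) { return 4 + 4 * (size_t)r; }

/* Type codes for system segments (S-bit = 0) from slide 20, plus the two
 * call-gate codes from slide 10; codes not on the slides are reported as such. */
const char *system_type_name(uint8_t type) {
    switch (type & 0xF) {
    case 0x0: case 0x8: case 0xA: return "reserved";
    case 0x1: return "16-bit TSS (available)";
    case 0x2: return "LDT";
    case 0x3: return "16-bit TSS (busy)";
    case 0x4: return "16-bit call gate";
    case 0x9: return "32-bit TSS (available)";
    case 0xB: return "32-bit TSS (busy)";
    case 0xC: return "32-bit call gate";
    default:  return "not listed on the slides";
    }
}

/* Pack a system-segment descriptor: 63..56 base[31..24], 55..52 zero,
 * 51..48 limit[19..16], 47 P, 46..45 DPL, 44 S=0, 43..40 type,
 * 39..32 base[23..16], 31..16 base[15..0], 15..0 limit[15..0]. */
uint64_t system_descriptor_encode(uint32_t base, uint32_t limit,
                                  uint8_t dpl, uint8_t type, bool present) {
    uint64_t d = 0;
    d |= (uint64_t)(base >> 24) << 56;
    d |= (uint64_t)((limit >> 16) & 0xF) << 48;
    d |= (uint64_t)(present ? 1 : 0) << 47;
    d |= (uint64_t)(dpl & 3) << 45;
    d |= (uint64_t)(type & 0xF) << 40;
    d |= (uint64_t)((base >> 16) & 0xFF) << 32;
    d |= (uint64_t)(base & 0xFFFF) << 16;
    d |= limit & 0xFFFF;
    return d;
}

uint32_t system_descriptor_base(uint64_t d) {
    return (uint32_t)((d >> 56) << 24) | (uint32_t)(((d >> 32) & 0xFF) << 16)
         | (uint32_t)((d >> 16) & 0xFFFF);
}
uint32_t system_descriptor_limit(uint64_t d) {
    return (uint32_t)(((d >> 48) & 0xF) << 16) | (uint32_t)(d & 0xFFFF);
}
uint8_t system_descriptor_type(uint64_t d) { return (d >> 40) & 0xF; }

/* True only for the four TSS type codes with the S-bit clear. */
bool system_descriptor_is_tss(uint64_t d) {
    if ((d >> 44) & 1) return false;       /* S=1: code or data segment */
    uint8_t t = system_descriptor_type(d);
    return t == 0x1 || t == 0x3 || t == 0x9 || t == 0xB;
}

int main(void) {
    /* constructed: an available 32-bit TSS at base 0x00123456, limit 0x67, DPL 0 */
    uint64_t d = system_descriptor_encode(0x00123456, 0x67, 0, 0x9, true);
    printf("TSS descriptor %016llX: base %08X limit %05X type %s\n",
           (unsigned long long)d, system_descriptor_base(d),
           system_descriptor_limit(d), system_type_name(system_descriptor_type(d)));
    printf("ESP0 at %zu, SS0 at %zu, ESP2 at %zu (struct says %zu)\n",
           tss32_sp_offset(0), tss32_ss_offset(0), tss32_sp_offset(2),
           offsetof(tss32_prefix_t, esp2));
    return 0;
}
```

Loading the TSS descriptor's selector into TR is what lets the CPU find SS0:ESP0 during the call-gate transition of slide 14; the DPL of that descriptor is the only thing standing between application code and the kernel's stack pointer, so it should be 0.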