Pentium Protection Rings

1
Pentium Protection Rings

• COP6614 Operating Systems Techniques
• Instructor Prof. E. Montagne
• Department of Computer Science
• University of Central Florida
• Fall 2005
• Presented By - Poonam Hajgude

2
Overview

• Why Protection is necessary?
• Pentium Architecture
• Protection Types
• - Segment level protection
• - Page level protection
• - Combination of segment and page level
  protection
• Conclusion

3
Why Protection?

• For controlling the access of programs,
  processes, or users to the resources defined by
  the computer system.
• To guarantee reliable multitasking.
• To guarantee total user separation.
• To maintain system stability, reliability.
• In end user systems, guarding against the
  possibility of software failures caused by
  undetected program bugs.

4
Protection Types

• Segment Level Protection
• Page Level Protection
• Combination Of Segment and Page Level Protection

5
Pentium Architecture Segmentation

• A mechanism which enables to divide the linear
  address space into smaller protected address
  spaces called segments.
• Protection mechanism uses a data structure called
  Segment Descriptor which resides in the tables
  in main memory.
• In Intel, six segment registers
  (CS,SS,DS,ES,FS,GS) hold pointers to segment
  descriptor.
• A segment can be accessed if the segment register
  is loaded with a pointer (selector) to that
  segment descriptor.

6
The Execution Environment
Segment Descriptor (SD)
Code Segment (CS)
Stack Segment (SS)
SD
SD
Data Segment (DS)
ES
Memory
SD
GS
SD
FS
SD
7
Segment Selector
8
Segment Descriptor
9
Types Of Segmentation Model

• Flat Segmentation Model
• Does not partition the linear address space.
• Segment size size of linear address space (4
  GB)

10
Types Of Segmentation Model Cont..

• 2) Multi- Segment Model
• Partitions the linear address space into
  different segment sizes.

11
Segment Level Protection

• Each memory reference is checked to verify that
  it satisfies the protection checks which are
  performed in parallel with address translation.
• There are five protection checks
• Type check
• Limit check
• Restriction of address domain
• Restriction of procedure entry points
• Restriction of instruction set
• Each segment has privilege level.
• Any application attempt to access a more
  privileged segment will result in a
  general-protection exception.

12
Type Checking

• Writable bit in Data segment register controls
  whether to write a program to the segment.
• Readable bit of executable segment specifies
  whether a program can read from the segment.

13
Limit Checking

• Limit field of segment descriptor prevents
  program from addressing outside the segment.
• Attempt to access memory outside the segment
  causes the general protection error.

14
Restriction of Addressable Domain(Protection
Rings)

• Processor defines 4 privilege levels (0-3)
• Greater number means less privilege.
• If a program existing in lesser privilege level
  attempts to access a segment in more privilege
  level, then general protection exception is
  generated

15
Terms

• DPL (Descriptor Privilege Level)
• - Segment privilege level is stored in the DPL
  field of segment descriptor.
• CPL (Current Privilege Level)
• - The privilege level of current program in
  execution.
• - Lowest two bits of CS holds the value of
  CPL.
• RPL (Requestor privilege Level)
• - The privilege level of procedure which created
  the selector
• Privilege levels are checked when the selector of
  a descriptor is loaded into a segment
  register.

16
Restricting Access to Data

• To Address operands in memory, a segment selector
  for a data segment must be loaded into a data
  segment register.
• Instruction may load segment register if
• DPL is same or less privileged level then
  CPL and the selectors RPL.
• As CPL changes addressable domain task varies.
• - If CPL 0, data segment at all privilege
  levels are accessible.
• - If CPL3, only data segments at privilege
  level 3 are accessible.

17
Protecting Data Segments Example
18
Restricting Control Transfers

• Control transfers are provided by Jmp and Call
  instructions.
• Near forms of Jmp and Call transfers program
  control within the current code segment
  therefore subject to limit checking.
• Far forms of Jmp and Call transfers program
  control to other segments so processor performs
  privilege checking and operand selects a call
  gate descriptor.

19
Privilege check for Control transfers Without
Gate

• Control can only be transferred to other
  segments of the same privilege segment if
• The DPL of the segment is equal to the CPL.
• (If segment is a conforming code segment, its DPL
  is more privileged than the CPL.)

20
Protecting Code Segment Example(Near Transfer)
CALL C PROC
CALL C PROC
21
Call Gates (Restriction of Procedure Entry Points)

• Used to transfer control among executable
  segments at different privilege levels.
• Two main functions
• To define an entry point of a procedure.
• To specify the privilege level required to enter
  a procedure.

22
Call Gate Privilege Check
Both of the following privilege rules must be
satisfied otherwise, a general-protection
exception is generated. MAX (CPL,RPL) gate
DPL Destination code segment DPL CPL
23
Using Call-Gates Example MAX(CPL,RPL) gate
DPL Destination code segment DPL CPL
CALL ltCG-Agt
CALL ltCG-Bgt
CALL ltCG-Bgt
CALL ltCG-Bgt
24
Interrupt Descriptor Table
25
Using IDT Gates

• The processor compares the CPL with the DPL of
  the IDT Gate.
• Perform the switch only if the DPL is equal or
  higher (less privileged) than the CPL and
  destination code segments DPL is less than or
  equal to CPL.
• MAX (CPL,RPL) gate DPL
• Destination code segment DPL CPL

26
Stack Switching

• A procedure call to a more privileged level does
  the following
• 1. Changes the CPL.
• 2. Transfers control (execution).
• 3. Switches stacks.
• All inner protection rings have their own stacks
  for receiving calls from less privileged levels.

27
Stack Switching Contd.

• Stack operations always performed on the stack
  segment pointed by SS register
• When calling a procedure at higher privileged
  segment, it is important that it will not use the
  same stack as the less privileged code.
• For each process, the operating system is
  responsible to create four stack segments (at
  each privilege level)

Process CPL3
28
Stack Switching Cont..

• The processor copies the procedure parameters to
  the stack whos DPL equals the new CPL
• Also stores the old SS and ESP values in new
  stack
• Then and changes SS to point to the new stack

29
Restriction of Instruction

• Privileged Instructions
• - Used for system control
• - Executed only when CPL0 at ring 0
• If CPLltgt0 and instruction is executed,
  general protection exception is generated.
• Sensitive Instructions
• - Used for I/O related activities.
• - Used by procedures executing at privilege
  levels 1,2,3.

30
Paging

• Linear address space is divided into pages which
  resides in physical memory or swap area. Paging
  translates linear address into physical address.
• 2 level paging architecture.
• 4K page directory consisting of 32 bit page
  directory entries (PDEs)
• Page tables consist of 32-bit page-table entries
• (PTEs)

31
Page Level Protection

• Two page level protection checks are
• Restriction of addressable Domain
• Two levels of privilege
• Superior Level (U/S0) -gt CPL0,1,2
• User Level (U/S1) -gt CPL3
• 2. Type Checking
• Read only access (R/W0)
• Read Write access (R/W1)

32
Combining Page Segment Protection

• When paging is enabled, processor first evaluates
  segment protection and then page protection.
• Possible to define a large flat memory space
• consisting of 1 segment with some portions
• that are read-only and other portions that are
• read-write.

33
Conclusion

• Protection mechanism defines four privilege
  levels and a set of rules for accessing data and
  code segments
• Code running at a high privilege level (CPL0)
  can access all data and code segments
• Code running at a low privilege level (CPL3)
  must use call-gates to call procedures at
  higher-privilege segments.

34
References

• The Intel Architecture Software Developers
  Manual Vol. 3 -Chapter 12
• The Intel Architecture Software Developers
  Manual Vol. 3
• Chapter 3, 9,10,11,13.
• The Intel Architecture Software Developers
  Manual Vol. 1 -Chapter 1
• Barry Bery, The Intel Microprocessors
  Architecture, Programming and Interfacing,
  Fourth Edition
• www.ee.technion.ac.il/matrics/Presentations/pentiu
  m1

35
Thank You.Questions??