Microprocessor system architectures - PowerPoint PPT Presentation

1
Microprocessor system architectures: IA32 security
  • Jakub Yaghob

2
Segment protection
3
Protection checks in the segmentation
  • Segment register load (including selector as instruction operand)
      • Type checking
      • Privilege level checking
      • Null segment checking
  • Memory access (including instruction fetching)
      • Limit checking
      • Null segment checking
      • Type checking

4
Privilege level checking: jumps between segments
  • Direct jump (CALL, JMP)
      • Nonconforming segment
          • CPL DPL
          • RPL CPL
          • CPL remains
      • Conforming segment
          • Code modules that are part of the OS and support applications without protected system facilities (math library)
          • DPL is the numerically lowest CPL that can call the conforming segment
          • CPL DPL
          • RPL ignored
          • CPL remains (even if DPL is not equal)
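
The null, type and privilege checks from slides 3 and 4, modelled for a direct far JMP/CALL as an added example (not part of the presentation). It uses the comparisons the IA-32 architecture defines: a nonconforming target needs CPL = DPL and RPL ≤ CPL, a conforming target needs DPL ≤ CPL with RPL ignored. The function, enum and macro names are this example's own, and the sample selectors and access bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Result names are this example's own, not Intel's or the slides'. */
typedef enum { XFER_OK, XFER_GP_NULL, XFER_GP_TYPE, XFER_GP_PRIV,
               XFER_NP, XFER_UNMODELLED } xfer_result;

/* Access-rights byte of a segment descriptor (descriptor bits 40..47). */
#define AR_PRESENT    0x80u               /* P: segment present          */
#define AR_DPL(ar)    (((ar) >> 5) & 3u)  /* descriptor privilege level  */
#define AR_S          0x10u               /* 1 = code/data, 0 = system   */
#define AR_EXEC       0x08u               /* 1 = code segment            */
#define AR_CONFORMING 0x04u               /* C bit of a code segment     */

/* Model of the checks for a direct far JMP/CALL to a code segment.
 * cpl: current privilege level; selector: target selector (bits 0..1 = RPL);
 * ar: access-rights byte of the descriptor that selector names. */
xfer_result check_direct_far_transfer(unsigned cpl, uint16_t selector, uint8_t ar)
{
    unsigned rpl = selector & 3u, dpl = AR_DPL(ar);

    if ((selector & 0xFFFCu) == 0)   /* index 0 in the GDT: null selector */
        return XFER_GP_NULL;
    if (!(ar & AR_S))                /* call gate, task gate, TSS: other rules */
        return XFER_UNMODELLED;
    if (!(ar & AR_EXEC))             /* data segment cannot be loaded into CS */
        return XFER_GP_TYPE;
    if (ar & AR_CONFORMING) {
        if (dpl > cpl)               /* conforming: DPL <= CPL, RPL ignored */
            return XFER_GP_PRIV;
    } else if (dpl != cpl || rpl > cpl) {
        return XFER_GP_PRIV;         /* nonconforming: CPL == DPL and RPL <= CPL */
    }
    if (!(ar & AR_PRESENT))          /* presence is tested after privilege */
        return XFER_NP;
    return XFER_OK;                  /* CPL stays as it was in both cases */
}

int main(void)
{
    /* Constructed cases: 0x9A = DPL 0 nonconforming code, 0x9E = DPL 0 conforming. */
    printf("CPL3 -> nonconforming DPL0: %d\n", check_direct_far_transfer(3, 0x0008, 0x9A));
    printf("CPL3 -> conforming DPL0:    %d\n", check_direct_far_transfer(3, 0x000B, 0x9E));
    printf("CPL0, RPL3 selector:        %d\n", check_direct_far_transfer(0, 0x000B, 0x9A));
    return 0;
}
```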

5
RET with privilege level change
  • CPL DPL of target (returning to less privileged level)
  • Using RPL from CS saved on stack
  • Loads CS:EIP/RIP from the stack
  • Adds parameter count to ESP/RSP
  • Number in bytes obtained from RET
  • Loads SS:ESP/RSP (see above)
  • Again adds parameter count to ESP/RSP
  • Check DS, ES, FS, GS
  • If DPL < CPL, then load null segment

6
System and control registers
  • EFLAGS
      • Changes in system parts silently ignored for CPL > 0
          • IOPL, VM
      • Changes take effect only during IRET at CPL 0 (return from interrupt or task)
          • VM, RF
      • Changes invoke GP
          • IF
  • Control registers
      • Only system instructions (CPL 0), excluding SMSW

7
System instructions
  • LLDT, SLDT
  • LGDT, SGDT
  • LTR, STR
  • LIDT, SIDT
  • MOV CRn
  • LMSW, SMSW
  • CLTS
  • ARPL, LAR, LSL
  • VERR, VERW
  • MOV DRn
  • INVD, WBINVD
  • INVLPG
  • HLT
  • LOCK (Prefix)
  • RSM
  • RDMSR, WRMSR
  • RDPMC, RDTSC
  • IN, OUT, INS, OUTS
  • CLI, STI
  • IRET

8
Paging protection
  • U/S flag
      • 0: supervisor mode
          • CPL 0-2
      • 1: user mode
          • CPL 3
  • R/W flag
      • 0: read-only
          • Not used in supervisor mode until the WP flag (CR0 bit 16) is set
      • 1: read/write
  • NX/XD flag
      • 0: can execute
      • 1: no execute

9
I/O protection
  • Memory mapped I/O
      • Segment or paging protection
  • I/O space
      • CPL IOPL for all ports
      • I/O permission bitmap in the TSS for CPL > IOPL or VM=1

10
IDT protection
  • Depends on the source of interrupt
      • HW interrupt or an exception
          • Ignore DPL in the proper IDT descriptor
      • SW interrupt
          • CPL DPL
  • Interrupt vector number > IDT limit
      • GP exception