This guide explores the segment protection mechanisms in the IA-32 microprocessor architecture. It covers essential concepts such as segment registers, type checking, privilege level checks, and the handling of null segments. Additionally, it delves into memory access controls, including instruction fetching and limit checks, as well as the importance of direct jumps, returning with privilege level changes, and the role of Control Registers. The implications of these security features on Operating System and application design, especially those lacking protected system facilities, are also discussed.
Microprocessor system architectures – IA32 security Jakub Yaghob

Protection checks in the segmentation
• Segment registers load (including selector as instruction operand)
  • Type checking
  • Privilege level checking
  • Null segment checking
• Memory access (including instruction fetching)
  • Limit checking
  • Null segment checking
  • Type checking

Privilege level checking – jumps between segments
• Direct jump (CALL, JMP)
  • Nonconforming segment
    • CPL = DPL
    • RPL ≤ CPL
    • CPL remains
  • Conforming segment
    • Code modules as part of OS supporting applications without protected system facilities (math library)
    • DPL represents numerically lowest CPL, which can call conforming segment
    • CPL ≥ DPL
    • RPL ignored
    • CPL remains (even if DPL is not equal)

RET with privilege level change
• CPL ≤ DPL of target (returning to less privileged level)
  • Using RPL from CS saved on stack
• Loads CS:EIP/RIP from the stack
• Adds parameter count to ESP/RSP
  • Number in bytes obtained from RET
• Loads SS:ESP/RSP – see above
• Again adds parameter count to ESP/RSP
• Check DS, ES, FS, GS
  • If DPL < CPL, then load null segment

System and control registers
• EFLAGS
  • Changes in system parts silently ignored for CPL>0
    • IOPL, VM
  • Changes working only during IRET for CPL=0 (return from interrupt or task)
    • VM, RF
  • Changes invoke #GP
    • IF
• Control registers
  • Only system instruction (CPL=0) excluding SMSW

System instructions
• LLDT, SLDT
• LGDT, SGDT
• LTR, STR
• LIDT, SIDT
• MOV CRn
• LMSW, SMSW
• CLTS
• ARPL, LAR, LSL
• VERR, VERW
• MOV DRn
• INVD, WBINVD
• INVLPG
• HLT
• LOCK (prefix)
• RSM
• RDMSR, WRMSR
• RDPMC, RDTSC
• IN, OUT, INS, OUTS
• CLI, STI
• IRET

Paging protection
• U/S flag
  • =0 – supervisor mode
    • CPL 0-2
  • =1 – user mode
    • CPL 3
• R/W flag
  • =0 – read-only
    • Not used in supervisor mode, until flag WP (CR0[16]) is set
  • =1 – read/write
• NX/XD flag
  • =0 – can execute
  • =1 – no execute

I/O protection
• Memory mapped I/O
  • Segment or paging protection
• I/O space
  • CPL ≤ IOPL for all ports
  • I/O permission bitmap in the TSS for CPL > IOPL or VM=1
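
The port I/O rule from the slide above, modeled in C as an added example (not code from the original slides). It assumes the standard IA-32 bitmap semantics that the slide does not spell out: bit n covers port n, a set bit denies access, and a multi-byte access needs every covered bit clear. The function and parameter names are hypothetical, and the sample bitmap is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the port I/O check. Returns true if the access
 * proceeds, false where the processor would raise #GP.
 * bitmap/len: the permission-bitmap bytes that lie inside the TSS limit
 * (hypothetical parameters; bit n covers port n, set bit = denied). */
bool io_access_allowed(unsigned cpl, unsigned iopl, bool vm,
                       const uint8_t *bitmap, size_t len,
                       uint16_t port, unsigned width)
{
    /* Protected mode with CPL <= IOPL: all ports are accessible. */
    if (!vm && cpl <= iopl)
        return true;
    /* CPL > IOPL or VM=1: every byte-wide port touched needs a clear bit. */
    for (unsigned i = 0; i < width; i++) {
        uint32_t p = (uint32_t)port + i;
        if (p / 8 >= len)                       /* past the bitmap: denied */
            return false;
        if (bitmap[p / 8] & (1u << (p % 8)))    /* bit set: denied */
            return false;
    }
    return true;
}

/* Constructed sample: deny everything except ports 0x3F8-0x3FF. */
void build_sample_bitmap(uint8_t *bitmap, size_t len)
{
    memset(bitmap, 0xFF, len);
    bitmap[0x3F8 / 8] = 0x00;
}

int main(void)
{
    static uint8_t bm[8192];
    build_sample_bitmap(bm, sizeof bm);
    printf("CPL3 byte 0x3F8: %d\n", io_access_allowed(3, 0, false, bm, sizeof bm, 0x3F8, 1));
    printf("CPL3 word 0x3FF: %d\n", io_access_allowed(3, 0, false, bm, sizeof bm, 0x3FF, 2));
    printf("CPL0 byte 0x60:  %d\n", io_access_allowed(0, 0, false, bm, sizeof bm, 0x60, 1));
    printf("VM=1 byte 0x60:  %d\n", io_access_allowed(3, 3, true, bm, sizeof bm, 0x60, 1));
    return 0;
}
```

The word access at 0x3FF is refused because its second byte lands on port 0x400, whose bit is set; the VM=1 case is refused even with IOPL=3 because the bitmap is consulted regardless of IOPL.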

IDT protection
• Depends on the source of interrupt
  • HW interrupt or an exception
    • Ignore DPL in the proper IDT descriptor
  • SW interrupt
    • CPL ≤ DPL
• Interrupt vector number > IDT limit
  • #GP exception