processor privilege levels n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Processor Privilege-Levels PowerPoint Presentation
Download Presentation
Processor Privilege-Levels

Loading in 2 Seconds...

play fullscreen
1 / 21

Processor Privilege-Levels - PowerPoint PPT Presentation


  • 132 Views
  • Uploaded on

Processor Privilege-Levels. How the x86 processor accomplishes transitions among its four distinct privilege-levels. Rationale. The usefulness of protected-mode derives from its ability to enforce restrictions upon software’s ability to perform certain actions

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Processor Privilege-Levels' - jase


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
processor privilege levels

Processor Privilege-Levels

How the x86 processor accomplishes transitions among its four distinct privilege-levels

rationale
Rationale
  • The usefulness of protected-mode derives from its ability to enforce restrictions upon software’s ability to perform certain actions
  • Four distinct privilege-levels are supported
  • Organizing concept: concentric “rings”
  • Innermost ring has greatest privileges, and privileges diminish as rings move outward
four privilege rings
Four Privilege Rings

Ring 3

Least-trusted level

Ring 2

Ring 1

Ring 0

Most-trusted level

suggested purposes
Suggested purposes

Ring0: operating system kernel

Ring1: operating system services

Rin2: custom extensions

Ring3: ordinary user applications

unix linux and windows
Unix/Linux and Windows

Ring0: operating system

Ring1: unused

Ring2: unused

Ring3: application programs

legal ring transitions
Legal Ring-Transitions
  • A transition from an outer ring to an inner ring is only possible by using a special control-structure (known as a call gate)
  • The ‘gate’ is defined by a data-structure located in a system memory-segment normally inaccessible to modifications
  • A transition from an inner ring to an outer ring is not nearly so strictly controlled
data sharing
Data-sharing
  • Procedure-calls typically require that two separate routines share some data-values (e.g., parameter-values get passed from the calling routine to the called routine)
  • To support reentrancy and recursion, the processor’s stack is frequently used as a shared-access storage-area
  • But among routines with different levels of privilege, this could create “security hole”
an example senario
An example senario
  • Say a procedure that executes in ring 3 calls a procedure that executes in ring 2
  • The ring 2 procedure uses a portion of its stack-area to create ‘automatic’ variables that it uses for temporary workspace
  • Upon return, the ring 3 procedure would be able to examine whatever values are left behind in this ring 2 workspace
data isolation
Data Isolation
  • To guard against unintentional sharing of privileged information, different stacks are provided at each distinct privilege-level
  • Accordingly, any transition from one ring to another must necessarily be accompanied by a ‘stack-switch’ operation
  • The CPU provides for automatic switching of stacks and copying of parameter-values
call gate descriptors
Call-Gate Descriptors

63

32

offset[ 31..16 ]

P

D

P

L

0

gate

type

parameter

count

code-selector

offset[ 15..0 ]

31

0

Legend:

P=present (1=yes, 0=no) DPL=Descriptor Prvilege Level (0,1,2,3)

code-selector (specifies memory-segment containing procedure code)

offset (specifies the procedure’s entry-point within its code-segment)

parameter count (specifies how many parameter-values will be copied)

gate-type (‘0x4’ means a 16-bit call-gate, ‘0xC’ means a 32-bit call-gate)

an interprivilege call
An Interprivilege Call
  • When a lesser privileged routine wants to invoke a more privileged routine, it does so by using a ‘far call’ machine-instruction
  • In as86 assembly language:

callf #0, #callgate-selector

0x9A

(ignored)

callgate-selector

opcode offset-field segment-field

what does the cpu do
What does the CPU do?
  • When CPU fetches a far-call instruction, it looks up that instruction’s specified descriptor
  • If it’s a call-gate descriptor, and if access is allowed (i.e., CPL  DPL), then the CPU will perform a complex series of actions to accomplish a requested ring-transition
  • CPL (Current Privilege Level) is based on least significant 2-bits in CS (also in SS)
series of cpu actions
Series of CPU Actions

- pushes the current SS:SP register-values onto a new stack-segment

- copies the specified number of parameters from the old stack onto the new stack

- pushes the updated CS:IP register-values onto the new stack

- loads new values into registers CS:IP (from the callgate-descriptor) and into SS:SP

the missing info
The missing info?
  • Where do the new values for SS:SP come from? (They’re not found in the callgate)
  • They’re from a special system-segment, called the TSS (Task State Segment)
  • The CPU locates its TSS by referring to the value in register TR (Task Register)
diagram of relationships
Diagram of Relationships

old code-segment

new code-segment

TASK

STATE

SEGMENT

call-instruction

called procedure

CS:IP

NEW

STACK

SEGMENT

OLD

STACK

SEGMENT

params

stack-pointer

Descriptor-Table

gate-descriptor

params

SS:SP

TSS-descriptor

TR

GDTR

return to an outer ring
Return to an Outer Ring
  • Use the far-return instruction: retf
    • Restores CS:IP from current stack
    • Restores SS:SP from current stack
  • Or use the far-return instruction: retf n
    • Restores CS:IP from current stack
    • Discards n bytes from stack (parameters)
    • Restores SS:IP from current stack
demo program tryring1 s
Demo-program: ‘tryring1.s’
  • We have created a short program to show how this ring-transition mechanism works
  • It enters protected-mode (at ring0)
  • It ‘returns’ to a procedure in ring1
  • Procedure shows a confirmation-message
  • The ring1 procedure then ‘calls’ to ring0
  • The ring0 procedure exits protected-mode
data structures needed
Data-structures needed
  • Global Descriptor Table needs to contain the protected-mode segment-descriptors and the call-gate descriptor
    • Code-segments for Ring0 and Ring1
    • Stack-segments for Ring0 and Ring1
    • Data-segment (for Ring1 to write to VRAM)
    • Task-State Segment (for ring0 SS:SP)
    • Task-Gate and TSS Descriptors (for ‘callf’)
in class exercise 1
In-class Exercise #1
  • Modify the ‘tryring1.s’ demo so that it uses a 32-bit call-gate and a 32-bit TSS

TSS for 80286

(16-bits)

TSS for 80386

(32-bits)

0

0

2

SP0

4

ESP0

SS0

4

SS0

8

SP1

6

12

ESP1

SS1

8

16

SS1

10

SP2

20

ESP2

SS2

12

24

SS2

system segment descriptors
System Segment-Descriptors

S-bit is zero

Base[ 31..24 ]

Limit

[19..16]

P

D

P

L

0

type

Base[ 23..16 ]

Base[ 15..0 ]

Limit[ 15..0 ]

type

0 = reserved

1 = 16-bit TSS (available)

2 = LDT

3 = 16-bit TSS (busy)

type

8 = reserved

9 = 32-bit TSS (available)

A = reserved

B = 32-bit TSS (busy)

in class exercise 2
In-class exercise #2
  • Modify the ‘tryring1.s’ demo so that it first enters ring2, then calls to ring1 from ring2 (but returns to ring2), and then finally calls to ring0 in order to exit protected-mode
  • How many stack-segments do you need?
  • How many code-segment descriptors?
  • How many VRAM-segment descriptors?