1 / 12

Privilege Levels

Privilege Levels. Current Privilege Level(CPL). Also called Task Privilege Level It specifies privilege level of currently executing task A task’s CPL can only be changed by control transfers through gate descriptors to a code segment with a different privilege level.

sunila
Download Presentation

Privilege Levels

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Privilege Levels

  2. Current Privilege Level(CPL) • Also called Task Privilege Level • It specifies privilege level of currently executing task • A task’s CPL can only be changed by control transfers through gate descriptors to a code segment with a different privilege level. • E.g. an application program running at PL = 3 may call an OS routine at PL = 1 (via a gate) which would cause the task's CPL to be set to 1 until the OS routine is finished.

  3. Current Privilege Level(CPL) • Normally,CPL = DPL of the segment that the processor is currently executing. • CPL changes as control is transferred to segments with differing DPLs.

  4. Requestor Privilege Level (RPL) • RPL is the two least significant bits of selector • RPL is used to establish a less trusted privilege level than CPL for the use of a segment and this level is called the task's Effective Privilege Level (EPL). • EPL is defined as EPL = max { RPL,CPL } (numerically) • Thus the task becomes less privileged • E.g. If RPL = 2 and CPL = 1, EPL = 2  task becomes less privileged

  5. Descriptor Privilege Level (DPL) • It is the least privileged level at which a task may access that descriptor and the segment associated with that descriptor • It is contained in the access right byte of the descriptor of the segment

  6. Restricting Access to Data • To address operands an 80386 program must load the selector of a data segment into a data-segment register (DS, ES, FS, GS, SS). • The processor automatically evaluates access to a data segment by comparing privilege levels. • The evaluation is performed at the time a selector for the descriptor of the target segment is loaded into the data-segment register.

  7. Restricting Access to Data • Three different privilege levels enter into this type of privilege check: 1. CPL 2. RPL of the selector of target segment 3. DPL of the descriptor of the target segment • Instructions may load a data-segment register only if DPL(data) ≥ max {CPL(proc),RPL} numerically • A procedure can only access data that is at the same or less privileged level.

  8. Privilege Check for Data Access

  9. Privilege Check for Control Transfer(Code Access) • Control transfers (except interrupts) are accomplished by the instructions JMP, CALL, and RET • The "near" forms of JMP, CALL, and RET transfer within the current code segment and hence does not require privilege checks. • The "far" forms of JMP and CALL refer to other segments and hence requires privilege checking.

  10. Privilege Check for Control Transfer • There are two ways a JMP or CALL can transfer to another segment 1. Without call gate 2. With call gate

  11. Types of Code Segments • There are two types of code segments: • Conforming Code Segment • Nonconforming Code Segment

  12. Conforming Code Segment • An executable segment whose descriptor has the conforming bit set • It permits sharing of procedures that may be called from various privilege levels but should execute at the privilege level of the calling procedure. • Example: math libraries • When control is transferred to a conforming segment, the CPL does not change

More Related