Presentation is loading. Please wait.

Presentation is loading. Please wait.

Processor Privilege-Levels How the x86 processor accomplishes transitions among its four distinct privilege-levels.

Similar presentations


Presentation on theme: "Processor Privilege-Levels How the x86 processor accomplishes transitions among its four distinct privilege-levels."— Presentation transcript:

1 Processor Privilege-Levels How the x86 processor accomplishes transitions among its four distinct privilege-levels

2 Rationale The usefulness of protected-mode derives from its ability to enforce restrictions upon softwares freedom to take certain actions Four distinct privilege-levels are supported Organizing concept is concentric rings Innermost ring has greatest privileges, and privileges diminish as rings move outward

3 Four Privilege Rings Ring 3 Ring 2 Ring 1 Ring 0 Least-trusted level Most-trusted level

4 Suggested purposes Ring0: operating system kernel Ring1: operating system services Ring2: custom extensions Ring3: ordinary user applications

5 Unix/Linux and Windows Ring0: operating system Ring1: unused Ring2: unused Ring3: application programs

6 Legal Ring-Transitions A transition from an outer ring to an inner ring is made possible by using a special control-structure (known as a call gate) The gate is defined via a data-structure located in a system memory-segment normally not accessible for modifications A transition from an inner ring to an outer ring is not nearly so strictly controlled

7 Data-sharing Function-calls typically require that two separate routines share some data-values (e.g., parameter-values get passed from the calling routine to the called routine) To support reentrancy and recursion, the processors stack-segment is frequently used as a shared-access storage-area But among routines with different levels of privilege this could create a security hole

8 An example senario Say a procedure that executes in ring 3 calls a procedure that executes in ring 2 The ring 2 procedure uses a portion of its stack-area to create automatic variables that it uses for temporary workspace Upon return, the ring 3 procedure would be able to examine whatever values are left behind in this ring 2 workspace

9 Data Isolation To guard against unintentional sharing of privileged information, different stacks are provided at each distinct privilege-level Accordingly, any transition from one ring to another must necessarily be accompanied by an mandatory stack-switch operation The CPU provides for automatic switching of stacks and copying of parameter-values

10 Call-Gate Descriptors offset[ ] code-selectoroffset[ ] gate type P0 DPLDPL parameter count Legend: P=present (1=yes, 0=no) DPL=Descriptor Prvilege Level (0,1,2,3) code-selector (specifies memory-segment containing procedure code) offset (specifies the procedures entry-point within its code-segment) parameter count (specifies how many parameter-values will be copied) gate-type (0x4 means a 16-bit call-gate, 0xC means a 32-bit call-gate)

11 When a lesser privileged routine wants to invoke a more privileged routine, it does so by using a far call machine-instruction (also known as a long call in the GNU assemblers terminology) In as assembly language: lcall$callgate-selector, $0 An Interprivilege Call 0x9A (ignored)callgate-selector opcode offset-field segment-field

12 What does the CPU do? When CPU fetches a far-call instruction, it will use that instructions selector value to look up a descriptor in the GDT (or in the current LDT) If its a call-gate descriptor, and if access is allowed (i.e., if CPL DPL), then the CPU will perform a complex sequence of actions which will accomplish the requested ring-transition CPL (Current Privilege Level) is based on least significant 2-bits in register CS (also in SS)

13 Sequence of CPUs actions - pushes the current SS:SP register-values onto a new stack-segment - copies the specified number of parameters from the old stack onto the new stack - pushes the updated CS:IP register-values onto the new stack - loads new values into registers CS:IP (from the callgate-descriptor) and into SS:SP

14 The missing info? Where do the new values for SS:SP come from? (Theyre not found in the call-gate) Theyre from a special system-segment, known as the TSS (Task State Segment) The CPU locates its TSS by referring to the value in register TR (Task Register)

15 Diagram of the relationships TASK STATE SEGMENT NEW STACK SEGMENT stack-pointer OLD STACK SEGMENT params SS:SP Descriptor-Table gate-descriptor call-instruction TSS-descriptor TR CS:IP GDTR old code-segment new code-segment called procedure

16 Return to an Outer Ring Use the far-return instruction: lret –Restores CS:IP from the current stack –Restores SS:SP from the current stack Or use the far-return instruction: lret $n –Restores CS:IP from the current stack –Discards n parameter-bytes from that stack –Restores SS:SP from that current stack

17 Demo-program: tryring1.s We have created a short program to show how this ring-transition mechanism works It enters protected-mode (at ring0) It returns to a procedure in ring1 Procedure shows a confirmation-message The ring1 procedure then calls to ring0 The ring0 procedure exits protected-mode

18 Data-structures needed Global Descriptor Table needs to contain the protected-mode segment-descriptors and also the call-gate descriptor –Code-segments for Ring0 and Ring1 –Stack-segments for Ring0 and Ring1 –Data-segment (for Ring1 to write to VRAM) –Task-State Segment (for the ring0 SS:SP) –Call-Gate Descriptor (for the lcall to ring0)

19 In-class Exercise #1 Modify the tryring1.s demo so that it uses a 32-bit call-gate and a 32-bit TSS TSS for (16-bits) SP1 SP2 SS SP0 SS0 SS1 ESP0 ESP1 ESP2 SS0 SS1 SS2 TSS for (32-bits) ……

20 System Segment-Descriptors Base[ ]Limit[ ] reserved =0 Limit [19..16] Base[ ]Base[ ]type DPLDPL P0 Type-codes for system-segments: 0 = reserved 1 = 16-bit TSS (available) 2 = LDT 3 = 16-bit TSS (busy) 8 = reserved 9 = 32-bit TSS (available) A = reserved B = 32-bit TSS (busy) S-bit is zero

21 In-class exercise #2 Modify the tryring1.s demo so that it first enters ring2, then calls to ring1 from ring2 (but returns to ring2), and then finally calls to ring0 in order to exit protected-mode How many stack-segments do you need? How many code-segment descriptors? How many VRAM-segment descriptors?


Download ppt "Processor Privilege-Levels How the x86 processor accomplishes transitions among its four distinct privilege-levels."

Similar presentations


Ads by Google