Processor PrivilegeLevels - PowerPoint PPT Presentation

Slides: 22
Provided by: ProfessorA2
Learn more at: https://www.cs.usfca.edu
Transcript and Presenter's Notes


1
Processor Privilege-Levels
  • How the x86 processor accomplishes transitions
    among its four distinct privilege-levels

2
Rationale
  • The usefulness of protected-mode derives from its
    ability to enforce restrictions upon software's
    ability to perform certain actions
  • Four distinct privilege-levels are supported
  • Organizing concept: concentric rings
  • Innermost ring has greatest privileges, and
    privileges diminish as rings move outward

3
Four Privilege Rings
  • Ring 3: least-trusted level
  • Ring 2
  • Ring 1
  • Ring 0: most-trusted level

4
Suggested purposes
  • Ring0: operating system kernel
  • Ring1: operating system services
  • Ring2: custom extensions
  • Ring3: ordinary user applications

5
Unix/Linux and Windows
  • Ring0: operating system
  • Ring1: unused
  • Ring2: unused
  • Ring3: application programs

6
Legal Ring-Transitions
  • A transition from an outer ring to an inner ring
    is only possible by using a special
    control-structure (known as a call gate)
  • The gate is defined by a data-structure located
    in a system memory-segment normally inaccessible
    to modifications
  • A transition from an inner ring to an outer ring
    is not nearly so strictly controlled

7
Data-sharing
  • Procedure-calls typically require that two
    separate routines share some data-values (e.g.,
    parameter-values get passed from the calling
    routine to the called routine)
  • To support reentrancy and recursion, the
    processor's stack is frequently used as a
    shared-access storage-area
  • But among routines with different levels of
    privilege, this could create a security hole

8
An example scenario
  • Say a procedure that executes in ring 3 calls a
    procedure that executes in ring 2
  • The ring 2 procedure uses a portion of its
    stack-area to create automatic variables that
    it uses for temporary workspace
  • Upon return, the ring 3 procedure would be able
    to examine whatever values are left behind in
    this ring 2 workspace

9
Data Isolation
  • To guard against unintentional sharing of
    privileged information, different stacks are
    provided at each distinct privilege-level
  • Accordingly, any transition from one ring to
    another must necessarily be accompanied by a
    stack-switch operation
  • The CPU provides for automatic switching of
    stacks and copying of parameter-values

10
Call-Gate Descriptors
Bits 63..32:  offset 31..16 | P | DPL | 0 | gate type | parameter count
Bits 31..0:   code-selector | offset 15..0

Legend
  • P = present (1 = yes, 0 = no)
  • DPL = Descriptor Privilege Level (0, 1, 2, 3)
  • code-selector (specifies memory-segment containing
    procedure code)
  • offset (specifies the procedure's entry-point within
    its code-segment)
  • parameter count (specifies how many parameter-values
    will be copied)
  • gate-type (0x4 means a 16-bit call-gate, 0xC means a
    32-bit call-gate)

11
An Interprivilege Call
  • When a lesser privileged routine wants to invoke
    a more privileged routine, it does so by using a
    far call machine-instruction
  • In as86 assembly language:
  • callf 0, callgate-selector

Instruction format:
  opcode: 0x9A | offset-field: (ignored) | segment-field: callgate-selector

12
What does the CPU do?
  • When the CPU fetches a far-call instruction, it looks
    up that instruction's specified descriptor
  • If it's a call-gate descriptor, and if access is
    allowed (i.e., CPL ≤ DPL), then the CPU will
    perform a complex series of actions to accomplish
    a requested ring-transition
  • CPL (Current Privilege Level) is based on least
    significant 2-bits in CS (also in SS)
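
An added C example (not from the presentation or its tryring1.s demo) that packs and unpacks the call-gate descriptor fields named in the legend and applies the access test. The bit positions and the extra RPL ≤ DPL test on the gate selector follow the x86 descriptor format rather than the slides; the sample gate values are constructed.

```c
#include <stdint.h>

enum { GATE_CALL16 = 0x4, GATE_CALL32 = 0xC };  /* gate-type values from the legend */
struct call_gate {
    uint16_t selector;                    /* segment containing the procedure */
    uint32_t offset;                      /* entry-point within that segment */
    unsigned dpl, params, type, present;  /* DPL 0..3, count 0..31, gate type, P bit */
};

/* Pack the fields into the 8-byte descriptor image held in the GDT. */
uint64_t gate_encode(const struct call_gate *g)
{
    return (uint64_t)(g->offset & 0xFFFF)        /* bits 15..0:  offset 15..0 */
         | (uint64_t)g->selector << 16           /* bits 31..16: code-selector */
         | (uint64_t)(g->params & 0x1F) << 32    /* bits 36..32: parameter count */
         | (uint64_t)(g->type & 0xF) << 40       /* bits 43..40: gate type (bit 44 stays 0) */
         | (uint64_t)(g->dpl & 3) << 45          /* bits 46..45: DPL */
         | (uint64_t)(g->present & 1) << 47      /* bit 47:      P */
         | (uint64_t)(g->offset >> 16) << 48;    /* bits 63..48: offset 31..16 */
}

/* Unpack a descriptor; returns -1 if it is not a call gate. */
int gate_decode(uint64_t d, struct call_gate *g)
{
    unsigned type = (unsigned)(d >> 40) & 0xF;
    if (((d >> 44) & 1) || (type != GATE_CALL16 && type != GATE_CALL32))
        return -1;
    g->type = type;
    g->selector = (uint16_t)(d >> 16);
    g->offset = (uint32_t)(d & 0xFFFF);
    if (type == GATE_CALL32) g->offset |= (uint32_t)(d >> 48) << 16;
    g->params = (unsigned)(d >> 32) & 0x1F;
    g->dpl = (unsigned)(d >> 45) & 3;
    g->present = (unsigned)(d >> 47) & 1;
    return 0;
}

/* The slide's test (CPL <= DPL), plus the same test on the selector's RPL. */
int gate_call_allowed(uint64_t d, unsigned cpl, unsigned rpl)
{
    struct call_gate g;
    return gate_decode(d, &g) == 0 && g.present && cpl <= g.dpl && rpl <= g.dpl;
}

int main(void)
{
    /* Constructed gate: entry 0x0008:0x00012345, DPL 1, two parameters. */
    struct call_gate g = { 0x0008, 0x00012345, 1, 2, GATE_CALL32, 1 };
    return !gate_call_allowed(gate_encode(&g), 1, 1);   /* exit 0: ring 1 may call */
}
```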

13
Series of CPU Actions
  • pushes the current SS:SP register-values onto a
    new stack-segment
  • copies the specified number of parameters from
    the old stack onto the new stack
  • pushes the updated CS:IP register-values onto
    the new stack
  • loads new values into registers CS:IP (from the
    callgate-descriptor) and into SS:SP

14
The missing info?
  • Where do the new values for SS:SP come from?
    (They're not found in the callgate)
  • They're from a special system-segment, called the
    TSS (Task State Segment)
  • The CPU locates its TSS by referring to the value
    in register TR (Task Register)

15
Diagram of Relationships
[Diagram. Labels: old code-segment, call-instruction, new code-segment, called procedure, CS:IP, Task State Segment, old stack segment (params), new stack segment (params), stack-pointer, SS:SP, Descriptor-Table, gate-descriptor, TSS-descriptor, TR, GDTR]

16
Return to an Outer Ring
  • Use the far-return instruction retf:
  • Restores CS:IP from current stack
  • Restores SS:SP from current stack
  • Or use the far-return instruction retf n:
  • Restores CS:IP from current stack
  • Discards n bytes from stack (parameters)
  • Restores SS:SP from current stack
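
An added C simulation (not part of the presentation or tryring1.s) of the call-gate stack switch and retf n on a toy memory, contrasted with the shared-stack scenario described under "An example scenario". Selectors, addresses and the marker value are constructed; the final adjustment of the caller's stack pointer in far_ret follows the x86 definition of retf n rather than the slide.

```c
#include <stdint.h>
#include <string.h>

struct cpu { uint16_t cs, ss; uint32_t eip, esp; };
struct tss { uint32_t esp0; uint16_t ss0; };    /* ring-0 stack fields of a 32-bit TSS */
static uint32_t mem[64];   /* toy memory: words 0..31 ring-1 stack, 32..63 ring-0 stack */

static void push(struct cpu *c, uint32_t v) { c->esp -= 4; mem[c->esp / 4] = v; }
static uint32_t pop(struct cpu *c) { uint32_t v = mem[c->esp / 4]; c->esp += 4; return v; }

/* callf through a call gate: the four CPU actions listed on the slide. */
void far_call(struct cpu *c, const struct tss *t, uint16_t sel, uint32_t off,
              unsigned nparams, uint32_t ret_eip)
{
    struct cpu old = *c;
    c->ss = t->ss0; c->esp = t->esp0;           /* new SS:SP comes from the TSS */
    push(c, old.ss); push(c, old.esp);          /* old SS:SP onto the new stack */
    for (unsigned i = nparams; i-- > 0; )       /* copy parameters, keeping their order */
        push(c, mem[old.esp / 4 + i]);
    push(c, old.cs); push(c, ret_eip);          /* return CS:IP onto the new stack */
    c->cs = sel; c->eip = off;                  /* entry-point named by the gate */
}

/* retf n: restore CS:IP, discard n parameter bytes, restore SS:SP. */
void far_ret(struct cpu *c, uint32_t n)
{
    c->eip = pop(c); c->cs = (uint16_t)pop(c);
    c->esp += n;                                /* parameters on the inner stack */
    uint32_t esp = pop(c); c->ss = (uint16_t)pop(c);
    c->esp = esp + n;                           /* and the caller's copies */
}

/* Count copies of the callee's leftover local that the ring-1 caller can read. */
int leftovers_visible(int shared_stack, struct cpu *out)
{
    const uint32_t SECRET = 0x5EC2E7;           /* constructed marker value */
    struct cpu c = { 0x19, 0x21, 0x100, 128 };  /* constructed ring-1 selectors */
    struct tss t = { 256, 0x10 };
    int hits = 0;
    memset(mem, 0, sizeof mem);
    push(&c, 0xBBBB); push(&c, 0xAAAA);         /* two parameters */
    if (!shared_stack) far_call(&c, &t, 0x08, 0x400, 2, 0x105);
    push(&c, SECRET); (void)pop(&c);            /* automatic variable, then released */
    if (!shared_stack) far_ret(&c, 8);
    for (int i = 0; i < 32; i++) hits += (mem[i] == SECRET);
    *out = c;
    return hits;
}
int main(void) { struct cpu c; return leftovers_visible(0, &c); }
```

With shared_stack set to 1 the callee's workspace lands just below the caller's stack pointer and the count is 1; with the stack switch it stays in the ring-0 region and the count is 0.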

17
Demo-program tryring1.s
  • We have created a short program to show how this
    ring-transition mechanism works
  • It enters protected-mode (at ring0)
  • It returns to a procedure in ring1
  • Procedure shows a confirmation-message
  • The ring1 procedure then calls to ring0
  • The ring0 procedure exits protected-mode

18
Data-structures needed
  • Global Descriptor Table needs to contain the
    protected-mode segment-descriptors and the
    call-gate descriptor
  • Code-segments for Ring0 and Ring1
  • Stack-segments for Ring0 and Ring1
  • Data-segment (for Ring1 to write to VRAM)
  • Task-State Segment (for ring0 SS:SP)
  • Task-Gate and TSS Descriptors (for callf)

19
In-class Exercise 1
  • Modify the tryring1.s demo so that it uses a
    32-bit call-gate and a 32-bit TSS

  TSS for 80286 (16-bits)      TSS for 80386 (32-bits)
  offset  field                offset  field
  0       (unlabeled)          0       (unlabeled)
  2       SP0                  4       ESP0
  4       SS0                  8       SS0
  6       SP1                  12      ESP1
  8       SS1                  16      SS1
  10      SP2                  20      ESP2
  12      SS2                  24      SS2


20
System Segment-Descriptors
Upper doubleword:  Base 31..24 | Limit 19..16 | P | DPL | 0 (S-bit is zero) | type | Base 23..16
Lower doubleword:  Base 15..0 | Limit 15..0

type:
  • 0 = reserved
  • 1 = 16-bit TSS (available)
  • 2 = LDT
  • 3 = 16-bit TSS (busy)
  • 8 = reserved
  • 9 = 32-bit TSS (available)
  • A = reserved
  • B = 32-bit TSS (busy)

21
In-class exercise 2
  • Modify the tryring1.s demo so that it first
    enters ring2, then calls to ring1 from ring2 (but
    returns to ring2), and then finally calls to
    ring0 in order to exit protected-mode
  • How many stack-segments do you need?
  • How many code-segment descriptors?
  • How many VRAM-segment descriptors?