
Academic year: 2021


Interface Hardware-Software

Lecture 4-2

Protected Mode Mechanisms

Prof. Dr. Stefan Michael Blawid


IHS - §4 ProMo Mech 2

Topics

1) Recapitulation

2) Access to Data and Stack Segments

3) Jumps, Calls and Privilege Checks

4) Call gates


Segment Descriptor


Using Selectors


Validity Checks Before Loading Descriptor


Pre-Load Privilege Check for Data Access

Future Data Segment Cache

Current Code Segment Cache

Data Segment Register


CPL, RPL and DPL

CPL (Current Privilege Level)

Privilege level of the currently running code

It is found in the CS and SS registers (in the hidden part = cache)

RPL (Requestor Privilege Level)

Code privilege level that originates from the selector

Found in the selector

Can be changed with specific instructions

DPL (Descriptor Privilege Level)

Segment or gate privilege level

Found in the descriptor


Example

Assume that the code is fetched from a non-conforming code segment with a DPL=2d=CPL

Selector: RPL = 2d, TI=1d (LDT), Index = 2534d

If the fetched data segment from the LDT has DPL=2d, the corresponding eight bytes are loaded into the invisible part of DS

mov AL, [0100] verifies that

CPL==DPL of DS;

The offset 0100H is smaller than the DS limit


Data Segment Access

Data segment selectors must be loaded into DS, ES, FS, GS, or SS registers with instructions like mov, pop, lds, les, lfs, lgs, etc.


Examples


Stack Segment Access
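The selector from the example above (Index = 2534, TI = 1, RPL = 2) can be decoded and checked in code. This is an added example, not part of the original slides; the function names are hypothetical, and the checks applied are the IA-32 load-time rules max(CPL, RPL) <= DPL for DS/ES/FS/GS and CPL == RPL == DPL for SS.

```c
#include <stdint.h>
#include <stdio.h>

/* Segment selector layout: index[15:3], TI[2] (0 = GDT, 1 = LDT), RPL[1:0]. */
struct selector { unsigned index, ti, rpl; };

static uint16_t make_selector(unsigned index, unsigned ti, unsigned rpl) {
    return (uint16_t)((index << 3) | ((ti & 1u) << 2) | (rpl & 3u));
}

static struct selector split_selector(uint16_t sel) {
    struct selector s = { (unsigned)sel >> 3, ((unsigned)sel >> 2) & 1u, sel & 3u };
    return s;
}

/* Descriptors are 8 bytes, so the index scales to a byte offset in the table. */
static unsigned descriptor_offset(uint16_t sel) { return ((unsigned)sel >> 3) * 8u; }

/* Loading DS/ES/FS/GS: the weaker of CPL and RPL (the numerically larger
   one) must still be allowed to reach the segment: max(CPL, RPL) <= DPL. */
static int data_load_ok(unsigned cpl, unsigned rpl, unsigned dpl) {
    unsigned effective = cpl > rpl ? cpl : rpl;
    return effective <= dpl;
}

/* Loading SS is stricter: RPL and DPL must both equal CPL. */
static int stack_load_ok(unsigned cpl, unsigned rpl, unsigned dpl) {
    return rpl == cpl && dpl == cpl;
}

int main(void) {
    uint16_t sel = make_selector(2534, 1, 2);   /* values from the slide example */
    struct selector s = split_selector(sel);
    printf("selector=0x%04X index=%u TI=%u RPL=%u table offset=%u\n",
           (unsigned)sel, s.index, s.ti, s.rpl, descriptor_offset(sel));
    printf("CPL=2 DPL=2: DS load %s\n", data_load_ok(2, s.rpl, 2) ? "ok" : "#GP");
    printf("CPL=2 DPL=1: DS load %s\n", data_load_ok(2, s.rpl, 1) ? "ok" : "#GP");
    /* A privileged caller using a selector handed in with RPL=3 is weakened. */
    printf("CPL=0 RPL=3 DPL=2: DS load %s\n", data_load_ok(0, 3, 2) ? "ok" : "#GP");
    printf("CPL=2 RPL=2 DPL=3: SS load %s\n", stack_load_ok(2, 2, 3) ? "ok" : "#GP");
    return 0;
}
```

The CPL=0, RPL=3 case shows why RPL exists: a kernel routine that keeps the caller's RPL in a passed-in selector cannot be tricked into touching a segment the caller itself could not load.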


Access to Code Segments

Transfer of control may result in a change of the executed code segment

When there are inter-segment detours

Transfer instructions: call (far), ret (far), jmp (far), int, iret, sysenter, sysexit, etc.

A privilege check is required to determine that the code in the original CS is allowed to jump to or call code within the target CS

No privilege check on near calls or near jumps

Code segment access rules differ from data access rules

The rules are different for

Accessing non-conforming code segments

Accessing conforming code segments


CPL Definition

The privilege level, i.e., the DPL (!), of the currently active CS from which the instructions are fetched

One exception: The currently active CS is conforming (C-Bit=1 in the CS descriptor)

The CPL is given by the DPL of the CS that called the currently active CS

Without the use of a call gate, effectively the CPL does not change when control is transferred to a new CS


Access to Code Segments (w/o Gates)

Information verified on this type of access: CPL, RPL, Destination DPL, Destination C-Bit


Access to Non-Conforming Code Segments

Most code segments are non-conforming:

Control transfer can only occur between same-privilege segments (except when a gate is used)


Example for valid access


Examples for Invalid Access


Access to Conforming Code Segments

Allows calls from a lower-privilege segment to a routine located in a higher-privilege segment

CPL does not change


Example of Valid Access


Example of Invalid Access


Jumping from a Higher-to-Lesser Privilege

iret can do the trick:

1) Push the desired initial values for CS:EIP, SS:ESP and EFLAGS on the current stack

2) Execute iret

Since the CS selector value on the stack indicates the “return” to a lesser privilege, SS:ESP is also loaded from the stack

3) The new CS selector points to a CS descriptor with a lower privilege DPL that becomes the new CPL

4) The new SS selector points to a SS descriptor with a lower privilege DPL


Gate Types

Call Gates

Used to control access to routines of a different code segment

Located in GDT or LDT

Interrupt Gates and Trap Gates

Used to control access to interrupt routines

Located in IDT

Task Gates

Used to control access between different tasks that do not necessarily consist of just one set of code and data segments

Located in GDT


Example Scenario

OS kernel may include a privilege zero CS containing procedures designed to handle requests from other programs

The service routines shall only be accessed by sufficiently privileged callers

➡ Need different “portals” to control the access to each procedure within the CS 



Call Gates

Controls which parts of one code segment can be accessed by another code segment

Safer form of transfer of control

Main Functions:

Specifies the code segment to access

Specifies the entry point for a routine in the specified code segment

Determines the required privilege level of the caller attempting to access the routine

If a stack change occurs, specifies the number of parameters to copy between the stacks


The Call Gate Descriptor

Target Code-Segment Selector (16 bits)

Specifies the descriptor of the code segment to be accessed

This selector is loaded in CS on transfer of control

Target Code-Segment Offset (32 bits)

Specifies the entry point for a routine in the specified code segment


The Call Gate Descriptor (cont.)

P (Present): Indicates that the descriptor is valid

DPL (Descriptor Privilege Level): Defines the minimum privilege level to use the gate

Type = 100b indicates a call gate descriptor

Parameter count: Number (0 - 31) of dwords to copy from the caller’s stack to the stack of the called procedure
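The fields listed on the two descriptor slides can be pulled out of the raw eight bytes as follows. This is an added example, not part of the original slides; the struct, the function names and the sample bytes are constructed here, and the bit positions assumed are those of the IA-32 call gate layout (offset 15:0 and selector in the low dword; parameter count, type, DPL, P and offset 31:16 in the high dword).

```c
#include <stdint.h>
#include <stdio.h>

struct call_gate {
    uint16_t target_selector;   /* loaded into CS on the transfer */
    uint32_t target_offset;     /* entry point inside the target segment */
    unsigned param_count;       /* dwords copied on a stack change (0-31) */
    unsigned type;              /* 4-bit type field */
    unsigned dpl;               /* least privilege allowed to use the gate */
    unsigned present;           /* P bit */
    int      is_call_gate;      /* system descriptor whose low type bits are 100b */
};

/* Constructed sample: selector 0x0008, offset 0x00101234, 2 parameters,
   DPL 3, P = 1, 32-bit call gate. */
static const uint8_t SAMPLE_GATE[8] =
    { 0x34, 0x12, 0x08, 0x00, 0x02, 0xEC, 0x10, 0x00 };

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static struct call_gate decode_call_gate(const uint8_t d[8]) {
    uint32_t lo = le32(d), hi = le32(d + 4);
    struct call_gate g;
    g.target_selector = (uint16_t)(lo >> 16);
    g.target_offset   = (hi & 0xFFFF0000u) | (lo & 0xFFFFu);
    g.param_count     = hi & 0x1Fu;
    g.type            = (hi >> 8) & 0xFu;
    g.dpl             = (hi >> 13) & 0x3u;
    g.present         = (hi >> 15) & 0x1u;
    /* S bit (bit 12) is 0 for system descriptors; bit 3 of the type only
       selects the 32-bit form, so 0100b and 1100b are both call gates. */
    g.is_call_gate    = ((hi >> 12) & 1u) == 0 && (g.type & 0x7u) == 0x4u;
    return g;
}

int main(void) {
    struct call_gate g = decode_call_gate(SAMPLE_GATE);
    printf("CS=0x%04X EIP=0x%08X params=%u type=0x%X DPL=%u P=%u call_gate=%d\n",
           (unsigned)g.target_selector, (unsigned)g.target_offset, g.param_count,
           g.type, g.dpl, g.present, g.is_call_gate);
    return 0;
}
```

When reviewing a GDT or LDT dump, a present call gate with DPL 3 is an entry point that any user-mode code may invoke, so the target selector and offset it decodes to deserve the same scrutiny as a system call handler.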


Far Call through a Call Gate


Control Transfer with Call Gates

A far pointer to the gate is provided as the target operand in a call or jmp statement: The selector of this pointer (first 16 bits) identifies the


Typical Use of Call Gates: Operating System

OS has services (routines) that can be used by both application programs and the OS itself

Call Gates can be defined for routines that allow access to all privilege levels (e.g. I/O routines)

More privileged call gates can be defined for routines that can only be called by the OS (e.g. driver initialization routines)


Access to Code Segments with Gates

Information verified on this type of access: CPL, RPL (selector to the call gate), DPLg (descriptor of the call gate), DPLs (descriptor of the target code segment)


Access to Conforming Code Segments

The current segment's privilege level must be greater than or equal to that of the call gate descriptor


Access to Non-Conforming Code Segments

Rules differ slightly depending on whether jmp or call is used with a call gate when the target segment is non-conforming


Example of Valid Access

If a call is made to a higher-privilege non-conforming segment, a stack swap occurs


Example of an Invalid Access


Stack change

Stack change occurs for two reasons

Prevent the most privileged routine from failing to execute properly due to insufficient stack space

Prevent lower privilege routines from interfering with higher privilege routines through shared stacks

The OS is responsible for creating stacks and stack descriptors of all privilege levels that are used (by a task) and for storing pointers to it in the Task State Segment (TSS)

TSS is pointed to by a type of system descriptor maintained in GDT

Even if the OS is not multitasking, if it runs in protected mode it is required to create at least one TSS
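The privilege checks for far transfers without gates (CPL, RPL, destination DPL, C-bit) and through call gates (CPL, RPL, DPLg, DPLs), together with the stack-change decision, can be written as two small decision functions. This is an added example, not part of the original slides; the type and function names are hypothetical, and the rules encoded are the IA-32 ones: direct transfers never change CPL, a gate is usable when CPL <= DPLg and RPL <= DPLg, and only a call to a more privileged non-conforming segment changes CPL and the stack.

```c
#include <stdio.h>

enum xfer { XFER_JMP, XFER_CALL };
struct code_seg { unsigned dpl; int conforming; };          /* DPLs and C-bit */
struct outcome  { int ok; unsigned new_cpl; int stack_switch; };

/* Far jmp/call straight to a code segment (no gate): CPL never changes. */
static struct outcome direct_transfer(unsigned cpl, unsigned rpl, struct code_seg t) {
    struct outcome r = { 0, cpl, 0 };
    if (t.conforming)
        r.ok = cpl >= t.dpl;                 /* RPL is not checked */
    else
        r.ok = cpl == t.dpl && rpl <= cpl;   /* same privilege only */
    return r;
}

/* Far jmp/call through a call gate with privilege dplg to segment t. */
static struct outcome gate_transfer(enum xfer kind, unsigned cpl, unsigned rpl,
                                    unsigned dplg, struct code_seg t) {
    struct outcome r = { 0, cpl, 0 };
    if (cpl > dplg || rpl > dplg) return r;  /* caller may not use this gate */
    if (t.dpl > cpl) return r;               /* a gate never lowers privilege */
    if (!t.conforming && t.dpl < cpl) {
        if (kind == XFER_JMP) return r;      /* jmp cannot raise privilege */
        r.new_cpl = t.dpl;                   /* call: CPL becomes DPLs ... */
        r.stack_switch = 1;                  /* ... and the new stack comes from the TSS */
    }
    r.ok = 1;
    return r;
}

int main(void) {
    struct code_seg kernel = { 0, 0 }, shared = { 0, 1 };
    struct outcome a = direct_transfer(3, 3, kernel);
    struct outcome b = direct_transfer(3, 3, shared);
    struct outcome c = gate_transfer(XFER_CALL, 3, 3, 3, kernel);
    struct outcome d = gate_transfer(XFER_JMP, 3, 3, 3, kernel);
    struct outcome e = gate_transfer(XFER_CALL, 3, 3, 0, kernel);
    printf("direct, non-conforming DPL0 from CPL3: ok=%d\n", a.ok);
    printf("direct, conforming DPL0 from CPL3:     ok=%d cpl=%u\n", b.ok, b.new_cpl);
    printf("call via DPLg=3 gate: ok=%d cpl=%u stack_switch=%d\n",
           c.ok, c.new_cpl, c.stack_switch);
    printf("jmp via DPLg=3 gate:  ok=%d\n", d.ok);
    printf("call via DPLg=0 gate: ok=%d\n", e.ok);
    return 0;
}
```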


Stack Change between Different PL Routines


Overview


Using Call Gates Nowadays

Call gates fell out of use some time ago

Especially after Pentium

Today's operating systems allow access to higher-privilege routines through official interfaces with system calls

Accessible through system interrupts, e.g., int 80H (Linux) …

… or through instructions like sysenter (32-bit) or syscall (64-bit)

However, a special type of Call Gate is used for calling interrupt handling routines
