iAPX86 Protection
Electronic Computers M
Protection
• The protection mechanism is active only after PE is set in CR0 and is applied before any access (this guarantees that the intervention is not too late)
• Multitasking (multiple processes) -> the system must prevent uncontrolled access by a process to the memory space of another process…
• …and the use of excessive physical space
• An example: uncontrolled stack growth. In segmented-only systems (i.e. 8086), if a process stack overflows it can overwrite the segment of another process. (This is not possible in a paged system, since if a page must be overwritten it must first be written back to the disk.) But a process could try to use all physical pages!
• Protection is based on the segment descriptor mechanism and covers both static protection (i.e. segment size) and dynamic protection (access permits for read/write/execute)
Protection: general criteria
The protection system controls the access to privileged instructions, to I/O instructions, to segments and their descriptors, and is based on the comparison between different privilege levels (access rights). For instance: it checks whether a segment can be written, whether it can be executed, whether an intra- or inter-code-segment jump is allowed. An error triggers a fault and the intervention of the OS.
The protection is implemented by means of the following three mechanisms:
1) Process isolation
2) Segment access type verification
3) Privilege level management
For the access type verification the check is made upon the load of a selector into a segment register:
• The data segment registers (DS, ES, FS and GS) can be loaded only with data segment selectors or readable code segment selectors
• The code segment register (CS) can be loaded only with code segment selectors
• The LDTR register can be loaded only with LDT table selectors
• The TR register can be loaded only with TSS selectors (see later)
• No call gate (see later) or task gate selector can be loaded in a segment register
iAPx Protection system
[Figure: the four privilege levels 0, 1, 2, 3]
• Op. Sys. Kernel: process management, memory management, I/O management…
• Op. Sys. Services: peripheral device drivers
• Op. Sys. Services: services for applications (I/O request management, memory allocation requests etc.)
• Applications: user programs
The controlled levels
EPL (Effective Privilege Level) is the maximum value (that is, the minimum privilege level) between CPL and RPL.
DPL (Descriptor Privilege Level) is the segment privilege level stored in its segment descriptor. It indicates which protection level the segment belongs to.
CPL (Current Privilege Level) is the privilege level of the CS (the least significant bits of CS), that is, of the running task. This is the DPL of the code segment being executed. CPL changes during a process execution, since the privilege level can change through controlled jumps (see later).
Conforming Segment: a code segment which takes, during its execution, the privilege of the calling segment. The use of conforming segments must be carefully considered, since if they include several procedures these all have the same characteristic and therefore all of them (see later) could be used, for instance, by lower privilege level processes. An example: a set of mathematical routines.
RPL (Requestor Privilege Level) is the privilege level of the selector used by the program for addressing a data item or a destination (in case of a jump).
The protection philosophy is that a process can access data of the same or less privilege and can use procedures of higher or equal privilege (through controlled access).
Data protection
Data can be accessed if the descriptor PL has the same privilege level (or lower), that is, if its PL is greater than or equal to the value of the EPL.
The check occurs when the program tries to load the descriptor into the segment register.
[Figure: CHECK of the CPL in the code segment register (INDEX, T, CPL) and of the RPL in the operand segment register (INDEX, T, RPL; DS for instance) against the operand segment descriptor.]
[Operand segment descriptor, high dword, bit positions 31 24 19 16 14 13 11 8 7 0: Base 31:24, G, DB, 0, AVL, Limit 19-16, P, PL, S, Type, Base 23:16. Low dword: Limit 15:00, Base 15:00.]
An example: DS
Let’s suppose that in CS the CPL is 1.
mov ax, 4F36h ; load the selector into ax (LDT, RPL=2): 0100 1111 0011 0110
mov ds, ax ; and into ds (privilege check!)
mov al, [0100h] ; read the 257th byte (do not forget zero)
…
mov [2100h], al ; …and write it at segment location 2100h
The selector index points to slot 09E6h = 2534 decimal (the 13 MSBits of the selector) in the LDT (max val 8192).
Descriptor content (descriptor number 09E6), following the descriptor template (bit positions 31 24 19 16 14 13 11 8 7 0):
Base 31:24 = 00, G = 0, DB = 1, 0, AVL = 0, Limit 19-16 = 0, P = 1, PL = 2, S = 1, Type = 3, Base 23:16 = 08H
Limit 15:00 = 7B3EH, Base 15:00 = 3EA0H
Base = 00083EA0 (virtual); Size = 07B3E; Granularity = 0 => byte; DB = 1 => parallelism 32; segment present; Privilege = 2; S = 1 => user. Notice 2100 < 7B3C: access within the boundaries.
Type bits C/D, E, W, A: C/D = 0 => data; E = 0 (expand up/down, only for stack segments); W = 1 => writable; A = 1 => segment already used (set to 1 by the system)
EPL = 2 (max val between CPL=1 and RPL=2): access granted
An example: DS
Upon the DS load, the small cache (8 bytes, the segment descriptor) linked to the DS is loaded with the segment descriptor and the privilege check is made.
The segment can be accessed since EPL <= DPL, and therefore the selector can be loaded in the segment register.
During the execution of the third instruction the system checks that the address is within the segment size boundary (100 < 7B3E). The byte is therefore read at address 83FA0H (83EA0 + 100).
During the execution of the fourth instruction the system checks not only the boundary but also whether the segment is writable.
The byte is then written at linear address 00085FA0H (83EA0 + 2100). The physical address depends on the paging mechanism (if any).
To be noticed
In the previous example selector value 09E6 is the number which is produced after compilation and load. It could be a selector transferred as a parameter on the stack, or a selector pointing to a segment defined in the context of the program.
Possibly it could be a constant pointing to a GDT segment. But all GDT segments normally (not necessarily) have a privilege level higher than 3, and if the segment privilege level were 0 or 1 a General Protection fault would be triggered, since the requestor privilege level is 2 (although the CPL is 1).
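The DS example above, worked through in C as an added example (not code from the original slides): it splits selector 4F36h, decodes the descriptor content shown on the slide, and applies the load-time privilege check and the per-access limit and write checks. The packing of the descriptor into two 32-bit words (0x3EA07B3E and 0x0040D308), all type and function names, and the treatment of the limit as the last valid offset are assumptions of this sketch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example: names and the two-dword packing are assumptions. */
typedef struct { unsigned index, ti, rpl; } selector_t;
typedef struct { uint32_t base, limit; unsigned dpl, present, is_code, writable; } segdesc_t;
typedef enum { ACCESS_OK, FAULT_PRIVILEGE, FAULT_NOT_PRESENT,
               FAULT_LIMIT, FAULT_READ_ONLY } check_t;

/* Selector = 13-bit index | table indicator (1 = LDT) | 2-bit RPL. */
selector_t split_selector(uint16_t sel) {
    selector_t s = { sel >> 3, (sel >> 2) & 1u, sel & 3u };
    return s;
}

/* Decode the fields of the descriptor template from its two dwords. */
segdesc_t decode_descriptor(uint32_t lo, uint32_t hi) {
    segdesc_t d;
    d.base = (hi & 0xFF000000u) | ((hi & 0xFFu) << 16) | (lo >> 16);
    d.limit = (hi & 0x000F0000u) | (lo & 0xFFFFu);
    if (hi & (1u << 23))                          /* G=1: limit in 4 KB pages */
        d.limit = (d.limit << 12) | 0xFFFu;
    d.present = (hi >> 15) & 1u;
    d.dpl = (hi >> 13) & 3u;
    d.is_code = (hi >> 11) & 1u;                  /* C/D bit of the type field */
    d.writable = !d.is_code && ((hi >> 9) & 1u);  /* W bit, data segments only */
    return d;
}

/* Check made when the selector is loaded into a data segment register:
   EPL = max(CPL, RPL) must not be numerically greater than the DPL. */
check_t check_load(unsigned cpl, selector_t s, segdesc_t d) {
    unsigned epl = cpl > s.rpl ? cpl : s.rpl;
    if (epl > d.dpl) return FAULT_PRIVILEGE;
    if (!d.present) return FAULT_NOT_PRESENT;
    return ACCESS_OK;
}

/* Check made on every access of `size` bytes at `offset`
   (expand-up segment; the limit is taken as the last valid offset). */
check_t check_access(segdesc_t d, uint32_t offset, uint32_t size, bool write) {
    if (size == 0 || offset > d.limit || size - 1 > d.limit - offset)
        return FAULT_LIMIT;
    if (write && !d.writable) return FAULT_READ_ONLY;
    return ACCESS_OK;
}

/* Linear address the access resolves to (before paging, if any). */
uint32_t linear_address(segdesc_t d, uint32_t offset) { return d.base + offset; }

int main(void) {
    /* Values from the slide: selector 4F36h, CPL = 1, descriptor 09E6 of the LDT. */
    selector_t s = split_selector(0x4F36);
    segdesc_t d = decode_descriptor(0x3EA07B3Eu, 0x0040D308u);
    printf("index=%03X ti=%u rpl=%u dpl=%u\n", s.index, s.ti, s.rpl, d.dpl);
    printf("load=%d write[2100h]=%d linear=%08X\n", (int)check_load(1, s, d),
           (int)check_access(d, 0x2100, 1, true), (unsigned)linear_address(d, 0x2100));
    return 0;
}
```
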
Example: SS
Here it is assumed that CPL is 3.
mov ax, 02FFh ; load 02FF into ax (LDT; RPL=3): 0000 0010 1111 1111
mov ss, ax ; …into SS (selector index = 05Fh = 95 decimal) (protection check)
mov esp, 07B3Eh ; 00007B3E into ESP
push bx ; save bx, 16 bit (stack word oriented)
mov bx, [0100h] ; into bx a 16-bit datum read at address 100 of the segment pointed to by DS
add cx, bx ; the sum in cx
pop bx ; restore bx
Descriptor content (selector number 05F), following the descriptor template (bit positions 31 24 19 16 14 13 11 8 7 0):
Base 31:24 = 00H, G = 0, DB = 1, 0, AVL = 0, Limit 19-16 = 0, P = 1, PL = 3, S = 1, Type = 3, Base 23:16 = 08H
Limit 15:00 = 7B3EH, Base 15:00 = 3EA0H
Base = 00083EA0; Size = 07B3E; Granularity = 0 => byte; DB = 1 => max size FFFFFFFF; segment present; Privilege level = 3; S = 1 => user
Type bits C/D, E, W, A: C/D = 0 => data; E = 0 => downward expansion; W = 1 => writable; A = 1 => used (set to 1 by the system)
EPL = 3: access granted
For each POP and PUSH the processor checks the stack superior limit (07B3E) and inferior limit (0000).
Segment and page level protection
The system first checks the privilege in the descriptor and then the page level protection. A data segment could be of level 3 (and therefore accessible by programs at levels 0, 1, 2 and 3) but one of its pages could be of supervisor type (for instance because it is shared, or because the page is aliased and updated by the OS). In this case a fault occurs.
[Figure: Page Table Entry. Bits 31-12: page base address 31:12. Bits 11-9: Avail (software usable). Bits 8-7: 0. Bit 6: D, dirty (written). Bit 5: A, used. Bit 4: PCD, page cache disable. Bit 3: PWT, page write through. Bit 2: U, user/supervisor. Bit 1: W, writable. Bit 0: P, present.]
Not used in the first protected processors.
Jump/Branch protection
A call to a higher privilege procedure is possible only by means of a call gate or an interrupt.
• A jump (branch) within the same procedure (intrasegment) is always allowed (provided the destination address is within the segment boundary)
• A segment can use only code of the same or higher privilege (never lower privilege) (the higher the privilege, that is the smaller the value, the safer the code is considered)
• A jump (JMP or CALL) to a procedure of the same privilege level is always possible directly (without CALL GATE, see later)
• A direct call to a higher privilege conforming procedure is always possible
• A call to a higher level non-conforming procedure requires the use of a CALL GATE (i.e. OS call)
• A jump or call to a procedure of the same privilege level can use a CALL GATE too
• In all other cases: fault
Call protection
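[Figure: CHECK of the calling code segment selector (INDEX, T, CPL) and of the called segment selector (INDEX, T, RPL) against the called code segment descriptor.]
[Called code segment descriptor, high dword, bit positions 31 24 19 16 14 13 11 8 7 0: Base 31:24, G, DB, 0, AVL, Limit 19-16, P, PL, S = 1, Type, Base 23:16. Low dword: Limit 15:00, Base 15:00.]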
CALL GATES
A CALL GATE is a particular segment descriptor which doesn’t correspond to any data structure in memory but which stores all the security information that allows the change of the code privilege level.
A CALL GATE has its own privilege level, and the code change to a higher privilege level is allowed only if
DPL_destination ≤ EPL ≤ DPL_gate (numerical values)
that is
Destination privilege ≥ calling privilege ≥ call gate privilege
NB: There is an automatic transfer to a lower privilege level (after the transfer to a higher privilege level) only through a RETURN from a higher level routine (RET from subroutine or IRET in case of interrupts).
Call gates
The CALL GATE is used to define the called code segment and the specific procedure entry point.
[Figure: procedures at privilege levels PL0, PL1, PL2 and PL3, reached through GATEs.]
Call gate
[Call gate layout, high dword, bit positions 31 16 14 13 11 8 7 5 4 0: Offset 31:16, P, PL, S, X, Type, 000, Dword count. Low dword: Offset 15:00, Selector 15:00.]
The CALL GATE stores the selector of the descriptor of the segment which includes the called procedure. The offset in this case is the called procedure entry point.
The called procedure PL value must be smaller than or equal to that of the calling procedure, while the Call Gate PL value must be greater than or equal to that of the calling procedure.
P: present in memory (not used)
PL: protection level
S: must be 0 (supervisor)
X: indicates if this is a 16 or 32 bit CALL GATE
Type: must be 100
Dword count: the number (max. 31) of DWORDS (data) which must be copied from the stack of the calling procedure onto the stack of the called procedure (see tasks: each task has four stacks, one for each privilege level, for security purposes). When a larger amount of data must be transferred, a pointer to the data area is loaded onto the stack.
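Call gate
DPL_target ≤ MAX (CPL, RPL) ≤ DPL_gate
[Figure: CHECK of the CPL in the code segment register (INDEX, T, CPL) and of the RPL of the call gate pointing selector (INDEX, T, RPL; this is the selector within the CALL address) against the call gate descriptor and the segment descriptor of the called procedure.]
[Call gate descriptor, high dword, bit positions 31 16 14 13 11 8 7 5 4 0: Offset 31:16, P, PL, S, X, Type, 000, Dword count. Low dword: Offset 15:00, Selector 15:00.]
[Segment descriptor of the called procedure, high dword, bit positions 31 24 19 16 14 13 11 8 7 0: Base 31:24, G, DB, 0, AVL, Limit 19-16, P, PL, S = 1, Type, Base 23:16. Low dword: Limit 15:00, Base 15:00.]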
An example (part 1)
It is assumed that in CS the CPL is 1.
call 0063h:0000h ; level 3 call request to a level 0 procedure (see its segment descriptor on the next page) through a call gate located at the thirteenth slot (value 12 decimal) of the GDT; the offset 0000 is not used
Selector 63H = 0000 0000 0110 0 011: index = 00C (0CH = 12 decimal), GDT, RPL = 3
N.B. A segment can include multiple procedures, and for each one of them a CALL GATE must exist. But even the same procedure can have multiple entry points, and therefore in this case too a CALL GATE must exist for each one of them! The Call Gate in this case must have PL=3 (since the requestor RPL is 3).
An example (part 2)
Call Gate in slot 12 of the GDT, following the call gate template (bit positions 31 16 14 13 11 8 7 5 4 0):
Offset 31:16 = 0000H, P = 1, PL = 11, S = 0, X = 1, Type = 100, 000, Dword count = 00010
Offset 15:00 = 3400H, Selector 15:00 = 0150H
P = 1: segment present (although without meaning)
PL = 3: privilege level 3
S = 0: always for a CALL GATE (supervisor)
X = 1: 32 bit CALL GATE
Type = 100: always for a CALL GATE
Dword count = 2: two dwords must be copied between the stacks
Offset = 00003400H
Selector = 150H => index 2AH = 42d, GDT, RPL = 0 (no meaning)
An example (part 3)
Target segment descriptor pointed to by the Call Gate (actual descriptor in slot 42d of the GDT), following the descriptor template (bit positions 31 24 19 16 14 13 11 8 7 0):
Base 31:24 = 00H, G = 0, DB = 1, 0, AVL = 0, Limit 19-16 = 1, P = 1, PL = 00, S = 1, Type = 1001, Base 23:16 = 13H
Limit 15:00 = EE3DH, Base 15:00 = 1BCCH
G = 0: granularity -> byte; P = 1: present; D = 1 -> 32 bit; PL = 0: level 0; Base = 00131BCCH; Size = 1EE3DH
Type bits C/D, C, R, A: C/D = 1: code; Conforming = 0 (not conforming); R = 0: execution only; A = 1: used
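The call gate example (parts 1 to 3) checked in C, as an added example that is not part of the original slides: it decodes the gate in slot 12 and applies the rule DPL_target ≤ MAX (CPL, RPL) ≤ DPL_gate exactly as the slides state it. The packing of the gate into two 32-bit words (0x01503400 and 0x0000EC02), the high dword 0x00419913 for the target descriptor, and all names are assumptions of this sketch.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: names and the dword packing are assumptions. */
typedef struct {
    uint16_t target_selector;   /* selector of the called code segment */
    uint32_t offset;            /* entry point inside that segment */
    unsigned present, dpl, is_call_gate, is_32bit, dword_count;
} callgate_t;

typedef enum { CALL_OK, FAULT_NOT_A_GATE, FAULT_GATE_PRIVILEGE,
               FAULT_TARGET_NOT_CODE, FAULT_TARGET_PRIVILEGE } call_t;

/* Index part of a selector (its 13 most significant bits). */
unsigned selector_index(uint16_t sel) { return sel >> 3; }

/* Decode the call gate template from its two dwords. */
callgate_t decode_call_gate(uint32_t lo, uint32_t hi) {
    callgate_t g;
    g.target_selector = (uint16_t)(lo >> 16);
    g.offset = (hi & 0xFFFF0000u) | (lo & 0xFFFFu);
    g.present = (hi >> 15) & 1u;
    g.dpl = (hi >> 13) & 3u;
    g.is_32bit = (hi >> 11) & 1u;                    /* X bit */
    g.is_call_gate = ((hi >> 12) & 1u) == 0          /* S = 0 */
                     && ((hi >> 8) & 7u) == 4u;      /* Type = 100 */
    g.dword_count = hi & 0x1Fu;
    return g;
}

/* Rule from the slides: DPL_target <= MAX(CPL, RPL) <= DPL_gate.
   target_hi is the high dword of the descriptor the gate points to. */
call_t check_gate_call(unsigned cpl, uint16_t gate_sel, callgate_t g,
                       uint32_t target_hi) {
    unsigned rpl = gate_sel & 3u;
    unsigned epl = cpl > rpl ? cpl : rpl;
    unsigned target_dpl = (target_hi >> 13) & 3u;
    if (!g.is_call_gate) return FAULT_NOT_A_GATE;
    if (epl > g.dpl) return FAULT_GATE_PRIVILEGE;
    if (((target_hi >> 11) & 3u) != 3u)              /* S = 1 and C/D = 1 */
        return FAULT_TARGET_NOT_CODE;
    if (target_dpl > epl) return FAULT_TARGET_PRIVILEGE;
    return CALL_OK;
}

/* Bytes copied from the caller's stack to the called level's stack. */
unsigned stack_bytes_copied(callgate_t g) { return g.dword_count * 4u; }

int main(void) {
    /* Values from the slides: call 0063:0000 with CPL = 1. */
    callgate_t g = decode_call_gate(0x01503400u, 0x0000EC02u);
    printf("gate slot %u -> slot %u, entry %08X, copy %u bytes, result %d\n",
           selector_index(0x0063), selector_index(g.target_selector),
           (unsigned)g.offset, stack_bytes_copied(g),
           (int)check_gate_call(1, 0x0063, g, 0x00419913u));
    return 0;
}
```
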
Call gates
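[Figure: the SELECTOR of the CALL address selects the GATE, while its OFFSET (bits 31-0) is not used. The GATE holds OFFSET, COUNT, SELECTOR and DPL. The gate's SELECTOR selects the CODE segment descriptor (BASE, DPL), and BASE + the gate's OFFSET gives the entry point.]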
Interrupts
The interrupt type is multiplied by 8 (number of bytes of a descriptor) and used as a selector into a descriptor table where the CALL GATES for the response subroutines are stored. The table is pointed to by a register (Interrupt Descriptor Table Register).
Interrupt descriptor table: max 256 Interrupt Gates -> 2KB (256*8)
Data are stored into the IDTR by means of a privileged instruction (LIDT). The interrupt gates table is no longer stored in the lower memory addresses.
The interrupts can be software triggered (instruction INT n).
The interrupt handling mechanism is identical to that used in the 8086. When an interrupt is acknowledged the processor sends a double INTA* and during the second INTA* the Interrupt Type is read.
Interrupts
[Figure: the IDTR register holds the IDT base address (bits 31-0) and the IDT limit (bits 15-0). IDT base address + interrupt type * 8 selects one gate of the Interrupt Descriptor Table: Gate interrupt 0, Gate interrupt 1, Gate interrupt 2, … Gate interrupt n, … Gate interrupt 255.]
Interrupts
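[Figure: the INTERRUPT type (external interrupts, faults, traps) selects an Interrupt Gate in the IDT. The gate points to a SEGMENT DESCRIPTOR in the GDT or LDT; the descriptor plus the gate OFFSET gives the interrupt procedure (INT. PROC.) in the DESTINATION CODE SEGMENT.]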
Interrupt Gate
[Interrupt gate layout, high dword, bit positions 31 16 14 13 11 8 7 5 4 0: Offset 31:16, P, PL, S, X, Type = 110, 000, Reserved. Low dword: Offset 15:00, Selector 15:00.]
P: Present (not used)
PL: Protection level
S: must be 0 (system)
X: whether it is a 32 bit INTERRUPT GATE
Type: must be 110
RESERVED: not used
The INTERRUPT GATE stores the handler segment selector and entry point.
In case of a hw interrupt the PL has no meaning. In case of a sw interrupt, trap etc. the PL must be greater than or equal to that of the calling procedure.
• TRAP gates are identical but the IF is not reset upon the interrupt acknowledge
• If the handler privilege level is smaller than that of the calling procedure (CPL): fault
• Instead of the interrupt gate a task gate can be used (see later)
• A task can trigger a software interrupt which in turn activates another higher priority task
Task
What is a TASK ?
Each application program is made of several segments (code, data, stack etc.). During the execution the segments are dynamically used. Their set is called a task.
A TASK can be executing, or waiting (for instance because of a page fault), or ready (waiting for its time slot). The handling of this information depends on the OS. In the last case all information needed for the execution restart must be available (for instance all registers). This means that it must have been saved beforehand.
For each task, therefore, a Task State Segment (TSS) is set up by the OS, which has its own descriptor residing in the GDT. The creation of the TSS is achieved by means of the aliasing mechanism. When a task is suspended the state vector is automatically saved in the TSS via hardware.
Task
In all systems a task executes only temporarily and then is suspended, in order to achieve a “parallel” execution of all system tasks.
The length of the execution time slot (unless blocking events occur: I/O, page/segment fault, exceptions etc.) is an OS parameter. The ready tasks are inserted in a round robin list (normally, but there are cases of high priority tasks). The OS scheduler activates the top of the list after each time slot.
The task switch automatically saves in the TSS, via hardware, all information needed for the task restart.
A task is activated by means of a JMP or a CALL to a TSS descriptor. In the TSS (not in its descriptor!) the entry point is stored (that is, the pointer to the first not yet executed instruction).
Task State Segment
[Figure: Task State Segment layout, offsets in bytes up to 68H. Labels: link field, higher level stacks, paging (!), level 3 stack, 16 bit selectors, I/O permission bit map.]
Link Field: selector of the task suspended because of this task (i.e. an interrupt), which will be restarted by an IRET.
A bit for each I/O address -> 8 Kbyte = 65536 bits max. Where a 1 is stored the corresponding device can be used no matter what the value of the IOPL is (see later).
(In the shadow register associated to TR)
TSS
The TSS is not of fixed size and is at least 67h bytes long: locations with 0s are reserved. The number of I/O permissions is given by the segment size.
Among other information the TSS stores the pointer to be stored in CR3 (physical address of the first level page table).
For security reasons (for instance, the calling procedure stack could be too small for the following CS:IP push -> stack overflow), upon a call to a more privileged procedure a stack specific to that level is used.
I/O access protection
In the 8086 any program can use the I/O instructions: this is the basis of a possible «I/O anarchy».
For instance: the running task needs to access a disk and sends OUT commands to define the sector, the cylinder and the number of bytes to be transferred. During this phase it could be interrupted by another task which alters these parameters. When the suspended task resumes it is unaware that these parameters were changed, and the outcome is unpredictable.
It follows that the I/O operations must be queued and coordinated by the OS.
FLAGS
[Figure: FLAGS register, bits 31 to 0]
Bits 31-22: 0
Bit 21: ID, Identification
Bit 20: VIP, Virtual Interrupt Pending
Bit 19: VIF, Virtual Interrupt
Bit 18: AC, Alignment check
Bit 17: VM, Virtual 8086 Mode
Bit 16: RF, Resume flag
Bit 15: 0
Bit 14: NT, Nested Task
Bits 13-12: IOPL, Input/Output Privilege Level
Bit 11: OF, Overflow
Bit 10: DF, Direction
Bit 9: IF, Interrupt Enable
Bit 8: TF, Trap
Bit 7: SF, Sign
Bit 6: ZF, Zero
Bit 5: 0
Bit 4: AF, Auxiliary
Bit 3: 0
Bit 2: PF, Parity
Bit 1: 1
Bit 0: CF, Carry
Flags are saved in the TSS upon an interrupt and restored when the task is resumed.
A task was interrupted and must therefore be resumed after the IRET of the interrupting task.
I/O protection
The Bit Permission Map is not necessary if CPL is always lower than IOPL (i.e. OS) or the task never needs I/O instructions.
If the running task CPL is lower than (or equal to) the IOPL (that is, the task is more privileged) it can execute the following instructions:
• IN (I/O input)
• OUT (I/O output)
• INS (Input String)
• OUTS (Output String)
• CLI (Clear interrupt flag)
• STI (Set interrupt flag)
otherwise fault… unless a permit for the specific address is present in the task I/O permission bit map. This TSS map stores a bit for each of the possible 65536 I/O addresses: if it is set, one of the previous instructions can be executed for that address (but not CLI and STI) even if CPL > IOPL.
Theoretically 8K (64K/8) would be necessary for each TSS in order to store the entire Bit Permission Map. But it is only necessary to store this map up to the maximum address whose bit is set, since this is automatically defined by the TSS size which is present in the TR descriptor!
Task State Segment Descriptor
[TSS descriptor, high dword, bit positions 31 24 19 16 14 13 11 8 7 0: Base 31:24, G, 0, 0, AVL, Limit 19-16, P, PL, S, Type = X 0 B 1, Base 23:16. Low dword: Limit 15:00, Base 15:00.]
G = granularity (byte/page); P = 1: present; S = system/user; PL = protection level (no meaning, it is however zero)
X = 16 or 32 bit TSS; B = busy bit
Busy bit!! When set, the task was triggered by another task and its TSS stores in its LINK field the pointer to the calling task. This prevents the called task from calling in turn the calling task, otherwise a deadlock would occur (a fault: the return chain would be interrupted). This is not the case if a JUMP is used to trigger a task (Busy Bit reset, no return).
Task activation
The OS builds, through aliasing, a descriptor in the GDT. A task activation (trigger) occurs by means of a JUMP or a CALL selecting one of the following elements:
1. A CALL GATE which points to a TSS descriptor
2. A TASK GATE (see later) which points to a TSS descriptor
The architecture has a TR (task register) which stores the TSS selector. Its base address and size are automatically stored in the register cache when the task is activated.
[Figure: TR register. Visible part, bits 15-0: descriptor table index (bits 15-3), 0 (bit 2), 00 (bits 1-0). Invisible part: initial address (bits 31-0), size, attributes.]
TASK gate
[Task gate layout, bit positions 31 16 14 13 10 8 7 0. High dword: Reserved, P, PL, 0, Type, Reserved. Low dword: TSS selector (15:00), Reserved.]
P: Present (no meaning)
PL: Protection level
S: must be 0 (no meaning)
X: whether a 16 or 32 bit CALL GATE
Type: 101
A TASK GATE is a CALL GATE pointing to a task instead of a procedure. The offset in this case has no meaning.
Events which trigger a context switch
• A direct jump or a “far” call pointing to a TSS descriptor in the GDT (possible only if CPL = DPL of the TSS descriptor, that is only if the originating call/jump is at level 0, since the PL of a TSS descriptor is always 0!)
• A jump or a “far” call to a Task Gate pointing to a TSS descriptor in the GDT (same rules as the Call Gates, but the DPL of the TSS descriptor, which is always 0, is ignored). This means that only the Task Gate PL is checked
• Hardware interrupt (or exception). If in the IDT a Task Gate is selected, the task is activated without further privilege level check
In any case the TR is loaded with the TSS selector and the invisible registers with the corresponding values of the TSS.