1
iAPX86 Protection
Electronic Computers M
2
Protection
• The protection mechanism is active only after PE setting in CR0 and is used before any access (this grants that the intervention is not too late)
• Multitasking (multiple processes) > the system must prevent an uncontrolled access of a process to the memory space of another…..
• …..and that an excessive physical space is used
• An example: uncontrolled stack growth. In segmented system only if a process stack overflows it can overwrite the segment of another process. (This is not possible in a paged system since if a page must be overwritten is must be first written back to the disk). But a process could try to use all physical pages !
• Protection: is based on the segment descriptor mechanism and regards both the static protection (i.e. segment size) and the dynamic protection (access permits for read/write/execute)
3
Protection: general criteria
The protection system controls the access to privileged instructions, to I/O instructions, to segments and their descriptors and is based on the comparison between different privilege levels (access rights).For instance: check whether a segment can be written, can be executed, whether a jump intra- or inter- code segments is allowed An errors triggers a fault
The protection is implemented by means of the following three mechanisms: 1) Processes isolation2) Segment access type verification3) Privilege levels management
• No call gate or task gate selector can be loaded in a segment register.
For the access type verification the check is made upon the load of a selector into a segment register:
• The data segment registers (DS,ES,FS e GS) can be loaded only with data segment selectors or readable code segments selectors
• The code segment register (CS) can be loaded only with code segment selectors
• LDTR register can be loaded only with LDT table selectors.
• TR register can be loaded only with TSS selectors (see later)
4
iAPx Protection system
0
1
2
3
Op. Sy. KernelProcess managementMemory managementI/O management…
Op. Sys. ServicesPeripheral devices drivers
ApplicationsUser programs
0
1
2
3
Op. Sys. ServicesServices for applications: I/O requests management, memory allocation requests etc.
5
The controlled levels
EPL: (Effective Privileg Level) is the maximum value (that is the minimum privilege level) between CPL e RPL
DPL (Descriptor Privilege Level) is the privilege level stored in a segment descriptor
CPL (Current Privilege Level) is the privilege level of the CS (the least significant bits of CS). This is the DPL of the executed segment code. CPL changes during a process execution since through controlled jumps the privilege level can change( see later)
Conforming Segment: a code segment which takes during its execution the privilege of the calling segment. The use of conforming segments must be carefully considered since if they include several procedures they have all the same characteristic and therefore all (see later) could be used for instance by lower privilege level processes . An example: a set of mathematical routines
RPL (Requestor Privilege Level) is the privilege level of the selector used for addressing a data or a destination (in case of jump). It is the privilege level of the segment whose selector is loaded in a data segment register
The protection philosophy is that a process can access data of the same or less privilege and can use procedures of higher or equal privilege (through controlled access).
6
Data protection
OPERAND SEGMENT DESCRIPTOR
CODE SEGMENT REGISTER
OPERAND SEGMENT REGISTER
CHECK
Data can be accessed if the descriptor PL has the same privilege level (or lower) that is greater or equal value of the EPL
31 24 19 16 14 13 11 8 7 0
Base 31:24 GDB
0AV
Limit19-16
PPL
S TypeBase23:16
Limit 15:00Base 15:00
CPLINDEX CPLT
INDEX RPLT
(DS for instance)
7
It is assumed that in CS the CPL is 1
mov ax, 4F36 ; load in ax the selector ( LDT RPL=2 ); 0100 1111 0011 0110
mov ds, ax ; and in ds (privilege check)mov al, [0100] ; read the 257-th byte (do not forget zero..)…mov [2100], al ; ….and write it in segment location location 2100h
An example: DS
The selector index points to slot 09E6h=2534d (the 13 MSBits of the selector) in the LDT (max val 8192). For instance
00 0100 0 1 2 1 3 08H
7B3EH3EA0H
Base = 00083EA0 (virtual) Size =07B3E Granularity=0 =>byteDB=1=Parallelism=32 Segment present Privilege=2S=1= User Notice 2100<7B3C: access within the boundaries
31 24 19 16 14 13 11 8 7 0
Base 31:24 GDB
0AV
Limit19-16
PPL
S TypeBase23:16
Limit 15:00Base 15:00
C/D E W A
C/D=0=data E=0 (expand up/down – only for stack segments)W=1=writable A=1=segment already used (set to 1 by the system)
HEXDescriptor
Template
Content
09E6
EPL=2 (max val between CPL=1 e RPL=2) access granted
Descriptor number
09E6
8
An example: DS
The byte is then witten at linear address 00085FA0H. The physical address depends on the paging mechanism (if any)
The segment can be accessed since EPL<=DPL and therefore the selector can be loaded in the sement register
Upon the DS load the small cache (8 bytes – segment descriptor ) linked to the DS is loaded with the segment descriptor and the privilege check is made
During the execution of the third instruction the system checks that the address is within the segment size boundary (100< 7B3E). The byte is therefore read at address 83FA0H.
During the execution of the fourth instruction the system checks not only the boundary but also whether the segment is writable.
9
To be noticed
Possibly it could be a constant pointing to a GDT segment. But all GDT segments have normally (not necessarily) privilege level higher that 3 and if the segment privilege level would be 0 or 1 a General Protection fault would be triggered since the requestor privilege level is 2 (although the CPL is 1)
In the previous example selector value 09E6 is the number which is produced after compilation and load. It could be a selector trasferred as a paramenter on the stack or a selector pointing to a segment defined in the context of the program
10
mov ax, 02FF ; load in ax 02FF (LDT; RPL=3) ….; ….. 0000 0010 11111111
mov ss, ax ; .. in SS (selector index =05Fh=95d) (protection
check)mov esp, 07B3E ; 00007B3E in ESPpush bx ; save bx -16 bit (stack word oriented)mov bx,[0100] ; in bx a 16 bit data read at address 100 of the
; segment pointed by DS add cx, bx ; the sum cxpop bx ; restore bx
Example: SS
31 24 19 16 14 13 11 8 7 0
Base 31:24 GDB
0AV
Limit19-16
PPL
S TypeBase23:16
Limit 15:00Base 15:00
00H 0100 0 1 3 1 3Base08H
7B3EH3EA0H
C/D E W A
Base 0=00083EA0 Size=07B3E Granularity=0 =>byteDB=1=max size FFFFFFFF Segment present Privilege level=3S=1= User
C/D=0=data E=0=downward expansion W=1=writable A=1=used (set to 1 by the sstem)
Here it is assumened that CPL is 3
Per each POP and PUSH the processor checks the stack superior limit (07B3E) and inferior limit (0000)
EPL=3 access granted
Descriptor Template
Contentselectornumber
05F
11
Segment and page level protection
The system checks first the privilege in the descriptor and then the page level protection. A data segment could be of level 3 (and therefore accessible by programs at levels 0,1,2 and 3) but one of its pages could be of supervisor type (for instance because of a sharing or if the page is aliased and updated by the OS. In this case fault).
Page Table Entry
31 12
Page base address 31:12 Avail 0 0 D
Software usableDirty (written)
UsedPage cache disable
User/SupervisorWritable
11 9 8 7 6 5 4 3 2 1 0
APCD
PWT
U W P
Not used in the first protected processors.
Page write through
Present
12
Jump/Branch protection
A call to a higher privilege procedure is possible only by means of a call gate or an interrupt
• A jump (branch) within the same procedure (intrasegment) is always allowed (provided the destination address is within the segment boundary)
• A segment can use only code of the same or higher privilege (never lower privilege) (higher is the privilege – smaller the value – safer is considered the code)
• A jump (JMP o CALL) to a procedure of the same privilege level is always possible directly (without CALL GATE - see later)
• A direct call to a higher privilege conforming procedure is always possible
• A call to a higher level non conforming procedure requires the use of a CALL GATE (i.e. OS call)
• A jump or call to a same privilege level procedure too can use a CALL GATE
• In all other cases fault
13
Call protection
CALLED CODE SEGMENT DESCRIPTOR
Calling code segment selector
CHECK
31 24 19 16 14 13 11 8 7 0
Base 31:24 GDB
0AV
Limit19-16
PPL
1 TypeBase23:16
Limit 15:00Base 15:00
Called segment selector
CPLINDEX CPLT
INDEX RPLT
14
CALL GATES
A CALL GATE has its own privilege level and the code change to a higher privilege level is allowed only if
DPL_destination £ EPL £ DPL_gate (numerical values)
that is
Destination privileges ³ calling privilege ³ call gate privilege
NB:There is an automatic transfer to a lower privilege level (after the transfer to a higher privilege level) only through a RETURN from a higher level routine (RET from subroutine or IRET in case of interrupts)
A CALL GATE is a particular segment descriptor which doesn’t correspond to any data structure in memory but which stores all security information which allows the change of the code privilege level
15
Call gates
PL0
PL1
PL2
PL3
Procedure
GATE
GATE
GATE
The CALL GATE is used to define the called code segment and the specific procedure entry-point
Procedure
Procedure
ProcedureProcedure
16
Call gate
Offset 31.16 PPL
S TypeDwordcount
Offset 15:00Selector 15:00
000X
31 16 14 13 11 8 7 5 4 0
The CALL GATE stores the selector of the descriptor of the segment which includes the called procedure. The offset in this case is the called procedure entry point
N.B. The RPL of the selector of a Call Gate (which points to the destination descriptor ) has no meaning in this context
The called procedure PL value must smaller or equal to that of the calling procedure while the Call Gate PL value must be greater or equal to that of the calling procedure
P: present in memory (not used)PL: protection levelS: must be 0 (supervisor)X: indicates if this is a 16 or 32 bit CALL GATEType must be 100
Dword count: it is the number (max. 31) of DWORDS (data) which must be copied from the stack of the calling procedure onto the stack of called procedure (see tasks – each task has four stacks, one for each privilege level for security purposes). When a larger number of data must be transferrent a pointer to the data area is loaded onto the stack
17
Call gate
SEGMENT DESCRIPTOR OF THE CALLED PROCEDURE
CODE SEGMENT REGISTER
CHECK
CALL GATE POINTING SELECTOR
CALL GATE DESCRIPTOR
31 24 19 16 14 13 11 8 7 0
Base 31:24 GDB
0AV
Limit19-16
PPL
1 TypeBase23:16
Limit 15:00Base 15:00
Offset 31.16 PPL
S TipoDwordcount
Offset 15:00Selector 15:00
000X
31 16 14 13 11 8 7 5 4 0
(This is the selector within the CALL address)
DPL_ target £ MAX (CPL, RPL) £ DPL_gate
CPLINDEX CPLT
INDEX RPLT
18
An example (part 1)
N.B. A segment can include multiple procedures, for each one of them a CALL GATE must exist. But even the same procedure can have multiple entry points and therefore in this case too a CALL GATE for each one of them must exist!! The Call Gate in this case must have PL=3 (since the requestor RPL is 3)
Call 0063 : 0000 ;call request level 3 to a level 0 ; procedure (see descriptor next page
;through a call gate located at the thirteenth ;index (value 12) of the GDT
Not used
0000 0000 0110 0 011
OCH=1210
It is assumed that in CS the CPL is 1
00C 110
Index GDT RPL=3
63H
19
An example (part 2)
0000H 1 11 0 100 00010
3400H0150H
0001
Offset 31.16 PPL
S TipoDwordcount
Offset 15:00Selector 15:00
000X
31 16 14 13 11 8 7 5 4 0
P = 1 segment present (although without meaning)PL = 3 Privilege level 3S = 0 always for a CALL GATE (Supervisor)X = 1 32 bit CALL GATE Type = 100 always for a CALL GATE
Dword Count=2 two dwords must be copied between the stacks
Offset= 00003400H
Selector=150H => index 2AH = 42d
2A 000
Index GDT RPL=0 (no meaning)
Call Gatein slot 12
of the GDT
Call GateTemplate
20
An example (part 3)
31 24 19 16 14 13 11 8 7 0
Base 31:24 GDB
0AV
Limit19-16
PPL
1 TypeBase23:16
Limit 15:00Base 15:00
Target segment descriptor pointed by the Call Gate
00H 0100 1 1 00 1 1001 13H
EE3DH1BCCH
G=0 ganularity->byte P=1 present D=1 -> 32 bitPL=0 level 0 Base = 00131BCCH Size= 1EE3DH
C/D C R A
C/D=1 code Conforming=0 (not conforming)R=0 execution onlyA=1 used
Actualdescriptor
slot 42della GDT
DescriptorTemplate
21
Call gates
031
OFFSET (not used)
+
Entry Point
GATE
CODE
In the GATE selector whether GDT or LDT
OFFSET COUNT
SELECTOR
DPL
OFFSET
BASE
BASE DPL BASE
SELECTOR
22
Interrupts
The interrupt type is multiplied by 8 (number of bytes of a descriptor) and used as a selector of a descriptor table where the CALL GATES for the response subroutines are stored. The table is pointed by a register (Interrupt Descriptor Table Register).
Interrupt descriptor table
Max 256 Interrupt Gates -> 2KB (256*8)
Data are stored into the IDTR by means of privileged instruction (LIDT). The interrupt gates table is not any more stored in the lower memory addresses
The interrupts can be software triggered (instruction INT n)
The interrupts handling mechanism is identical to that used in 8086. When an interrupts is acknowledged the processor send a double INTA* and during the second INTA* the Interrupt Type is read
24
Interrupts
IDT base address IDT limit
IDTR register
Interrupt Descriptor Table
+
Interrupt type * 8
Gate interrupt 1
Gate interrupt 2
Gate interrupt 0
Gate interrupt 255
Gate interrupt n
31 0 15 0
25
Interrupts
Interrupt Gate
IDT
INTERRUPTtype
SEGMENT DESCRIPTOR
GDT O LDT
+OFFSET
INT. PROC.
DESTINATIONCODE SEGMENT
External interrupts, Faults, Traps
26
Interrupt Gate
Offset 31.16 PPL
S 110 Reser.
Offset 15:00Selector 15:00
000X
31 16 14 13 11 8 7 5 4 0
P: Present (not used)PL : Protection levelS : must be 0 (system)X :whether it is a 32 bit INTERRUPT GATE Type : must be 110RESERVED: not usedThe INTERRUPT GATE stores the handler segment selector and entry point.In case of hw interrupt the PL has no meaning. In case of sw interrupt, trap etc. PL must be greater or equal than that of the calling procedure
• TRAP gates are identical but the IF is not reset upon the interrupt acknowledge
• If the handler privilege level is smaller than that of the calling procedure CPL fault
• Instead of the interrupt gate a task gate can be used (see later)
• A task can trigger a software interrupt which in turn activates another higher priority task
27
Task
What is a TASK ?
Each application program is made of several segments (code, data, stack etc.) During the execution the segments are dynamically used. Their set is called task.
A TASK can be executing or waiting (for instance because of a page fault ), or ready (waiting for its time slot). The handling of this information depends on the OS.In the last case all information needed for the execution restart must be available (for instance all registers). This means that they must have been saved beforehand.
For each task, therefore, a Task State Segment (TSS) is set by the OS which has its own descriptor residing in the GDT. The creation of the TSS is achieved by means of the aliasing mechanism. When a task is suspended the state vector is automatically saved in the TSS via hardware
28
Task
In all systems a task executes only temporarily and then is suspended in order to achieve a “parallel” execution of all system tasks.
The lenght of the execution time slot (unless blocking events occur – I/O, page/segment fault, exceptions etc.) is an OS parameter. The ready tasks are inserted in a round robin list (normally – but there are cases of high priority tasks). The OS scheduler activates the top of the list after each time slot .
The task switch saves automatically via hardware in the TSS all information needed for the task restart
A task is activated by means of a JMP or a CALL to a TSS descriptor. In the TSS (not in its descriptor !) the entry point is stored (that is the pointer to the first not yet executed instruction)
29
Task State Segment
Paging !
16 bitSelectors
A bit for each I/O address > 8Kbyte=65536 bit max. Where a 1 is stored the corresponding device can be used no matter the value of the IOPL (see later).
Link Field – selector of the task suspended because of this task (i.e. an interrupt) which will be restarted
by an IRET
Level 3Stack
68H
Higher levelStack
30
TSS
The TSS is not of fixed size and is at least 67h bytes long: locations with 0s are reserved
Among other information the TSS stores the pointer to be stored in CR3 (physical address of the Ist level page table
For security reasons (for instance the calling procedure stack could be too small for the following CS:IP push -> stack overflow) upon a call to a more privileged procedure a specific level stack is used
31
I/O access protection
For instance: the running task needs to access a disk and sends OUT commands to define the sector, the cylinder and the number of byte to be transferred. During this phase it could be interrupted by another task which alters these parameters. When the supendended task resumes is unaware that these parameters were changed and the outcome is unpredictable
It follows that the I/O operations must be queued and coordinated by the OS
In 8086 any program can use the I/O instructions: this is the basis of a possible «I/O anarchy».
32
FLAGS
IdentificationVirtual Interrupt PendingVirtual InterruptAlignment checkVirtual 8086 ModeResume flag
Nested Task
Input/Output Privilege LevelOverflowDirection
Interrupt EnableTrapSignZero
Auxiliary
Parity
Carry
3130292827262524232221201918171615141312
109876543210
11
0000000000ID
VIPVIFACVMRF0
NT
IOPL
OF
IFTFSFZF0
AF0
DF
PF1
CF
Flags are saved in the TSS upon an interrupt and restored when the task is resumed
A task was interrupted and must be therefore resumed after the IRET of the interrupting task task
33
I/O protection
The BPM is not necessary if CPLis always lower than IOPL (i.e. OS) or the task never needs I/O instructions.
If the running task CPL is lower (or equal) than the IOPL (that is the task is more privileged) it can execute the following instructions
• IN (I/O input)• OUT (I/O output)• INS (Input String
• OUTS (Output String) • CLI (Clear interrupt flag)• STI (Set interrupt flag)
otherwise fault … unless a permit for the specific address is present in the task I/O permission bit map. This TSS map stores a bit for each of the possible 65536 I/O addresses: if it is set, one of the previous instructions can be executed for that address (but not CLI e STI) even if CPL > IOPL
Theoretically 8K (64K/8) would be necessary for each TSS in order to store the entire Bit Permission Map. But is is necessary to store this map up to the maximum address whose bit is set since this is automatically defined by the TSS size which is present in the TSS itself!!
34
Task State Segment Descriptor
31 24 19 16 14 13 11 8 7 0
Base 31:24 G00AV
Limit19-16
PPL
S TypeBase23:16
Limit 15:00Base 15:00
X 0 B 1
G= granularity (byte/page) P=1 presente S= system/userPL= protectione level(no meaning – it is however zero)
Busy bit!! When set the task was triggered by another task and its TSS stores in its LINK field the pointer to the calling task. This prevents the called task to call in turn the calling task otherwise a deadlock would occur (a fault – the return chain would be interrupted). This is not the case if a JUMP is used to trigger a task (BB reset – no return)
X= 16 or 32 bit TSS B=busy bit
35
Task activation
The OS builds through the aliasing a descriptor in the GDT.A task activation (trigger) occurs by means of a JUMP or a CALL selecting one of the following elements:
1. A CALL GATE which points to a TSS descriptor 2. A TASK GATE (see. later) which points to a TSS descriptor
The architecture has a TR (task register) which stores the TSS selector. Its base address and size are automatically stored in the register cache when the task is activated.
Descriptor table index 0 00
15 3 2 1 0
(visible part)
(invisible part)Initial address
31 0
Size
Attributes
36
TASK gate
Reserved PPL
0 Type
Reserved TSS (15:00) selector
Reserved0
31 16 14 13 10 8 7 0
P : Present (no meaning)P : Protection levelS : must be 0 (no meaning)X : whether a 16 or 32 bit CALL GATEType : 101A TASK GATE is a CALL GATE pointing to task instead of a procedure. The offset in this case has no meaning.
37
Events which trigger a context switch
• A jump or a call “far” pointing to a TSS descriptor in the GDT (possible only if CPL = DPL of the TSS descriptor – tha is only if the originating call/jump is at level 0 since the PL of a TSS descriptor is always 0!)
• A jump or a call “far” to a Task Gate pointing to a TSS descriptor in the GDT (same rules of the Call Gates but the DPL of the TSS descriptor which is always 0 is ignored). This means that only the Task gate PL is checked
• Hardware interrupt (or exception). If in the IDT a Task Gate is selected, the task is activated without further privilege level check
In any case the TR is loaded with the TSS selector and the invisible registers with the corresponding values of the TSS
Top Related