Revision as of 19:44, 30 October 2011 by Shambhavitayshete (14 edits; edit summary: "Expanded types of privilege levels"), compared with the revision as of 20:44, 30 October 2011 by GauravKeskar (17 edits; edit summary: "Renamed Privilege Checks to P. Validation and expanded.").

Changes at line 19: the section "Privilege Checks" was renamed "Privilege Validation", its introductory paragraph was expanded, and the subsections "Data Segment Access" and "Control Transfer Access" were added (both appear in the revision below). The bullet on I/O privileged instructions and IOPL was kept; the following bullets of the earlier revision were removed:

- The processor automatically evaluates the right of a procedure to access another segment by comparing the CPL to the numeric max of the RPL and DPL. If CPL > max(RPL, DPL), then exception 13 is generated.
- Data segment access covers referring to data other than the task's own. In this case a selector is loaded into DS, ES, FS or GS if and only if max(RPL, CPL) <= DPL.
- A stack segment can be loaded into SS only if DPL = CPL.
- Transferring control to code other than the task's own comes under control transfer access. A CALL or JMP instruction allows control to be transferred to other code segments with a DPL of equal or greater privilege than the CPL. An executable code segment has DPL < CPL, i.e. CPL = 2 can execute a code segment with DPL = 0. However, CPL = 1 is not allowed to invoke a code segment with DPL = 3.
Revision as of 20:44, 30 October 2011
A privilege level in the x86 instruction set controls the access of the program currently running on the processor to resources such as memory regions, I/O ports, and special instructions. There are 4 privilege levels ranging from 0 which is the most privileged, to 3 which is least privileged. Most modern operating systems use level 0 for the kernel/executive, and use level 3 for application programs. Any resource available to level n is also available to level 0..n, so the privilege levels are "rings".
It is not necessary to use all four privilege levels. Existing software that was designed to use only one or two levels of privilege can simply ignore the other levels offered by the 80386 and later processors. A one-level system should use privilege level zero; a two-level system should use privilege levels zero and three. In that case level zero is called Supervisor mode and level three is User mode. All versions of Windows below Windows XP use only the two-level system.
History
The basic idea of using privilege levels is to ensure the safety and integrity of the most sensitive data and to prevent easy access to such data.
The Intel 80286 was the first micro-controller to incorporate measures of data protection and security. It did so by implementing the dual concepts of Protected Mode and Privilege Levels.
Protected mode is entered by setting the Protection Enable bit of the Machine Status Word and concerns itself with the data being protected. The privilege level is a designation associated with tasks and defines whether a given task can perform predefined actions, the actions themselves being set by other tasks. It is important to note that the whole concept of tasks with associated privilege levels exists only in protected mode. Outside protected mode, the concept of a privilege level has no meaning. For example, the 80286 in real mode is nothing but a pipelined version of the 8086.
All operations on the 80286 occur by means of tasks. A task is initiated by accessing the Task State Segment, which defines the privilege level of the task to be run. This privilege level is the Current Privilege Level. Once the CPL is assigned for a task, it cannot be altered for the duration of its execution.
Once the task begins execution, it may at various points need to access other blocks of information. This access is allowed only if the CPL of the task satisfies the requirements of the DPL of the block concerned. The requirements are described under Privilege Validation below.
Today, the ringed privilege system is extremely widespread. It can be found on a large number of computer systems along with other micro-controllers such as the ARM SAM7X series.
Privilege Validation
Tasks are given access to various descriptors on the basis of the type of the descriptor and the associated privilege levels (Current, Requested and Descriptor). The privilege levels allow the processor to control access to descriptors and hence to the corresponding memory segments. These privilege checks provide data protection and prevent any unauthorized access to data or code. Segment access occurs in two principal ways:
Data Segment Access
Certain instructions that load the data, code or extra segments with selectors come under Data Segment Access. The SS register is always loaded with selectors that point to writable data segment descriptors. For the task to access the descriptor successfully, the descriptor's DPL must be of lower or equal privilege than both the CPL and the RPL (numerically, DPL >= max(CPL, RPL)). When the SS register is loaded, the CPL and RPL must be the same as the DPL, to prevent stack data from being incorrectly referenced. If this check fails, exception 13 is raised. The one exception to this rule is that a conforming code segment can be read from any privilege level.
Two other exceptions can be generated by Data Segment Access:
- If the stack segment pointed to is not present in physical memory, exception 12 is generated.
- In general, if the required data segment is not present, exception 11 is generated.
Control Transfer Access
If a selector is to be loaded into the CS, the following individual cases can occur, assuming that the descriptor being pointed to by the selector is valid. If it isn't, exception 11 is generated.
- Using a CALL or JMP instruction: The target code segment descriptor must have a DPL greater than or equal to the CPL if the descriptor is a conforming descriptor. The DPL of the descriptor must be exactly equal to the CPL if the descriptor is non-conforming. The RPL of the selector must be the same as the CPL of the task.
- Using the RET or IRET instructions: For these instructions to run without generating exceptions, the DPL of the descriptor must be either equal to or lower than the CPL of the task that is being returned to. Once the flow of control has returned from the sub-program, the RPL of the selector becomes the CPL. If the CPL does change, the old stack pointer is popped after the return address.
- TSS Descriptor is referenced: If the JMP or CALL instruction refers to a Task State Segment (TSS), the associated DPL needs to be lower than or equal to the CPL of the task. If DPL>CPL, exception 13 is generated; otherwise the task is switched.
- Gate Descriptor is referenced: As above, the DPL needs to be lower than or equal to the CPL of the task. Additionally, if the destination in the gate descriptor references a Code Segment descriptor, then the DPL of the CS descriptor needs to be greater than or equal to the task's CPL. If the destination of the gate descriptor points to a TSS, a task switch is performed automatically, as long as the conditions mentioned above are satisfied.
In both cases, if the necessary conditions between the CPL and DPL are not satisfied, exception 13 is generated.
- The I/O based privileged instructions are executed only if CPL<=IOPL in the EFLAGS register. To secure this field, the POPF/POPFD instructions, which load values into the EFLAGS register, must not alter the IOPL or IF bits if CPL>0.
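As an added example (not from the article), the checks of this section modelled in C. Privilege levels are compared numerically, 0 being most privileged, so the article's "DPL of lower or equal privilege than the CPL" becomes dpl >= cpl; the descriptor struct, the exception constants and the adjust_rpl helper (which mirrors the kernel-side use of the RPL that the ARPL instruction performs) are assumptions of this example.

```c
/* Added example, not from the article: a model of the x86 selector-load checks
 * described above.  Levels compare numerically (0 = most privileged, 3 = least),
 * so "DPL of lower or equal privilege than CPL" reads dpl >= cpl.  Each check
 * returns 0 or the exception vector the article names: 11 #NP, 12 #SS, 13 #GP. */
enum { OK = 0, EXC_NP = 11, EXC_SS = 12, EXC_GP = 13 };
enum { SEG_DATA, SEG_CODE, SEG_TSS, SEG_GATE };

typedef struct {
    int type;             /* SEG_* */
    unsigned dpl;         /* descriptor privilege level, 0..3 */
    int present;          /* P bit */
    int conforming;       /* C bit, code segments only */
    unsigned target_dpl;  /* SEG_GATE only: DPL of the code segment the gate targets */
} desc_t;

/* Effective privilege level: the weaker (numerically larger) of CPL and RPL. */
static unsigned epl(unsigned cpl, unsigned rpl) { return cpl > rpl ? cpl : rpl; }

/* Kernel-side use of RPL (cf. the ARPL instruction): a selector handed in by a
 * caller gets its RPL raised to the caller's CPL, so the check below applies
 * the caller's privilege even though the kernel itself runs at CPL 0. */
unsigned adjust_rpl(unsigned selector, unsigned caller_cpl) {
    return (selector & 3) < caller_cpl ? (selector & ~3u) | caller_cpl : selector;
}

/* Loading DS/ES/FS/GS: EPL must be at least as privileged as the descriptor,
 * except that a conforming code segment is readable from any level. */
int load_data_seg(unsigned cpl, unsigned rpl, const desc_t *d) {
    int readable_by_all = d->type == SEG_CODE && d->conforming;
    if (!readable_by_all && epl(cpl, rpl) > d->dpl) return EXC_GP;
    return d->present ? OK : EXC_NP;
}

/* Loading SS: RPL, CPL and DPL must all match; a missing stack segment is #SS. */
int load_stack_seg(unsigned cpl, unsigned rpl, const desc_t *d) {
    if (d->type != SEG_DATA || rpl != cpl || d->dpl != cpl) return EXC_GP;
    return d->present ? OK : EXC_SS;
}

/* CALL/JMP through a selector naming a code segment, a TSS or a gate. */
int transfer_control(unsigned cpl, unsigned rpl, const desc_t *d) {
    if (!d->present) return EXC_NP;
    switch (d->type) {
    case SEG_CODE:
        if (d->conforming) return d->dpl <= cpl ? OK : EXC_GP;  /* CPL unchanged */
        return (d->dpl == cpl && rpl <= cpl) ? OK : EXC_GP;      /* same level only */
    case SEG_TSS:
        return epl(cpl, rpl) <= d->dpl ? OK : EXC_GP;            /* task switch */
    case SEG_GATE:
        if (epl(cpl, rpl) > d->dpl) return EXC_GP;               /* caller may use gate? */
        return d->target_dpl <= cpl ? OK : EXC_GP;               /* gate never lowers privilege */
    }
    return EXC_GP;
}
```

A kernel at CPL 0 that loads a user-supplied selector through adjust_rpl(selector, 3) first gets EXC_GP on a DPL 0 data segment, which is the RPL "weakening" the article describes.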
Changing Privilege Level
A task may need to change its privilege level during control transfers such as those caused by CALL or JMP instructions. The privilege level can be changed by using a conforming code segment or a call gate. A conforming code segment conforms to the privilege level of the calling segment (indicated by the 'Conforming' bit in the code segment descriptor). For example, if control is transferred from segment A to conforming segment B, then the privilege level of B becomes the privilege level of A.
Areas With Privilege Levels
OS routines, interrupt handlers and a large number of other tasks can have privilege levels applied to them to improve security. They fall under three main categories:
Task Privilege
The Task Privilege is the privilege level that a particular task executes at. The privilege level it has been assigned is called the Current Privilege Level and is held in the lower two bits of the CS register. During the execution of the task, the CPL is constant and cannot be changed. Only a transfer of control to another code segment can change the privilege level of a task. A task executing at level 0 can access all data segments defined in the GDT (Global Descriptor Table) and the task's LDT (Local Descriptor Table) and is considered the most trusted task. By comparison, a task at level 3 has the most restricted access to data and is the least trusted task.
Descriptor Privilege
The Descriptor Privilege Level defines the privilege level that a task must have in order to access the descriptor. Access additionally depends on whether the descriptor is present in the GDT and/or the task's LDT. A descriptor with a privilege level of 0 is highly protected, since only a task with a privilege level of 0 can access it. On the other hand, all tasks, regardless of whether their privilege levels are 0, 1, 2 or 3, can access a descriptor of privilege level 3. Descriptors present in the Local Descriptor Table do not follow this rule.
Selector Privilege
The RPL (Requested Privilege Level) is specified by the two least significant bits of a selector and gives the privilege level of the selector. The primary purpose of the RPL is to let a program or task request a resource at a lower privilege level than it would otherwise use. The resulting level is known as the Effective Privilege Level (EPL) of the task, and the RPL can only "weaken" the privilege of a task. If the RPL of a selector is 3, then regardless of the CPL of the task, the selector can access only level 3 segments. The RPL/EPL combination ensures that no task, even during unconditional transfers, can access data that has a higher privilege level.