Privilege levels 80386

3,308 views

Published on

Privilege levels_80386

Published in: Technology
1 Comment
5 Likes
Statistics
Notes
No Downloads
Views
Total views
3,308
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
179
Comments
1
Likes
5
Embeds 0
No embeds

No notes for slide

Privilege levels 80386

  1. 1. Privilege Levels
  2. 2. Computer system security measures prevent <ul><li>Users from interfering with one another </li></ul><ul><li>Users from examining secure data </li></ul><ul><li>Program bugs from damaging other programs </li></ul><ul><li>Program bugs from damaging data </li></ul><ul><li>Malicious attempts to compromise system integrity </li></ul><ul><li>Accidental damage to data </li></ul>
  3. 3. Privilege protection <ul><li>80386 protection mechanism </li></ul><ul><ul><li>Memory management </li></ul></ul><ul><ul><li>Privilege protection </li></ul></ul><ul><li>4 privilege level protection </li></ul><ul><ul><li>PL0 (highest) </li></ul></ul><ul><ul><li>PL1 </li></ul></ul><ul><ul><li>PL2 </li></ul></ul><ul><ul><li>PL3(lowest) </li></ul></ul><ul><li>A numerically </li></ul><ul><li>Smaller PL means a </li></ul><ul><li>Higher privilege. </li></ul>
  4. 4. <ul><li>When running in protected mode, the 80386 continually checks that the application is privileged enough to </li></ul><ul><ul><li>Execute certain instructions. </li></ul></ul><ul><ul><li>Reference data other than its own. </li></ul></ul><ul><ul><li>Transfer control to code other than its own. </li></ul></ul>
  5. 5. Executing privileged instructions <ul><li>Privilege instructions </li></ul><ul><ul><li>Modify interrupt flag </li></ul></ul><ul><ul><li>Alter segmentation </li></ul></ul><ul><ul><li>Affect protection mechanism </li></ul></ul><ul><li>They are allowed only if the program is running at PL0 </li></ul>
  6. 6. References to other data <ul><li>Shared data </li></ul><ul><li>Programs are not allowed to read or write data items that have a higher privilege level. </li></ul>
  7. 7. Transferring control to other code <ul><li>Programs are not allowed to CALL or JMP to code that does not have exactly the same privilege level that they do. </li></ul>
  8. 8. Defining privilege levels <ul><li>Privileges are assigned by segment. </li></ul><ul><li>Everything contained in a segment have same privilege. </li></ul><ul><li>The privilege level is defined in the segment descriptors. </li></ul><ul><li>The privilege level of the code segment determines the current privilege level(CPL). </li></ul>
  9. 9. Privileged instructions <ul><li>19 instructions </li></ul><ul><li>Privilege instructions are those </li></ul><ul><ul><li>That affect the segmentation and protection mechanism CPL=0 </li></ul></ul><ul><ul><li>Alter interrupt flag </li></ul></ul><ul><ul><li>Perform peripheral I/O CPL <IOPL </li></ul></ul><ul><ul><li>numerically </li></ul></ul>A numerically smaller PL means a higher privilege level
  10. 10. Privileged instructions <ul><li>HLT (Halts the processor) </li></ul><ul><li>CLTS (Clear task switch flag) </li></ul><ul><li>LGDT,LIDT,LLDT(Loads GDT,IDT,LDT register) </li></ul><ul><li>LTR (Load task register) </li></ul><ul><li>LMSW (Load machine status word) </li></ul><ul><li>Mov CRn,…. (moves to control register) </li></ul><ul><li>Mov DRn,.. (moved to debug registers) </li></ul><ul><li>Mov TRn,…. (moves to test registers) </li></ul>
  11. 11. IOPL sensitive instructions <ul><li>CLI Disables interrupts </li></ul><ul><li>STI Enables interrupts </li></ul><ul><li>IN Inputs data from I/O port </li></ul><ul><li>Out Outputs data to output port </li></ul>
  12. 12. Privildged Data References <ul><li>Second type of privilege checking </li></ul><ul><li>DPL of code segment descriptor must have smaller value (higher privilege)than DPL of data segment descriptor. </li></ul>
  13. 13. <ul><li>After u have placed each descriptor in a descriptor table, you need to inform the processor </li></ul><ul><li>U can place theses tables anywhere in the processor’s address space and u need not keep them together. </li></ul><ul><li>To allow processor to locate the GDT, IDT and current LDT, u load three special purpose registers, GDTR, IDTR,LDTR resply. </li></ul>
  14. 14. GDTR,IDTR,LDTR contains <ul><li>Base address of table </li></ul><ul><li>Limit </li></ul>
  15. 15. Segment Selectors <ul><li>Once the descriptors are defined , how does the processor make use of them? </li></ul><ul><li>Any 16 bit value that u write into a segment register is called a selector, because it selects a segment descriptor from a descriptor table. </li></ul><ul><li>15 2 1 0 </li></ul>INDEX RPL TI
  16. 16. 80386 segment registers <ul><li>80386 has 6 segment registers </li></ul><ul><ul><li>One for current code segment(CS) </li></ul></ul><ul><ul><li>One for current stack segment (SS) </li></ul></ul><ul><ul><li>Four for general data segments (DS, ES,FS,GS) </li></ul></ul><ul><li>Segment registers select segment descriptors: </li></ul><ul><ul><li>Thirteen bits select descriptors </li></ul></ul><ul><ul><li>One bit selects descriptor table </li></ul></ul><ul><ul><li>Two bits privilege checking </li></ul></ul>
  17. 17. Loading Segment Selectors <ul><li>Any given selector value selects one and only one descriptor </li></ul><ul><li>When loading segment selector ,the 80386 check that </li></ul><ul><ul><li>The selector index is within the descriptor table limit </li></ul></ul><ul><ul><li>The selector references the correct descriptor table </li></ul></ul><ul><ul><li>The descriptor is of correct type </li></ul></ul><ul><ul><li>The selector uses the correct privilege level </li></ul></ul>
  18. 18. GDT GDT 0 GDT 1 GDT 2 GDTR Offset Index 2 1 0 TI RPL
  19. 19. SEGMENTATION Addressing GDT Prog GDT Main Memory Index 2 1 0 TI RPL GD 0 GD 1 GD 2 GDTR Offset
  20. 20. Addressing GDT GD 0 GD 1 GD 2 Main Memory Base Address Seg Limit Attrib Index 3 2 1 0 TI RPL GDTR Offset
  21. 21. GD 0 GD 1 GD 2 GDTR Index 2 1 0 TI RPL GDT Base Address Seg Limit Attrib + Offset
  22. 22. Local Descriptor Tables(LDT’s) <ul><li>LDT’s act like extension to GDT </li></ul><ul><li>Are assigned to individual tasks when task switching is done. </li></ul><ul><li>While running, any program can assess descriptors from GDT and LDT </li></ul><ul><li>The way in which the processor locates LDT’s is much different, however. </li></ul>
  23. 23. Descriptor LDT Descriptor Descriptor Descriptor Data Descriptor Descriptor GDT LDT GDTR LDTR 1 DS ESI
  24. 24. Local Descriptor table <ul><li>Hold segment descriptors </li></ul><ul><li>May be used in addition to the global descriptor table </li></ul><ul><li>Are defined by special “system descriptor” in GDT. </li></ul><ul><li>May be larger or smaller than GDT. </li></ul><ul><li>May not be define other LDTs </li></ul>

×