A Hardware Architecture For Implementing Protection Rings


My take on this famous paper on protection rings made for my graduate OS class


1. A Hardware Architecture for Implementing Protection Rings
   Schroeder & Saltzer: Mighty Institute of Terminology (m.i.t.)
   Brought to you by: Chris Sosa
   I <3 Cornell

2. Overview
   - Introduction of protection rings
     - Allows multiple domains to be associated with a process, and lets the process move between domains during execution
   - Hardware (a.k.a. computer architecture) implementation of protection rings for Multics

3. Motivation
   - Basic access control mechanisms allow only one set of access permissions (a domain) per user per resource
   - Intrinsic need to change the access capabilities of a user as his/her process runs
     - User A may wish to allow user B to access sensitive data, but only through a special program

4. Four Sets of Criteria to Judge Protection Mechanisms
   - Functional capability
   - Economy
   - Simplicity
   - Programming generality

5. What is a Protection Ring?
   - This does not meet our economy criteria!
   - … let's try again

6. Protection Rings
   - Each process is associated with r domains, numbered 0 to r-1, called rings
     - Concentric: ring m has a subset of the privileges of ring n when m > n
   - Ring 0 =

7. Protection Rings (cont'd)
   - Typical R/W/E privileges are divided into brackets (ranges of rings)
   - R/W brackets must start at ring 0. Why?
   - Allows the lowest-numbered ring of execution to be specified (not necessarily 0). Why might this be a good thing?

8. Moving Between Protection Rings
   - Downward movement (to a more privileged ring) is restricted to "gates"
     - Specific program locations
     - Allows a process to enter a lower domain during execution
     - Examples of gates?
   - Upward movement is unrestricted (but you must use a special call to do it)

9. Revisiting Gate Extension
   - Bracket that defines from which rings movement through a gate is allowed
   - Possible use of this in Windows?

10. Call and Return
    - Procedure transfer = subroutine call
    - Easy to validate protection rings
    - If the call goes through a gate => validate the caller's ring w.r.t. the gate extension
    - Return restores the caller's ring

11. Three Issues with Downward Calls
    - Finding a new stack area
      - Each process has a stack segment per ring
    - Argument validation
      - The called procedure assumes the more restricted access capabilities of the caller when accessing operand references
    - Knowledge of the caller's ring
      - The processor leaves this in a read-only register

12. Other calls?
    - Dealing with a call and return that doesn't change rings is trivial … duh!
    - Upward calls are hard
      - Their solution: let's not support it!
      - What's wrong with keeping the protection ring of the caller?
        - Internet Explorer bugs, anyone?

13. Computer Architecture Support
    - Hot or Not?

14. Quick Review of Multics Before Protection Rings
    - Each user has an individual VM
    - A segment is the unit of access control
    - Users have R/W/E privileges defined per segment (flags)
    - Flags are stored with the segment descriptor in hardware
    - … for more information on the hardware, see the paper (for those Clints out there)

15. Quick Review of Multics After Protection Rings
    - Eight rings
    - Modification of the SDW (segment descriptor word) to include three 3-bit values for bracket management
      - Rings 0 -> SDW.R1 = write bracket
      - SDW.R1 -> SDW.R2 = execute bracket
      - SDW.R2+1 -> SDW.R3 = gate extension
      - Read bracket ends where the execute bracket ends (SDW.R2); loses some flexibility
    - Other modifications only involve adding a 3-bit ring field denoting the required or current ring

16. An Example
    - Retrieval of the next instruction to be executed
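As an added example (not code from the paper or from these slides), here is a Python model of the checks slides 7 through 16 describe: read/write/execute permission by ring from the three SDW bracket values, the instruction-fetch check, downward calls validated against gates and the gate extension, operand validation in the caller's ring, and return restoring the caller's ring. The field names r1/r2/r3, the gate set, and the rule that a gated call enters at the top of the execute bracket are assumptions made for illustration.

```python
from dataclasses import dataclass

NRINGS = 8  # Multics used eight rings; ring 0 is the most privileged

@dataclass(frozen=True)
class SDW:
    """Assumed model of the per-segment bracket fields: write bracket [0, r1],
    execute bracket [r1, r2], read bracket [0, r2], gate extension [r2+1, r3].
    `gates` is an assumed set of word offsets that are valid gate entry points."""
    r1: int
    r2: int
    r3: int
    gates: frozenset = frozenset()

    def __post_init__(self):
        if not 0 <= self.r1 <= self.r2 <= self.r3 < NRINGS:
            raise ValueError("need 0 <= r1 <= r2 <= r3 < 8")

def can_write(s: SDW, ring: int) -> bool:
    return ring <= s.r1

def can_read(s: SDW, ring: int) -> bool:
    return ring <= s.r2          # read bracket shares its upper bound with execute

def can_execute(s: SDW, ring: int) -> bool:
    return s.r1 <= ring <= s.r2  # same test gates fetching the next instruction

def operand_ring(current: int, caller: int) -> int:
    """Ring used to validate a callee's operand references: the more restricted
    of the executing ring and the caller's ring (held in a read-only register)."""
    return max(current, caller)

def call(s: SDW, caller_ring: int, target: int) -> int:
    """Ring in which execution continues after calling `target` in segment s."""
    if can_execute(s, caller_ring):
        return caller_ring                      # same-ring call, nothing to validate
    if caller_ring < s.r1:
        raise PermissionError("upward call: not supported by the ring hardware")
    if caller_ring > s.r3:
        raise PermissionError("caller ring outside the gate extension")
    if target not in s.gates:
        raise PermissionError("downward call must enter at a gate")
    return s.r2  # assumed: execution enters at the top of the execute bracket

def ret(current_ring: int, caller_ring: int) -> int:
    """Return restores the caller's ring; a return can never lower the ring."""
    if caller_ring < current_ring:
        raise PermissionError("return would move downward without a gate")
    return caller_ring
```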
17. Issues
    - Complicated to design user programs with rings
    - Rare to see more than two rings used
      - We have seen some exceptions … see Xen
    - Implementation lacked some features
      - Execute bracket ends at the same ring as the read bracket
      - Didn't implement upward movement in terms of ring movement

18. Questions?