A Hardware Architecture for Implementing Protection Rings Schroeder & Saltzer: Mighty Institute of Terminology (m.i.t.) Brought to you by: Chris Sosa I <3 Cornell

Overview Introduction of Protection Rings Allows multiple domains to be associated with a process and process domain movement during execution Hardware a.k.a. Computer Architecture Implementation of Protection Rings for Multics

Introduction of Protection Rings

Allows multiple domains to be associated with a process and process domain movement during execution

Hardware a.k.a. Computer Architecture Implementation of Protection Rings for Multics

Motivation Basic access control mechanisms only allow one set of access permissions (a domain) for a user per resource Intrinsic need to change access capabilities of a user as his/her process runs User A may wish to allow user B to access sensitive data but only through a special program

Basic access control mechanisms only allow one set of access permissions (a domain) for a user per resource

Intrinsic need to change access capabilities of a user as his/her process runs

User A may wish to allow user B to access sensitive data but only through a special program

Four Sets of Criteria to Judge Protection Mechanisms Functional Capability Economy Simplicity Programming Generality

Functional Capability

Economy

Simplicity

Programming Generality

What is a Protection Ring? This does not meet our economy criteria! … let’s try again

This does not meet our economy criteria!

… let’s try again

Protection Rings Each process associated with 0 -> r-1 of domains called rings Concentric = subset of privileges of n for m when m > n Ring 0 =

Each process associated with 0 -> r-1 of domains called rings

Concentric = subset of privileges of n for m when m > n

Ring 0 =

Protection Rings (cont’d) Typical R/W/E privileges divided into brackets R/W brackets must start at ring 0, why? Allows for lowest-numbered ring of execution to be specified (not necessarily 0). Why might this be a good thing?

Typical R/W/E privileges divided into brackets

R/W brackets must start at ring 0, why?

Allows for lowest-numbered ring of execution to be specified (not necessarily 0). Why might this be a good thing?

Moving Between Protection Rings Downward movement restricted to “gates” Specific program locations During execution allows a process to enter a lower domain Example of gates? Upward movement is unrestricted (but you must use a special call to do it)

Downward movement restricted to “gates”

Specific program locations

During execution allows a process to enter a lower domain

Example of gates?

Upward movement is unrestricted (but you must use a special call to do it)

Revisiting Gate Extension Bracket that defines from which rings gate movement is allowed Possible use of this in Windows?

Bracket that defines from which rings gate movement is allowed

Possible use of this in Windows?

Call and Return Procedure transfer = subroutine call Easy to validate protection rings If Call goes through gate => validate caller’s ring w.r.t. gate extension Return restores caller’s ring

Procedure transfer = subroutine call

Easy to validate protection rings

If Call goes through gate => validate caller’s ring w.r.t. gate extension

Return restores caller’s ring

Three Issues with Downward Calls Find new stack area Each process has a stack segment per ring Argument validation Procedure assumes more restricted access capabilities of caller when accessing operand references Knowledge of caller’s ring Processor leaves this in a read-only register

Find new stack area

Each process has a stack segment per ring

Argument validation

Procedure assumes more restricted access capabilities of caller when accessing operand references

Knowledge of caller’s ring

Processor leaves this in a read-only register

Other calls? Dealing with a call and return that doesn’t change rings is trivial … duh! Upward calls are hard Their solution, let’s not support it! What’s wrong with keeping the protection ring of the caller? Internet Explorer bugs anyone?

Dealing with a call and return that doesn’t change rings is trivial … duh!

Upward calls are hard

Their solution, let’s not support it!

What’s wrong with keeping the protection ring of the caller?

Internet Explorer bugs anyone?

Computer Architecture Support Hot or Not?

Hot or Not?

Quick Review of the Multics before Protection Rings Each user has individual VM A segment is the unit of Access Control Users has R/W/E privileges defined per segment (flags) Flags stored in with segment descriptor in H/W … for more information of hardware: see paper  (for those Clint’s out there)

Each user has individual VM

A segment is the unit of Access Control

Users has R/W/E privileges defined per segment (flags)

Flags stored in with segment descriptor in H/W

… for more information of hardware: see paper  (for those Clint’s out there)

Quick Review of Multics AFTER Protection Rings Eight Rings Modification of SDW to include three 3-bit values for bracket management R0 -> SDW.R1 = Write SDW.R1 -> SDW.R2 = Execute SDW.R2+1 -> SDW.R3 = Gate Extension Read = Execute, loses some flexibility Other modifications that only involve adding a 3-bit ring field denoting required or current ring

Eight Rings

Modification of SDW to include three 3-bit values for bracket management

R0 -> SDW.R1 = Write

SDW.R1 -> SDW.R2 = Execute

SDW.R2+1 -> SDW.R3 = Gate Extension

Read = Execute, loses some flexibility

Other modifications that only involve adding a 3-bit ring field denoting required or current ring

An Example Retrieval of Next Instruction to be executed

Retrieval of Next Instruction to be executed

Issues Complicated to design user programs with rings Rare to see more than two rings used We have seen some exceptions … see Xen Implementation lacked some features Execution end bracket same as read bracket Didn’t implement upward movement in terms of ring movement

Complicated to design user programs with rings

Rare to see more than two rings used

We have seen some exceptions … see Xen

Implementation lacked some features

Execution end bracket same as read bracket

Didn’t implement upward movement in terms of ring movement

Questions?