Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
1/18 x86-64 Exceptions: OS Perspective Konstantin Belousov kib@FreeBSD.org November 30, 2019, git date: 2019-11-25 (b) lab...
2/18 Agenda Architecture AMD64 = x86-64 = IA32-64 = IA32e Introductory half What is Exception Exceptions vs. Interrupts OS...
3/18 What is Exception Core Loop CPU core fetches, decodes, and executes instructions. Speculatively and out-of-order. Har...
4/18 What is Exception, cont. Exception Non-local control transfer Synchronous, hw execution context is recoverable Typica...
5/18 Interrupts Normal Interrupts Caused by external events Asynchronous Can be delayed (disabled, masked) * * Non-Maskabl...
6/18 OS Handling of Exceptions Out of scope How CPU finds an exception handler: IDT, GDT, TSS, etc Try to handle Page fault...
7/18 Exceptions and Signals Signals on Unhandled Exceptions #PF (Page Fault) SIGSEGV, SIGBUS #GP (General Protection Fault...
8/18 End of Introductory Part Questions Konstantin Belousov kib@FreeBSD.org x86-64 Exceptions: OS Perspective
9/18 x86 Segmentation Code Properties Code %cs Stack %ss Data %ds %es Segments Cache Thread Local Storage (TLS) User TLS b...
10/18 SWAPGS Kernel Entry /* interrupts disabled */ if (frame->cs.rpl != 0) /* from user */ SWAPGS; NMI Can interrupt code...
11/18 Return to Usermode The last kernel instructions SWAPGS IRETQ ... <Execution continues in user mode> IRETQ Frame %ss ...
12/18 Return to Usermode, cont. What can go wrong ? %cs invalid → #np %ss invalid → #ss %rip not canonical → #gp %rsp not ...
13/18 Delaying Exceptions Stack reload movq $STACKSEG,%ss movq $BASE,%rsp /* Intrs and breakpoints delayed */ next instruc...
14/18 Delaying Exceptions: diagram User Code syscall entry #db handler, check prev mode SWAPGS #db handler body syscall #d...
15/18 Delaying Exceptions Coordinated disclosure, MS lead CVE-2018-8897 Konstantin Belousov kib@FreeBSD.org x86-64 Excepti...
16/18 VMX Exceptions VM Exits Konstantin Belousov kib@FreeBSD.org x86-64 Exceptions: OS Perspective
17/18 End of Second Part Questions Konstantin Belousov kib@FreeBSD.org x86-64 Exceptions: OS Perspective
18/18 References Intel 64 and IA-32 Architectures Software Developer Manuals, Volume 3 AMD, AMD64 Architecture Programmer’...
Upcoming SlideShare
Loading in …5
×

Embedded Fest 2019. Константин Белоусов. Исключения и прерывания на amd64: как ОС управляет компьютером

78 views

Published on

Доклад расскажет о том, как операционные системы (в частности, FreeBSD) управляют выполнением программ. О том, как исключительные ситуации, которые в действительности не слишком исключительные, дают ядру возможность контролировать исполнение пользовательского кода.

Published in: Education
no profile picture user

  • Login to see the comments

Embedded Fest 2019. Константин Белоусов. Исключения и прерывания на amd64: как ОС управляет компьютером

  1. 1. 1/18 x86-64 Exceptions: OS Perspective Konstantin Belousov kib@FreeBSD.org November 30, 2019, git date: 2019-11-25 (b) label 2Konstantin Belousov kib@FreeBSD.org x86-64 Exceptions: OS Perspective
  2. 2. 2/18 Agenda Architecture AMD64 = x86-64 = IA32-64 = IA32e Introductory half What is Exception Exceptions vs. Interrupts OS Handling of Exceptions Advanced half Segments and Segments Cache Exceptions on return to usermode POP %SS VMM Exceptions: VM Exits Konstantin Belousov kib@FreeBSD.org x86-64 Exceptions: OS Perspective
  3. 3. 3/18 What is Exception Core Loop CPU core fetches, decodes, and executes instructions. Speculatively and out-of-order. Hardware Assists Helpers used when normal execution fails. Examples: TLB miss: page table walker denormals: FPU handlers If something went bad If CPU has no way to execute instruction up to spec, it raises Exception. Konstantin Belousov kib@FreeBSD.org x86-64 Exceptions: OS Perspective
  4. 4. 4/18 What is Exception, cont. Exception Non-local control transfer Synchronous, hw execution context is recoverable Typically raise the privilege mode, change hw stack Cannot be masked * One instruction can cause more than one exception Not exceptional, in fact very common Allows control software (OS, VMM) to keep control Syscalls are not implemented as exceptions for long time Konstantin Belousov kib@FreeBSD.org x86-64 Exceptions: OS Perspective
  5. 5. 5/18 Interrupts Normal Interrupts Caused by external events Asynchronous Can be delayed (disabled, masked) * * Non-Maskable Interrupt Cannot be delayed ** ** Except inside NMI handler IRETQ reenables NMI Konstantin Belousov kib@FreeBSD.org x86-64 Exceptions: OS Perspective
  6. 6. 6/18 OS Handling of Exceptions Out of scope How CPU finds an exception handler: IDT, GDT, TSS, etc Try to handle Page fault: page-in Co-processor not available: load HW context, enable FPU Unsupported instruction: emulate Cannot handle Handle == Continue faulted execution Send synchronous signal to the thread Terminate the process Panic the machine Konstantin Belousov kib@FreeBSD.org x86-64 Exceptions: OS Perspective
  7. 7. 7/18 Exceptions and Signals Signals on Unhandled Exceptions #PF (Page Fault) SIGSEGV, SIGBUS #GP (General Protection Fault), #SS (Stack Fault), #NP (Segment Not Present), #AC (Alignment) SIGBUS #MF (x87 floating-point error), #XM (SIMD floating point error), #DE (Divide Exception), SIGFPE #UD (Invalid Opcode) SIGILL Konstantin Belousov kib@FreeBSD.org x86-64 Exceptions: OS Perspective
  8. 8. 8/18 End of Introductory Part Questions Konstantin Belousov kib@FreeBSD.org x86-64 Exceptions: OS Perspective
  9. 9. 9/18 x86 Segmentation Code Properties Code %cs Stack %ss Data %ds %es Segments Cache Thread Local Storage (TLS) User TLS base %fs, base MSR FSBASE Kernel TLS base (Per-CPU area, PCPU) %gs, two bases: GSBASE, KGSBASE SWAPGS Konstantin Belousov kib@FreeBSD.org x86-64 Exceptions: OS Perspective
  10. 10. 10/18 SWAPGS Kernel Entry /* interrupts disabled */ if (frame->cs.rpl != 0) /* from user */ SWAPGS; NMI Can interrupt code above Konstantin Belousov kib@FreeBSD.org x86-64 Exceptions: OS Perspective
  11. 11. 11/18 Return to Usermode The last kernel instructions SWAPGS IRETQ ... <Execution continues in user mode> IRETQ Frame %ss %rsp %rflags %cs %rip <- current %rsp Konstantin Belousov kib@FreeBSD.org x86-64 Exceptions: OS Perspective
  12. 12. 12/18 Return to Usermode, cont. What can go wrong ? %cs invalid → #np %ss invalid → #ss %rip not canonical → #gp %rsp not canonical → #ss GPF, Segment, and Stack Fault handlers User Mode → Signal Delivery Kernel Mode → Kernel Bug and panic ? Yes, unless faulted on IRETQ to usermode Kernel mode, but GSBASE is User, and User page tables (KPTI) Konstantin Belousov kib@FreeBSD.org x86-64 Exceptions: OS Perspective
  13. 13. 13/18 Delaying Exceptions Stack reload movq $STACKSEG,%ss movq $BASE,%rsp /* Intrs and breakpoints delayed */ next instruction /* Pending interrupts delivered */ Exploit movq $STACKSEG,%ss syscall <= Set hardware breakpoint there <KERNEL ENTRY> swapgs <= Exception occurs there Konstantin Belousov kib@FreeBSD.org x86-64 Exceptions: OS Perspective
  14. 14. 14/18 Delaying Exceptions: diagram User Code syscall entry #db handler, check prev mode SWAPGS #db handler body syscall #db kerneluser Exec modes: userspace, kernel Konstantin Belousov kib@FreeBSD.org x86-64 Exceptions: OS Perspective
  15. 15. 15/18 Delaying Exceptions Coordinated disclosure, MS lead CVE-2018-8897 Konstantin Belousov kib@FreeBSD.org x86-64 Exceptions: OS Perspective
  16. 16. 16/18 VMX Exceptions VM Exits Konstantin Belousov kib@FreeBSD.org x86-64 Exceptions: OS Perspective
  17. 17. 17/18 End of Second Part Questions Konstantin Belousov kib@FreeBSD.org x86-64 Exceptions: OS Perspective
  18. 18. 18/18 References Intel 64 and IA-32 Architectures Software Developer Manuals, Volume 3 AMD, AMD64 Architecture Programmer’s Manual Volume 2: System Programming Konstantin Belousov kib@FreeBSD.org x86-64 Exceptions: OS Perspective

×