2015 course SPPU SEIT syllabus, subject Processor Architecture and Interfacing (PAI). This covers the protection mechanism in the 80386 microprocessor, including conforming code segments and call gates.
Protection Mechanism in 80386
Subject: Processor Architecture & Interfacing
Class: SEIT
Prepared by Ms. K. D. Patil, AP, Department of IT, Sanjivani COE, Kopargaon.
1/23/20
Why Security?
● Computer system security measures prevent
  - Users from interfering with one another
  - Users from examining secure data
  - Program bugs from damaging other programs
  - Program bugs from damaging data
  - Malicious attempts to compromise system integrity
  - Accidental damage to data
Protection Mechanism
● The 80386 protection mechanism is divided into two parts:
● Memory Management: Segmentation & Paging
  - Memory management hardware catches most programming errors, such as bad or illegal address generation, runaway subscripts, and call/return stack corruption.
● Privilege Protection: Catches more subtle errors and malicious attempts to compromise the integrity of the system.
Protection in Segmentation
● When an attempt is made to access a segment, the 80386 first checks whether the descriptor table indexed by the selector contains a valid descriptor for that selector.
● If the selector refers to a location outside the limit of the descriptor table, or the descriptor table does not contain a valid descriptor, an exception is produced.
● The 80386 also checks whether the segment descriptor is of the right type to be loaded into the specified segment register cache.
Protection in Segmentation
● Example: the descriptor for a read-only data segment cannot be loaded into the SS register, because a segment that becomes a stack must be writable.
● A selector for a code segment which has been marked 'execute only' cannot be loaded into the DS register to allow reading the contents of the segment.
● Protection is provided through the following two checks:
  - Limit checking
  - Type checking
Type Checking
● The 'type' field of the descriptor specifies the type of the descriptor and the intended usage of the segment.
● The W, R, C, A and ED bits of the type field specify the usage of the segment and restrict the segment to that particular use only.
● Type checking is used to detect whether any program is attempting to use segments in ways not intended by the programmer.
Limit Checking
● The 80386 uses the limit field of a segment descriptor to prevent programs from addressing outside the segment.
● It interprets the limit field depending on the setting of the G (Granularity) bit.
● In the case of data segments the processor also checks the ED (Expand Downward) bit and the B bit.
● The 80386 causes a general protection exception when a program attempts to
  – Access a memory byte at an address > limit
  – Access a memory word at an address >= limit
  – Access a memory dword at an address >= (limit-2)
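As an added illustration (not from the slides), the limit rules above written out as a small C model of the 80386 limit check; it also covers the G bit and the expand-down (ED/B) case the slide mentions. The descriptor struct and function names are my own.

```c
#include <stdint.h>
#include <stdbool.h>

/* Model of the descriptor fields the limit check needs (added example, not the
 * slide author's code): the 20-bit raw limit plus the G, ED and B bits. */
typedef struct {
    uint32_t raw_limit;   /* 20-bit limit field as stored in the descriptor */
    bool g;               /* Granularity: 0 = limit in bytes, 1 = in 4 KiB pages */
    bool ed;              /* Expand-down data segment */
    bool b;               /* Big: upper bound of expand-down range is 4 GiB, else 64 KiB */
} seg_desc_t;

/* Effective limit: with G=1 the low 12 bits are treated as set, so the limit
 * always covers whole 4 KiB pages. */
uint32_t effective_limit(const seg_desc_t *d)
{
    uint32_t lim = d->raw_limit & 0xFFFFFu;
    return d->g ? (lim << 12) | 0xFFFu : lim;
}

/* Returns true if an access of `size` bytes (1, 2 or 4) at `offset` stays
 * inside the segment; false means the CPU would raise a general protection
 * exception. For expand-up segments this reproduces the slide's three rules:
 *   byte  faults if offset >  limit
 *   word  faults if offset >= limit
 *   dword faults if offset >= limit - 2
 * i.e. the last byte touched (offset + size - 1) must not exceed the limit. */
bool limit_check_ok(const seg_desc_t *d, uint32_t offset, uint32_t size)
{
    uint32_t limit = effective_limit(d);
    uint64_t last = (uint64_t)offset + size - 1;   /* 64-bit so it cannot wrap */

    if (!d->ed)
        return last <= limit;

    /* Expand-down: valid offsets run from limit+1 up to the upper bound,
     * which is 0xFFFFFFFF when B=1 and 0xFFFF when B=0. */
    uint64_t upper = d->b ? 0xFFFFFFFFu : 0xFFFFu;
    return offset > limit && last <= upper;
}
```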
Privilege Level Protection
● The privilege level protection consists of four levels of privilege numbered from 0 to 3.
● Privilege Level 0 is the most privileged level and PL3 is the least privileged.
● When running in protected mode, the 80386 continuously checks that the application is privileged enough to
  - Execute certain instructions
  - Reference data other than its own
  - Transfer control to code other than its own
Privilege Level Protection
● Descriptors contain a field called the descriptor privilege level (DPL).
● Selectors contain a field called the requestor's privilege level (RPL). The RPL is intended to represent the privilege level of the procedure that originated the selector.
● The 80386 stores the descriptors for the currently executing segments in an internal cache. The privilege level of such descriptors is referred to as the current privilege level (CPL).
Restricting Control Transfer
● In the case of a far JMP, CALL or RET, control is transferred to another segment.
● To successfully transfer control to another segment, both the RPL and the CPL must be a number less than or equal to the DPL of the segment.
● MAX (CPL, RPL) <= DPL
Privileged Instructions
● Privileged instructions are those that
  - affect the segmentation and protection mechanism
  - alter the interrupt flag
  - perform peripheral I/O
● To execute the first two types of instructions, code must be at CPL 0 (Current Privilege Level 0).
● The instructions on the next slide can be used in code segments whose descriptor privilege level is equal to 0.
Privileged Instructions
● The third type of instructions, those that perform I/O, are treated like the above, but here CPL does not necessarily have to be 0 for them to be executed; instead an application can execute these I/O instructions if CPL is less than or equal to the IOPL field in EFLAGS.
Changing Privilege Levels
● There are two ways to change privilege levels
  – Conforming code segments
  – Call gates
● A restriction: the segment which has the higher privilege level must be a conforming code segment.
● Alternatively, a segment which has a higher privilege level can be accessed using a special structure known as a call gate.
Conforming Code Segment
● A code segment is considered conforming if bit 2 of the access rights byte of its descriptor is set.
● A conforming code segment may or may not have read permission, just like a normal non-conforming code descriptor.
● Conforming code segments have no inherent privilege level of their own; they conform to the level of the code that calls them or jumps to them.
● e.g. If a program in a PL3 segment transfers control to a conforming code segment, then the conforming code runs with CPL equal to 3.
● For these reasons, conforming code segments should never contain privileged instructions.
● When control is transferred to a conforming code segment, the RPL bits of register CS are not changed to match the segment's DPL, as they normally would be; instead they reflect the correct CPL, the DPL of the non-conforming code segment that was executing.
Conforming Code Segment
● Can be defined with different privilege levels.
● Do not impart additional privileges.
● Do not remove existing privileges.
● Do not alter the RPL bits in the code segment register.
● Can be shared by code at all privilege levels.
● The DPL of a conforming code segment descriptor must always be less than or equal to the current CPL:
  DPL of conforming code segment <= current CPL
● You can transfer control only across or up. You can never transfer control to a segment whose DPL is greater (less privileged) than that of the current segment.
Call Gates
● A conforming code segment does not actually change your privilege level but conforms to the level of its caller; it does, however, allow programs running at different privilege levels to share one piece of code. This is ideal for shared libraries.
● To effect a real change in privilege level, you need to use a call gate.
● Call gates are defined like special system segment descriptors.
● A call gate acts as an interface layer between code at different privilege levels.
● Call gates are the only way to change privilege level in the 80386. No gate, no transfer.
● They do not define any memory space.
● They have no base or limit fields.
● Technically they are not descriptors, but it is convenient to place them in the descriptor tables.
● A call gate is simply put into the GDT/LDT, just like any other descriptor.
Call Gates
● The call gate is a mechanism that allows a procedure located in a segment with a higher privilege level to be called.
● The call gate defines the code segment and the exact offset where control is to be transferred.
● It is important that the CALL instruction refers to the call gate, not to the destination code segment. Applications can never reference a code segment at a different privilege level directly.
● JMPs are not allowed.
● The call gate defines the code segment to which control is to be transferred and the exact offset within that segment where execution will begin.
● You are not allowed to specify the desired offset in your program.
● When a program does a CALL to a procedure in another segment, the selector for that segment's call gate is placed into the visible portion, and the call gate descriptor into the hidden portion, of the CS register.
● Selectors pointing to a call gate descriptor cannot be loaded into the data segment registers (DS, ES, FS and GS) or the stack segment register (SS). They can be loaded into CS only.
Call Gate Format
Selector: Destination code segment
Offset: offset within destination code segment
DWORD Count: 0 to 31
DPL: Descriptor Privilege level
P: Descriptor present flag
● During the process, the validity of the control transfer is checked using four privilege levels:
  - The CPL
  - The RPL of the selector used to specify the call gate
  - The DPL of the gate descriptor
  - The DPL of the descriptor of the target executable segment
● For a valid control transfer, the transfer must satisfy the following privilege rule for the CALL instruction:
  Target DPL <= Max (RPL, CPL) <= Gate DPL
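An added C example (not the slides' code) that decodes an 80386 call gate descriptor with the fields listed on the Call Gate Format slide and applies the three transfer rules the slides state: MAX(CPL, RPL) <= DPL for a far JMP/CALL to a non-conforming code segment, DPL <= CPL for a conforming code segment, and Target DPL <= MAX(RPL, CPL) <= Gate DPL for a CALL through a gate. Struct and function names are my own; the 8-byte layout is the 80386's (offset low word, selector, dword count, access byte, offset high word).

```c
#include <stdint.h>
#include <stdbool.h>

/* Decoded 386 call gate (only the fields the slides list). */
typedef struct {
    uint16_t selector;     /* destination code segment */
    uint32_t offset;       /* entry offset inside that segment */
    uint8_t  dword_count;  /* 0..31 parameters copied to the new stack */
    uint8_t  dpl;          /* gate DPL */
    bool     present;      /* P flag */
    bool     valid;        /* access byte has S=0 and type 0xC (386 call gate) */
} call_gate_t;

/* Decode the 8-byte descriptor as stored in the GDT/LDT: bytes 0-1 offset[15:0],
 * 2-3 selector, 4 dword count (low 5 bits), 5 access byte, 6-7 offset[31:16]. */
call_gate_t decode_call_gate(const uint8_t d[8])
{
    call_gate_t g;
    g.offset      = (uint32_t)d[0] | (uint32_t)d[1] << 8
                  | (uint32_t)d[6] << 16 | (uint32_t)d[7] << 24;
    g.selector    = (uint16_t)(d[2] | d[3] << 8);
    g.dword_count = d[4] & 0x1F;
    g.present     = (d[5] & 0x80) != 0;
    g.dpl         = (d[5] >> 5) & 3;
    g.valid       = (d[5] & 0x1F) == 0x0C;
    return g;
}
static unsigned max_u(unsigned a, unsigned b) { return a > b ? a : b; }

/* Far JMP/CALL to a non-conforming code segment, as stated on the slide:
 * MAX(CPL, RPL) <= DPL. (The full 80386 check also requires DPL == CPL.) */
bool direct_transfer_ok(unsigned cpl, unsigned rpl, unsigned dpl)
{
    return max_u(cpl, rpl) <= dpl;
}

/* Conforming code segment: allowed when DPL <= CPL, and CPL stays as it was. */
bool conforming_transfer_ok(unsigned cpl, unsigned dpl) { return dpl <= cpl; }

/* CALL through a call gate: Target DPL <= MAX(RPL, CPL) <= Gate DPL, where RPL
 * comes from the gate selector. Returns the new CPL (the target's DPL), or -1
 * if the transfer would raise a general protection exception. */
int call_gate_transfer(unsigned cpl, uint16_t gate_sel, const call_gate_t *g,
                       unsigned target_dpl)
{
    unsigned eff = max_u(gate_sel & 3, cpl);   /* selector bits 1:0 hold the RPL */
    if (!g->valid || !g->present) return -1;
    if (target_dpl > eff || eff > g->dpl) return -1;
    return (int)target_dpl;
}
```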
References
● James Turley, "Advanced 80386 Programming Techniques", Tata McGraw Hill.
● Presentation shared by Prof. Tushar Kute at the time of the PAI FDP.