2. P.B.BOROLE 2
Protection Mechanism
The purpose of the protection features of the
Pentium is to help detect and identify bugs.
Protection in the Pentium has six aspects:
1. Type checking.
2. Limit checking.
3. Privilege level check
4. Restriction of addressable domain .
5. Restriction of procedure entry points.
6. Restriction of instruction set.
The protection hardware of the Pentium is an
integral part of the memory management
hardware.
3. P.B.BOROLE 3
Protection Mechanism
Protection applies both to segment translation
and to page translation.
Available in protected mode only.
Each reference to memory is checked by the
hardware to verify that it satisfies the
protection criteria.
All these checks are made before the memory
cycle is started; any violation prevents that
cycle from starting and results in an exception.
Since the checks are performed concurrently
with address formation, there is no
performance penalty.
4. P.B.BOROLE 4
Applied to procedures, privilege is the degree to
which the procedure can be trusted not to make
a mistake that might affect other procedures or
data.
Applied to data, privilege is the degree of
protection that a data structure should have
from less trusted procedures.
The segment is the unit of protection, and
segment descriptors store protection
parameters.
Protection checks are performed automatically
by the CPU when the selector of a segment
descriptor is loaded into a segment register and
with every segment access.
Protection Mechanism
5. P.B.BOROLE 5
Protection Mechanism
Segment registers hold the protection
parameters of the currently addressable
segments.
The protection parameters are placed in the
descriptor by systems software at the time a
descriptor is created.
In general, applications programmers do not
need to be concerned about protection
parameters.
When a program loads a selector into a
segment register, the processor loads not only
the base address of the segment but also
protection information.
subsequent protection checks on the same
segment do not consume additional clock
6. P.B.BOROLE 6
Multitasking and Protection
Task – Collection of Programs that
performs a specific function.
Function is also called process.
In protected mode, each process is
identified as an independent task.
Protects task’s memory resources from
unauthorized access.
Provides task switching mechanism.
Without protection mechanism
multitasking cannot be done.
7. P.B.BOROLE 7
Protection Mechanism types -1
Provides protection between application tasks
and system tasks.
All application tasks have least privilege level.
All system tasks have more privilege levels.
Application tasks and system tasks can be
distinguished by assigning different privilege
levels.
They are distinguish by assigning GDT to
system task and LDTs to the application tasks
9. P.B.BOROLE 9
Protection Mechanism types -3
Provides 4 protection or privilege levels.
OS level can be further divided into 3
additional levels viz. level 0, level 1 and
level 2.
Level 3 is still used by application tasks.
Each task can use level 2, level 1 and
level 0 programs under the control of OS.
Application task cannot modify level 0,
level 1 and level 2 OS programs.
11. P.B.BOROLE 11
Protection Mechanism types -3
Assigns separate LDT for each task. This
provides protection among tasks.
Isolation among tasks through LDTs.
LDT provides protection for segments of
each task.
Protection among code and data
segments.
12. P.B.BOROLE 12
Protection Type 2 Limit check
Segments are not allowed to overlap.
Provides protection among segments..
Protection is provided by Limit field of
descriptor.
The execution of current program will not be
extended into another code segment.
Data access will not go out of current data
segment.
Stack overflow or underflow will be detected.
A byte at an offset greater than the effective limit.
A word at an offset greater than the (effective-limit
– 1).
A doubleword at an offset greater than the
13. P.B.BOROLE 13
Protection Type 2 Limit check
A quadword at an offset greater than the
(effective-limit – 7)
Limit checking catches programming errors
such as runaway code, runaway subscripts,
and invalid pointer calculations.
These errors are detected when they occur,
so identification of the cause is easier.
In addition to checking segment limits, the
processor also checks descriptor table
limits.
14. P.B.BOROLE 14
Protection Type 5: Type checking
Type field of access right byte of descriptor is
used to identify type of segment.
Type checking can be used to detect
programming errors that would attempt to
use segments in ways not intended by the
programmer.
15. P.B.BOROLE 15
Protection Type 5: Type checking
Type field is used to distinguish between
system and non system segments. In system
segment, type of segment is important.
The processor uses this information( S bit) to
detect programming errors that result in an
attempt to use a segment or gate in an incorrect or
unintended manner..
In non system segment, it is used to distinguish between
code segment( conforming and nonconforming) and
data segment (stack and data).
16. P.B.BOROLE 16
Type checking
The processor examines type information on
two kinds of occasions:
1. When a selector of a descriptor is loaded into a
segment register. Certain segment registers can
contain only certain descriptor types; for
example:
The CS register can be loaded only with a
selector of an executable segment.
Selectors of executable segments that are not
readable cannot be loaded into data-segment
registers.
Only selectors of writable data segments can be
loaded into SS.
17. P.B.BOROLE 17
Type checking
2. When an instruction refers (implicitly or
explicitly) to a segment register. Certain
segments can be used by instructions only in
certain predefined ways; for example:
No instruction may write into an executable
segment.
No instruction may write into a data segment
if the writable bit is not set.
No instruction may read an executable
segment unless the readable bit is set.
The LDTR can only be loaded with a selector for
an LDT.
The task register can only be loaded with a
segment selector for a TSS.
18. P.B.BOROLE 18
Type checking
No instruction may write into an executable
segment.
No instruction may write into a data
segment if it is not writable.
No instruction may read an executable
segment unless the readable flag is set.
A far CALL or far JMP instruction can only
access a segment descriptor for a
conforming code segment, nonconforming
code segment, call gate, task gate, or TSS.
The LLDT instruction must reference a
segment descriptor for an LDT.
19. P.B.BOROLE 19
Type checking
The LTR instruction must reference a
segment descriptor for a TSS.
The LAR instruction must reference a
segment or gate descriptor for an LDT, TSS,
call gate, task gate, code segment, or data
segment.
The LSL instruction must reference a
segment descriptor for a LDT, TSS, code
segment, or data segment.
IDT entries must be interrupt, trap, or task
gates.
A null segment selector cannot be loaded
20. P.B.BOROLE 20
Protection Type 6: IO protection
Assigns separate protection levels for IO
ports.
IO instruction cannot access protected IO
ports.
Control IO routines are stored in kernel.
Application program cannot change
control words of protected IO devices.
To access IO port, the privilege level of
IO port should be numerically greater
than CPL.
21. P.B.BOROLE 21
Protection Type 7: Page Level
protection
Provides protection among pages of a segment.
One segment is shared by User and OS.
Two types of pages: User and Supervisor.
Enabled automatically when paging is enabled.
22. P.B.BOROLE 22
Protection Type 7: Page Level
protection
There is no mode bit for turning off page-level
protection once paging is enabled. However, page-
level protection can be disabled by performing the
following
operations: Clear the WP flag in control register
CR0.
• Set the read/write (R/W) and user/supervisor
(U/S) flags for each page-directory and pagetable
entry.
This action makes each page a writable, user
page, which in effect disables page-level
protection.
23. P.B.BOROLE 23
User page R/W
User Page R/W
User
Page R/W
pp=3
pp=2
pp=11
pp=0
User Page R
User Page R
Super page
Super page
Super page
TASK 1
Current
Segment
24. P.B.BOROLE 24
Protection Mechanism Concepts
PL – Privilege Level: One of the four hierarchical
privilege levels. PL = 0 -> Most Privilege level and PL =
3 -> Least Privilege level.
More Privilege Levels are numerically smaller than low
privilege levels.
RPL – Request Privilege Level: Privilege Level
provided by the selector. The processor checks
the RPL along with the CPL to determine if access
to a segment is allowed. If the RPL of a segment
selector is numerically greater than the CPL, the
RPL overrides the CPL, and vice versa.
The RPL can be used to insure that privileged
code does not access a segment on behalf of an
application program unless the program itself has
access privileges for that segment.
25. P.B.BOROLE 25
Protection Mechanism Concepts
DPL – Descriptor privilege Level: Determined by access
right byte of a descriptor. Less priority. Gives privilege
level of descriptor. The DPL of the segment or gate is
compared to the CPL and RPL of the segment or gate
selector. The DPL is interpreted differently, depending on
the type of segment or gate being accessed:
Data segment;. The DPL indicates the numerically highest
privilege level that a program or task can have to be
allowed to access the segment.
Nonconforming code segment (without using a call gate);
The DPL indicates the privilege level that a program or task
must be at to access the segment.
Call gate; The DPL indicates the numerically highest
privilege level that the currently executing program or task
can be at and still be able to access the call gate.
26. P.B.BOROLE 26
Protection Mechanism Concepts
Conforming code segment and nonconforming code
segment accessed through a call gate. The DPL indicates
the numerically lowest privilege level that a program or
task can have to be allowed to access the segment.
TSS; The DPL indicates the numerically highest privilege
level that the currently executing program or task can be at
and still be able to access the TSS.
CPL : Privilege Level of currently executing code
segment. Determined by lowest two bits of CS register
and SS register. Normally, the CPL is equal to the privilege
level of the code segment from which instructions are
being fetched. If the called segment is conforming type,
these two bits are not modified. Conforming code
segments can be accessed from any privilege level that is
equal to or numerically greater (less privileged) than the
DPL of the conforming code segment.
27. P.B.BOROLE 27
Protection Mechanism
Concepts
The processor changes the CPL when
program control is transferred to a code
segment with a different privilege level (
nonconforming type). But DPL should
be greater than CPL.
Normally the CPL is equal to the DPL
of the segment that the processor is
currently executing.
28. P.B.BOROLE 28
Rules of Privilege - DATA
To address operands in memory,the Pentium
program must load the selector of a data
segment into a data-segment register (DS, ES,
FS, GS and SS)
The processor automatically evaluates access to
a data segment by comparing privilege levels.
The evaluation is performed at the time a
selector for the descriptor of the target
segment is loaded into the data-segment
register. It performs a privilege check by
comparing the privilege levels of the currently
running program or task (the CPL), the RPL of the
segment selector, and the DPL of the segment’s
segment descriptor.
29. P.B.BOROLE 29
Privilege – check DATA
SEGMENT BASE 15 .. 0
BASE 23..16
BASE 31..24 G X 0 P
DPL S TYPE A
0
3
4
7
AVL
0
23 16 15 8 7
24
32
SEGMENT LIMIT 15 .. 0
DPL 1
0 E W
A
LIMIT
19..16 1 R
C
CS
RPL
CPL
INDEX
Target Segment Selector
Data Segment Descriptor
16-bit visible selector Invisible Descriptor
Privilege
Checked
By CPU
30. P.B.BOROLE 30
Checking:
When the selector of a descriptor is loaded into
a segment register
Restricting Access Data
Descriptors : DS, ES, FS, GS, or SS
CPL : current privilege level
DPL : seg descriptor of the segment
containing the operand
RPL : requestor's privilege of the selector ;
DPL MAX (CPL, RPL)
EPL
Stack : RPL = CPL
31. P.B.BOROLE 31
Privilege – check DATA
When CPL is zero, data segments at all
privilege levels are accessible; when CPL
is one, only data segments at privilege
levels one through three are accessible;
when CPL is three, only data segments at
privilege level three are accessible.
34. P.B.BOROLE 34
Accessing Data in code segment
The following techniques are adopted to access data
in code segment or program
1. Load a data-segment register with a selector of a
nonconforming, readable, executable segment.
2. Load a data-segment register with a selector of a
conforming, readable, executable segment.
3. Use a CS override prefix to read a readable,
executable segment whose selector is already loaded
in the CS register.
The same rules as for access to data segments apply
to case 1. Case 2 is always valid because the privilege
level of a segment whose conforming bit is set is
effectively the same as CPL regardless of its DPL.
Case 3 always valid because the DPL of the code
segment in CS is, by definition, equal to CPL.
35. P.B.BOROLE 35
Code segment access protection
Accessed by branch instructions only like JMP,
CALL, RET, INT and IRET
Two types of branch – intersegment and
intrasegment.
In intra segment, segment protection is not
available but page protection is available
because descriptor is common for calling and
called programs. Limit check is performed..
In intersegment, both segment and page
protections are available because descriptor is
not common for calling and called programs.
This protection mechanism (Privilege) is
intended to inter segment branch.
36. P.B.BOROLE 36
Protected mode task types
Single level task – single task system.
Multilevel task system – single task
system.
Multiple task system – multilevel.
37. P.B.BOROLE 37
Single level task system
In this system all programs have same
privilege level. Data may be at different
level.
Control is transferred from one program
to another at same level. CPL is not
changed.
Two types of control transfers:
Intrasegment and intersegment.
Intrasegment: Privilege levels are not
checked. Limit is checked. Paging
protection is available. To access data,
CPL DPL(data segment). To access stack
CPL = DPL(stack segment)
38. P.B.BOROLE 38
Single level task system
Intersegment: Far JMP or Far CALL is
executed.
Privilege levels are same for calling
programs and called programs.
Two types of called code segments viz.
conforming and non conforming.
For non conforming, CPL = DPL ( called
code)
For conforming, CPL DPL, but for single
level task CPL = DPL.
RPL CPL for nonconforming segments.
39. P.B.BOROLE 39
Single level task system
For conforming code segment, RPL is not checked.
For conforming code segment, CPL is not changed,
hence New CPL = Old CPL.
For conforming code segment, the level of stack is not
changed.
Called program can use stack of calling program.
Conforming code segments are math library, exception
handler, which are executed at lower privilege levels.
Allows the called segment to take on the level of the
calling segment. This is used by IO driver that can be
executed at all level, but should not change original
level.
Called Conforming code segment access data at calling
segment level.
40. P.B.BOROLE 40
Single level task system
To access data :
(DPL) data segment max ( CPL, RPL of
data selector).
To access stack:
(RPL)ss = (CPL) = (DPL)stack segment
41. P.B.BOROLE 41
Multilevel task – single task system
Control is transferred from one privilege level
to another privilege level.
Intrasegment JMP or CALL is not allowed for
interlevel transfer.
Intersegment far JMP or far CALL is allowed in
multilevel task.
The operand selects the descriptor of another
executable segment (Case 1).
The operand selects a call gate descriptor
( Case2).
Single level task is also allowed.
Privilege level will change.
42. P.B.BOROLE 42
Multilevel task - case 1
For nonconforming segment (CPL)calling
segment = (DPL)called segment and RPL
(CPL)calling segment
When the segment selector of a
nonconforming code segment is loaded into
the CS register, the privilege level field is
not changed; that is, it remains at the CPL
(which is the privilege level of the calling
procedure). This is true, even if the RPL of
the segment selector is different from the
CPL.
43. P.B.BOROLE 43
Multilevel task - case 1
For conforming segment (CPL)calling segment (DPL) called
segment
For conforming code segments, the DPL represents the
numerically lowest privilege level that a calling procedure
may be at to successfully make a call to the code segment.
When program control is transferred to a conforming code
segment, the CPL does not change, even if the DPL of the
destination code segment is less than the CPL.
Keeping the CPL at the level of a calling code segment
when switching to a conforming code segment prevents an
application program from accessing nonconforming code
segments while at the privilege level (DPL) of a conforming
code segment and thus prevents it from accessing more
privileged data.
Most code segments are nonconforming.
44. P.B.BOROLE 44
Privilege
check
by CPU
Restricting Control Transfers
Intrasegment
Jmp Call
Ret E
1
3
2
Intersegment
Jmp Call
Ret
E E
1
2
3
DPL =1
Conforming
Code
Seg
E
E
E
1
2
3
Calling a Confirming Segment
SEGMENT BASE 15 .. 0
BASE 23..16
BASE 31..24 G X 0 P
DPL S TYPE A
0
3
4
7
AVL
0
23 16 15 8 7
24
32
SEGMENT LIMIT 15 .. 0
DPL 1 0 E W A
LIMIT
19..16 1 R
C
CS CPL
Data Segment Descriptor
16-bit visible selector Invisible Descriptor
45. P.B.BOROLE 45
Multilevel task - case 1
JMPs can be made to a nonconforming code segment
with the same privilege level.
JMPs can be made to a conforming code segment with
less or equal privilege level.
CALLs can be made to a nonconforming code segment
with the same privilege.
Interrupts handled within a task obey the same
privilege rules as CALLs.
Conforming code segments are accessible by privilege
levels which are the same or greater privilege than the
conforming code segment’s DPL.
The JMP instruction may never transfer control to a
nonconforming segment whose DPL does not equal
CPL.
48. P.B.BOROLE 48
Multilevel task case 2
To provide controlled access to code
segments with different privilege levels, the
processor provides special set of
descriptors called gate descriptors.
Gates are used when the privilege level of
called segment is greater than calling
segment i.e (CPL) > (DPL)called segment
Gate provides entry point to high privilege
level programs.
Gate alters CPL indirectly.
Gate is legal entry point for high privilege
programs.
49. P.B.BOROLE 49
OFFSET 15 .. 0
SELECTOR
DWORD
COUNT
OFFSET 31..16 P DPL 0 TYPE 0 0 0
0
3
4
7
0
23 16 15 8 7
24
32
Gate Descriptors
Call Gates
Trap Gates
Interrupt Gates
Task Gates
Call Gates
To define an entry point of a procedure
To specify the privilege level required to
enter a procedure
50. P.B.BOROLE 50
Gate Descriptors
Type: Indicates type of gate.
TYPE GATE
0100 16 bit call gate
0101 16 bit or 32 bit Task gate
0110 16 bit interrupt gate
0111 16 bit trap gate
1100 32 bit call gate
1110 32 bit interrupt gate
1111 32 bit trap gate
51. P.B.BOROLE 51
Gate Descriptors
P= 0 : Descriptor contents are not valid
P= 1: Descriptor contents are valid.
DPL: Least privilege level at which may
access.
Word count: 5 bit field; Value varies from 0
to 31. Indicates number of double words to
copy from calling stack to called stack.
This field present in CALL gate only.
Selector: 16 bit field: Points descriptor of
called segment stored in GDT or LDT.
Offset: Added into base address of
descriptor.
52. P.B.BOROLE 52
Gate Descriptors
Gates provide a level of indirection
between the calling and called programs..
Allows the processor to automatically
perform protection checks.
Allows system designer to control entry
point to the OS.
Used to change privilege level securely.
Provide protected indirect call.
53. P.B.BOROLE 53
CALL gate descriptor
A call-gate descriptor may reside in the GDT or in an LDT,
but not in the interrupt descriptor table (IDT).
It performs six functions:
• It specifies the code segment to be accessed.
• It defines an entry point for a procedure in the specified
code segment.
• It specifies the privilege level required for a caller trying
to access the procedure.
If a stack switch occurs, it specifies the number of optional
parameters to be copied between stacks.
• It defines the size of values to be pushed onto the target
stack: 16-bit gates force 16-bit pushes and 32-bit gates
force 32-bit pushes.
• It specifies whether the call-gate descriptor is valid.
54. P.B.BOROLE 54
CALL gate descriptor
The application program need not know
the actual location of the target.
Offset address is supplied by gate, hence
offset address provided by instruction is
ignored.
The location of target program can be
changed by modifying contents of Gate.
This is particularly useful when OS
updates, the program remains
compatible.
Call gate descriptors are used by call and
jump instructions in the same manner as
code segment descriptors.
55. P.B.BOROLE 55
CALL gate descriptor
The selector and offset fields of a gate form a
pointer to the entry point of a procedure.
A call gate guarantees that all transitions to
another segment go to a valid entry point,
rather than possibly into the middle of a
procedure (or worse, into the middle of an
instruction).
The far pointer operand of the control transfer
instruction does not point to the segment and
offset of the target instruction; rather, the
selector part of the pointer selects a gate, and
the offset is not used.
56. P.B.BOROLE 56
Call Gate Mechanism
Call gate: control transfers to more
privileged levels or to the same
privilege level
Call : to more privileged levels
JMP : same privilege level or to a
confirming code segment with the
same or a more privileged level
57. P.B.BOROLE 57
Call Gate Mechanism
Four different privilege levels are used to check
the validity of a program control transfer through a
call gate:
• The CPL (current privilege level).
• The RPL (requestor's privilege level) of the call
gate’s selector.
• The DPL (descriptor privilege level) of the call
gate descriptor.
• The DPL of the segment descriptor of the
destination code segment.
The C flag (conforming) in the segment descriptor
for the destination code segment is also checked.
58. P.B.BOROLE 58
Call-gate operation
OPCODE SELECTOR
CALL
OFFSET
(NOT USED) RPL
INDEX
EXECUTABLE
SEGMENT
DESCRIPTOR
DESCRIPTOR TABLE
GATE
DESCRIPTOR CNT
DPL
OFFSET
OFFSET
SELECTOR
EXECUTABLE
SEGMENT
BASE
BASE
BASE
60. P.B.BOROLE 60
Call Gate Protection
The DPL field of the gate descriptor determines
what privilege levels can use the gate.
Gates can be used for control transfers to
numerically smaller privilege levels or to the
same privilege level (though they are not
necessary for transfers to the same level).
Only CALL instructions can use gates to transfer
to numerically smaller privilege levels.
Gate may be used by a JMP instruction only to
transfer to an executable segment with the
same privilege level or to a conforming
segment.
61. P.B.BOROLE 61
Call-gate operation
JMP
nonconforming segment
MAX(CPL, RPL) gate DPL
destination code segment DPL = CPL
CALL (JMP instruction to a confirming segment)
MAX(CPL, RPL) gate DPL
destination code segment DPL CPL
1
3
2
G
G
E
E
E
1
3
2
G
E
G
E
E
62. P.B.BOROLE 62
Call Gate Protection
To access a call gate, the CPL of a calling
procedure must be equal to or less than the DPL
of the call gate.
The RPL must be less than or equal to the DPL of
the call gate.
63. P.B.BOROLE 63
Call Gate Protection
If the privilege checks between the calling
procedure and call gate are successful, the
processor then checks the DPL of the code-
segment descriptor against the CPL of the calling
procedure.
Only CALL instructions can use call gates to
transfer program control to more privileged
(numerically lower privilege level) nonconforming
code segments; that is, to nonconforming code
segments with a DPL less than the CPL.
64. P.B.BOROLE 64
Call Gate Protection
A JMP instruction can use a call gate only to
transfer program control to a
nonconforming code segment with a DPL
equal to the CPL.
65. P.B.BOROLE 65
Call Gate Protection
CALL and JMP instruction can both transfer
program control to a more privileged
conforming code segment; that is, to a
conforming code segment with a DPL less
than or equal to the CPL.
If a call is made to a more privileged
(numerically lower privilege level)
nonconforming destination code segment,
the CPL is lowered to the DPL of the
destination code segment and a stack
switch occurs.
66. P.B.BOROLE 66
Call Gate Protection
If a call or jump is made to a more privileged
conforming destination code segment, the
CPL is not changed and no stack switch
occurs.
Call gates allow a single code segment to
have procedures that can be accessed at
different privilege levels. For example, an
operating system located in a code segment
may have some services which are intended
to be used by both the operating system
and application software (such as
procedures for handling character I/O).
67. P.B.BOROLE 67
Stack switching
For CALL gate the pentium selects new stack
i.e. stack of target.
This stack switching is carried out to prevent more
privileged procedures from crashing due to
insufficient stack space.
It also prevents less privileged procedures from
interfering (by accident or intent) with more
privileged procedures through a shared stack.
Each task must define up to 4 stacks.
The segment selector and stack pointer for the
privilege level 3 stack is located in the SS and ESP
registers, respectively, when privilege-level-3 code
is being executed and is automatically stored on
the called procedure’s stack when a stack switch
occurs.
68. P.B.BOROLE 68
Stack switching
Pointers to the privilege level 0, 1, and 2
stacks are stored in the TSS for the currently
running task
Each of these pointers consists of a segment
selector and a stack pointer (loaded into the
ESP register).
These initial pointers are strictly read-only
values. The processor does not change them
while the task is running.
They are used only to create new stacks when
calls are made to more privileged levels
(numerically lower privilege levels).
These stacks are disposed of when a return is
made from the called procedure.
69. P.B.BOROLE 69
Stack switching
The operating system is responsible for creating
stacks and stack-segment descriptors for all the
privilege levels to be used and for loading initial
pointers for these stacks into the TSS.
Each stack must be read/write accessible (as
specified in the type field of its segment
descriptor) and must contain enough space (as
specified in the limit field) to hold the following
items:
• The contents of the SS, ESP, CS, and EIP
registers for the calling procedure.
• The parameters and temporary variables required
by the called procedure.
• The EFLAGS register and error code, when
implicit calls are made to an exception or interrupt
70. P.B.BOROLE 70
Stack switching
The stack will need to require enough space to
contain many frames of these items, because
procedures often call other procedures, and an
operating system may support nesting of multiple
interrupts.
The DPL of the new stack data segment must
equal the new CPL; if it does not, a stack
exception occurs.
To make privilege transitions transparent to the
called procedure, the processor copies the
parameters to the new stack.
The count field of a call gate tells the processor
how many double words (up to 31) to copy
from the caller's stack to the new stack. If the
count is zero, no parameters are copied.
71. P.B.BOROLE 71
Stack switching
The processor performs the following stack-
related steps in executing an interlevel CALL.
1. The new stack is checked to assure that it is
large enough to hold the parameters and
linkages; if it is not, a stack fault occurs with an
error code of 0.
2. The old value of the stack registers SS:ESP is
pushed onto the new stack as two double
words.
3. The parameters are copied.
4. A pointer to the instruction after the CALL
instruction (the former value of CS:EIP) is
pushed onto the new stack. The final value of
SS:ESP points to this return pointer on the new
stack.
73. P.B.BOROLE 73
Stack switching
The TSS does not have a stack pointer for a
privilege level 3 stack, because privilege level 3
cannot be called by any procedure at any other
privilege level.
Procedures that may be called from another
privilege level and that require more than the
31 double words for parameters must use the
saved SS:ESP link to access all parameters
beyond the last double word copied.
A call via a call gate does not check the values
of the words copied onto the new stack. The
called procedure should check each parameter
for validity.
74. P.B.BOROLE 74
CG
C
C C
Call through the
Gate cannot be
Made from level3
Call cannot be made from level 0
Because of the called code
segment’s level
0
1
2
3
77. P.B.BOROLE 77
PRIVILEGED INSTRUCTIONS
Some of the system instructions can be
executed only when the CPL is 0
E.g.
• LGDT—Load GDT register.
• LLDT—Load LDT register.
• LTR—Load task register.
• LIDT—Load IDT register.
• MOV (control registers)—Load and store control
registers.
• LMSW—Load machine status word.
CLTS—Clear task-switched flag in register CR0.
• MOV (debug registers)—Load and store debug
registers.
79. P.B.BOROLE 79
POINTER VALIDATION
When operating in protected mode, the processor
validates all pointers to enforce protection
between segments and maintain isolation between
privilege levels. Pointer validation consists of the
following checks:
1. Checking access rights to determine if the
segment type is compatible with its use.
2. Checking read/write rights
3. Checking if the pointer offset exceeds the
segment limit.
4. Checking if the supplier of the pointer is allowed
to access the segment.
5. Checking the offset alignment.
80. P.B.BOROLE 80
POINTER VALIDATION
The processor automatically performs first,
second, and third checks during instruction
execution. Software must explicitly request
the fourth check by issuing an ARPL
instruction. The fifth check (offset
alignment) is performed automatically at
privilege level 3 if alignment checking is
turned on. Offset alignment does not affect
isolation of privilege levels.
81. P.B.BOROLE 81
Checking Access Rights (LAR
Instruction)
When the processor accesses a segment using a
far pointer, it performs an access rights check on
the segment descriptor pointed to by the far
pointer. This check is performed to determine if
type and privilege level (DPL) of the segment
descriptor are compatible with the operation to be
performed. To prevent type incompatibility
exceptions from being generated, software can
check the access rights of a segment descriptor
using the LAR (load access rights) instruction.
The LAR instruction
specifies the segment selector for the segment
descriptor whose access rights are to be checked
82. P.B.BOROLE 82
Checking Access Rights (LAR
Instruction)
The instruction then performs the following
operations:
1. Check that the segment selector is not null.
83. P.B.BOROLE 83
Checking Access Rights (LAR
Instruction)
2. Checks that the segment selector points to a
segment descriptor that is within the descriptor
table limit (GDT or LDT
3. Checks that the segment descriptor is a code,
data, LDT, call gate, task gate, or TSS segment-
descriptor type.
4. If the segment is not a conforming code
segment, checks if the segment descriptor is
visible at the CPL (that is, if the CPL and the RPL
of the segment selector are less than or equal to
the DPL).
84. P.B.BOROLE 84
Checking Access Rights
(LAR Instruction)
5. If the privilege level and type checks
pass, loads the second doubleword of the
segment descriptor into the destination
register (masked by the value 00FXFF00H,
where X indicates that the corresponding 4
bits are undefined) and sets the ZF flag in
the EFLAGS register. If the segment selector
is not visible at the current privilege level or
is an invalid type for the LAR instruction,
the instruction does not modify the
destination register and clears the ZF flag.
85. P.B.BOROLE 85
Checking Read/Write Rights
VERR and VERW Instructions are used.
When the processor accesses any code or
data segment it checks the read/write
privileges assigned to the segment to verify
that the intended read or write operation is
allowed. Software can check read/write
rights using the VERR (verify for reading)
and VERW (verify for writing) instructions.
Both these instructions specify the segment
selector for the segment being checked. The
instructions then perform the following
operations:
86. P.B.BOROLE 86
Checking Read/Write Rights
1. Check that the segment selector is not null.
2. Checks that the segment selector points to a
segment descriptor that is within the descriptor
table limit (GDT or LDT).
87. P.B.BOROLE 87
Checking Read/Write Rights
3. Checks that the segment descriptor is a code or
data-segment descriptor type.
4. If the segment is not a conforming code
segment, checks if the segment descriptor is
visible at the CPL (that is, if the CPL and the RPL
of the segment selector are less than or equal to
the DPL).
5. Checks that the segment is readable (for the
VERR instruction) or writable (for the VERW)
instruction.
88. P.B.BOROLE 88
Checking Read/Write Rights
The VERR instruction sets the ZF
flag in the EFLAGS register if the
segment is visible at the CPL and
readable; the VERW sets the ZF flag
if the segment is visible and writable.
(Code segments are never writable.)
The ZF flag is cleared if any of these
checks fail.
89. P.B.BOROLE 89
Checking limit of pointer access
When the processor accesses any segment it
performs a limit check to insure that the offset is
within the limit of the segment. Software can
perform this limit check using the LSL (load
segment limit) instruction.
The instruction then performs the following
operations:
1. Check that the segment selector is not null.
90. P.B.BOROLE 90
Checking limit of pointer access
2. Checks that the segment selector points to a
segment descriptor that is within the descriptor
table limit (GDT or LDT).
3. Checks that the segment descriptor is a code,
data, LDT, or TSS segment-descriptor type.
4. If the segment is not a conforming code
segment, checks if the segment descriptor is
visible at the CPL (that is, if the CPL and the RPL
of the segment selector less than or equal to the
DPL).
91. P.B.BOROLE 91
Checking limit of pointer access
5. If the privilege level and type checks
pass, loads the unscrambled limit (the limit
scaled according to the setting of the G flag
in the segment descriptor) into the
destination register and sets the ZF flag in
the EFLAGS register. If the segment selector
is not visible at the current privilege level or
is an invalid type for the LSL instruction, the
instruction does not modify the destination
register and clears the ZF flag
Once loaded in the destination register,
software can compare the segment limit
with the offset of a pointer.
92. P.B.BOROLE 92
Trojan Horse Attack
This is the weak point of Pentium.
This type of attack or privilege rule violation is
not detected by protection mechanism
Trojan Horse is an illegal pointer that can
access high privilege level data.
Malicious program can use this parameter to
corrupt protected data.
Transparent to the protection mechanism.
This type of attack occurs due parameter
passing mechanism of CALL gate.
Parameters are checked by protection
mechanism.
93. P.B.BOROLE 93
Trojan Horse Attack operation
1) Consider CPL =3 having data pointer that
points level 0 data (e.g.. IO command words)
2) A control to be transferred from Level 3
program to level 0 program.
3) This control transfer cannot be done directly.
4) Level 3 program uses CALL gate.
5) During CALL gate mechanism level 3
program pushes level 0 data pointer on the
stack.
6) Control is transferred from level 3 program
to level 0 IO program with level 0 pointer.(This
is equivalent to the horse that gained entry
onto Troy.)
94. P.B.BOROLE 94
Trojan Horse Attack operation
7) Level 0 IO program can access IO
command word by using level 3
pointer(horse) without protection fault.
8)This is not desirable, because level 3
pointer is accessing level 0 data.
9) This is Trojan horse attack.
10) In this case, application program can
modify IO command words. This may
damage hardware.
11) Applications:- Develop Virus.
96. P.B.BOROLE 96
How to solve this problem
ARPL instruction is provided to prevent such an
attack.
ARPL instruction is used to increase the RPL of
an address pointer passed by calling program.
This will change the EPL. E.g.. CPL of calling
segment is 3, DPL of data pointer is 2 and called
procedure sets the RPL of the data pointer to 3
then EPL = max(1,3) = 3. But DPL = 2, hence
DPL < EPL. Hence access is not allowed.
ARPL instruction is used to increase RPL field of
a selector in memory or register, destination to
match the protection level of the selector in a
register source.
97. P.B.BOROLE 97
How to solve this problem
The called procedure can guard against the type
of Trojan Horse attack.
ARPL instruction has two operands:
Word operand( Memory or Register).
Register.
Both operands are assumed to be selectors.
ARPL D,R16
D specifies the selector whose RPL field is
increased to match the RPL field in the register.
ARPL compares lower two bits of D and R16 and
loads two bits of D with maximum value.
[Max (D,R16)]2 [D]2.
98. P.B.BOROLE 98
How to solve this problem
If ARPL increases the RPL of the first
operand(D),then it sets zero flag otherwise
clears zero flag.
A cautious procedure can thus load the selector
from its return address into a register and then
apply ARPL to each parameter selector in order
to guard against attack.
Those programmers unconcerned about Trojan
Horses may find the following observations
reassuring:
1) If a program uses an RPL of 0 in all of its
selectors, it can be used in any ring without
danger of spurious protection exceptions. This
is because the criterion for legal access is:
DPL max(CPL,RPL) = max (CPL,0) = CPL
99. P.B.BOROLE 99
How to solve this problem
2 A program running just in ring 3( the user
ring) produces the same results, no matter
what RPL values it uses. This is because the
criterion for a legal is:
DPL max (CPL,RPL) = max(3,RPL) =3
There are two instructions that check whether
or not a segment is accessible without risking
protection exception.VERR(Verify for Reading)
takes a word operand ( memory or register)
which is to be considered to be selector. If it’s
okay use the selector for reading, then VERR
sets the zero flag. VERW is similar to VERR
except it checks to see if writing is permitted.
100. P.B.BOROLE 100
How to solve this problem
The following program must be used to avoid attack:
LVLOPROC: PROC FAR WC(1)
PUSH EBP
MOV EBP,ESP
MOV EAX,[EBP+4]
ARPL [EBP+6],AX
MOV DS,[EBP+6]
:
:
POP EBP
RET 2
LVLOPROC ENDP
ARPL is not needed for level3 segment. ARPL is not needed
for a special Purpose code segments that is called by limited
101. P.B.BOROLE 101
Checking Alignment
When the CPL is 3, alignment of memory
references can be checked by setting the
AM flag in the CR0 register and the AC flag
in the EFLAGS register. Unaligned memory
references generate alignment exceptions
(#AC). The processor does not generate
alignment exceptions when operating at
privilege level 0, 1, or 2.