    shankarkolli, November 8, 2006 3:11 AM PST
    Ring Architecture

    I've been recently exploring the x86 security mechanism (ring architecture). Unfortunately I've hit a few roadblocks to further progress, and I'm having a hard time finding any of the answers. I apologize if this isn't the place to field such questions.

    The only mechanism to access higher privilege level code from a lower privilege level is through a Call Gate. When we use a call gate, it points to a Descriptor Table and then you do some comparisons between RPL, CPL, DPL before giving access to that code. I understand that this Descriptor Table resides in memory. What I am confused about is the protection of this Descriptor Table. If this Descriptor Table resides in a lower privilege level, then we could modify it using any MOV instruction, right? So I guess it has to reside in a higher privilege level (maybe level 0) to be sure that we do not modify it. Correct me if I am wrong.

    I have been looking at the Intel Architecture Software Developer's Manual about this protection mechanism. But they do not precisely state the privilege level of the Descriptor Table. So I am wondering what the mechanisms are that prevent modification of the Descriptor Table.

    Any help would be greatly appreciated.

    Thanks,


    Intel Software Network Support, November 8, 2006 6:18 PM PST

    Re: Ring Architecture

    We forwarded your question to our application engineering team.  One engineer responds:

    You should re-read Sections 4.8, 4.8.3 and 4.9 of "Intel® 64 and IA-32 Architectures Software Developer's Manual, Volume 3A: System Programming Guide, Part 1". I presume that you are on IA-32 and using Call Gates / SYSENTER/SYSEXIT and not IA-32e and using SYSCALL/SYSRET. A call-gate descriptor will reside in the GDT or in an LDT, and the only way to affect these is through use of privileged instructions, LGDT and LLDT, which are protected from use by application programs.
     
    "The privileged instructions control system functions (such as the loading of system registers). They can be executed only when the CPL is 0 (most privileged). If one of these instructions is executed when the CPL is not 0, a general-protection exception (#GP) is generated."
     
    "To access a call gate, a far pointer to the gate is provided as a target operand in a CALL or JMP instruction. The segment selector from this pointer identifies the call gate; the offset from the pointer is required, but not used or checked by the processor. When the processor has accessed the call gate, it uses the segment selector from the call gate to locate the segment descriptor for the destination code segment. This segment descriptor can be in the GDT or the LDT. It then combines the base address from the code-segment descriptor with the offset from the call gate to form the linear address of the procedure entry point in the code segment."
     
    So while you can munge together any GDT/LDT of your choosing, one cannot load the table and thus affect privileged state unless you were already at ring 0.

    ==

    Lexi S.

    Intel(R) Software Network Support

    http://www.intel.com/software

    Contact us

     



    shankarkolli, November 9, 2006 7:23 PM PST

    Re: Ring Architecture

    Thanks a lot for the reply. I think I didn't make my point clear.

    I will try to explain the problem with the help of a simple example.

    Let's assume the GDT starts at a memory address, say 100 (to make things simple), and it is already loaded into GDTR.

    Let's say I am currently at ring 3 and need access to a higher privilege level. Then I should access this GDT via a call gate and do some privilege checking. If the privilege checking fails then the access is denied.

    What I am wondering is that we could always do a hack like the following and pass the privilege checking -

    MOV some_value, appropriate_entry_inGDT

    We can modify the GDT in memory with the above instruction and hack the appropriate entry, and then I can follow it with a call gate access, now with the right privilege levels, to access a higher privilege level.

    What I am wondering about is the mechanisms that prevent this MOV instruction from being executed.

    Hope I made my problem clear.

    Thanks,


    Intel Software Network Support, November 9, 2006 7:45 PM PST

    Re: Ring Architecture

    Hi,

    Another of our engineers asked us to relay the following to you:

    As far as I see, your confusion is about where the Descriptor Table is stored ('in which privilege level') and what the chances are for your application to modify it.

    If so, I will try to give a simple answer, which is related to memory management in protected mode, which was introduced in the x386 and has in principle remained the same up to EM64T - the 64-bit processor - in fact.

    The term 'Ring Architecture' is a logical concept, and is implemented by the Intel® micro-architecture in the following way:

    Any code has a given privilege level (Intel calls it ring 0-3, and now -1 for VT server - to keep the same ring 0 for the host OS's highest privilege). Physically, this ring number is a property of a code segment and is stored in the Segment Descriptor in that descriptor table.

    Thus, the processor always knows the ring level while running a piece of code, and the privilege level of the data it accesses, and can prevent different violations by generating an exception (interruption) - and call some OS callbacks (see details in chapter 4).

    'Call Gate' is, as you mentioned, the mechanism to call procedures with a higher privilege level in some safe way.

    Descriptor tables are stored in 'Main Memory'. The processor has registers where it stores the LINEAR address of those tables: GDTR and LDTR (without paging, the linear address equals the physical address; with paging, it is an address in the virtual memory space).

    At system boot - and this is the responsibility of the OS (on the x386 this stuff was executed in real mode before switching to protected mode; now I am not sure what it's called, but I would say real addressing mode) - the OS code first does all initialization/resets of hardware, including creating the descriptor tables and setting their linear addresses into GDTR and LDTR. Before this, any addressing in protected mode is not possible.

    As already replied, the set of instructions which are limited to ring 0 includes the instructions to load those registers - you cannot call them from lower privilege level code.

    Thus, you cannot reload these registers; you can call 'kernel' code which sets them; and you cannot directly access the memory where the descriptor tables are - just because there is no descriptor which will point you, in protected (segmented address) mode, to those tables, but the processor already has access to them via the linear address in its registers.

    Does it make sense?

    If this is unclear, all details are in the manual in the already-mentioned chapters. The only thing to note is that, finally, the OS is responsible for the right use of the processor's technology.

    ==

    Lexi S.

    Intel(R) Software Network Support

    http://www.intel.com/software

    Contact us
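A worked model of the checks both Intel replies describe, added here as an example and not code from Intel or the SDM: it decodes constructed 32-bit GDT entries, applies the CALL-through-call-gate privilege rules from SDM Vol. 3A section 4.8.3 (CPL and RPL no greater than the gate DPL, destination code-segment DPL no greater than CPL), and models LGDT as usable only at CPL 0. The sample table, descriptor values and function names are all constructed for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* 8-byte GDT/LDT entry laid out as in SDM Vol. 3A (32-bit descriptors). */
typedef struct { uint64_t raw; } descriptor_t;
typedef struct { const descriptor_t *table; unsigned entries; } gdt_t;

static unsigned dpl_of(descriptor_t d)      { return (d.raw >> 45) & 3; }
static bool     present(descriptor_t d)     { return (d.raw >> 47) & 1; }
static unsigned type_of(descriptor_t d)     { return (d.raw >> 40) & 0xF; }
static bool     is_system(descriptor_t d)   { return !((d.raw >> 44) & 1); } /* S bit = 0 */
static bool     is_call_gate(descriptor_t d){ return is_system(d) && type_of(d) == 0xC; }
static bool     is_code_seg(descriptor_t d) { return !is_system(d) && (type_of(d) & 0x8); }
static uint16_t gate_target(descriptor_t d) { return (d.raw >> 16) & 0xFFFF; }

/* Builders used only for the constructed sample table below. */
static descriptor_t code_desc(unsigned dpl) {   /* non-conforming, readable, flat 4 GiB */
    return (descriptor_t){ 0xFFFFULL | (0xAULL << 40) | (1ULL << 44) | ((uint64_t)dpl << 45)
                         | (1ULL << 47) | (0xFULL << 48) | (0xCULL << 52) };
}
static descriptor_t call_gate(uint16_t target, unsigned dpl, uint32_t off) {
    return (descriptor_t){ (off & 0xFFFF) | ((uint64_t)target << 16) | (0xCULL << 40)
                         | ((uint64_t)dpl << 45) | (1ULL << 47) | ((uint64_t)(off >> 16) << 48) };
}

/* CALL through a call gate (SDM 4.8.3): CPL <= gate DPL, RPL <= gate DPL and
 * destination code-segment DPL <= CPL; anything else raises #GP. */
static bool call_gate_allowed(const gdt_t *g, unsigned cpl, uint16_t sel) {
    unsigned rpl = sel & 3, idx = sel >> 3;
    if (idx >= g->entries) return false;
    descriptor_t gate = g->table[idx];
    if (!present(gate) || !is_call_gate(gate)) return false;
    if (cpl > dpl_of(gate) || rpl > dpl_of(gate)) return false;
    unsigned tidx = gate_target(gate) >> 3;
    if (tidx >= g->entries) return false;
    descriptor_t tgt = g->table[tidx];
    return present(tgt) && is_code_seg(tgt) && dpl_of(tgt) <= cpl;
}

/* LGDT/LLDT are privileged: #GP unless CPL == 0, so a table assembled in user
 * memory can never become the active one from ring 3. */
static bool lgdt_allowed(unsigned cpl) { return cpl == 0; }

/* Constructed sample GDT: 0 null, 1 kernel code (DPL 0), 2 user code (DPL 3),
 * 3 system-call gate (DPL 3, into kernel code), 4 kernel-only gate (DPL 0). */
static const gdt_t *sample_gdt(void) {
    static descriptor_t e[5];
    static gdt_t g = { e, 5 };
    e[1] = code_desc(0); e[2] = code_desc(3);
    e[3] = call_gate(0x08, 3, 0x1000); e[4] = call_gate(0x08, 0, 0x2000);
    return &g;
}
```

With this table, `call_gate_allowed(sample_gdt(), 3, 0x1B)` succeeds (ring 3 through the DPL-3 gate into kernel code) while selector 0x23 (the DPL-0 gate) and 0x0B (the kernel code segment directly) are refused.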
