1 iAPX86 Protection Electronic Computers M

2 Protection The protection mechanism is active only after PE setting in CR0 and is used before any access (this grants that the intervention is not too late) Multitasking (multiple processes) > the system must prevent an uncontrolled access of a process to the memory space of another….. …..and that an excessive physical space is used An example: uncontrolled stack growth. In segmented system only if a process stack overflows it can overwrite the segment of another process. (This is not possible in a paged system since if a page must be overwritten is must be first written back to the disk). But a process could try to use all physical pages ! Protection: is based on the segment descriptor mechanism and regards both the static protection (i.e. segment size) and the dynamic protection (access permits for read/write/execute)

3 Protection: general criteria The protection system controls the access to privileged instructions, to I/O instructions, to segments and their descriptors and is based on the comparison between different privilege levels (access rights). For instance: check whether a segment can be written, can be executed, whether a jump intra- or inter- code segments is allowed An errors triggers a fault The protection is implemented by means of the following three mechanisms: 1)Processes isolation 2)Segment access type verification 3)Privilege levels management No call gate or task gate selector can be loaded in a segment register. For the access type verification the check is made upon the load of a selector into a segment register: The data segment registers (DS,ES,FS e GS) can be loaded only with data segment selectors or readable code segments selectors The code segment register (CS) can be loaded only with code segment selectors LDTR register can be loaded only with LDT table selectors. TR register can be loaded only with TSS selectors (see later)

4 iAPx Protection system Op. Sy. Kernel Process management Memory management I/O management… Op. Sys. Services Peripheral devices drivers Applications User programs Op. Sys. Services Services for applications: I/O requests management, memory allocation requests etc.

5 The controlled levels EPL: (Effective Privileg Level) is the maximum value (that is the minimum privilege level) between CPL e RPL DPL (Descriptor Privilege Level) is the privilege level stored in a segment descriptor CPL (Current Privilege Level) is the privilege level of the CS (the least significant bits of CS). This is the DPL of the executed segment code. CPL changes during a process execution since through controlled jumps the privilege level can change( see later) Conforming Segment: a code segment which takes during its execution the privilege of the calling segment. The use of conforming segments must be carefully considered since if they include several procedures they have all the same characteristic and therefore all (see later) could be used for instance by lower privilege level processes. An example: a set of mathematical routines RPL (Requestor Privilege Level) is the privilege level of the selector used for addressing a data or a destination (in case of jump). It is the privilege level of the segment whose selector is loaded in a data segment register The protection philosophy is that a process can access data of the same or less privilege and can use procedures of higher or equal privilege (through controlled access).

6 Data protection OPERAND SEGMENT DESCRIPTOR CODE SEGMENT REGISTER OPERAND SEGMENT REGISTER CHECK Data can be accessed if the descriptor PL has the same privilege level (or lower) that is greater or equal value of the EPL Base 31:24G DBDB 0 AVAV Limit P PLPL SType Base 23:16 Limit 15:00Base 15:00 CPL INDEX CPLT INDEX RPLT (DS for instance)

7 It is assumed that in CS the CPL is 1 mov ax, 4F36; load in ax the selector ( LDT RPL=2 ) ; mov ds, ax; and in ds (privilege check) mov al, [0100]; read the 257-th byte (do not forget zero..)… mov [2100], al ; ….and write it in segment location location 2100h An example: DS The selector index points to slot 09E6 h =2534 d (the 13 MSBits of the selector) in the LDT (max val 8192). For instance H 7B3EH3EA0H Base = 00083EA0 (virtual) Size =07B3E Granularity=0 =>byte DB=1=Parallelism=32 Segment present Privilege=2 S=1= User Notice 2100<7B3C: access within the boundaries Base 31:24G DBDB 0 AVAV Limit P PLPL SType Base 23:16 Limit 15:00Base 15:00 C/DEWA C/D=0=data E=0 (expand up/down – only for stack segments) W=1=writable A=1=segment already used (set to 1 by the system) HEX Descriptor Template Content 09E6 EPL=2 (max val between CPL=1 e RPL=2) access granted Descriptor number 09E6

8 An example: DS The byte is then witten at linear address 00085FA0H. The physical address depends on the paging mechanism (if any) The segment can be accessed since EPL<=DPL and therefore the selector can be loaded in the sement register Upon the DS load the small cache (8 bytes – segment descriptor ) linked to the DS is loaded with the segment descriptor and the privilege check is made During the execution of the third instruction the system checks that the address is within the segment size boundary (100< 7B3E). The byte is therefore read at address 83FA0H. During the execution of the fourth instruction the system checks not only the boundary but also whether the segment is writable.

9 To be noticed Possibly it could be a constant pointing to a GDT segment. But all GDT segments have normally (not necessarily) privilege level higher that 3 and if the segment privilege level would be 0 or 1 a General Protection fault would be triggered since the requestor privilege level is 2 (although the CPL is 1) In the previous example selector value 09E6 is the number which is produced after compilation and load. It could be a selector trasferred as a paramenter on the stack or a selector pointing to a segment defined in the context of the program

10 mov ax, 02FF; load in ax 02FF (LDT; RPL=3) …. ; … mov ss, ax;.. in SS (selector index =05F h =95 d ) (protection check) mov esp, 07B3E; 00007B3E in ESP push bx ; save bx -16 bit (stack word oriented) mov bx,[0100]; in bx a 16 bit data read at address 100 of the ; segment pointed by DS add cx, bx; the sum cx pop bx; restore bx Example: SS Base 31:24G DBDB 0 AVAV Limit P PLPL SType Base 23:16 Limit 15:00Base 15:00 00H Base 08H 7B3EH3EA0H C/DEWA Base 0=00083EA0 Size=07B3E Granularity=0 =>byte DB=1=max size FFFFFFFF Segment present Privilege level=3 S=1= User C/D=0=data E=0=downward expansion W=1=writable A=1=used (set to 1 by the sstem) Here it is assumened that CPL is 3 Per each POP and PUSH the processor checks the stack superior limit (07B3E) and inferior limit (0000) EPL=3 access granted Descriptor Template Content selector number 05F

11 Segment and page level protection The system checks first the privilege in the descriptor and then the page level protection. A data segment could be of level 3 (and therefore accessible by programs at levels 0,1,2 and 3) but one of its pages could be of supervisor type (for instance because of a sharing or if the page is aliased and updated by the OS. In this case fault). Page Table Entry Page base address 31:12 Avail0 D Software usable Dirty (written) Used Page cache disable User/Supervisor Writable A PCDPCD PWTPWT UWP Not used in the first protected processors. Page write through Present

12 Jump/Branch protection A call to a higher privilege procedure is possible only by means of a call gate or an interrupt A jump (branch) within the same procedure (intrasegment) is always allowed (provided the destination address is within the segment boundary) A segment can use only code of the same or higher privilege (never lower privilege) (higher is the privilege – smaller the value – safer is considered the code) A jump (JMP o CALL) to a procedure of the same privilege level is always possible directly (without CALL GATE - see later) A direct call to a higher privilege conforming procedure is always possible A call to a higher level non conforming procedure requires the use of a CALL GATE (i.e. OS call) A jump or call to a same privilege level procedure too can use a CALL GATE In all other cases fault

13 Call protection CALLED CODE SEGMENT DESCRIPTOR Calling code segment selector CHECK Base 31:24G DBDB 0 AVAV Limit P PLPL 1Type Base 23:16 Limit 15:00Base 15:00 Called segment selector CPL INDEX CPLT INDEX RPLT

14 CALL GATES A CALL GATE has its own privilege level and the code change to a higher privilege level is allowed only if DPL_destination  EPL  DPL_gate (numerical values) that is Destination privileges  calling privilege  call gate privilege NB:There is an automatic transfer to a lower privilege level (after the transfer to a higher privilege level) only through a RETURN from a higher level routine (RET from subroutine or IRET in case of interrupts) A CALL GATE is a particular segment descriptor which doesn’t correspond to any data structure in memory but which stores all security information which allows the change of the code privilege level

15 Call gates PL0 PL1 PL2 PL3 Procedure GATE The CALL GATE is used to define the called code segment and the specific procedure entry-point Procedure

16 Call gate Offset P PLPL SType Dword count Offset 15:00Selector 15:00 000X The CALL GATE stores the selector of the descriptor of the segment which includes the called procedure. The offset in this case is the called procedure entry point N.B. The RPL of the selector of a Call Gate (which points to the destination descriptor ) has no meaning in this context The called procedure PL value must smaller or equal to that of the calling procedure while the Call Gate PL value must be greater or equal to that of the calling procedure P: present in memory (not used) PL: protection level S: must be 0 (supervisor) X: indicates if this is a 16 or 32 bit CALL GATE Type must be 100 Dword count: it is the number (max. 31) of DWORDS (data) which must be copied from the stack of the calling procedure onto the stack of called procedure (see tasks – each task has four stacks, one for each privilege level for security purposes). When a larger number of data must be transferrent a pointer to the data area is loaded onto the stack

17 Call gate SEGMENT DESCRIPTOR OF THE CALLED PROCEDURE CODE SEGMENT REGISTER CHECK CALL GATE POINTING SELECTOR CALL GATE DESCRIPTOR Base 31:24G DBDB 0 AVAV Limit P PLPL 1Type Base 23:16 Limit 15:00Base 15:00 Offset P PLPL STipo Dword count Offset 15:00Selector 15:00 000X (This is the selector within the CALL address)  DPL_ target  MAX (CPL, RPL)  DPL_gate CPL INDEX CPLT INDEX RPLT

18 An example (part 1) N.B. A segment can include multiple procedures, for each one of them a CALL GATE must exist. But even the same procedure can have multiple entry points and therefore in this case too a CALL GATE for each one of them must exist!! The Call Gate in this case must have PL=3 (since the requestor RPL is 3) Call 0063 : 0000 ;call request level 3 to a level 0 ; procedure (see descriptor next page ;through a call gate located at the thirteenth ;index (value 12) of the GDT Not used OC H =12 10 It is assumed that in CS the CPL is 1 00C 110 IndexGDT RPL=3 63H

19 An example (part 2) 0000H H0150H 0001Offset P PLPL STipo Dword count Offset 15:00Selector 15:00 000X P = 1 segment present (although without meaning) PL = 3 Privilege level 3 S = 0 always for a CALL GATE (Supervisor) X = 1 32 bit CALL GATE Type = 100 always for a CALL GATE Dword Count=2 two dwords must be copied between the stacks Offset= H Selector=150H => index 2A H = 42 d 2A 000 IndexGDT RPL=0 (no meaning) Call Gate in slot 12 of the GDT Call Gate Template

20 An example (part 3) Base 31:24G DBDB 0 AVAV Limit P PLPL 1Type Base 23:16 Limit 15:00Base 15:00 Target segment descriptor pointed by the Call Gate 00H H EE3DH1BCCH G=0 ganularity->byte P=1 present D=1 -> 32 bit PL=0 level 0 Base = 00131BCCH Size= 1EE3DH C/DCRA C/D=1 code Conforming=0 (not conforming) R=0 execution only A=1 used Actual descriptor slot 42 della GDT Descriptor Template

21 Call gates 031 OFFSET (not used) + Entry Point GATE CODE In the GATE selector whether GDT or LDT OFFSET COUNT SELECTOR DPL OFFSET BASE DPLBASE SELECTOR

22 Interrupts The interrupt type is multiplied by 8 (number of bytes of a descriptor) and used as a selector of a descriptor table where the CALL GATES for the response subroutines are stored. The table is pointed by a register (Interrupt Descriptor Table Register). Interrupt descriptor table Max 256 Interrupt Gates -> 2KB (256*8) Data are stored into the IDTR by means of privileged instruction (LIDT). The interrupt gates table is not any more stored in the lower memory addresses The interrupts can be software triggered (instruction INT n) The interrupts handling mechanism is identical to that used in When an interrupts is acknowledged the processor send a double INTA* and during the second INTA* the Interrupt Type is read

System Call 23 In the operating systems like Windows the kernel is a level 0 process which normally is called by means of a software interrupt 2e (which trggers also the stack change). Before the interrupt the pointer to the calling stack parameters must be inserted in EBX which in turn are copied onto the stack of the kernel. Back to the calling procedure by means of an IRET All system tables are pointed by registers (GDTR, LDTR, TR etc.) The system call type must be stored in EAX

24 Interrupts IDT base addressIDT limit IDTR register Interrupt Descriptor Table + Interrupt type * 8 Gate interrupt 1 Gate interrupt 2 Gate interrupt 0 Gate interrupt 255 Gate interrupt n

25 Interrupts Interrupt Gate IDT INTERRUPT type SEGMENT DESCRIPTOR GDT O LDT + OFFSET INT. PROC. DESTINATION CODE SEGMENT External interrupts, Faults, Traps

26 Interrupt Gate Offset P PLPL S110Reser. Offset 15:00Selector 15:00 000X P: Present (not used) PL : Protection level S : must be 0 (system) X :whether it is a 32 bit INTERRUPT GATE Type : must be 110 RESERVED: not used The INTERRUPT GATE stores the handler segment selector and entry point. In case of hw interrupt the PL has no meaning. In case of sw interrupt, trap etc. PL must be greater or equal than that of the calling procedure TRAP gates are identical but the IF is not reset upon the interrupt acknowledge If the handler privilege level is smaller than that of the calling procedure CPL fault Instead of the interrupt gate a task gate can be used (see later) A task can trigger a software interrupt which in turn activates another higher priority task

27 Task What is a TASK ? Each application program is made of several segments (code, data, stack etc.) During the execution the segments are dynamically used. Their set is called task. A TASK can be executing or waiting (for instance because of a page fault ), or ready (waiting for its time slot). The handling of this information depends on the OS. In the last case all information needed for the execution restart must be available (for instance all registers). This means that they must have been saved beforehand. For each task, therefore, a Task State Segment (TSS) is set by the OS which has its own descriptor residing in the GDT. The creation of the TSS is achieved by means of the aliasing mechanism. When a task is suspended the state vector is automatically saved in the TSS via hardware

28 Task In all systems a task executes only temporarily and then is suspended in order to achieve a “parallel” execution of all system tasks. The lenght of the execution time slot (unless blocking events occur – I/O, page/segment fault, exceptions etc.) is an OS parameter. The ready tasks are inserted in a round robin list (normally – but there are cases of high priority tasks). The OS scheduler activates the top of the list after each time slot. The task switch saves automatically via hardware in the TSS all information needed for the task restart A task is activated by means of a JMP or a CALL to a TSS descriptor. In the TSS (not in its descriptor !) the entry point is stored (that is the pointer to the first not yet executed instruction)

29 Task State Segment Paging ! 16 bit Selectors A bit for each I/O address > 8Kbyte=65536 bit max. Where a 1 is stored the corresponding device can be used no matter the value of the IOPL (see later). Link Field – selector of the task suspended because of this task (i.e. an interrupt) which will be restarted by an IRET Level 3 Stack 68H Higher level Stack

30 TSS The TSS is not of fixed size and is at least 67h bytes long: locations with 0s are reserved Among other information the TSS stores the pointer to be stored in CR3 (physical address of the Ist level page table For security reasons (for instance the calling procedure stack could be too small for the following CS:IP push -> stack overflow) upon a call to a more privileged procedure a specific level stack is used

31 I/O access protection For instance: the running task needs to access a disk and sends OUT commands to define the sector, the cylinder and the number of byte to be transferred. During this phase it could be interrupted by another task which alters these parameters. When the supendended task resumes is unaware that these parameters were changed and the outcome is unpredictable It follows that the I/O operations must be queued and coordinated by the OS In 8086 any program can use the I/O instructions: this is the basis of a possible «I/O anarchy».

32 FLAGS Identification Virtual Interrupt Pending Virtual Interrupt Alignment check Virtual 8086 Mode Resume flag Nested Task Input/Output Privilege Level Overflow Direction Interrupt Enable Trap Sign Zero Auxiliary Parity Carry ID VIP VIF AC VM RF 0 NT IOPL OF IF TF SF ZF 0 AF 0 DF PF 1 CF Flags are saved in the TSS upon an interrupt and restored when the task is resumed A task was interrupted and must be therefore resumed after the IRET of the interrupting task task

33 I/O protection The BPM is not necessary if CPLis always lower than IOPL (i.e. OS) or the task never needs I/O instructions. If the running task CPL is lower (or equal) than the IOPL (that is the task is more privileged) it can execute the following instructions IN (I/O input) OUT (I/O output) INS (Input String OUTS (Output String) CLI (Clear interrupt flag) STI (Set interrupt flag) otherwise fault … unless a permit for the specific address is present in the task I/O permission bit map. This TSS map stores a bit for each of the possible I/O addresses: if it is set, one of the previous instructions can be executed for that address (but not CLI e STI) even if CPL > IOPL Theoretically 8K (64K/8) would be necessary for each TSS in order to store the entire Bit Permission Map. But is is necessary to store this map up to the maximum address whose bit is set since this is automatically defined by the TSS size which is present in the TSS itself!!

34 Task State Segment Descriptor Base 31:24G00 AVAV Limit P PLPL SType Base 23:16 Limit 15:00Base 15:00 X0B1 G= granularity (byte/page) P=1 presente S= system/user PL= protectione level(no meaning – it is however zero) Busy bit!! When set the task was triggered by another task and its TSS stores in its LINK field the pointer to the calling task. This prevents the called task to call in turn the calling task otherwise a deadlock would occur (a fault – the return chain would be interrupted). This is not the case if a JUMP is used to trigger a task (BB reset – no return) X= 16 or 32 bit TSS B=busy bit

35 Task activation The OS builds through the aliasing a descriptor in the GDT. A task activation (trigger) occurs by means of a JUMP or a CALL selecting one of the following elements: 1.A CALL GATE which points to a TSS descriptor 2.A TASK GATE (see. later) which points to a TSS descriptor The architecture has a TR (task register) which stores the TSS selector. Its base address and size are automatically stored in the register cache when the task is activated. Descriptor table index (visible part) (invisible part) Initial address 31 0 Size Attributes

36 TASK gate Reserved P PLPL 0Type Reserved TSS (15:00) selector Reserved P : Present (no meaning) P : Protection level S : must be 0 (no meaning) X : whether a 16 or 32 bit CALL GATE Type : 101 A TASK GATE is a CALL GATE pointing to task instead of a procedure. The offset in this case has no meaning.

37 Events which trigger a context switch A jump or a call “far” pointing to a TSS descriptor in the GDT (possible only if CPL = DPL of the TSS descriptor – tha is only if the originating call/jump is at level 0 since the PL of a TSS descriptor is always 0!) A jump or a call “far” to a Task Gate pointing to a TSS descriptor in the GDT (same rules of the Call Gates but the DPL of the TSS descriptor which is always 0 is ignored). This means that only the Task gate PL is checked Hardware interrupt (or exception). If in the IDT a Task Gate is selected, the task is activated without further privilege level check In any case the TR is loaded with the TSS selector and the invisible registers with the corresponding values of the TSS