Presentation is loading. Please wait.

Presentation is loading. Please wait.

Electronic Computers M

Published byFranklin Washington Modified over 6 years ago

Similar presentations

Presentation on theme: "Electronic Computers M"— Presentation transcript:

1 Electronic Computers M
iAPX86 Protection Electronic Computers M

2 Protection Multitasking (multiple processes) > the system must prevent an uncontrolled access of a process to the memory space of another process….. …..and that an excessive physical space is used An example: uncontrolled stack growth. In segmented systems only (i.e. 8086) if a process stack overflows it can overwrite the segment of another process. (This is not possible in a paged system since if a page must be overwritten is must be first written back to the disk). But a process could try to use all physical pages ! Protection: is based on the segment descriptor mechanism and regards both the static protection (i.e. segment size) and the dynamic protection (access permits for read/write/execute) The protection mechanism is active only after PE setting in CR0 and is used before any access (this grants that the intervention is not too late)

3 Protection: general criteria
The protection system controls the access to privileged instructions, to I/O instructions, to segments and their descriptors and is based on the comparison between different privilege levels (access rights). For instance: it checks whether a segment can be written, can be executed, whether a jump intra- or inter- code segments is allowed An errors triggers a fault and the intervantion of the OS The protection is implemented by means of the following three mechanisms: Processes isolation Segment access type verification Privilege levels management For the access type verification the check is made upon the load of a selector into a segment register: The data segment registers (DS,ES,FS e GS) can be loaded only with data segment selectors or readable code segments selectors The code segment register (CS) can be loaded only with code segment selectors LDTR register can be loaded only with LDT table selectors. TR register can be loaded only with TSS selectors (see later) No call gate (see later) or task gate selector can be loaded in a segment register.

4 iAPx Protection system
Op. Sy. Kernel Process management Memory management I/O management… Op. Sys. Services Services for applications: I/O requests management, memory allocation requests etc. 1 1 2 3 2 Op. Sys. Services Peripheral devices drivers Applications User programs 3

5 The controlled levels DPL (Descriptor Privilege Level) is the segment privilege level stored in its segment descriptor. It indicates which protection level it belongs to. CPL (Current Privilege Level) is the privilege level of the CS (the least significant bits of CS) that is of the running task. This is the DPL of the executed segment code. CPL changes during a process execution since through controlled jumps the privilege level can change( see later) RPL (Requestor Privilege Level) is the privilege level of the selector used by the program for addressing a data or a destination (in case of jump). EPL: (Effective Privileg Level) is the maximum value (that is the minimum privilege level) between CPL e RPL Conforming Segment: a code segment which takes during its execution the privilege of the calling segment. The use of conforming segments must be carefully considered since if they include several procedures they have all the same characteristic and therefore all (see later) could be used for instance by lower privilege level processes. An example: a set of mathematical routines The protection philosophy is that a process can access data of the same or less privilege and can use procedures of higher or equal privilege (through controlled access).

6 OPERAND SEGMENT REGISTER
Data protection OPERAND SEGMENT DESCRIPTOR Base 31:24 G D B A V Limit 19-16 P L S Type Base 23:16 Limit 15:00 Base 15:00 CODE SEGMENT REGISTER CPL INDEX T OPERAND SEGMENT REGISTER INDEX RPL T (DS for instance) CHECK The check occurs when the program tries to load the descriptor in the segment register Data can be accessed if the descriptor PL has the same privilege level (or lower) that is its PL is greater or equal to the value of the EPL

7 EPL=2 (max val between CPL=1 e RPL=2)
An example: DS Let’s suppose that in CS the CPL is 1 mov ax, 4F36 ; load in ax the selector ( LDT RPL=2 ) ; mov ds, ax ; and in ds (privilege check !) mov al, [0100] ; read the 257-th byte (do not forget zero..)… mov [2100], al ; ….and write it in segment location location 2100h 09E6 HEX The selector index points to slot 09E6h= (the 13 MSBits of the selector) in the LDT (max val 8192). Base 31:24 G D B A V Limit 19-16 P L S Type Base 23:16 Limit 15:00 Base 15:00 Descriptor Template 00 1 2 3 08H 7B3EH 3EA0H Content Descriptor number 09E6 Base = 00083EA0 (virtual) Size =07B3E Granularity=0 =>byte DB=1=Parallelism= Segment present Privilege=2 S=1= User Notice 2100<7B3C: access within the boundaries C/D E W A EPL=2 (max val between CPL=1 e RPL=2) access granted C/D=0=data E=0 (expand up/down – only for stack segments) W=1=writable A=1=segment already used (set to 1 by the system)

8 An example: DS The segment can be accessed since EPL<=DPL and therefore the selector can be loaded in the sement register Upon the DS load the small cache (8 bytes – segment descriptor ) linked to the DS is loaded with the segment descriptor and the privilege check is made During the execution of the third instruction the system checks that the address is within the segment size boundary (100< 7B3E). The byte is therefore read at address 83FA0H (83EA ). During the execution of the fourth instruction the system checks not only the boundary but also whether the segment is writable. The byte is then witten at linear address 00085FA0H (83EA= ). The physical address depends on the paging mechanism (if any)

9 To be noticed In the previous example selector value 09E6 is the number which is produced after compilation and load. It could be a selector trasferred as a parameter on the stack or a selector pointing to a segment defined in the context of the program Possibly it could be a constant pointing to a GDT segment. But all GDT segments have normally (not necessarily) privilege level higher that 3 and if the segment privilege level were 0 or 1 a General Protection fault would be triggered since the requestor privilege level is 2 (although the CPL is 1)

10 Example: SS Here it is assumened that CPL is 3
mov ax, 02FF ; load in ax 02FF (LDT; RPL=3) …. ; … mov ss, ax ; in SS (selector index =05Fh=9510) (protection check) mov esp, 07B3E ; 00007B3E in ESP push bx ; save bx -16 bit (stack word oriented) mov bx,[0100] ; in bx a 16 bit data read at address 100 of the ; segment pointed by DS add cx, bx ; the sum cx pop bx ; restore bx Base 31:24 G D B A V Limit 19-16 P L S Type Base 23:16 Limit 15:00 Base 15:00 00H 1 3 08H 7B3EH 3EA0H Descriptor Template Content selector number 05F C/D E W A Base 0=00083EA Size=07B3E Granularity=0 =>byte DB=1=max size FFFFFFFF Segment present Privilege level=3 S=1= User EPL=3 access granted C/D=0=data E=0=downward expansion W=1=writable A=1=used (set to 1 by the sstem) Per each POP and PUSH the processor checks the stack superior limit (07B3E) and inferior limit (0000)

11 Segment and page level protection
Not used in the first protected processors. Page Table Entry Avail 0 0 D A P C D P W T U W P Page base address 31:12 Software usable Dirty (written) Used Page cache disable Page write through User/Supervisor Writable Present The system checks first the privilege in the descriptor and then the page level protection. A data segment could be of level 3 (and therefore accessible by programs at levels 0,1,2 and 3) but one of its pages could be of supervisor type (for instance because of a sharing or if the page is aliased and updated by the OS. In this case fault).

12 Jump/Branch protection
A jump (branch) within the same procedure (intrasegment) is always allowed (provided the destination address is within the segment boundary) A segment can use only code of the same or higher privilege (never lower privilege) (higher is the privilege – smaller the value – safer is considered the code) A jump (JMP o CALL) to a procedure of the same privilege level is always possible directly (without CALL GATE - see later) A direct call to a higher privilege conforming procedure is always possible A call to a higher level non conforming procedure requires the use of a CALL GATE (i.e. OS call) A jump or call to a same privilege level procedure too can use a CALL GATE In all other cases fault A call to a higher privilege procedure is possible only by means of a call gate or an interrupt

13 Call protection CALLED CODE SEGMENT DESCRIPTOR
Base 31:24 G D B A V Limit 19-16 P L 1 Type Base 23:16 Limit 15:00 Base 15:00 Calling code segment selector CPL INDEX T Called segment selector INDEX RPL T CHECK

14 CALL GATES A CALL GATE is a particular segment descriptor which doesn’t correspond to any data structure in memory but which stores all security information which allows the change of the code privilege level A CALL GATE has its own privilege level and the code change to a higher privilege level is allowed only if DPL_destination £ EPL £ DPL_gate (numerical values) that is Destination privileges³ calling privilege ³ call gate privilege NB:There is an automatic transfer to a lower privilege level (after the transfer to a higher privilege level) only through a RETURN from a higher level routine (RET from subroutine or IRET in case of interrupts)

15 Call gates PL0 PL1 PL2 PL3 Procedure Procedure Procedure Procedure
The CALL GATE is used to define the called code segment and the specific procedure entry-point

16 Call gate Offset 31.16 P L S Type Dword count Offset 15:00 Selector 15:00 000 X N.B. The RPL of the selector of a Call Gate (which points to the destination descriptor ) has no meaning in this context P: present in memory (not used) PL: protection level S: must be 0 (supervisor) X: indicates if this is a 16 or 32 bit CALL GATE Type must be 100 Dword count: it is the number (max. 31) of DWORDS (data) which must be copied from the stack of the calling procedure onto the stack of called procedure (see tasks – each task has four stacks, one for each privilege level for security purposes). When a larger number of data must be transferrent a pointer to the data area is loaded onto the stack The CALL GATE stores the selector of the descriptor of the segment which includes the called procedure. The offset in this case is the called procedure entry point The called procedure PL value must smaller or equal to that of the calling procedure while the Call Gate PL value must be greater or equal to that of the calling procedure

17 (This is the selector within the CALL address)
Call gate SEGMENT DESCRIPTOR OF THE CALLED PROCEDURE Base 31:24 G D B A V Limit 19-16 P L 1 Type Base 23:16 Limit 15:00 Base 15:00 CALL GATE DESCRIPTOR Offset 31.16 P L S Tipo Dword count Offset 15:00 Selector 15:00 000 X CODE SEGMENT REGISTER CPL INDEX T CALL GATE POINTING SELECTOR INDEX RPL T (This is the selector within the CALL address) CHECK DPL_ target £ MAX (CPL, RPL) £ DPL_gate

18 An example (part 1) 11 It is assumed that in CS the CPL is 1
Call 0063 : ;call request level 3 to a level 0 ;procedure (see its segment descriptor ; next page ) through a call gate located at ;thirteenth slot (value 1210) of the GDT Not used 0CH=1210 00C 11 Index GDT RPL=3 63H N.B. A segment can include multiple procedures, for each one of them a CALL GATE must exist. But even the same procedure can have multiple entry points and therefore in this case too a CALL GATE for each one of them must exist!! The Call Gate in this case must have PL=3 (since the requestor RPL is 3)

19 An example (part 2) Offset 31.16 P L S Tipo Dword count Offset 15:00 Selector 15:00 000 X Call Gate Template Call Gate in slot 12 of the GDT 0000H 1 11 100 00010 3400H 0150H 000 P = 1 segment present (although without meaning) PL = 3 Privilege level 3 S = 0 always for a CALL GATE (Supervisor) X = bit CALL GATE Type = 100 always for a CALL GATE Dword Count=2 two dwords must be copied between the stacks Offset= H Selector=150H => index 2AH = 42d 2A 00 Index GDT RPL=0 (no meaning)

20 An example (part 3) Target segment descriptor pointed by the Call Gate
Descriptor Template Base 31:24 G D B A V Limit 19-16 P L 1 Type Base 23:16 Limit 15:00 Base 15:00 Actual descriptor slot 42d della GDT 00H 1 00 1001 13H EE3DH 1BCCH C/D C R A G=0 ganularity->byte P=1 present D=1 -> 32 bit PL=0 level Base = 00131BCCH Size= 1EE3DH C/D=1 code Conforming=0 (not conforming) R=0 execution only A=1 used

21 Call gates + OFFSET DPL OFFSET BASE DPL BASE BASE 31 SELECTOR
SELECTOR OFFSET (not used) OFFSET DPL COUNT GATE SELECTOR OFFSET + BASE DPL BASE CODE BASE Entry Point

22 Interrupt descriptor table Max 256 Interrupt Gates -> 2KB (256*8)
Interrupts The interrupts handling mechanism is identical to that used in When an interrupts is acknowledged the processor send a double INTA* and during the second INTA* the Interrupt Type is read The interrupt type is multiplied by 8 (number of bytes of a descriptor) and used as a selector of a descriptor table where the CALL GATES for the response subroutines are stored. The table is pointed by a register (Interrupt Descriptor Table Register). Interrupt descriptor table Max 256 Interrupt Gates -> 2KB (256*8) Data are stored into the IDTR by means of privileged instruction (LIDT). The interrupt gates table is not any more stored in the lower memory addresses The interrupts can be software triggered (instruction INT n)

23 Interrupts + Interrupt Descriptor Table Interrupt type * 8 31 0 15 0
IDTR register IDT base address IDT limit Interrupt Descriptor Table Gate interrupt 255 + Interrupt type * 8 Gate interrupt n Gate interrupt 2 Gate interrupt 1 Gate interrupt 0

24 Interrupts + External interrupts, Faults, Traps Interrupt Gate IDT
INT. PROC. DESTINATION CODE SEGMENT OFFSET + Interrupt Gate INTERRUPT type SEGMENT DESCRIPTOR GDT O LDT External interrupts, Faults, Traps

25 Interrupt Gate P: Present (not used) PL : Protection level
Offset 31.16 P L S 110 Reser. Offset 15:00 Selector 15:00 000 X P: Present (not used) PL : Protection level S : must be 0 (system) X :whether it is a 32 bit INTERRUPT GATE Type : must be 110 RESERVED: not used The INTERRUPT GATE stores the handler segment selector and entry point. In case of hw interrupt the PL has no meaning. In case of sw interrupt, trap etc. PL must be greater or equal than that of the calling procedure TRAP gates are identical but the IF is not reset upon the interrupt acknowledge If the handler privilege level is smaller than that of the calling procedure CPL fault Instead of the interrupt gate a task gate can be used (see later) A task can trigger a software interrupt which in turn activates another higher priority task

26 Task What is a TASK ? Each application program is made of several segments (code, data, stack etc.) During the execution the segments are dynamically used. Their set is called task. A TASK can be executing or waiting (for instance because of a page fault ), or ready (waiting for its time slot). The handling of this information depends on the OS. In the last case all information needed for the execution restart must be available (for instance all registers). This means that they must have been saved beforehand. For each task, therefore, a Task State Segment (TSS) is set by the OS which has its own descriptor residing in the GDT. The creation of the TSS is achieved by means of the aliasing mechanism. When a task is suspended the state vector is automatically saved in the TSS via hardware

27 Task In all systems a task executes only temporarily and then is suspended in order to achieve a “parallel” execution of all system tasks. The lenght of the execution time slot (unless blocking events occur – I/O, page/segment fault, exceptions etc.) is an OS parameter. The ready tasks are inserted in a round robin list (normally – but there are cases of high priority tasks). The OS scheduler activates the top of the list after each time slot . The task switch saves automatically via hardware in the TSS all information needed for the task restart A task is activated by means of a JMP or a CALL to a TSS descriptor. In the TSS (not in its descriptor !) the entry point is stored (that is the pointer to the first not yet executed instruction)

28 (In the shadow register associated to TR)
Task State Segment A bit for each I/O address > 8Kbyte=65536 bit max. Where a 1 is stored the corresponding device can be used no matter what is the value of the IOPL (see later). in bytes (In the shadow register associated to TR) 68H Level 3 Stack 16 bit Selectors Paging ! Higher level Stacks Link Field – selector of the task suspended because of this task (i.e. an interrupt) which will be restarted by an IRET

29 TSS The TSS is not of fixed size and is at least 67h bytes long: locations with 0s are reserved. The number of I/O permissions is given by the segment size Among other information the TSS stores the pointer to be stored in CR3 (physical address of the Ist level page table For security reasons (for instance the calling procedure stack could be too small for the following CS:IP push -> stack overflow) upon a call to a more privileged procedure a specific level stack is used

30 I/O access protection In 8086 any program can use the I/O instructions: this is the basis of a possible «I/O anarchy». For instance: the running task needs to access a disk and sends OUT commands to define the sector, the cylinder and the number of byte to be transferred. During this phase it could be interrupted by another task which alters these parameters. When the supendended task resumes is unaware that these parameters were changed and the outcome is unpredictable It follows that the I/O operations must be queued and coordinated by the OS

31 FLAGS 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 10 9 8 7 6 5 4 3 2 1 11 ID Identification VIP Virtual Interrupt Pending VIF Virtual Interrupt AC Alignment check A task was interrupted and must be therefore resumed after the IRET of the interrupting task task VM Virtual 8086 Mode RF Resume flag Nested Task NT IOPL Input/Output Privilege Level OF Overflow DF Direction IF Interrupt Enable TF Trap SF Sign Zero ZF Auxiliary AF Parity PF 1 Carry CF Flags are saved in the TSS upon an interrupt and restored when the task is resumed

32 CLI (Clear interrupt flag) STI (Set interrupt flag)
I/O protection If the running task CPL is lower (or equal) than the IOPL (that is the task is more privileged) it can execute the following instructions IN (I/O input) OUT (I/O output) INS (Input String OUTS (Output String) CLI (Clear interrupt flag) STI (Set interrupt flag) otherwise fault … unless a permit for the specific address is present in the task I/O permission bit map. This TSS map stores a bit for each of the possible I/O addresses: if it is set, one of the previous instructions can be executed for that address (but not CLI e STI) even if CPL > IOPL Theoretically 8K (64K/8) would be necessary for each TSS in order to store the entire Bit Permission Map. But is is necessary to store this map up to the maximum address whose bit is set since this is automatically defined by the TSS size which is present in the TR descriptor ! The Bit Permission Map is not necessary if CPLis always lower than IOPL (i.e. OS) or the task never needs I/O instructions.

33 Task State Segment Descriptor
X B 1 G= granularity (byte/page) P=1 presente S= system/user PL= protectione level(no meaning – it is however zero) Base 31:24 G A V Limit 19-16 P P L S Type Base 23:16 Base 15:00 Limit 15:00 X= 16 or 32 bit TSS B=busy bit Busy bit!! When set the task was triggered by another task and its TSS stores in its LINK field the pointer to the calling task. This prevents the called task to call in turn the calling task otherwise a deadlock would occur (a fault – the return chain would be interrupted). This is not the case if a JUMP is used to trigger a task (Busy Bit reset – no return)

34 Descriptor table index
Task activation The OS builds through the aliasing a descriptor in the GDT. A task activation (trigger) occurs by means of a JUMP or a CALL selecting one of the following elements: A CALL GATE which points to a TSS descriptor A TASK GATE (see. later) which points to a TSS descriptor The architecture has a TR (task register) which stores the TSS selector. Its base address and size are automatically stored in the register cache when the task is activated. Descriptor table index 00 (visible part) Initial address (invisible part) Size Attributes

35 TASK gate P : Present (no meaning) P : Protection level
Reserved P P L Type Reserved TSS (15:00) selector Reserved P : Present (no meaning) P : Protection level S : must be 0 (no meaning) X : whether a 16 or 32 bit CALL GATE Type : 101 A TASK GATE is a CALL GATE pointing to task instead of a procedure. The offset in this case has no meaning.

36 Events which trigger a context switch
A direct jump or a call “far” pointing to a TSS descriptor in the GDT (possible only if CPL = DPL of the TSS descriptor – that is only if the originating call/jump is at level 0 since the PL of a TSS descriptor is always 0!) A jump or a call “far” to a Task Gate pointing to a TSS descriptor in the GDT (same rules of the Call Gates but the DPL of the TSS descriptor which is always 0 is ignored). This means that only the Task gate PL is checked Hardware interrupt (or exception). If in the IDT a Task Gate is selected, the task is activated without further privilege level check In any case the TR is loaded with the TSS selector and the invisible registers with the corresponding values of the TSS

Download ppt "Electronic Computers M"

Similar presentations

Memory Management Unit

Memory Management Unit
Types of Code Segments Conforming Code Segment

Types of Code Segments Conforming Code Segment
1/1/ / faculty of Electrical Engineering eindhoven university of technology Memory Management and Protection Part 3:Virtual memory, mode switching, 80286.

1/1/ / faculty of Electrical Engineering eindhoven university of technology Memory Management and Protection Part 3:Virtual memory, mode switching,
The Microprocessor and its Architecture

The Microprocessor and its Architecture
Unit 4 Chapter-1 Multitasking. The Task State Segment.

Unit 4 Chapter-1 Multitasking. The Task State Segment.
Microprocessors system architectures – IA32 real and virtual-8086 mode Jakub Yaghob.

Microprocessors system architectures – IA32 real and virtual-8086 mode Jakub Yaghob.
X86 segmentation, page tables, and interrupts 3/17/08 Frans Kaashoek MIT

X86 segmentation, page tables, and interrupts 3/17/08 Frans Kaashoek MIT
1 Process Description and Control Chapter 3. 2 Process Management—Fundamental task of an OS The OS is responsible for: Allocation of resources to processes.

1 Process Description and Control Chapter 3. 2 Process Management—Fundamental task of an OS The OS is responsible for: Allocation of resources to processes.
Introduction to Interrupts

Introduction to Interrupts
16.317 Microprocessor Systems Design I Instructor: Dr. Michael Geiger Fall 2012 Lecture 15: Protected mode intro.

Microprocessor Systems Design I Instructor: Dr. Michael Geiger Fall 2012 Lecture 15: Protected mode intro.
UNIT 2 Memory Management Unit and Segment Description and Paging

UNIT 2 Memory Management Unit and Segment Description and Paging
Intel IA32 OS Support -Refresh

Intel IA32 OS Support -Refresh
An Introduction to 8086 Microprocessor.

An Introduction to 8086 Microprocessor.
Interrupts. What Are Interrupts? Interrupts alter a program’s flow of control  Behavior is similar to a procedure call »Some significant differences.

Interrupts. What Are Interrupts? Interrupts alter a program’s flow of control  Behavior is similar to a procedure call »Some significant differences.
80386DX.

80386DX.
Microprocessor system architectures – IA32 segmentation Jakub Yaghob.

Microprocessor system architectures – IA32 segmentation Jakub Yaghob.
The Pentium Processor.

The Pentium Processor.
Multitasking Mr. Mahendra B. Salunke Asst. Prof. Dept. of Computer Engg., STES SITS, Narhe, Pune-41 STES Sinhgad Institute of Tech. & Science Dept. of.

Multitasking Mr. Mahendra B. Salunke Asst. Prof. Dept. of Computer Engg., STES SITS, Narhe, Pune-41 STES Sinhgad Institute of Tech. & Science Dept. of.
1 Fundamental of Computer Suthida Chaichomchuen : SCC

1 Fundamental of Computer Suthida Chaichomchuen : SCC
80386DX.

80386DX.

Similar presentations

Ads by Google