topic Re: Ring Architecture in Software Archive

Ring Architecture

shankarkolli — Wed, 08 Nov 2006 11:11:43 GMT

I've been recently exploring the x86 security mechanism(ring architecture). Unfortunately I've hit a few roadblocks to further progress, and I'm having a hard time finding any of the answers. I apologize if this isn't the place to field such questions.

The only mechanism to access a higher privilege level code from a
lower privilege level is through Call Gate. When we use a call gate,
it points to a Descriptor Table and then you do some comparisons between
RPL, CPL , DPL before giving access to that code. I understand that this
Descriptor Table resides in memory.What i am confused is about the 
protection of this Descriptor Table. If this Descriptor Table resides in
a lower privilege level, then we could modify that using any 
MOV instruction right. So i guess it has to reside in a higher privilege 
level(may be level 0) to be sure that we donot modify that. Correct me 
if i am wrong.

I have been looking at the Intel Architecture Software Developer?s Manual
about this protection mechanism. But they doesnot precisely state the
privilege level of the Descriptor Table.So i am wondering what are the
mechanisms that prevent modification of the Descriptor Table.

Any help would be greatly appreciated.

Thanks,

Re: Ring Architecture

Intel_Software_Netw1 — Thu, 09 Nov 2006 02:18:07 GMT

Weforwarded your question toour application engineering team. One engineer responds:

Youshould re-read Section 4.8, 4.8.3 and 4.9 of "Intel 64 and IA-32 Architectures Software Developer's Manual, Volume 3A: System Programming Guide, Part 1". I presume thatyou are IA-32 and using Call Gates SYSENTER/SYSEXIT and not IA-32e and using SYSCALL/SYSRET. A call-gate descriptorwill reside in the GDT or in a LDT and the only way to affect these arethrough use of privileged instructions, LGDT and LLDT,which are protected from use by application programs.

"The privileged instructions control system functions (such as the loading of system registers). They can be executed only when the CPL is 0 (most privileged). If one of these instructions is executed when the CPL is not 0, a general-protection exception (#GP) is generated."

"To access a call gate, a far pointer to the gate is provided as a target operand in a CALL or JMP instruction. The segment selector from this pointer identifies the call gate; the offset from the pointer is required, but not used or checked by the processor. When the processor has accessed the call gate, it uses the segment selector from the call gate to locate the segment descriptor for the destination code segment. This segment descriptor can be in the GDT or the LDT. It then combines the base address from the code-segment descriptor with the offset from the call gate to form the linear address of the procedure entry point in the code segment."

So while you can munge together any GDT/LDT of yourchoosing,one cannot load the table and thus affect privileged state unless you were already at ring 0.

Lexi S.

IntelSoftware NetworkSupport

http://www.intel.co m/software

Re: Ring Architecture

shankarkolli — Fri, 10 Nov 2006 03:23:44 GMT

Thanks a lot for the reply. I think i didn't make my point clear.

I will try to explain the problem with the help of a simple example.

Lets assume GDT starts at memory address, say 100(to make things simple) and it is already loaded into GDTR.

Lets say i am currently at ring 3 and need access to higher privilege level. Then i should access this GDT via a call gate and do some privilege checking. If the privilege checking fails then the access is denied.

What i am wondering is we could always do a hack like the following and pass the privilege cheking -

MOV some_value, appropriate_entry_inGDT

We can modify the GDT in memory with the above instruction and hack the appropriate entry and then i can follow it with a call gate access now with the right privilege levels to access a higher privilege level.

What i am wondering about is the mechanisms that prevent this MOV instruction from being executed.

Hope i made my problem clear.

Thanks,

Re: Ring Architecture

Intel_Software_Netw1 — Fri, 10 Nov 2006 03:45:36 GMT

Hi,

Another of our engineers asked us to relay the following to you:

As far as I see, you confusion is about where the Descriptor Table is stored ('in which privilege level') and what the chances are for your application to modify it.

If so, I will try to give a simple answer, which is related to memory management in protected mode, which was introduced in x386 and has in principle remained the same up to EM64T - 64-bit processor in fact.

The term 'Ring Architecture' is a logical concept, and is implemented by Intel micro-architecture in the following way:

Any code has a given privilege level (Intel calls it ring 0-3, and now -1 for VT server - to remain the same ring 0 for host OS highest privilege). Physically, this ring number is a property of a code segment and is stored in Segment Descriptor in that descriptor table.

Thus, the processor always knows the ring level while running the piece of the code, and the privilege level of data it accesses, and can preserve different violations with generating an exception (interruption) - and call some OS callbacks (see details in chapter 4).

'Call Gate' is, as you mentioned, the mechanism to call procedures with a higher privilege level in some safe way.

Descriptors' tables are stored in 'Main Memory'. The processor has registers where it stores the LINEAR address of those tables: GDTR and LDTR (if not paging - linear address equal to physical address, with paging - its address in virtual memory space).

At system boot - and this is the responsibility of the OS (on x386 this stuff was executed in real mode before switching to protected mode, now I am not sure what it's called, but I would say in real addressing-mode), OS code at first does all initialization/resets of hardware, including to create descriptor's tables and set the linear addresses into GDTR and LDTR. Before this, any addressing in protected mode is not possible.

As already replied, the set of instructions which are limited to ring 0, includes but the instructions to load those registers - you cannot call them from lower privilege level code.

Thus, you cannot reload these registers, you can call 'kernel' code which sets them, and you cannot directly access that memory where descriptor tables are - just because there is no such descriptor which will point you in protected (segmented address) mode to those tables, but the processor already has access to them via linear address in registers

Does it make sense?

If this is unclear, all details are in the manual in already-mentioned chapters. The only thing to note is that finally, the OS is responsible for right use of the processor's technology.

Lexi S.

IntelSoftware NetworkSupport

http://www.intel.com/software