flat assembler
Message board for the users of flat assembler.

Privilege Levels 1 and 2 and Page Translation

Nistix
Hello.

Please, help me clarify one thing.

Example of linear address space for some operating system:

high part (FFFF:8000:0000:0000 - FFFF:FFFF:FFFF:FFFF) - kernel code and very important data structures for the whole system

low part (0000:0000:0000:0000 - 0000:7FFF:FFFF:FFFF) - user space

In the PML4, PDPTs, PDTs and PTs, the entries for the low part have U/S flags set to 1; for the high part they are zeroes.

So, any code with CPL=3 can't access any data/code in the higher half of linear memory.

But !!!

Code with CPL=1 and CPL=2 has access to them !!!

In the Intel Architectures Software Developer Manuals (Chapter 4, Page Translation, 4.6 Access Rights):

"all accesses performed while the CPL is less than 3 are supervisor-mode accesses"

So, for example, if I want to make some drivers in my own operating system work at CPL=1 for more security and stability, it will give no result, because any driver at CPL=1 or 2 can access ALL system structures and can read/write them.

What is the reason for using levels 1 and 2?
Post 12 Jun 2012, 20:15
Bargest
IA-32 is a very... strange architecture. There is no reason for using rings 1 and 2. Windows and Linux don't use them at all. There is no sense in using them, because if a driver has access to I/O ports (and it must have), it controls the system. For example, system memory can be overwritten using the DMA mode of various devices.
I wanted to use protection based on read-only pages (read-only protection checks for supervisor mode are controlled by the WP bit in CR0, and this register can be changed only from ring 0), but I realized it is too slow: frequently switching CR0 will kill performance.
Post 12 Jun 2012, 20:32
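The access check the two posts above are arguing about, as an added example that is not part of the original thread: a small C model of the x86-64 four-level page walk and the access-rights rule from Intel SDM vol. 3, section 4.6, restricted to the bits under discussion. It shows Nistix's observation (any access at CPL 0, 1 or 2 is a supervisor-mode access, so rings 1 and 2 pass the U/S check exactly like ring 0) and Bargest's CR0.WP point (with WP=0 a supervisor write goes through a page marked R/W=0; with WP=1 it faults). The page tables, frame numbers, linear addresses and the names `build_tables`, `walk` and `check_access` are constructed for this example; SMEP, SMAP, NX, protection keys and the accessed/dirty bits are assumed disabled and left out.

```c
/* Added example, not from the thread: a model of the x86-64 4-level
 * page-walk access check (Intel SDM vol. 3, sec. 4.6) limited to the
 * bits discussed above: present, R/W, U/S and CR0.WP. SMEP, SMAP, NX,
 * protection keys and the A/D bits are assumed off and ignored. The
 * page tables, frame numbers and linear addresses are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define P   (1ULL << 0)          /* present */
#define RW  (1ULL << 1)          /* 1 = writable */
#define US  (1ULL << 2)          /* 1 = user accessible */
#define ADDR_MASK 0x000FFFFFFFFFF000ULL

/* Simulated physical memory: 8 frames of 4 KiB, each either one paging
 * table (512 entries of 8 bytes) or the data page the leaves point at. */
enum { F_PML4, F_PDPT_LO, F_PD_LO, F_PT_LO, F_PDPT_HI, F_PD_HI, F_PT_HI, F_DATA, NFRAMES };
static uint64_t phys[NFRAMES][512];
#define PA(frame) ((uint64_t)(frame) * 4096)

/* Constructed layout following the thread's split: the high half starts
 * at 0xFFFF800000000000, which selects PML4 entry 256. */
#define USER_PAGE  0x0000000000400000ULL  /* PML4 0, PDPT 0, PD 2, PT 0 */
#define KTEXT_PAGE 0xFFFF800000100000ULL  /* PML4 256, PDPT 0, PD 0, PT 256 */
#define KDATA_PAGE 0xFFFF800000101000ULL  /* same path, PT entry 257 */

static void build_tables(void)
{
    phys[F_PML4][0]    = PA(F_PDPT_LO) | P | RW | US;
    phys[F_PDPT_LO][0] = PA(F_PD_LO)   | P | RW | US;
    phys[F_PD_LO][2]   = PA(F_PT_LO)   | P | RW | US;
    phys[F_PT_LO][0]   = PA(F_DATA)    | P | RW | US;   /* user page, writable */

    phys[F_PML4][256]  = PA(F_PDPT_HI) | P | RW;        /* U/S = 0 from here down */
    phys[F_PDPT_HI][0] = PA(F_PD_HI)   | P | RW;
    phys[F_PD_HI][0]   = PA(F_PT_HI)   | P | RW;
    phys[F_PT_HI][256] = PA(F_DATA)    | P;             /* kernel text: read-only */
    phys[F_PT_HI][257] = PA(F_DATA)    | P | RW;        /* kernel data: writable */
}

enum result { ACCESS_OK, NOT_PRESENT, NONCANONICAL, USER_PRIV_FAULT, WRITE_FAULT };

/* Walk the four levels. U/S and R/W are effective only if set in every
 * entry on the path, so they are AND-ed together level by level. */
static enum result walk(uint64_t la, bool *user_ok, bool *write_ok)
{
    uint64_t top = la >> 47;                 /* bits 63:47 must be all 0 or all 1 */
    if (top != 0 && top != 0x1FFFF) return NONCANONICAL;

    uint64_t pa = PA(F_PML4);
    *user_ok = *write_ok = true;
    for (int level = 3; level >= 0; level--) {
        uint64_t e = phys[pa / 4096][(la >> (12 + 9 * level)) & 0x1FF];
        if (!(e & P)) return NOT_PRESENT;
        *user_ok  = *user_ok  && (e & US);
        *write_ok = *write_ok && (e & RW);
        pa = e & ADDR_MASK;
    }
    return ACCESS_OK;
}

/* SDM 4.6: CPL < 3 is a supervisor-mode access, so rings 1 and 2 pass the
 * U/S check exactly like ring 0. CR0.WP decides whether a supervisor write
 * honours R/W = 0; a user write always does. */
enum result check_access(unsigned cpl, bool cr0_wp, uint64_t la, bool write)
{
    static bool built;
    if (!built) { build_tables(); built = true; }

    bool user_ok, write_ok;
    enum result r = walk(la, &user_ok, &write_ok);
    if (r != ACCESS_OK) return r;

    bool supervisor = cpl < 3;
    if (!supervisor && !user_ok) return USER_PRIV_FAULT;
    if (write && !write_ok && (!supervisor || cr0_wp)) return WRITE_FAULT;
    return ACCESS_OK;
}

int main(void)
{
    static const char *name[] = { "ok", "not-present", "noncanonical", "priv-fault", "write-fault" };
    struct { unsigned cpl; bool wp; uint64_t la; bool write; } cases[] = {
        { 3, true,  USER_PAGE,  true  },   /* user writes its own page: ok */
        { 3, true,  KTEXT_PAGE, false },   /* ring 3 reads kernel: fault */
        { 1, true,  KTEXT_PAGE, false },   /* ring 1 reads kernel: ok (the complaint) */
        { 2, true,  KDATA_PAGE, true  },   /* ring 2 writes kernel data: ok */
        { 1, true,  KTEXT_PAGE, true  },   /* WP=1: read-only page holds against ring 1 */
        { 1, false, KTEXT_PAGE, true  },   /* WP=0: supervisor write goes through */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("CPL=%u WP=%d %s 0x%016llx -> %s\n", cases[i].cpl, cases[i].wp,
               cases[i].write ? "write" : "read ", (unsigned long long)cases[i].la,
               name[check_access(cases[i].cpl, cases[i].wp, cases[i].la, cases[i].write)]);
    return 0;
}
```

Compile with `cc -std=c11 pagewalk.c`; `main` prints one line per scenario. The model makes the limits of the read-only-page scheme visible: with WP=1 a ring 1 driver cannot write a kernel page marked R/W=0, but nothing in the walk stops it from reading any kernel page or writing the pages the kernel itself needs writable, because the only privilege distinction paging knows is user versus supervisor.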
Nistix
Oops. This bug completely destroys my dreams. I've already done so much in my own system, but noticed it too late.
Post 12 Jun 2012, 21:27
revolution
It is always possible that external hardware can bypass the internal CPU privilege checks. Search for FireWire hacks to see it in full force. But this is no fault of the CPU.

Rings 1 and 2 were designed for a different era of OSes. The (now) old 80286 was the first x86 CPU to incorporate protection, and at that time rings 0-3 made sense for the type of uses the CPU was being put to.

Today things are different.
Post 13 Jun 2012, 01:20
edfed
The reason for OSes not using rings 1 & 2 may be more the fact that not every CPU architecture supports them, and maybe that OS companies don't design their systems with the same security model as Intel does.

Then, if you want, you can try to design using the 4 levels. I think it will give pretty good security results if it is well made.
Post 13 Jun 2012, 08:20
Nistix
Using 4 privilege levels makes sense only in 32-bit protected mode, because we can use the DPL field in code- and data-segment descriptors, and we can also set the base address and limit for these descriptors.
But!
The AMD64 architecture completely removes segmentation:
"A data-segment-descriptor DPL field is ignored in 64-bit mode, and segment-privilege checks are not performed on data segments."
(http://support.amd.com/us/Processor_TechDocs/24593_APM_v2.pdf, page 89)
We cannot set Base, Limit or DPL for any data descriptor in 64-bit long mode!
All processes in long mode (64-bit) use only one selector, because there are no differences in its content.
That's why there is no reason to use CPL=1 or 2 in a fully 64-bit OS. Code at CPL=1,2 will use the same data descriptor as code at CPL=0, so access to pages during translation will be identical.
Post 13 Jun 2012, 10:07
shutdownall
Nistix wrote:
    So, any code with CPL=3 can't access any data/code in the higher half of linear memory.

I think that's what you wanted.

Nistix wrote:
    But !!!
    Code with CPL=1 and CPL=2 has access to them !!!

But only because you have chosen CPL2 for your system/kernel.
Any task with DPL <= CPL can access resources.
That's the sense of it.
You need a more hierarchical structure.
If you choose to start your system (kernel) with CPL0, tasks with CPL1 or CPL2 will have no more access to it.

Nistix wrote:
    In the Intel Architectures Software Developer Manuals (Chapter 4, Page Translation, 4.6 Access Rights):
    "all accesses performed while the CPL is less than 3 are supervisor-mode accesses"

Just a convention of what supervisor mode is.
The rule is DPL <= CPL for access.

Nistix wrote:
    So, for example, if I want to make some drivers in my own operating system work at CPL=1 for more security and stability, it will give no result, because any driver at CPL=1 or 2 can access ALL system structures and can read/write them.
    What is the reason for using levels 1 and 2?

Not every driver can access CPL0; CPL1 or CPL2 cannot. Intel could have been clearer in the documents. The reason for levels 0-3 is finer granularity in the system software. So you could do a concept like this:

CPL0 => Kernel
CPL1 => General System Services
CPL2 => More Specific System Drivers
CPL3 => User tasks/programs

But it is up to you.
You can also use only CPL0 and CPL3. Or CPL1 and CPL2.

I can recommend the following book for planning operating systems based on the x86 architecture:

Echtzeit-Multitasking - Memory Management und System Design im Protected Mode der x86/Pentium-Architektur
by Klaus-Dieter Thies
But it is written in German.
Post 13 Jun 2012, 13:14
Bargest
Some systems have user-mode drivers. For example, in Win8 some long-running drivers were moved from kernel mode to user mode. These drivers have a special interface for reading/writing system structures. This provides more security and an easier way of writing drivers (the system does not crash after any small bug occurs).
But many small and time-critical drivers are still in ring 0.
Post 13 Jun 2012, 15:02
Copyright © 1999-2020, Tomasz Grysztar.