flat assembler
Message board for the users of flat assembler.

RPL? why?

asmmsa
Joined: 06 Feb 2010
Posts: 45
What is the role of RPL in protection?

I can load CS with DPL only when CPL = DPL, or, if the segment is conforming, CPL >= DPL (CPL stays unchanged in this case /*executing code at lower level*/).

I can load data selectors with DPL >= CPL; if my CPL is 3 I can load a selector with RPL 0, and it will go. They are auto reset to prevent me from using them when I return from privileged code.

Interrupts/exceptions? They have DPL. If I match it, they load me with a selector. Exceptions ignore DPL and I'm always loaded with a new CS.

Returns? A return can be only to a higher privileged segment; this way I can't execute ring3 iret/retf and get to CPL = 0.

So what's the idea behind RPL?
When I want to call a segment with a different DPL, I have CPL indicating my current level, and DPL indicating access rights and possibly my new level.

RPL is ULTRA ANNOYING! Why did they make it? I'm reading the manual the 3rd time, and I can't catch it!
Post 11 Feb 2010, 19:22
baldr
Joined: 19 Mar 2008
Posts: 1651
asmmsa,

In the basic flat PM memory model RPL is almost unused. Consider the multi-segment PM memory model.
Post 11 Feb 2010, 21:35
DOS386
Joined: 08 Dec 2006
Posts: 1901
baldr wrote:
basic flat PM memory model RPL is almost unused. Consider multi-segment PM memory model

So a relict from 80286
Post 12 Feb 2010, 15:02
asmmsa
Joined: 06 Feb 2010
Posts: 45
Please, a better explanation: how does RPL help segmentation?

When I load a segment register, the formula for checking access is (data segments, conforming code):

MAX(CPL, DPL) <= DPL = ACCESS GRANTED

So if I set up RPL high, I will fuck myself for no reason.
If I set it up lower, oh, I can't do that! That means CPL is guarding privilege escalation!

The only thing I can think of is returning. When I'm in ring0 and return to ring2, ring0 and 1 selectors are nullified, 2 and 3 stay. But that's a crappy explanation.

I won't escalate because CPL is guarding it, but I can set RPL higher, just to make an error, no reason!

HELP ME, I MUST UNDERSTAND IT! IT ANNOYS ME DAY AND NIGHT, CAN'T SLEEP!
Post 12 Feb 2010, 15:32
baldr
Joined: 19 Mar 2008
Posts: 1651
DOS386,

So why do we need the XD bit to prevent various exploits? The basic flat memory model is simple, that's why it is often chosen. Is it a "protected mode" memory model? I think no. It uses protected mode features to disable protection. "Darwin's Blade: All other things being equal, the simplest solution is usually stupidity." — Darwin Minor (Dan Simmons, actually)

__________
asmmsa,

When the memory model is multi-segmented, pointers are far. They are passed between various parts of system and user code, and access checks are made based on the RPL of their selector part. See also subchapter "5.10.4 Checking Caller Access Privileges (ARPL instruction)" in Intel SDM vol. 3A: "System Programming Guide, Part 1".
Post 12 Feb 2010, 18:13
asmmsa
Joined: 06 Feb 2010
Posts: 45
Checks are made by CPL.
If my CPL <= DPL of the segment is sufficient, I can load it into CS/DS/ES/SS and others.
If not, I can't load them.

If I return with loaded segment registers, they are set to 0.

At least that's how I understand it. There is no place for RPL. I still don't get it.

AND WE ARE SPEAKING ABOUT DATA SEGMENTS!!!
Code is the same, but I want an easier picture to compare.

Can you give me an example?

RPL is said to weaken CPL. OK, that's the only one part I understand and can agree on. But why? Who needs it?
Quote:
Then, when the operating system uses

What bullshit. What is an operating system, DPL = 0? What!

Quote:
Operating-system procedures typically use the RPL to prevent less privileged application
programs from accessing data located in more privileged segments.

YEAH BUT IT'S CALLED DPL!

Quote:
When an operating-system procedure (the called procedure) receives a segment selector from an application program (the calling procedure),

OK, how does it receive it?
I pass it on the stack, or in a segment register? Let's assume that in a segment register. call > segment register is unchanged, points to ring3 segment.
Now if the OS wants to use it, it must save a copy on the stack.

push ds
mov ax,ring0_data
mov ds,ax
... code
pop ds

Where is the RPL?

If the CPU wants to use a ring3 segment, it must low.... NO, it can just access it because CPL (0) < DPL (3). What's the problem?!

A ring3 app can't pass a ring0 segment in DS, only ring3, and it has to fill that stupid RPL.

Quote:
They are passed between various parts of system and user code, access checks are being made based on RPL

Do you mean a situation like that:
. ring3 code
. divide exception
. ring0 code
. call to other code ring0
. call to other code ring0
. found pointer to ring3 data on stack, RPL = 3
If the pointer is on the stack, that means it's valid and I have not made any checks.
Now in CPL=0, loading the pointer with RPL=3.
If I load it to DS it will work. When I return to ring1 or 2, I wouldn't be able to load this pointer, because of RPL, so I think I'm getting somewhere.

RPL is to protect against multi-RING bugs, right?

ring2 created a selector. It's valid, RPL = 2.
Code passed to ring1. ring1 wants to load this selector. CPL = ok, RPL = too high. Error. ring1 can't load it.

So what, the CPU doesn't pass selectors except CS.
Why prevent a more privileged ring accessing a less privileged one?
I can't understand it now.
Post 12 Feb 2010, 19:06
asmmsa
Joined: 06 Feb 2010
Posts: 45
Here the segment selector passed to the operating system is placed in the destination operand and segment selector for the application program's code segment is placed in the source operand. (The RPL field in the source operand represents the privilege level of the application program.) Execution of the ARPL instruction then insures that the RPL of the segment selector received by the operating system is no lower (does not have a higher privilege) than the privilege level of the application program.


What passing is it about?

push 0x18?
Passing in DS?

What?!
Post 12 Feb 2010, 19:19
edfed
Joined: 20 Feb 2006
Posts: 4240
Location: 2018
Quote:
As I can see, you are a beginner; then you should better focus on beginner's stuff instead of driving yourself crazy with advanced features.
...
before asking a bolded oversized Not A Question.

Quote:
No, it's useless. AN APPLICATION CAN'T LOAD A FUCKING POINTER UNLESS IT'S PRIVILEGED TO DO SO! AND EVEN THEN IT HAS TO RPL IT! WHY

Just have a deep look at the IA programmer's manual.
Post 12 Feb 2010, 19:33
Coddy41
Joined: 18 Jan 2009
Posts: 384
Location: Ohio, USA
Whoa... someone seems to be using a lot of "power" words...
asmmsa wrote:

HELP ME I MUST UNDERSTAND IT! IT ANNOY ME DAY AND NIGHT, CANT SLEEP!

I recently found a solution to this problem I like to call "Drink less coffee".

I think edfed is right, to some extent... Beginners should play in the BIOS sandbox... Much more fun. And ranting does not get things done any sooner.

_________________
Want hosting for free for your asm project? You can PM me. (*.fasm4u.net)
Post 12 Feb 2010, 19:51
asmmsa
Joined: 06 Feb 2010
Posts: 45
Got it, finally.

RPL is a hardware enforced privilege check.

When ring0 receives a far pointer to which it's supposed to write (for example an ISR function just writes "hello world" to a far pointer), it must ensure that the SEGMENT ACCESS will be made with the REQUESTOR'S privilege.

It gets CPL from the stack (far call > CPL on stack), and ARPLs it against the selector passed on the stack as an argument to some abstract hello_world_write function.
The selector gets the ring3 CPL, and now the kernel can load a segment register with the passed pointer, with the RPL adjusted to match the CPL of origin.

If the load fails - access denied. This way ring0 can use hardware instead of checks (which I realize now would be unpleasant: check DPL, then CPL, blah.) to do this job.

Very abstract, no wonder it didn't come to me sooner.

I hope I'm not wrong...
Post 12 Feb 2010, 20:28
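The confused-deputy check baldr's SDM reference and the last post describe, as an added C model that is not code from the thread: the segment-load rule max(CPL, RPL) <= DPL and the ARPL adjustment are reduced to plain functions, the struct and function names are the author's own, and the caller's CPL is taken from the RPL of the CS the CPU pushed on the kernel stack.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of the x86 data-segment load check and ARPL.
 * A selector is modelled by its RPL only (selector bits 1:0), a
 * descriptor by its DPL only. Names are the author's, not Intel's. */
typedef struct { uint8_t rpl; } selector_t;
typedef struct { uint8_t dpl; } descriptor_t;

static uint8_t max_u8(uint8_t a, uint8_t b) { return a > b ? a : b; }

/* Rule the CPU applies on "mov ds, ax" for a data segment:
 * the load succeeds only if max(CPL, RPL) <= DPL, otherwise #GP. */
bool can_load_data_segment(uint8_t cpl, selector_t sel, descriptor_t desc)
{
    return max_u8(cpl, sel.rpl) <= desc.dpl;
}

/* "arpl dest, src": if dest.RPL < src.RPL, raise dest.RPL to src.RPL.
 * The real instruction also sets ZF when it adjusted; omitted here. */
selector_t arpl(selector_t dest, selector_t src)
{
    if (dest.rpl < src.rpl)
        dest.rpl = src.rpl;
    return dest;
}

/* Ring-0 service entered by a far call or interrupt that wants to touch
 * the segment the caller handed it. caller_cs_rpl is the RPL of the CS
 * the CPU pushed on the kernel stack, i.e. the caller's CPL. The service
 * compares no privilege levels itself: ARPL stamps the caller's level
 * into the selector and the segment load performs the check. */
bool service_can_use_selector(uint8_t caller_cs_rpl, selector_t arg,
                              descriptor_t target)
{
    selector_t caller_cs = { caller_cs_rpl };
    selector_t adjusted  = arpl(arg, caller_cs);        /* arpl ax, [esp+4] */
    return can_load_data_segment(0, adjusted, target);  /* mov ds, ax at CPL 0 */
}
```

The model is 32-bit protected mode only: in 64-bit mode the ARPL opcode is reassigned to MOVSXD, so this pattern is not available there.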
Copyright © 1999-2020, Tomasz Grysztar.