A program loads an IA-32 segment register with an index to the table and a bit saying which table it desires. The operation is checked according to the attributes in the descriptor, the physical address being formed by adding the offset in the processor to the base in the descriptor, provided the offset is less than the limit field. Every segment descriptor has a separate 2-bit field to give the legal access level of this segment. A violation occurs only if the program tries to use a segment with a lower protection level in the segment descriptor.
We can now show how to invoke the payroll program mentioned above to update the year-to-date information without allowing it to update salaries. The program could be given a descriptor to the information that has the writable field clear, meaning it can read but not write the data. A trusted program can then be supplied that will only write the year-to-date information. It is given a descriptor with the writable field set (Figure B.26). The payroll program invokes the trusted code using a code segment descriptor with the conforming field set. This setting means the called program takes on the privilege level of the code being called rather than the privilege level of the caller. Hence, the payroll program can read the salaries and call a trusted program to update the year-to-date totals, yet the payroll program cannot modify the salaries. If a Trojan horse exists in this system, to be effective it must be located in the trusted code whose only job is to update the year-to-date information. The argument for this style of protection is that limiting the scope of the vulnerability enhances security.
Adding Safe Calls from User to OS Gates and Inheriting Protection Level for Parameters
Allowing the user to jump into the operating system is a bold step. How, then, can a hardware designer increase the chances of a safe system without trusting the operating system or any other piece of code? The IA-32 approach is to restrict where the user can enter a piece of code, to safely place parameters on the proper stack, and to make sure the user parameters don't get the protection level of the called code.
To restrict entry into others' code, the IA-32 provides a special segment descriptor, or call gate, identified by a bit in the attributes field. Unlike other descriptors, call gates are full physical addresses of an object in memory; the offset supplied by the processor is ignored. As stated above, their purpose is to prevent the user from randomly jumping anywhere into a protected or more privileged code segment. In our programming example, this means the only place the payroll program can invoke the trusted code is at the proper boundary. This restriction is needed to make conforming segments work as intended.
What happens if caller and callee are "mutually suspicious," so that neither trusts the other? The solution is found in the word count field in the bottom descriptor in Figure B.26. When a call instruction invokes a call gate descriptor, the descriptor copies the number of words specified in the descriptor from the local stack onto the stack corresponding to the level of this segment. This copying allows the user to pass parameters by first pushing them onto the local stack. The hardware then safely transfers them onto the correct stack. A return from a call gate will pop the parameters off both stacks and copy any return values to the proper stack. Note that this model is incompatible with the current practice of passing parameters in registers.
This scheme still leaves open the potential loophole of having the operating system use the user's address, passed as parameters, with the operating system's security level, instead of with the user's level. The IA-32 solves this problem by dedicating 2 bits in every processor segment register to the requested protection level. When an operating system routine is invoked, it can execute an instruction that sets this 2-bit field in all address parameters with the protection level of the user that called the routine. Thus, when these address parameters are loaded into the segment registers, they will set the requested protection level to the proper value. The
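As an added example (not code from the textbook), the following C model shows the requested-protection-level fix-up just described: before an OS routine uses a selector handed up by the user, the selector's 2-bit RPL is raised to the caller's level, so the OS's own privilege is not lent to a user-supplied address. The descriptor layout, level numbers and table contents are constructed for illustration.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed model of the IA-32 check described above (added example,
 * not the textbook's code).  Levels run 0 (most privileged) to 3. */
typedef struct {
    uint32_t base, limit;   /* limit is the highest legal offset */
    uint8_t  dpl;           /* 2-bit descriptor privilege level */
    bool     writable;
} segment_desc;

typedef struct {
    uint16_t index;         /* descriptor table index */
    uint8_t  rpl;           /* 2-bit requested protection level */
} selector;

/* ARPL-style fix-up: if the selector claims more privilege than the
 * caller has, lower it to the caller's level. */
static selector arpl(selector sel, uint8_t caller_cpl) {
    if (sel.rpl < caller_cpl) sel.rpl = caller_cpl;
    return sel;
}

/* Physical address for a write through sel at offset, or -1 when the
 * descriptor's level, writable bit or limit forbids the access. */
static int64_t checked_write_addr(const segment_desc *d, selector sel,
                                  uint8_t cpl, uint32_t offset) {
    uint8_t effective = cpl > sel.rpl ? cpl : sel.rpl; /* least privileged wins */
    if (effective > d->dpl) return -1;  /* segment is more privileged than accessor */
    if (!d->writable)       return -1;  /* writable field clear */
    if (offset > d->limit)  return -1;  /* offset beyond the limit field */
    return (int64_t)d->base + offset;
}

/* An OS routine at level 0 writes through a selector a user at level
 * user_cpl passed as a parameter; apply_arpl selects the fix-up. */
static int64_t os_write_for_user(const segment_desc *tbl, selector user_sel,
                                 uint8_t user_cpl, uint32_t offset,
                                 bool apply_arpl) {
    if (apply_arpl) user_sel = arpl(user_sel, user_cpl);
    return checked_write_addr(&tbl[user_sel.index], user_sel, 0, offset);
}

/* Constructed table: entry 0 is OS-only data, entry 1 is user data. */
static const segment_desc table[] = {
    { 0x10000, 0xFFF, 0, true },
    { 0x20000, 0xFFF, 3, true },
};
```

Without the fix-up the OS would write into the level-0 segment on the user's behalf; with it, the same selector is refused while a legitimate user segment still works.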