Unit II : Memory Management


Memory Management in 80386: Segment Translation, Page Translation, Combining Segment and Page Translation.

Contents
• Memory Management in 80386: Segment Translation, Page Translation, Combining Segment and Page Translation.
• Operating in Real Mode, Virtual 8086 Mode.
• Protection: Need of Protection, Overview of the 80386DX Protection Mechanism, Privilege Levels.

Address Spaces of 80386
• There are 3 address spaces in the 80386:
– Logical address space
– Linear address space
– Physical address space
• Machine language programs use logical addresses for both instruction and operand addresses.
• The segmentation unit translates a logical address into a 32-bit linear address.
• When the paging unit is enabled, it translates the linear address into a physical address. If the paging unit is disabled, the linear address is used directly as the physical address.

Logical & Linear Address
• Logical Address: consists of a) a segment selector and b) an offset. The selector is held in a segment register. The offset (effective address) is calculated by the processor by adding the base, index and displacement fields of the operand. The segmentation unit converts the logical address to a linear address using the segment descriptor indicated by the segment selector: linear address = segment base address + offset.
• Linear Address:
o When paging is disabled, the linear address is the physical address.
o When paging is enabled, the linear address is converted to a physical address by the paging unit.

Memory Address Translation
(figure) Logical Address = SELECTOR : OFFSET → segmentation unit → Linear Address = DIRECTORY | TABLE | OFFSET → paging unit → Physical Address

Segment Translation
• To perform this translation, the processor uses the following data structures:
– Descriptors
– Descriptor tables
– Selectors
– Segment registers

Segment Selector – 16 bit
• A segment selector is loaded into a segment register (CS, DS, etc.) to select one of the segments in the system as the one addressed via that segment register.
• Bits 15–3: index of the descriptor in the table; bit 2: TI (table indicator, 0 = GDT, 1 = LDT); bits 1–0: RPL (requested privilege level).

Segment Descriptor
• Describes a segment.
• Must be created for every segment.
• Is created by the system programmer (the operating system), not by the processor.
• Determines the base address of the segment.
• Determines the size (limit) of the segment.
• Determines the type of the segment.
• Determines the privilege level of the segment.

Segment Descriptor defines the following (8 bytes = 64 bits)
• Base address (32 bits)
• Segment limit (20 bits)
• Type of segment (4 bits; for code/data segments the lowest type bit is the Accessed bit, set by the processor when the segment is first used)
• S: system (0) or code/data (1) descriptor (1 bit)
• Privilege level of segment, DPL (2 bits)
• P: whether the segment is physically present in memory (1 bit)
• G: granularity of the limit field (1 bit)
• D/B: default operand/address size within the segment (1 bit)
• AVL: available to the system programmer (1 bit)
• Intel reserved bit, must be 0 (1 bit)

Segment Descriptor layout
Byte 7    : Base Address (31–24)
Byte 6    : G | D/B | 0 (reserved) | AVL | Segment Limit (19–16)
Byte 5    : P | DPL (2 bits) | S | TYPE (4 bits)
Byte 4    : Base Address (23–16)
Bytes 3–2 : Base Address (15–0)
Bytes 1–0 : Segment Limit (15–0)

Field meanings
P    : 1 – segment is present in memory, 0 – not present
DPL  : privilege level of the descriptor
S    : 1 – code/data segment descriptor, 0 – system descriptor
TYPE (S = 1): 0 – data, read-only; 1 – data, read-only, accessed; 2 – data, read/write; 8 – code, execute-only; 9 – code, execute-only, accessed; A – code, execute/read. (Bit 0 of TYPE is the accessed bit, bit 1 is writable for data / readable for code, bit 3 distinguishes code from data.)
G    : 0 – limit field is in bytes; 1 – limit field is in units of 4 KB pages
D/B  : 1 – 32-bit operations; 0 – 16-bit operations
AVL  : available to the programmer

Segment Descriptor (continued)
Base Address: starting linear address of the memory segment.
Limit:
• Length of the segment minus 1.
• 20 bits allow segments up to 1 MB when G = 0.
• When G = 1 the field is scaled by 4 KB: the 20-bit value is shifted 12 bits to the left and the low 12 bits of the resulting byte limit are treated as ones.
G (Granularity) bit:
• When G = 0, segments can be 1 byte to 1 MB in length.
• When G = 1, segments can be 4 KB to 4 GB in length.
AVL (U) bit: user (OS) defined bit; the processor does not interpret it.
Reserved (X) bit: reserved by Intel, must be 0.
D bit: indicates the default operand and address size for instructions executed in this segment in protected mode (80386 and up).
• When D = 0, instructions are 16-bit instructions, with 16-bit offsets and 16-bit registers; the stack is assumed 16 bits wide and SP is used. This is what allows 8086 and 80286 programs to run on the 80386.
• When D = 1, 32-bit operands, 32-bit offsets and ESP are assumed.
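The descriptor packing and the selector-to-linear-address translation described above, as an added worked example in C. This is illustration code written for this page, not code from the lecture notes or from Intel; the descriptor tables it builds (`demo_setup_gdt`) and the fault codes it returns are constructed for the demo. It follows the 8-byte descriptor layout, applies the G bit to the limit, looks the selector up in the GDT or LDT according to the TI bit, and refuses the access on the same conditions on which the 80386 would raise a fault (null selector, index past the table limit, segment not present, system descriptor used as a segment, max(CPL, RPL) > DPL, write to code or read-only data, read of execute-only code, offset past the limit). Conforming code segments and expand-down data segments are deliberately not modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* Added example, not code from the lecture notes: a software model of 80386
 * segment translation. The selector's index/TI/RPL fields pick a descriptor
 * from the GDT or LDT, the descriptor is decoded as the CPU would cache it in
 * the hidden part of a segment register, the access is checked against limit,
 * privilege and type, and the linear address is base + offset. The tables in
 * demo_setup_gdt() are constructed for the demo. */

typedef struct {
    uint32_t base;        /* 32-bit segment base */
    uint32_t limit;       /* byte limit after applying G */
    uint8_t  type;        /* bit 3 = code; bit 1 = writable (data) / readable (code); bit 0 = accessed */
    bool     s;           /* 1 = code/data, 0 = system descriptor */
    uint8_t  dpl;
    bool     present;
    bool     granularity; /* G */
    bool     big;         /* D/B */
} seg_desc_t;

/* Pack the fields into the 8-byte descriptor format, as an OS does when filling a table. */
uint64_t make_descriptor(uint32_t base, uint32_t limit20, uint8_t type, bool s,
                         uint8_t dpl, bool present, bool g, bool db)
{
    uint64_t d = 0;
    d |= (uint64_t)(limit20 & 0xFFFFu);                 /* bits 0-15:  limit 15:0  */
    d |= (uint64_t)(base & 0xFFFFFFu) << 16;            /* bits 16-39: base 23:0   */
    d |= (uint64_t)(type & 0xFu) << 40;                 /* bits 40-43: TYPE        */
    d |= (uint64_t)(s ? 1 : 0) << 44;                   /* bit 44:     S           */
    d |= (uint64_t)(dpl & 3u) << 45;                    /* bits 45-46: DPL         */
    d |= (uint64_t)(present ? 1 : 0) << 47;             /* bit 47:     P           */
    d |= (uint64_t)((limit20 >> 16) & 0xFu) << 48;      /* bits 48-51: limit 19:16 */
    /* bit 52 (AVL) and bit 53 (Intel reserved) stay 0 */
    d |= (uint64_t)(db ? 1 : 0) << 54;                  /* bit 54:     D/B         */
    d |= (uint64_t)(g ? 1 : 0) << 55;                   /* bit 55:     G           */
    d |= (uint64_t)(base >> 24) << 56;                  /* bits 56-63: base 31:24  */
    return d;
}

/* Unpack a raw descriptor. */
void decode_descriptor(uint64_t d, seg_desc_t *out)
{
    uint32_t limit20 = (uint32_t)(d & 0xFFFFu) | ((uint32_t)((d >> 48) & 0xFu) << 16);
    out->base        = (uint32_t)((d >> 16) & 0xFFFFFFu) | ((uint32_t)((d >> 56) & 0xFFu) << 24);
    out->type        = (uint8_t)((d >> 40) & 0xFu);
    out->s           = ((d >> 44) & 1u) != 0;
    out->dpl         = (uint8_t)((d >> 45) & 3u);
    out->present     = ((d >> 47) & 1u) != 0;
    out->big         = ((d >> 54) & 1u) != 0;
    out->granularity = ((d >> 55) & 1u) != 0;
    /* G = 1: the limit counts 4 KB pages; the low 12 bits of the byte limit read as ones */
    out->limit = out->granularity ? ((limit20 << 12) | 0xFFFu) : limit20;
}

typedef struct { const uint64_t *table; uint16_t limit; } desc_table_t; /* models GDTR / LDTR */

typedef enum { SEG_OK = 0, SEG_NULL_SELECTOR, SEG_BAD_INDEX, SEG_NOT_PRESENT,
               SEG_SYSTEM_DESC, SEG_PRIVILEGE, SEG_TYPE, SEG_LIMIT } seg_fault_t;

/* Translate selector:offset for a `size`-byte access by code running at privilege level cpl.
 * Returns SEG_OK and fills *linear, or the reason the CPU would raise #GP/#NP.
 * Only the data-segment privilege rule max(CPL, RPL) <= DPL is modelled;
 * conforming code and expand-down data segments are left out. */
seg_fault_t translate_logical(const desc_table_t *gdt, const desc_table_t *ldt,
                              uint16_t selector, uint32_t offset, uint32_t size,
                              uint8_t cpl, bool write, uint32_t *linear)
{
    uint32_t index = selector >> 3;                 /* bits 15-3: descriptor index */
    bool     ti    = ((selector >> 2) & 1u) != 0;   /* bit 2: 0 = GDT, 1 = LDT */
    uint8_t  rpl   = selector & 3u;                 /* bits 1-0: requested privilege level */
    const desc_table_t *tbl = ti ? ldt : gdt;
    seg_desc_t d;

    if (!ti && index == 0) return SEG_NULL_SELECTOR;                       /* GDT entry 0 is the null descriptor */
    if (tbl == NULL || index * 8u + 7u > tbl->limit) return SEG_BAD_INDEX; /* beyond the table's limit */
    decode_descriptor(tbl->table[index], &d);
    if (!d.present) return SEG_NOT_PRESENT;
    if (!d.s) return SEG_SYSTEM_DESC;                                      /* LDT/TSS/gate: not a data segment */
    if ((cpl > rpl ? cpl : rpl) > d.dpl) return SEG_PRIVILEGE;
    bool is_code = (d.type & 0x8u) != 0;
    if (write && (is_code || !(d.type & 0x2u))) return SEG_TYPE;           /* code or read-only data */
    if (!write && is_code && !(d.type & 0x2u)) return SEG_TYPE;            /* execute-only code is unreadable */
    if (size == 0 || offset > d.limit || (uint64_t)offset + size - 1u > d.limit) return SEG_LIMIT;
    *linear = d.base + offset;                                             /* wraps modulo 2^32 like the hardware */
    return SEG_OK;
}

/* Constructed GDT: null, flat 4 GB code, a 256-byte DPL 3 data segment, a 4 KB DPL 0 data segment. */
static uint64_t demo_gdt[4];
static desc_table_t demo_gdtr;

const desc_table_t *demo_setup_gdt(void)
{
    demo_gdt[0] = 0;
    demo_gdt[1] = make_descriptor(0x00000000u, 0xFFFFFu, 0xA, true, 0, true, true, true);
    demo_gdt[2] = make_descriptor(0x00010000u, 0x000FFu, 0x2, true, 3, true, false, true);
    demo_gdt[3] = make_descriptor(0x00020000u, 0x00FFFu, 0x2, true, 0, true, false, true);
    demo_gdtr.table = demo_gdt;
    demo_gdtr.limit = (uint16_t)(sizeof demo_gdt - 1);   /* GDTR limit = offset of the last valid byte */
    return &demo_gdtr;
}
```

With this GDT, selector 0x13 (index 2, TI = 0, RPL = 3) with offset 0x10 translates to linear 0x10010, offset 0xFD for a 4-byte access fails the limit check, and selector 0x18 (index 3, DPL 0) is refused to CPL 3 code even though the selector's RPL is 0, which is exactly the check that stops an application from handing the kernel a descriptor it may not touch itself.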
GDT and LDT
• Two types of descriptor tables hold segment descriptors when the processor works in protected mode.
• GDT (Global Descriptor Table) is system-wide; it typically holds the descriptors of operating system segments, together with the system descriptors (LDT descriptors, TSS descriptors) that every task may need.
• LDT (Local Descriptor Table) typically contains the descriptors of the segments belonging to one application (task).
• During initialization, the kernel creates a single GDT which is kept in memory until either the operating system terminates or the processor is switched back to real mode.
• Whenever a new application starts, the operating system creates a new LDT to hold the descriptor entries which represent the segments used by the new task. This makes it possible for the operating system to isolate each task's address space by enabling a different LDT whenever a task switch occurs.

GDT
• Unique (exactly one per system).
• Holds segment descriptors of both kinds: system and non-system.
LDT
• Is optional.
• Extends the GDT.
• One per individual task.
IDT
• Holds gate descriptors for the interrupt service routines.

Descriptor table registers
• GDTR: 48-bit register = 32-bit linear base address of the GDT + 16-bit limit of the GDT. The 16-bit limit allows a GDT of at most 65536 bytes (8192 descriptors of 8 bytes).
• IDTR: same format as GDTR (32-bit linear base + 16-bit limit).
• LDTR: 16-bit visible register holding a selector that specifies the LDT descriptor in the GDT. The processor also keeps a hidden (cache) part with the 32-bit linear base address and 16-bit limit of the LDT, loaded from that descriptor.

Hidden part of a segment register
Segment Selector (visible, 16 bits) | Base Address | Limit | Access Information (hidden; loaded from the descriptor when the selector is loaded)

GDTR is a 48-bit register: 32-bit Linear Base Address | 16-bit Table Limit
LDTR: Segment Selector (16 bits, visible) | 32-bit Linear Base Address | 16-bit Table Limit (hidden)

2) Local Descriptor Table (LDT):
• Defined on a task basis in a multitasking system.
• Each task normally has its own LDT, but several tasks can also share one LDT.
3) Interrupt Descriptor Table (IDT):
• It defines the interrupt and exception handling routines (through gate descriptors).
• It is the protected-mode replacement for the interrupt vector table used in 8086 systems.
• Exactly one GDT and one IDT must be defined for the 80386 to operate in protected mode.

Segment Translation – University Questions
Q1) What are the different types of descriptors? [3]
Q2) What is a TSS descriptor? [3]
Q3)

Types of Segment Descriptors
(slides: Access Rights for Segments; Expansion Direction for data and stack segments; Code Segment Descriptor; Access Right Byte Configuration)
• Non-system descriptor: S = 1
• System descriptor: S = 0

System descriptor types (S = 0)
Type  Defines                  Type  Defines
0     Reserved by Intel        8     Reserved by Intel
1     Available 80286 TSS      9     Available 80386 TSS
2     LDT                      A     Undefined (reserved)
3     Busy 80286 TSS           B     Busy 80386 TSS
4     80286 Call Gate          C     80386 Call Gate
5     Task Gate                D     Undefined (reserved)
6     80286 Interrupt Gate     E     80386 Interrupt Gate
7     80286 Trap Gate          F     80386 Trap Gate

System Segment Descriptor
• LDT Descriptors (S = 0, Type = 2):
• LDT descriptors are present only in the Global Descriptor Table (GDT).
• They contain the information (base address and limit) about a local descriptor table.
• The local descriptor table contains the segment descriptors which are unique to a particular task.
• The DPL field of an LDT descriptor is not used for access checks, because an LDT can only be loaded (LLDT) by code running at privilege level 0.

System Segment Descriptor
• TSS Descriptor (S = 0, Type = 1, 3, 9, B):
• In a multitasking environment the computer performs more than one task at a time and switches between the tasks.
• A task can be a single program, or it can be a group of related programs.
• When it switches from task 1 to task 2, it stores all the information necessary to restart task 1.
• This involves saving the contents of all the processor registers as well as any read/write memory variables and the address of the next instruction to be executed. This information is called the state, or context, of the task.
• The 80386 uses a special segment called the task state segment (TSS) to store the state/context of the task.
• This segment is addressed with the help of a task state segment (TSS) descriptor. The TSS descriptor contains information about the location, size, and privilege level of a TSS. Types 1 and 3 describe 80286 TSSs, types 9 and B describe 80386 TSSs; the odd value (3, B) marks the TSS as busy, i.e. its task is running or waiting in a nested task chain.

System Segment Descriptor
• Gate Descriptors (S = 0, TYPE = 4–7, C, E, F):
• A gate is a special kind of descriptor that provides an indirect, protected entry point into code, usually at a different privilege level. When a gate is used, the 80386 automatically performs the protection checks. There are the following types of gate descriptors:
• Call gates:
– Used to change privilege levels (for example to enter operating system code from an application through a fixed entry point).
• Task gates:
– Used to perform a task switch.
• Interrupt and trap gates:
– Both are used to specify interrupt service routines (in the IDT).

PAGING
• A memory-management scheme that permits the physical address space of a process to be non-contiguous.
• Physical memory is broken into fixed-sized blocks called FRAMES, and linear (logical) memory is broken into blocks of the same size called PAGES (4 KB on the 80386).
• Every linear address generated by the CPU is divided into two parts: page number and page offset. On the 80386 the page number is itself split into a page directory index and a page table index.
• Paging translates a linear address to a physical address.

Physical address space with paging – supporting data structures
• PDBR (Page Directory Base Register, i.e. CR3)
• PDE (page directory entry)
• Page directory table
• PTE (page table entry)
• Page table
• Page frame

Page Directory Entry
Bits 31–12 : Page Table base address (page frame address of the table)
Bits 11–9  : Avail (available for the system programmer)
Bits 8–6   : 0 (reserved)
Bit 5      : A – Accessed
Bit 4      : PCD – Page Cache Disable
Bit 3      : PWT – Page Write-Through
Bit 2      : U/S – User / Supervisor page
Bit 1      : R/W – Read/Write (writable)
Bit 0      : P – Present
• Accessed bit: set by the processor whenever the entry is used for a translation; it is never cleared by the hardware and must be reset manually by the operating system (this is how a demand-paging OS finds little-used pages).
• User/Supervisor bit: if set, the pages covered by this entry are accessible to all privilege levels (user and supervisor); if clear, only to PL 0, 1, 2.
• Read/Write bit: if U/S is clear, R/W has no effect, because on the 80386 supervisor code can always write (the CR0.WP bit that changes this only appeared with the 80486). If U/S is set and R/W is clear, the pages covered by this entry are write-protected for PL3 code; if R/W is set, write access is allowed from PL3 code.

U/S  R/W  Permitted access at PL3  Permitted access at PL 0,1,2
0    0    None                     Read/Write
0    1    None                     Read/Write
1    0    Read-only                Read/Write
1    1    Read/Write               Read/Write

Page Table Entry
Same layout as the PDE, except:
Bits 31–12 : Page Frame address (physical address of the 4 KB page)
Bit 6      : D – Dirty (set by the processor on a write to the page; 0 in a PDE)

Paging – two-level translation
Linear address: Directory (10 bits, 31–22) | Table (10 bits, 21–12) | Offset (12 bits, 11–0)
• PDBR (CR3) points to the Page Directory; the Directory field selects a PDE, which gives the base of a Page Table.
• The Table field selects a PTE, which gives the base of the 4 KB page frame.
• The Offset is added to the page frame base to form the physical address.

Translation Lookaside Buffer or page translation cache:
• The 80386DX paging mechanism is designed to support demand-paged virtual memory systems.
• Performance would degrade substantially if the processor were required to access two levels of tables (page directory and page table) for every memory access.
• To solve this problem, the 80386DX stores the most recently used page table entries in an on-chip cache, the translation lookaside buffer (TLB). The hardware does not keep the TLB coherent with the tables in memory: after the operating system changes a PDE or PTE it must flush the TLB, which on the 80386 is done by reloading CR3.
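The two-level page walk and the PDE/PTE checks described in the paging slides above, as an added worked example in C. This is illustration code written for this page, not code from the lecture notes or from Intel; the "physical memory" array, the CR3 value and the page directory and page table contents built by `demo_build_tables()` are constructed for the demo. It splits the linear address into the 10/10/12-bit fields, reads the PDE and PTE, applies the U/S and R/W table (with the 80386 rule that supervisor code is never stopped by R/W), sets the Accessed and Dirty bits the way the processor does, and reports a not-present page or a protection violation instead of a physical address. The TLB is not modelled, so every access walks the tables.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Added example, not code from the lecture notes: a software model of the
 * 80386 two-level page walk. Physical memory is a small array; CR3 and the
 * directory/table contents are constructed by demo_build_tables(). Supervisor
 * writes to read-only user pages succeed, as on the 80386 (CR0.WP came with
 * the 80486). The TLB is not modelled. */

#define PG_P     (1u << 0)   /* Present */
#define PG_RW    (1u << 1)   /* Read/Write (0 = read-only for PL3) */
#define PG_US    (1u << 2)   /* User/Supervisor (1 = PL3 may access) */
#define PG_PWT   (1u << 3)   /* Page Write-Through */
#define PG_PCD   (1u << 4)   /* Page Cache Disable */
#define PG_A     (1u << 5)   /* Accessed: set by the CPU, cleared by software */
#define PG_D     (1u << 6)   /* Dirty: PTE only, set by the CPU on a write */
#define PG_FRAME 0xFFFFF000u /* bits 31-12: frame / table address */

#define PAGE_SIZE  4096u
#define PHYS_PAGES 8u
static uint8_t phys_mem[PHYS_PAGES * PAGE_SIZE];   /* simulated physical memory (constructed) */

static uint32_t rd32(uint32_t paddr) { uint32_t v; memcpy(&v, phys_mem + paddr, 4); return v; }
static void     wr32(uint32_t paddr, uint32_t v) { memcpy(phys_mem + paddr, &v, 4); }

typedef enum { PG_OK = 0, PG_NOT_PRESENT, PG_PROTECTION } pg_result_t;

/* Protection check for one PDE or PTE, following the U/S - R/W table of the 80386. */
static bool entry_allows(uint32_t e, bool user, bool write)
{
    if (!user) return true;                 /* PL 0-2: always Read/Write on the 80386 */
    if (!(e & PG_US)) return false;         /* supervisor page: no PL3 access at all */
    return !write || (e & PG_RW) != 0;      /* user page: writable only if R/W = 1 */
}

/* Walk: linear -> PDE -> PTE -> physical. Sets A (and D on a write) like the hardware.
 * Both levels must permit the access; the most restrictive entry wins. */
pg_result_t page_walk(uint32_t cr3, uint32_t linear, bool user, bool write, uint32_t *paddr)
{
    uint32_t dir_idx = linear >> 22;                 /* bits 31-22: Directory */
    uint32_t tbl_idx = (linear >> 12) & 0x3FFu;      /* bits 21-12: Table     */
    uint32_t offset  = linear & 0xFFFu;              /* bits 11-0:  Offset    */

    uint32_t pde_addr = (cr3 & PG_FRAME) + dir_idx * 4u;
    uint32_t pde = rd32(pde_addr);
    if (!(pde & PG_P)) return PG_NOT_PRESENT;        /* page fault; a real CPU puts `linear` in CR2 */
    if (!entry_allows(pde, user, write)) return PG_PROTECTION;

    uint32_t pte_addr = (pde & PG_FRAME) + tbl_idx * 4u;
    uint32_t pte = rd32(pte_addr);
    if (!(pte & PG_P)) return PG_NOT_PRESENT;
    if (!entry_allows(pte, user, write)) return PG_PROTECTION;

    wr32(pde_addr, pde | PG_A);
    wr32(pte_addr, pte | PG_A | (write ? PG_D : 0u));
    *paddr = (pte & PG_FRAME) | offset;
    return PG_OK;
}

/* Demo mapping (constructed): page directory at physical 0x0000, one page table at
 * 0x1000 covering linear 0x00400000-0x00403FFF (Directory index 1). Returns CR3. */
uint32_t demo_build_tables(void)
{
    memset(phys_mem, 0, sizeof phys_mem);
    uint32_t cr3 = 0x0000u;
    wr32(cr3 + 1u * 4u, 0x1000u | PG_US | PG_RW | PG_P);        /* PDE[1] -> page table, user R/W */
    wr32(0x1000u + 0u * 4u, 0x2000u | PG_US | PG_RW | PG_P);    /* page 0: user read/write */
    wr32(0x1000u + 1u * 4u, 0x3000u | PG_US | PG_P);            /* page 1: user read-only  */
    wr32(0x1000u + 2u * 4u, 0x4000u | PG_RW | PG_P);            /* page 2: supervisor only */
    /* page 3 is left not present; every other directory slot is not present */
    return cr3;
}

/* Read back a PTE so the A/D bits updated by the walk can be inspected. */
uint32_t demo_read_pte(uint32_t cr3, uint32_t linear)
{
    uint32_t pde = rd32((cr3 & PG_FRAME) + (linear >> 22) * 4u);
    return rd32((pde & PG_FRAME) + ((linear >> 12) & 0x3FFu) * 4u);
}
```

With the demo tables, a PL3 write to linear 0x00400123 lands at physical 0x2123 and leaves the PTE with A and D set; a PL3 write to the read-only page at 0x00401000 is refused, while the same write from PL0 succeeds (no WP on the 80386); a PL3 read of the supervisor page at 0x00402000 is refused; 0x00403000 and 0x00800000 are not present at the PTE and PDE level respectively.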