
Tutorial 9: Paging, Call Gates, Protection

Paging (cont.)

[Figure: address translation. A logical address (far pointer) consists of a segment selector and an offset. Segmentation: the selector indexes a segment descriptor in the GDT, whose segment base address is added to the offset to form the linear address, split into Dir, Table and Offset fields. Paging: the Dir field indexes the page directory (entry -> page table), the Table field indexes that page table (entry -> page), and the Offset selects the byte within the page, giving the physical address.]
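A software model of the Dir -> Table -> Offset walk shown in the figure, including the Present, R/W and U/S checks that decide between a translation and a page fault. This is an added example with constructed page tables, not code from the lecture; it assumes 32-bit paging without PSE and a toy 64 KiB physical memory.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Entry bits shared by page-directory and page-table entries (32-bit paging, no PSE). */
#define PG_P  (1u << 0)   /* Present */
#define PG_RW (1u << 1)   /* Read/Write: 0 = read-only */
#define PG_US (1u << 2)   /* User/Supervisor: 0 = supervisor only */
/* Constructed toy physical memory: 16 frames of 4 KiB, viewed as 32-bit words. */
static uint32_t phys_mem[16 * 1024];
/* fault: 0 = translated, 1 = not present, 2 = supervisor page from user mode, 3 = write to read-only page */
typedef struct { uint32_t phys; int fault; } walk_result;

/* Walk Dir -> Table -> Offset from CR3 for one linear address.
 * user = access from CPL 3, write = store, wp = CR0.WP (supervisor honours read-only pages). */
walk_result translate(uint32_t cr3, uint32_t lin, bool user, bool write, bool wp)
{
    walk_result r = { 0, 0 };
    uint32_t dir = lin >> 22, tbl = (lin >> 12) & 0x3FF, off = lin & 0xFFF;
    uint32_t pde = phys_mem[((cr3 & ~0xFFFu) >> 2) + dir];      /* page-directory entry */
    if (!(pde & PG_P)) { r.fault = 1; return r; }
    uint32_t pte = phys_mem[((pde & ~0xFFFu) >> 2) + tbl];      /* page-table entry */
    if (!(pte & PG_P)) { r.fault = 1; return r; }
    uint32_t rights = pde & pte;                                 /* effective rights: AND of both levels */
    if (user && !(rights & PG_US)) { r.fault = 2; return r; }
    if (write && !(rights & PG_RW) && (user || wp)) { r.fault = 3; return r; }
    r.phys = (pte & ~0xFFFu) | off;
    return r;
}

/* Constructed mapping: page directory in frame 1, page table in frame 2; linear 0x00400000 -> frame 3
 * (user RW), 0x00401000 -> frame 4 (user read-only), 0x00402000 -> frame 5 (supervisor). Returns CR3. */
uint32_t build_tables(void)
{
    uint32_t cr3 = 1u * 4096, pt = 2u * 4096;
    memset(phys_mem, 0, sizeof phys_mem);
    phys_mem[(cr3 >> 2) + 1] = pt | PG_P | PG_RW | PG_US;         /* PDE 1 covers 0x00400000-0x007FFFFF */
    phys_mem[(pt >> 2) + 0] = 3u * 4096 | PG_P | PG_RW | PG_US;
    phys_mem[(pt >> 2) + 1] = 4u * 4096 | PG_P | PG_US;
    phys_mem[(pt >> 2) + 2] = 5u * 4096 | PG_P | PG_RW;
    return cr3;
}
int main(void)
{
    uint32_t cr3 = build_tables();
    walk_result r = translate(cr3, 0x00400ABCu, true, true, false);   /* user store: 0x3ABC, no fault */
    printf("phys 0x%08X fault %d\n", r.phys, r.fault);
    return 0;
}
```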

System Memory Map for Windows NT

0xFFFFFFFF - 0xFFDFF000  Processor Control    Processor Control Region
0xFFDFEFFF - 0xFB000000  Non Paged System     System Drivers, Kernel Thread Stacks, NonPageable Pool, Pageframe Database
0xE57FFFFF - 0xE1000000  Paged Pool           Pageable Pool
0xD8FFFFFF - 0xC1000000  System Cache         Windows NT Cache Manager Mapping Area
0xC0FFFFFF - 0xC0000000  System Tables        Page Directory and Page Tables
0xBFFFFFFF - 0xA0000000  System View Space    Win32 GDI Object Table, Win32 USER Object Table
0x9FFFFFFF - 0x80000000  System Code          Boot Drivers, NT OS Kernel, HAL, TSS, GDT, IDT

Windows NT Page Tables

[Figure: each process has its own CR3, which points to that process's page directory; the page-directory entries point to page tables, whose entries point to 4K pages in physical memory. Process 1 and Process 2 have separate CR3 values, page directories and page tables; a system page table maps the system part of the address space.]

Translation Lookaside Buffers (TLBs)

• The processor stores the most recently used page-directory and page-table entries in on-chip caches called TLBs.

• The P6 family and Pentium processors have separate TLBs for the data and instruction caches.

• The TLB translates the linear address to the physical address for every memory load and store.

• Lookups are made in a cache array for the physical address of the page being accessed.

• The TLB caches page attributes along with the physical address, and uses this information to check for page-protection faults and other paging-related exceptions.

Invalidating the TLBs

• INVLPG instruction – invalidates the TLB entry for a specific page (is not affected by the state of the G flag in the PDE or PTE).

• The following operations invalidate all TLB entries except global entries:
▫ Writing into control register CR3.
▫ A task switch that changes control register CR3.

Protection

• Designed to provide a mechanism protecting code and data from being corrupted by user applications.

• Elements:
▫ Segmentation
▫ Paging
▫ Privilege levels
▫ Privileged instructions

Protected Mode Bits in Control Registers

CR4: bit 10 OSXMMEXCPT, bit 9 OSFXSR, bit 8 PCE, bit 7 PGE, bit 6 MCE, bit 5 PAE, bit 4 PSE, bit 3 DE, bit 2 TSD, bit 1 PVI, bit 0 VME; bits 31:11 reserved (set to 0).

CR3: bits 31:12 Page-Directory Base, bit 4 PCD, bit 3 PWT.

CR2: bits 31:0 Page-Fault Linear Address.

CR1: reserved, no fields defined.

CR0: bit 31 PG, bit 30 CD, bit 29 NW, bit 18 AM, bit 16 WP, bit 5 NE, bit 4 ET, bit 3 TS, bit 2 EM, bit 1 MP, bit 0 PE.

Switching to Protected Mode

• Real Mode

• Set CR0.PE=1
▫ Protected 16-bit mode

• Set CR0.PG=1
▫ Protected Mode with Paging

Protection Checks

• Loading a Segment Register
▫ Privilege level checks
▫ Segment type checks

• Memory Accesses
▫ Segment-level protection
▫ Page-level protection

• Instruction Execution
▫ Restriction of the instruction set

• Transfer of Execution Control
▫ When transferring control between code segments
▫ Type checks (far CALL and JMP)
▫ Limit checks

• All protection violations result in an exception being generated.

Privilege Levels

• Lower number => higher privilege
• Code can access data of equal/lower privilege levels only
• Code can call more privileged code via "call gates"
• Each level has its own stack!
• Some instructions and I/O operations are restricted to certain privilege levels

Protection Rings (also referred to as "Rings"):
Level 0 – Operating System Kernel
Level 1 – Operating System Services
Level 2 – Operating System Services
Level 3 – Applications

Privilege Level Flags

CPL – Current Privilege Level
▫ Privilege level of the currently executing program or task
▫ Stored in bits 0 and 1 of the CS and SS segment registers

DPL – Descriptor Privilege Level
▫ Privilege level of a segment or gate
▫ Stored in the DPL field of the segment or gate descriptor

RPL – Requested Privilege Level
▫ Override privilege level that is assigned to segment selectors
▫ Stored in bits 0 and 1 of the segment selector
▫ Used by the OS to protect against user Trojan Horses – user code calls OS code and passes a pointer to a privileged data area

Call Gate

Call-gate descriptor (two 32-bit words):
High dword: bits 31:16 Offset in Segment 31:16; bit 15 P; bits 14:13 DPL; bit 12 = 0; bits 11:8 Type = 1100 (32-bit call gate); bits 7:5 = 000; bits 4:0 Param. Count.
Low dword: bits 31:16 Segment Selector; bits 15:0 Offset in Segment 15:00.

• Call Gate specifies
▫ The code segment to be accessed
▫ An entry point for a procedure in the specified code segment
▫ The privilege level required for a caller trying to access the procedure
▫ If a stack switch occurs, the number of optional parameters to be copied between stacks
▫ The size of values to be pushed onto the target stack: 16-bit or 32-bit
▫ Whether the call-gate descriptor is valid

Accessing a Code Segment Through a Call Gate

[Figure: the far pointer to the call gate consists of a segment selector and an offset (the offset is required but not used by the processor). The selector indexes the call-gate descriptor in the descriptor table; the call-gate descriptor supplies the segment selector of the code-segment descriptor and the offset of the entry point. The base from the code-segment descriptor plus that offset gives the procedure entry point.]

Privilege Check Rules for Call Gate

• Call-gate check: CPL (from the CS register) and RPL (from the call-gate selector) against the call gate (descriptor) DPL:
▫ max{CPL, RPL} <= call gate DPL

• Destination code segment descriptor DPL:
▫ Nonconforming code segment: DPL <= CPL for CALL; DPL = CPL for JMP
▫ Conforming code segment: DPL <= CPL

Examples of Accessing Call Gates

[Figure: code segments at privilege levels 3, 2 and 1 transferring control through call gates towards privilege level 0 (highest privilege).
Code Segment A: CPL = 3, gate selector RPL = 3, calls Gate A (DPL = 3).
Code Segment B: CPL = 2, gate selector RPL = 2, calls Gate B (DPL = 2).
Code Segment C: CPL = 1, gate selector RPL = 1.
Code Segment D: DPL = 0, conforming – no stack switch occurs.
Code Segment E: DPL = 0, nonconforming – stack switch occurs.]
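The descriptor layout, the privilege-check rules and the gate examples above, carried through in code: an added example (not lecture code) that decodes a constructed 32-bit call-gate descriptor and applies the max{CPL, RPL} <= gate DPL and destination-DPL rules, reporting whether a stack switch would occur. Descriptor values, selectors and offsets are constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Decoded fields of a 32-bit call-gate descriptor. */
typedef struct {
    uint16_t selector;              /* target code-segment selector */
    uint32_t offset;                /* entry point within the target segment */
    unsigned present, dpl, type, param_count;
} call_gate;

typedef enum { GATE_OK, GATE_NOT_PRESENT, GATE_BAD_TYPE, GATE_PRIV_FAIL, TARGET_PRIV_FAIL } gate_status;
typedef struct { gate_status status; bool stack_switch; } transfer;

/* Decode the low and high dwords of the 8-byte descriptor laid out in the Call Gate slide. */
call_gate decode_gate(uint32_t lo, uint32_t hi)
{
    call_gate g;
    g.offset = (hi & 0xFFFF0000u) | (lo & 0xFFFFu);   /* Offset 31:16 in hi, 15:0 in lo */
    g.selector = (uint16_t)(lo >> 16);
    g.present = (hi >> 15) & 1;
    g.dpl = (hi >> 13) & 3;
    g.type = (hi >> 8) & 0xF;                          /* 0xC = 32-bit call gate */
    g.param_count = hi & 0x1F;                         /* dwords copied on a stack switch */
    return g;
}

/* Privilege checks for a far CALL/JMP through gate g: caller CPL, selector RPL, destination
 * code-segment DPL and conforming flag. stack_switch is set when a CALL lands in a more
 * privileged nonconforming segment (each level has its own stack). */
transfer check_gate(call_gate g, unsigned cpl, unsigned rpl,
                    unsigned dest_dpl, bool dest_conforming, bool is_jmp)
{
    transfer t = { GATE_OK, false };
    unsigned eff = cpl > rpl ? cpl : rpl;             /* max{CPL, RPL} */
    if (!g.present)            t.status = GATE_NOT_PRESENT;
    else if (g.type != 0xC)    t.status = GATE_BAD_TYPE;
    else if (eff > g.dpl)      t.status = GATE_PRIV_FAIL;    /* max{CPL, RPL} <= gate DPL */
    else if (dest_dpl > cpl)   t.status = TARGET_PRIV_FAIL;  /* destination must satisfy DPL <= CPL */
    else if (!dest_conforming && is_jmp && dest_dpl != cpl)
                               t.status = TARGET_PRIV_FAIL;  /* JMP to nonconforming needs DPL == CPL */
    else if (!dest_conforming) t.stack_switch = dest_dpl < cpl;
    return t;
}

int main(void)
{
    call_gate gate_a = decode_gate(0x0008A000u, 0x0040EC04u);      /* constructed: DPL 3, 4 params */
    transfer t = check_gate(gate_a, 3, 3, 0, true, false);         /* Code Segment A -> conforming D */
    printf("status %d, stack switch %d\n", t.status, t.stack_switch);
    return 0;
}
```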