Segmented Memory Protection

Segmented memory protection is one of the ways memory protection is implemented in x86 architecture processors. It can be used in protected mode on processors starting with the Intel 80286 and compatibles.

When a flat memory model is used (as in many modern operating systems), each segment describes the entire virtual memory. In this model, memory protection is additionally implemented by paging. [1]

Definitions

There are four segment privilege levels (PL), numbered 0-3. Privilege increases as the number decreases (that is, level zero is the most privileged). Levels 0-2 correspond to the supervisor, level 3 to the user. Privileged instructions are allowed at level zero.

The Descriptor Privilege Level (DPL) of a segment is the value of the DPL field in its segment descriptor.

The Current Privilege Level (CPL) is the privilege level of the code segment whose selector is loaded into the CS register (that is, the privilege level of the running code segment).

The Requested Privilege Level (RPL) is held in the two low-order bits of the selector (set by the program).

Conditions and principle of protection

When a selector is loaded into a segment register and when memory is accessed, the segment protection conditions are checked; if they are not met, the #GP exception handler is called.

The protection conditions are as follows:

  • An access cannot go beyond the segment boundary given by the limit [2];
  • Selectors pointing to system segments (those with bit S = 0) cannot be loaded into the segment registers ES, CS, SS, DS, FS, GS;
  • Only selectors of segments for which DPL >= max(CPL, RPL) can be loaded into ES, DS, FS, GS;
  • Only selectors of data segments or of execute/read code segments can be loaded into ES, DS, FS, GS;
  • A data segment selector cannot be loaded into the CS register;
  • A code segment selector can be loaded into the CS register only if CPL = DPL;
  • Only a selector of a read/write data segment with DPL = CPL can be loaded into the SS register;
  • A code segment cannot be written to;
  • A read-only data segment cannot be written to;
  • Only LDT and TSS segment selectors can be loaded into the LDTR and TR system registers, respectively.
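The segment-register load rules above can be expressed as a single check. This is an added example, not code from the original article; `seg_desc`, `load_allowed`, the sample descriptors and the selector values are constructed for illustration, and the function models only the rules listed above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified descriptor: only the fields the rules above refer to. */
typedef struct {
    bool    s;     /* S bit: 0 = system segment, 1 = code or data segment */
    bool    code;  /* true = code segment, false = data segment */
    bool    rw;    /* data: writable; code: readable */
    uint8_t dpl;   /* descriptor privilege level, 0..3 */
} seg_desc;

typedef enum { REG_CS, REG_SS, REG_DATA /* ES, DS, FS, GS */ } seg_reg;

/* Constructed sample descriptors (not taken from any real GDT). */
const seg_desc KERNEL_DATA = { true,  false, true,  0 };
const seg_desc USER_DATA   = { true,  false, true,  3 };
const seg_desc USER_RODATA = { true,  false, false, 3 };
const seg_desc EXEC_ONLY   = { true,  true,  false, 3 };
const seg_desc LDT_SYSTEM  = { false, false, false, 0 };

/* true = load permitted; false = the processor would raise #GP. */
bool load_allowed(seg_reg reg, uint16_t selector, const seg_desc *d, uint8_t cpl)
{
    uint8_t rpl = selector & 3;          /* RPL: two low bits of the selector */
    uint8_t eff = cpl > rpl ? cpl : rpl; /* max(CPL, RPL): the weaker level */

    if (!d->s)
        return false;                    /* system segment (S = 0) */
    switch (reg) {
    case REG_CS:                         /* code segment with DPL = CPL */
        return d->code && d->dpl == cpl;
    case REG_SS:                         /* read/write data with DPL = CPL */
        return !d->code && d->rw && d->dpl == cpl;
    case REG_DATA:                       /* data, or execute/read code */
        if (d->code && !d->rw)
            return false;                /* execute-only code */
        return d->dpl >= eff;
    }
    return false;
}

int main(void)
{
    /* Ring 0 code given a selector with RPL = 3 cannot load ring-0 data. */
    printf("%d %d\n", load_allowed(REG_DATA, 0x10, &KERNEL_DATA, 0),
                      load_allowed(REG_DATA, 0x13, &KERNEL_DATA, 0));
    return 0;
}
```

The second call shows why RPL matters: privileged code that uses a selector supplied by a less privileged caller is checked at the caller's level, not its own.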

Interaction of privilege levels

The four levels interact with each other through gates. The gate descriptor, like the segment descriptor, has a PL field. Access to a gate is subject to the rules above, but additional rules impose natural restrictions on the code segment / TSS specified in the gate:

  • The DPL of the called segment must not be numerically larger than the CPL;
  • The DPL of the gate must not be numerically smaller than the DPL of the segment it points to;
  • Only a code segment, or a TSS if it is a task gate, may be specified in the gate.

If a gate is used to reach a non-conforming segment with the same privilege level, or a conforming code segment with the same or a numerically lower privilege level, a simple transfer occurs:

  Push flags            ; for interrupt and trap gates only
  Push cs
  Push ip
  Jmp FAR Gate_Address

Stack switching

If control is transferred to a non-conforming code segment with a numerically lower privilege level, the stack is switched to avoid overflowing it at the upper (numerically lower) levels. For example, if a stack error occurs at level zero, the processor stops.

The TSS segment contains three far stack addresses, one for each of privilege levels 0-2.

When moving from higher to lower levels through gates, privileges change and, accordingly, stacks are switched. [3]

The switching algorithm looks a bit more complicated:

  • New values of SS and (E)SP are loaded from the corresponding TSS fields;
  • The previous SS and (E)SP values (from before the call) are saved on the new stack;
  • If the gate is a call gate, WC words / double words are copied from the stack of the calling program to the new stack;
  • If it is an interrupt or trap gate, the (E)Flags value is saved;
  • The current CS:(E)IP value is saved;
  • The new far address specified in the corresponding fields of the gate descriptor is loaded into the CS:(E)IP registers.

When the RetF / IRet instruction is executed:

  • The processor fetches the far return address (and the flags register) from the stack;
  • If the RetF instruction has a parameter, (E)SP is increased by its value (removing the parameters passed to the procedure from the stack);
  • The RPL of the CS selector is analyzed [4]: if it is numerically larger than the CPL, the far address of the previous top of the stack is popped from the stack and loaded into SS:(E)SP. This returns execution to the old stack.
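The call-gate stack switch and the matching RetF, simulated as an added example (not code from the original article). The types, the toy memory in which (E)SP is a slot index, the `dpl` field standing for the target segment's DPL, and all values in `demo` are constructed assumptions; interrupt and trap gates are not modelled, and the final adjustment of the caller's (E)SP is processor behaviour not listed above.

```c
#include <stdint.h>
typedef struct { uint16_t ss; uint32_t esp; } far_sp;
typedef struct { far_sp stack[3]; } tss_t;        /* stacks for levels 0-2 */
typedef struct { uint16_t cs, ss; uint32_t eip, esp; } cpu_t;
typedef struct { uint16_t cs; uint32_t eip; uint8_t wc, dpl; } gate_t;
uint32_t mem[256];   /* toy memory: one slot per stack entry, esp is an index */
static void push(cpu_t *c, uint32_t v) { mem[--c->esp] = v; }
static uint32_t pop(cpu_t *c) { return mem[c->esp++]; }

void gate_call(cpu_t *c, const tss_t *t, const gate_t *g)
{
    uint16_t old_cs = c->cs, old_ss = c->ss;
    uint32_t old_eip = c->eip, old_esp = c->esp;
    if (g->dpl < (old_cs & 3)) {              /* target is more privileged */
        c->ss  = t->stack[g->dpl].ss;         /* new SS:(E)SP from the TSS */
        c->esp = t->stack[g->dpl].esp;
        push(c, old_ss); push(c, old_esp);    /* caller's SS:(E)SP */
        for (int i = g->wc; i > 0; i--)       /* copy WC parameters */
            push(c, mem[old_esp + i - 1]);
    }
    push(c, old_cs); push(c, old_eip);        /* return address CS:(E)IP */
    c->cs  = (uint16_t)((g->cs & ~3u) | g->dpl);
    c->eip = g->eip;
}

void far_ret(cpu_t *c, uint32_t n)            /* RetF n */
{
    uint32_t eip = pop(c);
    uint16_t cs  = (uint16_t)pop(c);
    c->esp += n;                              /* drop the copied parameters */
    if ((cs & 3) > (c->cs & 3)) {             /* RPL of return CS > CPL */
        uint32_t esp = pop(c);
        c->ss  = (uint16_t)pop(c);
        c->esp = esp + n;     /* caller's own copies are released as well */
    }
    c->cs = cs; c->eip = eip;
}

/* Constructed scenario: ring-3 caller with two parameters enters ring 0. */
cpu_t demo(int do_ret)
{
    cpu_t  c = { 0x1B, 0x23, 0x1000, 198 };
    tss_t  t = { { { 0x10, 100 }, { 0, 0 }, { 0, 0 } } };
    gate_t g = { 0x08, 0x5000, 2, 0 };
    mem[198] = 0xAAAA; mem[199] = 0xBBBB;
    gate_call(&c, &t, &g);
    if (do_ret) far_ret(&c, 2);
    return c;
}
int main(void) { return demo(1).esp == 200 ? 0 : 1; }
```

After `demo(0)` the ring-0 stack holds, from the top: return (E)IP, return CS, the two copied parameters, the caller's (E)SP and the caller's SS.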

Notes

  1. ↑ The Unabridged Pentium 4 IA32 Processor Genealogy, Addison Wesley, 2004, ISBN 0-321-24656-X, Chapter 13, The Flat Model: "It should be noted that virtually all modern OSs utilize the Flat Model.", "There is no way to disable the IA32 processor's segmentation logic. However, if all segments are described (in the GDT) as read/writable, starting at location 00000000h and as 4GB in length, segmentation is effectively eliminated.", "If segmentation is eliminated and Paging is used, the Paging Unit can provide complete protection, ... the following checks on each memory access attempt"
  2. ↑ There are two kinds of segments: growing up and growing down. The valid range of segment addresses for growing-up segments is from zero to the limit inclusive. For growing-down segments it is from the limit (inclusive) to $FFFFF at G = 0 or to $FFFFFFFF at G = 1.
  3. ↑ Whenever there is a transition from a higher to a lower level, the stack of the lower level is reinitialized.
  4. ↑ The RPL loaded in CS is always equal to the CPL.

See also

  • Segmented memory addressing
  • Segment descriptor

Links

  • Intel® 64 and IA-32 Architectures Software Developer's Manuals
  • http://pdos.csail.mit.edu/6.828/2005/readings/i386/s06_03.htm
Source - https://ru.wikipedia.org/w/index.php?title=Memory_segment_protection_old&oldid=74067437