Privilege levels 80386
Transcript of the slide deck "Privilege levels_80386"
![Page 1: Privilege levels 80386](https://reader034.vdocuments.mx/reader034/viewer/2022052117/54be698e4a7959c9398b4574/html5/thumbnails/1.jpg)
Privilege Levels
![Page 2: Privilege levels 80386](https://reader034.vdocuments.mx/reader034/viewer/2022052117/54be698e4a7959c9398b4574/html5/thumbnails/2.jpg)
Computer system security measures prevent:
- Users from interfering with one another
- Users from examining secure data
- Program bugs from damaging other programs
- Program bugs from damaging data
- Malicious attempts to compromise system integrity
- Accidental damage to data
![Page 3: Privilege levels 80386](https://reader034.vdocuments.mx/reader034/viewer/2022052117/54be698e4a7959c9398b4574/html5/thumbnails/3.jpg)
Privilege protection
The 80386 protection mechanism consists of:
- Memory management
- Privilege protection
Four privilege levels: PL0 (highest), PL1, PL2, PL3 (lowest).
A numerically smaller PL means a higher privilege.
![Page 4: Privilege levels 80386](https://reader034.vdocuments.mx/reader034/viewer/2022052117/54be698e4a7959c9398b4574/html5/thumbnails/4.jpg)
When running in protected mode, the 80386 continually checks that the application is privileged enough to:
- Execute certain instructions.
- Reference data other than its own.
- Transfer control to code other than its own.
![Page 5: Privilege levels 80386](https://reader034.vdocuments.mx/reader034/viewer/2022052117/54be698e4a7959c9398b4574/html5/thumbnails/5.jpg)
Executing privileged instructions
Privileged instructions are those that:
- Modify the interrupt flag
- Alter segmentation
- Affect the protection mechanism
Instructions that alter segmentation or the protection mechanism are allowed only if the program is running at PL0. Instructions that modify the interrupt flag (CLI, STI) are IOPL-sensitive instead: they are allowed when the program's CPL is numerically less than or equal to IOPL, the I/O privilege level field in EFLAGS.
![Page 6: Privilege levels 80386](https://reader034.vdocuments.mx/reader034/viewer/2022052117/54be698e4a7959c9398b4574/html5/thumbnails/6.jpg)
References to other data
Shared data
Programs are not allowed to read or write data items that have a higher privilege level.
![Page 7: Privilege levels 80386](https://reader034.vdocuments.mx/reader034/viewer/2022052117/54be698e4a7959c9398b4574/html5/thumbnails/7.jpg)
Transferring control to other code
Programs are not allowed to CALL or JMP directly to a code segment whose privilege level differs from their own. Crossing to a more privileged level is possible only through a call gate (or, for a conforming code segment, by entering it without raising CPL); a direct CALL or JMP to an ordinary, non-conforming code segment must match privilege levels exactly.
![Page 8: Privilege levels 80386](https://reader034.vdocuments.mx/reader034/viewer/2022052117/54be698e4a7959c9398b4574/html5/thumbnails/8.jpg)
Defining privilege levels
Privileges are assigned by segment: everything contained in a segment has the same privilege. The privilege level is defined in the segment descriptor (its DPL field). The privilege level of the code segment currently executing determines the current privilege level (CPL).
![Page 9: Privilege levels 80386](https://reader034.vdocuments.mx/reader034/viewer/2022052117/54be698e4a7959c9398b4574/html5/thumbnails/9.jpg)
A numerically smaller PL means a higher privilege level.
Privileged instructions
19 instructions
Privileged instructions are those that:
- affect the segmentation and protection mechanism: allowed only when CPL = 0;
- alter the interrupt flag or perform peripheral I/O: allowed when CPL <= IOPL (numerically).
![Page 10: Privilege levels 80386](https://reader034.vdocuments.mx/reader034/viewer/2022052117/54be698e4a7959c9398b4574/html5/thumbnails/10.jpg)
Privileged instructions
- HLT (halts the processor)
- CLTS (clears the task-switched flag)
- LGDT, LIDT, LLDT (load the GDT, IDT and LDT registers)
- LTR (load task register)
- LMSW (load machine status word)
- MOV CRn, ... (moves to control registers)
- MOV DRn, ... (moves to debug registers)
- MOV TRn, ... (moves to test registers)
![Page 11: Privilege levels 80386](https://reader034.vdocuments.mx/reader034/viewer/2022052117/54be698e4a7959c9398b4574/html5/thumbnails/11.jpg)
IOPL-sensitive instructions
- CLI: disables interrupts
- STI: enables interrupts
- IN: inputs data from an I/O port
- OUT: outputs data to an I/O port
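The check behind the two slides above, carried through in code. This is an added example and not code from the slides: it models the decision the 80386 makes before executing an IOPL-sensitive instruction. CLI and STI depend only on CPL versus the IOPL field of EFLAGS; IN and OUT additionally consult the I/O permission bit map in the 32-bit TSS, which lets a task with CPL > IOPL touch individual ports the operating system has opened for it. The EFLAGS IOPL bits (13:12) and the TSS I/O map base field (offset 0x66) are the real 80386 layouts; the TSS image built by `make_demo_tss()`, the port choices and all function names are constructed for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides: the decision the 80386 makes before it
 * executes an IOPL-sensitive instruction. The IOPL field (EFLAGS bits 13:12)
 * and the I/O map base field (offset 0x66 of the 32-bit TSS) are the real
 * 80386 layouts; the TSS image built by make_demo_tss() is constructed. */

#define EFLAGS_IOPL_SHIFT      12
#define TSS_IOMAP_BASE_OFFSET  0x66

static unsigned iopl_of(uint32_t eflags) {
    return (eflags >> EFLAGS_IOPL_SHIFT) & 3u;
}

/* CLI and STI: permitted only when CPL <= IOPL (numerically), otherwise #GP(0). */
bool cli_sti_allowed(unsigned cpl, uint32_t eflags) {
    return cpl <= iopl_of(eflags);
}

/* A 32-bit TSS image together with the limit from its TSS descriptor. */
typedef struct {
    const uint8_t *image;
    uint32_t limit;        /* highest valid byte offset inside the TSS */
} tss_t;

/* IN/OUT/INS/OUTS touching 'width' consecutive byte ports starting at 'port'.
 * CPL <= IOPL allows the access outright. Otherwise every byte port touched
 * must have a clear bit in the TSS I/O permission bit map, and that bit must
 * lie inside the TSS limit; a bit beyond the limit counts as denied. */
bool io_allowed(unsigned cpl, uint32_t eflags, const tss_t *tss,
                uint16_t port, unsigned width) {
    if (cpl <= iopl_of(eflags))
        return true;
    if (TSS_IOMAP_BASE_OFFSET + 1 > tss->limit)
        return false;                            /* no map base field at all */
    uint32_t map_base = tss->image[TSS_IOMAP_BASE_OFFSET]
                      | (uint32_t)tss->image[TSS_IOMAP_BASE_OFFSET + 1] << 8;
    for (uint32_t p = port; p < (uint32_t)port + width; p++) {
        uint32_t byte_off = map_base + p / 8;
        if (byte_off > tss->limit)
            return false;                        /* port not covered by the map */
        if (tss->image[byte_off] & (1u << (p % 8)))
            return false;                        /* bit set means access denied */
    }
    return true;
}

/* Constructed TSS: the I/O map starts at offset 0x68 and has 128 bytes, so it
 * covers ports 0..1023. Everything is denied except the keyboard controller
 * ports 0x60 and 0x64 and the COM1 UART block 0x3F8..0x3FF. */
#define DEMO_MAP_OFFSET 0x68
#define DEMO_MAP_BYTES  128
static uint8_t demo_tss_image[DEMO_MAP_OFFSET + DEMO_MAP_BYTES];

tss_t make_demo_tss(void) {
    memset(demo_tss_image, 0, sizeof demo_tss_image);
    demo_tss_image[TSS_IOMAP_BASE_OFFSET]     = DEMO_MAP_OFFSET & 0xFF;
    demo_tss_image[TSS_IOMAP_BASE_OFFSET + 1] = DEMO_MAP_OFFSET >> 8;
    uint8_t *map = demo_tss_image + DEMO_MAP_OFFSET;
    memset(map, 0xFF, DEMO_MAP_BYTES);             /* deny every port ... */
    map[0x60 / 8] &= (uint8_t)~(1u << (0x60 % 8)); /* ... then open 0x60 */
    map[0x64 / 8] &= (uint8_t)~(1u << (0x64 % 8)); /* and 0x64 */
    map[0x3F8 / 8] = 0x00;                         /* and 0x3F8..0x3FF */
    tss_t t = { demo_tss_image, sizeof demo_tss_image - 1 };
    return t;
}

int main(void) {
    tss_t t = make_demo_tss();
    uint32_t eflags_iopl0 = 0;                     /* IOPL = 0: a PL3 task gets no free pass */
    printf("CPL3 IN 0x60: %s\n", io_allowed(3, eflags_iopl0, &t, 0x60, 1) ? "ok" : "#GP");
    printf("CPL3 IN 0x61: %s\n", io_allowed(3, eflags_iopl0, &t, 0x61, 1) ? "ok" : "#GP");
    printf("CPL3 dword at 0x3FE: %s\n", io_allowed(3, eflags_iopl0, &t, 0x3FE, 4) ? "ok" : "#GP");
    printf("CPL3 CLI: %s\n", cli_sti_allowed(3, eflags_iopl0) ? "ok" : "#GP");
    return 0;
}
```

Two details worth noticing: a multi-byte access is refused if any byte port it spans is denied or falls past the TSS limit, which is why the four-byte read at 0x3FE fails even though 0x3FE and 0x3FF are open; and CLI/STI never consult the bit map, so a PL3 task with IOPL = 0 can be granted specific ports without being allowed to disable interrupts. The real processor reads the map a word at a time, which is why Intel requires a terminating byte of all ones inside the TSS limit; the model above checks bit by bit and does not need that padding.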
![Page 12: Privilege levels 80386](https://reader034.vdocuments.mx/reader034/viewer/2022052117/54be698e4a7959c9398b4574/html5/thumbnails/12.jpg)
Privileged data references
Second type of privilege checking: to load a data segment selector, the privilege of the current code segment (CPL) must be numerically less than or equal to (at least as privileged as) the DPL of the data segment descriptor. The selector's RPL is taken into account as well: the numerically larger of CPL and RPL is what gets compared against the data segment's DPL.
![Page 13: Privilege levels 80386](https://reader034.vdocuments.mx/reader034/viewer/2022052117/54be698e4a7959c9398b4574/html5/thumbnails/13.jpg)
After you have placed each descriptor in a descriptor table, you need to inform the processor where the tables are.
You can place these tables anywhere in the processor's address space, and you need not keep them together.
To allow the processor to locate the GDT, the IDT and the current LDT, you load three special-purpose registers: GDTR, IDTR and LDTR, respectively.
![Page 14: Privilege levels 80386](https://reader034.vdocuments.mx/reader034/viewer/2022052117/54be698e4a7959c9398b4574/html5/thumbnails/14.jpg)
GDTR and IDTR each contain:
- the base address of the table
- the limit of the table
LDTR is loaded with a selector that names the LDT's own descriptor in the GDT; the processor takes the LDT's base address and limit from that descriptor.
![Page 15: Privilege levels 80386](https://reader034.vdocuments.mx/reader034/viewer/2022052117/54be698e4a7959c9398b4574/html5/thumbnails/15.jpg)
Segment Selectors
Once the descriptors are defined, how does the processor make use of them?
Any 16-bit value that you write into a segment register is called a selector, because it selects a segment descriptor from a descriptor table.
Selector layout (bit 15 down to bit 0):
- bits 15..3: INDEX (13 bits)
- bit 2: TI (table indicator: 0 = GDT, 1 = LDT)
- bits 1..0: RPL (requested privilege level)
![Page 16: Privilege levels 80386](https://reader034.vdocuments.mx/reader034/viewer/2022052117/54be698e4a7959c9398b4574/html5/thumbnails/16.jpg)
80386 segment registers
The 80386 has 6 segment registers:
- One for the current code segment (CS)
- One for the current stack segment (SS)
- Four for general data segments (DS, ES, FS, GS)
Segment registers select segment descriptors:
- Thirteen bits select the descriptor
- One bit selects the descriptor table
- Two bits are used for privilege checking
![Page 17: Privilege levels 80386](https://reader034.vdocuments.mx/reader034/viewer/2022052117/54be698e4a7959c9398b4574/html5/thumbnails/17.jpg)
Loading Segment Selectors
Any given selector value selects one and only one descriptor.
When loading a segment selector, the 80386 checks that:
- The selector index is within the descriptor table limit
- The selector references the correct descriptor table
- The descriptor is of the correct type
- The selector uses the correct privilege level
![Page 18: Privilege levels 80386](https://reader034.vdocuments.mx/reader034/viewer/2022052117/54be698e4a7959c9398b4574/html5/thumbnails/18.jpg)
[Figure: the selector's INDEX field (bits 15..3), scaled by the descriptor size and added to the GDTR base, picks one descriptor (GDT 0, GDT 1, GDT 2, ...) out of the GDT; TI occupies bit 2 and RPL bits 1..0.]
![Page 19: Privilege levels 80386](https://reader034.vdocuments.mx/reader034/viewer/2022052117/54be698e4a7959c9398b4574/html5/thumbnails/19.jpg)
SEGMENTATION
Addressing
[Figure: the program's selector (INDEX, TI, RPL) is resolved through the GDTR to a descriptor (GD 0, GD 1, GD 2) in the GDT held in main memory; the program's offset is then applied within the selected segment.]
![Page 20: Privilege levels 80386](https://reader034.vdocuments.mx/reader034/viewer/2022052117/54be698e4a7959c9398b4574/html5/thumbnails/20.jpg)
Addressing
[Figure: the selected descriptor supplies the segment's Base Address, Seg Limit and Attrib fields; the offset is checked against the segment limit.]
![Page 21: Privilege levels 80386](https://reader034.vdocuments.mx/reader034/viewer/2022052117/54be698e4a7959c9398b4574/html5/thumbnails/21.jpg)
[Figure: linear address = Base Address (from the descriptor) + Offset; the Seg Limit and Attrib fields of the descriptor govern whether the access is allowed.]
![Page 22: Privilege levels 80386](https://reader034.vdocuments.mx/reader034/viewer/2022052117/54be698e4a7959c9398b4574/html5/thumbnails/22.jpg)
Local Descriptor Tables (LDTs)
LDTs act like an extension to the GDT. They are assigned to individual tasks when task switching is done. While running, any program can access descriptors from the GDT and from its LDT. The way in which the processor locates LDTs is much different, however.
![Page 23: Privilege levels 80386](https://reader034.vdocuments.mx/reader034/viewer/2022052117/54be698e4a7959c9398b4574/html5/thumbnails/23.jpg)
[Figure: the GDTR locates the GDT, which holds an LDT Descriptor among ordinary descriptors; the LDTR selects that LDT Descriptor, which in turn locates the LDT. A DS selector with TI = 1 then picks a Data Descriptor from the LDT, and ESI supplies the offset within that data segment.]
![Page 24: Privilege levels 80386](https://reader034.vdocuments.mx/reader034/viewer/2022052117/54be698e4a7959c9398b4574/html5/thumbnails/24.jpg)
Local Descriptor Table
LDTs:
- Hold segment descriptors
- May be used in addition to the global descriptor table
- Are defined by a special "system descriptor" in the GDT
- May be larger or smaller than the GDT
- May not define other LDTs
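The lookup that the addressing figures draw, the four checks listed under "Loading Segment Selectors", the data-reference rule from "Privileged data references", and the GDT-to-LDT indirection of the last three slides, carried through in one piece of code. This is an added example, not code from the slides: the selector fields, the 8-byte descriptor layout and the check order are the real 80386 ones, while the flat memory array `mem`, the table addresses (GDT at 0x1000, an LDT at 0x2000), the segment bases, the selector values and every function name are constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Added example, not from the slides: a selector finding its descriptor in the
 * GDT or in the current LDT, the checks the 80386 applies when that selector is
 * loaded into a data segment register (DS, ES, FS, GS), and the linear address
 * the segment then yields. Selector fields and the 8-byte descriptor layout are
 * the real 80386 ones; the memory image, table placement and selectors are
 * constructed. */

static uint8_t mem[0x10000];                 /* constructed linear address space */

enum { TYPE_DATA_RW = 0x2, TYPE_CODE_XR = 0xA, SYS_LDT = 0x2 };

/* Write an 8-byte descriptor at linear address 'at'. s=1: code/data, s=0: system.
 * g=1: limit counts 4 KiB pages. P is always set; D/B is set for 32-bit segments. */
static void put_descriptor(uint32_t at, uint32_t base, uint32_t limit,
                           unsigned dpl, bool s, unsigned type, bool g) {
    uint8_t d[8] = {
        limit & 0xFF, (limit >> 8) & 0xFF,
        base & 0xFF, (base >> 8) & 0xFF, (base >> 16) & 0xFF,
        0x80 | ((dpl & 3) << 5) | (s ? 0x10 : 0) | (type & 0xF),
        (g ? 0x80 : 0) | 0x40 | ((limit >> 16) & 0xF),
        (base >> 24) & 0xFF };
    memcpy(mem + at, d, 8);
}

/* What the processor caches after decoding a descriptor. */
typedef struct { uint32_t base, limit; unsigned dpl, type; bool s, present; } seg_t;

static seg_t decode(uint32_t at) {
    const uint8_t *d = mem + at;
    seg_t c;
    c.base  = d[2] | d[3] << 8 | d[4] << 16 | (uint32_t)d[7] << 24;
    c.limit = d[0] | d[1] << 8 | (uint32_t)(d[6] & 0xF) << 16;
    if (d[6] & 0x80) c.limit = (c.limit << 12) | 0xFFF;   /* G=1: page granular */
    c.present = d[5] & 0x80;  c.dpl = (d[5] >> 5) & 3;
    c.s = d[5] & 0x10;        c.type = d[5] & 0xF;
    return c;
}

typedef struct { uint32_t gdt_base, gdt_limit; uint16_t ldtr; } cpu_t;

typedef enum { LOAD_OK, ERR_NO_LDT, ERR_OUT_OF_TABLE,
               ERR_WRONG_TYPE, ERR_PRIVILEGE, ERR_NOT_PRESENT } load_err_t;

/* Load 'sel' into a data segment register while running at 'cpl'. The real
 * processor raises #GP(sel) for every failure except ERR_NOT_PRESENT (#NP).
 * (The null selector, which the real processor accepts and faults on first
 * use, is rejected here as ERR_WRONG_TYPE because descriptor 0 has S=0.) */
load_err_t load_data_selector(const cpu_t *cpu, unsigned cpl, uint16_t sel, seg_t *out) {
    unsigned index = sel >> 3, ti = (sel >> 2) & 1, rpl = sel & 3;
    uint32_t base = cpu->gdt_base, limit = cpu->gdt_limit;
    if (ti) {                       /* check 2: the LDT is reached via the GDT entry LDTR names */
        uint32_t li = cpu->ldtr >> 3;
        if (li == 0 || li * 8 + 7 > cpu->gdt_limit) return ERR_NO_LDT;
        seg_t l = decode(cpu->gdt_base + li * 8);
        if (l.s || l.type != SYS_LDT) return ERR_NO_LDT;
        base = l.base; limit = l.limit;
    }
    if (index * 8 + 7 > limit) return ERR_OUT_OF_TABLE;      /* check 1: inside the table */
    seg_t s = decode(base + index * 8);
    bool data = s.s && !(s.type & 0x8);
    bool readable_code = s.s && (s.type & 0xA) == 0xA;
    if (!data && !readable_code) return ERR_WRONG_TYPE;      /* check 3: a type DS may hold */
    bool conforming = readable_code && (s.type & 0x4);
    /* check 4: the weaker of CPL and RPL must be at least as privileged as the
     * segment's DPL (numerically <=); conforming code segments are exempt. */
    unsigned effective = cpl > rpl ? cpl : rpl;
    if (!conforming && effective > s.dpl) return ERR_PRIVILEGE;
    if (!s.present) return ERR_NOT_PRESENT;
    *out = s;
    return LOAD_OK;
}

/* Offset -> linear address through a loaded segment; false means #GP (limit exceeded). */
bool linear_address(const seg_t *seg, uint32_t offset, uint32_t *lin) {
    if (offset > seg->limit) return false;
    *lin = seg->base + offset;
    return true;
}

/* Constructed layout: GDT at 0x1000 (4 entries), one LDT at 0x2000 (3 entries). */
cpu_t make_demo_cpu(void) {
    memset(mem, 0, sizeof mem);
    put_descriptor(0x1008, 0, 0xFFFFF, 0, true, TYPE_CODE_XR, true);       /* sel 0x08 kernel code */
    put_descriptor(0x1010, 0, 0xFFFFF, 0, true, TYPE_DATA_RW, true);       /* sel 0x10 kernel data */
    put_descriptor(0x1018, 0x2000, 3 * 8 - 1, 0, false, SYS_LDT, false);   /* sel 0x18 LDT descriptor */
    put_descriptor(0x2000, 0x8000, 0xFFF, 3, true, TYPE_CODE_XR, false);   /* sel 0x07 user code */
    put_descriptor(0x2008, 0x4000, 0xFFF, 3, true, TYPE_DATA_RW, false);   /* sel 0x0F user data */
    put_descriptor(0x2010, 0x6000, 0x0FF, 1, true, TYPE_DATA_RW, false);   /* sel 0x17 PL1 data */
    cpu_t cpu = { 0x1000, 4 * 8 - 1, 0x18 };
    return cpu;
}
```

Calling `load_data_selector(&cpu, 3, 0x0F, &s)` after `make_demo_cpu()` walks the whole path: TI = 1 sends the lookup through the LDT descriptor at GDT entry 3, index 1 selects the user data segment, and `linear_address(&s, 0x10, &lin)` yields 0x4010. The same PL3 task loading 0x13 (kernel data) or 0x17 (the PL1 segment) gets ERR_PRIVILEGE. The RPL term matters for the kernel side too: at CPL 0 the selector 0x14 loads the PL1 segment, but 0x17, the same index with RPL 3, is refused, which is exactly how an operating system that adjusts the RPL of a user-supplied selector (ARPL) keeps a PL3 caller from using kernel code as a proxy for a data access it could not make itself.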