A Hardware Architecture For Implementing Protection Rings


My take on this famous paper on protection rings made for my graduate OS class

I <3 Cornell

A Hardware Architecture for Implementing Protection Rings

Schroeder & Saltzer: Mighty Institute of Terminology (m.i.t.)

Brought to you by: Chris Sosa

Overview
- Introduction of protection rings: allows multiple domains to be associated with a process, and allows the process to move between domains during execution
- Hardware (a.k.a. computer architecture) implementation of protection rings for Multics

Hardware a.k.a. Computer Architecture Implementation of Protection Rings for Multics

Motivation
- Basic access control mechanisms only allow one set of access permissions (a domain) per user per resource
- There is an intrinsic need to change the access capabilities of a user as his/her process runs: user A may wish to allow user B to access sensitive data, but only through a special program

Four Sets of Criteria to Judge Protection Mechanisms
- Functional capability
- Economy
- Simplicity
- Programming generality

What is a Protection Ring?

This does not meet our economy criteria!

… let’s try again

Protection Rings
- Each process is associated with r domains, numbered 0 to r-1, called rings
- Rings are concentric: the privileges of ring m are a subset of the privileges of ring n when m > n
- Ring 0 =

Protection Rings (cont'd)
- The usual R/W/E privileges are divided into brackets (ranges of rings)
- R/W brackets must start at ring 0. Why?
- Allows the lowest-numbered ring of execution to be specified (not necessarily 0). Why might this be a good thing?

Moving Between Protection Rings
- Downward movement (into a lower-numbered, more privileged ring) is restricted to "gates": specific program locations through which a process may enter a lower ring during execution. Example of gates?
- Upward movement is unrestricted (but you must use a special call to do it)

Revisiting Gate Extension
- A bracket that defines from which rings movement through a gate is allowed
- Possible use of this in Windows?

Call and Return
- Procedure transfer = subroutine call
- Easy to validate protection rings: if the call goes through a gate, validate the caller's ring w.r.t. the gate extension
- Return restores the caller's ring

Three Issues with Downward Calls
1. Finding the new stack area: each process has a stack segment per ring
2. Argument validation: the called procedure assumes the more restricted access capabilities of the caller when accessing operand references
3. Knowledge of the caller's ring: the processor leaves this in a read-only register

Other Calls?
- Dealing with a call and return that doesn't change rings is trivial … duh!
- Upward calls are hard. Their solution: let's not support it!
- What's wrong with keeping the protection ring of the caller? Internet Explorer bugs anyone?

Computer Architecture Support

Hot or Not?

Quick Review of Multics Before Protection Rings
- Each user has an individual virtual memory (VM)
- A segment is the unit of access control
- Users have R/W/E privileges defined per segment (flags)
- The flags are stored with the segment descriptor in hardware
- … for more information on the hardware: see the paper (for those Clints out there)

Quick Review of Multics After Protection Rings
- Eight rings
- Modification of the SDW (segment descriptor word) to include three 3-bit values for bracket management:
  - ring 0 -> SDW.R1 = write bracket
  - SDW.R1 -> SDW.R2 = execute bracket
  - SDW.R2+1 -> SDW.R3 = gate extension
  - Read = execute (loses some flexibility)
- The other modifications only involve adding a 3-bit ring field denoting the required or current ring

An Example: Retrieval of the Next Instruction to be Executed
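To make the bracket and call/return rules from the previous slides concrete, here is an added model (my own illustration, not code from the paper or from Multics) of an SDW with its R1/R2/R3 fields, the access check the hardware makes on instruction fetch and operand access, and the ring transition on a call. It assumes eight rings, takes the read bracket as rings 0..R2 (sharing its top with the execute bracket, which is the lost flexibility noted above), and uses a constructed set of gate offsets; the per-ring stack in `Processor` stands in for the per-ring stack segments and the read-only caller-ring register.

```python
from dataclasses import dataclass

class RingFault(Exception):
    """Raised where the hardware would take an access-violation fault."""

@dataclass(frozen=True)
class SDW:
    """Segment descriptor word after the ring modification: R/W/E flags plus R1..R3."""
    r1: int                          # top of the write bracket
    r2: int                          # top of the execute (and read) bracket
    r3: int                          # top of the gate extension
    read: bool = True
    write: bool = True
    execute: bool = True
    gates: frozenset = frozenset()   # entry offsets that are valid gates (constructed)
    def can_write(self, ring):       # write bracket: rings 0 .. R1
        return self.write and 0 <= ring <= self.r1
    def can_read(self, ring):        # read bracket: rings 0 .. R2 (assumed, see lead-in)
        return self.read and 0 <= ring <= self.r2
    def can_execute(self, ring):     # execute bracket: rings R1 .. R2; checked on each instruction fetch
        return self.execute and self.r1 <= ring <= self.r2

def validate_call(sdw, caller_ring, entry):
    """Ring the callee runs in, or RingFault if the transfer is illegal."""
    if not sdw.execute:
        raise RingFault("target segment is not executable")
    if sdw.r1 <= caller_ring <= sdw.r2:
        return caller_ring                   # same-ring call: no ring change, the trivial case
    if sdw.r2 < caller_ring <= sdw.r3:       # caller sits in the gate extension
        if entry not in sdw.gates:
            raise RingFault("downward call must enter through a gate")
        return sdw.r2                        # enter at the callee's least privileged execute ring
    raise RingFault("upward call: not supported by the ring hardware")

def argument_readable(sdw, current_ring, caller_ring):
    """Operand references made on the caller's behalf use the weaker (higher) of the two rings."""
    return sdw.can_read(max(current_ring, caller_ring))

class Processor:
    """Current ring plus one stack per ring; the saved caller ring stands in for the read-only register."""
    def __init__(self, ring):
        self.ring = ring
        self.stacks = {r: [] for r in range(8)}   # eight rings, one stack segment each
    def call(self, sdw, entry):
        new_ring = validate_call(sdw, self.ring, entry)
        self.stacks[new_ring].append(self.ring)   # frame on the callee ring's stack records the caller ring
        self.ring = new_ring
    def ret(self):
        self.ring = self.stacks[self.ring].pop()  # return restores the caller's ring
```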

Issues
- Complicated to design user programs with rings; it is rare to see more than two rings used
- We have seen some exceptions … see Xen
- The implementation lacked some features: the execute end bracket is the same as the read bracket, and upward movement was not implemented in terms of ring movement

Questions?
