I <3 Cornell
A Hardware Architecture for Implementing Protection Rings
Schroeder & Saltzer, MIT (Communications of the ACM, 1972)
Presented by: Chris Sosa
Overview
- Introduces protection rings: a process can be associated with several domains and can move between them during execution
- Hardware (computer-architecture) implementation of protection rings for Multics
Motivation
- Basic access-control mechanisms allow only one set of access permissions (one domain) per user per resource
- There is an intrinsic need to change a process's access capabilities as it runs
- Example: user A wants to let user B access sensitive data, but only through a particular program
Four criteria for judging protection mechanisms: functional capability, economy, simplicity, programming generality
What is a Protection Ring?
This does not meet our economy criteria!
… let’s try again
Protection Rings
- Each process is associated with r domains, numbered 0 to r-1, called rings
- Rings are concentric: the privileges of ring m are a subset of the privileges of ring n whenever m > n
- Ring 0 = the innermost, most privileged ring
Protection Rings (cont'd)
- A segment's R/W/E privileges are divided into brackets of rings
- The read and write brackets must start at ring 0. Why? (Concentricity: any access a ring has, every lower-numbered ring has too)
- The execute bracket lets a lowest-numbered ring of execution be specified, not necessarily 0. Why might that be a good thing? (Should a procedure written for a user ring ever run with ring-0 privileges?)
Moving Between Protection Rings
- Downward movement (to a lower-numbered, more privileged ring) is restricted to "gates": specific program locations through which a process may enter a lower ring during execution
- Examples of gates?
- Upward movement (to a higher-numbered ring) is unrestricted, but you must use a special call to do it
Revisiting Gate Extension
- The gate extension is the bracket of rings from which a call through the segment's gates is allowed
- Possible use of this in Windows?
Call and Return
- Procedure transfer = subroutine call; easy to validate against protection rings
- If the call goes through a gate, validate the caller's ring against the gate extension
- Return restores the caller's ring
Three Issues with Downward Calls
1. Finding a new stack area: each process has a stack segment per ring
2. Argument validation: the called procedure must assume the more restricted access capabilities of its caller when it accesses operand references supplied as arguments
3. Knowledge of the caller's ring: the processor leaves it in a read-only register
Other Calls?
- A call and return that doesn't change rings is trivial
- Upward calls are hard; their solution: don't support them
- What's wrong with simply keeping the protection ring of the caller? (Internet Explorer bugs, anyone?)
Computer Architecture Support: Hot or Not?
Quick Review of Multics Before Protection Rings
- Each user has an individual virtual memory
- A segment is the unit of access control
- Users have R/W/E privileges defined per segment (flags)
- The flags are stored with the segment descriptor in hardware
- For more on the hardware, see the paper
Quick Review of Multics After Protection Rings
- Eight rings
- The segment descriptor word (SDW) is extended with three 3-bit ring numbers, R1 <= R2 <= R3, for bracket management:
  - rings 0 .. SDW.R1 = write bracket
  - rings SDW.R1 .. SDW.R2 = execute bracket
  - rings SDW.R2+1 .. SDW.R3 = gate extension
  - the read bracket ends where the execute bracket ends (R2), which loses some flexibility
- The other modifications only involve adding a 3-bit ring field denoting a required or current ring
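As an added illustration of the bracket rules, the gate-call check and the three downward-call issues from the preceding slides, here is a toy simulator. It is my own example, not code from the paper or from Multics: the Segment, Process and caller_ring names are this example's inventions, and the sample segments in scenario() (a supervisor gate segment, a user data segment and a user procedure, with made-up brackets) are constructed for the demonstration.

```python
"""Toy simulator of Multics-style ring brackets and gate calls (added example).

For a segment with ring numbers R1 <= R2 <= R3, as on the slides:
  write bracket   = rings 0..R1
  read bracket    = rings 0..R2   (ends where the execute bracket ends)
  execute bracket = rings R1..R2
  gate extension  = rings R2+1..R3, usable only at gate entry points
Segment, Process and caller_ring are names chosen for this example, not
identifiers from the paper.
"""
from dataclasses import dataclass, field
from typing import Optional

NUM_RINGS = 8  # Multics implementation: eight rings, 3-bit ring fields


class ProtectionFault(Exception):
    """Raised when the hardware check on an access or transfer fails."""


@dataclass(frozen=True)
class Segment:
    name: str
    r1: int
    r2: int
    r3: int
    gates: frozenset = frozenset()  # word offsets that are legal gate entries

    def __post_init__(self):
        if not (0 <= self.r1 <= self.r2 <= self.r3 < NUM_RINGS):
            raise ValueError("brackets must satisfy 0 <= R1 <= R2 <= R3 < 8")

    def allows(self, op: str, ring: int) -> bool:
        """Bracket check for an operand access made from `ring`."""
        if op == "write":
            return ring <= self.r1              # write bracket starts at ring 0
        if op == "read":
            return ring <= self.r2              # read bracket starts at ring 0
        if op == "execute":
            return self.r1 <= ring <= self.r2   # lowest ring of execution is R1
        raise ValueError(op)


@dataclass
class Process:
    ring: int                              # current ring of execution
    caller_ring: Optional[int] = None      # "read-only register" set on a gate call
    stacks: list = field(default_factory=lambda: [[] for _ in range(NUM_RINGS)])

    def access(self, seg: Segment, op: str, via_arg: bool = False) -> None:
        # Issue 2: an operand reached through a caller-supplied reference is
        # checked at the less privileged (higher-numbered) of the two rings.
        eff = self.ring
        if via_arg and self.caller_ring is not None:
            eff = max(self.ring, self.caller_ring)
        if not seg.allows(op, eff):
            raise ProtectionFault(f"{op} of {seg.name} denied in ring {eff}")

    def call(self, seg: Segment, entry: int) -> int:
        """Transfer control into `seg` at word `entry`; returns the callee's ring."""
        if seg.r1 <= self.ring <= seg.r2:      # same-ring call: no ring change
            self.stacks[self.ring].append((seg.name, entry, self.ring, self.caller_ring))
            return self.ring
        if self.ring > seg.r2:                 # downward call: gate + gate extension
            if self.ring > seg.r3:
                raise ProtectionFault(f"ring {self.ring} outside gate extension of {seg.name}")
            if entry not in seg.gates:
                raise ProtectionFault(f"entry {entry} of {seg.name} is not a gate")
            new_ring = seg.r2                  # enter at the top of the execute bracket
            # Issue 1: the frame goes on the target ring's own stack segment.
            self.stacks[new_ring].append((seg.name, entry, self.ring, self.caller_ring))
            # Issue 3: record the caller's ring where the callee cannot alter it.
            self.caller_ring = self.ring
            self.ring = new_ring
            return new_ring
        # self.ring < seg.r1: upward call. Not supported as a ring change here,
        # mirroring the Multics implementation described on the slides.
        raise ProtectionFault(f"upward call from ring {self.ring} into {seg.name} unsupported")

    def ret(self) -> int:
        """Return from the most recent call, restoring the caller's ring."""
        _, _, caller, prev_caller_ring = self.stacks[self.ring].pop()
        if caller < self.ring:                 # never return into a more privileged ring
            raise ProtectionFault("return would lower the ring number")
        self.ring, self.caller_ring = caller, prev_caller_ring
        return self.ring


def scenario() -> dict:
    """Constructed sequence of accesses; returns the outcome of each step."""
    gate_seg = Segment("supervisor_gate", 0, 0, 5, gates=frozenset({0, 8}))
    data = Segment("user_data", 4, 4, 4)       # writable only up to ring 4
    prog = Segment("user_prog", 4, 5, 5)       # executable only in rings 4..5
    out = {}
    out["write_denied_in_ring5"] = not data.allows("write", 5)
    out["exec_denied_in_ring0"] = not prog.allows("execute", 0)

    p = Process(ring=5)
    out["gate_call_ring"] = p.call(gate_seg, 8)     # 5 -> 0 via gate
    out["caller_ring"] = p.caller_ring              # 5, kept for the callee
    results = []
    for via_arg in (False, True):                   # supervisor's own access vs. caller's pointer
        try:
            p.access(data, "write", via_arg=via_arg)
            results.append("ok")
        except ProtectionFault:
            results.append("fault")
    out["direct_write"], out["arg_write"] = results
    out["return_ring"] = p.ret()                    # back to ring 5

    def faults(fn):
        try:
            fn()
            return False
        except ProtectionFault:
            return True

    out["non_gate_entry_faults"] = faults(lambda: Process(ring=5).call(gate_seg, 3))
    out["outside_extension_faults"] = faults(lambda: Process(ring=6).call(gate_seg, 8))
    out["upward_call_faults"] = faults(lambda: Process(ring=0).call(prog, 0))
    out["same_ring_call"] = Process(ring=4).call(prog, 0)
    return out


if __name__ == "__main__":
    for step, result in scenario().items():
        print(f"{step}: {result}")
```

The interesting line is the argument check: the callee in ring 0 may write user_data directly, but the same write made through a pointer handed in by the ring-5 caller is refused, because the reference is judged at ring 5. That is exactly what a gate would get wrong if it simply kept the caller's privileges or its own without regard to where the operand came from.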
An Example: Retrieval of the Next Instruction to Be Executed
Issues
- Designing user programs with rings is complicated; it is rare to see more than two rings used
- We have seen some exceptions: see Xen
- The implementation lacked some features:
  - the execute bracket ends at the same ring as the read bracket
  - upward movement was not implemented in terms of ring movement
Questions?