80x86 privilege transfer in protected mode

Source: Internet
Author: User

This article is reprinted from http://xorrlei.blog.163.com/blog/static/163083449201131005615360/

The biggest feature of 80386 protected mode is the security checking it adds. Unlike real mode, where program code can JMP to or CALL any address at will, transfers are now restricted by privilege level. I have read countless materials on the concept of privilege levels and worked through it many times; this time I will sort it out once more.

CPL (current privilege level): the privilege level of the code segment the CPU is currently executing, stored in the lower two bits of the CS and SS registers;

DPL (descriptor privilege level): the privilege level of the target segment being transferred to. It sets the privilege standard required to access that segment and is stored in the segment descriptor;

RPL (requested privilege level): the second criterion for deciding whether a transfer is legal; it is needed as well, and is described in detail below. It is stored in the lower two bits of the target segment selector;

Data segment and stack segment: access checks for these two are relatively simple. As long as the CPL of the code segment being executed and the RPL of the selector are both at least as privileged as the DPL of the target data or stack segment, the access is allowed; there is nothing more to say.

Conforming code segment: think of it as kernel code, but kernel code with a low protection requirement: code the kernel provides for user programs to access and call. Although it lives in the OS kernel and is highly privileged, it can be reached by low-privilege user code. But it is only reached: the current CPL remains the CPL of the user code segment; do not expect to obtain the CPL of the kernel code. Haha.

Non-conforming code segment: this is the ordinary segment/section defined in user programs. It only allows code at the same privilege level to transfer into it; that is, user code can only jump to user code, and kernel code can only jump to kernel code. Do not assume that kernel code may freely access user code and user data: that would be easy for people to exploit, making the kernel execute nasty code written by bad guys and crash.


====================================================================================================================
Below are some detailed answers to questions I had while studying
====================================================================================================================
1. Isn't checking CPL against DPL enough? Why is RPL still needed?
When low-privilege user code calls high-privilege OS kernel code to access a target segment, the CPL becomes the operating system's CPL because the CPU is executing kernel code. Without RPL, that CPL has higher permission than any user code and could therefore access any data, which is not safe. RPL is introduced to indicate the requested access permission, so when CPL is checked, RPL is checked as well. In general, if the RPL number is greater than the CPL (i.e. the RPL privilege is lower than the CPL privilege), RPL is the one that decides.

2. Which instructions perform transfers?
Transfers fall into two categories: direct (normal) transfers and transfers through a gate descriptor. Both JMP and CALL can be used.

3. What is the difference between a transfer and an access?
A transfer means executing code in the target code segment; besides the privilege check that decides whether it is legal, it may also change the CPL.
An access only means reading data from a data or stack segment, or executing within the current code segment; it performs the privilege check but does not change the CPL.

4. Features of a direct transfer
A direct transfer never changes the CPL, as summarised below:

Code segment: conforming
Requirements: CPL >= DPL; RPL is not checked. In other words, the DPL in a conforming code segment descriptor names the innermost (most privileged) level from which a transfer into that segment is allowed (level 3 can transfer to a DPL 0 conforming segment, while level 0 can only transfer to a DPL 0 one). This reading of DPL in a conforming code segment descriptor is exactly the opposite of the normal DPL rule; its purpose is to provide shared code to applications without changing the privilege level.
Privilege change: CPL after the transfer = CPL before the transfer.

Code segment: non-conforming
Requirements: CPL = DPL and RPL <= DPL.
Privilege change: CPL after the transfer = CPL before the transfer.


5. Transfer through a gate descriptor
This is the way the CPL can be changed. Using a gate descriptor together with the CALL instruction, a transfer from a low privilege level to a high one can be realised, as summarised below:

Code segment: conforming
Requirements: CPL >= DPL; RPL is not checked, because RPL is cleared to 0 and RPL <= DPL is therefore always satisfied. This matches the normal transfer and applies to both JMP and CALL.
Privilege change: CPL after the transfer = CPL before the transfer, so no privilege transition takes place.

Code segment: non-conforming, via JMP
Requirements: CPL = DPL (RPL is cleared to 0 and not checked). If the requirement is not met, the program raises an exception.
Privilege change: because the precondition is CPL = DPL, the CPL after the transfer equals DPL, so the CPL value and the privilege level do not change. If CPL = DPL is not satisfied at access time, an exception is thrown.

Code segment: non-conforming, via CALL
Requirements: CPL >= DPL (RPL is cleared to 0 and not checked). If the requirement is not met, the program raises an exception.
Privilege change: CPL after the transfer = DPL. When CPL = DPL, the CPL after the transfer is unchanged and there is no privilege transition. When CPL > DPL, the CPL after the transfer becomes DPL and a privilege transition occurs. This is the only kind of transfer in which the executing program's privilege level (CPL) actually changes: a CALL instruction through a call gate whose target is a non-conforming code segment.
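To make the two tables above (sections 4 and 5) concrete, here is an added example, not part of the original post, that models the checks in C. The function names, the enum and the -1 fault convention are my own; a real CPU raises #GP instead of returning a value.

```c
#include <stdbool.h>
#include <stdio.h>

enum seg_kind { SEG_DATA, SEG_CONFORMING, SEG_NONCONFORMING };

/* Direct access or transfer (section 4): cpl is the current level, rpl the
 * selector's requested level, kind/dpl describe the target descriptor.
 * Returns the new CPL, or -1 where the CPU would raise #GP. */
static int direct_transfer(int cpl, int rpl, enum seg_kind kind, int dpl) {
    switch (kind) {
    case SEG_DATA:          /* data/stack: both CPL and RPL must be <= DPL */
        return (cpl <= dpl && rpl <= dpl) ? cpl : -1;
    case SEG_CONFORMING:    /* CPL >= DPL, RPL ignored, CPL never changes */
        return (cpl >= dpl) ? cpl : -1;
    case SEG_NONCONFORMING: /* CPL == DPL and RPL <= DPL, CPL never changes */
        return (cpl == dpl && rpl <= dpl) ? cpl : -1;
    }
    return -1;
}

/* Transfer through a call gate (section 5). gate_rpl is the RPL of the
 * selector naming the gate, gate_dpl the gate's own DPL, kind/dpl the
 * target code segment recorded in the gate; is_call selects CALL vs JMP. */
static int gate_transfer(int cpl, int gate_rpl, int gate_dpl,
                         enum seg_kind kind, int dpl, bool is_call) {
    /* Step 1: the gate itself is checked like a data segment. */
    if (cpl > gate_dpl || gate_rpl > gate_dpl) return -1;
    /* Step 2: the target selector's RPL is forced to 0, so only CPL vs DPL
     * of the target code segment remains to be checked. */
    switch (kind) {
    case SEG_CONFORMING:
        return (cpl >= dpl) ? cpl : -1;              /* no privilege change */
    case SEG_NONCONFORMING:
        if (!is_call) return (cpl == dpl) ? cpl : -1; /* JMP: same level only */
        return (cpl >= dpl) ? dpl : -1;              /* CALL: CPL becomes DPL */
    default:
        return -1;                                   /* gate must name code */
    }
}

int main(void) {
    /* Constructed scenario: ring 3 caller, gate DPL 3, kernel code DPL 0. */
    printf("ring3 CALL via gate -> CPL %d\n",
           gate_transfer(3, 3, 3, SEG_NONCONFORMING, 0, true));   /* 0 */
    printf("ring3 direct JMP to ring0 code -> %d\n",
           direct_transfer(3, 3, SEG_NONCONFORMING, 0));           /* -1 */
    return 0;
}
```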



When the selector following an inter-segment JMP or inter-segment CALL points to a call gate descriptor, the transfer goes through the call gate. In that case the 32-bit offset that follows the selector in the instruction is not used by the CPU, because the call gate descriptor already records the offset of the target code. A transfer through a gate has one more step than a normal transfer: when the call gate descriptor is accessed, it is treated like a data segment for the permission check, requiring that the caller's selector RPL be less than or equal to the gate descriptor's DPL and that the current code segment's CPL be less than or equal to the gate descriptor's DPL. This is exactly like accessing a data segment, where the CPL of the accessing program must be less than or equal to the DPL of the data segment and, at the same time, the selector RPL must be <= the DPL of the data or stack segment. Only when these conditions are met does the CPU go on to read the target code segment selector and offset from the call gate descriptor and perform the next step.

After reading the target code segment selector and offset from the call gate, we are back at the previous step, on the same starting line as a normal transfer (a normal transfer obtains the target segment selector and offset directly from the instruction). The difference is that at this point the CPU clears the RPL of the target code segment selector to 0, which ignores whatever RPL was stored in the code segment selector inside the call gate. Once that is done, the CPU performs the privilege check using the current program's CPL, the target selector's RPL (which, having been cleared, always passes) and the DPL in the target code segment descriptor named by that selector, and transfers according to the outcome.
