Let's talk about their meaning and storage location first! Pl: privilege level. Privileged CPL (current): privileged level of the current task! In kernel mode, CPL = 0, CPL = 3 in user mode, and Linux only uses these two! The value of Cs or SS is two lower! DPL (descriptor): descriptor privileged! It exists in the segment descriptor. Specifies the permission level for accessing this section. RPL (request): Request privilege level! There are two lower parameters than the segment separator.
What is RPL used? The intel manual explains that the RPL can be used to insure that privileged code does not access a segment on behalf of an application program unless the program itself has access privileges for that segment. (RPL can be used to ensure that privileged code does not represent another application accessing a segment, unless that application has the permission to access that segment .) for example, the DPL of process a is 0, and the DPL of Process C is 1. Now there is a process B whose DPL is 2. This process B wants to entrust process a to access data of Process C, without RPL, such a delegated access can be successful, but this is very insecure. With RPL, the process will be subject to RPL constraints when accessing C. In this case, you can set the RPL sub-Access to C as the DPL of B, in this way, the access permission of a is equivalent to EPL = max (RPL, DPL) = 2, so that B cannot access C without excessive permissions.
Post a reprinted post, and read it later.
3. What are the relationships and differences between DPL, RPL, and CPL? Must RPL and CPL be the same? If they are the same, why should I use two instead of one?
A:Privilege level is the next important concept of protection mode. CPL, RPL, and DPL are the core concepts. There are numerous materials available, which are summarized as follows:
Simple explanation:
CPLIs the permission level of the current process (Current privilege levelIs the privilege level of the segment where the code is currently being executed, which exists in the lower two of the CS register.
RPLIt indicates that the process's access request permissions to the segment (Request privilege levelFor the segment Selection Sub-, each segment Selection Sub-has its own RPL, which indicates that the process has the permission to access the segment, a bit like a function parameter. In addition, RPL is not fixed for each segment. When two accesses to the same segment, RPL can be different. RPL may weaken the role of CPL. For example, the current CPL = 0 process needs to access a data segment, which sets the RPL in the segment selection operator to 3, in this way, only 3 is allowed to access this segment.
DPLStored in the segment descriptor, specifying the permission level for accessing the segment (Descriptor privilege level), The DPL of each segment is fixed. When a process accesses a segment, it requires a process privilege-level check. GenerallyDPL> = max {CPL, RPL}
For example, Chinese officials are divided into 6 levels: President 1, Prime Minister 2, Governor 3, Mayor 4, county magistrate 5, and village chief 6. Suppose I am the current process, level 1 Prime Minister (CPL = 2), I went to Liaocheng (DPL = 4) for an investigation (haha), and I used the level of the Governor (RPL = 3) to visit, yes. If I use the county magistrate's level, people will ignore me (you can watch the WeChat private visit on TV, huh, huh! Why is RPL secure? It seems that you have the write permission on a file. Why is it not safe to open it in read-only mode!
Full explanation:
RPLIt is the value obtained from the combination of Bit 0 and bit 1 in the segment Selection Sub-, but here we need to figure out what is the segment Selection Sub, according to Intel's file (IA-32 intelr architecture software developer's manual, Volume 3 system programming guide) It is a 16bit identifier (original: A segment selector is a 16-bit identifier for a segment ). but what is identifier. identifier can be a variable name (an identifier is a name for variables). Simply put, it can be a variable of the general meaning. here, 16-bit identifier for a segment can be a general 16-bit variable, but at the same time, it must be interpreted with int The rule set by El-that is, the combined values of Bit 0 and bit 1 are RPL, etc... Therefore, if necessary, you can declare one or more variables to represent these segments and select Sub-segments. In this way, your program can have many sub-segments at a certain time, of course, there are so many RPL in the multi-segment selection sub-categories. it can be said that the number of RPL variables in the program is what you think of your own declarations. |
ProgramCpl (CS. RPL) is the value obtained from the combination of Bit 0 and bit 1 in CS register. At a certain time point, only this value uniquely represents the CPL of the program.
Note: CS. RPL indicates the register privilege level in the CS memory, not the request privilege level.
WhileDPLIt is the privileged level in the segment descriptor. It is intended to represent the privileged level of the segment it describes. A program can use many segments (data, code, stack) or only one code segment. under normal circumstances, when the program environment is set up, the segment descriptor does not need to be changed ----- of course, DPL does not need to be changed.
I. Privileged Access Control for data and stack segments:
CPL of the program requesting access to the data segment or stack segment is less than or equal to the DPL of the data segment or stack segment to be accessed, and the DPL of the sub-RPL is less than or equal to the data segment or stack segment to be accessed, that is, the program must follow the following guidelines to access the data segment or stack segment:Only code with the same or higher privilege level can access the corresponding data segment(In this way, the data cannot be changed at will. Note that this is only the data segment and stack segment !). Here, RPL may weaken the role of CPL. When you access a data segment or stack segment, the minimum privilege level of the CPU and RPL is used by default to access the data segment.Max {CPL, RPL}≤DPL,Otherwise, access fails.
2. privileged level control over code segment access (privileged transfer of code execution right ):
Let's first record some "Laws ":
The CPU does not assign the RPL of the sub-segment to the Cs of the program after the switch. RPL. (The segment Selection Sub-function is just a "Guide" for the CPU. For more information, see the previous section.Addressing in Protected ModeAfter the segment Selection Sub-completes the guiding function, the process is related to the new segment. the CPU and code have nothing to do with how to select the sub-segment, so the RPL of the segment Selection Sub-will not give Cpl. Remember, the segment Selection Sub-has only one guide !)
The CPL (CS. RPL) of the program after the jump only has the following two possibilities:
Cpl (CS. RPL) = CPL (CS. RPL) of the program before the jump)
Or CPL (CS. RPL) = codedescriptor. DPL
Take call as an example (you can only jump to a segment equal to or higher than the current privilege level ):
To determine the two options, we first need to know whether the program segment is consistent or inconsistent after the jump. In fact, it is also very simple. The rules are as follows:
If you can successfully jump to the consistent code segment, the CPL (CS. RPL) = CPL (CS. RPL), (the CPL of the program after the jump inherits the CPL of the program before the jump, consistent, consistent meaning during translation !)
If you can successfully jump to a non-consistent code segment, the CPL (CS. RPL) of the program after the jump = descriptor. DPL of the program after the jump. (After the jump, the CPL of the program becomes the privileged level of the code segment. as I mentioned earlier, DPL is the privileged level in the segment descriptor. It is intended to represent the privileged level of the segment it describes)
How can I switch to another one?
There are four important concepts:
1 ). the protection concept of CIDR block is that at the high level, the high level does not look for services at the low level of privilege, and the low level does not look for help at the high level of privilege. (The logic is correct. I don't know the truth .) that is to say, the county magistrate does not look for the village magistrate, and the village magistrate does not ask for the peasants. In turn, the peasants seek the village magistrate and the county magistrate. this concept is the most important.
2) Significance of the consistent code segment: it makes it easy for the guests to take advantage of the owner (consistent code segment. but the identity of the guest has not changed newcs. RPL = oldcs. RPL can only help you. For example, if a village chief has a cow, a farmer can borrow it to help his own farm, but not others. But if you are a village chief, you can certainly plant all the farms in the village.
3) The significance of a non-consistent code segment: the owner (non-consistent code segment) can help the guests but must use his own identity newcs. RPL = destinationdescriptorcode. DPL may have security issues, but it is difficult for farmers to become county leaders. If the master is too stubborn, he must stick to his identity. Is there any way to change it? Is it a compromise. Okay, it is the use of RPL.
4) RPL: it allows the program to express a privileged identity max (RPL, CPL) when needed without losing its own privileged CPL (CS. RPL), when necessary, refers to the time to check the identity. In fact, RPL has nothing to do with the privileged DPL of the segment itself and the current privileged CPL, because the RPL value is not assigned to the CS. RPL after the successful jump.
I still want to ask how to successfully jump to the next hop? There are two situations:
Normal jump (without passing through gate ):That is, after JMP or call, follow the 48-bit full pointer (the 16-bit segment selects the child + 32-bit address offset), and the segment selects the child pointing to the segment descriptor, such a jump is called a direct (normal) Jump.Normal jumps do not cause a jump to the privileged level, that is, they do not cause CPL changes., See the following detailed description:
The target is a consistent code segment:
Requirements:Cpl (CS. RPL)> = destinationdescriptorcode. DPL, other RPL do not check.
Cpl (newcs. RPL) = CPL (oldcs. RPL) of the program before the jump)
The above arrangement is the meaning of the concept 1, 2 (CPL of the basic privilege finds the DPL of the high privilege circle to handle the affairs, is it consistent, naturally CPL will not change), at this time, CPL has not changed, even if it executes code with a high privilege level (DPL. If the access fails, an exception occurs.
The target code segment is inconsistent:
Requirements:Cpl (CS. RPL) = destinationdescriptorcode. DPL and RPL ≤ CPL (CS. RPL)
Cpl (newcs. RPL) = destinationdescriptorcode. DPL
The above arrangement is the meaning of concept 3 and the meaning of Part 1 ---- the master (consistent code segment) only helps the guests with the same privilege level. Because the premise is CPL = DPL, the CPL (newcs. RPL) = destinationdescriptorcode. DPL of the program after the jump will not change the CPL value, and the privilege level (CPL) will not change. If CPL = DPL is not met during access, an exception is thrown.
Redirect by calling the door:When the inter-segment Transfer Instruction JMP and inter-segment Transfer Instruction call are followed by the target segment Selection Sub-points to a call gate descriptor, the jump is to use the call door jump. At this time, if the child is selected and followed by a 32-bit address offset, it will not be used by the CPU, because the call gate descriptor has recorded the offset of the target code. One more step to redirect using a door adjustment than a normal jump, that is, when accessing the door descriptor, the descriptor should be treated as a data segment to check the access permission, the RPL that indicates the Selection Sub-of the call door is required to be less than or equal to the gate descriptor DPL, and the current code segment CPL is less than or equal to the gate descriptor DPL, just like accessing the data segment,CPL of the program requesting access to the data segment is less than or equal to the DPL of the data segment to be accessed, and the sub-RPL is less than or equal to the DPL of the data segment or stack segment to be accessed.. Only when the preceding conditions are met can the CPU further read the selection and address offset of the target code segment from the call gate descriptor to perform the next step.
After reading the segment selection and address offset of the target code from the call door, the information we currently have returned to the previous step, it is on the same starting line as a normal jump (the normal jump gets the segment selection and address offset of the target code from the beginning). The difference is that, at this time, the CPU clears the target code segment to RPL 0, that isThe role of selecting the sub-RPL for the code segment in the call door is ignored.. After this step is completed, the CPU starts CPL for the current program, and the target code segment selects the sub-RPL (in fact, it can always meet the requirements after being cleared) and DPL in the target code segment descriptor selected by the target code sub-indicator to perform a privileged level check and redirect based on the situation, as shown below:
The target is a consistent code segment:
Requirements:Cpl (CS. RPL) ≥ destinationdescriptorcode. DPL and RPL are not checked. Because RPL is cleared to 0, RPL is always satisfied with RPL ≤ DPL. This is consistent with normal redirection and is applicable to JMP and call.
Cpl (newcs. RPL) = CPL (oldcs. RPL) of the program before the jump. Therefore, no transition occurs at the privilege level.
The target code segment is inconsistent:
When the JMP command is used to redirect:
Requirements:Cpl (CS. RPL) = destinationdescriptorcode. DPL and RPL <= CPL (CS. RPL) (in fact, RPL is always satisfied because RPL is cleared by 0, so the relationship between RPL and CPL is not checked here ). If the requirements are not met, the program will cause an exception.
Cpl (newcs. RPL) = destinationdescriptorcode. DPL
Because the premise is CPL = DPL, the CPL (newcs. RPL) = destinationdescriptorcode. DPL of the program after the jump will not change the CPL value, and the privilege level will not change. If CPL = DPL is not met during access, an exception is thrown.
When the call command is used to redirect:
Requirements:Cpl (CS. RPL) ≥ destinationdescriptorcode. DPL (RPL is cleared 0, not checked). If the requirements are not met, the program causes an exception.
Cpl (newcs. RPL) = destinationdescriptorcode. DPL
When the condition CPL = DPL, CPL = DPL after the program jumps, the privileged level does not jump; When CPL> DPL, CPL = DPL after the program jumps, the privileged level jumps. This isWhen the current position is the only jump method that changes the current execution priority (CPL) of the program, that is, the call command + call the door method jump, and the target code segment is not consistent code segment.
Summary:The above describes the two types of redirection, namely normal jump and call door jump, which can be subdivided into JMP jump and call jump. Whether the successful jump is by CPL, determined by the combination of RPL and DPL. All redirects are from low-privilege-level code to the same level or higher-level privileged level (DPL), but keep the current execution privileged level (CPL) unchanged, it is a little difficult to tell why the jump to the high-privilege level is not changed, and the "high-privilege level" here refers to the DPL of the target code segment descriptor, it specifies the highest privilege level that can jump to the code segment. The CPL remains unchanged, which means that the privilege level does not jump. We can see that CPL changes will occur only when the call command + call door method is used to jump and the target code segment is inconsistent, that is, the Code Execution privilege-level transition, this is currently the only way to change the execution privilege level. If you know other methods, please leave a message to me.