DPL, RPL, and CPL

This article is too good !! This is a complete permission check in the protection mode. In fact, today's operating systems won't be so complicated ......

 

Privilege level is the next important concept of protection mode. CPL, RPL, and DPL are the core concepts. There are numerous materials available, which are summarized as follows:
Simple explanation:

--------------------------------------------------------------------------------

CPL is the current privilege level of the current process. It is the privilege level of the segment where the code currently being executed is located and exists in the lower two Cs registers.
RPL indicates the request privilege level for the process to access the segment. For the segment Selection Sub-, each segment Selection Sub-has its own RPL, it indicates the process's request permissions for segment access, a bit like function parameters. In addition, RPL is not fixed for each segment. When two accesses to the same segment, RPL can be different. RPL may weaken the role of CPL. For example, the current CPL = 0 process needs to access a data segment, which sets the RPL in the segment selection operator to 3, in this way, only 3 is allowed to access this segment.
DPL is stored in the segment descriptor and specifies the permission level for accessing the segment (descriptor privilege level). The DPL of each segment is fixed.
When a process accesses a segment, the process requires a privileged check. Generally, DPL> = max {CPL, RPL} is required}
For example, Chinese officials are divided into 6 levels: President 1, Prime Minister 2, Governor 3, Mayor 4, county magistrate 5, and village chief 6. Suppose I am the current process, level 1 Prime Minister (CPL = 2), I went to Liaocheng (DPL = 4) for an investigation (haha), and I used the level of the Governor (RPL = 3) to visit, yes. If I use the county magistrate's level, people will ignore me (you can watch the WeChat private visit on TV, huh, huh! Why is RPL secure? It seems that you have the write permission on a file. Why is it not safe to open it in read-only mode!

Full explanation:
--------------------------------------------------------------------------------

RPL is the value obtained from the combination of Bit 0 and bit 1 in the segment Selection Sub-, but here we need to figure out what is the segment Selection Sub, according to Intel's file (IA-32 intelr architecture software developer's manual, Volume 3 system programming guide) It is a 16bit identifier (original: A segment selector is a 16-bit identifier for a segment ). but what is identifier. identifier can be a variable name (an identifier is a name for variables). Simply put, it can be a variable of the general meaning. here, 16-bit identifier for a segment can be a 16-bit variable in the general sense, but it must be followed when interpreting its value. Intel rules-that is, the combination of Bit 0 and bit 1 is RPL, etc... Therefore, if necessary, you can declare one or more variables to represent these segments and select Sub-segments. In this way, your program can have many sub-segments at a certain time, of course, there are so many RPL in the multi-segment selection sub-categories. it can be said that the number of RPL variables in the program is what you think of your own declarations. |
The CPL (CS. RPL) of the program is the value obtained from the combination of Bit 0 and bit 1 in CS register. At a certain time point, only this value uniquely represents the CPL of the program.
　　
DPL is the privileged level in the segment descriptor. It is intended to represent the privileged level of the segment it describes. A program can use many segments (data, code, stack) or only one code segment. under normal circumstances, when the program environment is set up, the segment descriptor does not need to be changed ----- of course, DPL does not need to be changed.

I. Privileged Access Control for data and stack segments:

CPL of the program requesting access to the data segment or stack segment is less than or equal to the DPL of the data segment or stack segment to be accessed, and the DPL of the sub-RPL is less than or equal to the data segment or stack segment to be accessed, that is to say, the program must follow the rule that only code with the same or higher privilege level can access the corresponding data segment. Here, RPL may weaken the role of CPL. when accessing a data segment or stack segment, the minimum privilege level in the CPU and RPL is used to access the data segment by default, so max {CPL, RPL} ≤ DPL, otherwise, access fails.

2. privileged level control over code segment access (privileged transfer of code execution right ):

Let's first record some "Laws ":
The CPU does not assign the RPL of the sub-segment to the CS. RPL ..

The CPL (CS. RPL) of the program after the jump only has the following two possibilities:
Cpl (CS. RPL) = CPL (CS. RPL) of the program before the jump)
Or
Cpl (CS. RPL) = codedescriptor. DPL

Take call as an example (you can only jump to a segment equal to or higher than the current privilege level ):
To determine the two options, we first need to know whether the program segment is consistent or inconsistent after the jump. In fact, it is also very simple. The rules are as follows:
If you can successfully jump to the consistent code segment, the CPL (CS. RPL) = CPL (CS. RPL), (the CPL of the program after the jump inherits the CPL of the program before the jump)
If you can successfully jump to a non-consistent code segment, the CPL (CS. RPL) of the program after the jump = descriptor. DPL of the program after the jump. (After the jump, the CPL of the program becomes the privileged level of the code segment. as I mentioned earlier, DPL is the privileged level in the segment descriptor. It is intended to represent the privileged level of the segment it describes.) How can it be switched successfully?

There are four important concepts:

1 ). the protection concept of CIDR block is that at the high level, the high level does not look for services at the low level of privilege, and the low level does not look for help at the high level of privilege. (The logic is correct. I don't know the truth .) that is to say, the county magistrate does not look for the village magistrate, and the village magistrate does not ask for the peasants. In turn, the peasants seek the village magistrate and the county magistrate. this concept is the most important.
2) Significance of the consistent code segment: it makes it easy for the guests to take advantage of the owner (consistent code segment. but the identity of the guest has not changed newcs. RPL = oldcs. RPL can only help you. For example, if a village chief has a cow, a farmer can borrow it to help his own farm, but not others. But if you are a village chief, you can certainly plant all the farms in the village.
3) The significance of a non-consistent code segment: the owner (non-consistent code segment) can help the guests but must use his own identity newcs. RPL = destinationdescriptorcode. DPL may have security issues, but it is difficult for farmers to become county leaders. If the master is too stubborn, he must stick to his identity. Is there any way to change it? Is it a compromise. Okay, it is the use of RPL.
4) RPL: it allows the program to express a privileged identity max (RPL, CPL) when needed without losing its own privileged CPL (CS. RPL), when necessary, refers to the time to check the identity. In fact, RPL has nothing to do with the privileged DPL of the segment itself and the current privileged CPL, because the RPL value is not assigned to the CS. RPL after the successful jump.
I still want to ask how to successfully jump to the next hop? There are two situations:

Normal jump (without going through the gate): that is, after JMP or call, follow the 48-bit full pointer (16-bit segment Selection Sub + 32-bit address offset ), the segment Selection Sub-points to the segment descriptor. Such a jump is called a direct (normal) Jump. A normal jump does not cause a jump of the privileged level, that is, it does not cause CPL changes. For details, refer to the following description:

The target is a consistent code segment:
Requirement: CPL (CS. RPL)> = destinationdescriptorcode. DPL. Other RPL do not check.
Cpl (newcs. RPL) = CPL (oldcs. RPL) of the program before the jump)
The above arrangement refers to the concept 1, 2. At this time, CPL has not changed, even if it executes code with a higher privilege level (DPL. If the access fails, an exception occurs.
The target code segment is inconsistent:
Requirement: CPL (CS. RPL) = destinationdescriptorcode. DPL and RPL ≤ CPL (CS. RPL)
Cpl (newcs. RPL) = destinationdescriptorcode. DPL
The above arrangement is the meaning of concept 3 and the meaning of Part 1 ---- the master (consistent code segment) only helps the guests with the same privilege level. Because the premise is CPL = DPL, the CPL (newcs. RPL) = destinationdescriptorcode. DPL of the program after the jump will not change the CPL value, and the privilege level (CPL) will not change. If CPL = DPL is not met during access, an exception is thrown.

Redirect by calling the door: When the inter-segment transfer command JMP and inter-segment transfer command call are followed by the target segment Selection Sub-pointing to a call door descriptor, this is the jump of the calling door. At this time, if the child is selected and followed by a 32-bit address offset, it will not be used by the CPU, because the call gate descriptor has recorded the offset of the target code. One more step to redirect using a door adjustment than a normal jump, that is, when accessing the door descriptor, the descriptor should be treated as a data segment to check the access permission, the RPL that indicates the Selection Sub-of the call door is required to be less than or equal to the gate descriptor DPL, and the current code segment CPL is less than or equal to the gate descriptor DPL, just like accessing the data segment, CPL of the program requesting access to the data segment is less than or equal to the DPL of the data segment to be accessed, and the sub-RPL is less than or equal to the DPL of the data segment or stack segment to be accessed. Only when the preceding conditions are met can the CPU further read the selection and address offset of the target code segment from the call gate descriptor to perform the next step.
After reading the segment selection and address offset of the target code from the call door, the information we currently have returned to the previous step, it is on the same starting line as a normal jump (the normal jump gets the segment selection and address offset of the target code from the beginning). The difference is that, at this time, the CPU clears RPL from the target code segment to 0, which ignores the role of RPL in the code segment Selection Sub-in the call door. After this step is completed, the CPU starts CPL for the current program, and the target code segment selects the sub-RPL (in fact, it can always meet the requirements after being cleared) and DPL in the target code segment descriptor selected by the target code sub-indicator to perform a privileged level check and redirect based on the situation, as shown below:

The target is a consistent code segment:
Requirement: CPL (CS. RPL) ≥ destinationdescriptorcode. DPL and RPL are not checked. Because RPL is cleared to 0, RPL is always satisfied with RPL ≤ DPL. This is consistent with normal redirection and is applicable to JMP and call.
Cpl (newcs. RPL) = CPL (oldcs. RPL) of the program before the jump. Therefore, no transition occurs at the privilege level.

The target code segment is inconsistent:
When the JMP command is used to redirect:
Requirement: CPL (CS. RPL) = destinationdescriptorcode. DPL and RPL <= CPL (CS. RPL) (in fact, RPL is always satisfied because RPL is cleared by 0, so the relationship between RPL and CPL is not checked here ). If the requirements are not met, the program will cause an exception.
Cpl (newcs. RPL) = destinationdescriptorcode. DPL
Because the premise is CPL = DPL, the CPL (newcs. RPL) = destinationdescriptorcode. DPL of the program after the jump will not change the CPL value, and the privilege level will not change. If CPL = DPL is not met during access, an exception is thrown.
When the call command is used to redirect:
Requirement: CPL (CS. RPL) ≥ destinationdescriptorcode. DPL (RPL is cleared 0, not checked). If the requirements are not met, the program will cause an exception.
Cpl (newcs. RPL) = destinationdescriptorcode. DPL
When the condition CPL = DPL, CPL = DPL after the program jumps, the privileged level does not jump; When CPL> DPL, CPL = DPL after the program jumps, the privileged level jumps, this is the only jump method that we can see when the current position changes the current execution of the Program (CPL), that is, using the Call Command + call the door to redirect, the target code segment is a non-consistent code segment.

Summary: The above two types of redirection are described, namely normal jump and call door jump. The redirection can be subdivided into JMP jump and call jump, whether the jump is successful depends on CPL, RPL, and DPL. All redirects are from low-privilege-level code to the same level or higher-level privileged level (DPL), but keep the current execution privileged level (CPL) unchanged, it is a little difficult to tell why the jump to the high-privilege level is not changed, and the "high-privilege level" here refers to the DPL of the target code segment descriptor, it specifies the highest privilege level that can jump to the code segment. The CPL remains unchanged, which means that the privilege level does not jump. We can see that CPL changes will occur only when the call command + call door method is used to jump and the target code segment is inconsistent, that is, the Code Execution privilege-level transition, this is currently the only way to change the execution privilege level. If you know other methods, please leave a message to me.

The above explanations refer to the post of the oldlinux BBSHttp://www.oldlinux.org/cgi-bin/... topic = 73 & show = 0

Note: CS. RPL indicates the register privilege level in the CS register, not the request privilege level.