Windows Background Knowledge 2: Interrupts, Exceptions, and Windows Protection Mechanisms

Source: Internet
Author: User

Windows Privilege Protection

Windows privilege protection is inseparable from the processor's hardware support. The division into privilege levels, the permission checks on instructions, and the exception handling for accesses that exceed those permissions together form the basis of privilege protection.


What is an interrupt?

An interrupt is the mechanism by which something more urgent that arises while a program is executing gets handled in real time (for example, when data arrives at the serial port it is lost if not processed promptly, so the serial controller submits an interrupt signal to the processor to have it handled). The hardware notifies the processor through the interrupt controller; the processor temporarily suspends the currently running program and transfers to the interrupt service routine. When the service routine has finished, it returns to the interrupted program through the iret instruction, and that program continues executing.


What is an exception?

An exception is an error during instruction execution that cannot be ignored (for example, an invalid opcode, or a divide instruction dividing by zero). It is handled in the same way as an interrupt: the currently running program is suspended and control is transferred to the exception handler. The exception handler decides whether, once the error has been corrected, to return to the original location and continue execution.


Interrupts and exceptions are handled in the same way.

Interrupt or exception handling in real mode: the addresses of the interrupt and exception service routines are stored in the interrupt vector table, which lives in physical memory. Each interrupt vector is an address in the form xxxx:yyyy and occupies 4 bytes. When exception N occurs, interrupt N arrives, or the int n instruction is executed, the CPU first fetches the service routine address AAAA:BBBB from memory at n × 4; it then pushes the flags register and the CS and IP at the moment of interruption onto the stack, and transfers to AAAA:BBBB for execution (step 2). When the service routine finally executes iret, the CPU restores the flags register from the stack, pops CS and IP, and returns.

Interrupt or exception handling in protected mode: here, handling an interrupt or exception usually means switching from user code to operating system code. Because code in protected mode runs at different privilege levels, this involves transferring from a low-privilege application into higher-privilege system code. If low-privilege code could call high-privilege code freely, it would effectively hold the permissions of that high-privilege code. To let high-privilege code be called safely from low-privilege code, protected mode introduces the concept of a "gate". A gate points to an entry point designated by the higher-privilege program; whenever lower-privilege code calls higher-privilege code, it can only go through the gate to the entry point the gate designates. This prevents low-level code from entering higher-privilege programs at arbitrary locations. In protected mode, the service routines for interrupts and exceptions must likewise be entered through a gate. On the 80386, gates come in several types: interrupt gates, trap gates, and task gates.

In protected mode, describing an interrupt or exception service routine takes 8 bytes, which hold the gate type and the entry address in the form xxxx:yyyyyyyy. This set of information is called an "interrupt descriptor". The interrupt vector table therefore cannot use the same 4-byte format as in real mode. In protected mode, all interrupt descriptors are placed together to form the Interrupt Descriptor Table (IDT). The IDT is no longer located at a fixed address; it is set up in a programmable way, and the number of interrupts supported can also be configured. For this purpose the 80386 introduces a new 48-bit register, idtr. The upper 32 bits of idtr specify the base (linear) address of the IDT in memory, and the lower 16 bits specify the length of the IDT, which determines the number of interrupts that can be supported.

As shown in Figure 1.8, when an exception or interrupt occurs in protected mode, the processor locates the IDT via the idtr register, fetches the gate descriptor for interrupt/exception number N, and from that descriptor obtains the service routine address XXXX:yyyyyyyy. After the segment address is translated, the 32-bit linear address of the service routine is obtained, and control is transferred there.
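The lookup just described, written out as an added C example (not code from the tutorial): a constructed 256-byte memory image holds a real-mode vector table at 0 and a protected-mode IDT at an assumed base of 0x80, a simulated idtr carries the base and 16-bit limit, and idt_lookup walks from idtr to the 8-byte gate for vector N and pulls out the selector, 32-bit offset, gate type and DPL. The byte layout (offset bits 0..15, selector, reserved, P/DPL/type byte, offset bits 16..31) is the 80386 gate descriptor format.

```c
#include <stdint.h>
#include <string.h>

/* Gate types found in the low 4 bits of byte 5 of an 80386 IDT entry. */
enum gate_type { TASK_GATE = 0x5, INT_GATE = 0xE, TRAP_GATE = 0xF };

struct idtr   { uint32_t base; uint16_t limit; };                         /* simulated idtr */
struct lookup { uint16_t selector; uint32_t offset; int type; int dpl; }; /* decoded gate */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void put16(uint8_t *p, uint16_t v) { p[0] = v & 0xFF; p[1] = v >> 8; }

/* Protected mode: walk from idtr to vector n. Returns -1 if n lies beyond the IDT
 * limit, -2 if the gate's present bit is clear, else 0 and fills *out. */
int idt_lookup(const struct idtr *r, const uint8_t *mem, unsigned n, struct lookup *out) {
    uint32_t entries = ((uint32_t)r->limit + 1) / 8;   /* limit in bytes -> vector count */
    if (n >= entries) return -1;
    const uint8_t *e = mem + r->base + n * 8;          /* 8-byte descriptor at base + n*8 */
    uint8_t attr = e[5];                               /* P | DPL(2) | 0 | type(4) */
    if (!(attr & 0x80)) return -2;
    out->selector = rd16(e + 2);                             /* the xxxx part (code selector) */
    out->offset   = ((uint32_t)rd16(e + 6) << 16) | rd16(e); /* the yyyyyyyy part */
    out->type     = attr & 0x0F;
    out->dpl      = (attr >> 5) & 3;
    return 0;
}

/* Real mode: 4-byte xxxx:yyyy vector at n*4, turned into a 20-bit linear address. */
uint32_t ivt_linear(const uint8_t *mem, unsigned n) {
    return (uint32_t)rd16(mem + n * 4 + 2) * 16 + rd16(mem + n * 4);
}

static void put_gate(uint8_t *e, uint16_t sel, uint32_t off, int type, int dpl, int present) {
    put16(e, (uint16_t)(off & 0xFFFF)); put16(e + 2, sel); e[4] = 0;
    e[5] = (uint8_t)((present ? 0x80 : 0) | (dpl << 5) | type);
    put16(e + 6, (uint16_t)(off >> 16));
}

#define IDT_BASE 0x80u   /* assumed: IDT placed at linear 0x80 inside the 256-byte image */

/* Constructed memory image: real-mode IVT at 0, protected-mode IDT with 4 gates at IDT_BASE. */
void build_sample(uint8_t mem[256], struct idtr *r) {
    memset(mem, 0, 256);
    put16(mem + 1 * 4, 0x0010); put16(mem + 1 * 4 + 2, 0xF000);            /* IVT[1] = F000:0010 */
    r->base = IDT_BASE; r->limit = 4 * 8 - 1;
    put_gate(mem + IDT_BASE + 0 * 8, 0x0008, 0x80101234, INT_GATE, 0, 1);  /* vector 0: kernel only */
    put_gate(mem + IDT_BASE + 1 * 8, 0x0008, 0x80105678, TRAP_GATE, 3, 1); /* vector 1: int 1 usable from ring 3 */
    put_gate(mem + IDT_BASE + 2 * 8, 0x0028, 0, TASK_GATE, 0, 1);          /* vector 2: TSS selector only */
    /* vector 3 is left with P = 0 (not present) */
}
```

A gate's DPL is what decides whether a user-mode int n may enter it, which is why vector 1 above carries DPL 3 while the divide-error vector 0 carries DPL 0.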

In protected mode, a user program cannot write to the interrupt descriptor table, because it would otherwise be able to reach high-privilege code from low-privilege code, and security problems would follow (the CIH virus comes to mind). Closing the window keeps out the flies, but it also keeps out the breeze: a user's system extension program can no longer provide services the way it did under DOS, because the user program has no permission to point an interrupt address at its own code.

Under Windows, the operating system provides system functions through dynamic link libraries instead of interrupt service routines, so int instructions have no meaning in Win32 assembly. This is why int instructions are never seen in Win32 assembly source code. At the lowest level, however, the API calls are themselves still implemented with int instructions.

The section above is really wonderful. When I was studying digital logic in college, I clearly remember there being interrupt service calls, and I felt something was missing between the interrupt and the later Windows dynamic link library; I learned it in a confused way. Now I understand where the dynamic link library comes from.


80386 Protection Mechanism

Processors before the 80286 supported only a single task, and the operating system had no security: all computer resources, including the operating system's internal resources, could be used by programmers. In a multitasking operating system, however, a misbehaving program cannot be allowed to do whatever it likes, so the 80286 and later processors introduced the concept of privilege levels. The 80386 has four privilege levels (0 to 3). Level 0 is the highest (the privileged level); level 3 is the lowest (the user level); levels 1 and 2 lie in between. Code at the privileged level is generally operating system code and can access all system resources; code at the other levels is generally user program code, and the resources it can access are restricted.

The 80386 protection mechanism is mainly used to check for and prevent unauthorized operations by low-privilege code, such as accessing data and ports it should not access, or calling high-privilege code. The protection mechanism consists of the following aspects:

  • Segment type check: the segment type is specified by the segment descriptor; its main attributes are executable, readable, and writable. There are limits on which types of segment descriptor can be loaded into CS, DS, and SS: a non-executable segment cannot be loaded into CS, an unreadable segment cannot be loaded into a data segment register such as DS or ES, and an unwritable segment cannot be loaded into SS. If the segment type check fails, the processor raises a general protection exception or a stack exception.
  • Page type check: in addition to specifying at the segment level whether the whole segment can be read or written, the page table can specify for each page whether it is writable. For code executing at the privileged level, all pages are writable; for code at levels 1, 2, and 3, whether a page can be written is determined by the R/W bit in the page table entry. Attempting to write a read-only page raises a page exception.
  • Data access level check: code with a lower privilege level cannot access a data segment with a higher privilege level. An 80386 segment descriptor has a DPL field (descriptor privilege level), which indicates the lowest privilege level that may access the segment; the segment selector contains an RPL field (requested privilege level), which indicates the privilege level of the currently executing code. The segment is accessible only when the DPL value is greater than or equal to the RPL value; otherwise, a general protection exception occurs.
  • Control transfer check: the processor has many instructions that transfer control, such as JMP, CALL, RET, INT and IRET, but lower-privilege code cannot transfer freely into higher-privilege code. When these instructions execute, the processor must check whether the destination of the transfer is legal.
  • Instruction set check: two kinds of instruction can affect the protection mechanism. The first kind changes key registers such as the GDT, LDT, IDT and control registers; these are called privileged instructions. The second kind operates on I/O ports or changes the interrupt enable state, such as CLI and STI; these are called sensitive instructions. Imagine that a user-level program could use STI to block all interrupts (including the clock interrupt): the whole system would stop working normally, so execution of these instructions is restricted. Privileged instructions can only run at privilege level 0, and sensitive instructions depend on the IOPL bits in the EFLAGS register: the instruction can execute only when the privilege level indicated by IOPL is higher than or equal to the privilege level of the current code segment.
  • I/O operation protection: I/O addresses are also protected objects, because I/O operations can bypass the system and control a great deal of hardware. The 80386 can protect the I/O space separately. Each task has a TSS (task state segment) that records the task's switching information, and within the TSS there is an I/O permission bitmap indicating whether each I/O port may be accessed. If the bit in the bitmap corresponding to an I/O address is 0, the operation is permitted; if it is 1, the IOPL bits in EFLAGS are also consulted, and the port may be accessed only when the privilege level indicated by IOPL is higher than or equal to the privilege level of the current code segment.
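As an added illustration (not code from the tutorial), the following C models the checks above as pure functions: CPL, RPL, DPL and IOPL are passed in as numbers, and the TSS I/O permission bitmap is a constructed 128-byte array in which the 3F8h and 1F0h port blocks that the page later names as system-defined are marked protected. The data-access rule also folds in CPL, which is the 80386's full rule and goes beyond the DPL/RPL half stated in the text; the control-transfer rule models the gate from the previous section.

```c
#include <stdint.h>
#include <string.h>

/* Privilege levels: 0 = most privileged (kernel), 3 = least (user). */
#define MAX(a, b) ((a) > (b) ? (a) : (b))

/* Privileged instructions (lgdt, lidt, mov to CRx ...): only at level 0. */
int privileged_instr_allowed(int cpl) { return cpl == 0; }

/* Sensitive instructions (in/out, cli/sti): allowed when CPL <= IOPL numerically,
 * i.e. the current code is at least as privileged as the level IOPL names. */
int sensitive_instr_allowed(int cpl, int iopl) { return cpl <= iopl; }

/* Data segment access: the effective requestor level is the weaker (numerically
 * larger) of CPL and the selector's RPL, and it must not exceed the descriptor's DPL.
 * The page states the DPL >= RPL half; including CPL is the 80386's full rule. */
int data_access_allowed(int cpl, int rpl, int dpl) { return MAX(cpl, rpl) <= dpl; }

/* Control transfer: a direct jmp/call may only land in code of the same level; reaching
 * more privileged code requires a gate whose DPL admits the caller (cpl <= gate_dpl). */
int transfer_allowed(int cpl, int target_dpl, int via_gate, int gate_dpl) {
    if (!via_gate) return target_dpl == cpl;
    return cpl <= gate_dpl && target_dpl <= cpl;
}

/* I/O port check as the page describes it: a 0 bit in the TSS I/O permission bitmap
 * permits the port outright; a 1 bit (or a port past the end of the bitmap) falls
 * back to the IOPL test. */
int io_port_allowed(const uint8_t *bitmap, unsigned bitmap_bytes, unsigned port,
                    int cpl, int iopl) {
    unsigned byte = port / 8;
    int bit = (byte < bitmap_bytes) ? (bitmap[byte] >> (port % 8)) & 1 : 1;
    if (bit == 0) return 1;
    return sensitive_instr_allowed(cpl, iopl);
}

/* Constructed bitmap for ports 0..0x3FF: the 3F8h-3FFh (serial) and 1F0h-1F7h (disk)
 * blocks are marked 1 (protected); everything else, e.g. a user card at 300h, is 0. */
void build_bitmap(uint8_t bitmap[128]) {
    memset(bitmap, 0, 128);
    bitmap[0x3F8 / 8] = 0xFF;
    bitmap[0x1F0 / 8] = 0xFF;
}
```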

Windows Protection Mechanism

In Windows, the operating system runs at level 0 and applications run at level 3. The Alpha processor supports only two privilege levels, so to make porting applications to Alpha easier, Windows does not use levels 1 and 2.

Windows makes full use of the 80386 protection mechanism: everything closely tied to the operating system is protected, and user programs running at privilege level 3 face many restrictions. All resources can be used only when writing drivers such as VxDs.

In Win32 assembly programming, avoid the following unauthorized operations (writing drivers is of course not covered here):

  • Obviously, no privileged instruction can be executed, such as lgdt, lldt, lidt, or writes to the CRx and TRx registers. Instructions that only read the important registers can be executed, however, such as sgdt, sldt, and sidt.
  • Windows gives different attributes to the memory pages of the code segment and the data segment in the page table: the code segment cannot be written, and only the pages of the variable section in the data segment are writable. So although the full 4 GB address space is addressable, an access that exceeds the permitted limit still causes a protection exception.
  • In Windows 98, the I/O ports used by system hardware are protected, but other ports can be accessed. If a user installs a card of their own in the machine and uses a port not defined by the system (such as H), it can be operated directly from the application; but operating system-defined ports such as 3F8h (serial port) and 1F0h (hard disk port) will not work. In Windows NT, no port operation at all is allowed.

If you violate the "protection regulations" laid down by Windows, a protection exception is raised and the processor unhesitatingly transfers control to the corresponding exception handler. In that handler, Windows uses a cold "illegal operation" dialog box to sentence the user's program to death, with no room for appeal! Under Windows 9x, the system sometimes also uses a blue screen to notify the user that a program tried to access a non-existent memory page.

If an error occurs in a DLL the program calls, the error is still charged to the application, because the DLL's address space is mapped into the application's space. Windows 9x itself is a mixed 32-bit and 16-bit operating system; to remain compatible with DOS and Win16 programs, many of its protection measures are incomplete, so unauthorized operations often occur inside the system itself, and the blue screens keep coming even when the user application is not at fault.


From "Win32 Assembly Tutorial" by Luo Yunbin
