a hardware architecture for implementing protection rings
DESCRIPTION
My take on this famous paper on protection rings, made for my graduate OS class
TRANSCRIPT
![Page 1: A Hardware Architecture For Implementing Protection Rings](https://reader033.vdocument.in/reader033/viewer/2022061120/546d0b11af79595e658b823b/html5/thumbnails/1.jpg)
I <3
Cornell
A Hardware Architecture for Implementing Protection Rings
Schroeder & Saltzer: Mighty Institute of Terminology (m.i.t.)
Brought to you by: Chris Sosa
![Page 2: A Hardware Architecture For Implementing Protection Rings](https://reader033.vdocument.in/reader033/viewer/2022061120/546d0b11af79595e658b823b/html5/thumbnails/2.jpg)
Overview
- Introduction of Protection Rings
- Allows multiple domains to be associated with a process, and process domain movement during execution
- Hardware (a.k.a. Computer Architecture) Implementation of Protection Rings for Multics
![Page 3: A Hardware Architecture For Implementing Protection Rings](https://reader033.vdocument.in/reader033/viewer/2022061120/546d0b11af79595e658b823b/html5/thumbnails/3.jpg)
Motivation
- Basic access control mechanisms only allow one set of access permissions (a domain) for a user per resource
- Intrinsic need to change access capabilities of a user as his/her process runs
- User A may wish to allow user B to access sensitive data but only through a special program
![Page 4: A Hardware Architecture For Implementing Protection Rings](https://reader033.vdocument.in/reader033/viewer/2022061120/546d0b11af79595e658b823b/html5/thumbnails/4.jpg)
Four Sets of Criteria to Judge Protection Mechanisms
- Functional Capability
- Economy
- Simplicity
- Programming Generality
![Page 5: A Hardware Architecture For Implementing Protection Rings](https://reader033.vdocument.in/reader033/viewer/2022061120/546d0b11af79595e658b823b/html5/thumbnails/5.jpg)
What is a Protection Ring?
This does not meet our economy criteria!
… let’s try again
![Page 6: A Hardware Architecture For Implementing Protection Rings](https://reader033.vdocument.in/reader033/viewer/2022061120/546d0b11af79595e658b823b/html5/thumbnails/6.jpg)
Protection Rings
- Each process is associated with r domains, numbered 0 -> r-1, called rings
- Concentric = privileges of ring m are a subset of the privileges of ring n when m > n
Ring 0 =
![Page 7: A Hardware Architecture For Implementing Protection Rings](https://reader033.vdocument.in/reader033/viewer/2022061120/546d0b11af79595e658b823b/html5/thumbnails/7.jpg)
Protection Rings (cont’d)
- Typical R/W/E privileges divided into brackets
- R/W brackets must start at ring 0, why?
- Allows for lowest-numbered ring of execution to be specified (not necessarily 0). Why might this be a good thing?
![Page 8: A Hardware Architecture For Implementing Protection Rings](https://reader033.vdocument.in/reader033/viewer/2022061120/546d0b11af79595e658b823b/html5/thumbnails/8.jpg)
Moving Between Protection Rings
- Downward movement restricted to “gates”
  - Specific program locations
  - During execution allows a process to enter a lower domain
  - Example of gates?
- Upward movement is unrestricted (but you must use a special call to do it)
![Page 9: A Hardware Architecture For Implementing Protection Rings](https://reader033.vdocument.in/reader033/viewer/2022061120/546d0b11af79595e658b823b/html5/thumbnails/9.jpg)
Revisiting Gate Extension
Bracket that defines from which rings gate movement is allowed
Possible use of this in Windows?
![Page 10: A Hardware Architecture For Implementing Protection Rings](https://reader033.vdocument.in/reader033/viewer/2022061120/546d0b11af79595e658b823b/html5/thumbnails/10.jpg)
Call and Return
- Procedure transfer = subroutine call
- Easy to validate protection rings
- If Call goes through gate => validate caller’s ring w.r.t. gate extension
- Return restores caller’s ring
![Page 11: A Hardware Architecture For Implementing Protection Rings](https://reader033.vdocument.in/reader033/viewer/2022061120/546d0b11af79595e658b823b/html5/thumbnails/11.jpg)
Three Issues with Downward Calls
1. Find new stack area
   - Each process has a stack segment per ring
2. Argument validation
   - Procedure assumes more restricted access capabilities of caller when accessing operand references
3. Knowledge of caller’s ring
   - Processor leaves this in a read-only register
![Page 12: A Hardware Architecture For Implementing Protection Rings](https://reader033.vdocument.in/reader033/viewer/2022061120/546d0b11af79595e658b823b/html5/thumbnails/12.jpg)
Other calls?
- Dealing with a call and return that doesn’t change rings is trivial … duh!
- Upward calls are hard
  - Their solution, let’s not support it!
  - What’s wrong with keeping the protection ring of the caller?
  - Internet Explorer bugs anyone?
![Page 13: A Hardware Architecture For Implementing Protection Rings](https://reader033.vdocument.in/reader033/viewer/2022061120/546d0b11af79595e658b823b/html5/thumbnails/13.jpg)
Computer Architecture Support
Hot or Not?
![Page 14: A Hardware Architecture For Implementing Protection Rings](https://reader033.vdocument.in/reader033/viewer/2022061120/546d0b11af79595e658b823b/html5/thumbnails/14.jpg)
Quick Review of the Multics before Protection Rings
- Each user has individual VM
- A segment is the unit of Access Control
- Users have R/W/E privileges defined per segment (flags)
- Flags stored with segment descriptor in H/W
- … for more information on hardware: see paper (for those Clints out there)
![Page 15: A Hardware Architecture For Implementing Protection Rings](https://reader033.vdocument.in/reader033/viewer/2022061120/546d0b11af79595e658b823b/html5/thumbnails/15.jpg)
Quick Review of Multics AFTER Protection Rings
- Eight Rings
- Modification of SDW to include three 3-bit values for bracket management
  - R0 -> SDW.R1 = Write
  - SDW.R1 -> SDW.R2 = Execute
  - SDW.R2+1 -> SDW.R3 = Gate Extension
  - Read = Execute, loses some flexibility
- Other modifications that only involve adding a 3-bit ring field denoting required or current ring
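
Added example (not from the slides and not the paper's own code): a C model of the SDW bracket checks listed above, together with the gate and argument-validation rules from the Call and Return slides. The field name gate_count, the two sample segments, and the rule that a downward call enters at SDW.R2 are assumptions of this model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model of an SDW: three ring numbers (3-bit values, 0..7) plus R/W/E flags.
   gate_count (gates = word offsets 0..gate_count-1) is an assumed field. */
typedef struct {
    unsigned r1, r2, r3;               /* invariant: r1 <= r2 <= r3 */
    bool read, write, execute;
    unsigned gate_count;
} sdw_t;

enum { CALL_DENIED = -1, CALL_UPWARD_UNSUPPORTED = -2 };

/* Write bracket: rings 0..R1. */
bool can_write(const sdw_t *s, unsigned ring) { return s->write && ring <= s->r1; }
/* Read bracket: rings 0..R2 (same top as the execute bracket). */
bool can_read(const sdw_t *s, unsigned ring) { return s->read && ring <= s->r2; }
/* Execute bracket: rings R1..R2. */
bool can_execute(const sdw_t *s, unsigned ring) {
    return s->execute && ring >= s->r1 && ring <= s->r2;
}

/* Argument validation: a called procedure checks operand references with the
   less privileged (higher-numbered) of its own ring and the caller's ring. */
unsigned effective_ring(unsigned current, unsigned caller) {
    return current > caller ? current : caller;
}

/* Ring the callee runs in, or a negative CALL_* code. */
int call_target_ring(const sdw_t *s, unsigned ring, unsigned offset) {
    if (!s->execute) return CALL_DENIED;
    if (ring < s->r1) return CALL_UPWARD_UNSUPPORTED;  /* upward call */
    if (ring <= s->r2) return (int)ring;               /* inside execute bracket */
    if (ring <= s->r3 && offset < s->gate_count)       /* gate extension + gate */
        return (int)s->r2;                             /* downward call (assumed target) */
    return CALL_DENIED;
}

/* Constructed sample segments (not taken from the paper). */
static const sdw_t GATE_SEG = { .r1 = 1, .r2 = 1, .r3 = 5, .read = true,
                                .execute = true, .gate_count = 4 };
static const sdw_t RING1_DATA = { .r1 = 1, .r2 = 1, .r3 = 1,
                                  .read = true, .write = true };

int main(void) {
    printf("ring 4 via gate 2   -> %d\n", call_target_ring(&GATE_SEG, 4, 2));
    printf("ring 4 via offset 9 -> %d\n", call_target_ring(&GATE_SEG, 4, 9));
    printf("ring-1 callee reads ring-1 data for ring-4 caller: %d\n",
           can_read(&RING1_DATA, effective_ring(1, 4)));
    return 0;
}
```

The last line of output is the case the argument-validation slide is about: the ring-1 procedure could read the segment on its own behalf, but not when the reference came from a ring-4 caller.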
![Page 16: A Hardware Architecture For Implementing Protection Rings](https://reader033.vdocument.in/reader033/viewer/2022061120/546d0b11af79595e658b823b/html5/thumbnails/16.jpg)
An Example
- Retrieval of Next Instruction to be executed
![Page 17: A Hardware Architecture For Implementing Protection Rings](https://reader033.vdocument.in/reader033/viewer/2022061120/546d0b11af79595e658b823b/html5/thumbnails/17.jpg)
Issues
- Complicated to design user programs with rings
- Rare to see more than two rings used
  - We have seen some exceptions … see Xen
- Implementation lacked some features
  - Execution end bracket same as read bracket
  - Didn’t implement upward movement in terms of ring movement
![Page 18: A Hardware Architecture For Implementing Protection Rings](https://reader033.vdocument.in/reader033/viewer/2022061120/546d0b11af79595e658b823b/html5/thumbnails/18.jpg)
Questions?