
Privileges for Ring 3

Posted: Tue Dec 02, 2003 1:32 pm
by Therx
I was wondering how I could restrict ring 3 access to things such as cli, out, in, etc., as any of these could slow the system or crash the hardware. Do I have to use a TSS, as my multitasking is software based?

Pete

Re: Privileges for Ring 3

Posted: Tue Dec 02, 2003 1:39 pm
by Pype.Clicker
According to the Intel manuals, I think that you cannot do a CLI/STI in DPL3 without triggering a GPF. IN/OUT instructions will also be restricted (the CPU will first test the IOPL in flags and then look up a 'go' bit in the IOMAP of the TSS (if any)).

There is, however, an extension that allows you to fake interrupt clearing/setting through VIF: when a DPL3 program does "CLI", the VIF bit is cleared, and when an interrupt is received, the system may decide to check the VIF bit and set VIP (Virtual Interrupt Pending).

If the usermode code now does an STI while VIP is set, something will happen (I guess it'll be a GPF again -- check the manuals to be sure).

I don't have my SPG digest here ... so everything comes directly from /dev/brain

Re: Privileges for Ring 3

Posted: Tue Dec 02, 2003 1:43 pm
by mr. xsism
Correct, ring3 automatically cannot do certain opcodes. There was a list in the docs or on a web site I was reading recently. I think it was vol3 of the Intel docs, but I could be mistaken.

ring0 can do anything ;D muhahahaha

Re: Privileges for Ring 3

Posted: Tue Dec 02, 2003 2:12 pm
by Therx
The restricted instructions are the following, according to Intel. But CLI/STI aren't there.
• LGDT: Load GDT register.
• LLDT: Load LDT register.
• LTR: Load task register.
• LIDT: Load IDT register.
• MOV (control registers): Load and store control registers.
• LMSW: Load machine status word.
• CLTS: Clear task-switched flag in register CR0.
• MOV (debug registers): Load and store debug registers.
• INVD: Invalidate cache, without writeback.
• WBINVD: Invalidate cache, with writeback.
• INVLPG: Invalidate TLB entry.
• HLT: Halt processor.
• RDMSR: Read Model-Specific Registers.
• WRMSR: Write Model-Specific Registers.
• RDPMC: Read Performance-Monitoring Counter.
• RDTSC: Read Time-Stamp Counter.
I've found the IOPL flag in the EFLAGS register. It says that this can only be modified by popf and iret. Does this mean that I have to fiddle with the stack? Would the following work?

Code:

pushf                   ; push EFLAGS onto the stack
mov eax, [esp]          ; read the pushed EFLAGS value
and eax, ~(3 << 12)     ; clear bits 12 and 13, the IOPL field
mov [esp], eax          ; write the modified value back
popf                    ; reload EFLAGS (the IOPL change only takes effect at CPL 0)
Sorry, my assembly's poor.

Pete

Re: Privileges for Ring 3

Posted: Tue Dec 02, 2003 2:38 pm
by Pype.Clicker
Actually, only the DPL0 code will be allowed to change the IOPL ... And usually, it will do so only once at thread startup.
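As an added example (not code from this thread), a C sketch of the two checks Pype.Clicker describes: ring 0 setting IOPL once in the EFLAGS of a new ring-3 thread, and the CPU's IOPL / TSS I/O-bitmap test that decides whether CLI/STI and IN/OUT fault. The TSS is reduced to just the bitmap, and port 0x3F8 is a constructed sample value.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* EFLAGS bits relevant to the thread (Intel SDM vol. 3 EFLAGS layout). */
#define EFLAGS_IF         (1u << 9)
#define EFLAGS_IOPL_SHIFT 12
#define EFLAGS_IOPL_MASK  (3u << EFLAGS_IOPL_SHIFT)
#define IOMAP_BYTES       (65536 / 8)

/* Hypothetical minimal TSS: only the I/O permission bitmap is modelled. */
struct tss_iomap {
    uint8_t bitmap[IOMAP_BYTES + 1];  /* +1: required trailing all-ones byte */
};

static unsigned eflags_iopl(uint32_t eflags) {
    return (eflags & EFLAGS_IOPL_MASK) >> EFLAGS_IOPL_SHIFT;
}

/* EFLAGS that ring 0 installs once for a new ring-3 thread: IF set, IOPL chosen. */
uint32_t user_initial_eflags(unsigned iopl) {
    uint32_t f = 0x2u | EFLAGS_IF;    /* bit 1 is reserved and always set */
    return (f & ~EFLAGS_IOPL_MASK) | ((iopl & 3u) << EFLAGS_IOPL_SHIFT);
}

/* CLI/STI at CPL > IOPL raise #GP (the VME/VIF extension is not modelled). */
bool cli_sti_faults(uint32_t eflags, unsigned cpl) { return cpl > eflags_iopl(eflags); }
/* A set bit in the bitmap denies that port; start by denying every port. */
void iomap_deny_all(struct tss_iomap *t) { memset(t->bitmap, 0xFF, sizeof t->bitmap); }
void iomap_allow_port(struct tss_iomap *t, uint16_t port) {
    t->bitmap[port / 8] &= (uint8_t)~(1u << (port % 8));
}

/* Mirror of the CPU check for an IN/OUT of `width` bytes at `port`:
 * CPL <= IOPL skips the bitmap, otherwise every byte's bit must be clear. */
bool io_access_faults(uint32_t eflags, unsigned cpl, const struct tss_iomap *t,
                      uint16_t port, unsigned width) {
    if (cpl <= eflags_iopl(eflags)) return false;
    for (uint32_t p = port; p < (uint32_t)port + width; p++)
        if (p >= 65536u || (t->bitmap[p / 8] & (1u << (p % 8)))) return true;
    return false;
}

/* Worked scenario: IOPL=0, every port denied except constructed sample port 0x3F8. */
bool scenario_port_faults(uint16_t port, unsigned width, unsigned cpl) {
    static struct tss_iomap tss;
    iomap_deny_all(&tss);
    iomap_allow_port(&tss, 0x3F8);
    return io_access_faults(user_initial_eflags(0), cpl, &tss, port, width);
}
```

With IOPL=0 in the thread's EFLAGS, ring 3 faults on CLI/STI and on every port not explicitly cleared in the bitmap, while ring 0 passes both checks without consulting the bitmap at all.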

Re: Privileges for Ring 3

Posted: Tue Dec 02, 2003 3:01 pm
by Therx
Yeah, I understand EFLAGS can't be modified by Ring 3 in any way. I was more concerned about my assembly code. Would it have worked? And also, how can I restrict cli/sti usage?

Pete

Re: Privileges for Ring 3

Posted: Wed Dec 03, 2003 3:26 am
by Pype.Clicker
Well,

Code:

   IOPL_MASK  equ ~(3 << 12)    ; clears EFLAGS bits 12-13 (the IOPL field)
   IOPL_VALUE equ (0 << 12)     ; desired IOPL; 0 is an assumed example value
   pushf                        ; push EFLAGS
   pop eax                      ; ... and pop it into a register
   and eax,IOPL_MASK            ; clear the old IOPL
   or eax,IOPL_VALUE            ; set the new IOPL
   push eax                     ; push the modified value
   popf                         ; reload EFLAGS
should be fine, no?
As a generic rule, I discourage the [esp] addressing because you may have surprises with the content of [esp] as your code is fixed/updated, etc.

Re: Privileges for Ring 3

Posted: Wed Dec 03, 2003 7:07 am
by Candy
If I may connotate this some more, there's a small thing wrong:

Code:

   pushf -> pushfd
   pop eax
   and eax,IOPL_MASK
   or eax,IOPL_VALUE
   push eax
   popf -> popfd
eax is a 32-bit register, while flags are generally 16-bit. Not sure whether it makes any difference in bytecode terms, but this is at least logically the same size.

Re: Privileges for Ring 3

Posted: Wed Dec 03, 2003 10:03 am
by Pype.Clicker
Oops ... did I say "pushf"? ...
Well, pushfd is more likely to work on any Intel-like assembler :)

btw, "bytecode" is for virtual machines. For real machines, one usually refers to "opcode" :p