Protection ring (Operating Systems)

From Bauman National Library
This page was last modified on 8 October 2016, at 09:37.

Protection rings are mechanisms to protect data and functionality from faults (by improving fault tolerance) and malicious behaviour (by providing computer security). This approach is diametrically opposite to that of capability-based security. The structure of privileges can be represented as a series of concentric circles. In this case, the system mode (supervisor mode or no ring, so-called "Ring 0") providing maximum access to resources is the inner circle.

Levels of Privilege program

Pic. 1 Rings privileges x86 architecture in protected mode

How to distribute the programs privileges in the operating system? You can use, for example, such a distribution (see Pic. 1.).

  • Ring 0 - operating system kernel, system drivers
  • Ring 1 - equipment maintenance programs, drivers, programs that work with the ports of the computer I / O
  • Ring 2 - database management system, the expansion of the operating system
  • Ring 3 - applications, user-run

Privilege levels also often called protection rings, shown as nested circles. The most preferred level corresponds to a circle with the greatest degree of nesting. Most modern kernels for the x86 architecture using only two privilege levels - 0 and 3.

Execution of the order of 15 instructions (and a total of several tens) is only possible in ring 0. Other instructions are limitations associated with the valid operands. If these limitations do not exist, then it would be impossible to ensure the functioning mechanisms of protection, since mentioned instructions can avoid them or lead to other negative consequences. Instructions for which there are restrictions, can ispolzovatsja only in kernel code. Trying their performance outside the zero-ring would eliminate #GP (general-protection exception). Exactly the same exception occurs, for example, when a program tries to access invalid memory addresses. Similarly, depending on the level of privilege is used to restrict access to memory and I/O ports.

Implementation

Pic. 2 Protection in x86 at the segment level

Support for multiple rings of protection was one of the revolutionary concepts included in the Multics operating system, the predecessor of today's UNIX-like operating systems. However, most UNIX-systems use only two of the ring, even if the hardware support more CPU mode. Many modern CPU architectures (including the popular x86 architecture) include some form of protection. But despite this, the operating system Windows NT, as well as the UNIX, do not fully use these opportunities.

Mechanism rings severely limits the ways in which control can be passed from one ring to another, and also requires restrictions on the memory access operations that can be made inside the ring. Usually there is some instruction (gateway), which transfers control of the less protected in a more secure (with a lower number) ring; this is known as supervisor query across multiple operating systems using a ring architecture. This mechanism is designed to limit the possibility of accidental or intentional security violations.

Protection rings can be combined with a processor modes (master / kernel / privileged mode against the regime of slave / user / unprivileged) in some systems. Operating system running on the hardware that supports such regimes can use both methods of protecting or only one of them. (See. Pic. 2) Effective use of the architecture of protection rings requires close collaboration between the hardware and the operating system. Operating system is designed so that they have worked on a lot of platforms, may have a different implementation mechanism rings on each platform. security model is often simplified to two levels of access: the level of "core" and the level of "user", even if the hardware providing greater granularity of performance levels.

Kernel mode

Supervisor mode - a privileged processor mode, typically used to execute the operating system kernel. In this mode the processor available privileged operations, such as input-output operations to peripherals, memory protection parameters change, the virtual memory settings, the system parameters and other configuration parameters. Typically, in supervisor mode or no valid memory protection limit, or they may be arbitrarily changed, so the code running in this mode, generally has full access to all system resources (address space and processor registers configuration and so Further). In many types of processors is the most preferred mode of all available modes.

One known exception to this rule: some modern processors may be present even more privileged hypervisor mode is usually used for the purpose of virtualization, that is, parallel operation of multiple operating systems on a single processor. In this case, the settings made from the hypervisor mode, may make some restrictions on direct access to system resources and the periphery of the supervisory regime in order to give the opportunity to the hypervisor arbitration and restricting access to system resources and peripheral unnoticed by operating in parallel operating systems.

Hyperviros

The hypervisor or a virtual machine monitor (on computers) - a program or a hardware circuit that provides or allows simultaneous, parallel execution of multiple operating systems on the same host computer. The hypervisor also provides isolation of operating systems from each other, defense and security division of resources between the various operating systems running and management. The hypervisor can also be (and must) provide working under its control on the same host computer OS communication and interaction with each other (for example, through the exchange of files or network connections), as if these operating systems run on different physical machines. The hypervisor itself is in some way is the minimum operating system (or microkernel nanokernel). It provides a running under its operating system, virtual machine service, virtualizing or emulating the real (physical) hardware specific machine. And manage virtual machines, resource allocation and release them. The hypervisor allows independent "incorporation" reboot "off" any of the virtual machines to a particular operating system. At the same operating system running in a virtual machine running a hypervisor, may, but is not required to "know" that it is running in a virtual machine, rather than on real hardware.

OS on x86

Pic. 3 Protection rings in modern OS

Popular operating systems for x86 (including DOS (with EMM386.EXE -Speichermanager), Linux and Windows,) use only two of the four possible CPU-rings. In Ring 0, the kernel and device drivers all performed while the application software in the non-privileged ring 3 works. Thus, there remains the operating system also provides portability on the processor architecture, which can be identified only two rings. OS / 2, however, used the ring 2 for graphics drivers. [1] specially adapted MMU version of EMM386 supplied with the development of the DOS protected operation of services mode (for the Novell DOS 7, OpenDOS 7.01 DR-DOS 7.02 and above) allows DPMS on the ring 1 instead of working on the ring 0, thereby contributing to the elimination of software problems software that uses DPMS.

Increasingly used solutions also use virtualization ring 1. In this case, the operating system kernel is shifted from the 0 rings in the ring 1, is a hypervisor Then, as the top layer, in ring 0, and controls one or more operating in the kernel of the operating system 1 Ring. However, it can also be used for rootkits malicious code injection to be unnoticed by the user on the ring 0 (see also virtual machines on the basis Rootkit).

Segments type

The field TYPE descriptor defines the way in which it is possible to use one or the other segment. Separating segments types helps protect against accidental or intentional use segments for other purposes.

A code segment can be closed by setting a bit for R read in byte access. These segments can only perform, but can not be read. The code segment can not record any data. In such case only the CS can load selectors which are code segments.

The data segments may be closed to entry by setting a bit in a byte access W. Segment data can not pass control by downloading it to the register selector CS. Descriptors Some types, such as describing the location of the LDT table or segment of task state, which we will discuss later, can not be used to read or write, even if the program is carried out in a zero priority ring. In such a case it is necessary to create additional (aliasnye) descriptors in which the same segments as data segments are described.

Boundaries of segments

Real-mode programs always work with segments of 64 Kbytes. If the program consists of several segments, some segments may overlap. There is a potential danger that as a result of a programming error (such as an array index is out of range) will occur post in another segment.

i80286 processor allows you to create segments of any size within a 64 kilobyte (processors i80386 and i80486 can work with the segments of 4 gigabytes). In addition, it ensures that when addressing memory did not occur going beyond segment boundaries.

The boundaries of the segment limit specified field in the descriptor segment. We have already said that the value of this field must be equal to the size of the segment in bytes minus one. Interpretation of the field limit depends on the D bit field access. For segments stacks must be installed D field to 1. In this case, an attempt to write to a stack overflow will cause interruption of the program. In response to this interrupt the operating system can, for example, to allocate more memory for the stack. In the real mode stack overflow and is not controlled can lead to destruction of the program or operating system.

Sources

  • Blue pill/red pill - the matrix has windows longhorn (рус.). InsidePro Software.
  • Ousterhout, J. K. 1990. Why aren't operating systems getting faster as fast as hardware? In Usenix Summer Conference, Anaheim, CA, pp. 247-256.