hardware privilege levels, interactions with privileged software instructions Flashcards
An operating system is a powerful and usually extensive program that controls and manages the hardware and other software on a computer.
All computers and computer-like devices require operating systems, including your laptop, tablet, desktop, smartphone, smartwatch, and router.
hierarchical protection domains/ protection rings
protect data and functionality from faults by improving fault tolerance and malicious behavir by providing computer security.
A protection ring is one of two or more hierarchical levels or layers of privilege within the architecture of a computer system. This is generally hardware-enforced by some CPU architectures that provide different CPU modes at the hardware or microcode level. Rings are arranged in a hierarchy from most privileged (most trusted, usually numbered zero) to least privileged (least trusted, usually with the highest ring number).
On most operating systems, Ring 0 is the level with the most privileges and interacts most directly with the physical hardware such as certain CPU functionality (e.g. the control registers) and I/O controllers.
Special call gates between rings are provided to allow an outer ring to access an inner ring’s resources in a predefined manner, as opposed to allowing arbitrary usage. Correctly gating access between rings can improve security by preventing programs from one ring or privilege level from misusing resources intended for programs in another.
For example, spyware running as a user program in Ring 3 should be prevented from turning on a web camera without informing the user, since hardware access should be a Ring 1 function reserved for device drivers. Programs such as web browsers running in higher numbered rings must request access to the network, a resource restricted to a lower numbered ring.
supervisor mode
hardware-mediated flag that can be changed by code running in system-level software.
System-level tasks or threads may have this flag set while they are running, whereas user-level applications will not. This flag determines whether it would be possible to execute machine code operations such as modifying registers for various descriptor tables, or performing operations such as disabling interrupts. The idea of having two different modes to operate in comes from “with more power comes more responsibility” – a program in supervisor mode is trusted never to fail, since a failure may cause the whole computer system to crash.
Supervisor mode is “an execution mode on some processors which enables execution of all instructions, including privileged instructions.
It may also give access to a different address space, to memory management hardware and to other peripherals. This is the mode in which the operating system usually runs.”
In a monolithic kernel, the operating system runs in supervisor mode and the applications run in user mode.
Other types of operating systems, like those with an exokernel or microkernel, do not necessarily share this behavior.
Most processors have at least two different modes. The x86-processors have four different modes divided into four different rings. Programs that run in Ring 0 can do anything with the system, and code that runs in Ring 3 should be able to fail at any time without impact to the rest of the computer system.
Ring 1 and Ring 2 are rarely used, but could be configured with different levels of access.
To gain performance and determinism, some systems place functions that would likely be viewed as application logic, rather than as device drivers, in kernel mode; security applications (access control, firewalls, etc.) and operating system monitors are cited as examples.
At least one embedded database management system, eXtremeDB Kernel Mode, has been developed specifically for kernel mode deployment, to provide a local database for kernel-based application functions, and to eliminate the context switches that would otherwise occur when kernel functions interact with a database system running in user mode
Functions are also sometimes moved across rings in the other direction. The Linux kernel, for instance, injects into processes a vDSO section which contains functions that would normally require a system call, i.e. a ring transition. Instead of doing a syscall these functions use static data provided by the kernel.
This avoids the need for a ring transition and so is more lightweight than a syscall. The function gettimeofday can be provided this way.
A privilege level in the x86 instruction set controls the access of the program currently running on the processor to resources such as memory regions, I/O ports, and special instructions. There are 4 privilege levels ranging from 0 which is the most privileged, to 3 which is least privileged.
Most modern operating systems use level 0 for the kernel/executive, and use level 3 for application programs. Any resource available to level n is also available to levels 0 to n, so the privilege levels are rings. When a lesser privileged process tries to access a higher privileged process, a general protection fault exception is reported to the OS.
It is not necessary to use all four privilege levels. Current operating systems with wide market share including Microsoft Windows, macOS, Linux, iOS and Android mostly use a paging mechanism with only one bit to specify the privilege level as either Supervisor or User (U/S Bit).
Windows NT uses the two-level system. The real mode programs in 8086 are executed at level 0 (highest privilege level) whereas virtual mode in 8086 executes all programs at level 3
The IOPL (I/O Privilege level) flag is a flag found on all IA-32 compatible x86 CPUs.
It occupies bits 12 and 13 in the FLAGS register. In protected mode and long mode, it shows the I/O privilege level of the current program or task. The Current Privilege Level (CPL) (CPL0, CPL1, CPL2, CPL3) of the task or program must be less than or equal to the IOPL in order for the task or program to access I/O ports.
The IOPL can be changed using POPF(D) and IRET(D) only when the current privilege level is Ring 0.
Besides IOPL, the I/O Port Permissions in the TSS also take part in determining the ability of a task to access an I/O port.
In x86 systems, the x86 hardware virtualization (VT-x and SVM) is referred as
ring - 1
the System Management Mode is referred as
ring - 2
the Intel Management Engine and AMD Platform Security Processor are sometimes referred as
ring - 3
Proper use of complex CPU modes requires very close cooperation between the operating system and the CPU, and thus tends to tie the OS to the CPU architecture.
When the OS and the CPU are specifically designed for each other, this is not a problem (although some hardware features may still be left unexploited), but when the OS is designed to be compatible with multiple, different CPU architectures, a large part of the CPU mode features may be ignored by the OS. For example, the reason Windows uses only two levels (ring 0 and ring 3) is that some hardware architectures that were supported in the past (such as PowerPC or MIPS) implemented only two privilege levels
Transitions between modes are at the discretion of the executing thread when the transition is from a level of high privilege to one of low privilege (as from kernel to user modes)
transitions from lower to higher levels of privilege can take place only through secure, hardware-controlled “gates” that are traversed by executing special instructions or when external interrupts are received.
Microkernel operating systems attempt to minimize the amount of code running in privileged mode, for purposes of security and elegance, but ultimately sacrificing ________
performance
Fault tolerance
property that enables a system to continue operating properly in the event of the failure of one or more faults within some of its components. If its operating quality decreases at all, the decrease is proportional to the severity of the failure, as compared to a naively designed system, in which even a small failure can cause total breakdown.
Fault tolerance is particularly sought after in high-availability, mission-critical, or even life-critical systems. The ability of maintaining functionality when portions of a system break down is referred to as
graceful degradation
fault-tolerant design
enables a system to continue its intended operation, possibly at a reduced level, rather than failing completely, when some part of the system fails.
term most commonly used to describe computer systems designed to continue more or less fully operational with, perhaps, a reduction in throughput or an increase in response time in the event of some partial failure. That is, the system as a whole is not stopped due to problems either in the hardware or the software.
fault-tolerant design
Computer security, cyber security , digital security or information technology security (IT security) is the protection of computer systems and networks from attack by malicious actors that may result in unauthorized information disclosure, theft of, or damage to hardware, software, or data, as well as from the disruption or misdirection of the services they provide.
The field is significant due to the expanded reliance on computer systems, the Internet, and wireless network standards such as Bluetooth and Wi-Fi. Also, due to the growth of smart devices, including smartphones, televisions, and the various devices that constitute the Internet of things (IoT). Cybersecurity is one of the most significant challenges of the contemporary world, due to both the complexity of information systems and the societies they support. Security is of especially high importance for systems that govern large-scale systems with far-reaching physical effects, such as power distribution, elections, and finance.
CPU modes (also called processor modes, CPU states, CPU privilege levels)
operating modes for the central processing unit of some computer architectures that place restrictions on the type and scope of operations that can be performed by certain processes being run by the CPU. This design allows the operating system to run with more privileges than application software.
Ideally, only highly trusted kernel code is allowed to execute in the unrestricted mode; everything else (including non-supervisory portions of the operating system) runs in a restricted mode and must use a
system call via interrupt to request the kernel perform on its behalf any operation that could damage or compromise the system or other programs or the computing system
