Hi folks,
Unless the kernel of your Operating System uses the "follow the bouncing kernel" scheme, kernel and user environment share the same address space. So the following question may arise: if the user is sharing its address space with the kernel, which security policies/mechanisms are used to ensure safety? That's what I will be addressing here, so fasten your seat belt :)
The MMU (Memory Management Unit) uses both paging and segmentation as mechanisms of protection.
I will focus on paging here, so if you want to understand how paging relates to segmentation, take a look at:
The MMU performs checking based on the CPL (Current Privilege Level)[1]. Each physical page has a corresponding page entry that tells the hardware which operations are allowed on it and who can access it. When user programs are being executed, the CPL is always 3, thus pages marked as system-only aren't available. There are a lot of flags stored in each 'page descriptor', but I will present the two that are most relevant for the purpose of this post.
[1]: CPL is an essential feature of the protection mechanism of the x86. It prevents processes running at a lower privilege level from doing things that would halt the entire system. By the way, CPL is stored in the bottom two bits of the CS register.
Write and Present are flags that determine the current state of a page. If the write flag is turned on, then write operations are allowed. Otherwise, the page is read-only. The present flag basically tells the MMU whether or not the underlying page is present in physical memory. If it is not, the page was probably swapped to some other place due to some event, e.g. running out of memory.
When the system traps into the kernel level, e.g. on a syscall, the processor itself switches the mode from user to system (from CPL 3 to 0). From this moment on, pages marked as system-only are available. Knowing that, we readily understand that processes running under CPL 3 (user programs) will never be able to access the kernel address space. Unless there is some exploitable code in the kernel itself, user space will not be able to peek into the kernel space.
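To make the check described above concrete, here is a small added example (my own code, not from the original post) that models the MMU's decision for one x86 page-table entry: it decodes the Present and R/W bits the post discusses, plus the U/S (user/supervisor) bit, which is the architectural flag behind "pages marked as system-only", and the NX bit, and returns whether an access at a given CPL is allowed or faults. It also reads the CPL from the bottom two bits of CS, as the footnote describes. The PTE values fed in are constructed, the model assumes CR0.WP=1 (so read-only pages are read-only even at CPL 0, as Linux configures it) and ignores SMEP/SMAP and segmentation.

```c
#include <stdint.h>
#include <stdio.h>

/* Architectural x86 page-table-entry flag bits (Intel SDM, vol. 3, "Paging"). */
#define PTE_PRESENT (1ull << 0)   /* P:   1 = page is in physical memory */
#define PTE_WRITE   (1ull << 1)   /* R/W: 1 = writable, 0 = read-only */
#define PTE_USER    (1ull << 2)   /* U/S: 1 = user (CPL 3) may access, 0 = supervisor only */
#define PTE_NX      (1ull << 63)  /* XD:  1 = no instruction fetch (needs EFER.NXE) */
#define PTE_FRAME_MASK 0x000ffffffffff000ull  /* physical frame address bits */

enum access  { ACCESS_READ, ACCESS_WRITE, ACCESS_EXEC };
enum verdict { ALLOW, FAULT_NOT_PRESENT, FAULT_PROTECTION };

/* Physical frame address encoded in the entry. */
uint64_t pte_frame(uint64_t pte)
{
    return pte & PTE_FRAME_MASK;
}

/*
 * Simplified model of the MMU permission check for a single page access.
 * Assumptions (labelled, not from the post): CR0.WP=1, no SMEP/SMAP.
 */
enum verdict check_access(uint64_t pte, unsigned cpl, enum access op)
{
    /* Not-present pages fault regardless of privilege (the OS may page in). */
    if (!(pte & PTE_PRESENT))
        return FAULT_NOT_PRESENT;

    /* Supervisor-only pages are invisible to CPL 3: this is the kernel/user split. */
    if (cpl == 3 && !(pte & PTE_USER))
        return FAULT_PROTECTION;

    /* Read-only pages reject writes; with CR0.WP=1 that applies at CPL 0 too. */
    if (op == ACCESS_WRITE && !(pte & PTE_WRITE))
        return FAULT_PROTECTION;

    /* NX pages may be read or written but never executed. */
    if (op == ACCESS_EXEC && (pte & PTE_NX))
        return FAULT_PROTECTION;

    return ALLOW;
}

/* CPL lives in the bottom two bits of CS; -1 when not running on x86. */
int current_cpl(void)
{
#if defined(__x86_64__) || defined(__i386__)
    uint16_t cs;
    __asm__ volatile("mov %%cs, %0" : "=r"(cs));
    return cs & 3;
#else
    return -1;
#endif
}

static const char *verdict_name(enum verdict v)
{
    return v == ALLOW ? "allow" : v == FAULT_NOT_PRESENT ? "#PF (not present)" : "#PF (protection)";
}

int main(void)
{
    /* Constructed entries: a kernel text page, a user data page, a swapped-out page. */
    uint64_t kernel_text = 0x0000000001000000ull | PTE_PRESENT;
    uint64_t user_data   = 0x00000000deadb000ull | PTE_PRESENT | PTE_WRITE | PTE_USER | PTE_NX;
    uint64_t swapped_out = 0x0000000000002000ull | PTE_WRITE | PTE_USER;

    printf("running at CPL %d\n", current_cpl());
    printf("user reads kernel text : %s\n", verdict_name(check_access(kernel_text, 3, ACCESS_READ)));
    printf("kernel reads kernel text: %s\n", verdict_name(check_access(kernel_text, 0, ACCESS_READ)));
    printf("user writes own data   : %s\n", verdict_name(check_access(user_data, 3, ACCESS_WRITE)));
    printf("user executes own data : %s\n", verdict_name(check_access(user_data, 3, ACCESS_EXEC)));
    printf("user touches swapped   : %s\n", verdict_name(check_access(swapped_out, 3, ACCESS_READ)));
    printf("frame of user data     : 0x%llx\n", (unsigned long long)pte_frame(user_data));
    return 0;
}
```

Compile with `cc -O2 model.c && ./a.out`; on any Linux x86 box the first line reports CPL 3, which is exactly why the kernel-text lookup faults while the same entry is fine at CPL 0.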
Hope you enjoyed it,
Raphael S. Carvalho.