本文深入探讨了计算机保护机制的核心概念,包括类型检查、限制检查等五个方面。着重解释了段级保护,特别是特权级别的管理,通过段描述符中的DPL、选择器中的RPL以及内部寄存器中的CPL来实现对访问权限的控制。文中还详细阐述了影响系统数据结构的指令在CPL为零时才能执行,并在CPL非零时引发通用保护异常的情况。
1. Why protection?
Identify and detect bugs.
2. Overview: 5 aspects
Type checking
Limit checking
Restriction of addressable domain
Restriction of procedure entry points
Restriction of instruction set
Protection is a hardware mechanism, applies both to segment translation and to page translation.
3. Segment level protection.
Here we mainly talking about Privilege levels.
Segment descriptor contains a filed called DPL(descriptor privilege level)
Selectors contains RPL(requestor's privilege level)
An internal register contains CPL(current privilege level), usually CPL = DPL, it changes when controls transferred to different segments.
The processor automatically evaluates the right of a procedure to access
another segment by comparing the CPL to one or more other privilege levels.
The evaluation is performed at the time the selector of a descriptor is
loaded into a segment register. The criteria used for evaluating access to
data differs from that for evaluating transfers of control to
executable
segments; therefore, the two types of access are considered separately in
the following sections.
DPL >= max(CPL, RPL);
The instructions that affect system data structures can only be executed
when CPL is zero. If the CPU encounters one of these instructions when CPL
is greater than zero, it signals a general protection exception. These
instructions include:
CLTS
HLT
LGDT
LIDT
LLDT
LMSW
LTR
MOV to/from CRn
MOV to /from DRn
MOV to/from TRn
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
