x86 Control-Transfer Privilege Checks: The Essentials

Source: Internet  Published: Taobao/Tmall data analysis report  Editor: 程序博客网  Time: 2024/06/06 16:39

1. Direct transfers (far call / far jmp)

A direct transfer is performed by executing a single call or jmp instruction. An intra-segment transfer (near jump) needs no selector; an inter-segment transfer (far jump) goes through a code-segment selector, with no gate or TSS involved. CPL does not change.

The four factors in the privilege check (privilege levels are 0..3, so a numerically larger value means less privilege):

CPL: the current privilege level (that is, CS.CPL)

RPL: the requested privilege level of the selector (RPL of the target code-segment selector)

DPL: the descriptor privilege level (DPL of the code-segment descriptor)

nonconforming/conforming: the type of the target code segment (C flag of the code-segment descriptor)

The privilege check:

●    nonconforming: CPL == DPL and RPL <= DPL

●    conforming: only CPL >= DPL is required

Notes:

★ A direct transfer may go to conforming code of higher privilege.

★ CPL does not change after the transfer.


2. Control transfer through a call gate

Transferring control through a call gate establishes a protected mechanism for moving into higher-privileged code by way of a gate. The gate descriptor acts as a single controlled entry point into that higher-privileged code.

The five factors in the privilege check:

CPL: the current privilege level (that is, CS.CPL)

RPL: the requested privilege level of the gate selector (RPL of the selector that refers to the call-gate descriptor)

DPLg: the gate DPL (DPL of the call-gate descriptor)

DPLs: the DPL of the destination code segment (DPL of the destination code-segment descriptor)

nonconforming/conforming: the type of the destination code segment (C flag of the destination code-segment descriptor)

1. When the gate is used with call:

●    CPL <= DPLg and RPL <= DPLg

●    nonconforming: CPL >= DPLs

●    conforming: CPL >= DPLs

2. When the gate is used with jmp:

●    CPL <= DPLg and RPL <= DPLg

●    nonconforming: CPL == DPLs

●    conforming: CPL >= DPLs

Notes:

★ Only call can transfer to a higher-privileged nonconforming code segment.

★ Only a call to a higher-privileged nonconforming code segment changes CPL and causes a stack switch.

★ When call or jmp transfers to a higher-privileged conforming code segment, CPL does not change and no stack switch occurs.

----------------------------------------------------
Conforming and Non-Conforming Code Segments

Non-conforming code segments are far more common than conforming code segments. The definitions of both follow:

  • Non-Conforming (you must match me). A code segment with C = 0 is a non-conforming code segment. Code in a non-conforming code segment can only be jumped to or called by programs whose CPL matches the target code segment's DPL (i.e., CPL = DPL).

  • Conforming (I'll lower myself to your level). A code segment with C = 1 is a conforming code segment. Code in a conforming code segment can be jumped to or called by programs whose CPL is the same as or less privileged than the target segment's DPL. Furthermore, the processor then executes the code in the conforming code segment at the same privilege level as that of the program that called it. In other words, the code in the conforming code segment "conforms to" or assumes the privilege level of the program that called it. The CPL remains the same as that of the calling program.

As an example, if the CPL of the currently executing program = 2, it may successfully call or jump to one of the following:

  • a non-conforming code segment with a DPL = CPL of the calling program (in other words, the DPL = 2).

  • a conforming code segment with a privilege level (i.e., a DPL) of 0, 1 or 2.

It cannot jump to or call code in either of the following without causing a GP exception:

  • a non-conforming code segment with a DPL ≠ its CPL (in this case, any privilege level other than two).

  • a conforming code segment with a privilege level (i.e., a DPL) of 3.
