Ring (computer security)

From Wikipedia, the free encyclopedia

You have new messages (last change).

In computer science, hierarchical protection domains, often called protection rings, is a mechanism to protect data and functionality from faults (fault tolerance) and malicious behaviour (computer security). This approach is diametrically opposite to that of capability-based security.

Computer operating systems provide different levels of access to resources. A protection ring is one of two or more hierarchical levels or layers of privilege within the architecture of a computer system. This is generally hardware-enforced by some CPU architectures, that provide different CPU modes at the firmware level. Rings are arranged in a hierarchy from most privileged (most trusted, usually numbered zero) to least privileged (least trusted, usually with the highest ring number). On most operating systems, Ring0 is the level with the most privileges and interacts most directly with the physical hardware such as the CPU and memory.

Special gates between rings are provided to allow an outer ring to access an inner ring's resources in a predefined manner, as opposed to allowing arbitrary usage. Correctly gating access between rings can improve security by preventing programs from one ring or privilege level from misusing resources intended for programs in another. For example, spyware running as a user program in Ring 1 should be prevented from turning on a web camera without informing the user, since hardware access should be a Ring0 function reserved for device drivers. Programs such as web browsers running in higher numbered rings must request access to the network, a resource restricted to a lower numbered ring.

Contents

[edit] Implementations

Hardware supported rings were among the more revolutionary concepts introduced by the Multics operating system, a highly secure predecessor of today's UNIX family of operating systems. However most general-purpose UNIX systems use only two rings, even if the hardware it runs on provides more CPU modes than that.

Many modern CPU architectures (including the popular Intel x86 architecture) include some form of ring protection. Although the Windows XP operating system, like Unix, does not (fully) exploit this feature; its predecessor: OS/2 did to some extent, as it used three rings.

There has been a renewed interest in this design structure, with the proliferation of the Xen VMM software, ever ongoing discussion on monolithic- vs micro-kernel (particularly in Usenet newsgroups and Web forums), Microsoft's ring -1 design structure as part of their NGSCB initiative and hypervisors embedded in firmware such as Intel's Vanderpool technology.

The original Multics system had eight rings, but many modern systems have fewer. The hardware is aware of the current ring of the executing instruction thread at all times, thanks to special machine registers. In some systems, areas of virtual memory are also assigned ring numbers in hardware, and/or the most privileged ring is given special capabilities (such as real memory addressing that bypasses the virtual-memory hardware).

The hardware severely restricts the ways in which control can be passed from one ring to another, and also enforces restrictions on the types of memory access that can be performed across rings. Typically there is a special gate or call instruction that transfers control in a secure way towards predefined entry points in lower-level (more trusted) rings; this functions as a supervisor call in many operating systems that use the ring architecture. The hardware restrictions are designed to limit opportunities for accidental or malicious breaches of security.

Ring protection can be combined with processor modes (master/kernel/privileged mode versus slave/user/unprivileged mode) in some systems. Operating systems running on hardware supporting both may use both forms of protection or only one.

Effective use of ring architecture requires close cooperation between hardware and the operating system. Operating systems designed to work on multiple hardware platforms may make only limited use of rings if they are not present on every supported platform. Often the security model is simplified to "kernel" and "user" even if hardware provides finer granularity through rings.

[edit] Supervisor mode

This article may require cleanup to meet Wikipedia's quality standards.
Please discuss this issue on the talk page or replace this tag with a more specific message. This article has been tagged since September 2006.

In computer terms, supervisor mode (sometimes called kernel mode) is a hardware-mediated flag which can be changed by code running in system-level software. System-level tasks or threads will have this flag set while they are running, whereas user-space applications will not. This flag determines whether it would be possible to execute machine code operations such as modifying registers for various descriptor tables, or performing operations such as disabling interrupts. The idea of having two different modes to operate in comes from "with more control comes more responsibility" - a program in supervisor mode is trusted to never fail, because if it does, the whole computer system may crash.

Definition from foldoc.org, an execution mode on some processors which enables execution of all instructions, including privileged instructions. It may also give access to different a address space, to memory management hardware and to other peripherals. This is the mode in which the operating system usually runs.

In a monolithic kernel, the kernel runs in supervisor mode and the applications run in user mode. Other types of operating systems, like those with an exokernel or microkernel do not necessarily share this behavior.

Some examples from the PC world:

Linux and Windows are two operating systems that use supervisor/user-mode. To perform specialised functions, user-mode code must perform a system call into kernel-space (running in supervisor mode) where trusted code in the operating system will perform the needed task.
DOS, other simple operating systems, and many embedded devices run in supervisor mode permanently, meaning that drivers can be written directly into software.

Most processors have at least two different modes. The x86-processors have four different modes divided into four different "rings". Programs that run in ring0 can do anything with the system and code that runs in ring3 should be able to fail at any time without any impact to the rest of the computer system. Ring1 and ring2 are rarely used, but could be configured with different levels of access.

[edit] Hypervisor Mode

Recent CPUs from Intel and AMD offer x86 virtualization instructions for a hypervisor to control ring0 hardware access. Although they are mutually incompatible, both Intel's "Vanderpool" (or VT) and AMD's "Pacifica" create a new "ring -1" so that a guest operating system can run ring0 operations natively without affecting other guests or the host OS.[1]

[edit] Interoperation between cpu and OS levels of abstraction

Many CPU hardware architectures provide far more flexibility than is exploited by the operating systems that they normally run. Proper use of complex CPU modes requires very close cooperation between the operating system and the CPU, and thus tends to tie the OS to the CPU architecture. When the OS and the CPU are specifically designed for each other, this is not a problem (although some hardware features may still be left unexploited), but when the OS is designed to be compatible with multiple, different CPU architectures, a large part of the CPU mode features may be ignored by the OS. For example, Windows NT was designed to be portable and many architectures at the time only supported user and kernel mode.

Multics was an operating system designed specifically for a special CPU architecture (which in turn was designed specifically for Multics), and it took full advantage of the CPU modes available to it. However, it was an exception to the rule. Today, this high degree of interoperation between the OS and the hardware is not often cost-effective, despite the potential advantages for security and stability.

Ultimately, the purpose of distinct operating modes for the CPU is to provide hardware protection against accidental or deliberate corruption of the system environment (and corresponding breaches of system security) by software. Only "trusted" portions of system software are allowed to execute in the unrestricted environment of kernel mode, and only then when absolutely necessary. All other software executes in one or more user modes. If a processor generates a fault or exception condition in a user mode, in most cases system stability is unaffected; if a processor generates a fault or exception condition in kernel mode, most operating systems will halt the system with an unrecoverable error. When a hierarchy of modes exists (ring-base security), faults and exceptions at one level of privilege may destabilize higher levels of privilege, but not lower levels of privilege. Thus, a fault in ring0 (the kernel mode with the highest privilege) will crash the entire system, but a fault in ring 2 will only affect rings 3 and beyond and ring 2 itself, at most.

Transitions between modes are at the discretion of the executing thread when the transition is from a level of high privilege to one of low privilege (as from kernel to user modes), but transitions from lower to higher levels of privilege can take place only through secure, hardware-controlled "gates" that are traversed by executing special instructions or when external interrupts are received.

Microkernel operating systems attempt to minimize the amount of code running in privileged mode, for purposes of security and elegance. Some suggest that they may lose in performance what they gain in security, however.

[edit] See also

[edit] Further reading

Retrieved from "http://en.wikipedia.org../../../r/i/n/Ring_%28computer_security%29.html"