Call gate

From Wikipedia, the free encyclopedia

A call gate (or callgate) is a mechanism in Intel's x86 architecture for changing the privilege level of the CPU when it executes a predefined function call using a CALL FAR instruction.

Contents 1 Overview 2 Security issues 3 How to use 4 Modern use 5 See also 6 External links

[edit] Overview

Call gates are intended to allow less privileged code to call code with a higher privilege level. This type of mechanism is essential in modern operating systems that employ memory protection since it allows user applications to use kernel functions and system calls in a way that can be controlled by the operating system.

Call gates use a special selector value to reference a descriptor accessed via the Global Descriptor Table or the Local Descriptor Table, which contains the information needed for the call across privilege boundaries. This is similar to the mechanism used for interrupt gates.

[edit] Security issues

To preserve system security, the Global Descriptor Table should be held in protected memory, otherwise any program will be able to create its own call gate and use it to raise its privilege level. Call gates have sometimes been used as a vector for software security exploits, when ways have been found around this protection. One example of this is the E-mail worm Gurong.A written to exploit the Microsoft Windows operating system, which uses \Device\PhysicalMemory to install a call gate.

[edit] How to use

Assuming a call gate has been set up already by the operating system kernel, code simply does a CALL FAR (LCALL in AT&T syntax) with the necessary segment selector (the offset field is ignored). The processor will perform a number of checks to make sure the entry is valid and the code was operating at sufficient privilege to use the gate. Assuming all checks pass, a new CS/EIP is loaded from the segment descriptor, and continuation information is pushed onto the stack of the new privilege level (old SS, old ESP, old CS, old EIP in that order). Parameters may also be copied from the old stack to the new stack if needed. The number of parameters to copy is located in the call gate descriptor.

The kernel may return to the user space program by using a RET FAR (LRET) instruction which pops the continuation information off the stack and returns to the outer privilege level.

For information on the exact format of the call gate descriptor, please see the IA-32 manuals.

[edit] Modern use

Modern X86 operating systems are transitioning away from CALL FAR callgates. With the introduction of SYSENTER/SYSEXIT and SYSCALL/SYSRET, a new faster mechanism was introduced for control transfers for x86 programs. And as most other architectures do not support call gates, their use was rare even before these new instructions as software interrupts/traps were preferred for portability.

It should be noted that call gates are more flexible than the SYSENTER/SYSEXIT and SYSCALL/SYSRET instructions since unlike the latter two, call gates allow for changing from an arbitrary privilege level to an arbitrary privilege level. The fast SYS* instruction only allow control transfers from ring 3->0 and vice versa. Upon comparing call gates to interrupts, call gates are significantly faster.

[edit] See also

• Computer insecurity
• Software interrupt
• Interrupt gate
• System call
• SYSCALL instruction
• Global Descriptor Table

[edit] External links

• Using callgates to execute privileged code
• F-Secure Virus Information Pages: Gurong.A