Path: utzoo!utgpu!water!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!bloom-beacon!apple!amdcad!light!bvs
From: bvs@light.uucp (Bakul Shah)
Newsgroups: comp.arch
Subject: Re: PEP: Page Execution Priviledge
Message-ID: <1988Oct4.100511.16783@light.uucp>
Date: 4 Oct 88 17:05:09 GMT
References: <2550@sultra.UUCP> <1988Sep30.170503.19191@utzoo.uucp> <1988Oct1.115519.11020@light.uucp> <1988Oct3.173955.9075@utzoo.uucp>
Reply-To: bvs@light.UUCP (Bakul Shah)
Organization: Light Systems, Mountain View, CA
Lines: 59

[Henry Spencer:]
>>>... how do you prevent a user from
>>>branching to some well-chosen place in the *middle* of a privileged
>>>routine? ...

[Me:]
>>Hardware-enforced entry points are not needed if you
>>use indirection. Make sure only privileged jump
>>tables are accessible from a non privileged place.

[Henry Spencer:]
>Ah, but now we need three levels of protection: user, jump table, and
>privileged. Your privileged jump tables *are* hardware-enforced entry
>points. (P.S. the jump-indirect instruction is going to have to be
>careful that it can't be fooled. Consider a machine like the 68020
>that will do unaligned fetches: jump indirect via an unaligned address
>in the jump table, that picks up some bytes from one address and some
>from the next and treats the combination as a privileged address.)

No, we don't! I should have used the term ``a table of jump
instructions'' instead of `a jump table'. Call TO an address in
this table will be allowed because the table is eXecutable from
user mode. Jump FROM the table is allowed to land in any executable
privileged page because the table is privileged.

Yes, this scheme is tricky and may not work if you can jump into
the middle of an instruction.

On a RISC processor where the jump delay slot is exposed to the
software, the table contains nops in addition to jumps. Example:

        ; user mode code
        ...
        call    lr0, foo
        nop             ; delay slot instruction
        ...

        ; privileged table, executable from user mode
privileged_table:
        ...
foo:    jmp     real_foo
        nop
bar:    jmp     real_bar
        nop
        ...

        ; privileged code, not executable from user mode
real_foo:
        ...
        jmpi    lr0
real_bar:
        ...
        jmpi    lr0

----
Bakul Shah <..!{ucbvax,sun,uunet}!amdcad!light!bvs>
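
The permission rule described in the post, as an added C model that is not part of the original post: a user page may transfer only into user-executable pages, a privileged page may transfer anywhere, and a user call into any instruction-aligned slot of the table ends at one of the listed routines. The attribute names, the three-page layout and the treatment of running off the end of the table are assumptions of the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Page attribute bits; the names are assumptions made for this model. */
enum { EXEC_USER = 1, PRIV = 2 };
enum { PG_USER, PG_TABLE, PG_PRIVCODE, NPAGES };
static const unsigned page_attr[NPAGES] = {
    [PG_USER]     = EXEC_USER,          /* ordinary user code */
    [PG_TABLE]    = EXEC_USER | PRIV,   /* table of jump instructions */
    [PG_PRIVCODE] = PRIV,               /* real_foo, real_bar */
};

/* May code running in page `from` transfer control to page `to`? */
bool transfer_ok(int from, int to)
{
    if (page_attr[from] & PRIV)
        return true;    /* privileged page: may land in any executable page */
    return (page_attr[to] & EXEC_USER) != 0;    /* user page: user-executable only */
}

enum op { OP_NOP, OP_JMP };
enum { REAL_FOO, REAL_BAR };
struct insn { enum op op; int target; };
/* The privileged table from the post: each jmp is followed by a nop. */
static const struct insn table[] = {
    { OP_JMP, REAL_FOO }, { OP_NOP, 0 },    /* foo: */
    { OP_JMP, REAL_BAR }, { OP_NOP, 0 },    /* bar: */
};
#define NSLOTS (sizeof table / sizeof table[0])

/* User-mode call to an instruction-aligned table slot. Returns the routine
 * reached, or -1 (model assumption) when no jmp follows the slot. */
int call_via_table(size_t slot)
{
    if (!transfer_ok(PG_USER, PG_TABLE))
        return -1;
    for (; slot < NSLOTS; slot++)       /* nops fall through to the next jmp */
        if (table[slot].op == OP_JMP)
            return transfer_ok(PG_TABLE, PG_PRIVCODE) ? table[slot].target : -1;
    return -1;
}

int main(void)
{
    printf("user -> privileged code directly: %d\n", transfer_ok(PG_USER, PG_PRIVCODE));
    for (size_t s = 0; s < NSLOTS; s++)
        printf("call table slot %zu -> routine %d\n", s, call_via_table(s));
}
```

The model only covers instruction-aligned entry; the unaligned-fetch case raised in the quoted reply is outside it.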