Home > Articles > Hardware

  • Print
  • + Share This
Like this article? We recommend

Ring of Protection +3

Every modern processor has the concept of privileged instructions. These are reserved for use by the operating system, while non-privileged instructions are available to applications. A modern operating system provides applications with an isolated environment; they can pretend that they are the only application running on the system. Any instruction that breaks this isolation, for example by accessing physical memory directly, should be considered privileged.

Because some operations should not be executed by everyone, we get the idea of processor modes. In one mode, all instructions are available, while in the other only those available to applications should work. Of course, two privilege levels is only the minimum; x86 comes with four, known as rings.

The four-ring model is not unique to x86. The second most popular system to use it was the VAX. It was adopted by Intel in the hopes of persuading DEC to port VMS to x86. Ironically, OpenVMS now runs on VAX, Alpha and Itanium, of which only the VAX had more than two privilege modes. The Alpha was able to emulate arbitrary numbers of rings quite easily, however. The only way of entering privileged mode on an Alpha was to issue an instruction that would jump to an address in firmware and elevate privilege. Once in this mode, a sequence of standard Alpha instructions (plus some allowing direct access to physical memory) were executed atomically. These had access to some hidden registers, which shadowed some standard registers. Since these were not accessibly (or modifiable) from the unprivileged mode, they could be used to define a privilege mode for a running program and determine which instructions it was allowed to execute.

The four-ring model is not used on any operating system that is designed to be portable, because it is so unusual. Even NT does not use it, since the i860 for which it was originally developed had only two modes. This is something of a shame, since it can potentially provide a much more stable environment. On OS/2, drivers ran at a lower privilege than the kernel, so they were unable to write over the kernel's address space.

Another user of the four-ring model is Xen, which moves the kernel from ring 0 (the highest privilege) to ring 1, and installs itself in ring 0. This ought to be a really easy way of doing virtualization; if the kernel attempts to execute a privileged instruction, it should trap and allow the hypervisor to catch it. On any sane platform, this would be the case, but x86 has a small set of instructions that simply fail silently when run outside ring 0.

When AMD created x86-64, one of the things they "tidied" was the protection mechanism, removing rings 1 and 2. The entire x86 architecture can be summed up by the fact that the newest chips have two protection modes; ring 0 and ring 3. This caused some problems for people who happened to be using them, and is likely to cause more in the next few years when people start valuing stability a bit more than raw performance and wish there was somewhere safe to put device drivers outside kernel space.

Did I say new x86 chips have two privilege modes? Well, that's almost true. Actually, they added some more in the latest chips. Intel added a mode called VT-x, standing for Virtualization Technology for x86, not to be confused with VT-i, for Itanium. AMD, of course, has its own, very similar and yet completely incompatible, extensions for the same purpose. This mode allows you to set up traps for all privileged instructions executed in ring 0. This of course means that ring 0 is now, effectively, ring 1. In decreasing level of privilege, we now have VMX (a virtual "ring -1"), ring 0, and ring 3. Perfectly simple.

  • + Share This
  • 🔖 Save To Your Account