5-26 Vol. 3A

PROTECTION

5.10.4 

Checking Caller Access Privileges (ARPL Instruction)

The requestor’s privilege level (RPL) field of a segment selector is intended to carry the privilege level of a calling 
procedure (the calling procedure’s CPL) to a called procedure. The called procedure then uses the RPL to determine 
if access to a segment is allowed. The RPL is said to “weaken” the privilege level of the called procedure to that of 
the RPL. 
Operating-system procedures typically use the RPL to prevent less privileged application programs from accessing 
data located in more privileged segments. When an operating-system procedure (the called procedure) receives a 
segment selector from an application program (the calling procedure), it sets the segment selector’s RPL to the 
privilege level of the calling procedure. Then, when the operating system uses the segment selector to access its 
associated segment, the processor performs privilege checks using the calling procedure’s privilege level (stored in 
the RPL) rather than the numerically lower privilege level (the CPL) of the operating-system procedure. The RPL 
thus insures that the operating system does not access a segment on behalf of an application program unless that 
program itself has access to the segment.
Figure 5-15 shows an example of how the processor uses the RPL field. In this example, an application program 
(located in code segment A) possesses a segment selector (segment selector D1) that points to a privileged data 
structure (that is, a data structure located in a data segment D at privilege level 0). 
The application program cannot access data segment D, because it does not have sufficient privilege, but the oper-
ating system (located in code segment C) can. So, in an attempt to access data segment D, the application 
program executes a call to the operating system and passes segment selector D1 to the operating system as a 
parameter on the stack. Before passing the segment selector, the (well behaved) application program sets the RPL 
of the segment selector to its current privilege level (which in this example is 3). If the operating system attempts 
to access data segment D using segment selector D1, the processor compares the CPL (which is now 0 following 
the call), the RPL of segment selector D1, and the DPL of data segment D (which is 0). Since the RPL is greater than 
the DPL, access to data segment D is denied. The processor’s protection mechanism thus protects data segment D 
from access by the operating system, because application program’s privilege level (represented by the RPL of 
segment selector B) is greater than the DPL of data segment D.

Figure 5-15.  Use of RPL to Weaken Privilege Level of Called Procedure

Passed as a 

parameter on

the stack.

Access

allowed

Access
allowed

Application Program

Operating

System

Lowest Privilege

Highest Privilege

3

2

1

0

Data

Segment D

not

Segment Sel. D1

RPL=3

Segment Sel. D2

RPL=0

Gate Selector B

RPL=3

Code

Segment A

CPL=3

Code

Segment C

DPL=0

Call

Gate B

DPL=3

DPL=0