Vol. 3A 5-27
PROTECTION
Now assume that instead of setting the RPL of the segment selector to 3, the application program sets the RPL to
0 (segment selector D2). The operating system can now access data segment D, because its CPL and the RPL of
segment selector D2 are both equal to the DPL of data segment D.
Because the application program is able to change the RPL of a segment selector to any value, it can potentially use
a procedure operating at a numerically lower privilege level to access a protected data structure. This ability to
lower the RPL of a segment selector breaches the processor’s protection mechanism.
Because a called procedure cannot rely on the calling procedure to set the RPL correctly, operating-system proce-
dures (executing at numerically lower privilege-levels) that receive segment selectors from numerically higher
privilege-level procedures need to test the RPL of the segment selector to determine if it is at the appropriate level.
The ARPL (adjust requested privilege level) instruction is provided for this purpose. This instruction adjusts the RPL
of one segment selector to match that of another segment selector.
The example in Figure 5-15 demonstrates how the ARPL instruction is intended to be used. When the operating-
system receives segment selector D2 from the application program, it uses the ARPL instruction to compare the
RPL of the segment selector with the privilege level of the application program (represented by the code-segment
selector pushed onto the stack). If the RPL is less than application program’s privilege level, the ARPL instruction
changes the RPL of the segment selector to match the privilege level of the application program (segment selector
D1). Using this instruction thus prevents a procedure running at a numerically higher privilege level from
accessing numerically lower privilege-level (more privileged) segments by lowering the RPL of a segment selector.
Note that the privilege level of the application program can be determined by reading the RPL field of the segment
selector for the application-program’s code segment. This segment selector is stored on the stack as part of the call
to the operating system. The operating system can copy the segment selector from the stack into a register for
use as an operand for the ARPL instruction.
5.10.5 Checking
Alignment
When the CPL is 3, alignment of memory references can be checked by setting the AM flag in the CR0 register and
the AC flag in the EFLAGS register. Unaligned memory references generate alignment exceptions (#AC). The
processor does not generate alignment exceptions when operating at privilege level 0, 1, or 2. See Table 6-7 for a
description of the alignment requirements when alignment checking is enabled.
5.11 PAGE-LEVEL
PROTECTION
Page-level protection can be used alone or applied to segments. When page-level protection is used with the flat
memory model, it allows supervisor code and data (the operating system or executive) to be protected from user
code and data (application programs). It also allows pages containing code to be write protected. When the
segment- and page-level protection are combined, page-level read/write protection allows more protection granu-
larity within segments.
With page-level protection (as with segment-level protection) each memory reference is checked to verify that
protection checks are satisfied. All checks are made before the memory cycle is started, and any violation prevents
the cycle from starting and results in a page-fault exception being generated. Because checks are performed in
parallel with address translation, there is no performance penalty.
The processor performs two page-level protection checks:
•
Restriction of addressable domain (supervisor and user modes).
•
Page type (read only or read/write).
Violations of either of these checks results in a page-fault exception being generated. See Chapter 6, “Interrupt
14—Page-Fault Exception (#PF),” for an explanation of the page-fault exception mechanism. This chapter
describes the protection violations which lead to page-fault exceptions.