Day 1 Part 4: Intermediate Intel X86: Architecture, Assembly, & Applications

at this point we know most of what we need to know in terms of segmentation right so we’ve seen the exact format of the segment descriptors we see that it’s got a twenty minute twenty bit limit thirty two-bit face then we’ve got other things like this al which we don’t care about which is sixty four-bit abl that just means available it’s not used anything right now but if you want to have some custom software property you can go ahead and do that as opposed to sometimes when it said like this is hard coded as zero it says a BL you can use it for whatever you want if your operating system needs a bit and the descriptor is DB we said that was about you know do all operations inside the segment are they considered 16-bit versus 32-bit DPL descriptive privilege level you know is this ring zero granularity that had to do with the limit we said granularity is zero the limit is invite granularity is one the limit isn’t four kilobyte chunks and therefore you can cover all of memory all three cubed space anyways is one big segment and that was pretty much everything on system and types of their system so you’ve got a bunch of different types of system descriptors and a bunch of different types of odor data and the type to figure that out so we saw the code and data ones and then system has much stuff we don’t know yet other than ldt i remember it will come back to that later and i didn’t look up any of the stuff all right so we’re off to the lab and so i had found a window bug plugin from this link and i think it was already printing out I didn’t teach you oh maybe it was just GD key Melanie he may have done ITP I don’t remember but I modified it for this class and that prints out all sorts information that we want this is much nicer again and so this lab we need to get cozy with window bug we’re going to do some kernel debugging because we’re going to actually get into the kernel because it’s that’s why we have to be obviously in order to look at some question there’s your sponsor market alright so this slide is for your own purposes the key points here is that what we’re going to do is we’re going to start the VM and we’re going to connect it with the kernel debugger there’s a little bit of a timing issue here ideally we want it to be the case that we start the VM it creates a virtual serial port and then the kernel debugger connects to that virtual Assyria 4 which is actually just a named pipe on the host and so you have to start the VM first more for a VM to create the virtual serial port and then you start wind a bug so that it can talk on the virtual 0 point and then when the VM boots it talks insides out ok is I need a bugger there is anything bugger there and then you want me to bug waiting at that point so on your desktop you should have a be a more plan thing yes yep what they’ll have to you’ll have to configure it differently but I believe there is only I don’t have a configuration for a physical serial cable but I do have hardware this is because you don’t want to be using cable open up VMware click on intermediate x86 class 2 and then edit the virtual settings you’re going to go to add and you’re going to add a serial port all right and then when you click next you get the next screen where you want to say in it the serial port should be output to a named pipe you go ahead and click Next and we want to name that name pipe and you see what I put in my slide dot dot slash our slash slash dot slash pipe whatever and then you want to say that the other end is an application and this end is server right so everyone should have slash slash slash pipe slash whatever this end is a server the other end is an application you connect come power all right hit finish but then before you go you have to click this little checkbox which becomes available you don’t CPU on poll so that that’s the bugger interrupting system all right so you should have something that looks like this right now connect on power on username fight slash slash dot slash whatever type slash whatever descendent server this other end is an application

no I didn’t it okay on that and then before we start this up we want to get Mindy bug ready to go I was having some problems with this in the other class if other people having problems there just the other way so open up window bug it should either be yeah it looks like it’s not on your desktop go to all programs and debugging tools for Windows and then wind the bug all programs bugging tools for windows window bug when you get into it and I go to file kernel the one and then we want the slash slash dot slash pipe whatever we want the pipe checkbox click to make sure we’re all synchronized at this point and then anyone on the end following along want me to wait at all they see wants me all right oh wait just a second here yeah so at this point we’re going to play the virtual machine and it’ll have 30 seconds it’s counting down or whether you want to accept this initial good thing while it’s sitting here counting down over an window bug go ahead and hit OK for the kernel debugging and then window bug will now be sitting there saying okay I’m waiting for someone to talk to me on the virtual serial port you can either hit return or just let this countdown for most 30 seconds enable the debugging gaining press return and it succeeds the window bug crashed and then you would have window bug just shut down on you like I just had yes we got one all right the alternative way that we can do this is we can just let the thing start booting and asking for window bug and then we’ll open up the book of that form so for anyone who had the crash anyone who’s following along as well if when the bug just stopped on you I think this is like there’s a VMware Player issues let’s just go ahead and power and shut power off the virtual machine power off yeah and so what I’m gonna do instead is I’m gonna get window bug ready to go but I’m not going to hit okay until we started together so if it crashed go again to start all programs debugging windows in debug the file kernel the bug and then just let it sit there and let me think yeah so now instead I’m just gonna say play virtual machine I’m gonna let it boot up and I’m going to Matt I’m gonna do here I’m gonna hit OK and let this thing boot and then hit OK and win the bug alright so I’m gonna say let it blue so I’m Windows normally breakout it ok then there we go this time miss caught it what you don’t work for you all right so this should let your windows VM should boot up as you see here don’t don’t worry about the formatting for now hold on we set up common format in a second all right so you should know I’ve window bug it should have had some number some number of whatever warnings and stuff you may or may not have it like expanded this entire window so you may have like a separate window here this grey window there so this is where we talked about we’re going to be all on the same page for formatting so all you want to take your main window and you’re gonna drag it around now if you drag it over itself if nothing’s going to happen but if you drag it over that’s great and you should see it expand to fill up this entire window so now you should have a command window which is expanded to fill up the entire window you’ll have the little icon bar at the top command window we’ll be taking a particle alright so is

everyone in here got that alrighty yeah anyone on the phone so where you have is yours connected or is it just not okay so in your case if if it didn’t work I’m gonna do this again we’re just gonna close my window bug it just go ahead and you know hard shut it down it should really matter power or the thing off all right so what you want to do is have the thing ready you’re going to open up window bugs and you’re gonna go to file run all the bug make sure you have slash slash dot slash pipe slash whatever and the same thing in here you know edit your settings on your VM side because you’re still poor to make sure you have / / / like / ever descendent server other end of application field NC beautiful alright and so now what you want to do though is just like boot the VM Tarly but right after you’ve let it boot that’s when you’re gonna hit okay between the box so like this you get to the booth screen and if you want to be debugging it’s counting down you say yes go ahead and boot debugging and they you don’t buy the BM go back to window bug and get okay and then pointing the VM will be pulling on this virtual serial port on dudes it’ll be saying like okay is anyone there is anyone there is anyone there and then it should be able to connect so give you one sec and then let me know if that works essentially if you’re waiting more than you know couple seconds so at the next break which will be in about 40 minutes or so and I’ll try to log on to the same one as you I don’t think that it works but to figure out something will maybe have you do like meeting place to share your screen in here so you can just watch for now and we’ll have you go through it later alright the point is when we get to here and we have the command window taking up the entire screen we’re going to start splitting this up so that we have new school information displayed at all times the first thing I’m going to do is I’m going to mouse over this little woman like punch lines a memory window or hit on five if you do that you should get a floatie memory window but now what we want to do is we want to drag it roughly speaking towards the top middle of that command window and it should split the window horizontally right you want to see your window split horizontally like this I drag it to the top again remember if you’re you know if you’re just dragging over yourself nothing’s going to happen you may have to move it off to the side and then move it back to the top middle get it all right then after that right next to it to the left a little one with like an ax on it the register windows so you can hit all the four pull that up and we’re going to drop that over here too the right of that memory is the memory window that we’re actually going to pull this all the way over so that it goes to the minimum size because our register values are not that big we don’t need all that experience tape all right so that’s fine for now so he should have memory window register window and one big command window at the bottom and then finally we’re going to split that command window and you’re gonna find the disassembly window which is oldest seventh or there’s anything with the 1.0 on it well mouse over till you find a disassembly window and drag that thing to the bottom right so now you should have sort of the four ways like your command window bottom left this assembly window bottom right memory at the top registers and so just for your own purposes you can overlap windows completely and get tab browsing so if I want to for this if I want to see two different windows of memory at once I go ahead and hit another memory window II don’t come up wherever it is I can drag that the middle of the other memory window completely overlap and now I can you know it’s have between these I want to see the call stack which I wanted to work with whatever and you do this yourself work with whatever arrangement suits you but last purpose is we’re using mine alright everyone okay I think that little slide there had a quick

description of it it typically is a little more hit or miss it took me a long time to get the stupid thing to work the first time when I was dealing with like VMware server on Linux but I do have configuration examples for like VMware server one point X the m to the M for Linux or Windows from wiki and I do have it working myself for VMware fusion on my Mac but I was never able to get it okay well obviously I can’t be bugged from my system to my guest system on my Mac I need to do one p.m. to 1 p.m ever got it working on three blocks it’s not possible but the instructions are off Rick you wonder if you’re on Linux obviously again all right so everyone here flat this point right now I hear it on the phone you all have your thing split four ways sound off anybody okay I guess we got a customize the registers a quick I can wind above just for simplicity purpose click on register is customized it’s going to them up they’re not known yet I have to break into the bugger I’ll go to debug window bug menu and break now that’s going you don’t stop the system let you inspect the memory center what we don’t want this sort of random assortment of variables our registers over here we want to customize it so let’s go ahead and I’m I’m just gonna go over like EAX EBX ECX edx right so ABCD and we’re gonna go EDI ESI and so you can just like copy whatever it’s at the beginning if there’s duplicates in this list it doesn’t matter it’ll just only show one of them so just get your general purpose registers EAX EBX di es i EBP ESP and then just for ever do yeah yeah yeah FS yeah all that good enough all right so a few be exp dia EDI ESI EBP ESP and then the second register CS SS yes yes that’s Jesus all right so everyone’s got that if you want I don’t ever really use it this long but certainly if you want you click this display of modified registers first I mean if you step one instruction whatever has changed will show up in red at the top of your register so sometimes that is use I usually just get all the registers I want where I can see them and then I can just whatever there we go got everything in order at the top alright so right now what we’re gonna do is well I’m even gonna say just for our purposes we don’t really care about any flags are yet create here let’s go have input in the GDP are after the GS that we can like just look at the GTR and then in window bug takes the GDP limit the 16-bit portion and it calls it that like it’s a different register we know that GDP register is really 48 bits wide for convenience window bug gives you GDP R which is the 32 bit base address and GDP L which is the limit of GDP L face and then now when you hit okay let’s see that okay my GDP is based at eight zero zero three F zero zero zero and my GDP L is 3 FF which is oh it is not using G alright so the point of this lab point of why we’re getting into the bugger right now is we want to go and look at the GD to look at those GDP descriptors in detail look at the eye yeah look at the LDP and prove that it’s not there right so I said I made a custom plugin for this we’re gonna go the pilot in visual studio and as a post compiled action it like copies it into the window bug folder for you make it easy so in Visual Studio pull that up and Mark rope mode access Kate as your startup project like Detective Mode I

guess remote xsk because I modified it as the startup project and she’s go bold and all that and then just go ahead and right click on it and hit build very much all right so I should say built succeeded did anyone have their build not succeed and you won’t see a failure in that output we know that all think of some of your window sir it didn’t come into a good statement disturbin okay so you may have to clean it and then build it again so it’s just a rebuild so just to make sure right click on it you go to rebuild that’s gonna clean and build it’ll dump away all the existing files it on it again and then yeah on the compilation within the VM this is compilation outside of the VM ethanoic because we want our window bug to have the plug-in and we’re wind debugging from outside probably oh is that that a deal warning yeah that’s just from Visual Studio running the first time I’m sorry where where’s the code that I’m come on you’ll have to double yeah I have that honor okay so we got that on your desktop from there in the desktop you flip the dot SLN solution alright and it’s just been figuring now right okay so once it’s done configuring what you’re going to do is you’re going to right click on throat mode xsk and you’re going to set us start a project as I’m currently showing on the screen and then after you’ve done that you’re going to again right click on promo tesak xsk and then click on rebuild and that it’ll just compile it inside of your virtualization so that the plugin is available to win to them so ping me again in a second if that doesn’t work x86 da so on that work click yes the intermediate x86 FSLN like so it’s in in the overall immunity of x86 folder there’s intermediate x86 code and then in that those intermediate Excel 86 SLN and one Visual Studio is done configuring and stuff like that you’ll see you’ll see that all of these projects and you just have to right click on como de SK and then instead of start the project and then right click again and click rebuild all right anyone else still waiting on the anyone else has not gotten to the rebuild don’t know xsk yet all right I’m going to continue on well after you’ve successfully built and it’s copied this dll which is a ring to bug plugin I’ll copy the DLL over to the window bug plugins folder so going back to window bug in the command window issue dot load safe mode capitalization doesn’t matter question in window bug in the command window yeah dot load period load a boatload the press return if it succeeds you should see nothing and then hid bang or exclamation point descriptor and you should be able to tab complete descriptor at this point exclamation point de tab and then if you can successfully tab complete descriptor it means you can install and just go ahead and return after that just return on the empty descriptor this will show you this in time all right so well what you’re going to see in here is a bunch of commands for descriptor it takes things like descriptor and then I DT and then information about latitude we don’t know about ITT yet we learn it later I should have reordered Boise so name descriptor gdt and then you give it a descriptor index in hex so index starts at 0 so if you give it bang GD t 0 you should see something about it invalid

claim descriptor capital gdp face 0 I’d say you know yeah you know you know if it doesn’t really say anything about it but it isn’t going fine it’s just something in the spec that GDP is 0 it’s never used and I assume that’s so that you don’t have segment lectures being 0 so another thing you can do more useful thing to know is Bing descriptor dump GDP types this goes through and it walks every single index and it pulls out the type information and it says system type or non system type and then it doesn’t tight so you bang the script third gdt underscore I’m sorry don’t miss for GDP D underscore types you press return it’s going to walk through all of the GDP entries and if we walk up here again to the beginning what we see is descriptors zero empty descriptor not supposed to be used gdt of one is 32 bits so that DB field was set the one is ring zero so here we’re saying the DPL was the descriptor per his level was set to zero he’s code because the system type is set to zero and so the code so except for one meaning code or data and then it goes and looks in the code the type field after it sees that it’s go to data and we have that table where you know when the first pieces were all data and the second pieces were all code right so went down and it took those last three bits from the type field it says for these three bits this is considered code execute read and it has been accessed and typically the access stuff is just automatically set by hardware it’ll it’ll take if you may set something as execute read but if the hardware ever accesses it it says okay you can work that as access now because sometimes do alright so GDP of one is saying it’s ring zero code GDP of two is saying it’s ring zero Dana that kind of makes sense with what we did before with that you know running out the segment registers we have that table and it said you know in user space we had like segment registers which had requested privilege levels of three and stuff like that in our code segment is whatever and are doing a second is whatever so if I take these values and I pull and I look at this sort of table if I go back to the few slides ago that’s when we’re just kind of comparing like this is what we saw right for the point is anyone you know in user space can go ahead and print out what their current you know segment selector is in a segment register but once you have the capability to go look at those data at those actual descriptors and you can say what does it mean that CS is index three in the GDP what does that mean what is the base of index three what is the limit of index 3 what is it privileges what is the 13 versus and so we can see here what was the next one in colonel data was indexed to both was indexed 3 and user space data was indexed for and so when we go back in and we have to keep really actually look at stuff we can you can see basically the same thing here their code and data there execute and read their read write etc all right so then we see there’s another thing called TSS that we don’t know about yet that’s going to be a system segment that we’re going to learn about to the minimum degree possibly later then we see there’s actually like a 16-bit segment in here so there’s a 16 minute agree on an empty one that’s not been used and we got some more PSS and we’ve got a bunch of 16 bits at the empty three cubed TSS and then eventually we have just a bunch of fu script so this gives us a high-level overview of what’s going on with all of our segments at this point now we can go ahead and once again reel down into each of them with bang descriptor well one point I want to make first here there is no LD t1 right I said we can walk through the entire thing and there should be a specific system segment type of type GDP our LD t and there either and I think I register there it is LD t register we said that’s really just a 16-bit register which is just a segment selector into the Det it’s at zero each entry zero is invalid so it’s definitely not using yelling all right so let’s dig into one or two of these quick so we do bang the scripter DDT and then let’s say one this is the kernel code segment if I move this over here’s what this

plugins telling me right now it says okay gdt bass equals 8 0 3 f 0 0 0 where did they get that from shut up or did this plug-in get that off yes the gdt arm right so we got those how do you find where the GDP base is GDP register specifically the upper 32 bits all right and then it says ok you asked me to look at index x1 and that descriptor is the actual linear address where that stored is for this for you know index 1 is 8 0 0 3 F 2 0 0 8 how did we get that address if we had a database and why do we have a to base that’s right so each descriptor is 8 bytes and we have index 1 yes Malou near address means as far as you’re concerned right now yes later on it’s virtual in reality on this system right now it is ritual but you got to learn about virtual memory yet so it’s just an aggressive physical livers like we got all this memory were like all the way up to 8 but it is these once you turn on paging once you do about aging alright so then this right here is dumping out the literal 8 bytes that are found at that location the actual literal bytes of the descriptor in order so this is the byte at 0 0 8 is the by 1000 9 so in order to interpret that right we’ve got we know what the structure looks like and we just need to remember that you know structures are well we just need to know what it says are the low order bit right so in this sort of picture right this right here is byte 0 this right here is bytes war and so this is bit 0 on Phi 2 0 that means if I have hex FF right the least significant bit is considered this part of the segment limit right so these first two bytes that’s got the first two bytes which were I believe F F and F F right that’s the lower order two bytes of this you know 20-minute segment limit and then if I go to the next two bytes there’s more order bytes of the base address so going back and looking at that alright so if F F F F are the bottom two bytes of the limit all right that works and then 0 0 0 0 are the bottom two bytes of the base address and then you know from this up here it gets a little more complexity figure out which one is but basically what that says is if we added all the things together it turns out this one this one this one this one and then so these three and then this one right here are the total base address and that base address is specifying a zero all right and now the literal 20 bits of limit our ffff and it turns out it’s like that app right there so it’s like five apps in order to have 20 bits and so that’s saying ffff I’ll know second and this part right here is printing out the segment size using four kilobyte pages where did it find that from anyone on the phone where did it find he does it know to tell me that it’s four kilobyte pages at a time the you write through your nose don’t know what it is but there’s a bit that says that yes it’s the jeep granularity thing I’m saying regularity is yep so this is good saying at the dress 0:08 is this a dress no zero nine is that just kind of an order hi Greedo could obviously be interpreted either way yeah all right so then it tells us some other helpful things you know it looks at the DB bit and it says okay that’s 32 bits because TV is set to one and then it says segment as presents and to check that P bit the present fit says okay yes present I’m gonna check those two bits for the DP Alan sighs the BPL those two bits are set to zero so when we consider this like a ring zero thing right we haven’t said we’re officially saying that these are art rings but they are and so DPL is zero so this is like a ring zero code thing the type is not a system segment that means it’s color data and specifically it’s a code

segment and it looks like a kept up fitness plugins actually say in this mode that it’s code read write or yeah lead I need execute read and accessible right so instead it in this in this part of the plug-in and said yeah hey that’s execute read access right now that’s what the type is set to code execute read access alright so and then segment is not conforming so I said by Paul non-conforming as the default II means when free can’t jump in and start executing rings their own code yes this right here segment is readable is readable so like I said when you put all of those bits together you get a base address of zero and you get a limit of F F F F F up in four kilobyte chunks so that means functionally you can go from zero to all apps right so you take those and you add on another you know three for maximum or kilobyte chunko zero to not that bad baby therefore altogether he’s saying this segment covers from 0 to 1 less than two to the 32 or covers it all over them right so code segment for kernel covers all of memory well that’s quick look at the code segment the data segment for Colonel I was indexed to because we saw earlier that the data segment richer and actually even if we won’t think in in the the registers window if you go look at these actual literal values for the registers like if we didn’t even if we haven’t even printed out the code segment in the stack segment before we could have went and said ok see s is 8 but okay sorry over to the board down bill right so again just a reminder write all segment registers are always holding segment selector segments like those are just a little 16-bit data structure that has three field equals literal pavement in 1608 CS holds literal feet right now all right but since we know CS like all the other cigarette shows is really just a segment selector structure you know that these few bits right there are right there he’s able indicator all right that says I’m talking about the GDP or the LDP even if we hadn’t printed everything out there before we could went home CS equals 8 like drop the last three bits shift it you know right by three bits oh that’s index one in the gdt so I know that CS the code segment is plenty any next one and SS which is 16 would have been like that right index 2 so I can find my quotient segment I’m in the kernel right now I’m in the kernel debugger and if I wanted to say for me in my kernel right now what segments am I using I’d say off index 1 and index to the GDP so turn out descriptor face GT space to back to me and we see a very similar looking thing you see a different descriptor address because now our index 2 8 bytes each right so 2 times 8 1 0 right we see a literal thing printed out again but it actually looks really similar here in fact the only thing that’s different is this was 9 V this is 93 and you’d have to go you know look at figure out which bits those are pretty sure it’s the type so this one is actually a data segment and as we saw before in the summary view is a data read right and it’s access right now so yes is pointing at a cone segment which is execute read yes is pointing at data sorry SS SS is pointing at data readwrite access and it also has a base address of zero and a limit of all memory so having investigated it we

now know that the kernel has one huge segment for cone starts at zero goes to maximum data starts at zero goes to maximum so for the earlier question about you know Ken segments on the lap yes they can overlap as I said before and in reality they’re always maximally overlap in the kernel let’s just do a quick investigation about those other cone and data for user space okay yep looks like zero to add that up again these are space data again we do see that the DPL is three again right the DPL change the nose so the user space ones are also zero to four billion right so what this means is functionally the OS is not using segmentation for any sort of protection because if all of Mike I think and then someone else has before and you overlap I think in the context of the previous overlap it was like you know can you overlap so that things are treated as code end data and the answer is yes oh it’s always working essentially you’re always just having one big blob of code one big blob of data and because of that that’s why you couldn’t like read in your code and like write to your code and stuff like that because you shouldn’t be able to write to your code based on segmentation permissions right you should not have soft modifying code if cone was kept in a code segment and data was kept in a data segment that code would be non writable right you can’t write two code segments but the other completely overlapped and because you’ll see us and see us and stuff when you do that right to memory it’s implicitly using the stack segment selector right because you’re just writing some data to memory and it just happens to be memory which is in the DS or SS segment right and which happens to be yes yeah no well we’ll talk about later reasons why this may be the case but you can certainly see that it’s simpler right you just have like one giant chunk of memory you don’t have so if you know about the things like in acts and stuff like that already that’s really just trying to get back what’s es but you know code segments had readable executable but not writable right segmentation already had that but no one’s using segmentation that way you can always write to you anything you know data can be executable code can be writable because it’s just one big overlap and when you write the data it’s if they’re all the same segments and they’re all the same linear addresses and they’re all the same logical addresses you can write next to it anywhere makes it so that all of memory is rewrite X later on once that became a problem they were trying to get back to having finer granularity so that they can mark data as not yes it’s probably the case that with Linux systems VST I know what I’m going to say that I’m gonna guess that most BSD is everything that’s it yeah we’ll get into the speculation for that day so that’s what we earned here we can you know pull her out of that with a GDP descriptor or this descriptor can let you look at like LVT and stuff like that but you know if we do a descriptor dump LDP pipes as we said we already see that there is no LDPE so to just say LDPR and zero uh news you’re not for anything anyways that’s there for what it’s worth alright so that was the point of the this lab was to get you a little bit of experience with window bugs we’ll just leave this here pronounced but also to get to the point of thing although Intel may have wanted you they were trying to give operating system designers to capability to do this right so that you can break the code up you can break data up and you’ve got that data is actually sack and this data is actually just regular data so that stack one maybe it’s expanding down picture but attendant was that sort of thing right that’s what they’re trying to achieve but that’s not how people actually used it well so at this point

we do know enough about to say you know some definitive things about what it means to be ring zero and rain-free we’ve seen requested privilege level that’s something that’s at least significant to bits in a segment selector you know those segment selectors are usually just in segment registers sometimes then things like the LDP register remember that is actually just trying to select something other to GDP you see RPL which can be 0 for 3 and stuff like that we see DPL inside the actual segment descriptor right so this describes a 0 to ffff chunk of memory and that’s considered a 0 that’s considered a 3 and so a final thing we need to understand this is that the notion of current privilege life whether I am right now in being 0 or ring free that is defined as well the protection level of the current executing code singer and what that means is whatever is in CS whatever is in the bottom two bits of the segment selector in CS that is whether you are in ring 0 or ring 3 in terms of your capabilities that’s where that’s from once all of the access control lives so the OS when it first loads up when it first sets up segmentation it turns on the first sets of segmentation and it turns on protected mode before it has that it creates some segments it sets some segments descriptors and specifically it sets the first CS segment descriptor have requested privilege level zero that means when they say okay are sorry don’t need actually pager to do that but anyways they said they’re basically an initially in a state where they’re considered liens zero right but once they once the OS is loaded and they want to start you know deep privilege in userspace code they want to let userspace code one but they don’t want to you know messing up everything what they have to do is when they you know context switch into the user space code they need to make sure that the CS register is set such that RPO equals 3 because if our PL is not equal degree at user space code or a user code is still in the ring zero okay so that’s why back here at the very beginning when we just printed stuff out this sort of cable and that’s why ICS had to be three there for the RPL the literal value is whatever but you take the bottom two bits and it’s three that’s what says this code which is running in you know outside of the kernel that’s ring three but when it transitions into the kernel there’s you know access control mechanisms and things like that that’s safe are you allowed to cheat transfer to CS which has you’re on the right look at the others is something that I’m not allowed to get correct yeah so she keyed um the key point here we just said user space in Perl space segments cover all of memory all the time all memory all there is nothing inherent in this memory access portion which prevents being free code from reading the stuff zero if you think of it like you know it goes zero if you think of these linear addresses like they’re just mapping directly it’s a physical ramp there’s nothing stopping ring three from just saying oh well my address is zero plus you know eight zero zero zero no that just happens to be cool right so technically under these sort of systems when you’re covering all of memory you absolutely should be able to go from the user space to everything and the reason why that’s not the case is because of pages right so the only way they can get away with this like making big blobs of things is by having additional access controls in the pages the virtual memory level permissions once you turn on virtual memory that’s where you can then start saying no no this is my data and my data is marked as supervisor level and therefore ring three can’t get it only one zero zero one or two talk about that when we get there but yes absolutely mega segments means no access control for memory access what it does give you though is the things like privileged instructions right so link free can still not set the GDP to whatever they want I defeated whatever they want and do any i/o and stuff like that depending I’ll call that I approve this level set so that’s where the ring zero Ling free first even when you have all of this you know completely overlapping memory it’s

still the hardware is still enforcing these you know can I jump to ring zero can I jump to a free stuff like that that is still enforced but actually that’s a good point you know maybe some of the stuff like the entire segment calls jumps and returns they might still be I don’t think you’ll probably be able to give that may be able to read therefore not actually next to you because I don’t think on the data access there’s RPL DPL kind of checks but I’ll have to check on that actually so now that I’m thinking about that I may have been too strong I’m saying you could access anything everywhere but that battery not eating all right but anyways so back to our hammer times dawn right so the point here is between the CPL rpm scale and stuff like that access control is automatically enforced by the hardware when you’re trying to do something yes I already said that if you’re trying to for instance do an entire segment jump which means like you know when I’m in user space I’m considered in you know segment segment index 3 and the GDP right so I’m in segment 3 and maybe I want to jump to segment 1 for instance right that’s kernel-space this is where actually this is one place where those access controls are enforced so this is at least why I don’t think you necessarily can get there by execution but you maybe can probably still like redo ways so it’s checking something like if Cpl is less than or equal to the descriptive privilege level then a lot so you can think of that like you know my Cpl is zero and I’m trying to you know jump into a ring 3 going zero is less than or equal to ring free if the you know segment is described in its DPL inside of the segment descriptor if it says I’m running three segments now the hardware will be doing these sort of checks which says in zero less than three if so go for it you’re more privileged but in point here if you’re in ring 3 and you’re trying to jump into the ring 0 1 right here 3 is 3 less than 0 no so access denied but I don’t think that is actually checked on data access all right and then yeah so the main thing is unnecessarily the important point is just that there are some instructions where it just says in the manual you must be Cpl equals zero you don’t have to do this what does that mean because if your bottom two bits of CSS are not zero you’re not allowed to access hardware says no by the execute instruction Hardware checks oh what’s your CSS like today and as I said before for those responsible so that the first time it lets some user space code run it better have you know a segment which has the PLO 3 in a better make sure that the CS gets updated to have our PLO 3 it’s pointing at you know a DPL and 3 in the segment set everything access control e works out there so you keep saying the hardware checks does then eat every time you try to read or write Ridley’s right to memory the CPU is going pulling that chunk of memory checking the see you checking your Cpl comparing I I would say that yes but he’s gonna have exactly keep in mind 2 cache endeavors there yes the point is you know it sounds like intensive and stuff like that but in reality lumber since we’re just you know adding a little extra circuitry they can paralyze and go through that secretary at the same time right so before you can get into the circuitry which you know starts executing a specific instruction it just has a little bit that says welcome that ready for programmatic so do a hand or whatever is doing Ryan check that bit yeah have that extra middle few nanoseconds every single memory access the hardware has to propagate through some sort of the create important to get my practice it’s not what that’s right you can to some degree but yeah and then right but then you have more complex penalties alright so if you want to parallelizing start like executing specular easy but oh wait you know turns out that I actually need to kick that out but that wasn’t allowed makes alright so then of course you’re saying you know well if the CPL is just lower bits of CS I’m just gonna go ahead and move you know whatever move eight two CS and therefore I will have you know on my code segment

will be ring zero in my people place Cpl will be zero and no move instruction first of all cannot be used to load the CS register so you can just go ahead and like move assets and move the S and everything like that but for the CS register even in kernel space there is no instruction to just do move value to CS right that only the setting of CS register only happens to very controlled interfaces which are the things like interrupts and stuff like that so you can transition things to interrupt the transition things through intro segment jumps and stuff like that but it’s definitely not the case that you just say oh I want to be green zero even kernel can’t say I want to be rings no not that kernel starts as ring zero that’s a but CPU when it initializes back to its default States you know the the CS registers and stuff like that that’s an appropriate oh there’s some initial segmentation as necessary I assume it’s just you know this is again where I don’t know it off say exactly what it is but I’m assuming that you know the CPU starts in the state where there’s some maximum 16-bit sized thing you know whatever one megabyte dishonest thing and from there code executing in that one megabyte segment has to set up new segment but you know key point would be that yeah music if you’re in wind zero you start the kernel that kernel has to do whatever it needs to be to stay where in this area make sure that rectly be privileged in users the question is about if you’re executing a system call and he already has a notion that maybe that effectors to do the interrupts and stuff like that I think it’s too early to say anything about that but yeah it’s just too early for that when we get to the interrupt descriptor table there will be things that look somewhat similar to these gdt descriptive table type things and it’s again just here someday in the structure and when I vector through this interrupt it’s allowed by this ring and vectors to this segment there is a being segment selector if you’re not and you can select oh this interrupt goes to that concept that’s how control interface where it’s like only whatever set and interrupt the table which you know can’t be sent by a user space only that can change yeah it’s pretty much interrupts all games in here are segmented so your segment control flow like jumps and calls they do it three or so ways that you could actually say oh yes register and returns like halls jumps in return like the colonel may set something up then you return into your space or connections all right so first anyone have any questions on what we’ve learned and to the overall tables anything like that we covered the actual format of these and we said that pointing it’s a surprise we already saw this in the lab right this is more like an intel says you know in the manual oh hey but if you really don’t want to you know get everything all set up complex here’s the flat and remodel instead of having a bunch of you know overlapping non-overlapping completely separate segments stacked like that first complex picture they say oh yeah but if you want you can just go ahead and set everything that point had a code and the data descriptor that cover everything yes yes you know create a question if you can’t set up CS with MOV how does the kernel set up user land process have to do with the lower privileges like I was just sort of saying because there’s only like three or so ways that you can sense yes there are things like intersegmental jump useful new or returns and that’s like a call instruction but where you specify I’m calling in to this or that segment and so when you do that then essentially you know because you’re you’re doing inner segment one that’s where so let’s say you’re in C I’m not actually sure even at the moment which way that the kernel uses like for that initially privilege in encode probably should think I haven’t feeling it’s just a won’t return from either you know it where it pretends that it’s returning from an interrupt or pretends like it’s returning to the call but basically in either calls or returns let’s pretend that it’s doing an intersected return and do you have all right oh I’ll skip

ahead to this quick just to give a sense of things alright this has to do with interrupts but we can pretend it’s the exact same case for inter segment calls in the church we know that when you do a normal call VIP automatically gets put onto the stack right when you do a intersegmental call so the part of the EIP is so that you can get back to wherever you came right when you do an intersect a call and you got to put some segment information there so you can get back to wherever you came up all right so in the inner segment call or an interrupt looks sort of like this this is what gets stuck onto the stack I don’t know if it’s like I don’t think he finds them actually therefore just all returned let’s pretend it is what if you said like I am in you know segment three I’m user space coded I want to jump to segment 1 which is kernel color you’d say you know call segment 1 and then actually I don’t think even there so you’re calling to a different segment and then automatically your VIPs gonna get saved but also your CS is gonna get saved and so that CS and e IP is a logical address so with these inner segment things you’re basically pushing a logical address onto the stack rather than just you know pushing a 32-bit offset and so that’s why all of those other calls and returns and stuff are really just intro segment calls and returns and stuff like that right you only need two you’re not jumping out to someone else’s segment and then needing to come back you’re just bouncing around inside the same made a 4 gigabyte segment right so you only need that 32-bit offset within the same segment to know where you came from where you’re going back up so essentially what I would expect happens with the kernel is that all it does is it sets up its stack like this so it pushes a CSS on to the stack which is the cs of the user space code it pushes the EIP on the stack which is the EIP of PL the runtime initialization code that runs before main and then it you know returns and there it the you know intersegmental return or interrupt return just pops that stuff off the stack puts it into the right register but when it’s doing that there is that privilege level check it says are you allowed to interrupt your turn are you allowed to ensure signet return only if you are returning from a current privilege level which is less than or equal to the privilege level you’re going through so it all works out for the colonel because it’s like I’m rain zero I’m returning back to a 3-0 less than or equal to three and so the hardware lets you set CSD this way right it doesn’t let you just move hey I want to be no rain three now you set something up and you pretend that you’re returning to where you came from it doesn’t access control check and then it let you go because right and that access control check is the key point there because otherwise user space can say oh yeah I would see s0 I would see us so you know eight which is ring ring zero code in next one how is the next one and I was a IP whatever curl function okay I want to interrupt return now into the kernel right but access control check I heard we’re at that point this oh look I see you’re trying to return intersegmental s3 which is not less than or equal to zero fail you know a lot to do it so an answer your question that’s basically how I’m expecting it works is the kernel sets up a stack these is one of these allowable mechanism you don’t know okay so there’s there’s three or so mechanisms that a command will return back to work I mean it could call into the user space but it really doesn’t matter because that initial jumping to user space code it’s not like the user space for the expecting to return back to filthy that means so the kernel could call into user space the eternal could return to user space the intersegmental in return or it could use this interrupt you haven’t learned about yet and still was up for that out sort of question for so this is the world as we know what this is some stuff I threw in here and help you out with the rootkit slacks later I guess I didn’t say about it at the beginning but when we have the rootlets class later I’m planning on running it is I’m going to distribute a VM that has a bunch of like people subscribe me kissing it as many as I can get to run at the same time and actually persist across reboots because some of them don’t seem to be persisting across looks like they could click with each other so they’ll install if I install them in the right order identify the even for the work anyways I’m gonna distribute a VM and I’m going to say find all the little kids you can play that right and mostly knows there’s something there which I know explicitly

tools will not help you find I don’t know how you’re gonna find them maybe gonna do some cool forensic analysis whatever but this is a topic hint hint which I threw in to the intermediate x86 class which wasn’t in there last year which is related to all the segmentation and stuff like that all right there’s this thing called a cold beef descriptor it goes in the GDP we’re still talking about GDP descriptors they don’t write that down what’s to forget I thought I had to call get the Scriptures to be plugging the descriptor plug in I should eventually be uploading version of the description plug-in which will parse this structure and just alright call gates are a type of thing which is meant to be a way that the kernel exports a way for the user space to call into a very specific location in kernel space this is where you just wear that right no space exploited for users so if kernel space kernel space wants to allow some API between user space and kernel space as it usually does there’s this whole question can be for pay attention to this if kernel space wants to explore it and interface between space and kernel space it can use something like a call gate descriptor where it puts this in the GDP and then people can use a call instruction and they can specify they can say call segment selector and that segment selector selects from the GDP any of that segment select our selects a call gate then it’ll go ahead and we’ll do you know a DPL check and stuff like that and I’ll say ok well you can call this index and this song gate is basically going to have two components one a segment selector and two 32-bit offset so it’s basically the kernel setting this thing in the in the GDP that’s saying all right so I want you the space to call to one specific offset I don’t want them to just like jump anywhere into the kernel they can call to this one location which I’ve specified and I’m gonna you know put some kernel code there which handles whatever they’re doing maybe they’re passing these parameters and I’m going to like have code there which checks their parameters and does the division all gates are the basis for your typical system call capabilities so whether you’re UNIX and unix-like the system call table we know they call the system service descriptor table previously they were in or they were in implemented with interrupts nowadays they’re implemented with the separate instructions this college we don’t talk about I think it’s going to be in the root K class but the point here is kernel typically restricts it so that it’s the only one who’s allowed to access hardware right you don’t want the user space going going out there and you’ll scribbling all over your video buffer you don’t want it scribbling all over your hard drive stuff like that so one of them any points of kernel space separation and use of space kernel space an inner process operation all that one of the many points is that the colonel wants to be the guy who’s in charge of talking the hardware right it will let many processes run in parallel and let them think that they’re special in half you know exclusive use of the system but when it gets time to start accessing hardware for instance the file system you call the kernel function open file or whatever write that open file is exported from kernel through user space and you know it’s it’s somewhere buried in a user space see library it eventually you know gets down to the point where the user space library calls into the kernel and says oh the federal export open file function and then eventually there’s for instance an interrupt where on linux you may be seen in 280 in the past so interrupts x80 will call a specific call gates which then allows the code to jump to a specific location in kernel and that kernel thing says okay your parameters are you know EAX EBX ECX whatever they’ll say okay if you put EI x equal to you know 5200 or whatever then I see that you want me to jump to the open file and I’ll you know I’ll pull the name of the file you want to open the one your other so call gates are basically the way that the colonel says no user space you may jump to one specific location you may pass some parameters and then you know based on that I’ll go ahead and you know have some code at that location and I will execute whatever you’re asking for with this exported API and so that’s typically you know the core system API has begun and those they they called it

the native API and stuff like that because it’s like the API the kernel exports and when it comes all down to it one way or the other if you want to access the process and you gotta work with the kernel it has this service descriptor table okay all right so getting into the actual details of this is much simpler than the other ones really the point like I said is there is a 32 bit segment offset and then there’s a segment selector so really the bulk of it is a logical address right it’s saying I’ve got a logical address that points that you can learn code for any system call right so if you want to call a system call it’s always pointing only at this location you know user space can update the GTT therefore the kernel sets at once the user space calls to this gate using into a tea or on windows it used to be institute league unlike Windows 2000 and earlier you see wouldn’t in to eat and that’s how you’re you’re actually saying Oh see I completely subscribed it alone it’s actually using interrupts ah yeah very similar to interrupt is a college yeah the point of a point the reason they put in the Colgate was so that you could do system called table but everyone ended up implementing them interrupts instead so weather alert interrupts descriptors look very much like this no there’s so there’s new more optimized instructions that are dedicated to system calls like okay so after like Windows 2000 they stop using it anyway so the point of the call descriptors was so that you could have these sort of interfaces between user space and kernel space the kernel can set a call gate and rather than doing you know it’s 80 it would do like a call to the segment select next call with the segment selector which selects the specific call gate so we just say you know call whatever X 20 or something like that that hex 20 would be used as segments like that you clear out the index to point out a call me the hardware would say okay well I see that this has a DPL of let’s say 3 it says ok this can be called by people who are ring 3 and if it’s called by people who rain-free transfer to this segment it’s got a different segment selector and that can point at ring 0 segment and then this offset into that segment so it’s kind of a way to get the users face-to-face to a very specific location very controlled right we said there’s very controlled ways to get from one place the other interrupt someone their segment calls are another and trying to remember it was actually different to theirs then I call there is a difference between intersegmental calls on this this is yeah so you can do intersect with calls what’s one thing you can bounce around between different segments but normally you know you’re not going to be able to intersect the call from you know thing 3 1 through link 0 this is a controlled interface that allows you to essentially do an inter segment call through a higher privilege great but it’s only set up because the kernel is you expecting specific specific influence and it’s going to only go to one location that’s meant to handle these are used yes I still put them in there another parameter how you actually told me to see if I have another next slide right like that yeah I don’t know if that instruction actually works about I feel like it does but then I was having some weirdness I think it looks roughly like this you say call F word which is our pointer word I guess and so it’s saying column F word pointer and then you have a logical address for PowerPoint or logical address and then it’s got a far pointer which is a segment selector which is eight so it’s saying you know I want to call we know that there’s not a call gate at index eight so I should change that something whatever okay all right so really it’s saying I’m going to call to segment index you know whatever twenty-eight shift is I 3 is gonna pull the in the harbor is gonna pull the index out of that twenty-eight segment selector go to that index if it’s a call gate then it’ll go ahead and check is the DPL acceptable you know chemists call gape you called my ring three typically you would only set up Colgate if you’re trying to or you know the point is maybe call gates in the way that you get from ring zero or ring three to wing one then from wing one to ranging right in the you know using all the rings case maybe you want these very controlled interfaces like this right that’s the only way you can get from

ring three doing to do any cheating one is through one tiny little you know people between the religious right this is basically how you call it using light assembly a network pointer you specify a segment selector which gets you to your call game and then this offset right here it doesn’t even matter so there’s one two three four five six seven eight and where doesn’t care so it’s just making you give it far with our pointer but in reality it’s all about the segment I think the reason for this is because this can be like a calling right so I said before you can call inner segment at the same privilege level and that would look like the same way right you’d say I want to call to that segment but you know I know that it’s gonna work say for this level but in this case if it sees that you know that segment turns out to instead of just being you know some chunk of memory and that second it turns out to be a Colgate and the hardware is going to do something else we’re functionally this doesn’t matter I think this is just a case where this is an overloaded operator right you can call between segments and you need a far corner for sure for that but if you’re calling to a higher privilege you don’t need that that offset in there because the offset is stored right here you’ve only got one choice of offset whatever but for us that’s basically I think it would essentially be just you know when you write a see library for a given operating systems like how does the library know that it’s in to me versus it dating right the library when written you know most of it’s on the same for normalcy library right they could just say here’s all the excitation system suicide when it comes to things like hardware access right you need to start knowing os you mention that the OS has to have somewhere where they safe library writers hey if you want to open files here’s how you do it is somewhere deep down in their specification the OSS and you actually do it by calling in Katy you actually do it by calling to a call gate at index you know 28 that’s really just you know a specific convention that we set up but that is pretty much everything we’re way over on a break but that is pretty much everything we’ll come back and we’ll kind of describe why we’re learning segmentation some of that after you know after the revelation that you know all of memory is just one big segments read/write/execute was the point of it