Privileged mode commands in FreeBSD processes

Kostik Belousov kostikbel at gmail.com
Wed Aug 31 21:06:45 UTC 2011


On Wed, Aug 31, 2011 at 11:41:29PM +0400, Victor wrote:
> Is it possible to write and start a program in FreeBSD, which could 
> execute processor commands of privileged modes (protection rings), 
> commonly prohibited to a process in the user mode?
> 
> For example we could permit the process direct access to i/o ports (IN 
> and OUT commands on PC architecture), execution of the software 
> interrupt command with any operand (INT), access to descriptor tables 
> registers (GDT, LDT, etc.) with capability of changing content of both 
> these registers and descriptor tables themselves (situated in the RAM).  
> We could also allow the process to change flag bits in the registers of 
> CPU, responsible for processor modes (memory addressing modes, 
> transition from protected to real mode and vice versa, etc.) In fact, if 
> this feature exists in FreeBSD, it must switch the processor for the 
> time of execution of this process to the mode with higher privileges (to 
> the protection ring from 2 to 0, not 3 in x86). I would like to ask the 
> FreeBSD community, does this possibility exist in FreeBSD?
> 
> I understand the problem can be easily solved by dividing the program 
> into two parts: the process (COFF or ELF file) and the driver. All the 
> code, containing privileged commands, could be placed in the driver, as 
> the rest of the code (its unprivileged part) could be contained in the 
> process. As far as I understand, the driver code is executed in the 0 
> ring mode, so it has no restrictions. On the other hand it would be 
> interesting to have such an opportunity for common processes in both 
> educational (e.g. studying assembler privileged mode commands) and 
> technical purposes. Of course this feature is a great threat for system 
> safety, and besides, programs using it can easily completely destroy 
> the system; however, it could be useful for some aims.
> 
> Does anything of such kind exist in FreeBSD? If it does, please give me 
> a reference in the FreeBSD documentation.

You can try to jump into userspace address from the ring 0 (kernel) mode,
but there are several reasons already why it will not work on x86 now,
and there will be more reasons why it will not work in the future.

The kernel often uses the ring bits of the saved %cs to distinguish the source
of the trap as being user or kernel mode. This would prevent any trap
from being correctly handled by the kernel, if the trap happens in this
mode of execution. You probably need to wire all the pages that can be
accessed by this mode, but other traps cannot be eliminated that easily.

Newest Intel CPUs have a so-called SMEP facility, that disables execution
in ring 0 from any page that has ring-3 access enabled. That will prevent
the future exploits and your mode from working.
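As an added illustration (not code from the FreeBSD kernel or from anyone in this thread), a small C model of the two checks the reply describes: the trap handler classifying a trap by the RPL bits of the saved %cs rather than by the faulting address, and SMEP refusing a ring-0 instruction fetch from a user-accessible page. The selectors 0x20 and 0x43 and the address 0x400000 are constructed sample values; the CR4 bit position follows the x86 architecture.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added model of the two checks described above; not FreeBSD kernel code.
 * The real trap() has more cases (e.g. copyin/copyout fault recovery)
 * that are left out here. */
#define SEL_RPL_MASK 0x3u         /* low two bits of a selector: RPL */
#define SEL_KPL      0u           /* kernel privilege level */
#define SEL_UPL      3u           /* user privilege level */
#define CR4_SMEP     (1ull << 20) /* CR4 bit enabling SMEP */

/* What the trap handler sees: the saved %cs and the faulting %rip. */
struct trapframe_model {
    uint16_t tf_cs;
    uint64_t tf_rip;
};

enum outcome {
    HANDLED_AS_USER_TRAP,   /* kernel delivers a signal to the process */
    HANDLED_AS_KERNEL_TRAP, /* kernel treats it as its own fault: panic */
    SMEP_FAULT              /* instruction fetch refused before it runs */
};

/* The kernel derives the trap source from the RPL bits of the saved %cs,
 * never from the address, so ring-0 code faulting in a user page is
 * handled as a kernel trap. With SMEP on, a fetch at CPL 0 from a page
 * whose PTE has the U/S bit set (code_page_user) is refused outright. */
enum outcome model_trap(const struct trapframe_model *tf,
                        bool code_page_user, uint64_t cr4)
{
    unsigned cpl = tf->tf_cs & SEL_RPL_MASK;
    if ((cr4 & CR4_SMEP) && cpl == SEL_KPL && code_page_user)
        return SMEP_FAULT;
    return cpl == SEL_UPL ? HANDLED_AS_USER_TRAP : HANDLED_AS_KERNEL_TRAP;
}

int main(void)
{
    /* Constructed sample frames: selector 0x20 has RPL 0 (kernel code),
     * 0x43 has RPL 3 (user code); 0x400000 is a constructed user address. */
    struct trapframe_model user = { .tf_cs = 0x43, .tf_rip = 0x400000 };
    struct trapframe_model ring0 = { .tf_cs = 0x20, .tf_rip = 0x400000 };

    printf("ordinary process trap: %d\n", model_trap(&user, true, 0));
    printf("ring 0 in user page, no SMEP: %d\n", model_trap(&ring0, true, 0));
    printf("ring 0 in user page, SMEP: %d\n", model_trap(&ring0, true, CR4_SMEP));
    return 0;
}
```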