Intel 80386 manual Privileged Instructions, Segment Protection

Models: 80386

Page 37
3.4.2 Privileged Instructions

In addition to defining which segments and pages it can use, a task's privilege level defines the instructions it can execute. The 80386 has a number of instructions whose execution must be tightly controlled to prevent serious system disruption. All of the instructions that load new values into the system registers are examples of privileged instructions. Only a task running at privilege level 0 can execute privileged instructions,

3.4.3 Segment Protection

The descriptors in a task's LDT and GDT define the task's logical address space. The segments defined in these tables are theoretically addressable, because the descriptor tables provide the information necessary to compute a segment's address. However, an addressable segment may not be accessible to a particular operation because of the additional protection checks made by the 80386. The 80386 checks every segment reference (whether generated by the execution of an instruction or an instruction fetch) to verify that the reference is consistent with the protection attributes of the segment as described below.

Privilege  To access a segment, a program must be at least as privileged as the segment. For example, a program running at level 3 can only reference segments whose privilege level is also 3, while a program running at level 0 can access all segments in its logical address space.

Limit  A reference to a segment must fall within the segment's limit. Segment limits enable the processor to trap common programming errors such as stack overflow, bad pointers and array subscripts, and bad call and jump addresses. In cases where the operating system can determine that a reference outside the bounds of a segment is not an error (stack overflow is an example in some systems), the operating system can extend the segment (for example, by adding a page to it) and restart the instruction.

Type  Each descriptor contains a type field that the processor checks for consistency with the instruction it is executing. Ordinary segments have a type of code or data, enabling the processor to catch an attempt to overwrite code, for example. The segment types manipulated directly by applications are code and data. System descriptors are also typed so the processor can verify, when it is switching tasks, for example, that the segment named in a Jump TSS instruction is in fact a Task State Segment.

Rights  A segment descriptor can be marked with rights that restrict the operations permitted on the associated segment. Code segments can be marked executable or executable-and-readable. Data segments can be marked read-only or readable-and-writable.
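The four checks above, worked through on raw 8-byte 80386 descriptors, as an added example that is not from the Intel manual. It is a deliberately simplified model of what this section describes: conforming code segments, expand-down data, the RPL of the selector and the present bit are left out, and the order in which the checks are applied is this example's choice. The descriptor bytes and the `check_access` function are constructed for illustration.

```c
#include <stdint.h>

/* Operation being attempted on the segment, and the protection check that rejects it. */
enum op { OP_READ, OP_WRITE, OP_EXEC };
enum fault { SEG_OK = 0, SEG_PRIVILEGE, SEG_LIMIT, SEG_TYPE, SEG_RIGHTS };

struct desc {
    uint32_t limit;     /* byte-granular limit after applying the G bit */
    uint8_t dpl;        /* descriptor privilege level, 0 (most) .. 3 (least) */
    uint8_t is_code;    /* type bit 3: 1 = code segment, 0 = data segment */
    uint8_t rw;         /* type bit 1: readable (code) or writable (data) */
};

/* Pull the fields this model needs out of the 8 descriptor bytes (little-endian layout). */
static struct desc decode(const uint8_t d[8]) {
    struct desc s;
    uint32_t limit = d[0] | (d[1] << 8) | ((uint32_t)(d[6] & 0x0F) << 16);
    s.limit   = (d[6] & 0x80) ? ((limit << 12) | 0xFFF) : limit; /* G=1: limit in 4 KB pages */
    s.dpl     = (d[5] >> 5) & 3;
    s.is_code = (d[5] >> 3) & 1;
    s.rw      = (d[5] >> 1) & 1;
    return s;
}

/* Privilege, limit, type and rights checks for one access by code running at cpl. */
enum fault check_access(const uint8_t d[8], int cpl, uint32_t off, enum op op) {
    struct desc s = decode(d);
    if (cpl > s.dpl)                 return SEG_PRIVILEGE; /* must be at least as privileged */
    if (off > s.limit)               return SEG_LIMIT;     /* reference outside the segment */
    if (op == OP_EXEC && !s.is_code) return SEG_TYPE;      /* data is not executable */
    if (op == OP_WRITE && s.is_code) return SEG_TYPE;      /* attempt to overwrite code */
    if (op == OP_WRITE && !s.rw)     return SEG_RIGHTS;    /* read-only data */
    if (op == OP_READ && s.is_code && !s.rw) return SEG_RIGHTS; /* execute-only code */
    return SEG_OK;
}

/* Constructed descriptors: level-3 writable data, limit 0xFFF bytes (G=0). */
const uint8_t user_data_desc[8]   = { 0xFF, 0x0F, 0, 0, 0, 0xF2, 0x40, 0 };
/* Level-0 execute-only code, limit 0xFFFFF pages (G=1), i.e. the whole 4 GB space. */
const uint8_t kernel_code_desc[8] = { 0xFF, 0xFF, 0, 0, 0, 0x98, 0xCF, 0 };
```

Running the checks over the two constructed descriptors shows a level-3 task writing its own data segment succeeding, the same task being refused access to level-0 code on the privilege check, and level-0 code being refused a read of its execute-only segment on the rights check.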

All of the checks described above depend on the integrity of descriptors. If a task executing its application code could change a descriptor, the checks would guarantee nothing. For this reason, an operating system can restrict access to descriptor tables to privilege level 0 code.

Note that for sharing, different descriptors for the same segment (that is, aliases) may have different protection attributes, allowing, for example, one task to read and write a segment while another can only read it. Aliases also permit the operating system to override the protection system when necessary, for example, to move a code segment.
