Unit3

Protection & Multitasking

 Agenda
• Protection
• Multitasking

12/18/2019 2
 Protection
• Points covered
– Need of Protection,
– Overview of 80386DX Protection Mechanisms,
– Segment Level Protection,
– Page Level Protection,
– Combining Segment and Page Level Protection

12/18/2019 3
 Need of Protection
• to help detect and identify bugs
• 80386 supports sophisticated applications with
hundreds or thousands of program modules
• In such applications, the question is how bugs can be
found and eliminated as quickly as possible and how
their damage can be tightly confined
• To help debug applications faster and make them more
robust in production, the 80386 contains mechanisms
to verify memory accesses and instruction execution
for conformance to protection criteria.
• These mechanisms may be used or ignored, according
to system design objectives.

12/18/2019 4
 Overview of mechanism
Protection in the 80386 has five aspects:
1. Type checking
2. Limit checking
3. Restriction of addressable domain
4. Restriction of procedure entry points
5. Restriction of instruction set
• The protection hardware of the 80386 is an
integral part of the memory management
hardware.
• Protection applies both to segment translation
and to page translation.
12/18/2019 5
 Overview continued…

• Each reference to memory is checked by the

hardware to verify that it satisfies the
protection criteria.
• All these checks are made before the memory
cycle is started; any violation prevents that
cycle from starting and results in an exception.
• Since the checks are performed concurrently
with address formation, there is no
performance penalty.
12/18/2019 6
 Overview continued…

• Invalid attempts to access memory result in an

exception.
• The concept of "privilege" is central to several
aspects of protection.
• Applied to procedures, privilege is the degree to
which the procedure can be trusted not to make
a mistake that might affect other procedures or
data.
• Applied to data, privilege is the degree of
protection that a data structure should have from
less trusted procedures.

12/18/2019 7
 Segment-Level Protection
• All five aspects of protection apply to segment
translation:
1. Type checking
2. Limit checking
3. Restriction of addressable domain
4. Restriction of procedure entry points
5. Restriction of instruction set

12/18/2019 8
• The segment is the unit of protection, and
segment descriptors store protection
parameters.
• Protection checks are performed
automatically by the CPU when the selector of
a segment descriptor is loaded into a segment
register and with every segment access.
• Segment registers hold the protection
parameters of the currently addressable
segments.
12/18/2019 9
Protection fields of Segment Descriptors

12/18/2019 10
• The protection parameters are placed in the
descriptor by systems software at the time a
descriptor is created.

12/18/2019 11
12/18/2019 12
• When a program loads a selector into a
segment register, the processor loads not only
the base address of the segment but also
protection information.
• Each segment register has bits in the invisible
portion for storing base, limit, type, and
privilege level; therefore, subsequent
protection checks on the same segment do
not consume additional clock cycles.

12/18/2019 13
 Type Checking
• The TYPE field of a descriptor has two functions:
– It distinguishes among different descriptor formats.
– It specifies the intended usage of a segment.
• The type fields of data and executable segment
descriptors include bits which further define the
purpose of the segment
• W: writable in data segment descriptor specifies
whether instructions can write into the segment,
• R: Readable bit in an executable-segment
descriptor specifies whether instructions are
allowed to read from the segment.
12/18/2019 14
• A readable, executable segment may be read
in two ways:
– Via the CS register, by using a CS override prefix.
– By loading a selector of the descriptor into a data-
segment register (DS, ES, FS, or GS).
• Type checking can be used to detect
programming errors that would attempt to
use segments in ways not intended by the
programmer.

12/18/2019 15
The processor examines type information on two kinds of occasions:
– When a selector of a descriptor is loaded into a segment register.
Certain segment registers can contain only certain descriptor types;
for example:
• The CS register can be loaded only with a selector of an executable
segment.
• Selectors of executable segments that are not readable cannot be
loaded into data segment registers.
• Only selectors of writable data segments can be loaded into SS.
– When an instruction refers (implicitly or explicitly) to a segment
register. Certain segments can be used by instructions only in certain
predefined ways; for example:
• No instruction may write into an executable segment.
• No instruction may write into a data segment if the writable bit is
not set.
• No instruction may read an executable segment unless the
readable bit is set.

12/18/2019 16
 System and Gate Descriptor types

12/18/2019 17
 Limit Checking
• To prevent programs from addressing outside the
segment.
• interpretation of the limit depends on the setting
of the G (granularity) bit
– When G= 0, the actual limit is the value of the 20-bit
limit field as it appears in the descriptor.
– In this case, the limit may range from 0 to 0FFFFFH
(220 - 1 or 1 megabyte).
– When G= 1, the processor appends 12 low-order one-
bits to the value in the limit field.
– In this case the actual limit may range from 0FFFH (212
- 1 or 4 kilobytes) to 0FFFFFFFFH (232 - 1 or 4
gigabytes).
12/18/2019 18
• For data segments, the processor's interpretation
of the limit depends also on the E-bit (expansion-
direction bit) and the B-bit (big bit)
• The processor causes a general protection
exception in any of these cases:
– Attempt to access a memory byte at an address> limit.
– Attempt to access a memory word at an address
>=limit.
– Attempt to access a memory doubleword at an
address >=(limit-2).

12/18/2019 19
• For expand-down data segments, the limit has
the same function but is interpreted
differently.
• In these cases the range of valid addresses is
from limit + 1 to either 64K-1 or 232 -1 (4
Gbytes) depending on the B-bit.
• An expand-down segment has maximum size
when the limit is zero.

12/18/2019 20
• The limit field of descriptors for descriptor
tables is used by the processor to prevent
programs from selecting a table entry outside
the descriptor table.
• The limit of a descriptor table identifies the
last valid byte of the last descriptor in the
table.
• Since each descriptor is eight bytes long, the
limit value is N * 8 - 1 for a table that can
contain up to N descriptors.
12/18/2019 21
 Privilege Levels
• The concept of privilege is implemented by
assigning a value from zero to three to key
objects recognized by the processor. This value
is called the privilege level.
• The value zero represents the greatest
privilege, the value three represents the least
privilege.

12/18/2019 22
Processor-recognized objects containing
privilege levels
• Descriptors contain a field called the descriptor
privilege level (DPL).
• Selectors contain a field called the requestor's
privilege level (RPL). The RPL is intended to
represent the privilege level of the procedure
that originates a selector.
• An internal processor register records the current
privilege level (CPL). Normally the CPL is equal to
the DPL of the segment that the processor is
currently executing. CPL changes as control is
transferred to segments with differing DPLs.
12/18/2019 23
• The processor automatically evaluates the right
of a procedure to access another segment by
comparing the CPL to one or more other privilege
levels.
• The evaluation is performed at the time the
selector of a descriptor is loaded into a segment
register.
• The criteria used for evaluating access to data
differs from that for evaluating transfers of
control to executable segments

12/18/2019 24
 Rings of Protection

12/18/2019 25
• The center is for the segments containing the
most critical software, usually the kernel of the
operating system. Outer rings are for the
segments of less critical software.
• It is not necessary to use all four privilege levels.
Existing software that was designed to use only
one or two levels of privilege can simply ignore
the other levels offered by the 80386.
• A one-level system should use privilege level zero;
a two-level system should use privilege levels
zero and three.
12/18/2019 26
 Restricting Access to Data
• To address operands, an 80386 program must
load the selector of a data segment into a
data-segment register (DS, ES, FS, GS, SS)
• The processor automatically evaluates access
to a data segment by comparing privilege
levels.
• The evaluation is performed at the time a
selector for the descriptor of the target
segment is loaded into the data-segment
register.
12/18/2019 27
 Privilege Level Checking
• Three different privilege levels enter into this
type of privilege check

12/18/2019 28
• Instructions may load a data-segment register
(and subsequently use the target segment)
only if the DPL of the target segment is
numerically greater than or equal to the
maximum of the CPL and the selector's RPL
(i.e. EPL).
• In other words, a procedure can only access
data that is at the same or less privileged
level.

12/18/2019 29
 Accessing Data in Code Segments
• Less common than the use of data segments is the use
of code segments to store data.
• Code segments may legitimately hold constants; it is
not possible to write to a segment described as a code
segment.
• The following methods of accessing data in code
segments are possible:
– Load a data-segment register with a selector of a
nonconforming, readable, executable segment.
– Load a data-segment register with a selector of a
conforming, readable, executable segment.
– Use a CS override prefix to read a readable, executable
segment whose selector is already loaded in the CS
register.
12/18/2019 30
 Restricting Control Transfers
• JMP, CALL, RET, INT, and IRET, the exception and interrupt
mechanisms
• The "near" forms of JMP, CALL, and RET transfer within the
current code segment, and therefore are subject only to
limit checking.
• no extra clock cycles
• The operands of the "far" forms of JMP and CALL refer to
other segments; therefore, the processor performs
privilege checking.
• There are two ways a JMP or CALL can refer to another
segment:
– The operand selects the descriptor of another executable
segment.
– The operand selects a call gate descriptor.

12/18/2019 31
• Two different privilege levels enter into a
privilege check for a control transfer

12/18/2019 32
• Normally CPL = DPL of the segment that the processor
is currently executing
• CPL may, however, be greater than DPL if the
confirming bit is set in the descriptor of the current
executable segment.
• The processor keeps a record of the CPL cached in CS
register; this value can be different from the DPL in the
descriptor of the code segment
• Processor permits a JMP or CALL directly to another
segment only if one of the following privilege rules is
satisfied:
– DPL of the target is equal to CPL
– The conforming bit of the target code-segment descriptor
is set, and the DPL of the target is less than or equal to CPL
12/18/2019 33
Conforming & Nonconforming Segments
• An executable segment whose descriptor has the conforming
bit set is called a conforming segment.
• The conforming-segment mechanism permits sharing of
procedures that may be called from various privilege levels but
should execute at the privilege level of the calling procedure.
• E.g. math libraries and some exception handlers.
• When control is transferred to a conforming segment, the CPL
does not change. This is the only case when CPL may be
unequal to the DPL of the current executable segment.
• For nonconforming segments, control can be transferred
without a gate only to executable segments at the same level
of privilege.
• There is a need, however, to transfer control to (numerically)
smaller privilege levels; this need is met by the CALL
instruction when used with call-gate descriptors
12/18/2019 34
Gate Descriptors Guard Procedure Entry
Points
• Gate Descriptors are used to provide
protection for control transfers among
executable segments at different privilege
levels.
• Four kinds of gate descriptors
– Call gates (We will focus on call gate)
– Trap gates
– Interrupt gates
– Task gates

12/18/2019 35
 Call Gate
• Call gate has two primary functions
– To define an entry point of a procedure.
– To specify the privilege level of the entry point.
• Call gate descriptors are used by call and jump
instructions in the same manner as code
segment descriptors.
• When the hardware recognizes that the
destination selector refers to a gate descriptor,
the operation of the instruction is expanded
as determined by the contents of the call gate
12/18/2019 36
• The selector and offset fields of a gate form a
pointer to the entry point of a procedure.
• A call gate guarantees that all transitions to
another segment go to a valid entry point
• The far pointer operand of the control transfer
instruction does not point to the segment and
offset of the target instruction; rather, the
selector part of the pointer selects a gate, and the
offset is not used.
12/18/2019 37
 Indirect transfer via call gate

12/18/2019 38
• Four different privilege levels are used to check
the validity of a control transfer via a call gate
• The CPL
• The RPL
• The DPL
(gate descriptor)
• The DPL
(descriptor of target
Executable segment)

12/18/2019 39
 Restriction of instruction set
• Instructions that have the power to affect the
protection mechanism or to influence general
system performance can only be executed by
trusted procedures.
• The 80386 has two classes of such
instructions:
– Privileged instructions-those used for system
control.
– Sensitive instructions-those used for I/O and I/O
related activities.

12/18/2019 40
 Privileged Instructions
CLTS -Clear Task-Switched Flag
HLT -Halt Processor
LGDT -Load GDT Register
LIDT -Load IDT Register
LLDT -Load LDT Register
LMSW -Load Machine Status Word
LTR -Load Task Register
MOV to/from CRn -Move to Control Register n
MOV to/from DRn -Move to Debug Register n
MOV to/from TRn -Move to Test Register n

12/18/2019 41
 Page Level Protection
• Two kinds of protection are related to pages
– Restriction of addressable domain
– Type checking
• Protection fields of page table entries

12/18/2019 42
 Restricting addressable domain
• Supervisor Level U/S=0: for OS, Sys Software and
related data
• User Level U/S=1: for applications procedures
and data
• The current level (U or S) is related to CPL.
• If CPL is 0, 1 or 2, the processor is executing in
supervisory level (i.e. all pages are addressable)
• If CPL is 3, the processor is executing in user level
(i.e. only pages that belongs to the user level are
addressable)

12/18/2019 43
 Type Checking
• Read-only access (R/W = 0)
• Read/Write access (R/W = 1)
• When processor is executing at supervisory
level, all pages are both readable and writable
• When the processor is executing at user level,
only pages that belong to user level and are
marked for R/W access are writable (Pages
that are belong to supervisor level are neither
readable nor writable from user level.
12/18/2019 44
12/18/2019 45
Combining Page and Segment Protection
• When paging is enabled, the 80386 first
evaluates segment protection, then evaluates
page protection.
• If the processor detects a protection violation
at either the segment or the page level, the
requested operation cannot proceed; a
protection exception occurs instead.

12/18/2019 46
 Multitasking
• Multitasking?
• To provide efficient, protected multitasking, the
80386 employs several special data structures
and registers
– Task state segment
– Task state segment descriptor
– Task register
– Task gate descriptor
• With these structures the 80386 can rapidly
switch execution from one task to another, saving
the context of the original task so that the task
can be restarted later
12/18/2019 47
• In addition to the simple task switch, the 80386
offers two other task-management features:
• Interrupts and exceptions can cause task switches
• With each switch to another task, the 80386 can
also switch to another LDT and to another page
directory. Thus each task can have a different
logical-to-linear mapping and a different linear-
to-physical mapping. This is yet another
protection feature, because tasks can be isolated
and prevented from interfering with one another

12/18/2019 48
 Task State Segment
• All the information the
processor needs in
order to manage a task
is stored in a special
type of segment, a
task state segment
(TSS)

12/18/2019 49
 The fields of a TSS
• A dynamic set that the processor updates
with each switch from the task
– General purpose registers, segment registers,
EFLAGs, EIP, selector of the TSS of the previously
executing task (if return expected)
• A static set that the processor reads but does
not change
– Selector of task’s LDT, PDBR, Pointers to the stacks,
T-bit, I/O map base

12/18/2019 50
• Dynamic Set:
– The general registers (EAX, ECX, EDX, EBX, ESP,
EBP, ESI, EDI).
– The segment registers (ES, CS, SS, DS, FS, GS).
– The flags register (EFLAGS).
– The instruction pointer (EIP).
– The selector of the TSS of the previously executing
task (updated only when a return is expected).

12/18/2019 51
• Static Set
– The selector of the task's LDT.
– The register (PDBR) that contains the base address
of the task's page directory (read only when
paging is enabled).
– Pointers to the stacks for privilege levels 0-2.
– The T-bit (debug trap bit) which causes the
processor to raise a debug exception when a task
switch occurs.
– The I/O map base
12/18/2019 52
 TSS Descriptor

• Like all other segments, TSS is defined by a

descriptor.
• B bit indicates whether the task is busy (Type
code 9: Non-busy task & 11: busy task)
• Tasks are not reentrant
• The BASE, LIMIT, and DPL fields and the G-bit and
P-bit have functions similar to their counterparts
in data-segment descriptors.
12/18/2019 53
• The LIMIT field, however, must have a value equal to or
greater than 103. An attempt to switch to a task whose TSS
descriptor has a limit less that 103 causes an exception.
• A larger limit is permissible, and a larger limit is required if an
I/O permission map is present.
• A larger limit may also be convenient for systems software if
additional data is stored in the same segment as the TSS.
• A procedure that has access to a TSS descriptor can cause a
task switch.
• TSS descriptors may reside only in the GDT. An attempt to
identify a TSS with a selector that has TI = 1, results in an
exception.

12/18/2019 54
 Task Register
• The task register (TR)
identifies the currently
executing task by
pointing to the TSS.
• Figure shows the path
by which the processor
accesses the current
TSS.

12/18/2019 55
• The TR has both a "visible" portion and an
"invisible" portion.
• The selector in the visible portion selects a TSS
descriptor in the GDT.
• The processor uses the invisible portion to cache
the base and limit values from the TSS descriptor.
• Holding the base and limit in a register makes
execution of the task more efficient, because the
processor does not need to repeatedly fetch
these values from memory when it references
the TSS of the current task.

12/18/2019 56
• The instructions L TR and STR are used to
modify and read the visible portion of the task
register.
• Both instructions take one operand, a 16-bit
selector located in memory or in a general
register.
• LTR is a privileged instruction
• STR is not privileged instruction

12/18/2019 57
 Task Gate Descriptor

• A task gate descriptor provides an indirect,

protected reference to a TSS.
• The SELECTOR field of a task gate must refer
to a TSS descriptor. The value of the RPL in this
selector is not used by the processor.
• The DPL field of a task gate controls the right
to use the descriptor to cause a task switch.
12/18/2019 58
• A procedure may not select a task gate
descriptor unless the maximum of the
selector's RPL and the CPL of the procedure is
numerically less than or equal to the DPL of
the descriptor.
• This constraint prevents untrusted procedures
from causing a task switch.
• Note: that when a task gate is used, the DPL of
the target TSS descriptor is not used for
privilege checking.
12/18/2019 59
Task Gates Indirectly Identifies Task

12/18/2019 60
 Task Switching
• Four cases:
– The current task executes a JMP or CALL that
refers to a TSS descriptor.
– The current task executes a JMP or CALL that
refers to a task gate.
– An interrupt or exception vectors to a task gate in
the IDT.
– The current task executes an IRET when the NT
flag is set.

12/18/2019 61
 Steps involved in task switching
• Checking that the current task is allowed to
switch to the designated task
• Checking that the TSS descriptor of the new task
is marked present and has a valid limit
• Saving the state of the current task.
• Loading the task register with the selector of the
incoming task's TSS descriptor, marking the
incoming task's TSS descriptor as busy, and
setting the TS (task switched) bit of the MSW
• Loading the incoming task's state from its TSS and
resuming execution

12/18/2019 62
 Task Linking
• The back-link field of the TSS and the NT (nested task) bit of
the flag word together allow the 80386 to automatically
return to a task that CALLed another task or was
interrupted by another task.
• When a CALL instruction, an interrupt instruction, an
external interrupt, or an exception causes a switch to a new
task, the 80386 automatically fills the back-link of the new
TSS with the selector of the outgoing task's TSS and, at the
same time, sets the NT bit in the new task's flag register.
• The NT flag indicates whether the back-link field is valid.
• The new task releases control by executing an IRET
instruction. When interpreting an IRET, the 80386 examines
the NT flag. If NT is set, the 80386 switches back to the task
selected by the back-link field.

12/18/2019 63
 Busy Bit Prevents loops
• The B-bit (busy bit) of the TSS descriptor ensures the integrity
of the back-link.
• A chain of back-links may grow to any length as interrupt tasks
interrupt other interrupt tasks or as called tasks call other
tasks.
• The busy bit ensures that the CPU can detect any attempt to
create a loop.
• The processor uses the busy bit as follows:
– When switching to a task, the processor automatically sets the busy
bit of the new task.
– When switching from a task, the processor automatically clears the
busy bit of the old task if that task is not to be placed on the back-
link chain
– When switching to a task, the processor signals an exception if the
busy bit of the new task is already set

12/18/2019 64
 Modifying Task Linkages
• Any modification of the linkage order of tasks should
be accomplished only by software that can be
trusted to correctly update the back-link and the
busy-bit.
• Such changes may be needed to resume an
interrupted task before the task that interrupted it.
• Trusted software that removes a task from the back-
link chain must follow one of the following policies:
– First change the back-link field in the TSS of the
interrupting task, then clear the busy-bit in the TSS
descriptor of the task removed from the list.
– Ensure that no interrupts occur between updating the
back-link chain and the busy bit.
12/18/2019 65
 Task Address Space
• The LDT selector and PDBR fields of the TSS give
software systems designers flexibility in utilization
of segment and page mapping features of the
80386
• The ability for tasks to have distinct address
spaces is an important aspect of 80386
protection.
• The flexible memory management features of the
80386 allow systems designers to assign areas of
shared address space to those modules of
different tasks that are designed to cooperate
with each other

12/18/2019 66
Task Linear-to-Physical Space Mapping
• The choices for arranging the linear-to-
physical mappings of tasks fall into two
general classes
– One linear-to-physical mapping shared among all
tasks.
– Several partially overlapping linear-to-physical
mappings.

12/18/2019 67
 Task Logical Address Space
• By itself, a common linear-to-physical space
mapping does not enable sharing of data among
tasks.
• To share data, tasks must also have a common
logical-to-linear space mapping; i.e., they must
also have access to descriptors that point into a
shared linear address space.
• There are three ways to create common logical-
to-physical address-space mappings:
– Via the GDT
– By sharing LDTs
– By descriptor aliases in LDTs

12/18/2019 68