Call gate
A call gate is a mechanism in Intel's x86 architecture for changing the privilege level of the CPU when it executes a predefined function call using a CALL FAR instruction.
Overview
Call gates are intended to allow less privileged code to call code with a higher privilege level. This type of mechanism is essential in modern operating systems that employ memory protection, since it allows user applications to use kernel functions and system calls in a way that can be controlled by the operating system.
Call gates use a special selector value to reference a descriptor accessed via the Global Descriptor Table or the Local Descriptor Table, which contains the information needed for the call across privilege boundaries. This is similar to the mechanism used for interrupt gates.
Security issues
To preserve system security, the Global Descriptor Table should be held in protected memory; otherwise any program will be able to create its own call gate and use it to raise its privilege level. Call gates have sometimes been used as a vector for software security exploits, when ways have been found around this protection. One example of this is the e-mail worm Gurong.A, written to exploit the Microsoft Windows operating system, which uses \Device\PhysicalMemory to install a call gate.
How to use
Assuming a call gate has been set up already by the operating system kernel, code simply does a CALL FAR (LCALL in AT&T syntax) with the necessary segment selector (the offset field is ignored). The processor will perform a number of checks to make sure the entry is valid and the code was operating at sufficient privilege to use the gate. Assuming all checks pass, a new CS/EIP is loaded from the segment descriptor, and continuation information is pushed onto the stack of the new privilege level (old SS, old ESP, old CS, old EIP in that order). Parameters may also be copied from the old stack to the new stack if needed. The number of parameters to copy is located in the call gate descriptor.
The kernel may return to the user space program by using a RET FAR (LRET) instruction which pops the continuation information off the stack and returns to the outer privilege level.
For information on the exact format of the call gate descriptor, please see the IA-32 manuals.
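An added example (not part of the original article): a C decoder for the 32-bit call-gate descriptor together with the gate-level privilege check described above, used to audit a descriptor-table dump for call gates that ring 3 code can use. The byte layout follows the IA-32 manuals; the struct, the function names and the `SAMPLE_GDT` bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Fields of a 32-bit call-gate descriptor (one 8-byte GDT/LDT entry). */
struct call_gate {
    uint32_t offset;      /* entry point (new EIP) in the target code segment */
    uint16_t selector;    /* target code-segment selector (new CS) */
    uint8_t  param_count; /* dwords copied from the old stack to the new one */
    uint8_t  dpl;         /* least privileged ring allowed to use the gate */
    uint8_t  present;     /* P bit */
};

/* Returns 1 and fills *g if d is a 32-bit call gate (S = 0, type = 0xC). */
int decode_call_gate(const uint8_t d[8], struct call_gate *g) {
    if ((d[5] & 0x1F) != 0x0C) /* access byte: bit 4 = S, bits 0-3 = type */
        return 0;
    g->offset      = d[0] | d[1] << 8 | (uint32_t)d[6] << 16 | (uint32_t)d[7] << 24;
    g->selector    = (uint16_t)(d[2] | d[3] << 8);
    g->param_count = d[4] & 0x1F;
    g->dpl         = (d[5] >> 5) & 3;
    g->present     = d[5] >> 7;
    return 1;
}

/* Gate-level check on CALL FAR: gate present, and CPL and selector RPL <= gate DPL. */
int gate_usable(const struct call_gate *g, unsigned cpl, unsigned rpl) {
    return g->present && cpl <= g->dpl && rpl <= g->dpl;
}

/* Audit a descriptor-table dump: count call gates usable from ring 3. */
size_t count_ring3_gates(const uint8_t *table, size_t entries) {
    size_t hits = 0;
    struct call_gate g;
    for (size_t i = 0; i < entries; i++)
        hits += decode_call_gate(table + 8 * i, &g) && gate_usable(&g, 3, 3);
    return hits;
}

/* Constructed sample: null entry, ring-0 code segment, DPL-3 gate, DPL-0 gate. */
const uint8_t SAMPLE_GDT[32] = {
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xFF, 0xFF, 0x00, 0x00, 0x00, 0x9A, 0xCF, 0x00,
    0x78, 0x56, 0x08, 0x00, 0x02, 0xEC, 0x34, 0x12,
    0x00, 0x10, 0x08, 0x00, 0x00, 0x8C, 0x00, 0xC0,
};

int main(void) {
    printf("call gates usable from ring 3: %zu\n", count_ring3_gates(SAMPLE_GDT, 4));
    return 0;
}
```

Any gate this audit reports that the operating system did not install itself indicates that the descriptor table was writable by unprivileged code, which is the failure the Security issues section describes.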
Modern use
Modern x86 operating systems are transitioning away from CALL FAR call gates. With the introduction of SYSENTER/SYSEXIT and SYSCALL/SYSRET, a new, faster mechanism was introduced for control transfers for x86 programs. As most other architectures do not support call gates, their use was rare even before these new instructions, as software interrupts/traps were preferred for portability.
Call gates are more flexible than the SYSENTER/SYSEXIT and SYSCALL/SYSRET instructions since, unlike the latter two, call gates allow for changing from an arbitrary privilege level to an arbitrary (albeit higher or equal) privilege level. The fast SYS* instructions only allow control transfers from ring 3 to ring 0 and vice versa. Compared with interrupts, call gates are significantly faster.
See also
- Computer insecurity
- Software interrupt
- Interrupt gate
- System call
- SYSCALL instruction
- Global Descriptor Table