5.1.13 · D4 · HinglishInstruction Set Architecture (ISA)

ExercisesSystem vs user mode and privilege levels

2,673 words12 min read↑ Read in English

5.1.13 · D4 · Hardware › Instruction Set Architecture (ISA) › System vs user mode and privilege levels

Shuru karne se pehle, ek convention jo poore page mein use hogi:

Figure — System vs user mode and privilege levels

Level 1 — Recognition

Recall Solution 1.1

(a) P. Interrupts disable karna ek program ko machine freeze karne de sakta hai — kernel-only. (b) U. Pure arithmetic kuch bhi dangerous nahi chhuti. (c) P. CPU halt karna sabko rok deta hai — kernel-only. (d) P. cr3 mein page-table base hota hai; ise change karna puri memory re-map kar deta hai — kernel-only. (e) U. Program ka apna stack mein likhna theek hai.

Count: 3 privileged (a, c, d), 2 unprivileged (b, e).

Recall Solution 1.2

Galat. Privilege inverted hoti hai: chhota number zyada trusted hota hai. = kernel (sabse zyada power), = user (sabse kam). Parent ka mnemonic yaad karo: "Ring 0 = King."


Level 2 — Application

Recall Solution 2.1
  1. Decode: instruction decoder cli ko privileged recognize karta hai (dekho Instruction encoding and decoding).
  2. Compare: required level , current level . Kyunki aur instruction sabse privileged level maangti hai, yeh ek violation hai.
  3. Trap: hardware ek #GP (General Protection Fault) raise karta hai — ek exception. Yeh cli execute nahi karta.
  4. Transfer: control atomically kernel ke fault handler par jump karta hai (mode→kernel, PC→OS vector).
  5. Outcome: OS typically process terminate kar deta hai (signal jaise SIGSEGV/SIGILL).

Key number: required , actual , difference fault.

Recall Solution 2.2

Levels ko numerically encode karo: . Yahan rule hai "aap ek instruction run kar sakte ho agar aapka level required level se kam se kam utna ho."

  • Required . U mein (): fault hoga (ek illegal-instruction trap).
  • M mein (): allowed hai (Machine mode Supervisor se bhi zyada privileged hai).

Lesson: compare karne se pehle hamesha named levels ko numbers mein convert karo, machine ki apni convention ke saath. x86 mein "smaller = stronger" hota hai; RISC-V mein "bigger = stronger" hota hai. Logic (current vs required compare karo) identical hai.


Level 3 — Analysis

Recall Solution 3.1

Attack:

mov  mode_bit, 0     ; user CPL = 0 set karta hai  (allowed, by hypothesis)
cli                  ; ab "kernel" hai, toh yeh succeed hota hai -> interrupts off
hlt                  ; poori machine freeze

Kyunki mode bit set karna privileged nahi tha, user ne ek instruction mein khud ko kernel promote kar liya, phir jo chahiye woh privileged op chalaya. Referee ko bypass kiya ja sakta tha.

Conclusion: mode bit likhna khud privileged hona chahiye. Yeh parent ke Step 3 ka fixed point hai — ek safe promotion sirf hardware-defined syscall doorway hai, jo kernel mode aur PC ko OS-chosen vector pe simultaneously set karta hai.

Recall Solution 3.2

Privileged resource hai hardware timer. Trace:

  1. Pehle process dispatch karne se, kernel ne timer ko kuch quantum ke baad fire karne ke liye program kiya (maan lo ). Timer ko program karna privileged hai, isliye user ise cancel nahi kar sakta.
  2. User while(1){} chalaata hai — woh interrupts block karne ke liye cli (privileged) bhi execute nahi kar sakta.
  3. Jab timer tak count karta hai, woh ek timer interrupt raise karta hai. CPU atomically mode→kernel switch karta hai aur PC→timer handler par jump karta hai.
  4. Scheduler run karta hai, koi doosra process pick kar sakta hai, aur iret/sret se return karta hai.

Do independent locks ise protect karte hain: (i) user timer disable nahi kar sakta, (ii) user interrupts disable nahi kar sakta. Koi bhi ek todo aur pre-emption khatam — isliye dono privileged hain.

Figure — System vs user mode and privilege levels

Level 4 — Synthesis

Recall Solution 4.1
Step Mode Kya hota hai Kyun
1 user library syscall number + fd, buf, n registers mein load karti hai fast, ABI-defined, koi memory nahi chahiye
2 user syscall/ecall execute karta hai direct disk I/O privileged hai; user khud nahi kar sakta
3 → kernel HW atomically: mode→kernel, PC→fixed OS entry vector user yeh choose karta hai ki enter kare, kahan nahi
4 kernel validate karo ki fd is process ka ek open file hai ise doosre process ki files padhne se roko
5 kernel validate karo ki buf..buf+n is process ki mapped memory mein hai kernel ko apni memory mein likhne ke liye fool karne se roko
6 kernel privileged disk read karo, bytes buf mein copy karo actual service
7 → user sret/iret: mode→user, PC→syscall ke baad wali instruction return karne se pehle atomically privilege drop karo

Do privilege transitions: user→kernel (step 3) aur kernel→user (step 7). Puri cheez safe hai kyunki entry point OS-chosen hai (step 3) aur arguments validate kiye jaate hain (steps 4–5) kisi bhi privileged action se pehle.

Recall Solution 4.2

Maan lo yeh separate hote:

step A:  mode <- kernel
step B:  PC   <- OS entry vector

Ek attacker ek interrupt (ya simply natural sequencing) arrange karta hai jo A aur B ke beech control de. Ab CPU kernel mode mein hai lekin PC abhi bhi attacker-chosen code ki taraf point kar raha hai. Attacker full privilege ke saath apne instructions run karta hai — game over.

A aur B ko ek single uninterruptible transition mein fuse karke, CPU kabhi bhi "kernel mode + user-controlled PC" state mein observable nahi hota. Atomicity precisely wahi hai jo us dangerous intermediate state ko forbid karti hai. Isliye doorway ek single hardware instruction hai, software sequence nahi.


Level 5 — Mastery

Recall Solution 5.1

Minimal privileged set aur agar har ek ko unprivileged bana diya jaaye toh collapse:

  1. Mode/CPL bit likhna — agar user-writable ho: self-promotion (Exercise 3.1), puri scheme dead.
  2. Page-table base register load karna (cr3/satp) — agar user-writable ho: ek process memory re-map karta hai kernel ki ya doosre process ki pages padhne ke liye; memory isolation khatam.
  3. Interrupts disable/enable karna (cli/sti) — agar user-writable ho: ek rogue loop timer mask karta hai aur kabhi yield nahi karta; pre-emption khatam (Exercise 3.2).
  4. Hardware timer / interrupt controller program karna — agar user-writable ho: user apna khud ka quantum cancel karta hai; pre-emption interrupts enable hone ke bawajood khatam.
  5. Direct device I/O (port/MMIO to devices) — agar user-accessible ho: ek process raw disk padh sakta hai aur har file steal kar sakta hai, file permissions bypass karke.
  6. hlt / power / reset control — agar user-accessible ho: koi bhi process machine halt kar sakta hai; availability khatam.

Har item ek distinct invariant guard karta hai (identity, memory isolation, pre-emptibility, timing, I/O confidentiality, availability). Kyunki invariants independent hain, koi bhi item drop nahi kiya ja sakta — koi bhi ek remove karo aur uska invariant directly user code se violable ho jaata hai. Isliye yeh set sufficient (saare invariants cover karta hai) aur minimal (koi redundancy nahi) dono hai.

Recall Solution 5.2

Ladder ko ek aur, zyada-privileged level ke saath extend karo: x86 pe yeh VMX root / non-root split hai (informally "Ring "); ARM pe yeh EL2 hai jo OS ke EL1 ke upar baitha hai (dekho Protection rings (x86) / Exception Levels (ARM)).

Hypervisor ko exclusively second-level (nested) page tables ka maalik hona chahiye — guest-physical se real-physical memory ka mapping. Reasoning: guest OS legitimately apni khud ki page tables control karta hai (guest-virtual → guest-physical), toh woh kya nahi ho sakta jo guests ko isolate kare. Jo guest ke liye off-limits hona chahiye woh outer translation hai, warna ek guest OS doosre guest se belong karta real RAM map kar sakta hai. Toh naya privileged operation hai nested/extended page-table base register load karna, hypervisor level ke liye reserved.

Yeh wohi pattern hai ek level upar: jo bhi neeche wale tenants ke beech isolation enforce karta hai, use exclusively woh resource own karna chahiye jo un tenants ki boundaries define karta hai.


Recall Poore ladder ka ek-line summary (click)

Har privilege level ek invariant protect karne ke liye exist karta hai jo neeche wala level break nahi kar sakta; referee hamesha hardware hota hai, upar jaane ka ek hi legal tarika hai ek hardware-defined doorway (syscall/trap/interrupt) jo naye mode aur naye PC dono ko atomically fix karta hai.