Call Gate Article Index for
Call 		Website Links For
Call 		 

Information About

Call Gate
  CATEGORIES ABOUT CALL GATE
   
security exploits
   
APPAREL
BABY
BEAUTY
BOOKS
CAR TOYS
CELL PHONES
DVD'S
ELECTRONICS
GOURMET FOOD
GROCERIES
HEALTH & PERSONAL
HOME & GARDEN
JEWELRY
MUSIC
MUSIC INSTRUMENTS
OFFICE PRODUCTS
SOFTWARE
SPORTING GOODS
TOOLS & HARDWARE
TOYS
VIDEO GAMES
SHOPPING HOME
MORE SHOPPING...




OVERVIEW

Call gates are intended to allow less privileged code to call code with a higher privilege level. This type of mechanism is essential in modern operating systems that employ memory protection since it allows user applications to use kernel functions in a way that can be controlled by the operating system.

Call gates use a special selector value to reference a descriptor accessed via the Global Descriptor Table or the Local Descriptor Table , which contains the information needed for the call across privilege boundaries. This is similar to the mechanism used for Interrupt Gate s.


SECURITY ISSUES

To preserve system security, the Global Descriptor Table should be held in protected memory, otherwise any program will be able to create its own call gate and use it to raise its privilege level. Call gates have sometimes been used as a vector for software Security Exploit s, when ways have been found around this protection. One example of this is the E-mail Worm ''Gurong.A'' written to exploit the Microsoft Windows operating system, which uses \Device\PhysicalMemory to install a call gate.


HOW TO USE

Assuming a call gate has been set up already by the Operating System Kernel , code simply does a CALL FAR (LCALL in AT&T syntax) with the necessary segment selector (the offset field is ignored). The processor will perform a number of checks to make sure the entry is valid and the code was operating at sufficient privilege to use the gate. Assuming all checks pass, a new CS/EIP is loaded from the descriptor, and continuation information is pushed onto the stack of the new privilege level (old SS, old ESP, old CS, old EIP in that order). Parameters may also be copied from the old stack to the new stack if needed. The number of parameters to copy is located in the call gate descriptor.

The kernel may return to the user space program by using a RET FAR (LRET) instruction which pops the continuation information off the stack and returns to the outer privilege level.

For information on the exact format of the call gate descriptor, please see the IA-32 manuals.


MODERN USE

Very few modern operating systems use call gates. With the introduction of SYSENTER/SYSEXIT and SYSCALL/SYSRET, a new faster mechanism was introduced for control transfers for x86 programs. And as most other architectures do not support call gates, their use was rare even before these new instructions as software interrupts/traps were preferred for portability.

  • instruction only allow control transfers from ring 3->0 and vice versa. Upon comparing call gates to interrupts, call gates are significantly faster.



SEE ALSO



EXTERNAL LINKS