Intel IA-32 User Manual, Figure 4-15


4-36 Vol. 3A

PROTECTION

Now assume that instead of setting the RPL of the segment selector to 3, the application program
sets the RPL to 0 (segment selector D2). The operating system can now access data segment D,
because its CPL and the RPL of segment selector D2 are both equal to the DPL of data segment D.

Because the application program is able to change the RPL of a segment selector to any value,
it can potentially use a procedure operating at a numerically lower privilege level to access a
protected data structure. This ability to lower the RPL of a segment selector breaches the
processor’s protection mechanism.

Because a called procedure cannot rely on the calling procedure to set the RPL correctly,
operating-system procedures (executing at numerically lower privilege levels) that receive segment
selectors from numerically higher privilege-level procedures need to test the RPL of the segment
selector to determine if it is at the appropriate level. The ARPL (adjust requested privilege level)
instruction is provided for this purpose. This instruction adjusts the RPL of one segment selector
to match that of another segment selector.

The example in Figure 4-15 demonstrates how the ARPL instruction is intended to be used.
When the operating-system receives segment selector D2 from the application program, it uses
the ARPL instruction to compare the RPL of the segment selector with the privilege level of the

Figure 4-15. Use of RPL to Weaken Privilege Level of Called Procedure

[Figure: privilege levels 3 (Lowest Privilege) down to 0 (Highest Privilege). Application Program: Code Segment A (CPL=3) holds Segment Sel. D1 (RPL=3), Segment Sel. D2 (RPL=0) and Gate Selector B (RPL=3), passed as a parameter on the stack. Call Gate B (DPL=3) leads to Code Segment C (DPL=0) in the Operating System. Data Segment D (DPL=0): access via Segment Sel. D1 not allowed; access via Segment Sel. D2 allowed.]
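As an added illustration of the ARPL check described above (this is a model written for this page, not code from the manual), the following C program replays the Figure 4-15 scenario: the selector values, the caller's saved CS selector and the OS procedure are constructed assumptions, while the ARPL semantics and the data-segment rule max(CPL, RPL) <= DPL follow the text.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Segment selector layout: bits 1:0 = RPL, bit 2 = TI, bits 15:3 = index. */
#define SEL_RPL(sel)          ((unsigned)((sel) & 0x3u))
#define SEL_WITH_RPL(sel, r)  ((uint16_t)(((sel) & ~0x3u) | ((r) & 0x3u)))

/* Model of ARPL dest, src: if RPL(dest) is numerically lower than RPL(src),
 * raise RPL(dest) to RPL(src) and return true (ZF=1); otherwise leave dest
 * unchanged and return false (ZF=0). */
static bool arpl(uint16_t *dest, uint16_t src) {
    if (SEL_RPL(*dest) < SEL_RPL(src)) {
        *dest = SEL_WITH_RPL(*dest, SEL_RPL(src));
        return true;
    }
    return false;
}

/* Wrapper that returns the adjusted selector value (for checks and tests). */
static uint16_t arpl_result(uint16_t dest, uint16_t src) {
    arpl(&dest, src);
    return dest;
}

/* Data-segment privilege check: access is allowed only when both CPL and the
 * selector's RPL are numerically <= the segment's DPL (max(CPL, RPL) <= DPL). */
static bool data_access_allowed(unsigned cpl, uint16_t sel, unsigned dpl) {
    unsigned rpl = SEL_RPL(sel);
    unsigned effective = cpl > rpl ? cpl : rpl;
    return effective <= dpl;
}

/* Assumed OS procedure (code segment C, CPL=0) receiving a selector for data
 * segment D (DPL=0) on the stack. Before using it, it runs ARPL against the
 * caller's saved CS selector, whose RPL equals the caller's CPL. */
static bool os_touch_segment_d(uint16_t passed_sel, uint16_t caller_cs) {
    const unsigned os_cpl = 0, segment_d_dpl = 0;
    uint16_t sel = passed_sel;
    arpl(&sel, caller_cs);
    return data_access_allowed(os_cpl, sel, segment_d_dpl);
}

int main(void) {
    /* Constructed values: D2 = index 4 with RPL forced to 0 by the application;
     * the application's CS selector (index 3) has RPL=3, i.e. CPL=3. */
    uint16_t d2 = 0x0020, app_cs = 0x001B;
    printf("without ARPL: %s\n", data_access_allowed(0, d2, 0) ? "allowed" : "denied");
    printf("with ARPL:    %s\n", os_touch_segment_d(d2, app_cs) ? "allowed" : "denied");
    return 0;
}
```

Without the ARPL step the OS would access segment D on the application's behalf; after ARPL the selector carries RPL=3 again and the check fails.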
