- Call gate
A call gate (or callgate) is a mechanism in Intel's
x86 architecture for changing theprivilege level of the CPU when it executes a predefinedfunction call using a CALL FAR instruction.Overview
Call gates are intended to allow less privileged code to call code with a higher privilege level. This type of mechanism is essential in modern operating systems that employ
memory protection since it allows user applications to use kernel functions andsystem call s in a way that can be controlled by theoperating system .Call gates use a special selector value to reference a descriptor accessed via the
Global Descriptor Table or theLocal Descriptor Table , which contains the information needed for the call across privilege boundaries. This is similar to the mechanism used forinterrupt gate s.Security issues
To preserve system security, the Global Descriptor Table should be held in protected memory, otherwise any program will be able to create its own call gate and use it to raise its privilege level. Call gates have sometimes been used as a vector for software
security exploit s, when ways have been found around this protection. One example of this is theE-mail worm "Gurong.A" written to exploit theMicrosoft Windows operating system, which uses DevicePhysicalMemory to install a call gate.How to use
Assuming a call gate has been set up already by the
operating system kernel, code simply does a CALL FAR (LCALL inAT&T syntax) with the necessarysegment selector (the offset field is ignored). The processor will perform a number of checks to make sure the entry is valid and the code was operating at sufficient privilege to use the gate. Assuming all checks pass, a new CS/EIP is loaded from thesegment descriptor , and continuation information is pushed onto the stack of the new privilege level (old SS, old ESP, old CS, old EIP in that order). Parameters may also be copied from the old stack to the new stack if needed. The number of parameters to copy is located in the call gate descriptor.The kernel may return to the user space program by using a RET FAR (LRET) instruction which pops the continuation information off the stack and returns to the outer privilege level.
For information on the exact format of the call gate descriptor, please see the
IA-32 manuals.Modern use
Modern X86 operating systems are transitioning away from CALL FAR callgates. With the introduction of SYSENTER/SYSEXIT and SYSCALL/SYSRET, a new faster mechanism was introduced for control transfers for x86 programs. And as most other architectures do not support call gates, their use was rare even before these new instructions as software interrupts/traps were preferred for portability.
It should be noted that call gates are more flexible than the SYSENTER/SYSEXIT and SYSCALL/SYSRET instructions since unlike the latter two, call gates allow for changing from an arbitrary privilege level to an arbitrary privilege level. The fast SYS* instruction only allow control transfers from ring 3->0 and vice versa. Upon comparing call gates to interrupts, call gates are significantly faster.
See also
*
Computer insecurity
*Software interrupt
*Interrupt gate
*System call
*SYSCALL instruction
*Global Descriptor Table External links
* [http://www.windowsitlibrary.com/Content/356/10/1.html Using callgates to execute privileged code]
* [http://www.f-secure.com/v-descs/gurong_a.shtml F-Secure Virus Information Pages: Gurong.A]
Wikimedia Foundation. 2010.