40

Due to the Lenovo firmware ThinkPwn bug I'm trying to understand privileges and rings.

If the kernel is Ring 0 and SMM (System Management Mode) is Ring -2, what could be in between that is Ring -1?

Thomas Weller
  • 8
    I saw this question in the Hot Network Questions list and thought it was a question for the role-playing games site. – Cave Johnson Jul 05 '16 at 16:39

2 Answers

71

The "rings" nomenclature (0-3) you usually see these days started with the requested privilege level field in segment selectors as part of the design of x86 protected mode.

Back in the day, it was possible to make exclusive sections of the memory space called segments. In "real mode" it was necessary since you only had 20-bit addressable memory. When protected mode came along it still offered segmentation, but also privilege levels. Levels 0-2 are "supervisor" level and can do most things. Rings 1-2 cannot run privileged instructions but this is the only real limit; otherwise they are as privileged as ring 0.

Ring 3 meanwhile is "user mode". If you have your segment selector set to point to this ring, you require the help of the kernel via some system call interface in order to do anything requiring privileged CPU or memory access.

These days, it's pretty much required in 64-bit x86 to not use segmentation. However, segment selectors are still there - all segments just overlap and cover the entire address space.

So, the original purpose of ring 0-3 was to isolate privilege between user mode code and the kernel and stop user mode code walking all over system control structures.

Then virtualization became a thing on x86 and Intel/AMD decided to add hardware support for it. This requires a piece of supervisor (hypervisor) code to set up some control structures (called VMCS) defining the virtual machines and then call vmenter and handle vmexit i.e. conditions on which the virtual machine needs help from the hypervisor.

This piece of code is referred to as "ring -1". There is no such actual privilege level, but since it can host multiple kernels all of which believe they have ring 0 access to the system, it makes sense.

System Management Mode is another beast with special instructions. Firmware (your BIOS) sets up a SMM handler to handle System Management Interrupts - configurable depending on what the firmware wants to be notified of. When these events are triggered, the OS (or even hypervisor) is suspended and a special address space is entered. This area is supposed to be invisible to the OS itself, while executing on the same processor. Hence "ring -2", since it is more privileged than a hypervisor would be.

You'll also hear "ring -3" mentioned here and there in reference to Intel ME or AMD's PSP. This is a second processor running a separate firmware (Intel I believe uses ARC SoC processors) capable of doing anything it likes to the primary system. Ostensibly this is to provide IPMI/remote management of hardware type functionality. It can run whenever there is power to the hardware regardless of whether the main system is powered on or not - its purpose, as I say, would be to power on the main system.

From a security perspective, the lower the ring you can get yourself into, the more undetectable you can make yourself. The bluepill research was about hiding from an OS the fact it was truly running in a VM. Later research has been done on SMM persistence. SMM persistence for example would potentially allow you to reinstall your malware even on a complete wipe of the hard disk and reinstall. Intel ME potentially opens up an always-on persistent networked chip to install malware on the main target.

I've stuck to Intel chips here but you should be aware other platforms work differently. For example, ARM chips have "supervisor" and "user" modes, amongst others.

diagprov
  • 6
    ARM has modes which are very similar to x86's rings: user (3), supervisor (0), VMM (-1) and TrustZone (-2). – nneonneo Jul 04 '16 at 19:01
  • 1
    @nneonneo I forgot to respond to this at the time. Yes, of course. Conceptually it needs to, to differentiate user and kernel space. I guess the meat of my answer is really this: ring 0, ring 3 etc are _actual numbers used in segment selectors_. My point is also that "-1", "-2" and "-3" are NOT actual bit values, and "ring -3" is not even on the same processor. I'm not sure what ARM uses specifically. POWER architecture, though, user mode is enabled via setting the ["problem bit"](https://en.wikipedia.org/wiki/Machine_state_register#Uses_of_the_machine_state_register_2), haha! – diagprov May 07 '17 at 00:01
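An added example, not part of the original answer or its comments: the answer above says rings 0-3 are real values in the low two bits of a segment selector, which is why "-1" and below cannot be encoded there. This C sketch decodes that field and, on x86 with GCC or Clang, reads the live CS selector; the sample selector values are the ones Linux uses on x86-64 and are an assumption about the reader's system.

```c
#include <stdint.h>
#include <stdio.h>

/* Fields of a 16-bit x86 segment selector. */
struct selector {
    unsigned index; /* bits 15..3: descriptor table entry */
    unsigned ti;    /* bit 2: 0 = GDT, 1 = LDT */
    unsigned rpl;   /* bits 1..0: requested privilege level, the "ring" */
};

static struct selector decode_selector(uint16_t sel)
{
    struct selector s;
    s.index = sel >> 3;
    s.ti    = (sel >> 2) & 1u;
    s.rpl   = sel & 3u; /* two bits: only 0..3 are representable */
    return s;
}

/* Returns the selector currently loaded in CS, or -1 on a non-x86 build.
   For CS, the low two bits are the current privilege level (CPL). */
static int read_cs(void)
{
#if (defined(__x86_64__) || defined(__i386__)) && defined(__GNUC__)
    uint16_t cs;
    __asm__ volatile("mov %%cs, %0" : "=r"(cs));
    return cs;
#else
    return -1;
#endif
}

int main(void)
{
    /* Constructed sample: selector values used by Linux on x86-64. */
    static const struct { const char *name; uint16_t sel; } samples[] = {
        { "kernel CS", 0x10 }, { "kernel DS", 0x18 },
        { "user DS",   0x2b }, { "user CS",   0x33 },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct selector s = decode_selector(samples[i].sel);
        printf("%-9s 0x%02x -> index %u, %s, ring %u\n", samples[i].name,
               (unsigned)samples[i].sel, s.index, s.ti ? "LDT" : "GDT", s.rpl);
    }
    int cs = read_cs();
    if (cs >= 0)
        printf("live CS   0x%02x -> ring %u\n", (unsigned)cs,
               decode_selector((uint16_t)cs).rpl);
    return 0;
}
```

Run as an ordinary process, the live CS line reports ring 3, and it reports the same value whether or not a hypervisor or SMM handler sits underneath.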
9

Ring -1 is the hypervisor, implemented as Intel VT-x ("Vanderpool") [Wikipedia] or AMD-V ("Pacifica") [Wikipedia].

Thomas Weller
  • It could be said that ring -1 (real ring 0) is different from the other security rings because software running in ring 0 (virtual ring 0) doesn't know that it doesn't have real ring 0, whereas software in other security rings is aware of what ring it is in. – Alex Cannon Mar 31 '18 at 14:54