TW200807273A - A fast system call implementation - Google Patents

Publication number
TW200807273A
Authority
TW
Taiwan
Prior art keywords
ciphertext
core
result
call
service routine
Application number
TW95126100A
Other languages
Chinese (zh)
Other versions
TWI317082B (en)
Inventor
Shi-Wu Lo
Tien-Fu Chen
Original Assignee
Shi-Wu Lo
Application filed by Shi-Wu Lo
Priority to TW95126100A
Publication of TW200807273A
Application granted
Publication of TWI317082B

Abstract

A method of implementing a fast system call is provided. A user mode program requests a mode change from user mode to kernel mode. First, a logical operation is performed on data related to the relevant kernel service routine, for example its starting address or the content stored at that starting address. The result of the logical operation is compared with a ciphertext in a key register. If the result equals the ciphertext, the user mode program is allowed to enter kernel mode. Otherwise, an exception handler routine is executed.

Description

IX. Description of the Invention:

[Technical Field of the Invention]

The present invention relates to a system call method, and in particular to a system call method that uses a ciphertext to restrict the entry points of the kernel.

[Prior Art]

When a user mode program switches from user mode to kernel mode, it usually needs the assistance of hardware to obtain full control of the hardware. Operating systems can be divided into those that run on a virtual machine and those that run directly on hardware. An operating system that runs on a virtual machine, for example JavaOS, relies entirely on dynamic checks in software to restrict how pointers and hardware resources are used. Its main drawback is poor execution efficiency.

An operating system that runs directly on hardware, by contrast, relies heavily on the protection the hardware provides. Certain special instructions and actions can therefore be executed only by certain components of the system (usually the kernel).

Today, most central processing units and operating systems use system calls based on software interrupts, in which a software dispatch mechanism calls the correct kernel service routine. For example, the int 0x80 instruction that Linux uses on Intel x86 series processors raises a software interrupt, after which the kernel executes the corresponding kernel service routine according to the service the user requested.

Figure 1 is a step diagram of the Linux system call, showing the steps of a Linux system call running on a Pentium processor. Referring to Figure 1, completing a Linux system call takes five steps (step 110 to step 118). First, in step 110, the user mode program issues a system call (for example, int 0x80). Next, in step 112, the Pentium processor loads the content at address number 0x80 of the interrupt descriptor table into the program counter in kernel space. After this new address has been loaded into the program counter, the operating system, in step 114, calls the corresponding kernel service routine in kernel space according to what the user specified (usually the value of the AX register stored on the stack). Then, in step 116, the kernel service routine returns to the registers of kernel space. Finally, in step 118, the processor switches from kernel mode back to user mode.

The software-interrupt-based system call of Figure 1 must go through a software dispatch mechanism to call the correct kernel service routine. Time-sensitive programs must therefore be moved into the kernel to run (for example, as a Linux kernel module). In addition, because most kernels have a single entry point, the elaborate system call sequence (step 110 to step 118) is required.

A simplified system call procedure is therefore needed to improve execution efficiency.

[Summary of the Invention]

An object of the present invention is therefore to provide a system call method that simplifies the steps of a system call.

Another object of the present invention is to add a ciphertext to kernel service routines so as to restrict the entry points of the kernel, thereby simplifying the flow the operating system follows when it handles a system call.

In accordance with the above objects, a fast system call method is proposed. First, a logical operation is computed over a kernel service routine to produce a logical operation result. The result is then compared with the ciphertext in a key register. The input to the logical operation is at least one item of data related to the kernel service, for example the starting address of the kernel service routine, the content stored at that starting address, or a combination of the two. If the result of the logical operation equals the ciphertext in the key register, the switch from user mode to kernel mode is allowed so that the kernel service routine can be read. Otherwise, the central processing system executes the corresponding exception handler routine. In the exception handler routine, the operating system aborts the mode change request and reports an error to the operating system.

[Detailed Description]

Refer to Figure 2, a schematic diagram of adding a ciphertext to a kernel service routine as proposed by the present invention. 202 is a ciphertext added by the system kernel. Because an ordinary user mode program cannot learn the key needed to produce this ciphertext (the key must be properly protected within the system), only the kernel can produce the ciphertext.

The present invention can guarantee the robustness of the system kernel. For example, a malicious program can use a system call to disguise a program as data and place it in a data buffer in the kernel. If the malicious program learns the address of the data buffer (assume the address is 0xCF00044), it can use the instruction jmp 0xCF00044 (that is, jump to the address of the data buffer) to execute this illegitimate code. The present invention uses the ciphertext 202 placed before every kernel service routine to filter and restrict the entry points of the kernel.

Traditionally, the kernel must separate all pages into data pages and code pages to avoid security holes. Referring to Figure 2, the present invention uses the added ciphertext to restrict the entry points of the kernel, which adds security protection and allows the data segment and the code segment of the kernel service routine 200 to be stored directly in the same page of the kernel 204. This reduces internal fragmentation and so improves the utilization of kernel memory. And because the code segment and the data segment sit at adjacent addresses, the compiler can make heavy use of PC-relative addressing, which improves the efficiency of the kernel service routine 200.

Refer to Figure 3A, a flowchart of the fast system call proposed by the present invention. As shown in step 300 of Figure 3A, the user mode program needs a mode switch to obtain full control of the hardware. First, a logical operation is performed on data related to the kernel service to be used. In one example, step 302 performs a logical operation on the address of the system call and the instruction stored at that address [for example, AND, OR, NOT, AND-NOT, exclusive OR (XOR), NOT-XOR, or a more complex cryptographic operation such as the Data Encryption Standard (DES)]. The input to the logical operation is at least one item of data related to the kernel service the user wants to use. For example, the logical operation can use the starting address of the kernel service routine, the content stored at that starting address, or a combination of the two. The result of the logical operation is then compared with the ciphertext in the key register. The ciphertext in the key register is assigned randomly by the kernel or assigned when the kernel is compiled; how and when it is assigned can vary with the system architecture (for example, the ciphertext is produced by a kernel, and there is no restriction on the algorithm used to produce it or on when it is produced). If the result of the logical operation equals the ciphertext in the key register, step 304 allows the switch from user mode to kernel mode to obtain control of the hardware. Otherwise, in step 306, the central processing system executes the corresponding exception handler routine. In the exception handler routine, the operating system aborts the mode change request and reports an error to the operating system.

Refer to Figure 3B, a schematic diagram of a preferred embodiment of the fast system call proposed by the present invention. In step 310, the user mode program executes the instruction stored at address 0x00FE0000, whose content is jmp 0xC00FF004 (that is, jump to address 0xC00FF004). Address 0xC00FF004, however, lies in kernel space. The central processing unit (CPU) therefore uses the fast system call method proposed by the present invention to handle the request.

In step 312 of Figure 3B, a logical operation is performed on data related to the kernel service to be used. In one example, a logical operation is performed on the instruction content 0xFF0788FF stored at address 0x00FE0004 and the address 0x00FE0004 [for example, AND, OR, NOT, AND-NOT, exclusive OR (XOR), NOT-XOR, or a more complex cryptographic operation such as the Data Encryption Standard (DES)]. The input to the logical operation is at least one item of data related to the kernel service the user wants to use. For example, the logical operation can use the starting address of the kernel service routine, the content stored at that starting address, or a combination of the two. The result produced by the logical operation is then compared with the ciphertext in the key register. The ciphertext in the key register is assigned randomly by the kernel or assigned when the kernel is compiled; how and when it is assigned can vary with the system architecture. If the result produced by the logical operation equals the ciphertext in the key register, the central processing system can switch to kernel mode (step 314). If the result does not equal the ciphertext in the key register (step 316), the central processing system raises an exception and begins executing the exception handler routine.

Refer to Figure 4, a step diagram of the fast system call method proposed by the present invention. Because a logical operation is performed on data related to the kernel service to be used, and its result is compared with the ciphertext in the key register, the entry points of the kernel are restricted. If the result of the operation equals the ciphertext in the key register, the central processing system can switch to kernel mode, setting aside the security concern and directly executing the corresponding kernel service routine (step 400). After the kernel service routine has executed, control returns directly to user mode (step 402). The overhead is therefore smaller than that of the Linux system call on the Pentium processor described in Figure 1.

As the preferred embodiments above show, applying the present invention has the following advantages:

1. The fast system call of the present invention uses encryption to control the entry points of the kernel, which simplifies the flow the operating system follows when it handles a system call.

2. Because encryption controls the entry points of the kernel, the system kernel can store code and data in the same page without compromising system security. Internal fragmentation therefore becomes less severe, and the kernel can be smaller.

Although the present invention has been disclosed above by way of a preferred embodiment, the embodiment is not intended to limit the invention. Anyone skilled in the art may make various changes and refinements without departing from the spirit and scope of the invention, and the scope of protection of the invention is therefore as defined by the appended claims.

[Brief Description of the Drawings]

To make the above and other objects, features, advantages and embodiments of the present invention easier to understand, the accompanying drawings are described as follows:

Figure 1 is a step diagram of the Linux system call;

Figure 2 is a schematic diagram of adding a ciphertext to a kernel service routine according to an embodiment of the present invention;

Figure 3A is a flowchart of the fast system call according to another embodiment of the present invention;

Figure 3B is a schematic diagram of the fast system call according to another embodiment of the present invention; and

Figure 4 is a step diagram of the fast system call according to another embodiment of the present invention.

[Description of Main Reference Numerals]

110, 112, 114, 116, 118, 300, 302, 304, 306, 310, 312, 314, 316, 400, 402: steps
200: kernel service routine
202: ciphertext
204: kernel
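The comparison of steps 312 to 316, as an added example that is not part of the patent text: a C simulation of the check made when user mode code jumps to a kernel address. It assumes XOR as the logical operation, so the key register value 0xFFF988FB is derived here from the page's address 0x00FE0004 and content 0xFF0788FF; the function names, the second entry point at 0x00FE0100 and the other memory contents are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Outcome of the check made on a jump from user mode into kernel space. */
typedef enum { ENTER_KERNEL = 0, RAISE_EXCEPTION = 1 } gate_result;

/* One 32-bit word of simulated kernel memory. */
struct mem_word { uint32_t addr; uint32_t word; };

/* Assumption: XOR stands in for the "logical operation"; the page also lists
 * AND, OR, NOT, AND-NOT, NOT-XOR and DES. Under XOR, the page's step 312
 * values (address 0x00FE0004, content 0xFF0788FF) give 0xFFF988FB. */
#define KEY_REGISTER 0xFFF988FBu

static uint32_t logic_op(uint32_t addr, uint32_t word) { return addr ^ word; }

/* Kernel side: the word to store at an entry point so that it passes the gate. */
uint32_t make_entry_word(uint32_t key, uint32_t entry_addr) { return key ^ entry_addr; }

/* Constructed sample memory; only the first row and the buffer address
 * (written 0xCF00044 on the page) come from the page. */
static const struct mem_word SAMPLE_MEM[] = {
    { 0x00FE0004u, 0xFF0788FFu },                /* step 312 example          */
    { 0x00FE0100u, KEY_REGISTER ^ 0x00FE0100u }, /* second stamped entry      */
    { 0x00FE0104u, 0x12345678u },                /* body of that routine      */
    { 0x0CF00044u, 0x90909090u },                /* data buffer, user bytes   */
};
#define SAMPLE_LEN (sizeof SAMPLE_MEM / sizeof SAMPLE_MEM[0])

/* Look up the word stored at addr; returns 0 when the address is unmapped. */
static int mem_read(const struct mem_word *mem, size_t n, uint32_t addr, uint32_t *out)
{
    for (size_t i = 0; i < n; i++)
        if (mem[i].addr == addr) { *out = mem[i].word; return 1; }
    return 0;
}

/* Combine the target address with the word stored there and compare the
 * result with the key register. Equal: mode switch allowed (step 314).
 * Not equal, or nothing mapped at the target: exception handler (step 316). */
gate_result fast_syscall_gate(const struct mem_word *mem, size_t n,
                              uint32_t key, uint32_t target)
{
    uint32_t word;
    if (!mem_read(mem, n, target, &word))
        return RAISE_EXCEPTION;
    return logic_op(target, word) == key ? ENTER_KERNEL : RAISE_EXCEPTION;
}

int main(void)
{
    const uint32_t targets[] = { 0x00FE0004u, 0x00FE0100u, 0x00FE0104u,
                                 0x0CF00044u, 0x00FE0200u };
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++) {
        gate_result r = fast_syscall_gate(SAMPLE_MEM, SAMPLE_LEN,
                                          KEY_REGISTER, targets[i]);
        printf("jmp 0x%08X -> %s\n", (unsigned)targets[i],
               r == ENTER_KERNEL ? "enter kernel mode" : "exception handler");
    }
    return 0;
}
```

Only the two stamped entry points pass; the jump into the routine body, the jump to the data buffer and the jump to an unmapped address all end in the exception handler.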

Claims (1)

X. Scope of Patent Application:

1. A fast system call method, comprising:
generating a system call;
computing a kernel service routine with a logical operation to produce a logical operation result; and
comparing the logical operation result with a ciphertext in a key register.

2. The fast system call method of claim 1, wherein the system call further comprises executing a user mode program, and the user mode program requests execution of the kernel service routine.

3. The fast system call method of claim 1, wherein the logical operation operates on data related to the kernel service routine to obtain the logical operation result.

4. The fast system call method of claim 3, … operation.

5. The fast system call method of claim …, wherein the ciphertext resides in the kernel service routine.

6. The fast system call method of claim 5, wherein the ciphertext is produced by a kernel, and there is no restriction on the algorithm used to produce the ciphertext or on when it is produced, except that the key used to produce the ciphertext must be properly protected within the system.

7. The fast system call method of claim 1, wherein comparing the logical operation result with the ciphertext further comprises the following steps:
when the logical operation result equals the ciphertext, allowing the kernel service routine to be read; and
when the logical operation result does not equal the ciphertext, executing a corresponding exception handler routine.

8. A fast system call method, comprising:
generating a system call;
computing a kernel service routine with a logical operation to produce a logical operation result; and
comparing the logical operation result with a ciphertext in a key register, wherein comparing the logical operation result with the ciphertext further comprises the following steps:
when the logical operation result equals the ciphertext, allowing the kernel service routine to be read; and
when the logical operation result does not equal the ciphertext, executing a corresponding exception handler routine.

9. The fast system call method of claim 8, wherein the ciphertext is produced by a kernel, and there is no restriction on the algorithm used to produce the ciphertext or on when it is produced, except that the key used to produce the ciphertext must be properly protected within the system.

10. The fast system call method of claim 8, wherein the system call further comprises executing a user mode program, and the user mode program requests execution of the kernel service routine.

11. The fast system call method of claim 8, wherein the logical operation operates on data related to the kernel service routine to obtain the logical operation result.

… an AND-NOT operation, an exclusive OR operation, a NOT-XOR operation, or a data encryption algorithm.
TW95126100A 2006-07-17 2006-07-17 A fast system call implementation TWI317082B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW95126100A TWI317082B (en) 2006-07-17 2006-07-17 A fast system call implementation

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW95126100A TWI317082B (en) 2006-07-17 2006-07-17 A fast system call implementation

Publications (2)

Publication Number Publication Date
TW200807273A TW200807273A (en) 2008-02-01
TWI317082B TWI317082B (en) 2009-11-11

Family

ID=44766602

Family Applications (1)

Application Number Title Priority Date Filing Date
TW95126100A TWI317082B (en) 2006-07-17 2006-07-17 A fast system call implementation

Country Status (1)

Country Link
TW (1) TWI317082B (en)

Also Published As

Publication number Publication date
TWI317082B (en) 2009-11-11

Similar Documents

Publication Publication Date Title
US11416624B2 (en) Cryptographic computing using encrypted base addresses and used in multi-tenant environments
US11403234B2 (en) Cryptographic computing using encrypted base addresses and used in multi-tenant environments
US11748468B2 (en) Dynamic switching between pointer authentication regimes
US9767284B2 (en) Continuous run-time validation of program execution: a practical approach
US20240126930A1 (en) Secure Collaboration Between Processors And Processing Accelerators In Enclaves
US11669625B2 (en) Data type based cryptographic computing
Lie et al. Implementing an untrusted operating system on trusted hardware
US8407476B2 (en) Method and apparatus for loading a trustable operating system
US8132002B2 (en) Fast system call method
US20220382885A1 (en) Cryptographic computing using encrypted base addresses and used in multi-tenant environments
RU2334268C2 (en) Commands supporting processing of encoded message
US11580035B2 (en) Fine-grained stack protection using cryptographic computing
US20040230813A1 (en) Cryptographic coprocessor on a general purpose microprocessor
Breuer et al. A practical encrypted microprocessor
CN115964758A (en) TrustZone-based kernel data integrity protection method
TW200807273A (en) A fast system call implementation
Moreira et al. Return-oriented programming protection in the IBM POWER10
US20220206814A1 (en) Cryptographic enforcement of borrow checking
US20220207133A1 (en) Cryptographic enforcement of borrow checking across groups of pointers
Singh et al. System z Crypto and TKE Update
Singh Fundamental of Windows

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees