A call gate is a mechanism in Intel's

x86 architecture x86 (also known as 80x86 or the 8086 family) is a family of complex instruction set computer (CISC) instruction set architectures initially developed by Intel, based on the 8086 microprocessor and its 8-bit-external-bus variant, the 8088. T ...

for changing the privilege level of a process when it executes a predefined

function call In computer programming, a function (also procedure, method, subroutine, routine, or subprogram) is a callable unit of software logic that has a well-defined interface and behavior and can be invoked multiple times. Callable units provide a p ...

using a CALL FAR instruction.

Overview

Call gates are intended to allow less privileged code to call code with a higher privilege level. This type of mechanism is essential in modern operating systems that employ

memory protection Memory protection is a way to control memory access rights on a computer, and is a part of most modern instruction set architectures and operating systems. The main purpose of memory protection is to prevent a process from accessing memory that h ...

since it allows user applications to use kernel functions and

system call In computing, a system call (syscall) is the programmatic way in which a computer program requests a service from the operating system on which it is executed. This may include hardware-related services (for example, accessing a hard disk drive ...

s in a way that can be controlled by the

operating system An operating system (OS) is system software that manages computer hardware and software resources, and provides common daemon (computing), services for computer programs. Time-sharing operating systems scheduler (computing), schedule tasks for ...

. Call gates use a special selector value to reference a descriptor accessed via the Global Descriptor Table or the Local Descriptor Table, which contains the information needed for the call across privilege boundaries. This is similar to the mechanism used for

interrupt In digital computers, an interrupt (sometimes referred to as a trap) is a request for the processor to ''interrupt'' currently executing code (when permitted), so that the event can be processed in a timely manner. If the request is accepted ...

Usage

Assuming a call gate has been set up already by the

kernel, code simply does a CALL FAR with the necessary segment selector (the offset field is ignored). The processor will perform a number of checks to make sure the entry is valid and the code was operating at sufficient privilege to use the gate. Assuming all checks pass, a new CS/ EIP is loaded from the segment descriptor, and continuation information is pushed onto the stack of the new privilege level (old SS, old ESP, old CS, old EIP, in that order). Parameters may also be copied from the old stack to the new stack if needed. The number of parameters to copy is located in the call gate descriptor. The kernel may return to the user space program by using a RET FAR instruction which pops the continuation information off the stack and returns to the outer privilege level.

Format of call gate descriptor

typedef struct _CALL_GATE CALL_GATE,*PCALL_GATE;

Previous use

Multics Multics ("MULTiplexed Information and Computing Service") is an influential early time-sharing operating system based on the concept of a single-level memory.Dennis M. Ritchie, "The Evolution of the Unix Time-sharing System", Communications of t ...

was the first user of call gates. The

Honeywell 6180 The Honeywell 6000 series computers were a further development (using integrated circuits) of General Electric's 600-series mainframes manufactured by Honeywell International, Inc. from 1970 to 1989. Honeywell acquired the line when it purchas ...

had call gates as part of the architecture, but Multics simulated them on the older

GE 645 The GE 645 mainframe computer was a development of the GE 635 for use in the Multics project. This was the first computer that implemented a configurable hardware protected memory system. It was designed to satisfy the requirements of Project M ...

OS/2 OS/2 is a Proprietary software, proprietary computer operating system for x86 and PowerPC based personal computers. It was created and initially developed jointly by IBM and Microsoft, under the leadership of IBM software designer Ed Iacobucci, ...

was an early user of Intel call gates to transfer between

application code This glossary of computer science is a list of definitions of terms and concepts used in computer science, its sub-disciplines, and related fields, including terms relevant to software, data science, and . A ...

running in ring 3, privileged code running in ring 2, and kernel code in ring 0. Windows 95 executes drivers and process switching in ring 0, while applications, including API DLL such as kernel32.dll and krnl386.exe are executed in ring 3. Driver VWIN32.VXD provides key operating system primitives at ring 0. It allows calling of driver functions from 16-bit applications (MSDOS and Win16). This address is obtained by calling INT 2Fh, with 1684h in the AX register. To identify which VxD an entry point is being requested for, the BX register is set to the 16-bit VxD ID. Upon return from the INT instruction, the ES.DI registers contain a far pointer that can be called to transfer control to the VxD running at ring 0. The descriptor pointed by ES is actually a call gate. 32-bit applications, however, when they need to access Windows 95 driver code, call undocumented VxDCall function in KERNEL32.DLL which essentially calls INT 30h, which changes ring mode.

Modern use

Modern x86 operating systems are transitioning away from CALL FAR call gates. With the introduction of x86 instructions for

(SYSENTER/SYSEXIT by Intel and SYSCALL/SYSRET by AMD), a new faster mechanism was introduced for control transfers for x86 programs. As most other architectures do not support call gates, their use was rare even before these new instructions, as software interrupts or traps were preferred for portability, even though call gates are significantly faster than interrupts. Call gates are more flexible than the SYSENTER/SYSEXIT and SYSCALL/SYSRET instructions since unlike the latter two, call gates allow for changing from an arbitrary privilege level to an arbitrary (albeit higher or equal) privilege level. The fast SYS* instructions only allow control transfers from

ring (The) Ring(s) may refer to: * Ring (jewellery), a round band, usually made of metal, worn as ornamental jewelry * To make a sound with a bell, and the sound made by a bell Arts, entertainment, and media Film and TV * ''The Ring'' (franchise), a ...

3 to 0 and vice versa.

Security issues

To preserve system security, the Global Descriptor Table must be held in protected memory, otherwise any program will be able to create its own call gate and use it to raise its privilege level. Call gates have been used in software

security exploit An exploit is a method or piece of code that takes advantage of Vulnerability (computer security), vulnerabilities in software, Application software, applications, Computer network, networks, operating systems, or Computer hardware, hardware, typic ...

s, when ways have been found around this protection. One example of this is the e-mail

worm Worms are many different distantly related bilateria, bilateral animals that typically have a long cylindrical tube-like body, no limb (anatomy), limbs, and usually no eyes. Worms vary in size from microscopic to over in length for marine ...

''Gurong.A'', written to exploit the

Microsoft Windows Windows is a Product lining, product line of Proprietary software, proprietary graphical user interface, graphical operating systems developed and marketed by Microsoft. It is grouped into families and subfamilies that cater to particular sec ...

operating system, which uses \Device\PhysicalMemory to install a call gate.Worm:W32/Gurong.A Description
F-Secure Labs

References

{{Reflist X86 architecture