What is the default operating mode when you initially log in to a router?

12.2 AArch64 execution and exception states

The AArch64 processor provides two major modes of operation, referred to as execution states. They are 32-bit AArch32 state, and 64-bit AArch64 state. Both of these execution states provide privileged modes and a user mode. The AArch32 execution state allows the processor to execute code written for the ARMv7 and older processors.

12.2.1 AArch64 exception levels

In the AArch64 execution state, there are three privileged modes and one user mode. These are referred to as exception levels. The higher the exception level, the more privilege the code has. Typically, the system uses the exception levels as follows:

EL0

User applications,

EL1

OS kernel and other privileged code,

EL2

Hypervisor (support for virtual machines), and

EL3

Secure monitor (manage security contexts).

The major difference between EL0 and the higher levels is that code executing in EL0 cannot access system registers. EL1 can access most system registers, EL2 has additional privileges, and EL3 has all privileges. The only way that the processor can change from one exception level to a higher level is when an exception occurs. The only way that the processor can move to a lower exception level is by executing an exception return instruction. When changing the exception level, it is also possible to switch between AArch64 and AArch32 execution state. The processor also supports two security states: Secure and non-secure. EL3 is meant to manage the security state, and EL2 is meant to provide virtual machine capabilities. In many situations, only EL0 and EL1 are required, and some processors may not provide EL2 and/or EL3. On power-up and on reset, the processor enters the highest available exception level.

Each exception level has its own stack pointer, link register, and saved process state register (SPSR). Table 12.1 shows the names of these banked registers. When the exception level changes, the corresponding link register and stack pointer become active, and “replace” the user stack pointer and link register. Also, when an exception occurs, the current PSTATE register is copied into the SPSR for the exception level that is being entered. When an exception occurs:

Table 12.1. The ARM User and System Registers.

EL0EL1EL2EL3Stack PointerSP_EL0SP_EL1SP_EL2SP_EL3Exception Link RegisterELR_EL1ELR_EL2ELR_EL3Saved PSTATESPSR_EL1SPSR_EL2SPSR_EL3

1.

The current PSTATE is copied to SPSR_ELn where n is the exception level being entered,

2.

the PSTATE register is updated,

3.

the exception level stays the same or gets higher,

4.

the return address is stored to ELR_ELn,

5.

the program counter (PC) is set to the appropriate vector address, and

6.

if it is a synchronous or SError exception, ESR_ELn is updated with the cause of exception.

To return from an exception, the

instruction is executed. This instruction:1.

restores the

from

, and2.

restores the program counter (PC) from

.

Software executing in an exception level higher than EL0 can select whether to use the default SP_ELx stack pointer or the SP_EL0 stack pointer by executing an

instruction. This allows privileged code to access and modify the user mode stack. For example, when an exception occurs, registers can be saved on the user mode stack, then restored before going back to user mode.

12.2.2 System control and status registers

The PSTATE flags were introduced in Chapter 3. The PSTATE register also contains other fields that are used by system (or bare metal) code. Fig. 12.3 shows all of the fields in the PSTATE register. These fields are briefly described below:

TCO

Tag Check Override is available in ARMv8.5 and above with the MemTag extension.

DIT

Data Independent Timing is available in ARMv8.4 and above with the DIT extension.

UAO

User Access Override is available in ARMv8.2 and above with the UAO extension.

PAN

Privileged Access Never is available in ARMv8.1 and above with the PAN extension.

SS

Software Step.

IL

Illegal Execution state.

SSBS

Speculative Store Bypass is available in ARMv8.0 and above with the SSBS extension.

BTYPE

Branch Type Indicator is available in ARMv8.5 and above with the BTI extension.

D

Debug exception mask.

A

SError interrupt mask.

I

IRQ interrupt mask.

F

FIQ interrupt mask.

M[4]

Execution state (Mode bit 4). A zero in this bit indicates AArch64 state. One indicates AArch32 state.

M[3:0]

AArch64 Exception level and selected Stack Pointer. The values for this field are shown in Table 12.2

Table 12.2. Mode bits in the PSTATE register.

M[3:0]ELSP0000EL0SP_EL00100EL1SP_EL00101EL1SP_EL11000EL2SP_EL01001EL2SP_EL21100EL3SP_EL01101EL3SP_EL3

The most important fields are the Mode bits, which can be examined to determine which stack pointer is currently selected, which execution state the processor is in, and the current exception level. Some of the fields can also be changed by code running in privileged mode. Table 12.2 shows valid values for the Mode bits.

Figure 12.3. The PSTATE register.

For exception levels other than EL0, the execution state (AArch32 or AArch64) is determined by one or more control register configuration bits. These bits can be set only in execution states higher than EL0. For EL0, the execution state is determined as part of the exception return to EL0, under the control of the exception level that the execution is returning from. Higher exception levels can change the execution state, but EL0 cannot.

There are some additional configuration and status registers available in higher exception levels. They include:

SCTLR_ELn

The System Control Register controls architectural features. For example the Memory Management Unit (MMU), caches, and memory alignment checking.

ACTLR_ELn

The Auxiliary Control Register controls processor specific features.

SCR_EL3

The Secure Configuration Register controls secure state and trapping of exceptions to EL3.

HCR_EL2

The Hypervisor Configuration Register controls virtualization settings, and trapping of exceptions to EL2.

MIDR_EL1

The Main ID Register describes the type of processor the code is running on.

MPIDR_EL1

The Multiprocessor Affinity Register contains the core and cluster ID of the core/cluster that the code is running on, in multi-core/cluster systems.

CTR_EL0

The Cache Type register contains information about the integrated caches.

System-Level Instruction-Set Extensions

To do this, we need the system-level facilities found in microarchitectures that support operating systems and privileged mode. We must protect the operating system from user processes; we must distinguish between processes; we must translate virtual addresses; we need an exception-handling facility; the operating system needs some control registers and would do well to have a set of general-purpose registers that it can use without disturbing user processes (otherwise, it would have to save/restore the entire register state on every exception, interrupt, or trap); etc. Briefly, the extensions to the base pipeline include the following:

Addition of a privileged kernel mode that is activated upon handling an exception or interrupt or upon handling a TRAP instruction, which raises an exception.

Addition of a TLB to translate addresses. The TLB should have the same number of ports as the number of memory ports: i.e., if there is a separate instruction-fetch port that is distinct from the data read/write port, then there should be two TLB ports. The trade-off is cost for speed. Fewer ports in both the TLB and memory access translates to a less expensive implementation, but it can also translate to a significant overhead in time spent waiting for a port to free up. Clearly, this choice would be made through an architectural design study.

The ability for software to enter an exceptional state directly, for example, via trap instructions. Note some “exceptions” that hardware supports are actually privileged instructions that the machine handles at the time of instruction execution, instead of vectoring to a software handler routine. This includes TLB handling routines, mode instructions (e.g., sleep, doze), etc. Table 31.2 gives examples of both instructions (“sys”) and system-level instructions such as TLB-write and return-from-exception.

TABLE 31.2. System-level instructions added to the instruction set

Assembly Code FormatMeaningtlbw regA, regBWrite TLB entry (held in regA and regB) to the TLB: regA holds the page table entry, and thus the bottom bits of regA contain the PFN; by construction, regB contains both the ASID and VPN (see discussion for details); all other bits in regA and regB are ignoredrfe regA, regB or rfe regA

Return from exception: waits until write-back stage to jump (without link) through a register; simultaneously returns processor to previously stored K mode

Note: the pipeline may also place a return value into the user-visible register file; this can represent the result of a system call, for example

Addition of control registers available in privileged mode, e.g., those shown in Figure 31.28. “GPR” refers to a general-purpose register, of which there may be several. The processor status register (PSR) contains mode bits that directly influence processor operation. The interrupt service register (ISR) indicates interrupts that have been received by the processor. The interrupt mask register (IMR) allows software to ignore selected interrupts. The exceptional program counter (EPC) register is filled by hardware when vectoring to a handler and indicates the return address for the exceptional instruction. Even if using a shadow register file of the same size as the user-visible register file while in kernel mode, access to the GPR file may still be possible through special register-move instructions.

The definition of a memory map that delineates portions of the virtual space as being mapped through the TLBs, accessible in kernel mode only, etc. This is also illustrated in Figure 31.28; the illustrated map resembles both MIPS and VMS architectures. For the example architecture, in user mode all of the address space is mapped through the TLB. All virtual addresses are first translated by the TLB before being used to reference memory locations. Note that this implies that all virtual addresses are valid in user mode. This is similar to VMS, but unlike many other operating systems. In kernel mode, the top half of the address space is mapped through the TLB, and the bottom half is not. This means that addresses in this region, while the computer is in privileged kernel mode, will be sent directly to the memory system without first being translated. This is MIPS-like in design.

Addition of the concept of an address-space identifier. The ASID distinguishes different processes that run on the machine, and its use allows state from many different processes to reside in the TLB and cache at the same time (otherwise, the TLB and potentially the cache as well would have to be flushed on context switches). In this architecture, ASID 0 is interpreted by the hardware to indicate the kernel executing in privileged mode. When the processor is in kernel mode (i.e., when the K bit in the processor status register is set), instruction fetch must use ASID 0; this overrides whatever value may be in the ASID portion of the processor status register. In contrast, data memory access in the memory stage will use whatever ASID is in the PSR. This last mechanism allows the operating system to read and write locations within different user address spaces (i.e., “masquerade” as different processes), but it prevents the operating system from executing instructions belonging to unprivileged processes, which might otherwise constitute a security hole.

Creation of memory-management constructs including the user page table organization. Having hardware define this structure is beneficial in that the hardware can quickly generate the address that the TLB-miss handler needs to locate the PTE. Though this could limit flexibility by having the hardware dictate a page table format to the operating system, software can always ignore this address (treat it as a “hint” that need not be followed) to implement whatever page table it wants. However, it would then have to generate its own PTE addresses.

Privileged Exec Mode

Privileged Exec mode is an escalated operating mode. It is also called Enable mode. This is because to enter Privileged Exec mode, you must enter the command enable at the IOS prompt. You will be able to tell that you are in privileged mode because the IOS prompt will now end with #. Once you are in privileged mode and want to return to user mode, you must enter the command disable at the IOS prompt. A user with Privileged Exec mode access can basically do almost anything on the device.

CONFIGURING AND IMPLEMENTING…

9.2.3.1 Enabling and Disabling FIQ and IRQ Exceptions

The ARM processor core has a simple procedure to manually enable and disable interrupts that involves modifying the cpsr when the processor is in a privileged mode.

Table 9.5 shows how IRQ and FIQ interrupts are enabled. The procedure uses three ARM instructions.

Table 9.5. Enabling an interrupt.

cpsr valueIRQFIQPrenzcvqjIFt_SVCnzcvqjIFt_SVCCodeenable_irqenable_fiqMRSr1, cpsrMRSr1, cpsrBICr1, r1, #0x80BICr1, r1, #0x40MSRcpsr_c, r1MSRcpsr_c, r1PostnzcvqjiFt_SVCnzcvqjIft_SVC

The first instruction MRS copies the contents of the cpsr into register r1. The second instruction clears the IRQ or FIQ mask bit. The third instruction then copies the updated contents in register r1 back into the cpsr, enabling the interrupt request. The postfix _c identifies that the bit field being updated is the control field bit [7:0] of the cpsr. (For more details see Chapter 2.) Table 9.6 shows a similar procedure to disable or mask an interrupt request.

Table 9.6. Disabling an interrupt.

cpsrIRQFIQPrenzcvqjift_SVCnzcvqjift_SVCCodedisable_irqdisable_fiqMRSr1, cpsrMRSr1, cpsrORRr1, r1, #0x80ORRr1, r1, #0x40MSRcpsr_c, r1MSRcpsr_c, r1PostnzcvqjIft_SVCnzcvqjiFt_SVC

It is important to understand that the interrupt request is either enabled or disabled only once the MSR instruction has completed the execution stage of the pipeline. Interrupts can still be raised or masked prior to the MSR completing this stage.

To enable and disable both the IRQ and FIQ exceptions requires a slight modification to the second instruction. The immediate value on the data processing BIC or ORR instruction has to be changed to 0xc0 to enable or disable both interrupts.

2.2.1 PROCESSOR MODES

The processor mode determines which registers are active and the access rights to the cpsr register itself. Each processor mode is either privileged or nonprivileged: A privileged mode allows full read-write access to the cpsr. Conversely, a nonprivileged mode only allows read access to the control field in the cpsr but still allows read-write access to the condition flags.

There are seven processor modes in total: six privileged modes (abort, fast interrupt request, interrupt request, supervisor, system, and undefined) and one nonprivileged mode (user).

The processor enters abort mode when there is a failed attempt to access memory. Fast interrupt request and interrupt request modes correspond to the two interrupt levels available on the ARM processor. Supervisor mode is the mode that the processor is in after reset and is generally the mode that an operating system kernel operates in. System mode is a special version of user mode that allows full read-write access to the cpsr. Undefined mode is used when the processor encounters an instruction that is undefined or not supported by the implementation. User mode is used for programs and applications.

Detecting You Are in a Hypervisor Environment

Another interesting form of virtualization for malware analysis is the hypervisor environment. These environments are created using features of recent processors from Intel and AMD. These processors support going into a privileged mode known as hyper-visor mode. The hypervisor process has control of the virtualized machine. It gains control on certain operations performed by the guest machine such as memory paging operations. When the guest operating system makes a page request to access a segment of memory that has not been accessed recently, the hypervisor process can intercede. While the guest is paused, the hypervisor can inspect and modify the state of the guest machine. Methods have been created that allow the researcher to catch system library calls, and to manipulate the results of those calls.

The hardware of the guest is the actual hardware of the machine so the methods discussed earlier regarding detecting virtualization in general don't apply. It is very difficult (and some argue impossible) to detect a virtualized environment from the guest machine. In an interesting twist there has also been research on malware that puts the victim into a virtual environment. The malware then becomes the entity attempting to prevent the host from discovering that it's been “virtualized.” It's really a race to be the first to “initialize” the virtualization. If a second attempt at entering hypervisor mode is attempted, the hypervisor process can “convince” the victim that it has attained hypervisor mode when in actuality the victim is not in control.

The Command-Line Interface

The command-line interface (CLI) used on the PIX is very similar to that used on routers. Three modes exist to perform configuration and troubleshooting steps. These three modes are:

Unprivileged mode

Privileged mode

Configuration mode

When you first initiate a console or Telnet session to the PIX, you will be in user mode. Virtually no commands will be available in user mode. Only the enable, pager, and quit commands are permitted. Once in privileged mode, commands such as show, debug, and reload are available. From privileged mode, configuration tasks may take place by entering the configure command, followed by where the PIX will accept configuration commands from. For example, when you first connect to the PIX, either through a Telnet or console session, you will be in user mode (the user mode password must be entered when accessing the PIX by Telnet). User mode is represented by the following prompt:

Pixfirewall >

In order to access privileged mode, you must type enable at the prompt. After providing the required authentication, you will enter privileged mode. Privileged mode is represented by the following prompt:

Pixfurewall>enable

Password: ********

Pixfirewall #

If the system did not request a password after typing enable, it means no enable password has been configured as described in the Basic Configuration section. It is very important that an enable password be configured.

Finally, in order to perform configuration tasks, you must be in configuration mode. This mode is represented by the following prompt:

Pixfurewall #configure terminal

Pixfirewall(config) #

Table 3.2 lists some of the shortcut key combinations available on the PIX CLI.

Table 3.2. Key Combination Shortcuts

CommandResultTABCompletes a command entryCtrl+ATakes cursor to beginning of the lineCtrl+ETake cursor to end of the lineCtrl+RRedisplayes a line (useful if command gets interrupted by console output)Arrow up or Ctrl+PDisplays previous lineArrow up or Ctrl+nDisplayes next lineHelp or ?Displays help

IP Configuration

Once the interfaces on the PIX have been named and assigned a security value (additional interfaces only), the IP must be configured on the interfaces in order to allow traffic to pass through the PIX.

IP Addresses

Once the interfaces have been named and are activated, an IP address needs to be assigned to them. To assign an IP address to an interface, use the command:

ip address interface-name netmask

To further explain:

■

Interface-name The name assigned to the interface using the nameif command.

■

Netmask The network mask assigned to the interface.

pixfirewall (conflg) #interface ethernet0 auto

pixfirewall (config) #interface ethernet1 auto

pixfirewall (config) #ip address inside 172.16.0.1 255.255.255.0

pixfirewall (config) #ip address outside 207.139.221.1 255.255.255.0

pixfirewall (config) #show interface ethernet1

interface ethernet1 "inside" is up, line protocol is up

 Hardware is i82559 ethernet, address is 0050.54ff.2aa9

 IP address 172.16.0.1, subnet mask 255.255.255.0

 MTU 1500 bytes, BW 100000 Kbit full duplex

 147022319 packets input, 3391299957 bytes, 0 no buffer

 Received 12580140 broadcasts, 0 runts, 0 giants

 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0

abort

 166995559 packets output, 1686643683 bytes, 0 underruns

 0 output errors, 0 collisions, 0 interface resets

 0 babbles, 0 late collisions, 0 deferred

 0 lost carrier, 0 no carrier

Once the interfaces have been configured, test them to make sure they have been configured properly. A simple connectivity test is to ping another interface on your network or test lab environment. To do this:

Ping interface ip_address

In this case, the following is true:

■

Interface The interface in which you want the ping to originate from (similar to an extended ping on a router).

■

Ip_address The target IP address to ping.

pixfirewallt#ing inside 172.16.0.2

 172.16.0.2 response received – 0ms

 172.16.0.2 response received – 0ms

 172.16.0.2 response received – 0ms

If no response is received, confirm that the network cables are connected to the interfaces and the interfaces have been configured correctly.

pixfirewall#ping inside 172.16.0.4

 172.16.0.4 No response received – 940ms

 172.16.0.4 No response received – 900ms

 172.16.0.4 No response received – 920ms

Default Route

Now that all the interfaces have been configured, a default gateway must be assigned. A typical implementation will have a PIX firewall positioned between the ISP and company’s networks (Figure 3.3).

Figure 3.3. Default Route

A default gateway must be assigned to the outside interface to allow traffic to reach the ISP. To do this, use the command:

route interface_name ip_address netmask gateway_ip [metric]

To further explain:

■

Interface_name The internal or external network interface name.

■

Ip_address ID of the internal or external IP address. Use 0.0.0.0 to specify a default route. The 0.0.0.0 can be abbreviated as 0.

■

Netmask Specifies a network mask to apply to ip_address. Use 0.0.0.0 to specify a default route. The 0.0.0.0 can be abbreviated as 0.

■

Gateway_ip The IP address of the gateway router (the next hop address for this route).

■

Metric Specifies the number of hops to gateway_ip.

 pixfirewall>enable

 pixfirewall#configure terminal

 pixfirewall (config) #route outside 0 0 207.139.221.1

If different networks are present on the inside or outside interface, the PIX will need information about how to reach those networks. Since the PIX is not a router, it does not support the different routing protocols a router does.

Currently, the PIX only supports RIP as its routing protocol. Since PIX it is not a router, it is not recommended to use RIP. Instead, add static routes to the PIX to make other networks reachable. To add a static route:

pixfirewall>enable

pixfirewall#configure terminal

pixfirewall (config) #route inside 192.168.1.0 255.255.255.0 172.16.0.2 1

Functions of a Router, Its Architectures, and Components

Routers, switches, and transmission equipment form the backbone of the Internet, yet most auditors do not understand how they work and how they fit into the bigger picture of security and functionality.

A router is designed to transmit packets between different networks. In addition, a router can also act as a control point, filtering unwanted protocols, networks, and other security concerns. Routers also act as a gateway between local and wide area networks. Routers are often used as relays for network attacks. Privileged access to the router may be used to reconfigure it or cause a Denial of Service (DoS) attack. Controlling interactive logons to the router helps prevent these and other conditions from occurring.