How is virtual system space protected against access?










1















On Microsoft Docs I read:




In 64-bit Windows, the theoretical amount of virtual address space is 2^64 bytes (16 exabytes), but only a small portion of the 16-exabyte range is actually used. The 8-terabyte range from 0x000'00000000 through 0x7FF'FFFFFFFF is used for user space, and portions of the 248-terabyte range from 0xFFFF0800'00000000 through 0xFFFFFFFF'FFFFFFFF are used for system space.




Since I have 64 bit pointers, I could possibly construct a pointer that points to some 0xFFFFxxxxxxxxxxxx address.



The site continues:




Code running in user mode has access to user space but does not have access to system space.




If I wereable to guess a valid address in system virtual address space, what mechanism prevents me from writing there?



I know about memory protection but that doesn't seem to offer something that distinguishes between user memory and system memory.










share|improve this question



















  • 2





    you need read about Paging (x86/x64) and PTE format. the Bit 2 (U/S) is the User/Supervisor flag - controls access to the page based on privilege level. If the bit is set, then the page may be accessed by all; if the bit is not set, however, only the kernel mode (0) can access it.

    – RbMm
    Nov 15 '18 at 15:31











  • @RbMm: great. If you cite a bit from some resource, that's enough for me to accept the answer

    – Thomas Weller
    Nov 15 '18 at 15:32






  • 2





    look for intel or amd manuals - paging. or in brief - Paging or cs.hadassah.ac.il/staff/martin/Micro_Modern/slide03.pdf

    – RbMm
    Nov 15 '18 at 15:35






  • 2





    HARDWARE_PTE - if Owner == 1 user mode (privilege level 3 by cpu view) can access page (of couse Valid must be set). otherwise cpu generate exception

    – RbMm
    Nov 15 '18 at 15:43















1















On Microsoft Docs I read:




In 64-bit Windows, the theoretical amount of virtual address space is 2^64 bytes (16 exabytes), but only a small portion of the 16-exabyte range is actually used. The 8-terabyte range from 0x000'00000000 through 0x7FF'FFFFFFFF is used for user space, and portions of the 248-terabyte range from 0xFFFF0800'00000000 through 0xFFFFFFFF'FFFFFFFF are used for system space.




Since I have 64 bit pointers, I could possibly construct a pointer that points to some 0xFFFFxxxxxxxxxxxx address.



The site continues:




Code running in user mode has access to user space but does not have access to system space.




If I wereable to guess a valid address in system virtual address space, what mechanism prevents me from writing there?



I know about memory protection but that doesn't seem to offer something that distinguishes between user memory and system memory.










share|improve this question



















  • 2





    you need read about Paging (x86/x64) and PTE format. the Bit 2 (U/S) is the User/Supervisor flag - controls access to the page based on privilege level. If the bit is set, then the page may be accessed by all; if the bit is not set, however, only the kernel mode (0) can access it.

    – RbMm
    Nov 15 '18 at 15:31











  • @RbMm: great. If you cite a bit from some resource, that's enough for me to accept the answer

    – Thomas Weller
    Nov 15 '18 at 15:32






  • 2





    look for intel or amd manuals - paging. or in brief - Paging or cs.hadassah.ac.il/staff/martin/Micro_Modern/slide03.pdf

    – RbMm
    Nov 15 '18 at 15:35






  • 2





    HARDWARE_PTE - if Owner == 1 user mode (privilege level 3 by cpu view) can access page (of couse Valid must be set). otherwise cpu generate exception

    – RbMm
    Nov 15 '18 at 15:43













1












1








1








On Microsoft Docs I read:




In 64-bit Windows, the theoretical amount of virtual address space is 2^64 bytes (16 exabytes), but only a small portion of the 16-exabyte range is actually used. The 8-terabyte range from 0x000'00000000 through 0x7FF'FFFFFFFF is used for user space, and portions of the 248-terabyte range from 0xFFFF0800'00000000 through 0xFFFFFFFF'FFFFFFFF are used for system space.




Since I have 64 bit pointers, I could possibly construct a pointer that points to some 0xFFFFxxxxxxxxxxxx address.



The site continues:




Code running in user mode has access to user space but does not have access to system space.




If I wereable to guess a valid address in system virtual address space, what mechanism prevents me from writing there?



I know about memory protection but that doesn't seem to offer something that distinguishes between user memory and system memory.










share|improve this question
















On Microsoft Docs I read:




In 64-bit Windows, the theoretical amount of virtual address space is 2^64 bytes (16 exabytes), but only a small portion of the 16-exabyte range is actually used. The 8-terabyte range from 0x000'00000000 through 0x7FF'FFFFFFFF is used for user space, and portions of the 248-terabyte range from 0xFFFF0800'00000000 through 0xFFFFFFFF'FFFFFFFF are used for system space.




Since I have 64 bit pointers, I could possibly construct a pointer that points to some 0xFFFFxxxxxxxxxxxx address.



The site continues:




Code running in user mode has access to user space but does not have access to system space.




If I wereable to guess a valid address in system virtual address space, what mechanism prevents me from writing there?



I know about memory protection but that doesn't seem to offer something that distinguishes between user memory and system memory.







windows security kernel






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 15 '18 at 15:27







Thomas Weller

















asked Nov 15 '18 at 15:21









Thomas WellerThomas Weller

29.1k1068138




29.1k1068138







  • 2





    you need read about Paging (x86/x64) and PTE format. the Bit 2 (U/S) is the User/Supervisor flag - controls access to the page based on privilege level. If the bit is set, then the page may be accessed by all; if the bit is not set, however, only the kernel mode (0) can access it.

    – RbMm
    Nov 15 '18 at 15:31











  • @RbMm: great. If you cite a bit from some resource, that's enough for me to accept the answer

    – Thomas Weller
    Nov 15 '18 at 15:32






  • 2





    look for intel or amd manuals - paging. or in brief - Paging or cs.hadassah.ac.il/staff/martin/Micro_Modern/slide03.pdf

    – RbMm
    Nov 15 '18 at 15:35






  • 2





    HARDWARE_PTE - if Owner == 1 user mode (privilege level 3 by cpu view) can access page (of couse Valid must be set). otherwise cpu generate exception

    – RbMm
    Nov 15 '18 at 15:43












  • 2





    you need read about Paging (x86/x64) and PTE format. the Bit 2 (U/S) is the User/Supervisor flag - controls access to the page based on privilege level. If the bit is set, then the page may be accessed by all; if the bit is not set, however, only the kernel mode (0) can access it.

    – RbMm
    Nov 15 '18 at 15:31











  • @RbMm: great. If you cite a bit from some resource, that's enough for me to accept the answer

    – Thomas Weller
    Nov 15 '18 at 15:32






  • 2





    look for intel or amd manuals - paging. or in brief - Paging or cs.hadassah.ac.il/staff/martin/Micro_Modern/slide03.pdf

    – RbMm
    Nov 15 '18 at 15:35






  • 2





    HARDWARE_PTE - if Owner == 1 user mode (privilege level 3 by cpu view) can access page (of couse Valid must be set). otherwise cpu generate exception

    – RbMm
    Nov 15 '18 at 15:43







2




2





you need read about Paging (x86/x64) and PTE format. the Bit 2 (U/S) is the User/Supervisor flag - controls access to the page based on privilege level. If the bit is set, then the page may be accessed by all; if the bit is not set, however, only the kernel mode (0) can access it.

– RbMm
Nov 15 '18 at 15:31





you need read about Paging (x86/x64) and PTE format. the Bit 2 (U/S) is the User/Supervisor flag - controls access to the page based on privilege level. If the bit is set, then the page may be accessed by all; if the bit is not set, however, only the kernel mode (0) can access it.

– RbMm
Nov 15 '18 at 15:31













@RbMm: great. If you cite a bit from some resource, that's enough for me to accept the answer

– Thomas Weller
Nov 15 '18 at 15:32





@RbMm: great. If you cite a bit from some resource, that's enough for me to accept the answer

– Thomas Weller
Nov 15 '18 at 15:32




2




2





look for intel or amd manuals - paging. or in brief - Paging or cs.hadassah.ac.il/staff/martin/Micro_Modern/slide03.pdf

– RbMm
Nov 15 '18 at 15:35





look for intel or amd manuals - paging. or in brief - Paging or cs.hadassah.ac.il/staff/martin/Micro_Modern/slide03.pdf

– RbMm
Nov 15 '18 at 15:35




2




2





HARDWARE_PTE - if Owner == 1 user mode (privilege level 3 by cpu view) can access page (of couse Valid must be set). otherwise cpu generate exception

– RbMm
Nov 15 '18 at 15:43





HARDWARE_PTE - if Owner == 1 user mode (privilege level 3 by cpu view) can access page (of couse Valid must be set). otherwise cpu generate exception

– RbMm
Nov 15 '18 at 15:43












0






active

oldest

votes











Your Answer






StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "1"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53322606%2fhow-is-virtual-system-space-protected-against-access%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























0






active

oldest

votes








0






active

oldest

votes









active

oldest

votes






active

oldest

votes















draft saved

draft discarded
















































Thanks for contributing an answer to Stack Overflow!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53322606%2fhow-is-virtual-system-space-protected-against-access%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







這個網誌中的熱門文章

How to read a connectionString WITH PROVIDER in .NET Core?

In R, how to develop a multiplot heatmap.2 figure showing key labels successfully

Museum of Modern and Contemporary Art of Trento and Rovereto