User-Mode Instruction Prevention (UMIP) is an x86 security feature introduced in the Intel Cannon Lake, Goldmont Plus, and AMD Zen 2 microarchitectures. If enabled, execution of the SGDT, SIDT, SLDT, SMSW, and STR instructions while the Current Privilege Level (CPL) is greater than 0 causes a general-protection exception.
Overview
The SGDT and SIDT instructions store the contents of the Global Descriptor Table Register (GDTR) and Interrupt Descriptor Table Register (IDTR), respectively, in memory. SLDT and STR store the 16-bit segment selector field of the Local Descriptor Table Register (LDTR) and Task Register (TR), respectively, in memory or a general-purpose register. These selectors reference segment descriptors in the GDT. SMSW stores the lowest bits (originally 16 bits, the Machine Status Word) of the CR0 control register in memory or a general-purpose register. These instructions are intended for operating system use and date back to the Intel 80286 microarchitecture. SMSW was superseded by the privileged MOV CRn instruction but is still supported for software compatibility.
GDTR, LDTR, IDTR, and TR specify the location of various data structures that control segmented memory management. The IDT, for instance, contains gate descriptors for each exception and interrupt vector, which in turn point to interrupt handler code. CR0 contains flags that control the operating modes of the processor. User-mode code was never able to load values into these registers. Reading their values was originally considered harmless, but it was later realized that they are sensitive information: they can, for instance, aid malware in defeating address space layout randomization techniques, which prevent it from reliably jumping to an exploited function.
Some applications use these instructions for legitimate purposes, so UMIP leaves the decision to enable this feature, or possibly trap and emulate some of these instructions with dummy values, up to the operating system.
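A compatibility check an operating system vendor or administrator might run before enabling UMIP, as an added example that is not part of the original page: a linear byte sweep that flags the encodings of the five affected instructions in a code buffer. The function names and the sample bytes are constructed for illustration, and because this is not a full disassembler, matches inside data or inside other instructions' operands are possible.

```c
#include <stddef.h>
#include <stdint.h>

/* Instructions that raise #GP at CPL > 0 when UMIP is enabled. */
enum umip_insn { UMIP_NONE, UMIP_SGDT, UMIP_SIDT, UMIP_SLDT, UMIP_SMSW, UMIP_STR, UMIP_KINDS };

/* Classify the bytes at p by two-byte opcode and ModRM.reg:
 * 0F 00 /0 SLDT, 0F 00 /1 STR, 0F 01 /0 SGDT, 0F 01 /1 SIDT, 0F 01 /4 SMSW.
 * SGDT and SIDT exist only with a memory operand; with mod == 3 the same
 * opcode and reg values encode unrelated instructions, so those are skipped. */
enum umip_insn umip_classify(const uint8_t *p, size_t n)
{
    if (n < 3 || p[0] != 0x0F)
        return UMIP_NONE;
    unsigned mod = p[2] >> 6, reg = (p[2] >> 3) & 7;
    if (p[1] == 0x00) {
        if (reg == 0) return UMIP_SLDT;
        if (reg == 1) return UMIP_STR;
    } else if (p[1] == 0x01) {
        if (reg == 0 && mod != 3) return UMIP_SGDT;
        if (reg == 1 && mod != 3) return UMIP_SIDT;
        if (reg == 4) return UMIP_SMSW;
    }
    return UMIP_NONE;
}

/* Sweep every byte offset of a code buffer; counts[] is indexed by the enum. */
size_t umip_scan(const uint8_t *buf, size_t len, size_t counts[UMIP_KINDS])
{
    size_t total = 0;
    for (size_t i = 0; i < len; i++) {
        enum umip_insn k = umip_classify(buf + i, len - i);
        if (k != UMIP_NONE) { counts[k]++; total++; }
    }
    return total;
}

/* Constructed sample: nop; sgdt [rsp]; sidt [rsp]; sldt eax; str eax;
 * smsw eax; xgetbv (0F 01 D0, must not be flagged); ret. */
static const uint8_t SAMPLE[] = {
    0x90, 0x0F,0x01,0x04,0x24, 0x0F,0x01,0x0C,0x24, 0x0F,0x00,0xC0,
    0x0F,0x00,0xC8, 0x0F,0x01,0xE0, 0x0F,0x01,0xD0, 0xC3 };

int main(void)
{
    size_t counts[UMIP_KINDS] = {0};
    return umip_scan(SAMPLE, sizeof SAMPLE, counts) == 5 ? 0 : 1;
}
```

A hit means the binary would take a general-protection exception at that instruction with UMIP enabled, unless the operating system traps and emulates it.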