Ring Zero

The Intel x86 family of microchips use a concept called rings for access control. There are four rings, with Ring Zero being the most privileged and Ring Three being the least privileged. Internally, each ring is stored as a number; there aren't actually physical rings on the microchip.

All kernel code in the Windows OS runs in Ring Zero. Therefore, rootkits running in the kernel are considered to be running in Ring Zero. User-mode programs, those that don't run in the kernel (for example, your spreadsheet program), are sometimes called Ring Three programs. Many operating systems, including Windows and Linux, take advantage of only Rings Zero and Three on the Intel x86 microchips; they do not use Rings One and Two.^[1] Since Ring Zero is the most privileged and powerful ring on the system, it's a sign of pride for rootkit developers to claim that their code runs in Ring Zero.

^[1] Although Rings One and Two may be used, the architecture of Windows does not require their use.

The CPU is responsible for keeping track of which software code and memory is assigned to each ring, and enforcing access restrictions between rings. Usually, each software program is assigned a ring number, and cannot access any rings with lower numbers. For example, a Ring Three program cannot access a Ring Zero program. If a Ring Three program attempts to access Ring Zero memory, the CPU will throw an interrupt. In most such cases, the access will not be allowed by the OS. The attempt might even result in the shutdown of the offending program.

Under the hood, quite a bit of code controls this access restriction. There is also code that allows a program to access lower rings under special circumstances. For example, loading a printer driver into the kernel requires that an administrator program (a Ring Three program) have access to the loaded device drivers (in the Ring Zero kernel). However, once a kernel-mode rootkit is loaded, its code will be executing in Ring Zero, and these access restrictions will cease to be of concern.

Many tools that might detect rootkits run as administrator programs in Ring Three. A rootkit developer should understand how to leverage the fact that her rootkit has a higher privilege than the administrator tool. For example, the rootkit can use this fact to hide from the tool, or render it inoperative. Also, a rootkit is typically installed using a loader program. (We covered loader programs in Chapter 2.) These loader programs are Ring Three applications. In order to load rootkit into the kernel, these loader programs use special function calls that allow them to access Ring Zero.

Figure 3-1 shows the rings of Intel x86 processors and where user-mode and kernel-mode programs execute within those rings.

In addition to memory-access restrictions, there are other security provisions. Some instructions are considered privileged, and can be used only in Ring Zero. These instructions are typically used to alter the behavior of the CPU or to directly access hardware. For example, the following x86 instructions are allowed only in Ring Zero:

• cli stop interrupt processing (on the current CPU)

• sti start interrupt processing (on the current CPU)

• in read data from a hardware port

• out write data to a hardware port

There are many advantages to having a rootkit execute in Ring Zero. Such a rootkit can manipulate not only hardware, but also the environment in which other software operates. This is critical for employing stealth operations on the computer.

Now that we have discussed how the CPU enforces access controls, let's examine how the CPU keeps track of important data.