Claims

What is claimed is:
1. An electronic computing system having a hierarchical security mechanism
incorporated therein, said system including a memory for storing both
instructions and data, an instruction execution unit for extracting series
of instructions from the memory and executing same, and a processing unit
for performing the data operations required by said instructions, said
hierarchical security mechanism being dynamically actuable by application
programs and including
means actuable by an application programmer for assigning a hierarchical
protection level for each program instruction sequence included in an
overall running program, wherein successive hierarchical protection levels
have successively reduced privilege to access storage locations in said
memory,
means for assigning a unique protection field to each such instruction
sequence,
means for storing the particular protection field assigned to each
instruction sequence in every storage location in said memory to which it
is intended that access by said instruction sequence is to be permitted,
and
means actuable during the running of a program for ascertaining that the
protection field of each memory access matches the protection field of the
instruction sequence which initiated said access, which comprises means
for comparing the protection field of a requesting instruction with the
stored protection field of the accessed location in memory and predicating
access on a successful comparison, said comparison being a function of the
hierarchical protection level of the requesting instruction.
2. A hierarchical security mechanism as set forth in claim 1, including
means for detecting the magnitude of the hierarchical protection level
assigned to each instruction sequence and means for examining a portion of
the protection field whose size is directly dependent on such hierarchical
protection level magnitude and means for causing a security violation
indication if the required degree of protection field matching does not
occur.
3. A hierarchical security mechanism as set forth in claim 2, including
means for requiring that any application instruction sequence subjected by
it to security validation requirements, cannot under any circumstances
invoke any sub-application instruction sequence not subject to precisely
the same security validation requirements as the calling sequence, but can
nevertheless impose upon such sub-application instruction sequence
additional security validation requirements.
4. A hierarchical security mechanism as set forth in claim 2, including
means for specifying that a given instruction sequence is to branch to
another instruction sequence or sub-application including means for
automatically assigning a lower hierarchical protection level to the
sub-application than the originating instruction sequence, and means for
assuring that the protection field for the sub-application matches that of
the calling instruction sequence and further requires that any memory
access must match an additional portion of the protection field as
specified by the hierarchical protection level indicator for that
sub-application.
5. A hierarchical security mechanism as set forth in claim 4, including
means for allowing a plurality of sub-application instruction sequences to
be called within a single instruction stream including means for always
assigning a lower hierarchical protection level to each sub-application
than the calling instruction sequence and means for providing that, at
termination of the sub-application instruction sequence, the system
returns to the specific location in the original instruction stream where
the sub-application sequence began.
6. A hierarchical security mechanism as set forth in claim 5, including
means operable when a sub-application sequence request is detected to
automatically store the hierarchical protection level for the calling
instruction sequence and also store the precise location in memory where
the next instruction of the original calling instruction sequence may be
obtained upon termination of the called sub-application instruction
sequence.
7. A hierarchical security mechanism as set forth in claim 6, including
means operable when a sub-application sequence request is detected to
automatically store the protection field for the calling instruction
sequence whereby said protection field of the original calling instruction
sequence may be obtained upon termination of the called sub-application
instruction sequence.
8. A hierarchical security mechanism as set forth in claim 7, wherein said
means for storing the protection field for the calling instruction
sequence comprises a plurality of linking registers forming a link stack
wherein each register contains a storage location for 1) a hierarchical
protection level indicator, 2) a branch-back address and 3) a protection
field and means for assigning such a register to each predetermined
security level within said hierarchical security mechanism, and further
including means to return to the branch-back address contained in one
register of said link stack pointed to by another register in said link
stack when a given sub-application instruction sequence is completed.
9. A hierarchical security mechanism as set forth in claim 8, including a
separate linking register in said link stack for each of the permitted
levels of the security hierarchy and means for determining the
hierarchical protection level field for any particular instruction
sequence to automatically indicate the member of the link stack into which
specific linking information is to be stored when it is required to link
to that sub-application instruction sequence.
10. A hierarchical security mechanism as set forth in claim 9, including
means operable when said computing system is operating in a
multiprogramming mode to store the entire contents of the link stack at a
predetermined location in memory whenever the time slot for a particular
program running on the system terminates, or the said program is for any
other reason interrupted, and means for recovering said entire link stack
information from memory and restoring same to the linking registers
whenever a time slot for said particular program is again allocated.
11. A hierarchical security mechanism as set forth in claim 9, including
means for reserving the highest protection level to the operating system
of the computing system, and means for utilizing the linking register
location for said highest protection level as the working storage register
for the hierarchical protection level indicator and the protection field
against which all memory fetches must be checked.
12. A hierarchical security mechanism as set forth in claim 11, including
means for preventing a sub-application program from returning to a
hierarchical protection level of equal or less privilege than the level of
the sub-application program from whence said return is being effected.
13. A hierarchical security mechanism as set forth in claim 12, including
means for detecting that at least two sub-application programs are being
specified by a given calling program at the same hierarchical level and
means for assigning protection fields to each of said sub-application
programs of said same hierarchical protection level whereby the memory
space of each sub-application program will be protected from the other.
14. In an electronic computing system wherein said system includes a main
memory for storing both instruction and data, an instruction execution
unit for accessing and executing instructions from said main memory, an
arithmetic and logic unit, and input/output devices selectively
connectable to said system, wherein said system utilizes a data word
format having a width including at least n bits which may be selectively
utilized for security control purposes, the improvement which
comprises a hierarchical security mechanism for controlling all memory
accesses in said system, said mechanism including means for accessing an
assigned predetermined hierarchical protection level and protection field
for an instruction sequence currently running on the system wherein
successive hierarchical protection levels have successively reduced
privilege to access storage locations in said memory,
means for accessing the protection level and protection field assigned to a
called instruction sequence, means for checking the protection level and
protection field of said called instruction sequence to determine if 1)
the called protection level is less than the calling protection level and
2) a specified portion of the two protection fields match before the
called instruction sequence can proceed and means for producing a security
violation if either the protection level or protection field do not match.
15. A hierarchical security mechanism as set forth in claim 14, including
means for selectively assigning as many hierarchical security levels to
instruction sequences to be run on said system as there are security
control bits in the said protection field.
16. A hierarchical security mechanism as set forth in claim 15, including a
hierarchical security mechanism link stack wherein said stack includes a
plurality of linking registers wherein each linking register is dedicated
to a particular hierarchical protection level and means for storing in
each such register in a specified field, thereof, the level from which a
particular running instruction sequence branched, the previously
designated protection field for the calling instruction sequence, and the
address in memory at which the next instruction in said calling
instruction sequence is located.
17. A hierarchical security mechanism as set forth in claim 16, wherein the
linking register for the highest protection level within said system is
dedicated for use as a storage mechanism for the protection level and
protection field of the instruction sequence currently running in the
system, and means for comparing the contents of this register against the
protection field of any memory access made to the main memory.
18. A hierarchical security mechanism as set forth in claim 17, including
means for inserting a specified binary protection field in said highest
level register of said link stack whenever a new instruction sequence
begins to run on the system, said protection field being that of said new
instruction sequence.
19. A hierarchical security mechanism as set forth in claim 18, including
means operable to access a predetermined number of words in said main
memory at an address specified by the operating system and inserting the
protection field currently stored in said highest level register of said
link stack in the security control bit field of such specific word in said
memory.
20. A hierarchical security mechanism as set forth in claim 19, including
means for allowing a programmer to request a particular security level and
protection field from the operating system and for causing the operating
system to assign said requested protection level and protection field to a
particular instruction sequence and means for storing said protection
level in the level and protection fields of said highest level register in
said link stack and means for storing said protection level and protection
field information in memory at an address specified by the operating
system to become a necessary part of the instruction sequence for a
particular program.
21. A hierarchical security mechanism as set forth in claim 20, including
means for initiating a sub-application instruction sequence request by a
calling instruction sequence including means for accessing the protection
level of the sub-application instruction sequence, means for comparing
said protection level with the level of the calling instruction sequence,
means for producing a security violation if the protection level of the
sub-application instruction sequence is equal to or greater than the
protection level of the calling instruction sequence, means for continuing
with the branch instruction if the protection level of the sub-application
sequence is less than the level of the calling instruction sequence, means
for accessing the register of said link stack to which said
sub-application protection level points, means for storing the protection
level of the calling instruction sequence in the level field of said
register, and means for storing the branch-back address and the protection
field of the calling instruction sequence in said specified register of
said link stack.
22. A hierarchical security mechanism as set forth in claim 21, including
means actuable upon the termination of a sub-application instruction
sequence to access the particular link stack register to which the level
indicator for the currently running sub-application instruction sequence
points, means for comparing the current protection level indication with
the protection level indication in said pointed to link stack register and
providing an interrupt if said called protection level is equal to or less
than the protection level of the currently running sub-application
instruction sequence, and means operable upon an indication that the level
stored is larger than the current protection level to branch back to the
calling instruction sequence at the branch-back address stored in said
link stack, and for storing the security level and protection field also
stored in said pointed-to link stack register in the level and protection
fields of said highest level register of said link stack.
23. A hierarchical security mechanism as set forth in claim 22, including
means operable whenever a system interrupt occurs to load the entire
contents of said link stack into main memory at a predetermined address
and further means for recalling said entire link stack and reloading same
into said linking registers when said particular instruction sequence
which was interrupted is returned to by the system for execution.

Description

BACKGROUND OF THE INVENTION
There is an ever increasing need in the data handling industry for data
privacy and/or security. This industry includes in a larger sense the
communications industry, as well as the actual electronic data processing
industry including, of course, large scale computers. In the
communications field, data being transmitted via radio communication or
telephone lines is susceptible to interception, and to alteration or
appropriation by an unauthorized user for some improper purpose. Various
cryptographic systems have been offered to reduce, eliminate or somewhat
control this vulnerability of data to an unauthorized user or penetrator.
In the field of electronic computers the unauthorized access of data is a
far more complicated problem. The problem becomes even more complex in a
large, modern, sophisticated time sharing computer system utilizing a
plurality of remote access terminals any one of which has access to the
central computer facilities including computational capabilities as well
as all the memories containing data, programs, etc. In such systems data
or programs may be obtained in an unauthorized fashion by accessing
various storage devices within the system such as memories or intercepting
messages being transmitted between terminals or between terminals and the
host of a remote access computer network.
The problem becomes still more complicated when provisions are made for one
program to call another program to perform tasks for it. Offsetting the
advantages of having such a versatile structure are the disadvantages of
sometimes inadvertently making data and/or programs of the calling program
accessible to the called program and/or any operators who may be using
such called program. This is an undesirable feature for many reasons. For
example, the higher level or calling program may have data stored in its
own memory locations which is considered of a highly confidential nature,
which should have only extremely limited dissemination paths. Thus, if
such confidential data of a higher level program were somehow made
available to the lower-level program, such confidentiality would be
seriously compromised. As a further example, someone wishing to commit
some sort of fraud or simply to cause problems for an employer, for
example, might obtain access to some highly confidential programs or data
and deliberately cause them to malfunction or be destroyed with a
resulting great financial loss. In any event, coupled with the desire to
have the flexibility of allowing one program to call other programs
resident within a system, is the considerable problem of maintaining the
relative security of the program and especially the security of the
higher-level or invoking program.
Current privacy laws also place an increasingly greater burden upon the
computer manufacturer and user to guard the privacy of the data of
individuals or businesses from unauthorized penetration and use. Such
unauthorized access to the computer can have ramifications too numerous to
mention, going from the mere access of the confidential business or
personal data as outlined above by someone who has no real need to know
this information, to the unauthorized access of bank or payroll records
which in an exaggerated case could cause money to be improperly dispensed
and/or incorrectly credited to the wrong person's account, resulting in
great potential financial losses.
Among the many schemes proposed in the past for preventing unauthorized
access to computer facilities is the security password interrupt. In a
conventional multi-programmed, time-shared computer system as is commonly
in use today, given users are assigned areas of memory to which they are
allowed access, and they are further given special identifier keys or
`passwords` which are used to request that a range of memory addresses be
made accessible to that particular user. In normal operations, if the user
attempts incorrectly to access a portion of memory not assigned him the
system will cause a `security` interrupt. For this form of protection, the
operating system architecture assumes that a program attempting
incorrectly to access a portion of memory, would be operating in the
"problem" or non-privileged state. When in the supervisory or privileged
state the system, in normal usage, would be allowed access to any portion
of the computer for any purpose, including modification of the operating
system itself. Hardware systems have been suggested in the past for
controlling the inadvertent or deliberate attempt to gain unauthorized
access to such supervisory state. An example of such a hardware attempt to
prevent unauthorized supervisory state penetration is co-pending
application Ser. No. 701,058 filed June 30, 1976 of C. R. Attanasio
entitled, "Location Dependence for Assuring the Security of System-Control
Operations."
The present invention is not directed towards the specific problem of
preventing inadvertent access to supervisory state as a means of improving
computer security, but deals with the more generalized problems of
providing the flexibility within a system to allow a given program to
readily call other programs to perform tasks for the originating program,
while at the same time maintaining the security or privacy of data of the
originating program which it does not desire to expose to the called
program. For such a mechanism to be feasible and practical in a system
environment it must be relatively easy to use, such that the functions are
easily accessible and the protection required must be automatic or
inherent in the system. It is further necessary that such a system in
order to be acceptable to the industry must maintain the basic concept of
the protection field or masks.
SUMMARY AND OBJECTS OF THE INVENTION
It has now been found that a greatly improved program and data-integrity
system may be realized in more or less conventional CPU architecture, by
utilizing the concept of hierarchical security levels. A given program's
security level determines how much of its assigned protection field must
match the protection criteria established by the system for that program.
Thus, the protection level for the program establishes a window having a
level-determined width through which the protection field is examined for
security check purposes.
It is accordingly a primary object of the present invention to provide a
hierarchical security mechanism which allows an object programmer to
establish quite arbitrarily a security level for the primary program as
well as any sub-applications or called programs.
It is also an object of the present invention to provide such a security
mechanism which a supervisory-state application may switch off as desired.
It is another object to provide such a security mechanism which utilizes
the protection field `password` concept in determining successful security
checks.
It is still another object of the invention to provide such a security
mechanism wherein the programmer may keep the originating program and any
and all called programs completely secure with respect to each other.
It is a still further object to provide such a security mechanism wherein
the calling program is always secure from any penetration by a called
program.
It is another object of the invention to provide such a security mechanism
in a modular, or hierarchical, fashion such that whenever a program at any
security level calls a lower-level program, the security checks to which
memory accesses of the called program will be subjected must always
include those which are applied to the calling program.
It is a further object of the invention to provide such a security
mechanism wherein programs of any security level other than the lowest
level may in turn specify and call other programs at a lower level and
maintain complete security with respect thereto.
It is yet another object to provide such a system having the high security
inherent with supervisor-assigned protection codes but at the same time
having the facility of easily setting up an equally secure hierarchy for a
running program.
It is a further object to provide such a security mechanism which is
readily adaptable to existing computer architecture and data formats.
It is yet another object to provide such a system which is readily
adaptable to a multi-programming environment.
It is a still further object to provide such a system which is readily
adaptable to straightforward and available hardware implementation.
Other objects, features and advantages of the invention will be apparent
from the following description of the preferred embodiment of the
invention as set forth in the drawings and claims.
DESCRIPTION OF THE DRAWINGS
FIG. 1 is a functional block diagram of the herein-disclosed Hierarchical
Security Mechanism.
FIG. 2 comprises an organizational diagram for FIGS. 2A through 2F. FIGS.
2A through 2F comprise a combination logical schematic and functional
block diagram, illustrating the structure of a preferred embodiment of the
present system.
FIG. 3 comprises an organizational diagram for FIGS. 3A through 3D.
FIGS. 3A through 3D comprise a combinational logical schematic and
functional block diagram of the Link Stack block shown on FIG. 2C.
FIG. 4 is a logical schematic diagram of the Protection Logic shown at the
bottom of FIG. 2C.
FIG. 5 is a logical schematic drawing of the Insert Protection Logic which
is shown at the bottom of FIG. 2D.
FIG. 6 comprises an organizational diagram for FIGS. 6A through 6B.
FIGS. 6A and 6B show the instruction formats for the eight (8) unique
instructions required by the operation of the system.
GENERAL DESCRIPTION OF THE DISCLOSED EMBODIMENT
The objects of the present invention are accomplished in general by a
computing system having a hierarchical security mechanism included therein
which permits programs running at given hierarchical levels to call
sub-applications at lower levels, including means for preventing any
program running at any given level from ever calling a sub-application at
a level equal to or higher than its own. Means are included in the system
for automatically allowing a program to progress from a higher-level
software application to a lower level and allow the sub-application to
return back to the originating higher-level application which called same.
The system includes means for assigning a protection field or password of a
given maximum length to any program running on the system and further
includes means for assigning a hierarchical security level to each
program, which level determines how much of a particular protection field
will be examined in order to satisfy the security requirements of the
system. Stated differently, the hierarchical level of the program
determines the size of the window or number of bits of the protection
field to be examined upon each memory access. The system includes the
necessary controls and hardware for allowing for a multiple set of
sub-application programs to occur in a given program, wherein each new
sub-application will run at a lower level than the one which called same.
Level checking means are specifically provided so that at the end of a
particular sub-application when the system is to return to the originating
spot in the job instruction stream both a hierarchical level check and a
protection field check is made to ascertain that the sub-application does
in fact return to the proper link-back point in the overall instruction
stream.
The system further includes a unique set of storage registers for storing
linking information for each of the hierarchical levels allowable in the
security mechanism, whereby a complete linking list is kept to permit the
system to sequentially link to lower levels and successively return back
to the higher levels from which the given sub-application originated.
A further feature of the system includes hardware and instruction sequences
for permitting the entire contents of the special storage registers to be
stored en masse in back-up storage whenever a problem is running on a
multiprogramming machine and the time slot for the particular problem or
program has terminated, or a higher-priority task intervenes. Further
means are provided for recalling all of the required linking data from
memory and returning it to the special linking storage registers when a
time slot for the program is again made available to the system.
The herein-disclosed hierarchical security mechanism is disclosed in detail
in FIGS. 2A through 2F. FIG. 1 discloses the major functional components
of the system. Referring to FIG. 1 it will be clearly understood that the
control of the present embodiment centers around the CPU Instruction Unit
and the Memory. As any instruction is accessed from memory and placed in
the instruction unit or stored in memory, or conversely when any data
operation occurs in memory certain security checks are necessary. The
first and most basic is the conventional security password check which
determines whether a particular memory storage or fetch operation meets
the protection field or password requirements for the currently running
program. This security check is basically conventional, however, the
difference in the present system over conventional protection checks or
keys is that only as much of the protection field as necessary for the
currently running program is looked at. The amount looked at is contingent
upon the current security level. As will be apparent from subsequent
description, the higher the security level (the lower the number n) the
smaller the protection field or window which is looked at, and the
greater the privilege of the program.
While the just-described feature is absolutely necessary for any such
security mechanism to work, the more unique feature of the present
invention is the portion which allows the setting up of the various
hierarchical security levels and providing for the automatic storage of
the hierarchical security information with each sub-application in memory,
and for providing the mechanism which allows the protection portion of the
instruction unit to permit branches from one sub-application to another at
the user's option so long as certain security requirements are met.
As stated previously the most basic operating concept of the present
invention is that any given program which has a given security level
assigned to it by the operating system, which assignment is purely within
the control of the password portion of the program which is resident in
the operating system, can in turn call a sub-application which must by
definition be given a lower hierarchical security level. In addition, this
mechanism must obtain and keep track of the new protection field which
must be assigned to the particular sub-application and which must also
satisfy the protection field requirements of the calling program. The
basic block which performs this function is the Insert Protection Logic
Block shown on FIG. 1 and also on FIGS. 2D and 5. It should of course be
noted that this is a great over simplification of the function, as the
actual data which is sent to this particular block comes from many places
in the system, under control of the specific `insert protection`
instructions and circuitry shown on FIGS. 2E and 2F.
The block on FIG. 1 labeled Protection Logic performs the various
protection field comparison functions under control of the current
hierarchical level requirement for the particular running program. In
other words, the protection field which a particular memory operation must
match, i.e., the protection criteria, comes into the top of FIG. 4 on
cable 108 and the protection field of the memory location being accessed
is brought in on cable 170 at the top of FIG. 4. Simultaneously the
particular hierarchical security level information comes in on one of the
eight lines designated by the reference number 185 at the left of FIG. 4,
which information comes from the protection field over the cable 130 and
out of the decoder at the bottom left-hand portion of FIG. 2C. An output
on line 106 from the Protection Logic Block indicates whether or not the
proper protection field is present. In the event that it is not, a
security violation interrupt will occur.
The final major functional block shown on FIG. 1 is the Link Stack which
together with its associated control circuitry and functional units shown
both on FIGS. 2C and 2D perform the heart of the control functions
permitting the operation of the present hierarchical security mechanism.
It is the link stack which is shown in detail on FIGS. 3A through 3D which
allows a given running program to call up to eight hierarchical security
levels within a given program stream (at one time) while maintaining
complete memory security for all jobs at any level to which a given
running program should not have access. The link stack serves as the
mechanism for saving the link return addresses as well as assuring that
the integrity of the security hierarchy control is maintained.
Having generally described the overall objects and features of the
invention together with the just preceding general description of the main
components of the operational hardware, there will follow a more detailed
description of the operating philosophy followed by a description of eight
novel instructions necessary to the operation of the present embodiment.
It is the use of these special purpose instructions by the programmer
running the system which allows the present hierarchical security
mechanism to function properly as will be understood by those skilled in
the art. While the particular instruction format and functions have been
chosen to be the most direct method of accomplishing the objects of the
present invention, it will be understood that many changes could be made
by those skilled in the art without changing the basic function and
concepts of the present hierarchical security mechanism.
The present invention permits selective access to sensitive data, by
requiring that a clearance validation be passed for each access to memory.
In contrast to other memory protection mechanisms, this invention enables
the fineness of control to be as small as the fetch width of the storage
medium. In previous protection mechanisms, a large memory block, usually
consisting of 1000 bytes or more, is controlled as a unit: either all words
of the block are accessible or none are. In addition, an application,
constrained to certain areas of memory can itself control sub-applications
and use the same protection mechanism to constrain a sub-application's
ability to access the main application's memory. Hence, a hierarchy of
access controls can be established.
To a very minor degree, a two-level hierarchy exists on today's hardware
with respect to parity and/or ECC-bits. In "diagnostic-state" (available
only to hardware maintenance engineers), the parity (or ECC) bits are
accessible for reading and writing. In "non-diagnostic" states, these bits
are not under program control, but if the hardware detects an incorrectly
set parity or ECC bit, an error exception occurs.
For example, a "word" in an IBM Model 168 memory consists of 72 bits -- 64
data bits and 8 ECC bits; a "word" or byte on tape or in an IBM Model 20
memory consists of 9 bits -- 8 data bits and a parity bit.
Additional non-data bits (called a protection field) are included with each
storage word, and a hierarchy of control states is utilized. Non-negative
integers (levels) are assigned to the control states, and a special
register (level register) is provided to indicate the level at which the
program controlling the CPU is running. For a program running at level n,
all but the leading n bits of the protection field are accessible to the
program for writing (for protection code purposes). The leading n bits of
the protection field must agree with the leading n bits of a protection
register for a memory access to be valid. Thus level 0 is the most
privileged, since 0 bits are checked, and all protection bits may be
modified. In addition, all bits except the leading n bits of the
protection register may be modified by a program running at level n.
If the level register is k bits long, then 2^k control levels are
possible, and the protection fields and protection register can be up to
2^k - 1 bits long. As many as 2^k - 1 different protection field
patterns are possible. A program running at level n can distinguish
between as many as 2^(m-n) subprograms running at level m, where
m ≤ k.
A program running at level n may initiate a subprogram at level m, provided
that m>n. Before doing so, it sets bits n through m-1 of the protection
field at each memory word to match that pattern in all words in which that
subprogram is to have access. Other data words would have a different
pattern in those protection field bits. If a subprogram at level m
attempts to access a word for which the leading m protection field bits do
not match the leading m bits of the protection register, a security
violation occurs.
A subprogram at level m cannot return control in an arbitrary fashion to
level l, with l < m. A standardized linking mechanism is provided, which
ensures that when a subprogram at level m relinquishes control to a higher
level, control returns to the program which initiated the given
terminating subprogram, at the same level as that which the initiating
program had when it gave control to the lower-level subprogram.
The control hierarchy may be viewed as presenting different size windows
through which memory words can be seen. At the higher levels, (smaller
values of n) the view is wider. The unseen bits determine whether access
to a given word should be permitted at all.
The above concepts are made more concrete by describing an extension of the
IBM System/370 which would easily accommodate the present security control
hierarchy.
To avoid using more memory space than is used at present (there is 1
"redundancy bit" for every 8 data bits, or 8 "ECC bits" for every 64 data
bits in a 72-bit word), and so as still to have space for a protection
field, a memory organization is assumed in the present embodiment which
uses a bandwidth of 144 bits, of which 128 are data bits. (This retains
the 8/9 fraction of data bits which the IBM System/370 currently uses.)
Now, ECC for a 144-bit word requires only 9 bits (Peterson, "Error
Correcting Codes," MIT Press, 1961), thus leaving a 7-bit protection field
for the security control hierarchy.
In addition to the 144-bit word, the following is required: There is a link
stack consisting of eight registers, corresponding to integers 0-7. Each
link stack register consists of two fields: a level field (3 bits) and an
address field (24 bits).
Link stack register 0, however, is treated differently:
(a) the level field is "hard-wired" to 000.
(b) the low order 7 bits of the address field of link stack register 0 are
treated as the 7-bit protection register.
(c) bits 5,6, and 7 of the address field of link stack register 0 are
treated as the 3-bit level register.
A description follows of a set of eight instructions to be added to the
operation repertoire of the computer to facilitate the manipulation of
these registers in order to realize the control hierarchy.
It is emphasized that the control hierarchy is designed to give an
application running in problem state the ability to control its storage.
Thus, most of the instructions are available in problem state. A small
number of additional instructions are needed so that an operating system
can switch use of the control hierarchy from one user program to another
user program.
Note that the checking of the protection bits on data fetch takes place
only in problem state. If the level register contains the integer n, where
0 ≤ n ≤ 7, then the leading n bits of the protection field
of a data word must match the leading n bits of the protection register.
On store operations, the leading n protection bits of the target of the
store must match the leading n bits of the protection register for the
store to be valid.
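A software model of the fetch/store check and of the rule that a level-n program may rewrite only the trailing bits of a protection field or of the protection register, covering the level-n to level-m delegation described in the preceding paragraphs. It is added here and is not the patent's hardware or any IBM code; the bit numbering (bit 0 is the leading bit) and the two-subprogram scenario in `demo()` are assumptions.

```python
FIELD_BITS = 7   # 7-bit protection field per 144-bit memory word (from the text)
MAX_LEVEL = 7    # 3-bit level register: levels 0..7, level 0 most privileged
FIELD_MASK = (1 << FIELD_BITS) - 1

def leading(value: int, n: int) -> int:
    """Leading n bits of a 7-bit value (assumption: bit 0 is the leading bit)."""
    return value >> (FIELD_BITS - n)

def access_valid(level: int, prot_reg: int, field: int, supervisor: bool = False) -> bool:
    """Fetch/store check: in problem state the leading n bits of the word's
    protection field must equal the leading n bits of the protection register."""
    if supervisor:                      # protection bits are checked only in problem state
        return True
    return leading(field, level) == leading(prot_reg, level)

def overwrite_unprotected(level: int, old: int, new: int) -> int:
    """A level-n program may rewrite all but the leading n bits of a protection
    field (Store Protection) or of the protection register; the leading n bits stay."""
    keep = (FIELD_MASK << (FIELD_BITS - level)) & FIELD_MASK
    return (old & keep) | (new & ~keep & FIELD_MASK)

def subprogram_register(n: int, m: int, prot_reg: int, pattern: int) -> int:
    """Register a level-n program hands to one of its 2**(m-n) level-m subprograms:
    bits n..m-1 are set to `pattern`, which names that subprogram."""
    assert n < m <= MAX_LEVEL and 0 <= pattern < (1 << (m - n))
    shift = FIELD_BITS - m
    mask = ((1 << (m - n)) - 1) << shift
    return overwrite_unprotected(n, prot_reg, (prot_reg & ~mask) | (pattern << shift))

def demo() -> dict:
    """Constructed scenario: a main program at level 2 splits four memory words
    between two level-4 subprograms, A (pattern 01) and B (pattern 10)."""
    main_reg = 0b1100000                           # leading 2 bits fixed by the supervisor
    memory = {addr: 0b1100000 for addr in range(4)}  # every word visible to main
    reg_a = subprogram_register(2, 4, main_reg, 0b01)
    reg_b = subprogram_register(2, 4, main_reg, 0b10)
    for addr in (0, 1):                            # store A's pattern into A's words
        memory[addr] = overwrite_unprotected(2, memory[addr], reg_a)
    for addr in (2, 3):                            # and B's pattern into B's words
        memory[addr] = overwrite_unprotected(2, memory[addr], reg_b)
    # A, running at level 4, cannot widen its window: leading 4 register bits are kept
    tampered = overwrite_unprotected(4, reg_a, reg_b)
    return {
        "a_sees_own": access_valid(4, reg_a, memory[0]),
        "a_sees_b": access_valid(4, reg_a, memory[2]),
        "main_sees_all": all(access_valid(2, main_reg, f) for f in memory.values()),
        "tamper_sees_b": access_valid(4, tampered, memory[2]),
    }
```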
GENERAL DESCRIPTION OF THE EIGHT SPECIAL INSTRUCTIONS
As stated previously, the special hardware of the present hierarchical
security mechanism as set forth in FIGS. 2A through 2F, 3A through 3D, 4
and 5 operates automatically when a particular program is running in
problem state. During such normal problem-state running the protection
field of any and all memory operations is automatically checked in much
the same way as in any conventional password-type security system. A
significant exception of course is that, depending upon the particular
level at which a particular program is running, a greater or lesser number
of protection bits will be checked by the system.
It is the original writing and entering of the program or set of
hierarchical programs onto the system that requires the use of the special
purpose instructions which set up the necessary security data and specify
the operations required to activate the present hierarchical security
mechanism.
It will be apparent from the following description that some of the
instructions are available only to the supervisor, i.e., during supervisor
state, and that other instructions are available in both supervisory and
problem state. One instruction has somewhat different effects in the two
states.
It will of course be obvious to those skilled in the art that those
instructions available only during supervisor state form part of the
privileged set of operating instructions of the system which are not
available to the problem programmer and that to make the same available
would in all probability allow such problem programmer to bypass the
present security mechanism.
It will further be noted in the following specific description of the
operation of the hardware that the present security mechanism comprises
eight separate subsystems or hardware sequences which correspond exactly
to these eight special instructions. Similarly the operation sequence
charts, appearing subsequently in the specification, set forth the
sequence of hardware operations which occurs when any of the eight special
purpose instructions is encountered in the instruction decoder. A typical
sequence of operation of the system utilizing the instructions is included
in the example which will follow subsequently.
The order in which the instructions are described corresponds to their
order on FIGS. 6A and 6B, but does not necessarily correspond to their
invocation in a particular sequence of operations of the system. The
following description of the instructions is functional in nature, in that
it describes in functional format what happens in the system. For a
detailed step-by-step operational description of the hardware, reference
should be made to the subsequent detailed description of the operations
and the operational sequence chart.
#1. STORE PROTECTION IN MEMORY
This instruction specifies that beginning at the 16-byte word specified by
the field of the instruction entitled "Address in Memory", and for as many
immediately subsequent 16-byte words as are specified by the field
indicated as "Number of Words," the following operations occur. If the
leading n bits of the protection field and protection register match
(where n is the contents of the level register if in problem state, or 0
if in supervisor state) then the protection field in memory is replaced by
the contents of the protection register. No special test is made for this
match, as the appropriate test is precisely the one applied to