
Architecture for Improved System Integrity

IP.com Disclosure Number: IPCOM000085121D
Original Publication Date: 1976-Feb-01
Included in the Prior Art Database: 2005-Mar-02
Document File: 4 page(s) / 19K

Publishing Venue

IBM

Related People

Coleman, CD: AUTHOR (and 3 other contributors)

Abstract

A set of architectural extensions may substantially improve the integrity of a system running under a conventional operating system. Integrity is enhanced by locking the user into a high-level language program, whose execution-time actions are disciplined and restricted by the architectural extensions. Access by application programs, written in this high-level language, to a secure data base, can then be restricted to only legal data requests. The extensions use as reference the specific architecture of the IBM S/370 series, but they would apply with minor changes to analogous architectures.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 31% of the total text.

Page 1 of 4

Architecture for Improved System Integrity

A set of architectural extensions may substantially improve the integrity of a system running under a conventional operating system. Integrity is enhanced by locking the user into a high-level language program, whose execution-time actions are disciplined and restricted by the architectural extensions. Access by application programs, written in this high-level language, to a secure data base, can then be restricted to only legal data requests.

The extensions use as reference the specific architecture of the IBM S/370 series, but they would apply with minor changes to analogous architectures.

User processes or tasks must be prevented from executing certain instructions which will give them access to any data in the system, thus defeating the purpose of the storage (internal and external) protection mechanisms. This is the reason in the great majority of computers for having a two-state structure: a privileged mode of operation, where all instructions can be executed, and a problem mode, where execution is restricted to a subset of all the possible instructions.

System/370 is a two-state machine, whose states are called Supervisor and Problem. The state of a process is explicit in its Program Status Word (PSW). Transition from problem state to supervisor state is performed by issuing a supervisor call (SVC) instruction. Transition from supervisor state to problem state is done by a Load PSW (LPSW) instruction.

The extensions include introduction of a new state, called "application state" where user programs will execute. The present problem state becomes "system state", and programs executing in application state must make calls to system state to request system services.

A semisymmetrical scheme is used to change state: system call instructions move to states of higher privilege, and LPSW instructions move in the direction of lower privilege. Transitions between system and supervisor states are the same as before; only the transitions between system and application states are new. These new transitions can be performed using the current instructions, i.e., SVC and LPSW, but interpreting them differently according to the state from which they are issued. Identification of state is done through the PSW, which now contains a pair of bits to indicate the state in which the CPU is operating.

A fundamental aspect with respect to integrity and security in state transfers is the concept of protected entry points. Valid entry points must be established prior to any change from application to system state, load time probably being the most appropriate moment. They must be stored in a protected area of memory, and the software must specify them when task-switching.

Association of entry points with tasks requires a table containing a state transfer vector, that can be maintained by the software, in a way analogous to page tables. This table contains also a portion of the old PSW,...
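The three-state transition rules, the protected entry points and the per-task state transfer vector described above, modelled as an added Python example (this is not code from the disclosure; the two-bit state encoding, the class names and the representation of the transfer vector as a frozen set of entry addresses plus a saved PSW are assumptions of the model):

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, Optional

class State(IntEnum):
    """Assumed encoding of the two PSW state bits; higher = more privilege."""
    APPLICATION = 0
    SYSTEM = 1
    SUPERVISOR = 2

@dataclass
class PSW:
    state: State
    pc: int  # instruction address

@dataclass
class Task:
    """Per-task state transfer vector: entry points fixed at load time plus
    the portion of the old PSW saved on the last application->system call."""
    entry_points: FrozenSet[int]
    saved_psw: Optional[PSW] = None

class IntegrityViolation(Exception):
    pass

class Machine:
    def __init__(self, task: Task, start_pc: int = 0) -> None:
        self.task = task
        self.psw = PSW(State.APPLICATION, start_pc)

    def svc(self, target: int) -> PSW:
        """SVC goes only towards higher privilege; from application state the
        target must be one of the task's protected entry points."""
        if self.psw.state is State.APPLICATION:
            if target not in self.task.entry_points:
                raise IntegrityViolation(f"{target:#x} is not a protected entry point")
            self.task.saved_psw = PSW(self.psw.state, self.psw.pc)
            self.psw = PSW(State.SYSTEM, target)
        elif self.psw.state is State.SYSTEM:
            self.psw = PSW(State.SUPERVISOR, target)  # unchanged S/370 path
        else:
            raise IntegrityViolation("no state above supervisor")
        return self.psw

    def lpsw(self, new: PSW) -> PSW:
        """LPSW goes only towards lower privilege and is refused in application
        state, so user code can never raise its own privilege."""
        if self.psw.state is State.APPLICATION or new.state >= self.psw.state:
            raise IntegrityViolation(f"illegal LPSW {self.psw.state.name}->{new.state.name}")
        self.psw = new
        return self.psw
```

The model ignores instruction length and the SVC interrupt code; what it checks is that a user program can reach system state only through a registered entry point and can never lower the privilege barrier itself.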