Browse Prior Art Database

Use of Process-Scoped Address Translation for Access Control

IP.com Disclosure Number: IPCOM000111132D
Original Publication Date: 1994-Feb-01
Included in the Prior Art Database: 2005-Mar-26
Document File: 2 page(s) / 70K

Publishing Venue

IBM

Related People

Corrigan, MJ: AUTHOR [+5]

Abstract

A method is disclosed for supporting access control (such as that defined by the Department of Defense (DoD) C2 and B1 criteria) on a processor that supports both process local storage addressing and direct addressing. Direct addressing refers to the ability to address shared, persistent memory using addresses which are the same for all processes for the lifetime of the direct segments (as opposed to having each process map to the shared memory with a different address, which would only be valid for the lifetime of the process). Direct addressing is used in the AS/400*.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 52% of the total text.

Use of Process-Scoped Address Translation for Access Control

      A method is disclosed for supporting access control (such as
that defined by the Department of Defense (DoD) C2 and B1 criteria)
on a processor that supports both process local storage addressing
and direct addressing.  Direct addressing refers to the ability to
address shared, persistent memory using addresses which are the same
for all processes for the lifetime of the direct segments (as opposed
to having each process map to the shared memory with a different
address, which would only be valid for the lifetime of the process).
Direct addressing is used in the AS/400*.

      To support access control efficiently with direct addressing,
when running user code direct address translations will go through a
process local segment table.  This can be the same table which is
used for address translation of process local addresses.  The details
of such tables vary (and are beyond the scope of this disclosure),
but may include a hardware lookaside buffer, a fixed number of table
entries supported in hardware, and support for more table entries in
software.  When translating a direct address, if a matching entry is
not found in the process local segment table, an interrupt occurs and
a software interrupt handler is invoked.  This interrupt handler can
do whatever access control or auditing is necessary (e.g., mandatory
access control can be enforced by looking at the user, the data
referenced, and whether the reference is a l...