CA1181180A - Computer system key and lock protection mechanism - Google Patents

Computer system key and lock protection mechanism

Info

Publication number
CA1181180A
Authority
CA
Canada
Prior art keywords
key
value
lock
segment
memory
Legal status
Expired
Application number
CA000415041A
Other languages
French (fr)
Inventor
Richard J. Chueh
Current Assignee
Control Data Corp
Original Assignee
Control Data Corp

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00: Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14: Protection against unauthorised use of memory or access to memory
    • G06F12/1458: Protection against unauthorised use of memory or access to memory by checking the subject access rights
    • G06F12/1466: Key-lock mechanism
    • G06F12/1475: Key-lock mechanism in a virtual system, e.g. with translation means

Abstract

ABSTRACT OF THE DISCLOSURE
A computer virtual memory system key-lock mechanism providing for a variety of key-lock tests and key changes depending on the type of instruction involved. This key-lock mechanism provides the opportunity for users to share use of programs and data in conjunction with the keys and locks assigned to individual users by the facility manager. The mechanism prevents unauthorized access to data and programs simultaneously present within the computer. The invention is mechanized by use of tables which record the keys and locks associated with each segment of data or code. Hardware tests each data or code segment access for compatibility between the keys and locks and causes the memory reference to be rejected if disagreement exists. The keys and locks are short digit sequences associated with the user and referenced segments.

Description

This invention relates to a computer virtual memory system key-lock mechanism.
In modern, large scale computer installations, it is typical that users will alternately receive processing of portions of their project for short periods of time. For example, a single computer servicing many video terminals will skip from terminal to terminal on a demand basis. It is therefore inefficient to remove the code and data for all but the current user from the machine. In addition, not infrequently several users will be sharing certain code or data. In the video terminal example, the users may all be setting type or may be interacting with a single educational program. Or, all programmers in a computer installation may be using at times one or more of the compiling programs available. If a data base has been created, all users may have access to at least portions of this data base, and thus it will never be removed from the system. Even very large data bases and programs can be held constantly within the computer's memory through the use of virtual addressing.
Through the use of virtual addressing, literally the entire mass storage of the installation is made available to each individual user on a demand basis. The requirements of users of large computer installations are typically substantially less than the entire capabilities of the installation. Therefore, each user's private code and data are always present in the system and theoretically available to other users.
In most situations, this is not a desirable condition. The users may be direct competitors of each other in a service bureau environment. Some users may dishonestly wish to gain access to other users' information. Individual users may have untested code which can unintentionally destroy other users' information. Some users may have classified information in the system which must not be available to users without the requisite classification level and need to know. There is, therefore, substantial motivation for providing computational facilities which can provide service to large numbers of users and at the same time isolate each user from all others.
An additional complication is the situation where a plurality of users will be sharing the same code. That is, at different times in the processing duties of the machine, different users will be executing the identical code with, perhaps, different data. The compiler is one example where each user's input data has different source code, and each user's object code forms the output.
Digital keys and locks are being used as at least a partial solution to these problems. A digital key is simply a unique sequence of bits assigned to a particular user or program. A lock is a similar sequence of bits assigned to a resource of the computing system. This resource may be a peripheral device, data tables, program code or memory area within the central processor. Before access to a particular resource is permitted, the key assigned to the requesting user is compared with the lock assigned to the resource, and if unequal the requesting user is denied use of the requested resource. The central processor contains hardware and/or software which prevents any user from subverting the key-lock testing process by, for example, altering a key or lock or by disabling the testing process.
United States Patent No. 3,938,100 explains the basics of lock and key implementation. This patent teaches the use of a register which contains several keys, and a page table (which corresponds approximately to the segment tables of this description) containing a lock value for each active page in the memory. A memory reference is permitted only if one of the key codes matches the lock code associated with the referenced page. In this manner, a supervisory routine which alone has access to the lock and key values, can exclude any user from referencing or executing within all pages except for those whose locks correspond to one of the four key values. Lockout bits select the type of memory operations permitted for those pages whose locks match the keys associated with each lockout bit collection.
BRIEF DESCRIPTION OF THE INVENTION
It is particularly useful to incorporate this invention in one type of virtual addressing scheme which employs a two-step address conversion procedure. In the first step, a process virtual address (PVA) is converted to a system virtual address (SVA). The SVA may be identical for different PVAs if different users (each having their own process) are attempting to use the same code or data. In this context, the operation of keys and locks according to the instant invention provides a different key for each user which is assigned at the time the user is allowed to begin operation within the system. A user's key is tested for equality with the lock of each segment to which access is requested, at the time the PVA is converted to the SVA. Inequality causes the hardware to refuse access to the requesting process. As certain users make reference to other users' segments in the various ways possible, the key values and lock values are tested and changed according to the type of reference made, so as to permit access by authorized users and to prevent unauthorized users' access to other users' information. This prevents those users which are to be governed by key and lock safeguards from subverting the intended protection when called by users who have been granted the right to operate with a master key. (Users' references with a master key are not subjected to key-lock testing). By software convention users will be allowed to operate with master keys in only carefully controlled situations.
In this implementation, the key with which a sequence of instructions is operating, is made a portion of the P, or instruction counter register. With the memory organized in segments, each segment is provided with its own lock which is applicable for all of the addresses within that segment. In fact, it is convenient to have two keys, a global and a local, assigned for each instruction sequence, although only a single numeric lock value is preferred for the individual segments. This value can be either global or local or both depending on selector bits associated with the segment's descriptor.
Whenever the segment supplying instructions is changed, the keys contained in the P register may also be changed according to algorithms and conditions dependent on the key and lock values and the way the segment change occurs. In fact, how these keys are selected is an important distinguishing factor of my invention. Depending on the instruction being executed, the global or local key in the P register may be changed.
Accordingly, one purpose of this invention is to isolate the various users of a computer system from each other.
A second purpose is to provide such isolation during execution of various control-transferring instructions.
Another purpose is to provide various levels of isolation between users, dependent on assignments made by the facility manager.
Still another purpose for this invention is to permit such isolated users to employ the same code sequences and data bases within the system.
Thus, in accordance with a broad aspect of the invention, there is provided, in a data processing system of the type including:
a) a memory comprising a plurality of addressable cells and a data port, said cells grouped into a plurality of segments, each segment having a unique number forming a portion of the addresses of the cells in the segment, said memory accessed by externally supplied address signals each encoding the address of the cell to be referenced and specifying the memory function, said memory accepting data for storage at and supplying stored data at the data port responsive to, respectively write address signals and read address signals, said memory further having when in use, at least one instruction sequence stored in a first segment and including memory references to at least one second segment; and
b) an instruction processor supplying read address signals encoding the addresses of the instruction sequence to the memory and responsive thereto receiving at the data port the addressed instructions from the memory and executing them, and responsive to execution of certain ones of the instructions, generating address signals encoding cell addresses in at least one second segment,
an improvement comprising means for selecting and for storing in the memory for at least each referenced second segment, a numeric key/lock value stored in a cell having a preselected location associated with the second segment involved, and wherein the instruction processor further includes the improvement of:
a) means for extracting at least one numeric key value associated with the first segment, and for storing each said key value; and
b) key retrieval and comparison means for receiving address signals encoding the addresses of cells in at least one second segment, and responsive thereto supplying to the memory a read address signal encoding the address of the cell containing the numeric key/lock value for the specified second segment, and receiving that key/lock value on the data port from the memory, and for receiving the key value stored by the key selecting and storing means and comparing said key value with the key/lock value, and if not valid generating an access violation signal, but if valid transmitting the address signal to the memory.
Other objects and purposes will become apparent during the following discussion and description.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 is a map of the organization of the main memory.
Figures 2a and 2b comprise a block diagram of apparatus implementing the invention.
Figure 3 is a block diagram of the instruction decoding apparatus pertinent to the explanation of this invention.
Figures 4a and 4b in combination form a detailed logic diagram of the apparatus implementing a major portion of this invention.
Figure 4c is a block diagram of the specialized P register forming a portion of the invention's preferred embodiment.
DESCRIPTION OF THE PREFERRED EMBODIMENT
Introduction
The understanding of the following description requires one first to grasp some general principles and conventions involved in the implementation of the large scale computers in which this invention is intended to play a role. It is the custom to provide large portions of the function within such computers through the use of microprocessor circuitry which is microprogrammed (i.e., controlled with microcode) to provide these functions. It is also not unusual to provide a portion of these functions in hardwired circuitry which is not capable of being microprogrammed. Both approaches are used for substantial portions of the preferred embodiment of this invention. This leads to problems of accurately displaying the preferred embodiment in an understandable and logical fashion. I choose to represent the microprogrammed portions of this invention in functional block diagram form. Since the microprogramming portion of the implementation of this invention in the actual embodiment is employed for simple interface and signal transfer between the other portions of the computer and this invention, it seems that one of ordinary skill in the art will have no need to experiment in applying this invention to a different computer design, avoiding the necessity of a more detailed exposition of the microprogramming. The larger and more complex portion of the invention is in fact implemented in hardware, and this hardware is disclosed and explained at the logic element level.
Memory Organization
Turning first to Figure 1, the map of main memory 10 shown therein comprises, for the purposes of this invention, two distinct portions, the ASID (active segment identifier) and the key/lock information. The aforementioned SVA comprises the so-called ASID and a byte number. The SVA is the "real" virtual address of the machine's instructions. Each user's process is assigned its own set of PVAs, each PVA in turn comprising a segment number and a byte number. In the memory 10 shown in Figure 1, the segment numbers are in every case values from 0 through n, where n can be some preselected maximum value.
By using the segment number of a PVA as an index into the process's segment table, the ASID, K/L, and other information as well can be extracted.
Thus, in Figure 1, one segment table 11 is that table which is assigned to a hypothetical process 1. Each segment table 11 comprises a series of segment descriptor entries 12, each assigned to one segment and one of which is shown in expanded form in Figure 1. In addition to the ASID field 13, the segment descriptor entry (SDE) 12 also includes a read test enable code (TEC) 14, a write test enable code 22, both of which in the preferred embodiment are 2 bits, and a K/L or key/lock field 15 of 8 bits. K/L field 15 is further subdivided into a one bit G designator field 16, a one bit L designator field 17 and a 6 bit value field 18. The read and write TECs 14 and 22 each have only a single meaning relevant here. A code of 01 (binary) in each case specifies that key-lock testing shall occur for each reference to the segment. Every other bit pattern disables key-lock testing. The K/L field 15 specifies the actual bit pattern which forms the two locks which are encoded within each segment descriptor entry 12. The ramifications and implementation of these two lock values will be discussed later, but for purposes of explaining the segment table organization, it is necessary to simply understand that a global lock and a local lock are associated with each segment. The global lock value is 0 if either value field 18 is 0 or the G designator field 16 is 0, and equal to the value field otherwise. Similarly, the local lock value is either that bit pattern contained in value field 18, or regardless of the contents of value field 18, 0 if L designator field 17 is 0.
In each segment table 11 (which need not be, as shown, contiguous with one another) a series of segment descriptor entries 12 are arranged in sequential order and indexed with the number of the segment to which they are assigned. There can be any number of segment tables up to a maximum preselected value shown as N in Figure 1.
A second portion of main memory 10 is devoted to actual storage of the data and instructions which the actual processor uses in performing its tasks. As in all virtual memories, this portion of the memory is arranged in segments 23 which are again sequentially numbered from 0 through some preselected value S, which is dependent on the "size" of the virtual memory involved and the size of the individual segments. Memory port 19 for this virtual main memory corresponds to the actual physical port for the real memory. The contents of memory 10 can be written and read through data paths 20 and 21 in the usual fashion, with read and write address signals specifying the function and address also being sent to memory 10 on path 20. Depending on the organization of a particular computing system, the memory 10 and memory port 19 may be explicit and well defined, with a location on a separate board, chassis or cabinet, or may be very tightly entwined with the computer hardware devoted to instruction decoding, arithmetic and logic operations, and input/output operations.
Key-Lock Description
It is useful at this point to discuss the operation of this key-lock mechanism in a purely verbal manner before describing the operation of the invention with reference to the remaining Figures. At any given time within a computer employing a preferred version of this invention, there are a single global key and a single local key which have been selected by previous operations and which pertain to all instructions executed by the computer. These keys form a portion of P register 130 (Figure 4c), although P register 130 in the preferred hardware embodiment does not simply contain the address of the next sequential instruction, but contains other control and isolation information in addition to these keys. The general principle is that if the SDE for the segment which contains the operand specified by a particular instruction does not contain a global lock and a local lock which is identical to the global key and local key respectively of the current P register, then an access violation has occurred and the processing of that instruction and the process containing it is aborted.
There is, however, a provision for a "master" key, both global and local, for the P register, and an inoperative lock condition for the segment involved. A master key is denoted when the key value is 0. An inoperative or "no" lock condition is denoted in the K/L field 15 of Figure 1 by a bit pattern representing 0 for the lock type involved. Thus, if the G field 16 of SDE entry 12 is 0, the L field 17 is 1, and the value field 18 is 3, then the global lock value is 0, and the local lock value is 3. If both G (global) and L (local) fields 16 and 17 are 1 and the value field 18 contains 0, then both global and local locks would be 0 and the segment would be "no-locked." The master key value, either global or local implies that the key-lock restriction mechanism cannot prevent access to a segment having respectively a nonzero global or local lock. Similarly, even though the keys being employed at any given time are nonzero, i.e. not master keys, yet if the corresponding K/L field of the referenced SDE is 0, i.e. has an inoperative lock, then access to such a segment is still available.
If a particular segment is associated with a nonzero lock field which does not equal a corresponding nonzero key, then an access violation occurs and the proposed memory reference is rejected. Both global and local keys must pass the equivalency tests to establish the right of access. It should be noted that even if one key or lock is 0, the other (global or local) nonzero key-lock set is tested in this preferred embodiment. Another system may well adopt a different convention.
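The derivation of the two lock values from K/L field 15 and the pass/fail rules just described can be modeled in C as follows. This is an added illustration, not code or logic taken from the patent; the bit order inside the K/L field, the key width and all type and function names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* ASSUMED packing of the 8-bit K/L field 15. The text gives only the widths
 * (1-bit G, 1-bit L, 6-bit value), not the bit order. */
#define KL_G_BIT 0x80u /* G designator field 16 */
#define KL_L_BIT 0x40u /* L designator field 17 */
#define KL_VALUE 0x3Fu /* value field 18 */
#define TEC_TEST 0x1u  /* binary 01 enables key-lock testing */

typedef enum { ACCESS_READ, ACCESS_WRITE } access_t;

/* The parts of a segment descriptor entry (SDE 12) used by the test. */
typedef struct {
    uint8_t read_tec;  /* 2-bit read test enable code 14 */
    uint8_t write_tec; /* 2-bit write test enable code 22 */
    uint8_t kl;        /* 8-bit K/L field 15 */
} sde_t;

/* Keys held in the P register; 0 is the master key. The width is assumed
 * to match the 6-bit value field. */
typedef struct {
    uint8_t global_key;
    uint8_t local_key;
} pkeys_t;

/* A lock is 0 ("no lock") when its designator bit or the value field is 0. */
uint8_t global_lock(uint8_t kl) { return (kl & KL_G_BIT) ? (uint8_t)(kl & KL_VALUE) : 0; }
uint8_t local_lock(uint8_t kl)  { return (kl & KL_L_BIT) ? (uint8_t)(kl & KL_VALUE) : 0; }

/* One key against one lock: a master key or an inoperative lock passes;
 * otherwise the two must be equal. */
static bool pair_ok(uint8_t key, uint8_t lock)
{
    return key == 0 || lock == 0 || key == lock;
}

/* Returns true when the reference may go to memory, false for an access
 * violation. The global and local pairs are tested independently and both
 * must pass, so a master key of one kind does not excuse the other kind. */
bool reference_allowed(pkeys_t keys, sde_t sde, access_t kind)
{
    uint8_t tec = (kind == ACCESS_READ) ? sde.read_tec : sde.write_tec;

    if ((tec & 0x3u) != TEC_TEST)
        return true; /* every other TEC pattern disables key-lock testing */

    return pair_ok(keys.global_key, global_lock(sde.kl)) &&
           pair_ok(keys.local_key, local_lock(sde.kl));
}

int main(void)
{
    /* Constructed descriptors for illustration, not from the patent's figures. */
    const sde_t local_only = { 1, 1, 0x43 }; /* G=0, L=1, value=3 */
    const sde_t both_locks = { 1, 1, 0xC7 }; /* G=1, L=1, value=7 */
    const sde_t no_locked  = { 1, 1, 0xC0 }; /* G=1, L=1, value=0 */
    const sde_t read_only  = { 1, 0, 0xC7 }; /* write TEC is not 01 */

    const struct { const char *what; pkeys_t k; sde_t s; access_t a; } cases[] = {
        { "local key 3 vs local lock 3, no global lock", { 5, 3 }, local_only, ACCESS_READ  },
        { "local key 4 vs local lock 3",                 { 5, 4 }, local_only, ACCESS_READ  },
        { "both keys master",                            { 0, 0 }, both_locks, ACCESS_WRITE },
        { "global master, local key 2 vs lock 7",        { 0, 2 }, both_locks, ACCESS_READ  },
        { "nonzero keys, no-locked segment",             { 9, 9 }, no_locked,  ACCESS_READ  },
        { "mismatch, read tested",                       { 9, 9 }, read_only,  ACCESS_READ  },
        { "mismatch, write testing disabled",            { 9, 9 }, read_only,  ACCESS_WRITE },
    };

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-46s -> %s\n", cases[i].what,
               reference_allowed(cases[i].k, cases[i].s, cases[i].a)
                   ? "enable" : "ACCESS VIOLATION");
    return 0;
}
```

The fourth case is the one the text singles out: a master global key does not suppress the local test, so a mismatched nonzero local key still produces a violation.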
When analyzing the operation of the key and lock mechanism within the preferred computing system, it is useful to divide the types of instructions which can be executed by the processor into two different groups. On the first hand, there are the read and write class instructions which straightforwardly make references to the virtual memory, extracting data and instructions from and transmitting data to the memory 10. These instructions are implemented for purposes of this invention, by simply testing the global and local key against the global and local locks in the SDE for each referenced segment.
The second and more complex type of instruction causes an actual change in the global and/or local keys forming a part of P register 130. Full-fledged key-lock equivalency tests may or may not be performed depending on the particular instruction being executed. In the case of the Exchange instruction, the P register value is replaced with an entirely new P register value; hence the old global and local keys are replaced by the new global and local keys. Because execution of an Exchange instruction by a user's program is carefully controlled by the operating system, the user is not able to improperly exploit the change of keys involved.
Other second-type instructions also alter one or both of the keys in the P register. The alterations will always be to make the key affected by such instructions no more powerful (i.e. change master to non-master) than it was previously. One source for the values to which these keys may be changed by these instructions is the K/L field 18 in segment descriptor entry 12, hence the "key/lock" terminology. These operations do occur with some key to lock equivalency tests so an attempt to improperly gain a key for access to off limits segments will still cause an access violation signal to occur.
The first of these instructions are the Call and its complementary function, Return. The Call instruction is employed when an executing program wishes to transfer control to a separate, unrelated program and then receive control back from it at a later time. The Call instruction includes a mechanism for transferring the address within the program containing it to which the called routine shall return control when the called routine's processing has been completed. The Return instruction simply transfers control back to the routine from which the Call instruction was executed. The Inter-Segment Branch (ISB) instruction is quite similar to the Call instruction with respect to manipulations and tests involving the keys and locks. Because there is no return address, there are differences in operation involving this aspect.
Block Diagram
With this background, the apparatus represented by the remaining Figures can be more easily understood. Figure 3 depicts in block diagram form the standard operation decoding function performed by the microprocessor portion of the central processor here involved. The decoding results are unchanged by the manner in which the decoding is performed. The distinction is simply that when a microprocessor is employed for such tasks, the very same logic elements which perform one task at one time may, when operating under control of different microcode at a different time, perform different tasks.
In the implementation of instruction decoding, instruction register 60 (which may be a portion of the microprocessor) comprises an OP code field 61 and an address code 62. No further notice of the address field need be taken at this time. The 8 bit OP code field 61 is transmitted by data path 63 to the microprocessor 29 (Figures 2a and 2b) symbolically represented as instruction decoder 64. The output of decoder 64 is a set of operation code flag signals, only one at a time of which may be a logical 1. Thus for the execution for a Call instruction, a logical 1 flag signal will be placed on path 65. The Exchange instruction causes a logical 1 flag signal on path 66. The Return and ISB instructions cause similar logical 1 flag signals on paths 67 and 68 respectively. The hexadecimal codes beneath each alphabetic label in Figure 3 are simply the codes which must be placed in OP code field 61 to cause the associated output signal on path 65-68 to occur. Segments containing instructions will be referred to as first segments. Those containing data will be called second segments.
There are many instructions which cause the memory 11 to be read. Any one of these causes a logical 1 read class flag signal to be placed on path 69, and the "READ CLASS" caption placed beneath the representation of that signal path indicates this. Similarly, a "WRITE CLASS" caption is placed adjacent path 70 to indicate that path 70 carries a logical 1 signal when a write class operation is present in instruction register 60.
In Figures 2a and 2b, the block diagram representation of the preferred embodiment of this invention employs certain conventions which must be understood in order to understand the invention itself. The use of these conventions is deemed necessary again, because of the difficulty in depicting the operation of the microprocessor control functions and the constant references to memory 10 required by this invention and performed under microprocessor control. The hexagonal boxes 30, 33, etc. represent data transfer to or from memory port 19 on data paths 20 and 21 respectively. The content or meaning of the data transferred for a particular aspect of the implementation is stated within the hexagonal box. Those hexagonal boxes which are connected by dotted lines within the rectangle representing processor 29 are related in some fashion. These relationships will be described in the following discussion.
Hexagonal box 30 indicates the transfer of the initial test enable codes and K/L selection data to the segment tables 11. This information ultimately is supplied by the manager of the computing system facility. This is necessary, because the philosophy for protecting users from themselves and each other is based on the concept that there exists some ultimate authority which cannot be subverted. If this is not true, if there is not discipline and authority reposing in some trusted individual, one cannot expect any of the benefits explained herein to occur. The data represented by hexagonal box 30 is transmitted by processor 29 back to the segment tables 11 in memory 10, where they are inserted in the appropriate segment descriptor entries 12 by the operating system. When the appropriate values have been inserted in the segment tables 11, then normal processing can begin.
Hexagonal box 33 contains a description of the data transferred during an Exchange instruction. Recall that this is signaled by a logical 1 on path 66 in Figure 3. Execution of the Exchange instruction causes the new P register values specified by the Exchange instruction to be read from memory and transmitted directly on paths 120 and 121 to the new P register rank 123 of P register 130.
Key validity testing during the Exchange instruction is not necessary. The computing system preferred for use with this invention has two different machine modes, monitor and job. Job mode is the normal state for user operations. Monitor mode is the normal state for the operating system. Execution of the Exchange instruction changes mode, from job to monitor or from monitor to job. When mode changes from monitor to job, the operand is transmitted to the new P register rank 123 (Figure 4c) of P register 130. Execution then continues within the segment and at the instruction within the segment specified by the Exchange instruction operand. Contrarywise, when an Exchange instruction is executed during job mode, mode changes to monitor, and the new P register is loaded from a location which is inaccessible to processes operating in job mode, and which will undoubtedly be loaded by the facility manager with an address which transfers control to the operating system. Therefore, any attempt by the user to alter the key assignments through the use of Exchange instructions results in transfer of control to the operating system. If the operating system uses an Exchange instruction to transfer control to the user, it is appropriate that this device be used to alter the keys, since in essence the operating system is the facility manager's alter ego in its function of assigning keys to a particular user.
Execution of a typical sequence of instructions in a user program results in a series of individual instruction executions of the read or write class. Each such instruction execution begins with a memory reference which causes the particular instruction to be read from memory on path 21 and as symbolized by hexagonal box 34, to processor 29. Each such instruction-fetching memory reference need in general not be subjected to key-lock validity testing. One characteristic of the read and write class instruction is that their execution cannot change the segment from which instructions to be executed are drawn. Therefore, it is necessary to perform a key-lock validity test only when first entering a segment to begin executing instructions therefrom.
In the general case, each read or write class instruction which is transmitted to processor 29 during normal instruction execution contains one or more operand addresses. These addresses must be subjected to key-lock validity tests to prevent users from altering or extracting data from segments forbidden to them. It is convenient to refer to segments containing operands specified by instructions as second segments, to distinguish them from the first segments which are considered to contain executable code. (It is possible of course for a segment to contain both executable code and operands, but the possibility for programming errors to result in difficult debugging problems causes one to avoid this arrangement.) Each such read or write reference to a second segment, however defined, results in the key-lock validity checks. In the case of Call, ISB, and Return instructions, however, this terminology breaks down, since these instructions in effect change a second segment to first segment status. For clarity of explanation, I will use the term "new first segment" interchangeably with "second segment" when discussing these instructions.
The segment speci:Eied by each operand places the segment number on path 23, as indicated by the contents of hexagonal box 49. As explained earlier, the K/L field 15 of each segment is stored in that process's segment table in the index location for that particular segment. When the segment is a second segment and so intended to furnish operands for use during instruction execution, the K/L field functions as a lock value.

;3~
It is certaln]y possible to reEerence main memory 10 for each lock and PV~ involved in the execution of a series of instructions. Such a multi-tude of main memory references3 however~ results in excessively slow instruction execu*ion. Therefore 9 it is instead useful to employ a bank of segment map buffers 41 which contain for associative reference the segment descriptor entries 12 for the second segments which have been most recently re-ferenced.
The segment map buffers 41 are ultra high speed registers which cause no appreciable delay in instruction execution. Therefore in this embodiment, the execution of a read or write class instruction generates a segment map search enable on signal path 40 which causes segment map buffers 41 to be searched for the appropriate segment descriptor entry 12. If the SDE 12 is not present within segment map buffers 41, then a "no hit" signal on path 44 is generated.
The no hit signal on path 44 enables gate 45 which allows the segment number on path 23 to be transmitted as a read request to memory 10 as shown in hexagonal box 36. This in turn generates the transmission of the segment descriptor entry 12 specified thereby, on path 21 as symbolized by hexagonal box 35. The entire segment descriptor entry 12 including the K/L field 15 and test enable codes 14 and 22 is transmitted on path 51 to segment map buffers 41 and stored therein. Path 51 is labeled as the SDE, hexagonal box 55, for completeness sake but in fact only the K/L and TEC fields are of interest in the explanation of this invention.
Once the segment descriptor entry 12 corresponding to the second segment referenced by the instruction operand is placed in segment map buffer 41, then the segment number symbolized by hexagonal box 49 and carried on path 23 to segment map buffers 41 will reference this SDE. Buffers 41 are caused by the segment number on path 23 to transmit the contents of its K/L field 15 and TEC fields 14 and 22 on paths 43 and 102-105 respectively to the test key-lock validity logic 46a,b. In addition, the global and local keys from old P register 128 are supplied to test logic 46a,b on paths 131 and 132 respectively. This logic performs the appropriate tests for implementing the earlier explanation and the keys either fail the tests in which case an access violation signal on path 47 is generated, or they pass the test, which causes an enable signal on path 48 to be generated which permits the operand address whose original receipt was symbolized by hexagonal box 3~ to be supplied to memory, as symbolized by hexagonal box 37. The dotted line extension of signal path 48 symbolizes the gating of the operand address to path 20 by the signal on path 48, as interpreted in the processor 29 microcode.
As mentioned earlier, the three instructions in addition to the Exchange, which cause a change in the segment functioning as the first segment, i.e. the segment containing the instructions being executed, are the Call, the Inter-Segment Branch (ISB), and Return instructions. Figure 2b comprises the block diagram of the portion of the computing system which executes these instructions. A substantial portion of the hardware involved in their execution is identical to that used for the execution for the read and write class instructions, and is therefore replicated symbolically in Figure 2b. When an instruction fetch extracts one of these instructions from memory 10 on path 21, as symbolized by hexagonal box 52, the instruction is decoded within processor 29 by decoder 64 (Figure 3) and the segment number for the new first segment (i.e., second segment) specified by the operand (PVA) of the instruction, and symbolized by hexagonal box 53, is supplied on path 23 to segment map buffers 41, as before. A similar series of operations occurs by which the K/L field 15 and TECs 14 and 22 from the segment descriptor entry 12 for the specified new first segment is again supplied to buffers 41 if the segment descriptor entry 12 for the new first segment is not already in buffers 41. Once the K/L field 15 and TECs 14 and 22 are available in buffers 41, they are supplied respectively on paths 43 and 102-105 to the test key-lock validity hardware 46a.
Path 58 represents certain intermediate logic results available from the key select logic 46b, and useable in testing key-lock validity. So using these results reduces the total amount of logic required in testing and selecting the keys. These three instructions are tested in much the same fashion as are the read and write class instructions. Access violations are flagged by a signal on path 47 and operand fetch enabled by the signal on path 48.
There is for this second class of instructions the additional step, however, of selecting the new key values for the P register 130. The source for the new keys depends on the instruction flags 65, 67, and 68 which function as key selection signals; on the keys from old P register 128 on paths 131 and 132; and on the K/L field 15 from segment descriptor entry 12 available from the active process's segment table, and as explained earlier supplied on path 43. The key select logic 46b produces on path 56 a control word which is dependent on the inputs to logic 46b. The control word on path 56 controls the key select multiplexers 57. These multiplexers 57 can select keys from any one of several sources: old P register 128; special tables in memory 10 containing Return and Exchange instruction operands available on paths 111, 112; and the segment descriptor entry key/lock field available on path 43 from segment map buffers 41. The PVA specified by or a portion of the instruction being executed is supplied to memory on path 20 as the operand address and the memory returns the actual operand containing the key values applied to the input of multiplexers 57 on paths 111, 112. Depending on the control word carried by path 56, multiplexers 57 transmit one of the global keys carried on the inputs or 0, and one of the local keys supplied to its inputs or 0, to the global and local key fields 124 and 125 of new P register 123 on paths 120 and 121 respectively.


Call, Return and ISB Instructions
Before explaining the operation of the key validity testing and selection apparatus with reference to the detailed logic diagrams of Figures 4a, 4b, and 4c, it is useful to explain the operations and tests generated by the execution of each of these three instructions. Since the ISB and Call instructions are quite similar to each other, it is useful to discuss them together.
In each case, the global key 129 (Figure 4c) of the old P register 128 is compared with the global lock value 15 of the segment descriptor entry 12 associated with the new first segment (second segment), with interpretation of the G field 16 and consideration of the presence or absence of a master global key (0 or nonzero, respectively) included, to determine an access violation. Further, the K/L field 15 of segment descriptor entry 12 for the new first segment is interpreted to yield the new local key, which is transmitted to local key field 125 of new P register 123. Finally, the interpreted global lock value from segment descriptor entry 12 and the global key value from old P register 128 are both examined, and if both are not 0, then the nonzero value is transmitted to the new P register 123 global key field 124. Recall that if the global key value in field 129 of old P register 128 and the interpreted K/L field 15 value from segment descriptor entry 12 are both nonzero, they must equal each other in order to avoid an access violation which stops further execution of the instruction. These provisions prevent any user, by the artifice of executing an ISB or Call instruction, from defeating the key-lock protection restrictions imposed on him.
The Return instruction is essentially the complement of the Call instruction. The operands of all Return instructions are stored in a separate Return instruction push-down stack or table in memory 10, each containing the global key and local key from the P register 130 contents existing when the Call instruction for which the current Return instruction is the complement, was executed. The global and local keys from this pre-existing P register content are inserted in the global and local key fields 124 and 125 respectively of new P register 123. The local lock only from the Return instruction table is compared to the lock of the segment descriptor of the new first segment (second segment) and if not equal an access violation occurs. In essence, these steps, as far as the keys are concerned, restore the original condition of the keys prior to the Call to which this Return is paired.
Key and Lock Logic
In understanding the detailed logic diagrams shown in Figures 4a and 4b, it is useful to refer from time to time to the legend forming a portion of Figure 4a for the meaning of certain abbreviations on signal paths and certain conventions implied in identifying the logic elements within these diagrams. In addition, small circles within which numerals are shown refer to a parallel transmission of data of the specified number of bits. All other paths carry logic signals. Circles containing letters are connectors and indicate continuity, letter to similar letter, in the signal path. The arrows affixed thereto indicate the direction of signal flow. Short captions placed adjacent many of the signal paths identify the meaning of the presence of a logical 1 thereon. Since these diagrams are at the logic level, all logic signals are binary, comprising logical 0's or 1's in every case.
The logic elements themselves are labeled with the function represented "~" for logical AND~ and _ for equality. A logical 1 output represents a "true" output. A small circle on the input or output represents a signal inversion.
Turning first to the diagram of Figure 4a, the logic shown performs the key selection specified for the second class instructions, viz. Call, ISB, Return and Exchange. The five equality test elements 75-79 test the equality of the pairs of six bit quantities applied to each of their inputs. If equal, the output is a logical 0 (because of the signal inversion symbol at the right hand, output side). If the two input quantities are unequal, the output is a logical 1.
Equality tester 75 receives a 6 bit 0 value on one input terminal and the old P register global key from field 129 (Figure 4c) on path 131, and if this global key is 0 (i.e. the input pair is equal) produces a logical 0 and if not, a logical 1. Equality tester 76 receives the same global key from old P register 128 and the SDE 6 bit K/L value 18 available from segment map buffers 41 on a portion of path 43. If these two quantities are equal the output is a logical 0 and if not, a logical 1. Equality tester 77 also receives a 6 bit 0 quantity and the SDE 6 bit K/L value 18 from a portion of path 43 and produces a logical 0 output if these two quantities are equal, and a logical 1 otherwise. In similar fashion, equality tester 78 tests SDE K/L value 18 with the old P local field 133 key on path 132 for equality and equality tester 79 tests the old P local key on path 132 against 0.
AND gates 80 and 81 each receive at one input the output of equality tester 77 which, as stated earlier, is a logical 0 if the segment descriptor key lock value is 0 and logical 1 otherwise. The SDE global (G) and local (L) bits from fields 16 and 17 respectively of the segment descriptor entry 12 for the second or destination (new first) segment are available also on data path 43, and are applied respectively to the other of AND gate 80 and 81 inputs. The outputs of AND gates 80 and 81 are thus respectively a logical 1 if the global and local key/locks from the associated segment descriptor entry, with interpretation involving their global and local bit fields 16 and 17, are unequal to 0, as the captions show on the respective outputs.

If either the interpreted segment descriptor entry K/L value or the old P register global key on path 132 is unequal to 0, then OR gate 84, which receives the outputs of AND gate 80 and equality tester 75, supplies a logical 1 signal to AND gate 85. AND gate 85 also receives an input from the OR gate 82 output. OR gate 82 produces a logical 1 output if the instruction flags 65 and 68 applied to its inputs respectively indicate that the current instruction under execution is either a Call or an ISB instruction. The output of AND gate 85 forms the high order bit (bit 1) of the control word for the 2 bit multiplexer 57a.
The low order control word bit (bit 0) of multiplexer 57a is supplied in the following fashion: OR gate 83 receives the Return and Exchange instruction flags on paths 67 and 66 respectively and produces a logical 1 output if either of these instructions is being currently executed. This output is applied to one input of OR gate 86; and if a Return or Exchange instruction is being executed, the low order control bit of multiplexer 57a thus becomes a 0. (Note output signal inversion for gate 86.) This low order bit can also be set to 0 by satisfying both inputs to AND gate 87. The outputs of AND gate 80 and OR gate 82 are supplied to AND gate 87, satisfying it and producing a logical 1 output applied to the other input of OR gate 86 in case of the following conditions: either a Call or ISB instruction is being executed, and the global key/lock, with interpretation of the SDE G field 16 output, all from segment descriptor entry 12, is not 0. If these conditions all exist, then OR gate 86 supplies a logical 0 output to the low order bit of multiplexer 57a. If neither of these sets of input conditions to gate 86 are satisfied, then the output of OR gate 86 is a logical 1.
The two bits of the control word of multiplexer 57a specify four different possible sources for the output of multiplexer 57a on path 120. If outputs of AND gate 85 and OR gate 86 are both logical 0's, then the operand as specified by multiplexer 108(29) becomes the output on path 120. If the output of AND gate 85 is 0, and the output of OR gate 86 is 1, then 0's are gated to path 120. If the output of AND gate 85 is a logical 1 and OR gate 86 produces a logical 0 on its output terminal, then the segment descriptor entry K/L value in field 18 for the new first segment is gated to path 120. Finally, if both AND gate 85 and OR gate 86 produce logical 1's on their outputs, the global key field 129 in old P register 128 available on path 131 (connector L, Figure 4c) is gated to output path 120. That is, the global key in the old P register is gated into the global key field 124 of new P register 123, in essence leaving the G key of P register 130 unchanged.
A similar analysis can be performed for the selection of the local key for the new P register 123. If AND gate 81 produces an output logical 1 (indicating that the local key/lock from the segment descriptor entry 12 for the new first segment, as interpreted by the associated L bit in field 17, is not equal to 0) and the instruction being executed is either a Call or an ISB instruction (OR gate 82), then AND gate 88 produces a logical 1. In any other case, AND gate 88 produces a logical 0. The output of AND gate 88 forms the high order bit of the control word for multiplexer 57b.
The low order control word bit for multiplexer 57b is supplied by OR gate 89. If the output of AND gate 88 is a logical 1 or the instruction is either a Return or Exchange instruction (as determined by OR gate 83 and carried on its output), then OR gate 89 produces a logical 0. In all other cases, it produces a logical 1. Note that the outputs of gates 88 and 89 cannot simultaneously be logical 1. Therefore, there is no input needed for input port 3 of multiplexer 57b.
As with multiplexer 57a, which of the data inputs of multiplexer 57b is gated to path 121 depends on the control word bit pattern. If both AND gate 88 and OR gate 89 produce logical 0's, then the output of multiplexer 108(29) is gated to data path 121. If the output of AND gate 88 is 0 and that of OR gate 89 is 1, then 0's are transmitted to data path 121. If AND gate 88 output and OR gate 89 output are respectively 1 and 0, then the segment descriptor K/L value field 18 becomes the output on path 121.
Two-input multiplexer 108(29) supplies one global and one local key pattern respectively to the inputs of multiplexers 57a and 57b, under the control of the Exchange instruction flag on path 66. The parenthetical 29 in this multiplexer's reference number is simply to indicate that in the preferred embodiment shown here, its function is implemented in microcode by processor 29.
The Exchange instruction flag on path 66 is supplied to the control terminal of multiplexer 108(29). Recalling that only one of the instruction flags on paths 65-68 can be a logical 1 at a time, this provides a logical 1 input to the control bit of multiplexer 108(29) when the Exchange instruction is being executed, and a logical 0 otherwise.
The source for the output of multiplexer 108(29) when its control bit is 0, is the global and local key supplied by memory 10 on path 112, and associated with the Call instruction which the current Return instruction complements. The output of multiplexer 108(29) is split into the global key on path 110 for input port 0 of multiplexer 57a and the local key on path 109 for input port 0 of multiplexer 57b. When the Exchange instruction flag on path 66 is a logical 1, then the global and local keys stored for the Exchange instruction are supplied from memory 10 on path 111, and are transmitted on paths 110 and 109 respectively to multiplexers 57a and 57b.
Turning next to Figure 4b, this logic diagram implements the validity testing necessary to determine access violations. Additional testing of key and K/L values occurs by the operation of equality testers 90-92. The segment descriptor entry K/L value 18 on path 43 is applied to one each of the input terminals of equality testers 90 and 91. If the new P register 123 global key available on path 120 from the apparatus of Figure 4a equals the uninterpreted segment descriptor entry K/L value on path 43 (field 18 of SDE 12), then equality tester 90 produces a logical 0. If the new P register local key available on path 121 equals the segment descriptor entry key/lock value from path 43, then equality tester 91 produces a logical 0. And finally, if the new P register local key on path 121 is 0, then equality tester 92 produces a logical 0 at its output. Naturally, if any of the above specified conditions do not occur, then the corresponding output of the associated equality tester is a logical 1.
If the new P register 128 local key (Figure 4a, path 121) does not equal the segment descriptor entry K/L field 18 contents for the new first segment and a Return instruction is being executed, and either the interpreted segment descriptor local lock value or the new P register local key (field 125, path 121) are unequal to 0 (OR gate 106), then AND gate 100 is satisfied and OR gate 101 produces a logical 1 output indicative of an access violation. Note connector D's role in symbolically connecting the output of Figure 4a's AND gate 81 to the input of OR gate 106.
If the output of equality tester 90 is a logical 1, the SDE global key with interpretation by the associated G bit 16 is not equal to 0, and a Return instruction is being executed as indicated by a logical 1 on path 67 (Figure 3), AND gate 99 produces a logical 1 output which OR gate 101 places on path 47, again indicating an access violation.
There are also certain circumstances where key-lock validity testing is not to happen. This occurs with respect to read and write class instructions.

As explained earlier, assume that when the read test enable code (TEC) bits in field 14 or the write TEC bits in field 22 of a segment descriptor entry 12 for the operand of an instruction being executed are a binary 01, then key testing is enabled respectively for read and write class instructions. When read class key-lock testing is enabled by this bit pattern, then a logical 0 is applied to path 102 and a logical 1 is applied to path 103, forming inputs for AND gate 94. Similarly, if key-lock testing is specified for write class instructions, then paths 104 and 105 respectively are assumed to carry a logical 0 and logical 1 to the AND gate 93 inputs shown. AND gates 94 and 93 also respectively receive at a third input the read class instruction flag on path 69 and the write class instruction flag on path 70, both produced by the apparatus of Figure 3. A logical 1 output from AND gate 94 means that key-lock testing is to occur for read class instructions. A logical 1 at the output of AND gate 93 means that key-lock testing shall occur for the execution of each write class instruction.
OR gate 95 receives the outputs of AND gates 94 and 93 and supplies its output to one input each of OR gate 96 and AND gate 98. The output of OR gate 95 is a logical 1 when read or write key-lock testing is to occur, as indicated by the caption adjacent. If in addition: the interpreted segment descriptor entry local key/lock value is unequal to 0 (output of AND gate 81, Figure 4a); the old P register local key (field 133, path 132) is unequal to 0 (equality tester 79 output) and is also unequal to the segment descriptor entry key/lock value field 18 available on path 43 (that is, without interpretation by the local or global bit fields associated therewith); then all four inputs of AND gate 98 are set to logical 1 and a logical 1 is applied by AND gate 98 to OR gate 101. This constitutes another condition designating an access violation producing a logical 1 on path 47.

The last condition comprising an access violation involves the global key-lock tests. If the instruction is a Call or ISB type or OR gate 95 output is a logical 1 then testing of the global key against the segment descriptor key/lock value, field 18, is specified, as indicated by a logical 1 output from OR gate 96. Additionally, if the interpreted global key/lock value is unequal to 0 (AND gate 80 output equal to logical 1), the old P register global key on path 132 is equal to 0 (output of equality tester 75 equal to logical 1), and the old P register global key is unequal to the segment descriptor key/lock value as interpreted by the global key field 16 of the segment descriptor entry (output of equality tester 76), then the conditions for failure of the global key-lock test have been established and the output of AND gate 97 is set to a logical 1. OR gate 101 again produces a logical 1 output on path 47 indicating an access violation.
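The key selection of Figure 4a and the access-violation conditions of Figure 4b, written out as an added Python model (not part of the patent text). Class, function and instruction names and the sample key values are assumptions; gate 97 is modelled on the tester 75 output being 1 (old global key nonzero), consistent with 0 acting as the master value.

```python
from dataclasses import dataclass

MASTER = 0           # key/lock value 0 acts as the master value
TEC_ENABLED = 0b01   # test enable code that turns key testing on


@dataclass(frozen=True)
class Keys:
    """Global and local key fields of a P register (hypothetical name)."""
    g: int
    l: int


@dataclass(frozen=True)
class SDE:
    """Segment descriptor fields used by the key-lock logic."""
    kl: int                        # K/L value, field 18
    g_bit: int                     # G field 16
    l_bit: int                     # L field 17
    read_tec: int = TEC_ENABLED    # field 14
    write_tec: int = TEC_ENABLED   # field 22


def interpreted_locks(sde):
    """AND gates 80/81: is the interpreted global / local lock nonzero?"""
    nonzero = sde.kl != MASTER
    return nonzero and bool(sde.g_bit), nonzero and bool(sde.l_bit)


def select_keys(instr, old, sde, operand=None):
    """Multiplexers 57a/57b: choose the keys for the new P register."""
    g_lock, l_lock = interpreted_locks(sde)
    if instr in ("RETURN", "EXCHANGE"):
        return operand                     # control word 00: keys saved in memory
    if instr in ("CALL", "ISB"):
        if g_lock:
            new_g = sde.kl                 # control word 10: segment K/L value
        elif old.g != MASTER:
            new_g = old.g                  # control word 11: old global key kept
        else:
            new_g = 0                      # control word 01: zeros
        new_l = sde.kl if l_lock else 0    # 57b: control word 10 or 01
        return Keys(new_g, new_l)
    return old                             # read/write class: keys unchanged


def access_violation(instr, old, sde, new):
    """OR gate 101: any of the four failure conditions of Figure 4b."""
    g_lock, l_lock = interpreted_locks(sde)
    rw_test = ((instr == "READ" and sde.read_tec == TEC_ENABLED) or
               (instr == "WRITE" and sde.write_tec == TEC_ENABLED))  # OR gate 95
    call_isb = instr in ("CALL", "ISB")
    is_return = instr == "RETURN"
    gate97 = ((call_isb or rw_test) and g_lock
              and old.g != MASTER and old.g != sde.kl)   # global key-lock test
    gate98 = (rw_test and l_lock
              and old.l != MASTER and old.l != sde.kl)   # local key-lock test
    gate99 = is_return and g_lock and new.g != sde.kl    # restored global key
    gate100 = (is_return and new.l != sde.kl
               and (l_lock or new.l != MASTER))          # restored local key
    return gate97 or gate98 or gate99 or gate100


def execute(instr, old, sde, operand=None):
    """Return (violation, keys held after the instruction)."""
    new = select_keys(instr, old, sde, operand)
    if access_violation(instr, old, sde, new):
        return True, old      # a violation blocks the P register update
    return False, new


# Constructed sample segments (values are illustrative, not from the patent).
SHARED = SDE(kl=5, g_bit=1, l_bit=0)    # globally locked with value 5
OTHER = SDE(kl=9, g_bit=1, l_bit=0)     # globally locked with value 9
PRIVATE = SDE(kl=3, g_bit=0, l_bit=1)   # locally locked with value 3

if __name__ == "__main__":
    user = Keys(g=5, l=0)
    for seg in (SHARED, OTHER, PRIVATE):
        print("CALL", seg, "->", execute("CALL", user, seg))
    print("READ PRIVATE with local key 7 ->", execute("READ", Keys(5, 7), PRIVATE))
```

A caller holding the master global key picks up the lock value of a globally locked segment as its new global key, while a caller with a different nonzero global key is stopped by gate 97.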
In Figure 4c, the gating of the contents of new P register 123 to old P register 128 occurs under processor 29 microcode control, hence the reference number for OR gate 126(29). P register gate 134 is integral with the double rank structure preferred for P register 130, where old and new P registers 123 and 128 comprise the two ranks. When a logical 1 is applied on path 135 to the control terminal of gate 134, then the contents of old P register rank 123 is transmitted to new P register rank 128. Processor 29 implements the OR gate 126(29) function, receiving the read and write class instruction flags on paths 69 and 70 respectively, and the access violation signal on path 47. If any of these conditions are present, no such transmission can occur. (Since read and write class instructions do not affect keys, no transmission of the old to the new P register is necessary.) In addition, there are a myriad of other conditions, as symbolically indicated on path 127, which may also result in preventing any transmission from new P register 123 to old P register 128.

Once all conditions have been satisfied for this transmission, then a clock pulse allows gate 134 to allow the data in new P register 123 to move into old P register 128, at the very end of the execution of the current instruction. This prepares the machine for the execution of the next instruction in sequence, or as designated by the currently executing instruction if it is one which is of the type interrupting the execution sequence. Global key field 129 and local key field 133 receive the output multiplexers 57a and 57b have respectively placed on paths 120 and 121 and loaded into new P register 123 global and local key fields 124 and 125, all respectively.
In this fashion key testing occurs and keys are selected to provide a useful means for protecting the data and instructions within a computing system employing my invention.

Claims (8)

THE EMBODIMENTS OF THE INVENTION IN WHICH AN EXCLUSIVE
PROPERTY OR PRIVILEGE IS CLAIMED ARE DEFINED AS FOLLOWS:
1. In a data processing system of the type including:
a) a memory comprising a plurality of addressable cells and a data port, said cells grouped into a plurality of segments, each segment having a unique number forming a portion of the addresses of the cells in the segment, said memory accessed by externally supplied address signals each encoding the address of the cell to be referenced and specifying the memory function, said memory accepting data for storage at and supplying stored data at the data port responsive to, respectively write address signals and read address signals, said memory further having when in use, at least one instruction sequence stored in a first segment and including memory references to at least one second segment; and
b) an instruction processor supplying read address signals encoding the addresses of the instruction sequence to the memory and responsive thereto receiving at the data port the addressed instructions from the memory and executing them, and responsive to execution of certain ones of the instructions, generating address signals encoding cell addresses in at least one second segment,
an improvement comprising means for selecting and for storing in the memory for at least each referenced second segment, a numeric key/lock value stored in a cell having a preselected location associated with the second segment involved, and wherein the instruction processor further includes the improvement of:
a) means for extracting at least one numeric key value associated with the first segment, and for storing each said key value; and
b) key retrieval and comparison means for receiving address signals encoding the addresses of cells in at least one second segment, and responsive thereto supplying to the memory a read address signal encoding the address of the cell containing the numeric key/lock value for the specified second segment, and receiving that key/lock value on the data port from the memory, and for receiving the key value stored by the key selecting and storing means and comparing said key value with the key/lock value, and if not valid generating an access violation signal, but if valid transmitting the address signal to the memory.
2. The system of claim 1, wherein the processor further comprises means for comparing the key/lock value received from the memory and the key value stored by the key selecting and storing means and if either equals a preselected master value, inhibiting the generation of the access violation signal.
3. The system of claim 2, wherein the means for comparing the key and key/lock values with a preselected master value comprise means for comparing the key and key/lock values to a preselected master key value of 0.
4. The system of claim 2, wherein the key value selecting and storing means further comprises means responsive to a key selection signal for comparing each of the current key value and the key/lock value for the second segment, with the preselected master value and whenever only one of said key/lock and current key values are equal to the predetermined master value, storing the one of the key/lock and current key values unequal to the predetermined master key value as a new key value;
and wherein the instruction processor further includes means for sensing preselected ones of the instructions and issuing key selection signals to the key storing means responsive thereto.
5. The system of claim 4, wherein the key value selecting means further comprises means for comparing the key and key/lock values to a preselected master key value of 0.
6. The system of claim 2, wherein the key/lock storing means includes means for storing with each key/lock value, a global designator flag and a local designator flag; wherein the key selecting and storing means includes means for selecting and storing global and local key values, and wherein the key retrieval and comparison means comprises means for comparing at least one of the global and local key values to the key/lock value for the second segment, and if said key/lock value is unequal to at least one of the key values and the designator flag corresponding to each unequal key value is unequal to 0, issuing an access violation signal.
7. The system of claim 6, wherein the key retrieval and comparison means further comprises means for comparing the key/lock value for the second segment to both the global and local key values stored by the key selecting and storing means, and if the key/lock value for the second segment is unequal to the preselected master value and to at least one of the global and local key values unequal to the preselected master value, and the corresponding designator flag stored with the key/lock value is unequal to 0, issuing an access violation signal.
8. The system of claim 2 wherein the key selecting and storing means further comprises segment call means responsive to a call flag signal for comparing the key/lock value at the data port from the memory with the preselected master value, and when said key/lock value is unequal to the preselected master value, for setting the key value to said key/lock value; and wherein the processor further comprises means for supplying a call flag signal responsive to execution of certain ones of the instructions.
CA000415041A 1981-11-09 1982-11-08 Computer system key and lock protection mechanism Expired CA1181180A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US319,338 1981-11-09
US06/319,338 US4439830A (en) 1981-11-09 1981-11-09 Computer system key and lock protection mechanism

Publications (1)

Publication Number Publication Date
CA1181180A true CA1181180A (en) 1985-01-15

Family

ID=23241830

Family Applications (1)

Application Number Title Priority Date Filing Date
CA000415041A Expired CA1181180A (en) 1981-11-09 1982-11-08 Computer system key and lock protection mechanism

Country Status (6)

Country Link
US (1) US4439830A (en)
EP (1) EP0079133B1 (en)
JP (1) JPS58137200A (en)
AU (1) AU550871B2 (en)
CA (1) CA1181180A (en)
DE (1) DE3279802D1 (en)

Families Citing this family (45)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4525780A (en) * 1981-05-22 1985-06-25 Data General Corporation Data processing system having a memory using object-based information and a protection scheme for determining access rights to such information
JPS58116571A (en) * 1981-12-29 1983-07-11 富士通株式会社 Instruction coding method for microcomputer and microcomputer used for execution thereof
AU542447B2 (en) * 1982-02-27 1985-02-21 Fujitsu Limited System for controlling key storage unit
JPS6047624B2 (en) * 1982-06-30 1985-10-22 富士通株式会社 Address conversion control method
JPS5914062A (en) * 1982-07-15 1984-01-24 Hitachi Ltd Method for controlling duplicated shared memory
US4698752A (en) * 1982-11-15 1987-10-06 American Telephone And Telegraph Company At&T Bell Laboratories Data base locking
US4580217A (en) * 1983-06-22 1986-04-01 Ncr Corporation High speed memory management system and method
GB2149944A (en) * 1983-11-14 1985-06-19 Softnet Inc Software distribution
US4740890A (en) * 1983-12-22 1988-04-26 Software Concepts, Inc. Software protection system with trial period usage code and unlimited use unlocking code both recorded on program storage media
US4584639A (en) * 1983-12-23 1986-04-22 Key Logic, Inc. Computer security system
US4628479A (en) * 1984-08-30 1986-12-09 Zenith Electronics Corporation Terminal with memory write protection
US4888798A (en) * 1985-04-19 1989-12-19 Oms, Inc. Modular software security
US4777589A (en) * 1985-06-28 1988-10-11 Hewlett-Packard Company Direct input/output in a virtual memory system
JPS6286407A (en) * 1985-10-11 1987-04-20 Omron Tateisi Electronics Co Programmable controller
JPH0658649B2 (en) * 1985-10-28 1994-08-03 Hitachi, Ltd. Area management method in virtual memory device
JPS62262175A (en) * 1986-05-08 1987-11-14 Omron Tateisi Electronics Co Transaction processor
JPS6376034A (en) * 1986-09-19 1988-04-06 Hitachi Ltd Multiple address space control system
US5202971A (en) * 1987-02-13 1993-04-13 International Business Machines Corporation System for file and record locking between nodes in a distributed data processing environment maintaining one copy of each file lock
US5291581A (en) * 1987-07-01 1994-03-01 Digital Equipment Corporation Apparatus and method for synchronization of access to main memory signal groups in a multiprocessor data processing system
US5317717A (en) * 1987-07-01 1994-05-31 Digital Equipment Corp. Apparatus and method for main memory unit protection using access and fault logic signals
US4937736A (en) * 1987-11-30 1990-06-26 International Business Machines Corporation Memory controller for protected memory with automatic access granting capability
NL8801275A (en) * 1988-05-18 1989-12-18 Philips Nv RECORDING SYSTEM AND REGISTRATION CARRIER AND WRITING DEVICE FOR APPLICATION IN THE SYSTEM.
US5023773A (en) * 1988-02-10 1991-06-11 International Business Machines Corporation Authorization for selective program access to data in multiple address spaces
US4975870A (en) * 1988-02-25 1990-12-04 Data General Corporation Apparatus for locking a portion of a computer memory
WO1990005340A1 (en) * 1988-11-04 1990-05-17 Lama Systems Inc. Personal computer access control system
US4962532A (en) * 1988-12-22 1990-10-09 Ibm Corporation Method for providing notification of classified electronic message delivery restriction
US5027317A (en) * 1989-03-17 1991-06-25 Allen-Bradley Company, Inc. Method and circuit for limiting access to a RAM program memory
US5127098A (en) * 1989-04-12 1992-06-30 Sun Microsystems, Inc. Method and apparatus for the context switching of devices
US5016166A (en) * 1989-04-12 1991-05-14 Sun Microsystems, Inc. Method and apparatus for the synchronization of devices
US5016161A (en) * 1989-04-12 1991-05-14 Sun Microsystems, Inc. Method and apparatus for the flow control of devices
WO1990013864A1 (en) * 1989-04-28 1990-11-15 Christopher William Cowsley Improved security for machine-writeable data storage systems
CA2053261A1 (en) * 1989-04-28 1990-10-29 Gary D. Hornbuckle Method and apparatus for remotely controlling and monitoring the use of computer software
EP0478571B1 (en) * 1989-04-28 1996-09-25 Softel, Inc. Method and apparatus for remotely controlling and monitoring the use of computer software
US5153909A (en) * 1989-05-25 1992-10-06 At&T Bell Laboratories Resource control and data handling for central office based automatic call distributors
EP0432075B1 (en) * 1989-11-09 1997-02-26 International Business Machines Corporation Multiprocessor with relatively atomic instructions
US5263147A (en) * 1991-03-01 1993-11-16 Hughes Training, Inc. System for providing high security for personal computers and workstations
US5274824A (en) * 1991-03-01 1993-12-28 Bull Hn Information Systems Inc. Keyring metaphor for user's security keys on a distributed multiprocess data system
US5471526A (en) * 1994-02-28 1995-11-28 Telefonaktiebolaget L M Ericsson (Publ.) Tracing with keys and locks on a telecommunication network
US6526512B1 (en) * 1996-05-20 2003-02-25 Ncr Corporation Access key codes for computer resources
JPH1093914A (en) * 1996-09-18 1998-04-10 Sony Corp Data transmitting method, data transmitter, parameter setting method of data receiver, data receiver, data transmitting system, reproducing method and reproducing device
US6768993B2 (en) 2001-06-28 2004-07-27 International Business Machines Corporation System and method for file system cooperation in a multi-threaded environment
US8407159B2 (en) 2010-11-17 2013-03-26 Microsoft Corporation Automatic batching of GUI-based tasks
US20120131456A1 (en) * 2010-11-22 2012-05-24 Microsoft Corporation Capture and Playback for GUI-Based Tasks
US8918885B2 (en) * 2012-02-09 2014-12-23 International Business Machines Corporation Automatic discovery of system integrity exposures in system code
US10310916B2 (en) * 2017-09-14 2019-06-04 Intel Corporation Scalable spinlocks for non-uniform memory access

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB1309647A (en) * 1970-04-10 1973-03-14 Robotron Veb K Circuit arrangement for carrying out store protection
US3825903A (en) * 1973-04-30 1974-07-23 Ibm Automatic switching of storage protect keys
US3839706A (en) * 1973-07-02 1974-10-01 Ibm Input/output channel relocation storage protect mechanism
US3938100A (en) * 1974-06-07 1976-02-10 Control Data Corporation Virtual addressing apparatus for addressing the memory of a computer utilizing associative addressing techniques
US4104718A (en) * 1974-12-16 1978-08-01 Compagnie Honeywell Bull (Societe Anonyme) System for protecting shared files in a multiprogrammed computer
US4038645A (en) * 1976-04-30 1977-07-26 International Business Machines Corporation Non-translatable storage protection control system
US4096568A (en) * 1976-09-24 1978-06-20 Sperry Rand Corporation Virtual address translator
US4096561A (en) * 1976-10-04 1978-06-20 Honeywell Information Systems Inc. Apparatus for the multiple detection of interferences
US4356549A (en) * 1980-04-02 1982-10-26 Control Data Corporation System page table apparatus

Also Published As

Publication number Publication date
AU8947282A (en) 1983-05-19
DE3279802D1 (en) 1989-08-10
EP0079133B1 (en) 1989-07-05
EP0079133A3 (en) 1985-10-09
AU550871B2 (en) 1986-04-10
JPS58137200A (en) 1983-08-15
US4439830A (en) 1984-03-27
EP0079133A2 (en) 1983-05-18

Similar Documents

Publication Publication Date Title
CA1181180A (en) Computer system key and lock protection mechanism
EP0040702B1 (en) Authorization mechanism for transfer of program control or data between different address spaces having different storage protect keys
US4430705A (en) Authorization mechanism for establishing addressability to information in another address space
CA1199124A (en) System for controlling key storage unit
EP0028817B1 (en) Secure implementation of transition machine computer
CA2064640C (en) Storage protection utilizing public key control
CA1158781A (en) Mechanism for control of address translation by a program using a plurality of translation tables
US5469556A (en) Resource access security system for controlling access to resources of a data processing system
EP0319134B1 (en) Protected memory accessing
EP0306702B1 (en) Virtual input/output commands
US4945480A (en) Data domain switching on program address space switching and return
US5845129A (en) Protection domains in a single address space
US5023773A (en) Authorization for selective program access to data in multiple address spaces
EP0026590B1 (en) Improved memory protection system using capability registers
US5317717A (en) Apparatus and method for main memory unit protection using access and fault logic signals
EP0058844A2 (en) Address generator for multiple virtual address spaces
US5210832A (en) Multiple domain emulation system with separate domain facilities which tests for emulated instruction exceptions before completion of operand fetch cycle
US4782443A (en) Main storage control system for virtual computing function system with plural address modes in main storage access operations
JPS6022377B2 (en) Address control method
AU600040B2 (en) Implied domain addressing
EP0260433A2 (en) Multi-address space control method
EP0297891B1 (en) Apparatus and method for main memory unit protection using access and fault logic signals
EP0327839B1 (en) Information handling system
EP0040703B1 (en) Enhancements in system/370 type of data processing apparatus
JPH0612333A (en) Storage protection system of information processor

Legal Events

Date Code Title Description
MKEC Expiry (correction)
MKEX Expiry