1. Field of the Invention
The present invention pertains to techniques for limiting access to certain addresses in the memory of a computer system. The guarded region is a protection mechanism which allows protected access to code and data without involving the operating system or without involving the supervisory state of the processor. The guarded region gives quick access to protected resources, provides a form of dynamic linking of routines to manipulate these resources and provides a protected access path to a resource on a need-to-know basis.
2. Description of the Prior Art
Hardware-based protection schemes have become necessary in producing reliable software. Protection mechanisms allow software errors to be detected earlier in the development cycle, and can prevent errant software from corrupting properly running software neighbors. Protection schemes may be complex and difficult to use, but most schemes seek to restrict access to portions of an address space.
Virtual memory management hardware contains a mapping mechanism that translates "virtual addresses," issued by the processor, into the physical addresses of the RAM. If the virtual to physical translation cannot be made (because the required data is still resident on disk), the processor is interrupted (even if in the middle of an instruction) and forced to enter the operating system memory management routine. This routine initiates a transfer from the disk to RAM. If necessary, it will first move blocks from RAM to disk to make space. Once started, these disk transfers take place under program control while the processor also executes other instructions.
There are many ways to map the virtual to physical addresses. In order to reduce the size of the mapping table, this is not done at a word level but in groups of consecutive words. Two main schemes are popular. The first maps a fixed-length page. A typical page, which is essentially a trick by the hardware to subdivide artificially the address space, consists of 512 to 4096 consecutive bytes that are mapped, as a whole, onto a location on the disk or into the RAM.
The alternative scheme is to use segments. A segment is a variable length section of the address space that is a logical entity to the programmer and is mapped as a whole onto the disk and/or the RAM address space Typical segment sizes vary from a few bytes to the whole address space.
Some system architectures (e.g. an IBM 370) allow the programmer to divide logical segments to separate logically distinct entities (a module of code, a stack, data etc.) but the granularity of segment length is fairly large, around 2K bytes. The segment is physically split into pages that are individually mapped onto the various memory hierarchies. This allows easy placement of pages in memory while providing the programmer with a method of dividing the address space into logically distinct segments.
While segments allow subdivision of programs and data into intellectually manageable chunks, a known division of the address space between the program and the operating system has to be defined. Ideally, one would like to embed this division into two separate address spaces. The 68010 (Motorola) processor allows this to be done by hardware using the FC2 pin. However, this arrangement slows down operating system calls because all parameters have to be transferred between the two spaces by means of a special instruction.
Computers such as the VAX (Digital Equipment Corporation) use a different solution. They divide the address space into "regions," each with its own translation table so it can be managed individually. The operating system kernel has access to all regions and can thus easily get at the process-dependent data. However, user-generated programs do not have access to the system address space for security reasons. The 32-bit address space of a VAX is divided into three fixed size regions.
A memory management unit (MMU) provides mechanisms which include memory mapping and protection of access. A user's program may be protected in a number of ways. Each address may be tagged with an indication of the address space it is associated with. Accessing an address space without permission causes a system error; e.g. accessing the supervisor data space without having supervisor permission. In general, the whole system address space may be broken up into subspaces, where permission is necessary to access a subspace. Permission may be associated with a processor mode, and processor mode change instructions used to change permission levels. Typically, a trap instruction is used to change a processor's mode from user to supervisor. Once in supervisor mode, supervisor permission is granted.
Operating systems use this technique to implement system calls. The trap amounts to a controlled jump into the supervisor space, while at the same time changing processor mode. Processor modes, then, provide a coarse-grained form of access protection. Access protection via processor modes has its drawbacks which include: (1) changing and restoring processor state, (2) mapping or moving arguments in the calling address space to the called address space, and (3) validating the size and composition of arguments. For instance, implementing a supervisory call in a typical operating system would involve invoking a trap instruction, determining the trap type, getting the supervisory call arguments, and validating those arguments. This application details a new mechanism for access protection that is more general than the typical processor mode protection, simpler to use, and more efficient, particularly when protection capabilities are not uniform across user processes.
Address spaces must first be delimited in order to be protected. One standard technique is to partition an address space into segments--variable--sized sections of memory. A related group of segments determines an address space. Typically, a segment is identified by a segment descriptor, and an address space is identified by a table made up of segment descriptors; i.e. a segment table. A process's address space can be partitioned into variable-sized regions, each having its own segment table. One region might contain the operating system kernel, another the user's code, and yet still another library code common to all processes. Regions allow sharing of code. Each region has associated with it a segment table pointer and a segment table length. Typically, these values are present in special registers.
In most existing system implementations today, hardware does not contain any provision for altering such protection mechanisms. All protection is done by the software. Calls to protected routines cause a hardware trap or supervisor call. The context or state of the current instruction running in the processor is stored and new context is loaded. This new program examines the request, and, if it is granted, a new context is created that permits entry to the requested routine. Typically, this takes up to 300 microseconds.
Existing systems with additional protection facilities divide the address space into a set of hierarchical concentric rings, where the radius of each ring is an address. In any given ring, a program has access to the address space of its own ring and the address space of all the rings outside itself. Ring crossing through inside rings is controlled by gates that give the entry points at which rings may be entered. Though rudimentary and hierarchical, this technique clearly works, and allows protected systems to be built.
The guarded region technique presented herein not only restricts access to a portion of an address space, but also allows its re-definition. Depending on the associated system software, multiple definitions may exist for the same software routine. An embodiment of this scheme can be found in the Signetics Memory Access Controller (MAC). This present disclosure seeks to detail the general idea behind guarded regions and to discuss its embodiment in the Signetics Memory Access Controller (MAC), designated SCC 68910 and SCC 68920.