The present invention relates to a dual trust architecture. In particular, the present invention relates to an architecture for executing trusted and untrusted routines in a call stack.
In a multiuser single address space subsystem, such as IBM's CICS (CICS is a Registered Trademark of IBM Corporation), multiple threads are executed on behalf of different users within the same address space. The individual threads are usually represented by call stacks built from register save areas, in which the state of a software routine is saved while execution passes to another routine and from which it is restored on return. The state preserved on the stack includes the contents of processor registers and may also contain other processor state.
In such subsystems the contents of the stack may be open to modification by threads other than a current thread so that, when the contents of a stack element are restored, the restored state can cause accidental or malicious modifications to important system status. Such modifications can affect, inter alia: the address of the next instruction to be executed; the addresses of subroutines to be executed later; the base address(es) of a calling routine; tokens or addresses representing the identity of the user currently executing the thread.
With such modifications to the stack, the targeted thread can be made to execute an unintended function with unintended data under an unintended identity, leading to integrity and security violations such as Information Disclosure, Denial of Service, and Elevation of Privilege.
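The following is an added illustration, not part of the patent text, of the attack described above, reduced to a simulation in C. A register save area is modelled as a structure holding the address execution resumes at and a user identity token; two threads' save areas sit in one shared array, standing in for the single address space. An untrusted routine running on the second thread rewrites the first thread's saved state, so that when the first thread restores it dispatches to a privileged continuation under a privileged identity. The checked variant compares the shared element against a copy held in storage the untrusted routine is assumed not to address; that copy is only a convention in this simulation (it is just another static array), whereas on z/Architecture the Request Blocks obtain the property from key-controlled protection. All names, identities and result codes are assumptions made for the example.

```c
/* Added example (not from the patent): tampering with a saved state in a
 * shared address space, and a restore-time check against a trusted copy. */
#include <stdint.h>
#include <stdio.h>

/* Where execution resumes after a restore: the "next instruction" address. */
typedef int (*continuation_fn)(uint32_t user_id);

/* Simplified register save area (one stack element). A real one also holds
 * general registers, base registers and other processor state. */
typedef struct {
    continuation_fn next;     /* address execution resumes at on return */
    uint32_t        user_id;  /* token for the identity the thread runs as */
} save_area_t;

/* Assumed identity tokens for the example. */
enum { USER_ORDINARY = 1001, USER_PRIVILEGED = 0 };

/* Result codes so the outcome (what ran, under which identity) is observable. */
enum { RAN_NORMAL = 1, RAN_PRIVILEGED_AS_ORDINARY = 2,
       RAN_PRIVILEGED = 3, RESTORE_REJECTED = 4 };

static int normal_continuation(uint32_t user_id) {
    (void)user_id;
    return RAN_NORMAL;
}

/* A routine that trusts the identity token it is handed, as a system
 * service would. */
static int privileged_continuation(uint32_t user_id) {
    return user_id == USER_PRIVILEGED ? RAN_PRIVILEGED : RAN_PRIVILEGED_AS_ORDINARY;
}

/* Save areas for two threads live in the one shared address space, so any
 * code running in it, including the other thread's routines, can write them. */
static save_area_t shared_save_areas[2];

/* Untrusted routine executing on thread 1. Because thread 0's save area is
 * ordinary addressable storage, it overwrites the saved next address and
 * identity token. */
static void untrusted_routine_on_thread1(void) {
    shared_save_areas[0].next    = privileged_continuation;
    shared_save_areas[0].user_id = USER_PRIVILEGED;
}

/* Thread 0 without protection: save state, let thread 1 run, restore.
 * The tampered 'next' and 'user_id' are used exactly as found. */
int thread0_unprotected(int other_thread_hostile) {
    shared_save_areas[0].next    = normal_continuation;
    shared_save_areas[0].user_id = USER_ORDINARY;
    if (other_thread_hostile)
        untrusted_routine_on_thread1();
    return shared_save_areas[0].next(shared_save_areas[0].user_id);
}

/* Simulated trusted storage: by convention the untrusted routine does not
 * address this array. Only hardware protection (e.g. key-controlled
 * protection of a Request Block) would actually enforce that. */
static save_area_t trusted_copy[2];

/* Thread 0 with a restore-time check: refuse to restore if the shared
 * element no longer matches the trusted copy, and never dispatch on
 * tampered state. */
int thread0_checked(int other_thread_hostile) {
    shared_save_areas[0].next    = normal_continuation;
    shared_save_areas[0].user_id = USER_ORDINARY;
    trusted_copy[0] = shared_save_areas[0];
    if (other_thread_hostile)
        untrusted_routine_on_thread1();
    /* Compare field by field (memcmp would also compare struct padding). */
    if (shared_save_areas[0].next    != trusted_copy[0].next ||
        shared_save_areas[0].user_id != trusted_copy[0].user_id)
        return RESTORE_REJECTED;
    return trusted_copy[0].next(trusted_copy[0].user_id);
}

int main(void) {
    printf("unprotected, benign neighbour:  %d\n", thread0_unprotected(0)); /* 1 */
    printf("unprotected, hostile neighbour: %d\n", thread0_unprotected(1)); /* 3 */
    printf("checked, benign neighbour:      %d\n", thread0_checked(0));     /* 1 */
    printf("checked, hostile neighbour:     %d\n", thread0_checked(1));     /* 4 */
    return 0;
}
```

The unprotected thread ends up executing the privileged continuation with the privileged token (an elevation of privilege through a stack element it never wrote itself), while the checked thread detects the mismatch and refuses the restore. The check is only as strong as the isolation of the trusted copy, which is exactly what the Request Block chain and the key-controlled protection described below provide in hardware.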
The IBM z/OS operating system (z/OS is a Registered Trademark of IBM Corporation) provides a secure stack, more usually identified as the Request Block chain. When operating system services are used to link between programs (for instance by using supervisor calls (SVCs), or the operating system LINK or SYNCH services) the calling program's state is saved in a secure storage area, the Request Block, where it cannot be manipulated by application code. The Request Blocks are protected by a protection mechanism called the Key-Controlled Protection mechanism of z/Architecture (z/Architecture is a Registered Trademark of IBM Corporation). Details regarding the z/Architecture are described in an IBM publication entitled “z/Architecture Principles of Operation,” IBM Publication Number SA22-7832-08.
Because every transition passes through operating system services, the Request Block chain mechanism described above is expensive in resources, and its use is necessarily limited in environments where high performance is required.
U.S. Pat. No. 5,745,676 describes a Branch and Set Authority instruction (BSA) of an operating environment that, when executed in a base-authority state, saves a return address and base authority in a secure data area and sets a reduced-authority state. When executed in the reduced-authority state, the BSA instruction branches to the saved return address, restores the saved base authority, and sets the base-authority state.
It would therefore be advantageous to provide a mechanism for protecting resources created and used by trusted software routines from access and modification by untrusted software routines executing within a multiuser single address space subsystem.