1. Field of the Invention
The present invention relates generally to a data processing system which operates on a message basis, and more particularly to a message-based data processing system which includes client spaces and server spaces, wherein a processing request issued by a client space in the form of a message is sent to a server space through a communication facility to be processed by the server space. More particularly, the present invention is concerned with a message-based data processing system of client/server architecture in which a request code is attached to each processing request issued by a client space, and in which the communication facility checks that request code before delivery, so that a client space is prevented from invoking the privileged functions of the kernel space and the security of the kernel space, and hence of the whole data processing system, is ensured.
2. Description of the Related Art
In the field of data processing systems, there has recently been developed and used an operating system (OS) whose functions are divided into unitary functions or function units, such as a file management function, a terminal management function, a fault management function and so forth. These divided OS functions are accommodated in spaces created in memory which are referred to as server spaces. The primitive part of the operating system, which operates in a privileged mode, is accommodated in a space referred to as the kernel (or nucleus) space, which may generally be considered one of the server spaces. In contrast, the spaces provided for application programs such as user programs are referred to as client spaces to distinguish them from the server spaces. It should be noted, however, that although the kernel space is one of the server spaces, it may also be regarded as a client space in the sense that it issues control messages to the other server spaces, as described later on. Hereinafter, the divided OS functions will simply be referred to as the server spaces, the kernel of the operating system as the kernel space, and the application programs as the client spaces. When a client space requires a service from a server space, it issues a corresponding request to the server space in the form of a message. The server space checks whether the request message carries the required authorization and provides the service to the client space only when the request is found to be authorized.
The kernel space, on the other hand, is a specific server space which holds privileged authorizations for the fundamental or primitive functions of the operating system, such as deletion of another server space, creation of a new server space and the like. The client spaces and the server spaces other than the kernel space are created and deleted by functions privileged to the kernel space, and the disposition of these spaces is managed by a server referred to as the process server space.
In order to send a processing request message, a client space must first acquire the so-called capability, i.e. the destination (sink) of the message. The capabilities of the individual client spaces are supervised by a mediator server. Exceptionally, the capabilities to the mediator server and to the process server are imparted to each client space upon its creation. These are referred to as callable capabilities (C-CAP) and cannot be used to request any processing. A client space that requires an OS function from a server space must first send a message to the mediator server using the callable capability, requesting the mediator server to check the authorization of the client space; only a client space that passes the authorization check is delivered a resource capability, with which it may then request the desired OS function, such as a file reference.
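The capability mechanism described above, as an added illustration in Python (not code from the patent): the facility keeps the capability table on its own side and hands each client only opaque handles, so a client cannot forge a capability it was never issued, and a callable capability admits nothing but the acquire exchange with the mediator. Assumed for the illustration, since the page does not specify them: the handle format, the space names `mediator`, `process` and `file`, the `acquire` request used for the C-CAP exchange, and the `grant` table the mediator consults for its authorization check.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Capability:
    holder: str                      # space the capability was issued to
    target: str                      # destination server space (sink of the message)
    kind: str                        # "callable" (C-CAP) or "resource"
    operation: Optional[str] = None  # resource capability: the one OS function it permits


class Facility:
    """Message communication facility: the only path between spaces.

    The capability table lives here, on the kernel side; client spaces hold
    only opaque handles into it (assumption of this illustration).
    """

    def __init__(self) -> None:
        self._caps: Dict[str, Capability] = {}
        # Hypothetical authorization table consulted by the mediator server.
        self._granted = set()

    def grant(self, client: str, server: str, operation: str) -> None:
        """Record that the mediator may hand `client` a resource capability (hypothetical policy)."""
        self._granted.add((client, server, operation))

    def _issue(self, cap: Capability) -> str:
        handle = secrets.token_hex(8)  # unguessable; the client never sees the Capability itself
        self._caps[handle] = cap
        return handle

    def create_client(self, name: str) -> Dict[str, str]:
        """On creation a client receives only C-CAPs to the mediator and the process server."""
        return {
            "mediator": self._issue(Capability(name, "mediator", "callable")),
            "process": self._issue(Capability(name, "process", "callable")),
        }

    def send(self, sender: str, handle: str, request: str, args: Tuple = ()) -> Tuple:
        """Deliver a message; `sender` comes from the facility's own bookkeeping, not the message."""
        cap = self._caps.get(handle)
        if cap is None or cap.holder != sender:
            return ("rejected", "no such capability for this sender")
        if cap.kind == "callable":
            # C-CAPs cannot request processing; the only thing they admit is the
            # acquire exchange with the mediator server.
            if cap.target != "mediator" or request != "acquire" or len(args) != 2:
                return ("rejected", "callable capability cannot request processing")
            return self._mediator(sender, args[0], args[1])
        if request != cap.operation:
            return ("rejected", "resource capability does not permit " + request)
        return (cap.target, request, args)  # the server space would process the request here

    def _mediator(self, client: str, server: str, operation: str) -> Tuple:
        """Mediator server: authorization check, then delivery of a resource capability."""
        if (client, server, operation) not in self._granted:
            return ("rejected", "authorization check failed")
        return ("resource_cap", self._issue(Capability(client, server, "resource", operation)))


if __name__ == "__main__":
    fac = Facility()
    fac.grant("client-A", "file", "read")          # constructed policy for the demonstration
    caps = fac.create_client("client-A")
    print(fac.send("client-A", caps["process"], "read", ("f.txt",)))    # rejected: C-CAP
    status, rcap = fac.send("client-A", caps["mediator"], "acquire", ("file", "read"))
    print(status, fac.send("client-A", rcap, "read", ("f.txt",)))       # served
    print(fac.send("client-B", rcap, "read", ("f.txt",)))               # rejected: wrong holder
```

The check that matters most is the `cap.holder != sender` comparison: a handle leaked to another client is useless, because the facility binds every capability to the space it was issued to rather than to whoever presents it.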
For a better understanding of the present invention, a description will now be made of the problem of the data processing system which the present invention solves. Referring to FIG. 6 of the accompanying drawings, which shows schematically in a block diagram the general arrangement of a message-based data processing system of client/server space architecture, a reference numeral 20 generally denotes a processor module (PM) constituted by at least one CPU (Central Processing Unit) and a memory. Provided internally of the processor module 20 are client spaces 11 which accommodate application programs and can issue a variety of processing requests in the form of messages, a kernel space 12 for controlling the whole data processing system, and a server space 17 which processes the requests issued by the client spaces 11 and accommodates programs 41a and 41b for executing the requested processing. Further, a reference numeral 40 denotes the kernel of the operating system, which incorporates a message communication facility 14. Messages sent from the client spaces 11 to the server space 17 are denoted by reference numerals 13a, 13b and 13c, respectively.
With the structure of the data processing system described above, the messages are transferred on the premises set out below in order to realize the variety of processing requests.
(a) The individual spaces are created so as to operate completely independently of one another, and each space constitutes the minimum unit for which security is to be ensured.
(b) Transactions of request and response between the client spaces 11 (inclusive of the kernel space 12) and the server space 17 are performed by using the messages 13a, 13b, 13c, etc. The server space 17 can accept the requests from a plurality of client spaces 11.
(c) To allow the server space 17 to discriminate the messages 13a, 13b and 13c from one another, the client space 11 adds an object operation code, or OOC for short (hereinafter referred to as the request code), to each message as it is issued. The content of the request code OOC is determined in advance so that the code serves as the interface agreed between the server space 17 and the client space 11.
(d) The spaces can be classified into public spaces, which comprise the client spaces and the server spaces proper and each occupy one virtual address space, and the kernel space 12, which shares a control table with the program of the kernel 40 for controlling the whole system.
In operation, when the client space 11 issues a message 13 with a request code OOC set therein to the destination server space 17, the message communication facility 14, serving as the mediator mentioned hereinbefore, forwards that message 13 to the server space 17. Upon reception of the message 13, the server space 17 identifies the content or type of the request by checking the request code OOC contained in the message 13, and thereby activates the program 41a or 41b adapted to execute the requested processing.
The data processing system described above suffers from a problem, which will be elucidated below by referring to FIG. 7 of the accompanying drawings.
In the first place, it must be pointed out that a message 13 issued from the kernel space 12, whose role is to control the whole system, has specific and important content in contrast to the messages issued from the public client spaces 11. Nevertheless, in the data processing system under consideration, a request code (e.g. OOC=x) that is intrinsically allocated to the kernel space 12 may be placed, with malicious intent or inadvertently, in a request message 13 issued from a client space 11. Since the server space 17 identifies a request solely from its request code, that message will be interpreted as one originating from the kernel space 12 even though its sender is actually a client space 11. Consequently, a processing request which controls the whole system can be issued from a client space, thereby endangering the security of the system.
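The problem of FIG. 7, placed beside the request-code check that the Field of the Invention describes, as an added example in Python (not code from the patent). Assumed for the illustration: that request codes are integers with the kernel-only codes at or above a fixed base, that the programs 41a and 41b of the server space 17 are represented by two plain functions, and that the facility learns the sender's identity from its own bookkeeping rather than from anything the client writes into the message.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

KERNEL_SPACE = "kernel"    # hypothetical identifier of the kernel space 12
KERNEL_OOC_BASE = 0x100    # hypothetical: request codes >= this are allocated to the kernel only


@dataclass(frozen=True)
class Message:
    ooc: int           # request code (OOC) written by the issuing space
    args: Tuple = ()   # request parameters


# Programs of the server space 17 (41a, 41b of FIG. 6), keyed by request code.
def read_file(args: Tuple) -> Tuple:
    return ("read_file", args)


def delete_space(args: Tuple) -> Tuple:
    # A system-controlling function: only the kernel space should be able to reach it.
    return ("delete_space", args)


SERVER_PROGRAMS: Dict[int, Callable[[Tuple], Tuple]] = {
    0x01: read_file,
    KERNEL_OOC_BASE: delete_space,   # the "OOC=x" of FIG. 7, intrinsically allocated to the kernel
}


def server_handle(msg: Message) -> Tuple:
    """Server space 17 activates a program purely on the basis of the request code;
    it has no independent knowledge of which space issued the message."""
    program = SERVER_PROGRAMS.get(msg.ooc)
    if program is None:
        return ("unknown_request", msg.ooc)
    return program(msg.args)


def facility_unchecked(sender: str, msg: Message) -> Tuple:
    """Communication facility of the related art: forwards every message as is."""
    return server_handle(msg)


def facility_checked(sender: str, msg: Message) -> Tuple:
    """Communication facility that checks the request code against the sender.

    `sender` is the facility's own record of which space issued the message
    (the facility runs inside the kernel 40 and knows the calling space); it
    is never taken from client-writable message content.
    """
    if msg.ooc >= KERNEL_OOC_BASE and sender != KERNEL_SPACE:
        return ("rejected", sender, msg.ooc)
    return server_handle(msg)


if __name__ == "__main__":
    # Constructed scenario: client-A writes the kernel-only code into its own message.
    forged = Message(ooc=KERNEL_OOC_BASE, args=("client-B",))
    print(facility_unchecked("client-A", forged))  # the server deletes client-B on a client's say-so
    print(facility_checked("client-A", forged))    # rejected in the facility, never reaches the server
    print(facility_checked(KERNEL_SPACE, forged))  # the same code from the kernel space is served
```

The check is deliberately placed in the facility rather than in the server: the server space cannot tell the two senders apart from the message alone, whereas the facility, being part of the kernel, always knows which space handed it the message.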