1. Field of the Invention
This invention relates generally to data processing systems, and more particularly to a method and apparatus for protecting information.
2. Description of the Prior Art
Computer systems have grown from the simple batched systems, wherein the valuable resource of random access memory was allocated to a single program, to the present-day multiprogramming multiprocessing systems wherein information is shared among a community of users. In this type of shared environment, protection of shared information is required not only to maintain user security and privacy and restrict access of information to those users entitled to it, but to guarantee system integrity and reliability by limiting the propagation of errors through intentional or unintentional altering of shared information. Several schemes have been utilized in the past in order to protect information. Some of them are detailed by Robert M. Graham in a paper entitled "Protection in an Information Processing Utility", published in CACM (May 1968).
Key to the protection of information has been to restrict access to procedures that can execute on a processor to those entities having the right to use them. One such concept groups sets of procedures into rings that can be unambiguously ordered by increasing power or level of privilege. By assigning a collection of sets of procedures to a collection of concentric rings, and numbering the rings so that the smallest ring has the smallest number and each succeeding larger ring a progressively greater number, different levels of privilege can be unambiguously assigned to the user of a segment of a computer system. Under this concept the innermost ring, having the smallest number, has the greatest privilege. Hence users in a lower ring number can access information having higher ring numbers, but users in a higher ring number cannot access information having lower ring numbers, or can access it only in a specified manner. The ring concept of information protection was used by the MULTICS operating system (Multiplexed Information and Computing Service) and was implemented on Honeywell's 635 and 645 computers. The MULTICS philosophy utilizes 64 rings of protection, numbered 0-63. It is described in Chapter 4 of the book "The MULTICS System: An Examination of its Structure" by Elliott I. Organick, published by MIT Press, and also in the MULTICS System Programmer's Manual, 1969, MIT Project MAC. Briefly, the MULTICS system does not utilize a pure ring protection strategy, but rather employs a ring bracket protection strategy, wherein a user's access rights with respect to a given segment are encoded in an access mode and a triple of ring numbers (R1, R2, R3), called the user's ring brackets for that segment. This technique is implemented wholly in software.
Because the MULTICS and Honeywell 645 version of ring protection was implemented mainly in software, it entailed considerable operating-system supervisor overhead, particularly when calls to greater or lesser power were made by trapping to a supervisor procedure. This made the system relatively slow. Accordingly, later versions implemented the ring protection concept in hardware. In one such system, data and procedure segments were grouped into a hierarchy of four rings or classes. The four rings, or privilege levels, are identified by the numbers 0-3; each ring represents a level of privilege in the system, with level 0 having the most privilege and level 3 the least. Level 0 is known as the innermost ring and level 3 as the outer ring. The basic notion is that a procedure belonging to an inner ring has free access to data in an outer ring. Conversely, a procedure in an outer ring cannot access data in an inner ring without incurring a protection violation exception. Transfer of control among procedures is monitored by a protection mechanism, such that a procedure executing in an outer ring cannot directly branch to a procedure in an inner ring; this type of control transfer is possible only by the execution of a special call instruction. To gain speed, the call instruction was implemented mainly in hardware or firmware, and to protect it against misuse certain conventions were set up. This has the disadvantage of inflexibility in calling procedures: since the call instruction is wholly in firmware or hardware, its rules of procedure must be adhered to even as the system architecture evolves into a type not contemplated by the designer.
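The two protection models described above, the MULTICS ring brackets (R1, R2, R3) and the four-ring hardware scheme, are captured in the following added Python example. It is not part of the patent text and is not code from any MULTICS or Honeywell system. The four-ring rules (inner ring reads outer-ring data freely, outer ring touching inner-ring data is a violation, inward control transfer only through the special call instruction) are exactly those stated in the text. The bracket semantics (write bracket 0..R1, read bracket 0..R2, execute bracket R1..R2, gate-only call bracket R2+1..R3, outward calls from below R1 continuing in R1) are taken from the published MULTICS design and are an assumption here, since the text only says that an access mode and the triple together encode the rights; the `SegmentProtection`, `RingBrackets`, `Access` and `evaluate` names are invented for the example.

```python
from dataclasses import dataclass
from enum import Enum, auto
from typing import Optional

NUM_RINGS = 4  # four-ring hardware model: 0 is innermost, 3 is outermost


def _check_ring(ring: int) -> None:
    if not 0 <= ring < NUM_RINGS:
        raise ValueError(f"ring {ring} outside 0..{NUM_RINGS - 1}")


def data_access_allowed(proc_ring: int, data_ring: int) -> bool:
    """Four-ring model: a procedure may touch data in its own ring or any outer
    (higher-numbered) ring; inner-ring data from an outer-ring procedure is the
    protection violation exception described in the text."""
    _check_ring(proc_ring)
    _check_ring(data_ring)
    return data_ring >= proc_ring


def transfer_kind(from_ring: int, to_ring: int, via_call_instruction: bool = False) -> str:
    """Four-ring model control transfer: "branch" for same-ring or outward
    transfers, "call" for an inward transfer made with the special call
    instruction, "violation" for a direct inward branch."""
    _check_ring(from_ring)
    _check_ring(to_ring)
    if to_ring >= from_ring:
        return "branch"
    return "call" if via_call_instruction else "violation"


class Access(Enum):
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()  # run the segment's code in the caller's own ring
    CALL = auto()     # transfer control into the segment (may change ring)


@dataclass(frozen=True)
class RingBrackets:
    """MULTICS-style brackets (R1, R2, R3) for one segment, 0 <= R1 <= R2 <= R3
    (bracket semantics assumed from the published MULTICS design)."""
    r1: int
    r2: int
    r3: int

    def __post_init__(self) -> None:
        if not 0 <= self.r1 <= self.r2 <= self.r3:
            raise ValueError("ring brackets must satisfy 0 <= R1 <= R2 <= R3")


@dataclass(frozen=True)
class SegmentProtection:
    """Access mode (which of READ/WRITE/EXECUTE the segment permits at all)
    together with the brackets that say from which rings."""
    modes: frozenset
    brackets: RingBrackets


def evaluate(seg: SegmentProtection, ring: int, access: Access,
             through_gate: bool = False) -> Optional[int]:
    """Decide an access attempted from `ring` against a segment's protection.

    Returns the ring in which the access proceeds (possibly 0, so callers should
    test `is None` rather than truthiness), or None when it is denied."""
    needed = Access.EXECUTE if access is Access.CALL else access
    if needed not in seg.modes:
        return None  # the access mode denies it regardless of ring
    r1, r2, r3 = seg.brackets.r1, seg.brackets.r2, seg.brackets.r3
    if access is Access.WRITE:
        return ring if ring <= r1 else None
    if access is Access.READ:
        return ring if ring <= r2 else None
    if access is Access.EXECUTE:
        return ring if r1 <= ring <= r2 else None
    # Access.CALL
    if ring < r1:
        return r1  # outward call: execution continues in the segment's ring R1
    if ring <= r2:
        return ring  # caller is inside the execute bracket: no ring change
    if ring <= r3:
        return r2 if through_gate else None  # call bracket: gate entry only
    return None  # beyond R3: no access at all


if __name__ == "__main__":
    # Constructed sample: a gate segment executable in rings 1..3, callable from 4..5.
    gate = SegmentProtection(frozenset({Access.READ, Access.EXECUTE}), RingBrackets(1, 3, 5))
    print(data_access_allowed(0, 3), data_access_allowed(3, 0))
    print(transfer_kind(3, 1), transfer_kind(3, 1, via_call_instruction=True))
    print(evaluate(gate, 4, Access.CALL, through_gate=True), evaluate(gate, 4, Access.CALL))
```

The point the text makes is visible in the two halves: the four-ring checks are a fixed comparison that belongs in hardware, whereas the bracket evaluation is a small table-driven policy that can be changed by editing software alone.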
What was needed was a call instruction for calling procedures that had the flexibility of the MULTICS system, where algorithms can be changed just by changing the software programs, together with the speed and efficiency of hardware/firmware protection means, and that would meet the criteria of functional capability, economy, simplicity in programming, and generality.