1. Field of the Invention
This invention relates generally to data processing systems and, more particularly, to a method and apparatus for protecting information.
2. Description of the Related Art
Computer systems have grown from the simple batch systems, wherein the valuable resource of random access memory was allocated to a single program, to the present-day multiprogramming and multiprocessing systems wherein information is shared among a community of users. In this type of shared environment, protection of shared information is required not only to maintain user security and privacy and to restrict access to information to those users entitled to it, but also to guarantee system integrity and reliability by limiting the propagation of errors through intentional or unintentional alteration of shared information. Several schemes have been utilized in the past in order to protect information. Some of them are detailed by Robert M. Graham in a paper entitled "Protection in an Information Processing Utility", published in CACM (May 1968).
Key to the protection of information has been the restriction of access to procedures that can execute on a processor to those entities having the right to use those procedures. One such concept groups the sets of procedures into rings that can be unambiguously ordered by increasing power or level of privilege. By assigning a collection of sets of procedures to a collection of concentric rings, and assigning numbers to each ring with the smallest ring having the smallest number and each succeeding larger ring having a progressively greater number, different levels of privilege can be unambiguously assigned to the user of a segment of a computer system. Under this concept, the innermost ring, having the smallest number assigned to it, has the greatest privilege. Hence, users in the lowest ring number can access information having higher ring numbers, but users in a higher ring number cannot access information having lower ring numbers, or can access information in a lower ring number only in a specified manner. The ring concept of information protection was used by the MULTICS operating system (Multiplexed Information and Computing Service) and was implemented in Honeywell's 635 and 645 computers. The MULTICS philosophy utilizes 64 rings of protection numbered as rings 0-63. The MULTICS system is described in Chapter 4 of a book entitled "The MULTICS System: An Examination of its Structure" by Elliott I. Organick, published by MIT Press, and also in the MULTICS System Programmer's Manual, 1969, MIT Project MAC. Briefly, the MULTICS system does not utilize a pure ring protection strategy, but rather employs the ring bracket protection strategy, wherein a user's access rights with respect to a given segment are encoded in an access mode and a triple of ring numbers (R1, R2, R3), called the user's ring brackets for that segment.
For purposes of understanding the present invention, R1 designates the level of privilege required to write data into the associated segment. R2 designates the level of privilege required to read the data in the associated segment (the privilege range between and including R1 and R2 being generally referred to as the execute range). R3 designates the level of privilege required to access or call the associated segment. This protection technique can be implemented wholly in software.
Because the MULTICS and Honeywell 645 version of ring protection was implemented principally in software, considerable operating system supervisor overhead was entailed whenever a call procedure or trap procedure, and the subsequent return procedure, attempted to utilize a supervisor procedure. This supervisor overhead made the system relatively slow. Accordingly, later versions implemented the ring protection concept in hardware. In one such system, data and procedure segments were grouped into a hierarchy of four rings or classes. The four rings of privilege are identified by the numbers 0-3, each ring representing a level of privilege in the system, with level 0 having the most privilege and level 3 having the least. Level 0 is known as the innermost ring and level 3 as the outer ring. The basic notion is that a procedure belonging to an inner ring has free access to data in an outer ring. Conversely, a procedure in an outer ring cannot access data in an inner ring without incurring a protection violation exception. Transfer of control among procedures is monitored by a protection mechanism, such that a procedure executing in an outer ring cannot directly branch to a procedure in an inner ring. This type of control transfer is possible only by the execution of a special call instruction or a trap handling procedure. To increase execution speed, the call instruction is implemented mainly in hardware or firmware, and certain conventions were established to protect it against misuse. The hardware implementation has the disadvantage of inflexibility in the calling and trap handling procedures: because the call instruction is designed to be wholly in firmware or hardware, the rules it enforces on the various procedures must be adhered to even when the system architecture evolves into a form not contemplated by the designer.
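The following is an added illustration of the two checks described above (the ring-bracket rules of the preceding paragraph and the inner/outer ring control-transfer rule of this one); it is not code from the patent, from MULTICS, or from the Honeywell hardware. It assumes a segment descriptor that carries the (R1, R2, R3) brackets plus a hypothetical "gate" flag standing in for the entry point that the special call instruction may target, and it assumes that a call entering from an outer ring executes at R2, the least privileged ring of the segment's execute range.

```c
#include <stdbool.h>
#include <stdio.h>

#define RING_VIOLATION (-1)

typedef enum { ACC_READ, ACC_WRITE } data_access_t;

/* Ring brackets as defined in the text: R1 = ring needed to write,
 * R2 = ring needed to read (R1..R2 is the execute range), R3 = outermost
 * ring allowed to call.  Lower number = more privilege; R1 <= R2 <= R3. */
typedef struct { int r1, r2, r3; } brackets_t;

/* Hypothetical segment descriptor (an assumption of this example): the
 * brackets plus a flag saying whether the segment exports an entry point
 * ("gate") that the special call instruction may target from an outer ring. */
typedef struct { brackets_t b; bool has_gate; } segment_t;

static bool brackets_ok(const brackets_t *b) {
    return b->r1 >= 0 && b->r1 <= b->r2 && b->r2 <= b->r3;
}

/* Data access: may a procedure running in `ring` read or write `seg`?
 * Inner rings (smaller numbers) always satisfy the bracket; outer rings
 * beyond it incur a protection violation. */
bool ring_data_access(int ring, const segment_t *seg, data_access_t acc) {
    if (ring < 0 || !brackets_ok(&seg->b)) return false;   /* malformed: deny */
    if (acc == ACC_WRITE) return ring <= seg->b.r1;
    return ring <= seg->b.r2;                              /* ACC_READ */
}

/* Control transfer: returns the ring in which the callee will execute, or
 * RING_VIOLATION.  `via_call_insn` is true when the transfer is made with
 * the special call instruction rather than a plain branch. */
int ring_call(int ring, const segment_t *seg, bool via_call_insn) {
    const brackets_t *b = &seg->b;
    if (ring < 0 || !brackets_ok(b)) return RING_VIOLATION;
    /* Caller is inside the execute range, or more privileged than it
     * (inner ring calling outward): permitted, callee keeps the caller's ring. */
    if (ring <= b->r2) return ring;
    /* Caller is in an outer ring but within the call bracket: allowed only
     * through the gate with the call instruction.  Assumption: the callee
     * then runs at R2, the outer edge of its execute range. */
    if (ring <= b->r3 && via_call_insn && seg->has_gate) return b->r2;
    return RING_VIOLATION;                                 /* plain branch inward */
}

int main(void) {
    /* Constructed four-ring example: a gated supervisor segment, a library
     * executable from rings 1-2, and an ordinary user data segment. */
    segment_t supervisor = { {0, 0, 3}, true  };
    segment_t library    = { {1, 2, 3}, true  };
    segment_t user_data  = { {3, 3, 3}, false };

    printf("ring 3 -> supervisor via call insn: %d\n", ring_call(3, &supervisor, true));
    printf("ring 3 -> supervisor via branch:    %d\n", ring_call(3, &supervisor, false));
    printf("ring 3 reads library:               %d\n", ring_data_access(3, &library, ACC_READ));
    printf("ring 0 writes user data:            %d\n", ring_data_access(0, &user_data, ACC_WRITE));
    return 0;
}
```

The two functions are deliberately separate: the data check is a pure comparison against the bracket, while the control-transfer check is the part a hardware call instruction must implement, and it is the part the text identifies as inflexible once frozen in firmware.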
A need has therefore been felt for a call instruction and a trap handling procedure, along with the associated return procedures, that have the flexibility of the MULTICS system, in which algorithms can be changed simply by changing the software programs, together with the speed and efficiency of hardware/firmware protection means, and that will meet the criteria of programming functional capability, economy and simplicity.