Conventional computing facilities normally include a central processing unit, a random-access main memory, and an assortment of peripheral devices such as magnetic tape and disc secondary storage devices, card readers and punches, line printers, and communication terminals. The instructions and data utilized by a given data processing operation are often obtained from files stored on secondary storage volumes (tape reels, disc packs, card decks, etc.) and the library of files, like the hardware devices themselves, accordingly represents a valuable system resource.
In order to efficiently utilize the resources of a given computing facility, arrangements have been devised for automatically scheduling tasks which represent the system's workload and for allocating the system resources necessary to carry out these tasks. Such a job management system normally operates under the general control of the system operator, who issues directives to the system in an interpretable job control language [see, for example, OS Job Control Language by Shelly & Cashman (Anaheim Publishing Co. -- 1972)].
One important function of such a job management system is the assignment of specified files to job steps at the time they are loaded for individual execution. This permits general purpose programs to be written which are capable of manipulating a variety of files of the same general class, the particular file being specified by job control language directives at the time the job step is loaded. Thus, for example, a source language payroll program may operate upon a file relating to one company at one time and the same program may manipulate another company's payroll records at a later time. By the same token, it may be desirable to utilize a single file during the execution of different programs, and files may thus be thought of as shared resources.
While it is desirable to make the sharing of files as easy as possible, the ability to share files raises the possibility that they may be inadvertently or maliciously destroyed by an unauthorized user. In a computing facility shared by many users, it is essential that the privacy, security and integrity of each user's file be preserved. Unauthorized access to files must therefore be made not merely difficult -- it must be made practically impossible.
In multiprogrammed computing systems in which many processes are concurrently active within the system on behalf of different users, an indirect addressing mechanism called "segmented addressing" has proven to be a valuable technique for isolating the address space in memory accessible to each process. One such system is described in The Multics System: An Examination of its Structure by E. I. Organick (The MIT Press -- 1972).
Briefly, in segmented addressing systems, all instructions and data relating to a given process are placed in variable sized blocks (called "segments") and the beginning address (called the "base address") of each segment is placed in a directory (called a "segment table"). The base addresses of a set of segment tables may then be located in a more comprehensive directory. This ordered set of directories is created in main memory at the time the instructions and data relating to a given process are being loaded into memory, and the directories are then updated from time to time as necessary when segments are created, deleted, modified, or moved.
Instructions making up a procedure then specify the location of operands by means of a logical address which identifies the number of a segment table and the number of an entry in that segment table which contains the base address of the target segment. The logical address also specifies the offset (displacement) which is to be added to this base address to locate the desired operand. Because each process is able to address main memory locations only through its own directory tables, it is thus incapable of addressing information contained in segments created for another process.
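The two-level translation just described, as an added illustration that is not part of the original text: each process owns a directory of segment tables, a logical address names a table, an entry in that table, and an offset, and the result is the descriptor's base address plus the offset. The segment length field and the bounds check on the offset are assumptions added here (the text only says segments are variable sized); the memory contents, process names and addresses are constructed sample data.

```python
"""Two-level segmented addressing (added example, not from the original text).

Each process has its own directory of segment tables, so a logical address
(table number, entry number, offset) can only resolve through that process's
own descriptors.  All memory contents and addresses below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


class AddressFault(Exception):
    """Raised when a logical address cannot be resolved by the process's directory."""


@dataclass(frozen=True)
class Segment:
    base: int    # base address of the segment in main memory
    length: int  # size of this variable-sized segment (assumed field, used for bounds check)


# A segment table is a list of descriptors; a directory is a list of segment tables.
SegmentTable = List[Segment]
Directory = List[SegmentTable]


class Process:
    def __init__(self, name: str, directory: Directory) -> None:
        self.name = name
        self.directory = directory

    def create_segment(self, table_no: int, base: int, length: int) -> int:
        """Record a newly loaded segment in a segment table; returns its entry number."""
        self.directory[table_no].append(Segment(base, length))
        return len(self.directory[table_no]) - 1

    def translate(self, table_no: int, entry_no: int, offset: int) -> int:
        """Resolve (table, entry, offset) to a main-memory address, or fault."""
        if not 0 <= table_no < len(self.directory):
            raise AddressFault(f"{self.name}: no segment table {table_no}")
        table = self.directory[table_no]
        if not 0 <= entry_no < len(table):
            raise AddressFault(f"{self.name}: table {table_no} has no entry {entry_no}")
        seg = table[entry_no]
        if not 0 <= offset < seg.length:
            raise AddressFault(f"{self.name}: offset {offset} outside segment of length {seg.length}")
        return seg.base + offset

    def safe_translate(self, table_no: int, entry_no: int, offset: int) -> Optional[int]:
        """Like translate(), but returns None instead of raising on a fault."""
        try:
            return self.translate(table_no, entry_no, offset)
        except AddressFault:
            return None


# Constructed main memory: process A's second segment holds eight bytes at 200..207.
MEMORY = bytearray(512)
MEMORY[200:208] = b"PAYROLL1"

# Two processes whose directories describe disjoint segments.
PROC_A = Process("A", [[Segment(base=100, length=16), Segment(base=200, length=8)]])
PROC_B = Process("B", [[Segment(base=300, length=32)]])


def fetch(proc: Process, table_no: int, entry_no: int, offset: int) -> int:
    """Read one byte of main memory through the process's own directory."""
    return MEMORY[proc.translate(table_no, entry_no, offset)]


if __name__ == "__main__":
    print(PROC_A.translate(0, 1, 3))        # 203
    print(chr(fetch(PROC_A, 0, 1, 0)))      # P
    # B's only table has no entry 1, so B has no logical address for A's segment at 200.
    print(PROC_B.safe_translate(0, 1, 3))   # None
    # Offset 8 is past the end of A's 8-byte segment.
    print(PROC_A.safe_translate(0, 1, 8))   # None
```

Process B cannot reach the bytes at 200..207 because nothing in B's directory names that segment; the isolation comes from the directory structure itself rather than from any check on the physical address. When a segment is loaded for a process, `create_segment` updates that process's table, which mirrors the directory updates the text describes.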
In the Multics System, noted earlier, the segment directory structure is extended to embrace not only active segments stored in the system's virtual memory but also collections of records on secondary storage devices (normally called "data sets" or "files," but treated as segments in Multics). Thus, a procedure may directly address a record on secondary storage by means of a logical address and, in response, system procedures will automatically transfer the segment containing the addressed record from secondary storage into virtual memory.
Unlike the Multics segment management system in which segments on secondary storage are directly addressable by the executing procedure, more conventional "file management" systems manipulate information on secondary storage by dealing with files and buffers. The programmer furnishes a description of the needed file (which may be supplemented by a job control language directive at the time a specific file is assigned when the procedure is loaded by the system operator) to form a file control information structure. System procedures (called "access methods") are then employed to bring the needed records from secondary storage into a buffer area in main memory. A more detailed description of a widely used file management system appears in Data Structure and Management by Ivan Flores (Prentice-Hall -- 1972).