1. Field of the Invention
This invention relates to computer systems and, more particularly, to improving the security of operations performed utilizing input/output devices in a new input/output architecture for computer systems.
2. History of the Prior Art
In the 1960s, International Business Machines (IBM) and Control Data Corporation (CDC) produced mainframe computers with architectures in which a central processing unit (CPU) controlled program manipulation and separate input/output processors (called channel processors or peripheral processor units) controlled input/output operations. The input/output processors used instruction sets which allowed them to carry out the somewhat limited functions designated by commands placed in memory by the central processing unit. For example, the input/output processors knew how to access data on disk and place data on an output display. This form of architecture made, and in some cases still makes, a great deal of sense. At that time, central processing units were very expensive; and using the central processing unit to accomplish input/output operations was very wasteful. Neither the CDC nor the IBM input/output processors were as powerful as the central processing unit and thus could be produced relatively inexpensively. These architectures allowed individual computers to be built to emphasize operations by the central processing unit or operations by the input/output devices. By building a faster central processing unit, the main processing functions could be made to go faster; while by building faster input/output processors, the input/output operations could be accelerated.
As an example of this type of operation, in the IBM system, the central processing unit would signal which input/output operation it desired by writing channel commands to main memory and signaling a channel processor that there was something for it to do. The channel processor would read those commands and proceed to execute them without aid from the central processing unit. If an input/output processor was instructed to do something, it would do it. As long as the operation was safe, there was no problem. Unfortunately, if the operation was something prohibited like reformatting the hard disk which contained the basic operating system, the input/output processor would also do that.
These architectures were designed to allow programs to time share (multi-task) the central processing unit. With an operating system which allows multi-tasking, it is necessary to protect the resources allotted to one application program from operations conducted by other application programs so that, for example, one program cannot write to memory over the space utilized by another program. An important part of this protection is accomplished by keeping application programs from writing directly to portions of the system where they might cause harm such as main memory or the input/output devices. Since the input/output processors would do whatever they were instructed in the IBM and CDC systems, it was necessary to limit access to these input/output processors to trusted code, generally operating system code and device drivers, in order to preclude application programs from undertaking operations which would interfere with other application programs or issuing commands which would wreak havoc with the system. Apart from any other problems, writing directly to the input/output devices creates a security problem in a multi-tasking system because the ability to write to and read from input/output devices such as the frame buffer means an application program may read what other programs have written to the device. For these reasons, both the IBM and CDC architectures kept any but privileged operating system code from writing to operating system memory and to the input/output devices.
In 1971, the Digital Equipment Corporation (DEC) PDP11 computer appeared. In the original embodiment of this architecture, all of the components of the computer are joined to a system backplane bus. The central processing unit and any other component of the computer (except main memory) addresses each other component as though it were an address in memory. The addresses for the various hardware components including input/output devices simply occupy a special part of the memory address space. Only the address itself indicates that a component is a device such as an input/output device which is other than memory. When the central processing unit wants to accomplish an input/output operation, it simply writes or reads addresses assigned to the particular input/output device in memory address space. This architecture allows all of the operations available to the central processing unit to be utilized in accomplishing input/output operations and is, therefore, quite powerful. Moreover, this allows the input/output operations to be accomplished without the need for special commands or for special resources such as input/output processors. It also allows the use of very simple input/output controllers which typically amount to no more than a few registers.
As with the earlier IBM and CDC architectures and for the same reasons, writing to the input/output devices directly by other than trusted code is prohibited by the PDP11 operating systems. The PDP11 architecture, like some of its predecessors, incorporates a memory management unit designed to be used by an operating system to allow the addressing of virtual memory. Virtual memory addressing provides access to much greater amounts of memory than are available in main memory by assigning virtual addresses to data wherever it may be stored and translating those virtual addresses to physical addresses when the data is actually accessed. Since operating systems use memory management units to intercept virtual addresses used by the central processing unit in order to accomplish the virtual-to-physical address translation, operating systems may simply provide no virtual-to-physical translations of any input/output addresses in the memory management unit for application programs. Without a mapping in the memory management unit to the physical addresses of input/output devices, the application program is required to use a trusted intermediary such as a device driver in order to operate on an input/output device in the PDP11 architecture.
Thus, in a typical computer system based on the PDP11 architecture, only trusted code running on the central processing unit addresses input/output devices. Although this architecture allows all of the facilities of the central processing unit to be used for input/output, it requires that the operating system running on the central processing unit attend to all of the input/output functions. When an application program desires to accomplish an input/output operation, it executes a subroutine call into the operating system library code. This subroutine performs an explicit trap into the operating system kernel. As a part of the trap, the operating system changes the memory management unit to create mappings to the device registers. The operating system kernel translates the virtual name used for the input/output device by the application program into the name of a device driver. The operating system kernel does a permission check to ensure that the application is permitted to perform this operation. If the application is permitted to perform the operation, the operating system kernel calls the device driver for the particular input/output resource. The input/output device driver actually writes the command for the operation to the registers of the input/output hardware which are now mapped by the memory management unit. The input/output device responds to the command by conducting the commanded operation and then generates signals which indicate whether the operation has succeeded or failed. The input/output device generates an interrupt to the device driver to announce completion of the operation. The device driver reads the signals in the registers of the input/output device and reports to the operating system the success or failure of the operation. 
Then the operating system returns from the trap with the success or failure indication, restores the mappings for the application and thus removes the mappings for the device registers, and ultimately returns from the subroutine call reporting the success or failure of the operation to the unprivileged code of the application.
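The following C model is an added illustration, not part of the patent text: an application context whose memory management unit carries no translation for the device page, so a direct store faults, beside the trap path just described, in which the kernel checks permission, maps the device registers, lets the driver write the command, reads the device status and removes the mapping again. All names (mmu_t, app_store, kernel_io_trap) and the one-byte register layout are hypothetical.

```c
#include <stdint.h>

#define PAGE     0x100                 /* bytes per page */
#define NPAGES   8
#define IO_PAGE  7                     /* physical page holding the device registers */
#define UNMAPPED 0xFFFF
#define DEV_CMD    (IO_PAGE * PAGE)    /* device command register */
#define DEV_STATUS (IO_PAGE * PAGE + 1)/* device status register: 0 ok, 1 failed */

static uint8_t phys[NPAGES * PAGE];    /* physical address space, devices included */
/* One MMU context: virtual page number -> physical page number, or UNMAPPED. */
typedef struct { uint16_t vpn_to_ppn[NPAGES]; } mmu_t;

/* Map the first n pages one-to-one; everything else, including the device
 * page, has no translation. Application and (between traps) kernel start so. */
void mmu_init(mmu_t *m, int n) {
    for (int i = 0; i < NPAGES; i++)
        m->vpn_to_ppn[i] = (i < n) ? (uint16_t)i : UNMAPPED;
}

/* Virtual -> physical; -1 means the MMU has no mapping (a fault). */
static int translate(const mmu_t *m, uint16_t va) {
    uint16_t ppn = m->vpn_to_ppn[va / PAGE];
    return ppn == UNMAPPED ? -1 : (int)(ppn * PAGE + va % PAGE);
}

/* Unprivileged store: reaches the device only if a translation exists. */
int app_store(const mmu_t *app, uint16_t va, uint8_t val) {
    int pa = translate(app, va);
    if (pa < 0) return -1;             /* no mapping: cannot touch the device */
    phys[pa] = val;
    return 0;
}
/* Device model: accepts commands 1 (read) and 2 (write), rejects the rest. */
static void device_run(void) {
    phys[DEV_STATUS] = (phys[DEV_CMD] == 1 || phys[DEV_CMD] == 2) ? 0 : 1;
}

/* Trap path: permission check, map device registers into the kernel context,
 * driver writes the command, device completes, mapping removed, status returned.
 * Returns -2 when permission is denied, otherwise the device status. */
int kernel_io_trap(mmu_t *kern, int permitted, uint8_t cmd) {
    if (!permitted) return -2;
    kern->vpn_to_ppn[IO_PAGE] = IO_PAGE;
    phys[translate(kern, DEV_CMD)] = cmd;
    device_run();
    int status = phys[translate(kern, DEV_STATUS)];
    kern->vpn_to_ppn[IO_PAGE] = UNMAPPED;
    return status;
}
```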
This sequence of steps must take place on each operation conducted using input/output resources. The process is inordinately long and slows the operation of the computer. Moreover, in contrast to earlier systems, in this architecture, there is no process by which the input/output performance of the system can be increased except by increasing the speed of the central processing unit or the input/output bus. This is an especial problem for programs which make heavy use of input/output devices. Video and game programs which manipulate graphics extensively and make extensive use of sound suffer greatly from the lack of input/output speed. Many games simply avoid multitasking operating systems such as windows systems. In general, games must be operated in single tasking systems such as Microsoft DOS which allows an unlimited form of writing directly to the input/output devices while sacrificing the integrity of the system.
It is very desirable to provide a new architecture which allows input/output operations to proceed at a faster speed so that application programs which make significant use of the input/output components may function in the advanced multi-tasking operating systems without sacrificing system integrity.
One of the important aspects of maintaining system integrity is that operations being conducted by one application program be clearly distinguishable from operations conducted by any other application program. If operations of different application programs are clearly distinguishable from one another, then the operations of different application programs may be kept from interfering with one another. Typically, the operating system provides the means by which the operations are distinguished. However, if in order to enhance the speed of operation of a computer system application programs are allowed to write directly to input/output devices, this method of distinguishing operations cannot be used.
It is desirable to provide new arrangements by which the operations of different application programs are made clearly distinguishable from one another and by which applications are kept from interfering with one another.