Path: utzoo!utgpu!attcan!uunet!husc6!uwvax!umn-d-ub!nic.MR.NET!shamash!raspail!bga
From: bga@raspail.UUCP (Bruce Albrecht)
Newsgroups: comp.arch
Subject: Re: PEP: Page Execution Priviledge
Summary: Multics, Control Data NOS/VE
Keywords: access level, User/Supervisor.
Message-ID: <936@raspail.UUCP>
Date: 29 Sep 88 14:33:16 GMT
References: <2550@sultra.UUCP>
Organization: Control Data Corporation, Arden Hills, MN
Lines: 43

In article <2550@sultra.UUCP>, dtynan@sultra.UUCP (Der Tynan) writes:
> Rather than have a standard U/S bit in the CPU status register, it might make
> more sense to assign it to each I-page in a paged-MMU system. The idea is that
> certain functions within marked pages would carry a higher privilege than the
> rest. This could best be used to alter certain key variables in the UN*X
> kernel. [ Examples deleted. ]
>
> My question is this: Does any system implement a scheme like this? What are
> the problems with doing this? And is there anyone actually researching this?

This scheme has been around for a long time. One of the first systems that
I'm aware of that used this was Multics, which has been described in a book by
Organick (MIT Press, not sure of exact title). Control Data's Cyber 180
architecture supports this, and its NOS/VE operating system uses it. I think
the scheme is known as rings of protection.

I'm most familiar with the Cyber implementation, so I will describe it. The
Cyber has a 16-level ring hierarchy, with ring 0 the most privileged, and ring
15 the least. Most user tasks run in ring 11. The memory is segmented, with
2*12 segments of 2**31 bytes. Each segment has a 3-number ring attribute
associated with it that is used to determine access. Processes running at a
ring number less than or equal to the first memory ring number can read or
write to the memory, processes running at a ring number less than or equal to
the second memory ring number can read the memory, and if the segment is
executable, processes running at a ring number less than or equal to the third
memory ring number can call a subroutine in the segment. The second and third
ring numbers are also used to determine whether the process ring number is
lowered during a subroutine call.

In NOS/VE, all of the operating system routines are known to your task, and
therefore can be accessed by simple subroutine calls. Although data that
doesn't contain "secure" information (such as date and time) could be defined
as externally available data and just referenced, NOS/VE usually requires you
to make a call to a subroutine to get it.

Another interesting feature of NOS/VE is that all files are considered to be
memory segments, and all I/O is done by paging. You can either access files
through the record manager, or you can access the file as though it was just
a part of your memory, and put (and modify) data structures in it using memory
allocation and pointers.

Bruce
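
The three-number ring check described in the post above, as an added example that is not part of the original post and is not Control Data code. The names (`ring_access`, `struct segment`, the `demo` table and its ring values) are hypothetical and constructed for illustration; the rule for lowering the process ring on a call is not modelled because the post does not state it.

```c
#include <stdbool.h>
#include <stdio.h>

#define RING_MAX 15   /* 16 rings: 0 is most privileged, 15 least */

enum { ACC_READ = 1, ACC_WRITE = 2, ACC_CALL = 4 };

struct segment {
    const char *name;     /* label used only by this demo */
    unsigned r1, r2, r3;  /* first, second, third ring numbers of the segment */
    bool executable;
};

/* Bitmask of what a process running at `ring` may do with `seg`. */
unsigned ring_access(unsigned ring, const struct segment *seg)
{
    unsigned acc = 0;
    if (ring > RING_MAX)
        return 0;                                    /* not a valid ring: deny */
    if (ring <= seg->r1) acc |= ACC_READ | ACC_WRITE; /* first number: read/write */
    if (ring <= seg->r2) acc |= ACC_READ;             /* second number: read */
    if (seg->executable && ring <= seg->r3)
        acc |= ACC_CALL;                              /* third number: call */
    return acc;
}

/* Constructed sample segments; ring values are assumptions, not NOS/VE's. */
static const struct segment demo[] = {
    { "os_code",    3,  3,  13, true  },  /* callable from ring 11, not readable */
    { "clock_data", 3,  15, 0,  false },  /* readable by everyone, OS-writable */
    { "user_heap",  11, 11, 0,  false },  /* private to ring 11 and below */
};

int main(void)
{
    const unsigned rings[] = { 3, 11, 15 };
    for (size_t s = 0; s < sizeof demo / sizeof demo[0]; s++)
        for (size_t r = 0; r < sizeof rings / sizeof rings[0]; r++) {
            unsigned a = ring_access(rings[r], &demo[s]);
            printf("%-10s ring %2u: %c%c%c\n", demo[s].name, rings[r],
                   a & ACC_READ ? 'r' : '-', a & ACC_WRITE ? 'w' : '-',
                   a & ACC_CALL ? 'c' : '-');
        }
    return 0;
}
```

A ring 11 task can call into `os_code` without being able to read or modify it, and can read `clock_data` directly without being able to change it.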