JPH0133857B2 - - Google Patents

Description

DETAILED DESCRIPTION OF THE INVENTION The present invention relates to a storage protection system in a storage processing device, and more particularly to an access keyed base address storage protection system.

When executing an instruction in an information processing device, there are the following two steps in the process until a storage area is accessed.

The first stage is the generation of an effective address, which consists of the address stored in the register specified by the instruction (register for address modification) and the deviation component (the deviation held during the instruction). ) and the contents of the modified register specified by the instruction) to generate the real address to be accessed. When a real address is generated, the address modification register specified by the instruction is called the base address register.
Indicates the start address of data.

The second stage is the access stage to the real storage device, which associates the effective address generated from the instruction with the logical address assigned to the storage area.
The real storage device is accessed through the address translation mechanism.

Although the storage area is accessed in this way, there are restrictions on writing to the storage area, restrictions on the execution of instructions to prevent program runaway, and restrictions on reading to protect confidential information.
Memory protection has traditionally been practiced.

Conventionally, the commonly used memory protection method is the key protection method, which protects the storage area, for example.
Divide it into 2K bytes and assign key information to each. On the other hand, a key is also set in the program status word (PSW) that indicates the status of the processing unit, and when the processing unit accesses the storage area, , the storage area is protected by comparing the key in the PSW with the key assigned to the storage area to be accessed.

Figure 1a shows the bit configuration of PSW.
Bits 8 to 11 of the 2 words and 64 bits store an access key KY that protects the memory by comparing it with the protection key.

Figure 1b shows the storage state of the protection key in the main memory.The main memory is divided into blocks of a certain number of bytes (for example, 2048 bytes).
The protection key shown in Figure 1b for each block
A key is provided.

That is, bits 0 to 3 are set to PSW when reading and writing information to the corresponding block.
The access protection bit KEY is compared to see if it matches the access key KY, and bit 4 is
This is a read protection bit F that applies memory protection only to write to "0" or to read and write to "1".

When the main memory is accessed from the processing unit, the access key KY of the PSW is compared with the protection key KEY for each block of the main memory.
For example, control as shown in FIG. 1c is performed depending on the contents of the protection keys KEY and F and the access key KY.

In FIG. 1c, under each condition (CND), when read (RD) and write (WT) are permitted, OK is shown, and when they are not permitted, NO is shown.

The assignment and comparison of these keys is performed under the control of the operating system (OS). For example, as shown in Figure 1d, the key K="0" is stored in the area where the OS that performs the basic functions of the software is stored, and the programs F0 to F2 for each user are stored under it. Different keys K=“1”, “2”, and “3” other than “0” are assigned to the areas where
As the PSW access key, the key "0" is assigned when the OS is executed, and when the user programs F0, 1, and 2 are executed, the same keys as the respective areas are assigned. A program whose key of the processing device is K="0" can access any area, so a program that manages the system can access user programs.

In this way, in conventional storage protection methods, the storage area of the logical address used in the second stage described above is divided into certain sections, and each partition is configured with information such as the ring level, access rights, and storage protection key. etc., while separate from the base address used in the first step above when executing the instruction.
For example, PSW has ring level, memory protection key,
and other access keys. And these 2
Memory protection is performed based on the relationship between two elements (keys).

In other words, conventional storage protection is performed by checking the relationship between the access destination storage partition and the protection information given to each storage partition in which the access command exists.

However, the protection system based on the relationship between these two elements protects a program or a set of instructions such as a set of programs as a unit.
In other words, the PSW is rewritten for each block within a program, and the access key is written each time, so storage is protected in units of sets.

Therefore, there are the following drawbacks.

(1) Even if you try to create a program to manage access rights information (access keys), it is difficult to effectively manage it because it is not possible to determine what program units or which partitions access rights information should be given to. It is difficult to create a program.

(2) Since the program creator must know the protection information (protection key) of the access target and control the access right information, the burden of programming is heavy and errors are likely to occur in the created program.

(3) Even if protection information is assigned to each specific section, if different types of information are stored within that section, protection for each piece of information will not be performed. Furthermore, in order to provide protection tailored to the size of each piece of information processed by a program, it is necessary to create a complex management program or to provide partitions of different sizes in the storage area, which tends to reduce processing performance.

Now, when one program accesses multiple different areas, such as when a certain area K is shared by program A and program B and program A also accesses another area J, in order to perform protection, Each time you change the access area,
It is necessary to request a procedure to change the access key, and to avoid this, it is necessary to give the program in advance a valid access key that corresponds to the protection keys of all areas that it may access. There is a need to.

As described above, in conventional storage protection systems, the units to be protected tend to be large, making it difficult to perform strict protection, and in addition to managing protection keys, controlling access keys is complicated.

An object of the present invention is to provide a memory protection method that strictly limits the range of programs that are allowed to access information and that simplifies processing when accessing and granting access right information, in order to eliminate these drawbacks. It is about providing.

The storage protection method of the present invention is based on the instructions.
As an address, in addition to location information indicating the location of the access area, an access key is added,
By treating both as one, the system is characterized by restricting access to areas outside the area on a command-by-command basis, without being aware of the existence of protected information.

Embodiments of the present invention will be described below with reference to the drawings.

FIG. 2 is a diagram showing the structure of the base address of the present invention.

The base register of the program
By storing the address (the reference address) and adding this address to the address of the instruction word, the absolute address can be obtained. When moving programs,
It is sufficient to adjust the value of the base register by the change in address. When the entire program consists of one continuous block, only one base address is required, but when it consists of a plurality of distributed blocks, as many base registers as that number are required.

The base address for a program is called the processor base address. If the base register has the number of bits that can express up to the maximum capacity of the main memory, the address part (displacement) of the instruction word can address all of the main memory even with a small number of bits, so the instruction word can be shortened. It is possible.

In the present invention, as shown in FIG. 2, a base address 1 is composed of a location component 2 and an access key 3, which are treated as one.

FIG. 3 is an explanatory diagram of the process of generating an effective address using the base address of the present invention.

Base address 1 is stored in base register 4. Further, instruction 7 is composed of instruction code f, register number r ₁ , index register number x ₂ , base register number B ₂ , and displacement D ₂ .

The effective address 9 to be accessed is calculated by adding the contents of base register 4 specified by instruction 7, the contents (deviation) of index register 6 specified by instruction 7, and deviation 5 held in instruction 7. generate.

The front part of the effective address 9 generated in this way, which corresponds to the access key 3 of the base address 1, is treated as the key component 21, and the rear part is treated as the address component 8.

In this embodiment, the access key 3 is the target of the address calculation, but even in the case where the access key 3 and the key component 21 are different as a result of this calculation, the protection key assigned to the storage area and this Since it is rare for the key component 21 to match, there is no problem if a method of checking the matching relationship between the two is used. FIG. 3-1 is an explanatory diagram of the process of generating an effective address using the base address of the present invention in which the access key 3 is not the target of address calculation.

Base address 1 is stored in base register 4. Further, instruction 7 is composed of instruction code f, register number r ₁ , index register number x ₂ , base register number B ₂ , and displacement D ₂ .

The effective address 9 to be accessed is calculated by adding the contents of base register 4 specified by instruction 7, the contents (deviation) of index register 6 specified by instruction 7, and deviation 5 held in instruction 7. address component 8 is generated. An effective address 9 is determined from the generated address component 8 and the base address access key 3.

In this way, in generating the effective address 9,
Separating and handling the key component 21 has the following effects compared to the embodiment shown in FIG.

(1) Carry of address components caused by addition of index registers can be detected, and memory protection can be performed more strictly.

(2) Since the contents of the access key 3 are saved as the key component 21, memory protection can be performed more strictly.

(3) It is possible to replace the hardware that holds the key component 21 with the hardware that holds the access key 3, and the number of hardware can be reduced. Note that in this embodiment, the location component 2 and the access key 3 may be arranged in reverse.

FIG. 4 is an explanatory diagram of the protection information check operation when the address component of the effective address of the present invention is a logical address.

First, the page table address is read from the segment number S10 of the address component 8 of the effective address 9 by referring to the segment table (ST) 13, and the page table (PT) 14 of this segment is obtained. Next, from page number (P) 11 of address component 8, page table 1
Get 4 entries.

This entry consists of an intra-page protection unit division display bit F, a division factor α, and an XPT address. When the split display bit F is “0”, it indicates that there is no split, and it is set to “1”.
indicates that it is divided. Also,
The division factor α is the number of protection units that can be used by dividing one page, and this value differs depending on the page. Depending on this value, the size of the field indicating the mini page number (mP) 12 of the address component 8 changes. Control table (XPT) 1 for dividing one page and registering protection key β15 for each division unit
6 is determined from the entries in page table 14. After the control table (XPT) 16 for that page is obtained, the protection key β15 of the target partition is determined from the mini page number mP12 of the address component 8 of the effective address 9.

Next, protection is performed by comparing the key component 21 and the protection key β15.

Note that there are two methods for comparing and checking the key component 21 and the protection key 15: one based on a magnitude relationship, and the other based on a matching relationship.

FIG. 5 is an explanatory diagram of a memory partition request and base address delivery process showing an embodiment of the present invention.

When a storage area division request 19 is made to the management program 17 from the request source program 18 using a method of checking based on key consistency,
After the management program 17 performs partitioning and generates protection keys in steps 21 to 23, it registers these in entries in the management table 16, generates access keys in step 24, and sends them to the requesting program 18. Notification of base address 20
I do.

That is, in response to a request 19 for dividing a storage area, the management program 17 sets the start address of the given partition as location component 2, generates a key according to a certain logic, and uses it as protection key 1.
5, and then register it in the entry corresponding to the given section in the protection key management table XPT16. On the other hand, using this key as access key 3, base address 1 is generated and base address 1 is notified to the requesting program.

A program that accesses this divided partition uses the base address 1 notified by the storage area management program 17 and uses the base address 1 as shown in FIG.
It is used as shown in instruction 7 in Figure 1 to generate an effective address and perform access.

Next, key generation will be explained.

The access key assigned to base address 1 has the functions of discontinuing the effective addresses for adjacent partitions and invalidating the old effective address when the use of the same partition changes. have Therefore, it is most desirable to create keys using logical, time-varying values. This can be generated from the value of a timer or by counting and counting each time a space request is allocated.
This can be easily achieved by using a cycle counter that increases.

Now, in FIG. 5, it is assumed that program 18 is user A's program A, and user B's program B also exists. First of all,
When program A requests a storage area, the management program 17 assigns partitioned area C indicated by base address ad1 (access key is 805, for example).
is given, and after program A uses the divided area C, it returns it to the management program 17.

Then, when program B requests storage space,
Base address ad2 from management program 17
Assume that the partition area C returned by the program A is given as the partition indicated by (the access key is 910, for example). In this case, address ad1
and ad2 have different keys (805 and 910), so even if there is a bug in program A and program A accesses partition C using base address ad1, it will be detected by the check mechanism of the present invention and program B The information of partition C used by is protected.

In this way, since the base address is created at the time of area allocation for the language processing program or management program, the program that uses this address is not aware of the components of the base address.

Note that an information processing system with such an address structure is equipped with a switch that disables the protection key check circuit for programs such as information gathering programs that want to operate without regard to the data structure, and also has a switch that disables the protection key check circuit. can be provided.

In the memory protection method of the present invention, (1) a program that uses divided partitions of a storage area does not need to be aware of the existence of protection information, but only needs to be aware of the area address, making it extremely easy to create a program. Become.

(2) By assigning a chronological value as a key value, access to the area can be restricted over time, so if a used partition is returned to the management program, it may be returned due to a bug in the program. It is possible to prevent users from accessing or re-accessing the information, and strict protection is possible.

(3) Information is exchanged and shared between programs through the exchange of information storage area addresses, so when information is exchanged and shared between programs, protected information is also exchanged at the same time. Protection that goes beyond programs can also be easily achieved.

(4) Conventionally, the address key was included in the PSW that was rewritten for each block in the program, but in the present invention, the base key specified by the instruction is
Since the address includes an address key, the address key can be rewritten on a per-instruction basis, allowing strict protection by restricting access to areas outside the partitioned area on a per-instruction basis. .

(5) The space indicated by the effective address is apparently expanded by the key information in the base address, and the probability that a logical address corresponding to a mistaken effective address exists can be sufficiently reduced. Sufficient protection can also be provided against base address setting errors. For example, if the location component of the base address is 16 bits and the access key is 4 bits, the probability of an incorrect effective address is conventionally 1/2 ¹⁶
In contrast, in the present invention, it is 1/2 ²⁰ ,
be small enough.

(6) By transferring the right to use an area to another program, the owner waives the right to use the area, and only the transferee has the right to use the area. In that case, create a transfer function macro (program). Security can be easily and strictly secured by changing the key using the program and reassigning it as a new base address. For example, after transferring a partitioned area C from program A to program B, even if program A accesses partitioned area C, the key has been changed, so it will be checked and cannot be read or written, making it confidential. is not leaked.

(7) When the base address is used as the processor base address of the operating program, it is extremely effective because the key can be used to check the range to which control such as branches is transferred.

As described above, according to the present invention, the key information and the start address information of the storage area are collectively treated as the address of the storage area and compared with the key information assigned to the partition on the storage area side, so access is permitted. It provides various effects, such as being able to strictly limit the scope of a program and simplifying processing when accessing and granting access right information.

[Brief explanation of drawings]

FIG. 1 is an explanatory diagram showing an example of a conventional storage protection system, FIG. 2 is a configuration diagram of a base address showing an embodiment of the present invention, and FIG. 3 and FIG. FIG. 4 is an explanatory diagram of the process of generating an effective address from an instruction using an address. FIG. 4 shows the protection key storage control table and protection key check operation when the effective address is a logical address according to FIG. 3 and FIG. The explanatory diagram, FIG. 5, is a diagram showing the process of requesting a memory partition and passing a base address according to the present invention. 1: Base address, 2: Location component, 3: Access key, 4: Base register, 5: Displacement, 6: Index register, 7: Instruction, 8: Address component of effective address, 9: Effective address , 10: Segment number, 11: Page number, 12: Mini page number, 13: Segment table (ST), 14:
Page table (PT), 15: Protection key, 1
6: Protection key registration control table (XPT), 17: Management program, 18: Request source program, 19: Split partition request, 20: Base address notification, 21:
Key component of effective address.

Claims (1)

[Claims] 1 In an information processing device in which a storage area is divided into partitions, a protection key is assigned to each partition, and an instruction to access the storage area specifies a storage location of a base address, the base address is a location component. and an access key, and calculates the address component of the effective address from the sum of the contents of the base address, the contents of the index register specified by the instruction, and the deviation held during the instruction, and also calculates the address component of the base address. The access key is added as an access key to the effective address, and on the other hand, a protection key assigned to the storage area is obtained based on the address component of the effective address, and the protection key and the protection key are added to the effective address. A memory protection method characterized by comparing and checking key components.