@h(Protection in EMAS 2900) [This document is in the form of an addendum to Reference 1.] 2900 Architecture provides a variety of methods to enable an operating system to maintain its own integrity. a) @b(Privilege). A bit in the PSW is required to execute privileged instructions. b) @b(Activate). A privileged instruction to start executing a less trusted program at a lower ACR level and on a new stack. c) @b(Out). An instruction exactly comparable to the IBM @b(SVC). Enables an untrusted program to return to Supervisor in a controlled and secure way. d) @b(ACR levels). Four bits in the @b(PSW) define the @b("Access) @b(Control") status of the running program. All store accesses (except to the current stack segment) are preceded by a check of the current ACR level against the read or write permission in the segment table. An untrusted program can not read or damage system data. e) @b(System calls). Procedure calls normally go via a descriptor but leave the stack and ACR unchanged. If a system call descriptor is supplied, the caller's ACR and PRIV are validated via a table and the call continues at a new ACR and PRIV. Calls may be made up or down the privilege hierarchy and may specify the same or a new (empty) stack, in which case firmware copies the parameters. EMAS 2900 hoped to perform all its protection using the 15 ACR levels and the System call - this proved impossible since:- 1) The stack is unprotected, so calls down the hierarchy must specify new stacks; although a return will set the stack back a system call does not and this leaves Supervisor without its global variables. 2) The system call does not check stack space - it is possible to construct a program that system calls a privileged procedure leaving it exactly 0 bytes of stack - which is catastrophic! This does not normally happen since compilers require a margin of 4096 stack bytes before compiling a call. The scheme implemented is to use System Call between User at ACR 10 and Director where failure is user-unfriendly but does not impair system integrity. The ACR checks allow system processes at ACR 5 to have access to the complete Director interface while user processes can only access a subset; this latter feature is very hard to reproduce on IBM architecture. @b(Director) at ACR 2 uses @b(Out) to enter its Local Controller in a secure manner. @b(Local Controller) exits via the @b(Activate) instruction. @b(Local Controller) and @b(Global Controller) both run at ACR1; there is one Global Controller stack which forks if there is more than one CPU. Each Local Controller incarnation has its own stack. Transitions between Local and Global are made by a machine code sequence that is effecively a PSW swop. This enables the Global Controller tables to appear as Global variables to each and every Local Controller. Since Local Controller is compiled as a subroutine of Global Controller this is very elegant and consistent. @b(Supervisor) and @b(Director) tables are normally set with the write permission equal to the owner's ACR and read permission of 5. Tables may thus be read by privileged users and system processes but not by normal users. One data segment may be read at all ACR levels and contains the time of day and other public information. @s(Retrospect on Yesterday's Design) When EMAS 2900 was designed it was not realised that firmware assistance for @b(System Calls) would not be available on the smaller models, e.g. 2946 and 2950. If firmware is missing (or present but enabling checks fail) a jump is made to a nominated PC. Recovery from this is difficult but it is possible to perform the System Call by software. Since any System Call can be made to fail by specifying ridiculous ACRs it would have been possible to do all System Calls by software and provide calls onto existing stacks as well as inserting the missing checks on stack space. The original ring based scheme could be implemented; however, soft calls cost about 2000 instructions - a formidable overhead. @s(Conclusion) IBM-type protection consisting of 2 states and an SVC to communicate between them is simple and well understood. Rings are superior if they are well thought out and free from logical flaws. Regrettably 2900 has a deficiency in its ACR scheme and the Kernel of EMAS has to protect itself with the old rather than the new technology. @s(Reference) 1. D.J.Rees and P.D.Stephens: "The Kernel of the EMAS 2900 Operating System", Software - Practice and Experience, 12, 655-667 (1982). P.D. Stephens