JPH05151088A - System and device for storage protection of storage system - Google Patents

Abstract

PURPOSE:To freely set the range of a protection area by adding a little hard ware. CONSTITUTION:In the storage system which has a data processor and a storage controller, sections constituting logic addresses are extracted by a section information extraction device 1, and storage protection information on respective identified sections is extracted by a storage protection information extraction device 12; and an instruction access permission signal generating circuit 14 generates a permission signal permitting access to an instruction according to storage protection information on respective sections that an instruction being executed has and the storage protection information on the respective sections and a data access permission signal generating circuit 15 generates a permission signal permitting access to data according to section identification information that the instruction being executed has, storage protection information on the instruction being executed, and the storage protection information on the respective sections.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a storage protection device for protecting a memory from unauthorized access in a storage system composed of a processor and a storage management device.

[0002]

2. Description of the Related Art Conventionally, a data processing device having a function of accessing an instruction and a data based on a logical address and a storage management for managing physical storage corresponding to a logical address output from the data processing device by partition information. In a storage system having a device, what is called an MMU is used as a storage management device to convert a logical address into a physical address and protect a memory area indicated by the physical address. This kind of protection of the memory area is necessary for multiple programs to share the physical memory when performing multiple programming, and means for limiting only correct access between different programs is required. Met.

In order to solve this, there has been a method of limiting access to certain data by using an identifier indicating from which program the data is accessed. In this method, the identifiers that can be used in advance are arranged between programs,
At the time of access, the identifier of the accessing side was compared with the identifier of the accessing side, and only the access with the correct identifier was permitted. As a memory protection device having this principle, a segmentation system and a ring protection system are known.

In the segmentation system, in order to secure an area peculiar to a certain program, an identifier that can be used only by the program is assigned, and in order to secure an area shared by the programs, a common identifier between the programs is assigned. It can be realized by assigning it, and can be obtained as a highly flexible protection mechanism. However, handling a plurality of identifiers requires a plurality of identifier storage registers and a plurality of identifier comparators. This necessitates the addition of a lot of special hardware to the data processing device or the storage management device, and when switching the segments, a lot of time is required to exchange a plurality of registers.

Further, in the segmentation method, as another method of handling a plurality of identifiers, a method of preparing a special instruction in the data processing device and designating the identifiers at the time of execution has been considered. Since this switching operation can reduce the number of identifier storage registers, the time required to replace the segment registers can be shortened. However, each execution of these instructions takes time, which is an obstacle to improving the throughput of the program. Therefore, in the segmentation method, it is easy to completely separate different programs, but sharing of data between programs requires a lot of hardware and complicated operations.

On the other hand, in the ring protection type,
The strength relationship is determined according to the permutation of the identifiers, and the transfer of control to the strong area is limited to those that have performed the correct procedure, and the access to the protected area is prohibited so that the data access to the strong area is prohibited. It became possible to give directionality to. In this method, since one identifier has a right to a plurality of areas, it is possible to reduce the number of identifiers which is a problem in the segmentation method, and it is possible to shorten the switching time of the identifier. The verification of the correctness of the identifier is performed, for example, as shown in FIG. 21, mainly by comparing the identifier of the accessing side with the identifier of the accessing side at the time of access, and a special instruction is given to the data processing device. You no longer need to add.

[0007] However, in this system, the part where the area represented by an identifier overlaps the area represented by another identifier is determined such that the area where the identifier is strong includes the area where the identifier is weak, and the protection area is set. It had the drawback of not being flexible.

Generally, in the ring protection system,
One kernel program is positioned as the strongest, and the protection strength of the target program is determined by the total order of strength based on the absolute strength relationship with the kernel program. However, in a server / client processing method in which a large number of programs collaborate to perform processing while requesting processing, the order relationship between programs may change from execution to execution. It was difficult to preset the protection strength.

FIG. 7B is a conceptual diagram showing the strength relation of the storage areas realized by the ring protection method. In this case, assuming that the partitions 1 to 4 correspond to the programs 1 to 4, respectively, if the programs 3 and 4 each have a data area unique to the program, the data areas can be hidden from each other. It is necessary to allocate the programs 3 and 4 to at least the same strength, and to provide a means for distinguishing the areas other than the ring protection system.

Further, in the figure, although four kinds of strengths are prepared for four programs, if the programs 3 and 4 have the same strength, there is a strength to which a program cannot be assigned. That is, this means that two programs having no order relation must be assigned to the same strength, while there is a strength to which an appropriate program cannot be assigned. This ordering conflict is more likely to occur as the number of programs allocated in the protection space increases,
There is a drawback that complicates the management of protection strength.

Therefore, such a ring protection system is well suited when the cooperative relationship between the programs is monotonous and fixed, but has a drawback that it lacks the ability to express the partial order relationship between the programs. This means that it is impossible to dynamically set the dynamic relationship between programs as the programs progress. Further, in the ring protection system, an area belonging to a certain strength can be accessed from an area stronger than that area, and the area unique to the program cannot be provided.

On the other hand, recently, a basic program (OS)
Has a tendency to bloat due to an increase in functions, and in the past,
What was one program was divided into multiple programs for each function, and they came to work in cooperation with each other. In addition, with regard to application programs, a method of constructing a combination of a plurality of hidden programs has come to be used in order to improve software productivity.

However, in the case of operating a plurality of cooperating programs, the context
A lot of time is spent in the process of switching and the process of copying the argument. In order to solve this problem, a method of allocating a plurality of programs to one logical space and omitting the processing required for program switching has been desired. In this method, since information that could not be accessed because it existed in different logical spaces in the past exists in the same space, it was necessary to provide means for accessing this information only by a valid instruction. Therefore,
When trying to realize this method, there is a problem that the segmentation method requires a lot of hardware and the switching of the access area is complicated, and the ring protection method dynamically changes the dynamic relationship between programs. There was a problem that it could not be changed and the protection range could not be freely set between programs. As described above, in order to protect the storage area between a plurality of programs, it is considerably difficult to provide a flexible and simple protection device in which the range of the protection area can be freely set.

[0014]

As described above, according to the conventional storage protection device, it is difficult to set a free range and dynamically change the strength in the system in which the identifier of the storage protection area has strength. In addition, there is a problem that a lot of hardware and special instructions are required to finely set the memory protection area.

The present invention has been made in view of the above circumstances. The range of the protection area can be freely set by adding a small amount of hardware, no special instruction is required, and the data processing time is not extended. It is an object of the present invention to provide a memory protection device capable of performing the above.

[0016]

A storage protection system of the present invention corresponds to a data processing device having a function of accessing an instruction and data based on a logical address and a logical address output from the data processing device. In a storage system having a storage management device that manages physical storage by partition information, partitions that compose a logical address are identified, access permission information is given to these identified partitions, and the command is issued based on the access permission information. And the access of the data are permitted.

Further, the storage protection device of the present invention partitions a data processing device having a function of accessing instructions and data based on a logical address and a physical storage corresponding to the logical address output from the data processing device. In a storage system having a storage management device managed by a partition information extraction unit that identifies partitions that form a logical address, and a unit that adds storage protection information for each partition identified by the partition information extraction unit as access permission information. A means for holding storage protection information for each partition of the instruction currently being executed, each of the storage protection information and the access permission information for the instruction currently being executed due to the access of the instruction by the data processing device Permission to grant access to commands based on said protected information for partitions Means for generating a signal, partition identification information in which an instruction currently being executed exists due to occurrence of access to data by the data processing device, the storage protection information for the instruction currently being executed, and each partition provided as access permission information. And a means for generating a permission signal for permitting data access based on the storage protection information.

Further, according to the present invention, the storage protection information for each section identified by the section information extracting means is a right permitter indicating a right of access to each section, and the right permitter is a permission for access of an instruction. The execute permission to represent,
A partition that is made up of a transition permitting element indicating that the instruction is allowed to access a different section, and the permission signal for permitting the access of the instruction is permitted by the right permitter of the section to which the instruction executed immediately before belongs and is accessed. Transition permitter of the partition that is accessed from the partition that indicates that the execution permittor of is the instruction storage area or the execution permission of the partition to which the previously executed instruction belongs is the instruction storage area Indicates a permission or a partition in which the execution permit of the partition to which the transition permit to which the instruction executed immediately before belongs belongs is an instruction storage area. It is limited to crabs.

Further, the permission signal for permitting access to data is limited to the case where the right permitter of the partition permits access from the partition that has issued the data access command.

[0020]

According to the present invention, the determination that the correct access is made to the storage protected area is made by granting the access permission to each partition. The means for granting this access permission is correct by using the identifier of the partition to which it currently belongs, the identifier of the access destination, and the information indicating whether the access made is an instruction access or a data access as arguments. Acts as a function to return access. Therefore, the means of granting access permission is
If an arbitrary return value can be set for an arbitrary combination of these three arguments, it is possible to express a partial order relation between two identifiers regardless of the order relation of the identifiers. Furthermore, for any combination of these three arguments, even if the storage protection information management program changes the return value during execution of the general program, the return value for the other combination of arguments is not changed.

Further, according to the present invention, as the memory protection information given by the means for giving access permission, the right permitter indicating the right of access to each partition and the right permitter are the permissions for the access of the command. There is an execution permit that represents that and a transition permit that represents that the access of an instruction to a different partition is permitted, and these act as a correspondence table of arguments and return values in the above functions. Further, the means for granting the access permission determines whether or not the access of the instruction is performed to the partition different from the partition in which the previous instruction exists every time the data processing device causes the access based on the correspondence table. It is possible to generate a signal indicating, a permission signal for permitting access of an instruction, and a permission signal for permitting access of data. The permitter, which is an element of the correspondence table, contains more information than the identifier used in the ring protection method because it has more flexibility than the identifier used in the ring protection method, and thus requires more storage area than the identifier in the ring protection method. However, accessing the correspondence table and applying it as the function can be realized almost in the same way as the function applying method used in the conventional ring protection method, does not require much hardware, and requires no special instruction. Don't need Here, the size of the storage area constituting the partition, which is the minimum unit of storage protection, will be referred to as an area hereinafter. The permitter, which is an element of the correspondence table, is set for each area. Since the area corresponds to one page in the page-type storage management device, the area may be referred to as a page, but the present invention can be applied to methods other than the page method.

According to the present invention, when the means for giving access permission gives the access for the instruction, the right permitter follows the information held by the right permitter of the partition to which the instruction currently being executed belongs. It works to only allow instruction access to authorized partitions. This limits the range in which instructions can be moved depending on the partition to which they belong, and programs with weak rights such as user programs can be
The execution section can be easily transitioned from a strong program to a weak program so that a part of a program with strong rights such as a program is not executed. on the other hand,
It is not possible to call a strong program from a weak program only by the limitation by the rights permitter. In order to avoid this, it is necessary to allow the right entrance address to the correct entry address even in the area where the instruction is not allowed to be executed. As described above, in the conventional method, a special instruction is prepared in the data processing device to determine whether or not the access is a correct instruction. According to the present invention, when it is desired to branch the execution of an instruction to a partition which is not permitted by the right permitter, the transition permittor branches to a region representing permission, and further from there to a target partition, thereby executing a special instruction. It is possible to limit the range of movement of instructions without providing them, realize that a lot of hardware is not required, and that the flow of execution that may occur with a special instruction is not disturbed. Here, a region in which the transition permitter represents permission is hereinafter referred to as a transition region. The transition area is protected so that the correct entry address of a program existing in another partition is usually set by a basic program and cannot be changed by a general program. Therefore, according to the present invention, it is possible to prevent an unauthorized program from branching to a routine other than the entry address of the branch destination partition and performing the processing without confirming the right to execute the program.

Further, according to the present invention, when the accessed partition can be determined to be data by the execution permit, the right permit can be used as information indicating the right to access the data. That is, in the present invention, the area to which the data is permitted to be accessed by the right permitter is independent of the area to which the instruction is permitted to access. It becomes possible to set an area that can be shared with other partitions. Therefore, the present invention can conceal data, which is effective in protecting a program.

Further, according to the present invention, when the partition identifier used for identifying the partition in the logical space is limited to be allocated to the upper bits of the logical address, only the change of the logical address is detected. , It is possible to detect that an access that crosses partitions has occurred. If the partition identifier is not assigned to the logical address, it can be realized by the storage protection method having information for each page of the managed partition, and the partition size can be made uneven, but since the information is stored and retrieved. Increase the amount of hardware. When allocating the partition identifier to the upper bits of the logical address, this hardware amount can be reduced.

[0025]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS An embodiment of the present invention will be described below with reference to the drawings.

In this embodiment, the case where the logical address space is divided into eight partitions will be described as an example. However, the present invention is not limited to this, and the partition identifier and the right permitter are included in the number of partitions. The address space can be divided into any number as long as the size can be adjusted according to. Further, in this embodiment, a page system using a physical page as the minimum unit of protection constituting one partition will be described as an example, but the present invention is not limited to this, and the size can be managed by the storage management device. If so, any size can be applied as a unit.

FIG. 1 shows a schematic configuration of the same embodiment. In this case, the storage protection device is the partition information extraction device 1,
Storage protection information extraction device 2, current partition identifier 3, current transition permitter 4, current execution permitter 5, current right permitter 6, target partition identifier 7, objective transition permitter 8, objective execution permitter 9, objective right permit It includes a child 10, a read permitter 11, a write permitter 12, a partition transition signal generation circuit 13, an instruction access permission signal generation circuit 14, a data / access permission signal generation circuit 15, and a control circuit 16.

The partition information extraction device 1 generates a partition identifier from a logical address generated by a data processing device (not shown). In this case, when the partition identifier is assigned to the upper bits of the logical address, only the portion corresponding to the partition identifier is selected from the logical address and output. Also,
If the partition identifier is in the storage device along with other storage protection information, from the logical address and the table start address,
A table storing information is accessed to acquire and output partition identification information for a target logical address.
The partition identifier extracted from the partition information extraction device 1 is temporarily stored in the target partition identifier 7.

The storage protection information extraction device 2 generates storage protection information from a logical address generated by a data processing device (not shown). In this case, the storage protection information extraction device 2 uses the logical address to convert the TLB (Translation Look-aside Buffer)
Or by accessing the inside of the storage device from the logical address and the table start address, the storage protection information for the target logical address is acquired and output.

The current partition identifier 3 holds the partition identifier in which the instruction currently being executed exists, and is replaced with the partition identifier output from the control circuit 16 when the page in which the instruction exists changes.

The current transition permitter 4 holds the transition permittor of the instruction currently being executed, and is replaced by the transition permittor output from the control circuit 16 when the page in which the instruction exists changes. It

The current execution permit 5 holds an execution permit indicating that the area in which the instruction currently being executed exists is an instruction storage page. When the page in which the instruction exists changes, the control circuit is controlled. It is replaced with the execution permitter output from 16.

The current right permitter 6 holds the right permitter of the page in which the instruction currently being executed exists, and when the page in which the instruction exists changes, the right permit output from the control circuit 16 Is replaced by a child.

The purpose transition permitter 8 holds the transition permittor of the page indicated by the logical address in the storage protection information output by the storage protection information extraction device 2.

The purpose execution permitter 9 holds the execution permitter of the page indicated by the logical address in the storage protection information output by the storage protection information extraction device 2.

The target right permitter 10 holds the right permitter of the page indicated by the logical address in the storage protection information output by the storage protection information extraction device 2.

The read permittor 11 holds the read permittor of the page indicated by the logical address in the storage protection information output by the storage protection information extraction device 2.

The write enabler 12 holds the write enabler of the page indicated by the logical address in the storage protect information output by the storage protect information extraction device 2.

The partition transition signal generation circuit 13 is composed of a comparator 131 and an AND gate 132 as shown in FIG. 2, and compares the current partition identifier and the target partition identifier with the comparator 1.
The result of comparison in 31 does not match, and the partition transition generation signal is set to be true when the instruction is fetched. As a result, the partition transition generation signal is set to false when the same partition is being accessed or data access.

The instruction access permission signal generation circuit 14 has a selection circuit 141 and AND gates 142 to 142 as shown in FIG.
144 and an OR gate 145, an instruction access permission signal is generated from the storage protection information corresponding to the instruction currently being executed, the target partition identifier and the storage protection information of the target partition. In this case, the selection circuit 1 selects the target partition identifier from the current right permitter as a selection signal.
The bit selected by 41 is true and the target execute permit is true, or the current execute permit is true and the target transition permit is true, or the current transition permit is true and The instruction access permission signal is set to be true when either the target execution permit is true.

Data access permission signal generation circuit 15
Is a comparator 151 and a NAND gate 15 as shown in FIG.
2, a selection circuit 153, and AND gates 154 to 157, which read the current partition identifier, the memory protection information corresponding to the instruction currently being executed, the target partition identifier, the memory protection information of the target partition, and the data. A data access permission signal is generated from the indicated signal and the signal indicating the writing of data. In this case, it is the same partition as the partition currently being executed, or the target page is not executable, and the bit selected by the selection circuit 153 from the target right permitter using the current partition identifier as a selection signal is true, Further, the data access permission signal is set to be true when the read permission is true when reading the data or when the write permission is true when writing the data.

The control circuit 16 is composed of a gate 161 as shown in FIG. 5, and outputs the target partition identifier and the target storage protection information to the memory holding the current partition identifier and the current storage protection information. To control. In this case, the target partition identifier and the target storage protection information are stored in the gate 161 when the instruction access permission signal is true.
It is designed to be output via.

In the above structure, first, in the case of instruction access, that is, instruction fetch, a logical address and an instruction fetch signal are given to the memory protection apparatus shown in FIG. 1 from a data processing apparatus (not shown).

In this case, the logical address is input to the partition information extraction device 1 and the storage protection information extraction device 2. The partition information extraction device 1 generates a target partition identifier from the logical address, outputs it, and stores it in the target partition identifier 7. Also,
The storage protection information extraction device 2 generates and outputs target transition permitters, execution permittors, right permittors, read permittors, and write permittors from the logical address, and the target transition permittor 8 and the objective execution permitter, respectively. 9, the object right permitter 10, the object read permittor 11, and the object write permitter 12 are stored.

When the target partition identifier and the target storage protection information are generated by the partition information extraction device 1 and the storage protection information extraction device 2, the instruction access permission signal generation circuit 14
Generates an instruction access permission signal from the target partition identifier, the target storage protection information, the current transition permitter, the current execution permittor, and the current right permitter, and the partition transition signal signal generation circuit 1
3, a partition transition generation signal is generated from the target partition identifier, the current partition identifier and the instruction fetch signal.

In this case, when the instruction access permission signal is true, that is, when the partition executing the instruction is correctly changed by a branch instruction or the like, the control circuit 16 causes the target partition identifier, the target transition enabler, and the target execution enabler. And the target right permitter are output to the current partition identifier 3, the current transition permitter 4, the current execution permitter 5, and the current right permitter 6, respectively. That is, these current partition identifier 3, current transition permitter 4, and current execution permitter 5
And the current right permitter 6, when the instruction access permission signal is true,
The new value is replaced according to the output of the control circuit 16. If the page currently executing the instruction does not change, the current value is retained.

Here, FIGS. 6A and 6B show an example of allocation of each permitter in the embodiment. This allocation example realizes the protection strength relationship shown in FIG. 7A, and the operation will be described below using this example.

FIG. 8 shows an operation example in the case of executing an instruction in the same partition at the time of instruction fetch. In this example, the partition in which the instruction currently being executed exists is a partition (2 ), And the partition in which the newly generated instruction exists is the same partition (2), so partition transition does not occur. Further, since the execution of the instruction is permitted by the current right permitter in the section (2) which is currently being executed, the instruction access permission signal is asserted.

FIG. 9 shows an operation example when transitioning to a different partition at the time of fetching an instruction. In this example, the partition in which the instruction currently being executed exists is the partition (2) as indicated by the partition identifier. Since the partition in which the newly generated instruction exists is partition (1), a partition transition occurs, and the partition transition signal generation circuit asserts the partition transition signal.
In addition, the instruction access permission signal is asserted by the instruction access permission signal generation circuit because the execution of the instruction is permitted by the current right permitter of the currently executed division (2) in the access destination division (1). .. When the access of the instruction is permitted, the section where the instruction being executed exists is the section (2).
To partition (1), the current partition identifier is partition (1)
The current transition permitter, the current execution permittor, and the current right permitter are replaced with the values corresponding to the target page, respectively.

Here, according to the example of the storage management information shown in FIG. 6, the partition that can directly branch from the partition (1) is only the partition (1) and the transition page. FIG. 10 shows an operation example when branching to a transition page at the time of instruction fetch,
In this example, the transition page is in the partition (7 'and the transition enabler is asserted. Since the execution of the instruction transits from the partition (1) to the partition (7), the partition transition signal is asserted. Since the transition permitter of the partition (7) of (1) is asserted and the current execution permittor is asserted,
The instruction access permission signal is asserted.

Here, when the access of the instruction is permitted, the section in which the instruction being executed is present transits from the section 1 to the transition page, the current section identifier is the section (7), the current transition permitter, and the current execution permission. The child and the current right grantor are replaced with the values corresponding to the target page. Also, from the transition page,
You can branch to the execute permission page of any partition.

FIG. 11 shows an operation example when branching from the transition page at the time of instruction fetch. In this example,
The transition permission section branches to the execution permission page of section (3). Since the transition permission partition is in the partition (7) and the execution of the instruction transits to the partition (3), the partition transition signal is asserted. Since the current transition permitter is asserted and the target execution permittor is asserted, the instruction access permit signal is asserted.

The case where the access of the instruction is permitted has been described above. Next, FIG. 12 shows an operation example in the case where an attempt is made to transit to a section where the instruction is not permitted. In this example, when the partition in which the instruction currently being executed exists is partition (1), and the current right permitter permits only execution of partition (1), the branch to partition (3) is attempted. Is shown. The current right permitter does not permit branching to partition (3), and the target partition 3 is indicated by the target transition permitter to be not a transition page, and the area currently being executed transits by the current transition permittor. The instruction access grant signal is not asserted because it is shown to be not a page. Therefore, by seeing this signal, it is possible to know that an illegal instruction access has occurred.

Next, in the case of data access, a logical address, a data read signal and a data write signal are applied to the storage protection device shown in FIG. 1 from a data processing device (not shown).

In this case, the logical address is input to the partition information extraction device 1 and the storage protection information extraction device 2. The partition information extraction device 1 generates a target partition identifier from the logical address, outputs it, and stores it in the target partition identifier 7. Also,
The storage protection information extraction device 2 generates and outputs target transition permitters, execution permittors, right permittors, read permittors, and write permittors from the logical address, and the target transition permittor 8 and the objective execution permitter, respectively. 9, the target right permitter 10, the target read permitter 11, and the purpose write permitter 12 are stored.

When the partition information extraction device 1 and the storage protection information extraction device 2 generate the target partition identifier and the target storage protection information, the data access permission signal generation circuit 15 causes the target partition identifier and the target storage protection. A data access permission signal is generated from the information, the target read permission, the target write permission, and the current partition identifier.

Here, FIG. 6 shows an example of allocation of each permitter in the embodiment. This allocation example realizes the protection strength relationship shown in FIG. 7A, and the operation will be described below using this example.

FIG. 13 shows an operation example in the case of writing data to a partition with permission at the time of data fetch. In this example, the partition in which the instruction currently being executed exists is the partition (2), and a certain execution is performed. The case where the inside instruction writes data to the section (1) is shown. Here, the purpose-execution permitter indicates that the target page is not an execution-permitted page, that is, a data page, and the purpose-rights permitter permits access to the target page from the partition currently executing the instruction. And the write enabler allows writing to the data write signal,
The data access grant signal is asserted.

FIG. 14 shows an operation example when data is read from an unauthorized partition at the time of data fetch. In this example, the partition in which the instruction currently being executed exists is partition (2). Yes, there is a case where an instruction being executed reads data from the partition (4). Here, the purpose execution permission indicates that the target page is not the execution permission page, that is, the data page,
Moreover, the read permitter permits the data read signal to be read, but the target right permittor does not permit access to the target page from the partition currently executing the instruction. Is not asserted.
Therefore, by seeing this signal, it is possible to know that an unauthorized access to data has occurred.

Next, FIG. 15 shows the operation of the partition information extraction device 1, and FIG. 15A shows an example of the partition information extraction processing. In this example, part of the logical address is used as the partition identifier. Therefore, a part of the input logical address is output as the partition identifier. As a result, the target partition identifier can be extracted in a short time. On the other hand, FIG. 9B shows another example of the section information extraction processing. In this example, the partition identifier exists in a table on the storage device along with other storage protection information. Therefore, a part of the input logical address is used as an offset for storage device or TLB (Trans
Fetch the partition identifier from the (Look-aside Buffer) and output it. As a result, a partition independent of the logical address can be set and can be executed simultaneously with the storage protection information extraction processing.

In this case, the storage protection information exists in the table on the storage device. Therefore, the memory protection information extraction device 1
Fetches the storage protection information from the storage device or TLB using the part of the input logical address as an offset and outputs it. FIG. 16 shows an implementation example of one item of a table containing storage protection information. FIG. 16A shows an implementation example of one item of a table containing storage protection information, showing that the contents of this item are fixed. It is composed of the definite term shown, a read permitter necessary for the storage protection information, a write permitter, a transition permitter, an execution permittor, and a right permitter. Further, FIG. 6B is another example of realization of one item of the table including the memory protection information, and a definite term indicating that the content of this item is definite, a read permission required for the memory protection information, It shows that a partition identifier may be included in addition to the write permitter, the transition permitter, the execution permittor, and the right permitter.
Further, (c) and (d) of the same figure are other examples of realization of one item of the table including the memory protection information. It is shown that 5 bits of the write permitter, the execution permittor, and the transition permitter may be encoded into a 3-bit operation type code.

Since the storage protection information exists in the table on the storage device, the storage protection information is set by performing normal data access to the storage device, and the storage protection information is protected by this storage protection device. This can be realized by making a normal access permission judgment to the existing storage device. As described above, since the right grantor in the memory protection information represents the relationship between the current section and the target section, changing the relationship between two sections does not change the relationship between other sections. Therefore, changing the right permitter does not change the relationship between partitions other than the partition to be changed even during program execution, and normal data
It can be easily performed using an access command. Note that
When using the TLB, it is known that the rights permitter on the storage device and the rights permitter of the TLB match even if the rights permitter is changed.

FIG. 17 is a block diagram showing an example of a storage management device including the storage protection device of the above-mentioned embodiment. In this case, the storage management device 17 is composed of a storage protection device 171 and an address translation device 172. There is. 18 is a block diagram showing another example of the storage management device. The storage management device 18 in this example also includes an instruction address translation device 182 and an address translation device 18 in addition to the storage protection device 181.
However, this case is applicable not only to the case where the data processing device outputs a single logical address but also to the data processing device which outputs the instruction logical address and the data logical address separately. it can.

Therefore, in this way, the access right can be set for each of the logical address of the instruction and the logical address of the data based on the partial order relation between the partitions. For example, when the permitters shown in FIG. 6 are assigned, the range that can be directly branched from the section (2) is shown as in FIG. 19, and the range (1 ) And a branch to the transition page (2) and a branch to another section via the transition page (3). As a result, it is possible to limit the range in which it is possible to make a transition from one section to another section freely, and to limit the other sections so that only a fixed entrance address can be used to make a transition via the transition page.

The range in which data can be directly accessed from the partition 2 is shown in FIG. 20, and can be set independently of the range in which instructions can transition. This makes it possible to realize a page unique to each section and a page shared between sections. By limiting transitions between partitions and realizing a page unique to each partition, it is possible to realize a hidden partition even when a plurality of programs are allocated to one logical space and executed. Hidden partitions can be protected from unauthorized access by other partitions.

Further, it is not necessary for the data processing device to prepare a special instruction in order to control the memory protection device. For example, branching to a fixed entry address can be realized by a normal branch instruction because it is sufficient to go through the transition page. Also, for example, when changing the protection information when the partition is switched,
Since the storage protection information stored in the storage device is used, there is no need to provide a storage protection information replacement instruction. Further, for example, the storage protection information stored on the storage device can be changed by a normal data access command if the user has the right to access. Therefore, the present invention does not need to change the data processing device and can be applied to any data processing device.

The present invention is not limited to the above embodiment. As described above, the number of partitions in the address space may be divided into any number as long as the partition identifier and the right permitter can be sized according to the number of partitions.

In the above embodiment, the minimum unit of protection is the physical page unit, but any size can be used as long as it can be managed by the storage management device, and it can be changed like a segment. It may be the amount.

In addition, according to the present invention, as described above, if the partition identifier, execution permit, transition permit, and right permit can be acquired from the logical address and the storage management information storage table, how the information is stored. In addition to being applicable in each case, the configurations of the respective signal generating circuits and control circuits, the way of giving various control signals, and the like can be variously modified and implemented without departing from the scope of the present invention.

[0070]

As described above, according to the present invention, there are provided a function capable of setting each permitter so as to represent a partial order relation between two arbitrary programs and a function capable of easily changing each permittor at the time of execution. It becomes possible to realize the memory protection that it has. In other words, by appropriately setting the right permitter, execution permittor, and transition permitter, it is possible to realize memory protection with a total ordering relationship equivalent to ring protection, and to dynamically half-lock based on program call / return. Memory protection that changes the order relationship can also be realized.

Further, according to the present invention, as compared with the multiple logical space system in which a plurality of logical spaces are switched and accessed,
It becomes possible to realize a simple switching process, a simple hardware implementation, and a memory protection having the effect of not requiring a special instruction for the switching process. Therefore, by using the present invention, it is possible to group related programs into one logical space, reduce the time required for copying context switches and arguments, and improve the program throughput.

[Brief description of drawings]

FIG. 1 is a block diagram showing a main part of a storage protection device according to an embodiment of the present invention.

FIG. 2 is a block diagram showing a partition transition signal generation circuit used in the memory protection device shown in FIG.

3 is a block diagram showing a partition instruction access permission signal generation circuit used in the memory protection device shown in FIG.

FIG. 4 is a diagram showing a partition data access permission signal generation circuit used in the memory protection device shown in FIG. 1;

5 is a diagram showing a control circuit used in the memory protection device shown in FIG. 1. FIG.

FIG. 6 is a diagram showing an example of allocation of each permitter in the memory protection device shown in FIG. 1.

7 is a diagram showing a conceptual strength relationship between partitions realized by the memory protection device shown in FIG.

8 is a diagram showing an operation example in the case of executing an instruction in the same partition at the time of instruction fetch in the memory protection device shown in FIG. 1;

9 is a diagram showing an operation example in a case where the storage protection device shown in FIG. 1 transits to a different partition at the time of instruction fetch.

10 is a diagram showing an operation example when branching to a transition page at the time of instruction fetch in the memory protection device shown in FIG. 1;

11 is a diagram showing an operation example in the case of branching from a transition page at the time of instruction fetch in the memory protection device shown in FIG.

FIG. 12 is a diagram showing an operation example in a case where the storage protection device shown in FIG.

13 is a diagram showing an operation example in the case of writing data to a partition permitted in data fetching in the storage protection device shown in FIG. 1. FIG.

FIG. 14 is a diagram showing an operation example when the storage protection device shown in FIG. 1 attempts to read data from an unauthorized section at the time of data fetch.

FIG. 15 is a diagram showing an operation of partition information extraction processing in the memory protection device shown in FIG. 1.

16 is a diagram showing an implementation example of one item of a table including storage protection information used in the storage protection device shown in FIG. 1. FIG.

17 is a block diagram showing an implementation example of a storage management device including the storage protection device shown in FIG. 1. FIG.

18 is a block diagram showing another implementation example of a storage management device including the storage protection device shown in FIG. 1. FIG.

FIG. 19 is an address space diagram showing a range in which the storage protection device in the case of FIG. 6 can directly branch from the partition 2;

20 is an address space diagram showing a range in which data can be directly accessed from the partition 2 by the storage protection device in the case of FIG.

FIG. 21 is a block diagram showing a main part of a conventional storage protection device.

[Explanation of symbols]

1 ... Partition information extraction device, 2 ... Memory protection information extraction device, 3
... current partition identifier, 4 ... current transition permitter, 5 ... current execution permitter, 6 ... current right permitter, 7 ... purpose partition identifier, 8 ... purpose transition permitter, 9 ... purpose execution permitter, 10 ... purpose right Permit, 11 ... Read permit, 12 ... Write permit, 13 ...
Partition transition signal generation circuit, 14 ... Instruction access permission signal generation circuit, 15 ... Data access permission signal generation circuit, 1
6 ... Control circuit.

Claims (3)

[Claims] 1. A data processing device having a function of accessing instructions and data based on a logical address, and a storage management device for managing physical storage corresponding to a logical address output from the data processing device by partition information. In the storage system having, to identify the partitions that make up the logical address, grant access permission information to the identified partitions, and permit access of the instruction and access of the data based on the access permission information. A memory protection method characterized in that 2. A data processing device having a function of accessing an instruction and a data based on a logical address, and a storage management device for managing physical storage corresponding to a logical address output from the data processing device by a partition. In the storage system, partition information extracting means for identifying a partition forming the logical address, means for giving storage protection information for each partition identified by the partition information extracting means as access permission information, and currently executing Means for holding storage protection information for each section of an instruction, the storage protection information for the instruction currently being executed due to the access of the instruction by the data processing device, and the section for each section given as the access permission information Generates a permission signal that grants access to instructions based on memory protection information Means for identifying the partition in which the instruction currently being executed is present due to the occurrence of a data access by the data processing device, the storage protection information for the instruction currently being executed, and each partition provided as the access permission information. And a means for generating a permission signal for permitting data access based on the storage protection information. 3. The storage protection information for each partition identified by the partition information extracting means is a right permitter indicating the right of access to each partition, and an execution permitter indicating that the right permitter is a permission for access of an instruction. , A transition permitter indicating that the instruction is allowed to access a different partition, and the permission signal for permitting the access of the instruction is permitted and accessed by the right permitter of the partition to which the instruction executed immediately before belongs. Transition permission of the partition that the partition execution permission indicates that it is an instruction storage area or that the partition that the instruction executed immediately before belongs to is the instruction storage area If the execution permission of the partition whose child represents permission or the partition to which the transition permit to which the instruction executed immediately before belongs belongs is 3. The memory protection device according to claim 2, wherein the memory protection device is limited to one of the partitions representing the instruction storage area.