JPH08212140A - Memory protection system - Google Patents

Abstract

PURPOSE: To provide memory protection without depending on the memory protection mechanism of a central processing unit in a memory protection system for a computer. CONSTITUTION: The access strength of a program is expressed by (n) stepwise levels and an address translating means equipped with a program managing table 103, conversion table 105 composed of (n) tables uniquely corresponding to the program access levels and access possibility deciding means 106 is provided in an operating system 101. Therefore, since the information on the possibility of access to a memory is provided in the operating system 101, the memory protection system can be provided without depending on the memory protection mechanism of the processor.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a memory protection system for electronic computers.

[0002]

2. Description of the Related Art One of memory protection methods is a ring protection method. This subdivides the main memory into units called pages or segments (hereinafter, simply referred to as pages), and gives a ring number to each page. The execution program and data are
Each is placed on a different page. This is a method of permitting access when the ring number of the page where the execution program is located is greater than or equal to the ring number of the page where the data is located when accessing data from the execution program. Regarding the ring protection method, for example, "Functions and configurations of operating system" (Nobutaka Takahashi, Norihisa Doi, Takashi Masuda, Iwanami Information Science 1
6, Iwanami Shoten, pp. 242-244, 1983. ).

[0003]

In the above prior art, the memory protection system depends on the mechanism of the central processing unit.

An object of the present invention is to realize a ring protection system without depending on the mechanism of the central processing unit and to improve the reliability of the memory.

[0005]

A feature of the present invention for achieving the above object is that an address conversion table of a plurality of surfaces is provided inside an operating system, and a ring number is assigned by a combination of write enable / disable flags in them. To express.

That is, when the memory protection information cannot be set in the central processing unit of the computer, the memory protection information is set in the operating system, and this is used as an input to determine whether access is possible. To realize the memory protection means.

The memory protection means comprises a program execution condition input means, a program management table, a conversion table, and an access permission means.

Further, these means may be provided with access permission / prohibition information changing means.

Furthermore, access level changing means may be provided.

By realizing the operating system having the above memory protection means,
The above problems are solved.

[0011]

The operating system of the electronic computer having the address converting means of the present invention has a logical address space, and when the central processing unit attempts to access the storage area in the storage device, the continuous area of this logical address space is set. to access. Therefore, in order to realize the access to the storage device of the central processing unit, the access to the logical address space must be converted into the access by the physical address to the storage areas distributedly arranged on the storage device.

The conversion to the physical address may be performed by converting the logical page frame number into the physical page frame number and matching the physical page frame number and the page offset.
The conversion of the logical page frame number into the physical page frame number is performed by selecting one of the plurality of entries in the conversion table according to the logical page frame number. However, due to a program error, etc.
If the main storage device generates an illegal logical address, it is converted into an illegal physical address, and there is a risk of illegal access to the memory device, and the data in the memory device is protected from such illegal access. Should be protected.

In order to realize such protection, the address translation means has a translation table in the operating system. The conversion table has a number of tables equal to the maximum number of program access levels, and each table uniquely corresponds to the program access level. In each table entry, not only the converted physical page frame number but also the access permission / inhibition information according to the program access level corresponding to the table is recorded for the physical page indicated by the physical page frame number.

By providing the above-mentioned means for memory protection, the access level can be changed from within the program during execution, and detailed memory access conditions can be set for the program. .

[0015]

Embodiments of the present invention will be described below with reference to the drawings.

FIG. 1 shows an example of the configuration of the address conversion means. First, the configuration of the address conversion means will be described.
The address conversion means is a program execution condition input means (1
02), a program management table (103), a conversion table (105), and an access permission means (106).

First, the program execution conditions are input to the address conversion means by the user of the computer using the program execution condition input means (102). The program management table (103) inputs the program identification number and the program access level from the program execution condition input means (102). The program management table (103) is composed of a plurality of entries, and each entry has a PID (program identification number),
It is composed of a field of ALVL (program access level).

When the program is executed and an access to the storage area occurs, a logical address (104) of the access destination is generated in the central processing unit, is input to the address converting means, and a physical address (107) is obtained as an output. . Logical address (104) and physical address (1
07) is an upper bit indicating a page frame number (logical page frame number and physical page frame number)
And a lower bit indicating the page offset (page offset).

The conversion table (105) receives the program access level from the program management table (103) and the logical page frame number from the central processing unit. The conversion table (105) has a number of tables equal to the maximum number of program access levels,
Each table is composed of a plurality of entries.
Each entry includes AP (access permission information) and PPFN.
It consists of a field of (physical page frame number). The content of the AP field has only information indicating whether it is accessible or inaccessible. In general, it has a size of 1 bit, and indicates 0 is accessible and 1 is not accessible.

When the logical page frame number is input to the conversion table (105), the PID field of each entry in the program management table (103) is searched based on the program identification number of the program being executed. Select the matching entry. Further, the conversion table corresponding to the contents of the ALVL field of the selected entry is selected, the entry corresponding to the logical page frame number is selected from the entries, and the contents are output.

The access permission means (106) combines the contents of the PPFN field and the page offset in the logical address with the physical address obtained based on the contents of the AP field output from the conversion table (105). Enter. The access permission unit (106) outputs the input physical address only when the content of the AP field is 0 (accessible).

For example, consider a case where a program having a program access level of 3 is executed to access an arbitrary page of a storage device. Here, the smaller the numerical value of the level, the higher the level. First, the user uses the program execution condition input means (102) to instruct the program execution. At this time, it is assumed that 3 is specified as the program access level. The operating system (101) determines the program identification number when executing the program, searches the PID field of the program management table (103) and selects the matching entry, and sets the program access level 3 to the ALVL of the corresponding entry. Store in the field. The program management table (103) outputs the contents of the ALVL field of the relevant entry to the conversion table (105). At this time, in the conversion table (105), the table corresponding to ALVL = 3 is selected.

When the program is executed and an access to the storage area occurs, a logical address (104) of the access destination is generated in the central processing unit, and the logical page frame number is output to the conversion table (105). ALVL
= 3, select the entry corresponding to the logical page frame number from the table, and output the contents. The access permission means (106) is a conversion table (105).
Based on the contents of the AP field output from
Input the content of the N field and the physical address obtained by combining the page offset in the logical address. The access permission means (106) determines that the contents of the AP field are
Only when it is 0 (accessible), the input physical address is output.

Next, the structure and operation of the access permission / inhibition information changing means shown in FIG. 1 will be described. First, the structure of the access permission / prohibition information changing means will be described. The access permission / prohibition information changing means (108) is an operating system (101).
The AP (access permission information) field of each table in the conversion table (105) can be accessed.

In the access permission / prohibition information changing means, first, an access permission / prohibition information changing command is inputted from the program to the access permission / refusal information changing means (108) via the operating system (101). The access permission / inhibition information change instruction is composed of ALVL (program access level), a logical address, and the changed AP value. The access permission / prohibition information changing means (108), in accordance with the access permission / prohibition information change command, applies the corresponding ALV in the conversion table (105).
The L table is selected, the in-table entry indicated by the logical page frame number in the logical address is selected, and the value of the AP field of the entry is replaced with the changed AP value.

For example, consider a case where an ALVL program of 5 changes an arbitrary storage area of a storage device to be writable. First, when the program issues an access permission / prohibition information change command, the access permission / prohibition information change means (10
8) is based on the ALVL of the program that issued the instruction, the logical address of the storage area to be changed, and the AP value after the change,
The table of ALVL = 5 in the conversion table (105) is selected. Further, the logical page frame number is extracted from the upper bits of the change destination logical address, the corresponding entry in the table is selected, and the contents of the AP field in the entry are changed to writable. After that, the program whose ALVL is 5 can perform write access to the corresponding storage area of the storage device.

Next, an example of the configuration of the access level changing means will be described with reference to FIG. First, the configuration of the access level changing means will be described. The access level changing means (109) is provided in the operating system (101), and the ALV of the program management table (103)
Access to the L (access level) field is possible.

To the access level changing means, first, an access level changing instruction is input from the program to the access level changing means (109). The access level change instruction is composed of the PID (program identification number) of the instruction issue source program and the changed ALVL value. The access level changing means (109) selects the entry of the corresponding PID in the program management table (103) according to the access level changing instruction, and replaces the value of the ALVL field with the changed ALVL value.

For example, changing the ALVL of the program from 5 to 3
Consider the case of changing to. First, an access level changing instruction is issued from a program by an access level changing means (109).
Issued to the PI of the program that issued the instruction
Based on D and the changed ALVL value, the entry of the corresponding PID in the program management table (103) is selected, and the content of the ALVL field in the entry is changed to 3. After that, the corresponding program is converted into the conversion table (10
In order to select the table of ALVL = 3 in 5), AL
It is possible to access the storage device, which is allowed for a program having a VL of 3.

As described above, the address translation means of the present invention can protect the storage area from unauthorized access by using it. Further, by dynamically changing the access right of the memory by the access permission / prohibition information changing means, and by dynamically changing the access right of the program by the access level changing means, the protection condition of the storage area can be set spatially and temporally. It becomes possible to optimize it.

In summary, the program execution condition input means is used when the user instructs the operating system to execute the program, receives the program execution condition designated by the user, and outputs it to the operating system. .

The program management table inputs the output of the program execution condition input means. The program management table is made up of a plurality of entries, and one entry is selected according to the program identification number portion (program identification number) of the input program execution conditions, and the content of that entry is output. In each entry of the program management table, the program identification number that selects the entry and the access level portion (program access level) of the program of the input program execution conditions are recorded. The translation table receives the page frame number portion (logical page frame number) of the logical address input to the address translation means and the program access level output from the program management table. Further, the conversion table is composed of a number of tables equal to the maximum number of access levels. Each table is made up of a plurality of entries, and one entry is selected according to the input logical page frame number, and the contents of that entry are output. For each entry, the page frame number (physical page frame number) of the physical address, which is the result of address conversion of the logical page frame number that selects the entry, and the stored content of the page indicated by the physical page frame number are stored. Information indicating whether access is possible (access permission information) is recorded.

The access permission means obtains the physical page number after address conversion output from the conversion table and the page offset portion (page offset) of the logical address based on the access permission information output from the conversion table. The physical address to be output to the storage device.

Further, the provision of access permission information changing means will be described. The access permission / prohibition information changing means receives the access permission / prohibition information change command from the program being executed. Further, the access permission / prohibition information changing means dynamically changes the access permission / prohibition information in the conversion table according to the input.

Furthermore, the provision of access level changing means will be described. The access level changing means receives an access level changing command from the program being executed. Further, the access level changing means dynamically changes the access level in the conversion table according to the input.

The protection of the data in the storage device is realized by the following method. As shown in FIG. 1, when the program accesses an arbitrary address in the storage area, the program management table (103) outputs the program access level of the entry selected by the program identification information. The conversion table (105) inputs the output of the program management table (103) and selects the table of the corresponding access level. The table outputs the contents of the entry selected by the logical page frame number portion (logical page frame number) of the logical address (104). The access permission unit (106) synthesizes the access permission / prohibition information of the conversion table (105) and the page offset portion (page offset) of the physical page frame number logical address to generate a physical address, and the access permission / prohibition information is accessed. If yes, output the physical address.

By having the memory protection means as described above, even if the memory protection information cannot be set in the central processing unit, an equivalent memory protection function can be realized.

Further, when the access permission / prohibition information changing means (108) is provided in the operating system, when the access permission / prohibition information change command is issued to the operating system from the program being executed, the access permission / refusal information is changed. The means (108) uses the conversion table (1
05), the program access level to be changed, the logical page frame number, and the changed access permission / prohibition information are output. The conversion table (105) selects the table corresponding to the program access level to be changed, selects the entry indicated by the logical page frame number, and changes the access permission / prohibition information in the entry.

By having the memory protection means as described above, it is possible to change the access permission / prohibition information from within the program during execution, and it is possible to set fine memory protection information in the storage area.

Furthermore, as shown in FIG. 1, access level changing means (10
9) is provided, when an access level change command is issued to the operating system from the program being executed, the access level change means (109) causes the program to be changed to the program management table (103). The identification number and the changed access level are output. The program management table (103) selects the entry indicated by the program identification number to be changed, and changes the access level in the entry.

By having the memory protection means as described above, it is possible to change the access level from within the program during execution, and to set detailed memory access conditions for the program.

Next, referring to FIG. 2, a ring protection system of a comparative example will be described in which a central processing unit has a device for storing ring numbers for each page.

In the memory protection system as shown, the program execution condition input means (202) and the program management table are provided in the operating system (201).
Holds (203). In the central processing unit (204),
Conversion table (206), access condition comparison means (20
7) and access permission means (208).

The conversion table (206) is composed of a plurality of entries selected by the logical page frame number.
In each entry, the physical page frame number and the degree of protection of the contents of the storage area indicated by the physical page frame number are expressed by m stepwise levels, and the storage level indicating that the higher the level is, the stronger the protection is. (Hereinafter, referred to as page storage level) is recorded.

The access condition comparison means (207) inputs the page storage level output from the conversion table (206) and the program access level output from the program management table (203), compares them, and compares them.
When the access level is higher than or equal to the storage level, the determination result of permitting access is output.

The access permission means (208) and the access condition comparison means (207) with the physical address obtained by combining the physical page frame number and the page offset.
It is determined whether to output the physical address (209) based on the output of the access condition comparison means (207). For example, consider a case where a program having a program access level of 3 is executed to access an arbitrary page of a storage device. Here, the smaller the numerical value of the level, the higher the level. First, the user uses the program execution condition input means (202) to instruct the program execution. At this time, it is assumed that 3 is specified as the program access level. The operating system (201) determines the program identification number when executing the program, and the program management table (2
03) select the corresponding entry and store the program access level in the entry. The program management table (203) outputs the program access level of the relevant entry to the access condition comparison means (207) in the central processing unit (204).

On the other hand, in the central processing unit (204), in executing the instruction of the relevant program, in order to access an arbitrary page of the storage device, the logical address (20
5) is generated.

At this time, the logical page frame number is output to the conversion table (206) and the corresponding entry is selected. The conversion table (206) outputs the page storage level of the corresponding entry to the access condition comparison means (207). The access condition comparison means compares the program access level with the page storage level. At this time, since the program access level is 3, if the page storage level is 2 or less, the determination result of inaccessibility is output. If the page storage level is 3 or higher, the access permission determination result is output. Access permission means (20
In 8), the physical address obtained by combining the physical page frame number and the page offset and the output of the access condition comparing means (207) are input, and if the determination result of the access condition comparing means (207) is permitted. The physical address (209) is output, and if not, it is not output. This makes it possible to protect data from unauthorized access by increasing the storage level of highly important data.

[0049]

According to the present invention, by using the memory protection means, even if the computer does not have a means for storing special memory protection information such as a storage level in the central processing unit, the ring protection is performed. It is possible to realize the memory protection function by the method. Furthermore, in the access permission determination performed every time access is performed, the information required for the determination is set to the information that has only the content accessible or inaccessible. The processing time at the time of can be shortened. Further, by providing the conversion table with n (maximum number of access levels) surfaces, it is possible to finely set the access conditions at each access level. Therefore, for example, when a plurality of programs share an arbitrary storage area, by giving different access levels to each program, the access from the program A is prohibited, while the access from the other program B is prohibited. You can allow it. As a result, the access right to the storage area of each program can be set optimally, so that the performance of the computer system in terms of security can be improved.

Further, since the accessibility information can be changed from the program, it is possible to deal with the creation of a program for temporarily accessing the normally inaccessible storage area, and to protect the storage area. Conditions can be optimized spatially and temporally.

Furthermore, since the access level can be changed from within the program, it is possible to deal with the creation of a program for performing emergency access in the privileged mode, and to set the access conditions for the program storage area. It can be spatially and temporally optimized.

[Brief description of drawings]

FIG. 1 is a diagram for explaining an embodiment of the present invention.

FIG. 2 is a diagram for explaining a comparative example of the present invention.

[Explanation of symbols]

101 ... Operating system, 102 ... Program execution condition input means, 103 ... Program management table, 105 ... Conversion table, 106 ... Access permission means, 108 ... Access permission information change means, 109 ... Access level change means.

 ─────────────────────────────────────────────────── ─── Continuation of the front page (72) Toshimasa Saiga 5-2-1 Omika-cho, Hitachi-shi, Ibaraki Hitachi Process Computer Engineering Co., Ltd. (72) Yasuo Sekine 5-2, Omika-cho, Hitachi-shi, Ibaraki No. 1 in Hitachi Process Computer Engineering Co., Ltd. (72) Inventor Hidefumi Miyata 5-2-1 Omika-cho, Hitachi City, Ibaraki Prefecture In Hitachi Process Computer Engineering Co., Ltd. (72) Keiji Kuwahara Omi Mika, Hitachi City, Ibaraki Prefecture 5-2-1, Machi Incorporated company Hitachi, Ltd. Omika factory

Claims (3)

[Claims] 1. In a memory protection system of a computer in which a storage device is managed by a virtual storage system, a program execution condition inputted from a program execution condition input means is input, and the program execution condition is a program identification number part ( Hereinafter referred to as the program identification number.)
Has a plurality of first entries selected by
, The access right for the program to access the contents of the storage area in the program identification number for selecting the first entry and the program execution condition is represented by n stepwise levels. And a program management table for outputting the information recorded in the first entry selected by the program identification number. The program access level output from the table and the page frame number portion (hereinafter referred to as the logical page frame number) of the logical address output from the data transfer means of the central processing unit are input, and n number of access levels are selected. And multiple tables, and the multiple tables Page number of the physical address resulting from the conversion of the logical page frame number for selecting the second entry. Hereinafter, referred to as a physical page frame number) and access permission information (hereinafter referred to as access permission information) for accessing the contents of the storage area indicated by the physical page frame number recorded in the second entry thereof. A conversion table for outputting the information recorded in the second entry selected by the logical page frame number among the second entries recorded in the table selected by the access level, and a physical page It is obtained based on the frame number and the page offset part of the logical address (hereinafter referred to as page offset). The address translation means, which includes the physical address and the access permission / prohibition information output from the conversion table as input, and the access permission means for determining whether to output the physical address to the storage device based on the access permission / prohibition information, is operated. A memory protection method that is equipped in the system. 2. The memory protection method according to claim 1, wherein an access permission / inhibition information change command from a program being executed is input, and the access permission / inhibition information in the conversion table can be dynamically changed. A memory protection system characterized in that the operating system is provided with means. 3. The memory protection system according to claim 1, further comprising access level changing means for inputting an access level changing command from a program being executed and dynamically changing the access level in the program management table. A memory protection method that is equipped with an operating system.