JPS6221140B2 - - Google Patents

Description

DETAILED DESCRIPTION OF THE INVENTION The present invention relates to a memory security system, and more particularly to a memory security system during execution of an emulation program.

When unauthorized writing or reading is performed on the main memory due to a hardware or software error, the memory protection device detects this and prevents the contents of the main memory from being destroyed. , to prevent programs from running out of control.

A program status word (PSW) is provided to define the operation and status of the arithmetic processing unit (hereinafter referred to as CPU) and is stored in a specific location in the main memory.
When executing an instruction, it is controlled by this PSW.

There are two types of PSW formats depending on the CPU's basic control mode and extended control mode, and both are two-word formats.
It is formed from 64 bits. FIG. 1 shows the configuration of each bit in the PSW in the basic control mode. Channels that control input/output interrupts
Mask CH MSK, interrupt code INTCD that indicates the type of interrupt when an interrupt occurs, word length ILC of the last instruction read when an interrupt occurs, condition code CC when executing the instruction, first byte address NIA of the next instruction to be executed, etc. In addition, PSW bit 8~
A protection key KY is stored in 11, which protects the memory by comparing it with the main memory key when the CPU reads or writes to the main memory.

On the other hand, for input/output operations, a protection key is assigned to the upper 4 bits of the 32-bit channel address word (hereinafter referred to as CAW). Compare with key.

When an input/output interrupt occurs, a CSW (channel status word) is provided to indicate the cause and the end state of the operation, and is stored in a specific location in the main memory. CSW is also formed from two words and 64 bits, and bits 0 to 3 store the protection key used during input/output operations.

On the other hand, the main memory is divided into blocks each having a certain number of bytes (for example, 2048 bytes), and a main memory key is provided for each block. The main memory key is
As shown in Figure 2a, when reading or writing information to the corresponding block, the access protection bit KEY is compared to see if it matches the protection key of PSW and CAW, and the memory protection is set to ``0'' for writing only or for reading and writing. It consists of a read protection bit F applied to "1", a reference bit R and a change bit C, which are related when writing or reading to a block.

When the main memory is accessed from the CPU or channel, the protection key KY of PSW or CAW is compared with the main memory key KEY of each block of the main memory. For example, the main memory key KEY and F and Depending on the contents of the protection key KY, control as shown in FIG. 2b is performed. In Figure 2b, read RD and write
OK when WT is allowed, NO when not allowed
is shown.

Incidentally, in recent years, so-called emulation, in which a program on one computer is converted to a virtual address on another computer to execute a job by making full use of both software and hardware, has been widely used.

That is, when a new computer is developed and replaced with an old model, and it is necessary to carry over the programs developed and used in the old model to the new model, emulation is performed with the help of hardware. Normally, an emulator operates by switching between a native mode in which it operates as a host computer, that is, a new computer model, and an emulation mode in which it operates as a target computer, that is, an old model computer. In this case, the emulation job is processed as one job in the same manner as other jobs under the operating system of the new computer, and multiple programming including multiple emulation jobs is possible. That is, as shown in Figure 3b, in native mode, processing programs B, C, and D run directly under the new computer's operating system OS, but in emulation mode, they run as shown in the dotted line. Under program A that controls emulation, processing programs BG, F1, F2 are executed.
will operate, and from the OS's perspective, there will be three layers.

In a computer system that does not perform emulation, as shown in Figure 3a, the operating
Each user program under system DOS
BG, F1, and F2 are executed.

In that case, for memory security, the operating system DOS has a protection key K=0.
and each user program BG, F1, F2
are assigned K=1, K=2, and K=3, respectively.

In other words, in this case, 16 types of protection keys K can be assigned by combinations of 4 bits "0" and "1", and only K = "0000" is specially allowed to access any area of the main memory. Ru.

Therefore, the operating system
Access from other users other than DOS can be prevented, and the confidentiality of the memory can be effectively protected.

On the other hand, in a computer system that emulates the system shown in Figure 3a, as shown in Figure 3b, the key management for memory protection performed by the emulated operating system DOS, Since all memory management is controlled by the upper operating system OS, the emulated operating system DOS will be treated as one user job A. Therefore, as shown within the dashed line in Figure 3b, there is generally one protection key,
Here K=1 is assigned and the emulated
The protection keys of the operating system DOS and other user programs BG, F1, and F2 are all the same.

In other words, when multiple programs are executed under the emulated operating system DOS, only one key is assigned to programs BG, F1, and F2, which should originally be independent from each other. - The contents of other emulated programs can be referenced or rewritten due to a program error or intentionality, and confidentiality cannot be protected.

It should be noted that the explanation of how the emulation operation is performed in FIG. "Microprogramming" (written by Hiroshi Hagiwara) published by Co., Ltd. pp.143
~165).

An object of the present invention is to provide a method for reliably protecting memory security even when a plurality of programs are executed under an emulated operating system, in order to eliminate such drawbacks. It is in.

In the present invention, the emulated operating system performs key management and memory management for memory protection independently of the upper operating system as in the past, and all emulated programs The above objectives are achieved by being subject to the security control of the upper operating system.

Embodiments of the present invention will be described below with reference to the drawings.

In FIG. 4, the emulated operating system DOS manages memory protection keys for the emulated programs BG, F1, and F2 of FIG. 3b.

In this case, the emulated system A,
BG, F1, and F2 constitute a virtual computer, which is controlled by an operating system OS.

As microprogramming methods have evolved, emulation has come to be interpreted more broadly, and an emulator refers to a complete set of microprograms that define a computer when stored in control memory. . Then, the computer realized by the emulator (that is, the target computer) is converted into a virtual computer (Virtual computer).
Machine).

A virtual computer accesses virtual memory, and after the virtual address is converted into a real address by a real computer, the real memory is accessed.

In the present invention, a virtual memory key is newly assigned to the virtual memory of the virtual machine, and a virtual address protection key is newly assigned to the program of the virtual machine. That is, the protection key K'=0 is set for the emulated operating system DOS, and the protection key K'=0 is set for the emulated programs BG, F1, and F2.
Assign K'=1, K'=2, K'=3. This allows user programs BG, F1,
Access to each F2 from other users can be prevented, and the confidentiality in the virtual memory is protected.

Furthermore, in the present invention, keys for real memory are managed by the operating system OS at the same time, and the emulated operating system DOS has K=1 and K'=0.
The emulated program BG has K=1.
K'=1, similarly for F1, K=1 and K'=2, F2
are assigned K = 1 and K' = 3, and these 2
The contents of each key are compared in real memory and virtual memory, and if the two do not match, access to the memory will not be permitted.

FIG. 5 is a diagram showing the correspondence between real memory and virtual memory in the present invention.

Emulated program EML PGM and other programs PGMA, PGMB are virtual memory VM
In the above, a contiguous area is given, but the real memory
The real address on the RM is divided into units called pages (for example, 2 kilobytes) and loaded as needed.

A computer realized by an emulator is a virtual computer, and the virtual computer has a virtual address for the virtual memory VM and a corresponding real address for the real memory (VM REAL MEM) of the virtual computer. In this case, the real address for the virtual machine cannot directly become the real address on the real memory RM of the real computer. Since the real address for each virtual computer is a virtual address for the real computer, if this address is converted once again, it becomes a real address on the real memory RM. In this way, there are three levels of addresses in the virtual machine. Address conversion from a virtual address of a virtual computer to a real address of a real computer is generally performed using a shadow table. In the shadow table, values obtained by converting a virtual address of a virtual machine into a real address of a virtual machine, which is further converted into a real address of a real computer, are stored in direct correspondence. Further, a computer having a virtual memory system is equipped with an address translation buffer (TLB) of an associative memory that stores a plurality of pairs of virtual addresses and their corresponding real addresses.
The virtual address of the virtual computer is set by adding a larger number of digits to the number of digits of the real address of the real computer, and is expressed by a segment number, a page number, and a displacement within the page. The segment number indicates the number of the segment in the virtual space, and the page number indicates the number of the page of the segment. Therefore, if you allocate the corresponding pages on the real memory RM of the real computer, the RM in Figure 5
Assigned as indicated by the diagonal line.

Conventionally, a first key memory RKS that stores a main memory key corresponding to the real memory RM has been provided, but in the present invention, an area in which the emulate program EML PGM on the virtual memory VM is stored is further provided. Correspondingly, a second key memory VKS for storing a virtual memory key is installed.
These key memories RKS and VKS are real memory RM
Or, it is prepared for every 2 kilobytes of virtual memory VM, and when referencing or writing to real memory RM, first and second key memories corresponding to the corresponding real address and virtual address are used.
RKS and VKS are read.

FIG. 6 is a block diagram of a memory security scheme according to the present invention.

If emulation is not performed, only the real memory needs to be protected, so only the real address protection key register 3, first key memory 14, comparator circuit 12, and OR gate 10 are required, as in the conventional case. A comparator compares the contents of the protection key in the PSW and CAW with the main memory key in the main memory, and when they do not match, the output is sent to the protection exception detection line 1.
1 to prohibit access and generate a program interrupt INT, or display a memory protection check on CSW.

When performing emulation, the upper virtual memory check section is activated at the same time, and only when the two match, access to the real memory RM is permitted.

First, when starting emulation,
Emulator latch 8 is set via emulator latch input line 7, and its set output is input to AND gate 9 to activate AND gate 9. Furthermore, at the end of emulation, the emulator latch 8 is reset via the emulator latch input line 7, the AND gate 9 is inactivated, and the output of the comparator circuit 6 is prohibited from being input to the OR gate 10.

In a virtual computer, a virtual storage area is provided in the main storage device, and virtual hardware information, ie, PSW, control registers, operation registers, etc. are held there, and these are loaded from external memory by a load instruction.

The key part of the PSW, which is the operand of the load PSW (LPSW) instruction issued by the emulated operating system, is set in the emulator protection key register 2 via the emulator protection key input line 1. Similarly, when a storage key setting (SSK) instruction is issued in the emulated operating system, the corresponding virtual address VA of the virtual memory VM assigned to the emulator by the upper operating system is sent via the virtual address line 5 to update the second key memory 4 corresponding to the VM.

On the other hand, if an LPSW instruction is issued from the upper operating system while the emulator latch 8 is reset, the key part of the PSW, which is the operand of that instruction, is transmitted via the real address protection key input line 13 to the LPSW instruction. Set in address protection key register 3. Furthermore, when an SSK command is issued from the upper operating system, the corresponding address RA of the real memory RM is sent out via the real address line 15, and the first key memory 14 corresponding to the RM is updated. .

During emulation, the output of the emulator protection key register 2 and the output of the second key memory 4 corresponding to the accessed virtual address VA are compared in the comparison circuit 6, and if they do not match, the output is generated. , are input to AND gate 9. During emulation, the emulator
Since latch 8 is set and AND gate 9 is activated, the mismatch signal is input through AND gate 9 to OR gate 10. As a result, a protection exception program interrupt request INT is generated on the protection exception detection line 11, and the real memory is referenced.
Suppresses updates and generates a program interrupt.

At the same time, the output of the real address protection key register 3 and the output of the first key memory 14 corresponding to the real address RA to be accessed are compared in the comparison circuit 12, and if they do not match, the output is ORed. A protection exception detection line 11 is generated through a gate 10, and a protection exception program interrupt INT is generated.

Next, the operation of the operating system that controls this hardware will be explained with reference to FIGS. 4 to 6.

The upper operating system OS is the emulated operating system DOS
By assigning exclusive protection keys K=1, K=2, K=3, and K=4 to other programs B, C, and D that are running simultaneously, the Provide confidentiality.
These can be done by managing only the protection key of the real memory RM, which allows the emulated
Even if an error occurs in the operating system DOS, it can be prevented from entering the areas of other programs B, C, and D.

Emulated operating system
In addition to the key K=1 of the real memory RM assigned by the upper operating system OS, DOS also controls the emulated program groups BG, F1, and F2 under the control of the emulated operating system DOS. Since the protection keys K = 1, K' = 2, and K' = 3 are exclusively assigned to the virtual memory VM, the emulating program
Mutual security protection between BG, F1, and F2 can be performed.

Activation of emulation is performed by an emulator activation command from the upper operating system OS, and is terminated by an interrupt such as an input/output interrupt or a program interrupt.

LPSW and SSK instructions are privileged instructions,
It can only be used by the operating system OS, and if issued by a user program, it will be detected as a program interrupt and will not be executed. However, the LPSW command issued by the emulated operating system DOS during emulation captures the key part of the PSW into the emulator protection key 2 and then generates a program interrupt.

Further, the SSK instruction sets a specified value in the corresponding second key memory 4 and then generates a program interrupt. The upper operating system, the system OS, identifies that it is a program interrupt from the emulator, simulates a privileged instruction, and passes control to the emulated operating system, DOS, with an emulator startup instruction.

As explained above, according to the present invention, by newly providing the second key memory corresponding to the virtual memory and the virtual address protection key holding register, it is possible to transfer data between the emulated programs and the data even when the emulation program is executed. By using the comparison result of the first key memory corresponding to the conventional real memory and the protection key holding register for the real address, the emulated operating system and the Security can be maintained between programs that are running at the same time.

[Brief explanation of the drawing]

Fig. 1 is a diagram of the bit configuration of the PSW in basic control mode, Fig. 2 is a condition explanatory diagram showing the bit configuration of the main memory key and an example of memory protection, and Fig. 3 is an allocation diagram of the protection key during emulation.
FIG. 4 is an explanatory diagram showing the principle of the present invention, FIG. 5 is a correspondence diagram between real memory and virtual memory in the present invention, and FIG. 6 is a block diagram of a memory security system showing an embodiment of the present invention. 1: Emulator protection key input line, 2: Emulator protection key register, 3: Real address protection key register, 4: Second key memory (virtual key memory), 5: Virtual address line, 6,1
2: Comparison circuit, 7: Emulator latch input line, 8: Emulator latch, 9: AND gate, 10: OR gate, 11: Protection exception detection line, 13: Real address protection key input line, 14: No. 1 key memory (real key memory), 15: real address line, VA: virtual address, RA: real address, VM: virtual memory, RM: real memory, K=0
~4: Real address protection key, K'=0~3: Emulator protection key.

Claims (1)

[Claims] 1 A processing device that converts a program into a virtual address and emulates it, comprising a first key memory corresponding to the real memory, a real address protection key holding means, and a first comparing means for comparing each of the above contents, and a second key memory corresponding to the memory and virtual address protection key holding means;
A memory security system comprising: a second comparing means for comparing each of the above contents, and permitting access to the real memory when the contents match between the first and second comparing means.