Protection is related to system structure and can not not be
discussed sensibly out of context. I propose to to use IBM OS360 and
EMAS2900 for examples as I am not sufficiently familiar with VMS.
Early uni-programming operating systems had user and supervisor
co-resident in separate worlds protected by base and limit registers.
This simple approach worked well although it was difficult to locate
user parameters to operating system calls without adddress computation.
IBM elected to put parameters in code after the SVC, an insanitary
method that has cost them dear. These techniques were extended to multi
tasking and then further distorted to handle virtual memory (with the
operating system remaining in real addresses). The price of the IBM
technique of passing parameters to the system increased sharply. The
code was impure and could not be shared; also code pages were made dirty
by writing in the parameters and had to be paged out. Further the
supervisor had to cope with page boundaries within and between
parameters.
Now that systems have become larger and more complex it is
deirable to use virtual addressing within the operating system and the
simple model fails to cope. The IBM-XA manual has pages of description
of instructions designed to overcome the deficiences of dual address
spaces. Five special instructions (move to primary, move to secondary,
program call, program transfer and load real address) are provided! They
are all complex and mean that parameter passing to the operating system
is quite different from parameter passing between unprivileged
procedures.
An alternative stategy is to put the system into the users virtual
memeory. This enables parameter passing to be unified with normal
procedure calls and enables a hierarchical structure to be imposed. Each
layer can see the next more privileged layer only as a set of procedures
which can be called normally. Page faults on the parameters are handled
transparently (except possible on calls to the innermost layer). The
EMAS structure is:-
a) (Innermost). The Global Controller.
This allocates real resources primarily store & cpus.
b) The Local Controller.
This supervises one user process handling errors interrupts
and page faults.
c) The Director.
This provides sytem facilities particularly a file system.
d) (Outermost). The Subsystem.
This module is user specified and provides a command language,
compilers and user facilities.
Ideally the subsystem itself should have a hierarchical structure.
The advantage of the more structured approach is that it easier to
write and debug. Communication between the levels is restricted to
calling with parameters so the complex interconnections that make a
system complicated and bug prone are reduced.
Protection requirements depend on the structure. The IBM strucure
assumes and evolved out of a simple binary system. Adding rings to this
would be easy, but pointless. In the hierarchical structure rings are
useful. They prevent any level from seeing or damaging any of the tables
or data of more privileged layers. Ideally, one would also like to
prevent also the supervisor damaging less privileged layers except via
parameters but the ring does not do this. However the ring structure is
cheap, and in spite of the reservations described in my earlier note, it
has speeded the debugging, testing and integrity of EMAS2900.
Particularly valuable is the common procedure call. Without any of the
complications or overheads of the IBM VM approach it has proved possible
to modify and test large parts of the system concurrently with service.
We are about to transport the 2900 system back to IBM hardware and
I am sure this will provide new insights. I will report on progress in
due course.