








The Naval Postgraduate School
SECURE ARCHIVAL STORAGE SYSTEM
Part I - Design -




proved for public release; distribution unlimited
epared for:






Rear Admiral J. J. Ekelund Jack R. Borsting
Superintendent Provost
The work reported herein was supported in part by the Foundation
Research Program of the Naval Postgraduate School with funds provided
by the Chief of Naval Research.
Reproduction of all or part of this report is authorized.
This report was prepared by:
iJ O X i. x cvj,
SECURITY CLASSIFICATION OF THIS PAGE (When Data Entered)
REPORT DOCUMENTATION PAGE READ INSTRUCTIONSBEFORE COMPLETING FORM
I. REPORT NUMBER
NPS52-80-002
12. GOVT ACCESSION NO 3. RECIPIENT'S CATALOG NUMBER
4. TITLE (and Subtitle)
The Naval Postgraduate School
SECURE ARCHIVAL STORAGE SYSTEM
Part I - Design -
5. TYPE OF REPORT & PERIOD COVERED
Technical Report
6. PERFORMING ORG. REPORT NUMBER
7. AUTHORfj;
Roger R. Schell and Lyle A. Cox, Jr.
8. CONTRACT OR GRANT NUMBERS)
9. PERFORMING ORGANIZATION NAME AND ADDRESS
Naval Postgraduate School
Monterey, CA 93940
10. PROGRAM ELEMENT, PROJECT, TASK
AREA & WORK UNIT NUMBERS
61152N; RR000-01-10
Noool480WR00Q54





13. NUMBER OF PAGES
325
U. MONITORING AGENCY NAME 4 ADDRESSf// dl Iterant from Controlling Office)
Chief of Naval Research
Arlington, Virginia 22217
15. SECURITY CLASS, (ot thia report)
Unclassified
15«. DEC LASSIFI CATION/ DOWN GRADING
SCHEDULE
16. DISTRIBUTION STATEMENT (ot this Report)
Approved for public release; distribution unlimited,
17. DISTRIBUTION STATEMENT (ot the abstract entered In Block 20. It dltterent trom Report)
18. SUPPLEMENTARY NOTES






20. ABSTRACT (Continue on reverae aide It neceeemry and Identity by block number)
There is an increasing need for systems which provide controlled access
to multiple levels of sensitive data and information. This report comprises
the first phase of the realization of such a system: the comprehensive design
of a multilevel secure file storage system. This is the focus of an ongoing
research project, which is currently in the early implementation phases. The
design is based upon security kernel technology as applied to modern multiple
microcomputer arrays.
This design is intended to interface with other (distributed) processing i
DD FORMWU
1 JAN 73 1473 EDITION OF 1 NOV 65 IS OBSOLETE
S/N 0102-014- 6601 1 Unclassified
SECURITY CLASSIFICATION OF THIS PAGE (When Date Bntetad)
Unclassified
-IJ^ITY CLASSIFICATION OF THIS PAGEfWhon Data Entered)
elements, perhaps forming the central hub of a data secure network of
computers. The design would provide archival shared storage while insurin
that each interfacing processor accessed only that information appropriate
The design phase of the project is presented in a series of three research!
reports (Masters Degree theses) . These reports, reprinted in their entire;
here are: (1) O'Connell and Richardson's definition of a secure multi-
microprocessor family of operating systems; (2) Coleman's detailed securi
kernel design for a member of this family; and (3) Parks' hierarchical fill
system designed to run under the control of Coleman's security kernel.
Unclassified
SECURITY CLASSIFICATION OF THIS P AGE(TWi«n Data Ent>
The Maval Dostgraduate School
SECURE \RCHIVAL SmORACE SYSTEM
Dart I - design -
by
Roger R. Scheii and Lyle A. Ccx
editors





There is an increasing need tor systems which Drovide controlled
access to multiple levels ot sensitive data and intormaticn. This
rencrt comorises the first phase ot the realization ot such a system:
the comprehensive design ot a multilevel secure tile storage system.
This is the tocus ot an ongoing research oroject, which is currently in
the early implementation phases. The design is based uocn security ker-
nel technology as applied to modern multiple microcomputer arrays.
This design is intended to interface with other (distributed)
Drocessing elements, perhaps torminq the central hub ot a data secure
network ot computers. The design would orovide archival shared storage
while insuring that each interfacing processor accessed only that infor-
mation appropriate. The design ohase of the orcject is presented in a
series of three research reports (Masters Oegree theses) . These
reports, reorinted in their entirety here are: (1) Capt, O'Conneli and
Lt. Richardson's definition ot a secure multi-microprocessor family of
operating systems; (2) Cant- Coleman's detailed security kernel design
tor a member ot this family; and (3) Lt. Parks' hierarchical tile system
designed to run under the control ot Capt. Coleman's security kernel.
BACKGROUND
The Secure 'krchivai Storage System (SASS) system was first con-
ceived as a research project at the Naval Postqraduate School in late
1978. Crowing out of the requirements for unifying multiDle computer
systems' data bases in a secure environment, tor example the diverse
resources of the Naval Postgraduate School and its Ccmouter Center, its
Computer Laboratory, and its Microcomputer facility, a research program
was initiated to aopiy existing techniques to state of the art microcom-
puter architectures. Requirements and exoerience were drawn from a
number ot orograms, including the security kernel design of Multics [1]
,
the network storage of several systems including OCTOPUS [2] , the tile
structure of several timesharing systems including UNIX [3] , and the
current operational Navy programs of SMAP2 (the shipborne administrative
processing system) and the Navy Laboratory Computer Network (NALCON)
.
The requirements definition and design chase of this research
are just being completed. Prototype implementation of a demonstration
system is beqinning, and will be the subject of a second reoort.
The S\SS is designed as a member of the family of
secure, multi-microcomputer operating systems described by Caot.
O'Connell and Lt. Richardson Appendix A) . It is a rather restricted
subset with a uniprocessor , a static set ot processes, non-demand memory
management, and no application programs besides the supervisor itself.
However, a strong tamily tie is maintained since this project is just
one part ot research in secure operatim systems tor multi-
microcomputers.
The S^iSS design ettort tccuses on what are perceived to be the
key research issues and therefore does net include all the features that
might be desired for a production version. The design has made a cons-
cious effort to be extendable, and seme of these capabilities will be
addressed in the future.
A security kernel [41 is used to provide an extended virtual
machine supporting asynchronous Processes and a segmented virtual
memory. The security kernel is responsible tor ncn-discretioninq secu-
rity. It must be capable of enforcing ot the OcD classification and
clearance policy, but is applicable to other policies such as privacy.
Particular attention has been given to minimizing the size and complex-
ity ot the kernel. Each host is connected to the S\SS with its own
bidirectional digital link tor the transmission of commands and files.
The SASS provides each host with a hierarchical tile system. The host
can store and retreive tiles, and can share tiles with other hosts. The
SASS is self sufticient in the sense that any host can effectively use
it, even if the host has no independent knowledge of its contents.
OVERVIEW OF STRUCTURE AMD ORGANIZATION
The following sections summarize the salient features and struc-
ture of NPS-SASS. Design details tor each area are found in Appendices
A thru C.
STORAGE SYSTEM <ynyjcrtJRE
To minimize the security kernel, the storage svstem structure is
created entirely in the supervisor domain that is "outside of" the ker-
nel, as described by Lt. Parks (Appendix C). The tile system supervisor
builds en the primitive process and segment objects created by the ker-
nel.
Internal Organization
The file system supervisor creates a single, tree structured
tile system using only the primitive segments provided by the kernel.
Seme segments are used to create directories whose contents are managed
by the tile system itselt. These directories define the hierarchical
file structure. The underlying kernel has no explicit knowledge of this
file structure.
The files trom a host are stored as a strings of bits that are
never interpreted in any way within the SASS. One or more segments, as
required, is used to store each tile.
^vo processes are associated with each host link and access that
portion of the tile structure associated with that host. An I/O process
orovides tor the transmission of information over the link to the host.
This process communicates with a tile manager orccess that is responsi-
ble tor the tile system structure.
Host Interface
The I/O process ccrnmunicates with its host using fixed length
packets. The physical I/O coerations are performed by the kernel, in
response to requests trcm the supervisor. Packet exchange with the host
is on an asynchronous (send/acknowledge) basis with a limited -''send
ahead", errcr checking, and retransmission it required.
There are two classes of packets: data and commands. Each com-
mand to the SASS is an "atomic" operation and addresses a single tile.
The commands are actual Iv executed by the file manager orccess. The
design specifically addresses the orcblem of retaining a valid tile,
even it the SASS is interrupted (e.g. a power failure) in the middle of
a command.
Host Storage
A SASS tile manager process creates a virtual tile system for
each host link. The host accesses tiles by means ot ccmmands, e.g., tc
create, delete, store or retrieve tiles. Sach host virtual tile system
is essentially a subtree of the total SASS hierarchy.
In addition, the virtual tile system can include a tile link to
a tile of another host. This is used tor sharing tiles. The SASS pro-
vides conflict tree sharing, even if a shared file is retrieved by one
host while it is being undated by another host. The retrieved file will
be some complete and valid version of the file that existed between the
time of the retrieval command and the time of the command completion
acknowledgement by the SASS.
SECURITY KST3NEL OR^AMIZ ?\TIQN
All the physical hardware resources are managed by the kernel of
the operating system, as described by Cant. Coleman (Appendix B) . The
initial design tor the SASS uses a serial, RS232 link to each host. It
contemplates a hard (Winchester) disk as the actual storage medium,
although care has been taken to avoid device dependence outside the dev-
ice driver itself. The kernel transforms the physical resources into
virtual resources for the use of each supervisor process.
Segmented Memory
The kernel produces a segmented (virtual) memory. This is done
through the use of memory management hardware, such as the memory
management unit of the Zilcg Z3000 [5] or the contemplated Intel VLSI
follow on [61 to the 308^.
This is a non-random access virtual memory. There is no demand
memory management. A supervisor orocess must request that the kernel
swap specific segments into or out of memory. Each process is allocated
a bounded, linear quantity of virtual memory into which it can swap seg-
ments. All communication between processes is accomplish using shared
seqments.
Asynchronous Processes
As noted before, there are two suoervisor processes tor each
host link. The kernel includes synchronization primitives to facilitate
communication between the I/O and file manager processes of a host. In
addition the file manager processes of different hosts use these syn-
chronization primitives to control race condition when accessing shared
files. The I/O process also uses this to synchronize with the physical
transmission of packets over the host link.
There is also a memory management kernel nrccess. This orocess
dees the actual I/O needed tcr the swapoing of segments between secon-
dary storage and memory.
SECURITY
The most distinctive feature of the SASS is its methodical
treatment of security. The security kernel technology is applied, an^
this has strongly influenced both hardware and software decisions. The
security kernel is organized as a distributed operating system for the
supervisor processes; that is, its functions are distributed in all
processes.
Each orocess has two domains: suoervisor and kernel.
Protection of the Kernel
Since it is included in the address space of every process the
security kernel orocedures and data are to be protected from tampering
by the supervisor. This means there must be some form of hardware
enforced domains. Since there is a strictly hierarchical relationship
(kernel more privileged than supervisor)
,
protection rings (as defined
for Baltics) are a satisfactory domain implementation. In fact, for
only two domains, simple user and supervisor processor modes can be used
along with memory management hardware to realize two rings.
The design includes a software gatekeeper to manage the entry of
a process into the kernel, viz., when the supervisor calls on a kernel
function - this gatekeeper also provides parameter validation for these
cross-ring calls.
Non-Discretionary Security
A. security policy may require enforcement of access limitations
that are established external to any computer. The noO classification
and clearance policy is a common example of such a non-discretionary
policy. The security kernel is responsible for this enforcement. In
fact, a major design goal has been to simplify the kernel as much as
possible by including only those functions necessary to enforce non-
discretionary security.
The link to each host is for a single access class (e.g. , single
10
level ot DcD classification) . This access class is authenticated by a
physical connection, that nay include an encryoted communication oath.
If a host is multilevel secure, then it nay have multiple host links to
the SASS. Sach SASS orocess, of course, is assigned the access class ot
its corresponding host- link. An examole ot the inoact of secutitv is
that process synchronization must be done with eventcounts [7] rather
than more traditional mechanisms such as Pand V.
Discretionary Security
In addition to the non-discretionary limitation, file access can
be further controlled based on individual user identification. This
discretionary security is enforced outside the kernel by the file
nanagement orccesses. H!ach tile has an access control list specifying
its authorized users.
The user is identited (by the host) as oart ot each command to
the SAS^. Clearlv the reliability ot this control is limited by the
ability of a host to reliably authenticate users and pass their identitv
to the SASS. However, no host weakness can impact the reliable enforce-
ment of the non-discretionary controls by the kernel.
Verif iability
The research goals of this project do not include verification
methodology that is being addressed by several other qroups. Use ot the
SASS in a hostile environment would most likely be preceeded by a formal
verification ettor thet tor kernel. The security kernel is designed to
11
the formal non-discretionary security model, and thus is considered
"verifiable. " By this we do not mean that the verification would
immediately succeed. Rather, we are confident that the problems
discovered by verification would not require any basic changes to the
desiqn.
SUMMARY
We have attempted to summarize the salient features of the Naval
Postgraduate School Secure Archival Storage System Design. We have
found this project to be an interesting and exciting experience in
applying state of the art security and operating system techniques to
the architecture of modern microcomputers. We hope the reader has been
encouraged to examine the design details as presented in the following
aopendices. Finally we would solicit any comments or suggestions the
readers might have for our consideration as we continue with implementa-
tion.
AC^1QT.\LF/TGSN1ENTS
The editors would like to acknowledge the many long hours of dedicated
effort on the parts of Capt. 7. O'Connell, Lt. L. Richardson, A. Cant.
Coleman, and Lt. S. Parks which was certainlv "'above and beyond the
call" of their academic requirements, additionally, we would like to
thank Professor TJno r<odres of the Maval Postqraduate School tor his sup-
port, advice and interest which in many ways enabled us to begin and
12
pursue this research.
This research was partially supported by grants trorn the Office ct Maval
Research Project Mumber MR 332005 monitored by Mr. 7oel Trimble, and
from the Maval Postgraduate School Research foundation.
REFERENCES
[11 Schroeder, M . O. et al, "The ^ultics Kernel Design D roject,'' Proc.
Sixth \CA Symposium on Operating Systems Principles, November 19*77,
on 43-55.
[2] Schneider, ThcmDson and Whitten, "Users Guide to the OCTOP'JS Corn-
outer Uetwcrk" University of California ^eocrt UOID-30043-R3
,
October 1975.
[3] Ritchie, 0. M. , and Thompson, K. , "The UNIX Time-Sharing System,"
Ccmm. ACM 17,7 (ju iy 1974), 3^5-3^5.
T4] Schell, R. R. , "Security Kernels: A Methodical Oesign ct System
Security," USE Technical Paoers (Spring Conference, 1079) , March
1979, pp. 245-250.
[51 Peuto , B. L. , "Architecture of a Mew Microorocessor ," Comnuter , 12,
2 (February 1979) , 10-21.
[51 Markcwitz, R. , and Pohlman, W. R. , "The Evolution nath of the °03^
Microprocessor Architecture for Operating System Environments,"
13
Intel Corporation, 19*30.
[7] Reed, D. P., and Xanodia, R. K. , "Synchronization with FVentcounts
and Sequencers," Conn. AC* 22, 2 (February 1970), 115-123.
14
NPS52-80-002 APPENDIX A
Approved for public release; distribution unlimited
DISTRIBUTED, S2CUR3 DISIGN FOR A
MULTI-MI CRQPRCC3S SOP. OPERATING SYSTEM
oy
James Steven O'Connell
Captain, United States Marine Corps
B.S., University of Utah, 1971
Larry Don Richardson
Lieutenant, United States Navy
B.S., University of Nebraska, 1373
Submitted in partial fulfillment of th<
requirements for the degree of





Dean of Information and PAlicy Sciences
A-l
A3STHACT
This thesis applies the state of the art techniques for
methodical design of secure operating systems to a
distributed, multi-microprocessor environment. Explicit
process structure and utilization of virtual environments
are the fundamental concepts that form a basis for the
design presented. The primary design techniques utilized in
the design are segmentation, distributed operating system,
security kernel, multiprocessing, "cache" memory strategy
and multiprogramming. The resulting design is for a family
of distributed operating systems that can provide the power
of yesterdays large computer in a microprocessor
environment. Security, configuration independence, and a
loop free stricture are the primary characteristics of the
design. The design, although hardware independent, was





I. INTRODUCTION a- 6
A. MOTIVATION a- 7
3. BASIC ELEMENTS 07 DESIGN a- 8
a. STRUCTURE 0? THE THESIS a-12
II. FUNDAMENTAL CONCEPTS A-13
A. PROCESS STRUCTURE a-13
1. Definition of a Process a-13
2. Multiple domains A~14
3. Communication and Synchronization A' 15
£. System Processes A-ia
5. Process Switching a-18
B. SEGMENTED VIRTUAL MEMORY a-19
1. Segmentation a-21
2. Loading a-22
3. Dynamic Linking a-23
4. Information Sharing a-24
5. Access Control a-26
6. Functional Subsets a-26
C. SECURITY a-27
1. Computer Security Problems a-28
2. Mathematical Model A-32
3. Properties and Conditions a-34
4. Segmentation a-38




1. Resource Visualization a-4i
2. Distributed System a-42
3. Multiple Protection Domains a-43
4. Multiprocessing a-44
5. "Cache" Memory Strategy a-45
6. Multiprogramming a-46
?. Family of Operating System a-47
3. Levels of Abstraction a-49
PROPOSED DESIGN A-51
1. Notation a-51
2. System Overview a-52
3. Supervisor A-eo
a . Linker A-eo
b. Searcher A-ei
c. Segment Handler a-62
d . Memory Handler a-64
e. Discretionary Security a-65
4i. Distributed Kernel a-66
a . Segment Manager * a-66
b. Non-Discretionary Security a-70
c. Taffic Controller A~7i
d. Inner Traffic Controller a-75
5. Non-Distributed Kernel a-79
a. Memory Manager a-79
b. I/O Manager a-82









The microprocessors available today are affordable and
powerful computing devices. Applying these resources to
various applications r especially those requiring multiple
microprocessors, presents a formidable problem. The solution
to this problem is a family of operating systems to
effectively orchestrate processor and memory management
across a wide range of applications. However, such systems
have not come from the specialized microprocessor operating
systems in use today. Such an operating system family could
provide a major reduction of overall system software cost in
the microprocessor environment.
In this thesis the substantial body of operating system
design principles are applied to a methodical design of an
operating system for the microprocessor environment. Tor
realism the Zilog Z8000 microprocessor [lj is considered
representative of modern features. Configuration
independence, distributed processing, multiple protection
domains, multiprocessing and multiprogramming are addressed
in the design of a secure operating system suitable for a
family of operating systems: ranging from a specialized
tactical system to a multi-user time sharing system.
The thesis will also identify meaningful subsets of the
design (viz., smaller members of the family) for potential
use, and state hardware needed (future development) to
A-
6
implement the design to its fullest capabilities. The
operating system designed in this thesis will he referred to
as the SYSTEM throughout the thesis.
A. MOTIVATION
The processing power of microprocessors is increasing.
If this power could he effectively coordinated hy an.
operating system it could provide a more affordable and
powerful product. In addition, there is a growing emphasis
on the protection of information stored and processed in
computers; hence, the requirement for a system that also
provides information security.
The multi-microprocessor systems in use today suffer
performance degradation as more processors (generally a
maximum of *• to 5) are added to the system. Sophisticated
crossbar interconnections between processors and memories
can reduce this problem. However, there is still a need for
a combination of microprocessors and memory that dc not
suffer massive degradation as more processors are added.
The ability to configure a system to meet a variety of
capacity needs is an important feature; however as software
becomes an increasing portion of system cost, the ability to
reconfigure the system as requirements change without major
re-design effort is often an even more valuable feature. For
this reason the design technique of resource visualization





B. 3ASIC ELEMENTS OF DESIGN
The SYSTEM is composed of a supervisor and a security
kernel [2]. The supervisor supports user services (dynamic
Linking, discretionary security, demand memory management
and a hierarchical file system). The security kernel
controls the physical system resources (processors ,> memory,





A process within the computer system is an internal
representation of the computational task of a user utilizing
the system. Each process is characterized by an execution
point and an address space. Attributes of each process
include a security class authorization and a unique
identifier that corresponds to the user. 3y supporting
distinct, explicit processes the operating system allows an
application to be divided into several cooperating parts.
Such a process structure leads to simpler more effective
software
.
2. Segmented Virtual Memory
Segmentation involves separating all stored
information into discrete packages called segments. Each
segment has attributes such as security class and access
(read or write) permissions. A process' address space is a
collection of segments. Segmentation is used by the
*-8
supervisor to present the user a random access virtual
memory. Copies of all segments are kept on secondary storage
until actually referenced, at which time room is made for it
in main memory, possibly "by removing another segment from
memory. This demand memory management is done within the
supervisor. The supervisor views a non-random access virtual
memory. 3y presenting the supervisor and the user with
virtual environments the kernel establishes configuration
independence for them.
3. Distributed Operating Srstem
The address space of each process has three domains
(user, supervisor and kernel). The domains form sub-sets of
the address space by limiting the segments that can be
accessed when the process' execution point is within a given
domain. The operating system is part of each process. It is
distributed throughout all the processes in protected
domains (supervisor domain and kernel domain). Maximum
access is in the kernel domain. It is the most priviledged,
and the traditional "privileged instruction* can be executed
only in the kernel domain. Only the kernel domain has access
to system wide data bases.
The kernel domain creates an extended machine for
the supervisor and is supported by system processes. The
supervisor is less priviledged but provides the user domain
with certain common services such as discretionary security
and virtual memory. It should be noted that by distributing
A-9
the operating system throughout all processes, services are
independent 1/ (and simultaneously) available to each
process.
4. Processor-Local Memory
The operating system is designed to support a
multi-processor configuration with a local memory in close
proximity to each processor. The local memory is addressable
only* by that processor. In addition there is a global memory
that is addressable by all processors (Figure 1).
Segmentation is the key to effective allocation of
information between local and. global memory. Problems can
arise in the use of a local memory. If a process is allowed
to execute on any processor then each time the process is
switched from one processor to another the contents of local
memory must also be switched. Thus the use of local memory
implies that general multiprogramming should not be allowed.
This problem can be alleviated by allowing multiprogrammed
processes to be semi -dedicated,, that is make an effort to
restrict the process to a certain processor.
5. Security Kernel
Security cannot in general be built around a present
system (i.e., added to) but rather a system must be built
around security. Tet today there are a limited number of
"secure" systems. One of the main obstacles in providing



























developed security kernel [2] technology has made it possible
to solve this problem. By keeping all the things that
provide the security in the security kernel and keeping the
things that do not involve security out, the security kernel
can be kept relatively small and verifiable. The desire to
keep the security kernel small (to simplify the verification
procedure) is one of the goals driving several design
choices
.
C. STRUCTURE 0? THE THESIS
First, the fundamental concepts (process structure,
virtual memory and security) and their relationships to the
SYSTEM are discussed. Second, the design of the SYSTEM is
presented. This includes a discussion of the design
techniques utilized as well as an explanation of the




By dividing a job into asynchronous parts and executing
these parts as seperate entities significant benefits can he
realized. '#ithin a single processor system, the partitioning
into asynchronous parts provides 'only" design simplicity
(and thus software economy). In a multi-processor system the
partitioning into asynchronous parts is essential if the
parallel processing potential of the system is to he
realized .
1 . Definition of a Process
A process is characterized by an execution point and
an address space. Saitzer[3] defines a process as a program
in execution on a pseudo-processor. Each process is assigned
a unique identifier and is an explicit entity that requires
management. In a distributed operating system, those
portions of the operating system that are logically part of
the sequential flow of control (viz., locus of execution)
are within the address space of the user process. This is
made possible by dividing the operating system into
procedures which are called Hie any other procedure. It
should be noted that in a distributed operating system there
is no "master" assigning processes to processors. Rather,
each running process "hands off" its processor to the next
A- 23
process that is to ran.
2. Multi-Die Domains
-
To protect these procedures from the user, the
process' address space is divided into hierarchical domains:
user, supervisor, and kernel. The kernel domain is the most
privileged. Only the security kernel executes in this domain
and can access all segments within the address space. All
system wide data bases are restricted to access "by the
security kernel to prevent any exchange of information
"between processes, in violation of confinement [4j . There
could he more than three domains, and all domains need not
he hierarchical, hut three is minimum for this design.
The supervisor domain is less priviledged and
excludes segments representating the management of the
shared resourses. The supervisor domain is separated from
the user to protect the user from inadverently destroying
the operating system services. The user domain is the least
priviledged. The data oases utilized by the supervisor
contain only "process local" information - that is,
information that is required by this process alone.
Proper controls and checks are utilized when
switching the domains (flow of control) so that the security
policies are not violated. The hierarchy could be
implemented with rings [5] in hardware. Since hardware rings
are not available in microprocessors, separate segment
descriptors for each domain can be used, with software ring
A-14
changes as was done in the original Multics design[5] . The
Zilog ZS0£0 can use multiple memory management units (MMU)
to provide the separate descriptor for each domain.
Operating system procedures generally are permitted
to reside within the local memory (possibly ROM) of each
processor. In the cases of the security kernel, some of the
data bases of these procedures are shared by all processors
and therefore will reside in global memory. To prevent
undesired intervention by simultaneous accesses to these
data bases a locking scheme must, of course, be provided.
Choosing to put the operating system procedures in each
local memory will "waste* memory but may well provide a
higher performance by keeping most memory references to
local memory where there is no contention for the BUS to
global memory. In a specific instance the choice will be
determined by whether or not the cost of memory is
significant when compared to the value of the increase in
performance
.
3 . Communication and Synchronization
For parallel processing, a job that is composed of a
mixture of sequential and non-sequential tasks is explicitly
divided into an appropriate structure of processes that can
run concurrently. Inter-process communication and
synchronization are necessary for parallel processing.
Inter-process communication provides synchronization to
coordinate the exchange of data between processes. The
A-15
actual exchange is realized by use of a shared writable
segment. This segment acts like a mailbox in that messages
(data) can he delivered by any process that has the
appropriate access (both discretionary and
non-discretionary) .
The synchronization between processes is supported
by the 3L0CI and WAKEUP, which are kernel calls to the
traffic controller. It should be noted that the P and 1
semaphores [7] are useable for synchronization but were not
chosen. The traffic controller concept is taken from
Saltzer[3], and his block and wakeup have demonstrated their
usefulness in his design for Multics. The traffic controller
is the operating system (kernel) module that manages
processes. The traffic controller has the job of scheduling
user processes. The traffic controller does this by
multiplexing the users processes onto a limited number of
virtual processors.
The 3L0CK and WAK3U? are primitives of the traffic
controller that provide synchronization for the user
processes. How the user's procedures invoke the BLOCK and
WAKZUP primitives will, of course, determine the actual
process structure. These primitives can be used to provide
simple cooperation, such as mutual exclusion, or complex
interactions when required by the application. A process can
only block itself and cannot block another process. The
block invokes the traffic controller and the traffic
controller puts that process in the blocked state and then
A-16
schedules another process to run on that virtual processor.
The process that is scheduled next is based on the specific
scheduling policy of the traffic controller.
The wakeup is used to provide asynchronous processes
a synchronization signal* The parameter passed with the
wakeup is the process ID of the process for which the wakeup
is intended. The wakeup invokes the traffic controller. The
traffic controller checks the state of the process specified
by the parameter. If that process is not in the blocked
state the traffic controller returns, otherwise he will put
that process in the ready state and determine if there is
another process running with a lower priority. If this is
the case the traffic controller will send the virtual
processor that the lower priority process is running on a
pre-empt interupt, and then return. The process that
receives the pre-empt interupt will transfer control to the
traffic controller who will in turn schedule the ready
process with the highest priority.
Another STST2M module concerned with synchronization
is the inner traffic controller. This manages the hardware
(real) processors to create the virtual processors that are
managed by the traffic controller. The inner traffic
controller provides the interface between the virtual and
physical (real) processors. The inner traffic controller is
responsible for assigning the small, fixed number of virtual
processors to physical processors. "Each physical processor
has associated with it several virtual processors. Some
A-17
virtual processors are multiplexed between users processes
by the traffic controller. The remaining virtual processors
are allocated to the system processes. Each system process
is assigned a virtual processor. The inner traffic
controller determines which virtual processor will run on
the physical processor based on the priority assigned to
each virtual processor. The primitives SIGNAL a^.<i WAIT are
used by the inner traffic controller to provide
communication and synchronization between the virtual
processors. SIGNAL and WAIT are very similar in form and
function to 3L0C1 and WAKSUP, except for the fact that they
relate to virtual processors rather than user processes.
4. System Processes
System processes are used to perform operating
system functions that are asynchronous to each user process.
System processes are typically responsible for the shared
resources. The system processes are in the kernel and
therefore permitted to access information of any access





Process switching is the removing and assigning of
processes to virtual processors. When a process switch
occurs the execution point (internal registers) and address
space of the process being removed must be saved (unloaded),
A- 18
and then the execution point and address space of the new
process must be loaded.
Some systems utilize a descriptor base register
(D3R) [6, p. 12] , which is a pointer to multiple descriptor
lists in memory - one list for each process. To change the
address space you only need to switch the T3R in the
physical processor. However, in microprocessor systems a
descriptor list is implemented as registers in the memory
management unit (MMU). Process switching can be costly when
MMU registers are saved and restored for each change in
address space. Alternatively, it is possible to increase the
number of MMCs and then the address space could be changed
by just switching control to another MMtJ.
3. SEGMENTED VIRTUAL MSMCRT
In many memory handling" schemes a user process cannot
run until there is sufficient memory available to load its
entire address space. This requires large main memory and
restricts the size of the process's address space. An
alternative is to use the operating- system to produce the
illusion of an extremely large memory. Since the large
memory is merely* an illusion, it is called virtual memory.
Demand segmentation is a memory management scheme which is
used to realize the concept of virtual memory in this
design.
Memory has three different views which corresponds to
the three different domains (user, supervisor, kernel)
A-19
within tile computer system. Starting- with the user, each
view is derived from the previous view by means of an
"extended machine" view. The user sees a practically
unlimited segmented virtual memory. The user is no longer
involved in memory management. Demand memory management is
utilized to interface between the user view and the
supervisor view.
The supervisor views a fixed amount of virtual memory.
The memory is fixed by the physical memory allocated to each
process by the kernel. The kernel establishes a mapping
between the supervisor memory and the kernel memory. The
memory is virtual because there are only absolute addresses
in the kernel. The supervisor multiplexes the user's
segments onto this fixed virtual memory in response to a
hardware fault when the process references a segment that is
not in memory. The demand memory management was placed in
the supervisor because it is not involved with security and
we want to keep the security kernel as simple and small as
possible.
The kernel views a fixed physical memory. The physical
memory is limited by the local memory available to the
processor for use by the user processes. There is some
minimum amount of memory required by the operating1 system
for each processor. 3efore a process is elgible to run, its
fixed virtual memory (of the supervisor) must be mapped into
the fixed physical memory of the processor. We then call the
process "loaded". The kernel's memory manager is responsible
A-20
for the proper mapping as the processes address spaces are
multiplexed onto the processor's physical memory.
The idea is to require that a limited amount of the joe
be resident in memory. When the user requests a portion of
the process that is not currently in memory, a fault will
occur. The supervisor, using the demand memory manager, must
find the requested segment and decide where it wishes to
place the requested information in virtual memory. The
supervisor then sends a reauest to the kernel to bring this
information into memory, thereby repairing the fault so that
normal processing can resume..
1. Segmentation
In most micro systems, the user cannot effectively
share memory because the different uses of memory can not be
specified. The inability to specify the memory use makes
memory management difficult, especially when there is memory
local to each processor. The different uses are denoted by
shared/unshared and writeable/ron-writeable (read). The









If the memory can be divided by uses and each part has
attributes which distinguish the uses, then the management
of memory is made reasonable.
A- 21
Segmentat ioa provides the ability to divide the
memory into parts (segments). A segment is a collection of
information important enough to be given a name. Each
segment is distinguished from others by its logical
attributes,, that provide the basis for the desired control.
Segmentation provides a mechanism for a limited portion of a
processes' information to reside in memory at any one time.
This also facilitates easy movement of information by
segment in and out of memory. The collection of all segments
that a process may access (whether or not in physical
memory) is what composes its address space.
2 . Leading
The loading of a segment consists of finding a
segment and making it known (discussed later) to the
requesting process (viz., adding the segment to the address
space). It is the added feature of segmentation that this
loading may be delayed until the segment is actually needed.
At that time a segment name can be transformed into a file
system pathname. The pathname can then be resolved into the
unique identifier for a segment. Then the supervisor
requests a segment number be assigned by the kernel, which
makes the segment known to the process. If the segment is
then required for execution it is physically loaded into
memory when actually referenced.
Each segment has associated with it a segment
descriptor[6] which contains its attributes (address in
A-22
memory, size, access allowed). Since this descriptor is
referenced by the hardware at each access request to this
segment, then the memory uses can be distinguished. The
different segment descriptors of a process can then be
contained in a descriptor list. This design utilizes the MMU
(memory management unit) which consists of a set of
registers to implement the descriptor list. Each register
(segment descriptor) contains the descriptor of a particular
segment. The ^KU registers retain the distinct attributes of
each segment at execution time and, therefore, makes it
possible for another process to share selected segments, if
desired.
The dynamics of a segment fall into two classes,
physical and logical. An example of the physical dynamics is
the request of a user for write access to a currently used
segment. The operating system can physically move the
segment from local to global memory so the segment can be
shared without the user's knowledge. A stack segment whose
size varies is an example of logical dynamics.
3. Dynamic Linking
When a procedure segment makes an external reference
to another segment, the address of the later segment must be
determined. This is called linking, the constructing of
executable instructions that achieve references to externel
objects (segments). Linking nee<i not be completed at load
time* It can be nostooned until the actual reference is
A-23
encountered. This waiting to Liai, until referenced, is
called dynamic linking[3] . Segmentation is not necessary to
achieve dynamic Linking, but it helps. When a process begins
execution, it should not have to find and bring into memory
any more of its segments than is absolutely necessary to
begin running. The mere presence of a reference to an
external segment in a segments text is no guarantee that the
flow of control will touch this reference. Therefore, there
is little point to undertake the expense of finding a
segment and making it known unless there is some significant
expectation that that segment will be referenced during the
time allotted to that process. Dynamic linking permits
unnecessary linking to be eliminated.
Once the segment has been made known to the process
(assigned a segment number), even though it may be moved in
and out of memory, the references to this segment need not
be changed since the segment number remains the same. The
segment descriptor is used to reflect the presence of a
segment in memory and the current address in memory. The
segment looses none of its attributes by virtue of having
been made known to this process.
4. Information Sharing
Segmentation allows direct addressability >ij the
process to any segment within the process' address space.
The basic advantage of direct addressability is that the
copying of data is no longer mandatory. A segment is also a
A-24
unit of sharing. This eliminates the need to duplicate a
segment for each requesting process and saves memory. Even
more important is the idea that sharing provides a means of
inter-process communication. This is important for realizing
the power of the explicit process structure, that is
essential to an effective multi-processor environment.
In general each procedure segment must he pure to
ensure sharing- is implemented correctly. A pure procedure
operates on variables in registers or in separate data
segments associated with the process. It never stores data
internally, nor does it alter itself. The linkage segment is
such a data segment used, to support the pure procedure. A
linkage segment is associated with each process. The linkage
segment is composed of linkage sections. There is one
linkage section for each procedure segment. The linkage
section is used to place all alterable information (linkage
faults, segment numbers, other static temporary variables)
for the pure procedures- Thus, the processes' segments which
are pure may be shared while linkage sections must be unique
to each process. The fact that the linkage segments are not
shared makes it possible to assign different segment numbers
to the same procedure in different processes since segment
numbers occur explicitly only in linkage segments, that may
be different for each process.
The approach in this design is to place the copies
of requested segments into local memory, thereby reducing
the data bus traffic. If the read-write access reauirements
A-25
are such that a segment must he physically shared, then It
is placed in Global memory and every process that is given
access will access it there. The key to this memory
management is segmentation that keeps a segment's attrihutes
explicit. The kernel can properly manage placement in local
and global memory with no intervention from the supervisor
or the user to "declare" that the sharing is needed.
5. Access Control
The access control in this design is separated into
discretionary (supervisor) and non-discretionary (security
kernel). When a segment is requested the supervisor
references the access control list attribute for that
segment and the access authorized for that process (subject)
is determined. The supervisor then passes this to the
security kernel sa that a non-discretionary check can be
made.. The kernel compares the access class of the segment
with that of the process and the appropriate access is
allowed. This access authorized is always the lesser of that
requested by the supervisor and that permitted by the
kernel. The access one process has for a segment is
independent of the access another process has for that same
segment.
6. Functional Subsets
Some members of the family of operating- systems will
not include all of the functions made available by this
A-26
design. As an example, consider a family member (e.g. for
tactical system) supporting applications that are entirely
resident in memory and pre—linked. It would require none of
the virtual memory functions provided by the supervisor.
This design readily allows this sort of functional
subsetting "because of its loop free structure [9] .
C. SSCURITT
The increased capability of the computer system in the
last decade has dramatically increased its possible uses.
^any users have actively allowed the computer system to
assume an increasing number of jobs upon which the user
depends to successfully function. As more dependence was
placed on the computer it became evident (regrettably by
example) that a knowledgeable user (employee of a user) who
has access to the computer also has access to all the
information contained within the system. Users such as the
government (classified information), banking facilities
(transfer of funds), corporations (trade secrets) have a
need to protect certain information from specific users?
therefore, there is an increasing demand for a secure
computer system. Designating a specific computer to only run
at a specific security class or only running certain
security classes at specific times has proven unsatisfactory
for the user who has information at many access classes.
What is commonly called a "multilevel" environment is one in
which information and users at different security classes
A-27
can exist simultaneously on the same computer system without
permitting a user to access information he is not authorized
to use. One goal is to design a system which will allow
secure operation in a multilevel environment.
1. Computer Security Problems
The initial attempts to provide a secure system
involved adding security onto existing systems. This proved
largely "useless for" designers were intuitively trying to
block: methods of would-be-penetrators rather than providing
a technically sound system design. These futile attempts [10]
led to the emerging technique of methodically designing a
secure system based on a security kernel derived from a
mathematical model (discussed later).
Information security can be provided by external
and/or internal control. External control includes guards,
watch dogs, door ciphers or anything which would prevent an
unauthorized penetration of the compound. Once the
penetration is made, the pot of gold is exposed. The
internal control is concerned with preventing unauthorized
penetration of the computer system. This involves insuring
the effectiveness of internal mechanisms in the operating
system so that only authorized exchanges of information in a
multilevel environment can occur. This includes providing no
information to unauthorized users and consistent replies to
security violations. The latter is necessary to insure no
inadvertant leakage of information [4l concerning the
A- 28
internal mechanisms. External control is expensive and
human-prone. It does not provide for the secure sharing of
information needed by many applications, thus forcing users
to forego many of the capabilities of modern computers. A
goal of this thesis is to design an operating system that
provides information security by utilizing internal control.
External controls are, of course, still required to
physically protect the computer system's information.
The reference monitor is an abstraction created to
present the conceptual idea of providing a secure computer
system. The reference monitor is composed of subjects,
objects r and an access matrix. Subjects are system entities
such as a user or a process that, can access system
resources. Objects are system entities such as data,
programs and peripheral devices that can be accessed by
subjects. The access matrix represents the permitted
accesses between subjects and objects. The reference monitor
must support the ability of subjects to reference objects as
per the access matrix and it must also support the ability
to alter the access matrix.
The security kernel [2] is a relatively recent
technical breakthrough, for computer security. The security
kernel is that portion of the computer's hardware and
software which enforces the authorized access relationships
between subjects and objects. It is the realization of the
abstract concept of a reference monitor. The software
portion of the kernel acts as an interface between the rest
A-29
of the system and the hardware. The software content of the
security kernel is influenced by the hardware features of
the processor. The underlying idea is that if the hardware
is proven correct and if the software is kept small and it
can be proven correct, then we can provide internal security
controls that are effective against all possible internal
attacks. Global variables such as the unique identifier have
been excluded from the supervisor. This has been done to
prevent undesired leakage of information. The global
variables are placed in the kernel where their proper use
can be verif ied[ll]
.
The security kernel must meet three essential design
requirements. First, the kernel must be tamperprocf. Second,
the kernel must be invoked on every attempt to access
information. Every reference must be checked by either
software or hardware that is provided with sufficient
information to make correct decisions on granting or denying
access. Finally, the kernel must be subject to
certification. "Subject to certification" implies that the
kernel's correctness must be proveable in a rigorous manner
using- a mathematical model as the basis for the criteria to
be met.
In developing a secure system the approach to be
followed should consist of the following: determine the
security policy to be enforced, develop a mathematical model
consistent with desired security policy, design a security
kernel based on the mathematical model, implement the design
A-30
using available hardware and required software. A computer
system is said to be "secure" with respect to some specific
security policy. A security policy consists of the external
laws, rules and regulations that establish what access is to
be permitted. There are two distinct types of security
policy: non-discretionary and discretionary.
N0N-DISC3JBTI0NAar POLICT involves checking the
requested (viz., the object's) access class (oac) with the
access class of the (subject) requestor (sac) to insure they
are compatible- Each system contains a lattice structure [12]
that defines the relationships between different access
classes. The following defines the access permitted:
sac=oac, read/write permitted
sac>oac, read permitted
sac<oac r no access
The lattice can be totally ordered (all classes related) or
it can be partially ordered (not all classes related). An
example of a policy with totally ordered classes would be
the government classification (unclassified, confidential,
secret, top secret) of information, oac and the access class
of its' users, sac, called the user's clearance. Tor such a
lattice policy the system must insure that access to
classified information is always confined to cleared users.
DISCH5TI0NA3.T POLICT involves checking an access
control list (ACL). If the user requesting access is not
included on the ACL then the access is not permitted. This
allows users to specify who can access their files. This
A-31
policy really lies within the non-discretionary structure
and provides further refinement. This policy would reflect
the "need to know ' rule of DOD.
There are many distinct system designs which
correspond to the almost endless number of policies?
however, the current state of the art allows a simple,
uniform mechanism for nearly all practical policies. The
implication is that the kernel designer does not have to
concern himself with the particular security policy of a
specific customer. He must, however, consider the two broad
classes of policy: discretionary and non-discretionary.
2- Mathematical Model
.i mathematical model [13] is a powerful design tool
for formally translating the requirements of security policy
into a precise representation of the behavior of the
corresponding security kernel. The mathematical model is a
finite state machine model that gives a set of rules of
operation for making a state transition. If the system is
initialized to a secure state, then the rules of operation
guarantee that all subsequent states are secure. Previous
research [14] has proven that security kernels whose design
is based on mathematical models can be certified correct.
Two of the basic elements of the model are subjects
and objects. The model defines types of accesses that a
subject may have to an object. These access types are read
and/or write. The state of the system with respect to
A-32
non-discretionary and discretionary security is represented
by four sets (b, m, f, h). This design implements
non-discretionary security policy in the kernel (sets b, f)
and the discretionary policy in the supervisor (sets m, h).
The folowing discussion pertaias to non-discretionary
securi ty.
b - represents the current access relationships that
exists between all subjects and objects. This set is
represented by the segment descriptor list, viz., the
contents of the hardware registers in the MMU (memory
management unit ) .
f - gives the access class of all subjects and
objects in the system. This set is distributed in this
design: the process's access class is founi in the active
process table (APT) and the segments access class is in the
active segment table (AST).
The desired properties of the system are then
realized in the form of rules. These rules enforce the
desired security policy by manipulating *he sets which may
or may not change the state of the system. If the state of
the system is changed it must guarantee that the new state
is secure.
The discretionary security policy is enforced in the
supervisor. This design decision was made because cf the
lesser importance of "need to Irnow" controls to the
military, and to 'seep the iernel small for ease of
verification .
A-33
The sets which, are used to enforce the discretionary
policy are m and h.
m - corresponds to an access matrix which represents
the potential access of the subjects to objects (implements
the "need to '-mow" security policy). This set is represented
by the access control list for the segment (object).
h - indicates how the objects are hierarchically
organized, in a directory tree structure. The hierarchical
tree structure consists of nodes, leaves, and a root from
which the tree eminates. The nodes represent a directory
segment (list of attributes for other segments) and the
leaves represent non-directory segments (data or procedure).
A user is free to create either directory or non-directory
segments. The ability to add directories implies that a
user, if he chooses, can add to the overall system hierarchy
a subtree of arbitrary depth.
3 . Properties And Conditions
There are a few basic security properties which
need to be considered:
SIMPLS SECURITT CONDITION- this condition addresses
the problem of security compromise. If in set b all subjects
have an access class greater than or equal to the access
class of their objects, this condition is satisfied. This
insures the subject only reads information at or below the
class for which it is cleared.
CONFINEMENT - this property addresses ootential
A-34
(rather than actual) security compromises. If all subjects
could be trusted to perform in a proper manner (with respect
to security) , then this property would not be needed. The
fact is that unless a program is proven to behave in a
certain fashion as described by the mathematical model or
formal specification, we cannot make any statements
concerning its behavior. We must therefore make the
assumption that the programs will attempt to violate
security regulations. Subjects are therefore assumed to be
untrustworthy. The potential for a security compromise
occurs when a subject has simultaneous read access which is
at class a and write access at class b (class a >ciass b).
For example, the potential for compromise is realized if two
events occur: (1) the subject reads secret information from
the secret object and writes it into the unclassified
object. (2) a second subject whose access class is
unclassified gains access to this (nominally unclassified)
object and reads the secret information. There are two ways
of preventing this type of situation from occurring: high
water mark and confinement property.
High Water Mark - upgrade the class of the file to
the highest class requested. This solution, while
technically correct, would over classify information so that
it would not be available to normally cleared subjects.
Confinement Property (^-Property) - this property
requires that all objects to which a subject has write
access have the same access class as the subject and that
A-35
all objects to which it has read access have an access class
less than or equal to the access class of the subject. Since
a subject will always have write access to some object if it
is to perform a computation, we define the current access
class to be that class at which the subject wishes to have
wnte access. Since all subjects are assumed untrustworthy
with respect to security requirements, the confinement
property eliminates the certification requirement outside
the security kernel. This eliminates the immense job of
certifying the supervisor and the user programs. This
property is enforced in the kernel by not allowing any
subject write access to an object with a lower access class.
COMPATIBILITY PR0P2RTT - If an object in the
hierarchical structure is inferior (child) to an object
(parent) and the access class of the parent is greater than
that of the child, then a subject with an access class the
same as the child can never access that information since it
can not access the access control list which is kept in the
parent. In order to avoid this problem we introduce the
concept of "compatibility". A hierarchy is compatible if
access classes are non-decreasing as one moves down the
hierarchy from the root. The access class of an object in
the hierarchy must always be greater than or equal to the
access class of its parent. Since the root has no parent its
security attributes are implied (viz., are the "lowest" of
any object). In this design, compatibility is enforced in the
kernel, but not in the traditional sense of enforcing the
A-36
access relationship of the parent/child hierarchical
structure. There is no hierarchical structure in the kernel.
When the segment is created the compatibility is implicitly
enforced before the request is allowed.
The reference monitor is an abstraction of the
hardware and software mechanisms that mediate all attempts
by subjects to access objects. The decision to permit or
deny access is determined by the security kernel. The
mathematical model is an interpretation of the reference
monitor abstraction and describes the behavior of a secure
system in terms of four component data bases (b, m, f, h)
and rules of operation* These rules specify how the data
base may be charged, they represent an "authorize"
operation. The security kernel can only allow subjects to
access objects as permitted by its representation of the
model's set b. The data base of the security kernel must
correspond to the model's lata base and can only change as
permitted by the model's rules.
The reference monitor of a physical computer system
is realized by a combination of software and hardware. The
portion required in software depends on the capabilities and
limitations of the hardware. There may be objects to which
the hardware can not properly control access and there may
be alternative representations of the same security state.
Either one of these situations require a kernel function
that does not change the security state. In the former case
there would be one or more functions to permit interpretive
A-37
access to an object; in the latter there would he functions
for changing- the representations of the security state
without changing the actual state.
Thus the functions of the security kernel
software [21 fall into three classes that correspond to the
fundamental operations of authorize, access, and null: (1)
functions that correspond to the rules of the model, thus
changing the security state; (2) functions that implement a
part of the reference monitor by allowing interpretive
access to objects as permitted by the current security
state, thus complementing the hardware access controls and
(3) functions that change the representation of the current
security state .
£ Segmentation
The mathematical model addresses abstract subjects
and objects. In this design subjects are the processes and
the principal information objects are segments. Processes
(subjects) can only access segments (objects) as permitted
by the access controls. Svery segment has associated with it
logical attributes (access class, size, read/write
permission) which are made visible at the time of actual
reference to the information. By including access control as
part of the logical attributes, a way to control access to
the information in the system has been provided. Only
"authorized" accesses are allowed.
Segmentation provides the mechanism so that all
A-38
online information stored in the system is directly
addressable by a processor and hence available for direct
reference by any computation. A basic advantage of direct
addressability is that users can physically share a single
copy. A concern which arises from sharing is that
information may be passed illegally between users. This is
prevented by the enforcement of the confinement property and
the simple security condition. The copying of data is no
longer mandatory as many users can share a single copy with
controlled access.
5 . Hardware Requirements
There are no absolute hardware requirements for
secure computer systems, any hardware is theoretically
acceptible. Given the current state of the technology,
however, certain hardware features are essential if we are
to build efficient secure systems [2]. These essential
features reduce and simplify the software portion of the
security kernel . Reduction and simplification of software at
the expense of additional hardware is necessary because
producing proveably correct software and hardware in the
security kernel is a necessity to achieve computer security.
One of the essential features is support for a
segmented memory. Segmentation allows all information in the
system to be stored in one type of object, the segment.
Saving1 to support only a single object type simplifies the
kernel. Segmentation allows all information in the system to
A- 39
be ccmpartmentallized into individual packages called
segments. Every segment has associated with it access
controls as previously ment loned. Only authorized accesses
as delineated in the access control list and allowed by the
access class are permitted. The address of information is
composed of two parts (segment *, offset). It is necessary
to efficiently resolve the two dimensional address into an
absolute address, therefore segmentation should be
implemented in hardware.
The other essential hardware feature is multiple
execution domains. This feature is used in most contemporary
systems -to protect operating systems from applications
programs. Strictly speaking only two execution domains are
necessary (one for the kernel and one for everything else),
but in practice it will still be desireabie to continue to
protect the operating system from applications software so





When designing an operating system there are several
approaches to consider: top down, bottom up and middle out.
Although most designs begin as top down or bottom up they
generally end up as middle out. In the design there are
several design choices available to the designer. In some
cases a certain design choice will preclude the ability to
utilize a specific design later on in the system design,
while in other cases a specific design choice could be a
driving force to dictate other design choices. Tor example
in the SYSTEM the design choice was made to ieep the kernel
relatively small to reduce the verification process. This
particular choice became a heavily weighted factor when, for
example, deciding where to support the demand memory
management which ended up in the supervisor. Following are
some of the design techniques that contributed to the
SYSTEM.
1. Resource Virtualiza tion
By using virtual processors and virtual memory
throughout the upper levels of the design, most of the
design is independent of the physical configuration. The
SYSTEM provides the virtual to real binding in the kernel.
This permits changing the configuration to ^eet user or
A-41
maintenance requirements without major changes to the
system. Since the processes are assigned virtual processors
there is no effect on the user when real processors are
added or deleted (except for the change in performance). Of
particular interest was the ability to add and delete
processors to the SYSTEM. More important was to develop a
design that allowed good capacity growth with the addition
of processors. In general, configuration independence
implies that the hardware (processors, memory and
peripherals) can he reconfigured without causing any
problems visible to the user.
2. Distributed System
The SYSTEM is distributed logically and physically.
Logically, portions of the operating system are distributed
within the address space of the users process within the
supervisor and iernel domains. The use of domains permits
the process to maintain its security attributes while
interacting with the operating system.
The physical distribution of segments among the
individual local memories provides performance (provides
high speed memory access and limits 3US contention). The
physical distribution allows the tradeoff of memory (viz.,
multiple copies) for performance. Although one of the
potential benefits of segmentation is sharing of pure
procedures the choice was made to disregard this benefit
when possible (no user has write access). This allows the
A-42
segment (viz., a copy) to reside in local memory to reduce
3US contention. The initial hypothesis is that the memory
wasted (much of it possibly ROM) is a small price to pay to
allow performance to grow well with the addition of
processors. This addresses the problem that in typical
multiprocessor systems capacity scales poorly because of
increase load on the BUS. However, this choice is not
fundamental to the design and could "be changed to eliminate
multiple copies.
Similarly for processors, processing is distributed
to processors to eliminate the dependency on a single
controlling unit. The system wide data bases are kept in
global memory providing access to all processors.
3. Multiple Protection Domains
The foremost consideration in the design of the
SYST2M was security. This is acheived by use of the security
fcernel technology, and segmentation provides one of the keys
to providing security* within the system. The set of segments
that are accessible is defined as a domain. The conventional
two state system does not provide the desired support for a
secure system. For this reason the 2-state (and associated 2
domains) is generalized to a hierarchical n-domain
system[6] . In the design, of the SYSTEM (a minimum of)
3-domains were considered adequate - user, supervisor and
fcernel. In addition,, the design permits that, based on user
application, a number of user domains could be supported.
A-43
Each domain is in concept similar to a ring[6]. The
authorized access of a process is determined by the current
ring of execution. The access within the different rings
form a set of nested domains. Ring (kernel) is the largest
set and ring n-1 is the smallest.
The ring- structure with the associated controls
provides a means for regulating the information that passes
between domains (rings). Cross-ring calls and parameter
passing are well def ined[15] . When the proper controls are
used they allow outer rings to make requests to inner rings,
but also protect the inner rings from unintentional or
intentional tampering. The ring structure when combined with
segmentation provides mechanism for the design of an
effective secure system by protecting the secure kernel.
4* Multiorocessing
The process structure provides the essentials for
parallel processing: support for a set of assynchroncus
processes that can communicate with each other. Parallel
processing does not require a multi-processor environment.
However, in a mul ti -processor environment parallel
processing can provide faster completion of a job.
There are many applications for parallel processing
within tactical as well as non-tactical systems. Whenever a
job depends on a mixture of asynchronous and synchronous
tasks and time is a factor, parallel processing is a
possible solution to getting the job done in the allocated
A-44
time. By using several processors working on the same job,
each doing seperate tasks, the overall time required to io
the job can he reduced (provided the job has been structured
into explicit processes). In microprocessors where
processors are relatively inexpensive and slow, parallel
processing may be the answer to keeping the cost down while
still being able to complete the job in the required time.
The above discussion provides some of the major reasons why
the SYSTEM was designed to support parallel processing on
multiple processors.
5 . 'Cache' Memory Strategy
A cache memory is generally thought of as a small
amount of high speed memory that is utilized with a large
low speed main memory in a system tc construct a memory
system that appears to be a larger high speed memory. This
appearance of a high speed memory is generally possible as a
result of locality of reference [15
,
p. 301] .
In a multiprocessor environment, where each
processor has its own cache memory, problems arise when
accessing shared memory. The main problem being that shared,
writable memory cannot be put in a cache. Segmentation
allows the assignment of attributes to segments, which
provides a way to identify cacheable segments (those
segments that are not writable and shared).
In a multi-microprocessor system where 3US
contention can become a problem a cache memory strategy
A-45
could be quite effective in reducing the number of requests
to the main memory, even though the cache and shared memory
are the same speed. The main advantage is avoiding access to
the system BUS rather than the increase in speed of the
actual memory access. The SYSTEM uses the strategy of a
cache in the form of a local memory per processor. Now
rather than being a copy of what is in global memory the
local memory (cache) becomes the place where the data is
stored instead of global memory (note that with a cache,
global memory need not contain a copy while the information
is in the cache)
.
Each processor has its own local memory which is
relatively large in size where cacheable segments are
stored. This means that large blocks of data will be moved
when a process is removed from one processor and
(subsequently) loaded on another processor. In addition a
global memory is utilized for shared writable segments
(unencacheable segments). Segmentation allows the STSTEM to
utilize the concept of caches and main memory but in the
form of local and global memory. The overall reason is the
same (speed up memory access), but in the STST3M this is
achieved by reducing the BUS contention through directing
most access to local memory.
6 . Multiprogramming
In a system where there are more processes than
processors there must be a means of switching processors
A-46
from process to process. Some reasons for switching process
are: current process completes, a higher priority process is
ready, current process is blocked, or current process is
waiting I/C. Whatever the reason for switching, there are
certain things that must he done in performing the switch:
first, save the address space of the old process as well as
the current execution point represented by a portion of the
processor state, and secondly, reloading the address space
and previous execution point of the new process. The process
svitch must occur in a specific sequence to insure the new
process resumes execution at the same point and in the same
logical state as when it was previously switched. In the
STSTZi* re-establishing the local memory to its previous
state becomes part of the process switch (when switching
user processes ) .
Eecause of the overhead (unloading and loading ail
the MMU registers) associated with process switches,
provisions are included to make the processes semi-dedicated
to a processor and thus make the requirement for memory
switches infrequent. In order to make the process switch
totally hidden outside the kernel r the segments that were in
memory the last time the process was executing must be
loaded in memory prior to allowing tne process to resume
execution. The lack of a "DSR" [5, p. 12] is a problem, cut
saving copies of the MMU, that can be reloaded when required
reduces the severity of the problem.
7. Family of Operating Systems
A-47
The design in this thesis is not really for a single
operating system, out rather for a whole family of operating
systems. For anj specific system the family member chosen
depends on the functions required. A tactical system which
is static in nature does not require many of the user
services supported by the SYSTEM. For this reason the family
member that consists of only the kernel could be the
specific operating system chosen for a tactical system. A
general purpose time sharing system, on the other hand, is
very dynamic in nature, utilizing large address spaces,
variable number of users, etc. The family member that
supports dynamic linking, a hierarchical file system and
demand memory management cculd be the specific operating
system for the general purpose time sharing system.
Operating system sub-setting refers to she ability
to form meaningful sub-sets of an operating system. In the
design of the S7STIM a sub-setting capability was one of the
goals. The structure is such that many of the services
provided by the SYSTEM can be eliminated without effecting
the usefulness of the remaining system. That is the SISTSM
can be tailored to fit a number of specific requirements.
This is made possible primarily by utilizing a loop free
structure^] within the design. For explanation purposes
consider the operating system to be composed of modules. In
a loop f-ree structure the dependency is inward or downward
(toward the hardware), depending on your point of view. A
module only depends on another module at a lower level.
A- 48
Recuiring a loop free dependency structure allows system
correctness to be established one module at a time.
Modifying a module would only effect the modules above which
depend on it.
The design choice to keep the kernel relatively small
and put the common user services in the supervisor lends
itself to sub-setting. The security kernel would not be
changed in any of the sub-sets ani thus would not require
re-verification. The supervisor supported services (dynamic
linking, discretionary security, demand memory management,
hierarchical file system) could be removed to meet the needs
of the specific use of the system. This makes the sub-sets
of the SYSTEM suitable for tactical application, where there
is generally no need for demand memory management or dynamic
linking (static environment), as well as for general purpose
application where all the features can be utilized. It
should be noted that any of these meaningful sub-sets would
be a secure system since the kernel remains unchanged in
every sub-set. Sub-sets of the kernel can also be
constructed; however, this would require reverif icat ion of
the kernel.
5. Levels Of Abstraction
Abstraction is a way of avoiding complexity and a
tool by which a finite piece of reasoning can cover a myriad
of cases [17]. The purpose of abstracting is not to be vague,
but to create a semantic level in which one can be
A-49
absolutely precise. Levels of abstraction have been
demonstrated to be a powerful design methodology for complex
systems. In general, the use of levels of abstraction leads
to a better design with greater clarity and fewer errors. A
level is defined not only by the abstraction that it
supports (for example, a segmented virtual memory) but also
by the resources employed to realize that abstraction. Lower
levels (closer to the machine) are not aware of the
abstractions or resources of higher levels? higher levels
may apply the resources of lower levels only by appealing to
the functions of the lower levels. This pair of restrictions
reduces the number of interactions among parts of a system
and makes them more explicit.
Each level of abstraction creates a virtual machine
environment. Programs above some level do not need to know
how the virtual machine of that level is implemented. For
example, if a level of abstraction creates sequential
processes and multiplexes one or more hardware processors
among them, then at higher levels the number of physical
processors in the system is not important. 3y the rules of
abstraction calls to a procedure at a different level must
always be made in a downward direction and the corresponding
return in the upward direction. Note that at least two of
the levels (kernel and supervisor) define virtual machines
with rigidly enforced (via hardware) invocation of 'extended
instruction", i.e. the kernel and supervisor calls.
A- 50
3. PROPOSED DESIGN
The SYSTEM is composed of two parts, the supervisor and
the kernel. The supervisor provides operating system
services while the kernel manages physical resources. This
division also contributes to the ability to sub-set without
affecting the kernel. The supervisor, which consists of
procedures, is distributed and exists within the supervisor
domain of each user process. The kernel is male up of both
procedures and system processes. The procedures are part of
the distributed operating system and exist within the kernel
domain of each user process. The system processes are not
distributed but are separate processes-
1 . Notat i on
The following is an explanation of the notation used
in the following discussions. When a CALL is used the name
of the module is given followed by the parameters within
parenthesis. When a name in quotes appears as the first
parameter in the parantheses it is used to specify the entry
within the module. 7or example CALL INNER_TC ( 'UNLOAD '
,
SEGMENT,*, WRITTEN) the module name is INNSR_TC, 'UNLOAD'
specifies the entry point and SEGMENT,* and WRITTEN are the
parameters. When a SIGNAL is used the first name in quotes
specifies the process for whom the signal is intended, the
second name in quotes (optional) specifies the specific
function requested of that process and the remaining names
represent parameters. For example SIGNAL ( 'MEMORY_MANAGER '
A- 51
'OUT', SEGMENTJ*, WRITTEN) the signal is meant for the
memory manager process, 'OUT' is the requested function and
SEGPENT_* and WRITTEN are parameters. WAIT is used when a
process cannot continue execution until it receives a signal
from another process. WAIT( ?E0CESS_ID , MSG). The return
parameters ?R0CESS_ID and MSG are used to indicate the
process that sent the signal and the message sent. It should
he noted that the above notation is only used to simplify
the understanding of what is happening. In an actual
implementation the parameters need not be passed in
precisely this fashion.
2 . System Overview
The following is an overview of the SYSTEM'S modules
and processes and how they function. Figure 2 represents the
modules that exist in the distributed supervisor and the
distributed kernel. The levels are used to indicate the
dependencies that exist between these modules. The
supervisor is made up of four levels of abstraction. It
should be noted that all data within the supervisor is per
process .
The linker, a level 1 module called LINKER, exists
in a segmented virtual memory and provides the mechanisms of
dynamic linking. He is invoked by CALL
LINOR(SYM30LIC_NAME). It should be noted that the call
could be by link fault as in MULTICS [6] . The linker keeps









The linger utilizes the CALL S3AF.CE(SYMB0LIC_NAMS,
SEGtvENT_#) to obtain the segment number for unsnapped links.
The searcher, a level 2 module called SCARCE, is
invoked by SEASCH(SYt*BOLIC_WAME, SEGMENT^*) and is required
to return the segment number of the segment specified by the
symbolic name. By applying- the 'search rules' the symbolic
name is converted to a path name in the hierarchical file
system. The searcher gets the desired segment number by the
CALL SEG_5ND(?ATE_NAME, 5 EG<MENT_* ) .
The segment handler, a level 3 module called
SEG_HND, is invoked by CALL SEG_HND ( ?ATH_NAMS , SEGMENTJ*)
and is responsible for returning the appropriate segment
number. The segment handler utilizes the Segment Table
(figure 4) as its data base. To maintain the data base he
uses the CALL SEG_MGR( 'MAIBJCNOVN* , ?AR_5EG_*, ENTRY_*,
ACCESS, SEGPENT_*, SIZE) to the kernel to obtain a segment
number tor a segment and the CALL DISC_SEC( SEGMENTJ*
,
ENTRY_#, ACCESS) to determine the authorized access
(discretionary). The segment handier is also invoked by the
virtual faults, SEG_HND( 'SEG_EA*JLT' , S3GMENT_#) and
SEG_SND( >SM_?AUL?' r SEGMENTJ*) . The 'SEG_FAULT' is a
discretionary security access check and is handled by a CALL
DISC_SEC(SEGMEMT_£ f ENTRY_#) . The 'MSM_JAULT' is a request
to bring a segment into memory and is handled by a CALL
f*IM_END(SEGMEN?_*, SIZE).
The memory handler and discretionary security, level


































invoiced by HSM_HND(SEGMENT_#- f SIZE) and DISC,SEC( SEGMENT,* ,
ENTRY,*, ACCESS) respectively. The memory handler provides
the dynamic memory management utilizing- the Memory Map data
base (figure 5). The memory handler uses the CALL
SEG_MGR( 'SWA?_IN', SEGMENT,*, BASE,ADDRESS ) in the kernel to
brin* a segment into memory and the CALL SEG_MGR( 'SVAP,0UT '
,
SEGMENT,*) to remove a segment. The discretionary security
checks the access control lists to determine the authorized
access of the process (discretionary).
The distributed kernel is composed of three levels*
The segment manager, a kernel level 1 module called SEG_MGR,
is invoked by the CALL SEG_MGR( 'MAKE_KNOWN', ?AR_SEG,*-,
SNTRT,*, ACCESS, SEGMENT,*), CALL SEG_MG?.( 'SWAP_IN '
,
SEGMENT,*, BASE_ADDRSSS) and CALL SSG,MGR( 'SWAP,0UT'
SEGMENT,*). The segment manager maintains the Known Segment
Table (figure 6) as a per process data base. The segment
manager determines allowable access by the CALL
NON,DISC_SEC(UNIQUE,ID, ACCESS) and assigns segment numbers
by the CALL INNER_TC( 'ASSIGN ' , SEGMENT,*, ACCESS). The
segment manager brings segments into memory by
SIGNAL( 'MEMORY,MANAGER', 'IN', SEGMENT,*, UNIQUE, ID,
5ASE,ADDRESS) and removes segments from memory by
SIGNAL( 'MEMORT,MANAGER', 'OUT', SEGMENT,*).
The non-discretionary security, a kernel level 2
module called NON,DISC_SEC, is responsible for determining
the authorized access for a given segment. Non-discretionary
security is invoked by the CALL NON_DISC,SEC (UNIQUE, ID
A- 56
UNIQUE ID 5EGM3NT_#
KNOWN SEGMENT TAELS (KST) ENTRY
FIGURE 5
PROCESS ID STATE AFFINITY PRIORITY LCC EX STATS VIRTUAL
PROCESSOR #
ACTIVE PROCESS TABLE ENTRY
FIGURE 7











The traffic controller, a kernel level 2 module
called TRAE?IC_CONT, is responsible for multiplexing user
processes to virtual processors. The traffic controller
utilizes the Active Process Table (figure 7) as its data
base. traffic controller is invoked by the CALL
TRAFPIC_CONT( 'BLOCK', MSG, WA£ING_ID) and CALL
TRAF?IC_CONT( 'WAOUP*, ??.0CESS_ID, MSG). The traffic
controller uses the S IGNAL ( 'MEMORY_MANAGER' , 'LOAD',
7IRT_tfEM_MAP) and SIGNAL ( 'MEMORY_MAN4GER ' , 'UNLOAD',
WRIT_3IT_MAP) to load and unload the processes' segments in
memory on the virtual processors. The traffic controller
uses the CALL INNSR_TC( 'L0AD_MMU' f ?RCCESS_ID) AND CALL
INNER_TC( 'UNLOAD_M^CT') to load or unload the memory
management registers of the virtual processors. The traffic
controller uses the CALL INNER_TC ( 'IDLE') to remove a
virtual processor from contention for rescources. Actually
the virtual processor is assigned the lowest priority
available and the idle process is loaded.
The inner traffic controller, a kernel level 3
module called INNER_TC, provides the multiplexing of virtual
processors to real processors. The inner traffic controller
uses the Processor Table (figure 3) as its data base.
The non-distributed kernel consists of two system
processes. The memory manager process maintains the Active
Segment Table (figure 9) and Global Memory Map (figure 10)















SSGMSNT_* UN I QUE _ ID ACCESS A3S ADDRESS






















memory manager process is responsible for putting segments
in local/global memory based on user's access.
The I/O manager process processes all the external
I/O, this includes I/O to and from the user terminals. The
terminals can be thought of as being hard wired. Specific
terminals have specific access classes? therefore no kernel
passwords are required to determine access class.
The next three sections provide a detailed
discussion of the design.
3. Supervisor











The linker exists in a segmented virtual memory
environment. It is only aware of symbolic names and segment
numbers. The choice was made to provide dynamic linking and
not assign segment numbers to segments at compile or load
time,* therefore there is a requirement to resolve external
references at run time. In general it is the linker's job to
A- 60
intervene on a procedure's external references and direct
the reference to the appropriate segment. To accomplish this
the linker utilizes a "linkage segment" (each process has a
linkage segment). The linkage segment contains an entry for
each segment known to the process.
Each external reference results in a call to the
linker with a parameter that on first reference permits
finding the symbolic name of the desired segment.
LINK2R(SYM3CLIC_NAME) The linker searches for
the entry corresponding to the symbolic name. If found it
transfers to the segment number and offset specified in the
linkage segment. If not found (first reference) it must
first determine the segment number and offset. To obtain the
segment number the linker calls the searcher passing as a
parameter the symbolic name. S3A?.CH( SYMBOLIC_NAMS,
3EGtf2NT_*) The parameter returned is the segment number. The
linger completes the entry in the linkage segment and
transfers control to the desired segment,
b. Searcher (Supervisor)
The searcher is aware of the hierarchical file
system and a set of search rules. It is involked by
SEARCH(SYM30LIC_NAMS, SEGMENT^*) . The searcher has the task
of resolving a symbolic name into a path name. The searcher
recieves as a parameter a symbolic name which is processed
and eventually the segment number of the symbolically named
segment is returned. To accomplish this the searcher applies
the 'search rules '[6]. The search rules are a list of path
A-61
names and a simple technique that convert the symbolic name
to a path name (note that this is independent of security).
The searcher utilizes a calling directory and working
directory [6, p. 230], Once the path name is determined the
searcher calls the segment handler passing the path name as
a parameter. S3G_END(PATH_NAtfS, SEGMENT^*) The parameter
returned is the segment number. The searcher returns passing
the segment number as a parameter to the linker,
c. Segment Handier (Supervisor)
The segment handler understands the hierarchical
file system, parent, entry number, access control lists, and
segment numbers. The segment handler deals with virtual
segment faults (access checks) and virtual memory faults. He
is involked by the call SIG_HND(?ATH_NAME, SEGMENT.*) . The
segment handler gets assistance in performing his tasks by
utilizing the following calls: MEM_HND( SEGMENTJ*, SIZE) to
request a segment be put in virtual memory,
DISC_SEC(SEGMENT_#-, SNTRYJ*) a function to determine the
authorized access (discretionary security) to a segment,
S2G_MGR( 'MAKS_INCWN', ?AR_S3G_#, 3NTRY_tf, ACCESS, SEGMENTJ*)
a kernel call used to determine the segment number and size
of the segment indicated by the parent segment number and
entry number.
The segment handler maintains a segment table
with information that is necessary to control segments at
the supervisor level (figure ±) . The segment number is
unique within the process. Parent segment number is the
A- 62
segment number of the parent and entry number is the entry
within the parent for the segment. Access is that access
authorized by the discretionary security policy. Size is the
memory required by the segment. The segment handler is
required to convert path names to segment numbers as well as
to handle virtual segment faults (discretionary security
checks) and virtual memory faults. To accomplish these tasks
the segment handler has three entry points: SEG_HND
,
r*2.M_FAULT and S2^_?AULT.
S2G_HND(?ATH_NAM2, S3GMENTJ*) The segment
handler receives as a parameter the path name of the desired
segment. One -of the design characteristics of the
hierarchical file system is that access to a segment
requires read access to every segment on the path of the
segment. One by one the segments on the path name must be
made known and the access established. To do this a
recursive algorithm can be utilized that will process each
entry within the path name until the path name is resolved.
The segment number assigned to the desired segment is
returned
.
SEG_SND( 'MEM_7AULT', SEGMENTjt) A virtual memory
fault is utilized to support the dynamic memory management
outside the kernel. When a segment that is not in memory is
referenced a virtual memory fault (hardware initiated, the
kernel provides the software interpretation of the fault and
provides a transfer vector to the supervisor) is generated
to the segment handier. The segment handler uses the Segment
A- 63
Table to determine the SEGMENT,* and the SIZE of the
segment. The memory handler is called, MEM_HND( SEGMENTJ*
,
SIZE) .
SEG_HND( 'SSG_?AULT', SEGMENT,*) A virtual
segment fault is used to tell the supervisor that the ACL
for the segment referenced has "been changed since the last
time the segment had "been referenced. The segment handler
must re-establish the discretionary security. This is done
by checking the Segment Table for the parent's segment
number and entry number, calling DISC_SEC ( SEGMENT,*
ENT3T,*, ACCESS), check the new access, update the Segment
Table and return.
d. Memory Handler (Supervisor)
It is the job of the memory handler to provide
the dynamic memory management within a filed size linear
virtual memory. The memory handler utilizes two kernel calls
'SWAP_IN' and 'SWAPJ3UT' to perform his tasks.
SEG,MGR( 'SWA?_IN', SEGMENT,*, BASE_ADDRESS ) is used to
request that a segment be brought into memory.
SEG_MGR( 'SWAPJ3UT', SEGMENT,*) is used to remove a segment
from memory.
The memory handler is tasked by the segment
handler to put a segment into memory and provided with the
SEGMENT,* and SIZE of this segment. The data base utilized
is a Memory Map (figure 5) which indicates free areas and
allocated areas. Each process has a memory map which is used
to keep track of the virtual memory allocated to the
A-64
process .
To provide the demand memory management there
are many suitable algori thms [16, p .155] . First fit, best fit
and worst fit are among the possible choices for allocating
free areas. A least recently used algorithm is generally
used for deallocating memory. The used bit is available to
provide information to the dealocation scheme. The CALL
INN2R_TC('(JSTJJSED_BITS' t US2D_3ITS) returns an array of the
status of all the used bits. The CALL
INN2R_TC( 'SET_tJS2D_3ITS ', US£D_BITS) provides an array of
the desired value of the used bits. This provides the
mechanism for an approximating efficient Least Recently Used
algorithm for dealocation [15] . Allocated areas (figure 5)
are identified by (32ar*2NT_*, 3AS2_ADDRESS , SIZE). When
tasked, the memory handler searches for a free area large
enough for the segment. If there is no free area large
enough, the memory handler must utilize the CALL
5ZG_MOH( 'SVA?_0UT', SEGMENT_#) to establish a large enough
free area. The memory map is updated and the CALL
SEG_MGE( 'SWAP_IN'„ SIGMEMT_* t 3A32_ADDR3S3 ) is generated.
The memory map is updated and the memory handler returns.
e. Discretionary Security (Supervisor)
This module is only aware of access control
lists (figure 11) and how to search one to determine the
access to be given the current process. The input parameter
is the segment number (of the directory) and entry number of
the ACL for the desired segment. The discretionary security
A-65
searches the ACL for the ?ROCESS_ID of the calling process
and thereby determines the access, which is returned.
4. Distributed Kernel
There is a gate mechanism (domain change) through
which all kernel and supervisor calls pass. Checks are made
to determine proper (complete) parameters and the call is
directed to the proper module. The kernel is the
"priviledged mode" and can execute priviledged instructions.
Calls coming from outside the kernel are:


















a- Segment Manager (Kernel)
The segment manager's environment is a segmented
A- 66
physical memory. The segment manager assigns segment numbers
and is responsible for maintaining the status of all
segments known to a process. The segment manager's primary
data base is the Inown Segment Table (1ST) (figure 6). The
unique_ID is a unique, system wide identifier assigned to
each segment. They are assigned from an available list of
integers (can be reused when a segment is deleted). Each
segment also has an alias that is the unique_ID of and the
entry number in its parent. This provides a means of
determining the unique_ID of a segment from the segment
number of and entry number in the parent.
It should be noted that the reason for the alias is
to prevent the unique_IS from leaving the kernel. The alias
chosen is derivable from information known to the
supervisor, because it relates to the hierarchical file
system. This information is per process and not system wide
in nature. Although the hierarchical structure of the file
system can be derived from the kernel's alias data base, the
contention is that the file system in the kernel is a flat
one. This method also eliminates the confinement problem.
The kernel only requires that the access class of a segment,
when created must be at or above the access class of the
process creating1 the segment.
Tne segment manager can be invoiked by several
calls
:




SEG_MGR( 'S»AP_IN', SEGMENT,*, BASS_ADDRSSS
)
SEG_MGR( 'SWAP_OUT\ SEGMENT,*)
The CALL SEG,MGR( 'MAKE_KNOWN ' , ?AR_SEG_*,
ENTRY,*, ACCESS, SEGMENT_*) . The tasic is to assign a segment
number to the segment specified. ?AR,SEG_* and ENTRY,* are
the segment number of the parent directory and the entry
within that directory. The parent segment number is used to
determine the unique_ID of the parent from the 1ST and this
combined with the entry number forms an alias for the
desired segnent. The segment manager searches the KST to
determine if the segment has already been assigned a segment
number (already known). If this is the case the segment
number already assigned is returned. If the segment is not
known then a 1ST entry must be made. The procedure is as
follows: use the ?AR,SEG,* and the SST to determine the
unique_ID of the parent. Combine the unique_ID of the parent
and the entry number to derive the alias of the segment. CTse
the alias to determine the unique_ID of the desired segment
from the alias table (figure 12). CALL
NON,DISC_SEC(tJNIQu*E_ID, ACCESS) to determine the authorized
access. The access granted is the desired access or the
authorized access, whichever is less. Assign a segment
number. Fill in KST entry. CALL INNSR_TC ( 'ALD_SSG
'
,
SEGMENT,*, ACCESS). Return assigned segment number.
The CALL SEG_MGR( 'SET,SEG__TAULT ' , SEGMENTJ*) .
This call is used when the access control list for a segment
A- 68
il: ACL
'CCONNELL'ULL ACCESS), 'RICHARDSON '( ALL ACCESS)





























is changed. The segment manager determines the urique.ID of
the segment specified and does a SIGNAL ( 'MEMORY.MANAGER'
,
'SET.SEG.EAULT', UNIQUE.ID).
The CALL SSG_MGR( 'SWAP.IN ' , SEGMENT.*,
BASE.ADDRESS ) . A request to load the specified segment into
memory at the indicated base address (relative). The segment
manager locates the appropriate KST entry and does a
SIGNAL ( 'MEMORY.MANAGER', 'IN', SEGMENT.*, UNIQUE.ID,
BASE.ADDRESS) and a WAIT ( PRCC2SS_ID , A3S.ADD, BOUND). The
memory manager process loads the segment in memory and
returns the absolute address and bound of the segment. The
segment manager notifies the inner traffic controller of the
update in segment information CALL INNER.TC ( 'LOAD '
,
SEGMENT.*,. A3S.ADD, 30UND). The segment manager returns.
The CALL SEG_MGR( 'SWA?_0UT' , SEGMENT.*). The
segment manager is tasked with removing the segment from
memory. He does a CALL INNER.TC ( 'UNLOAD
'
, SEGMENT.*,
WRITTEN) to obtain the value of the written bit and then to
unload the segment from memory a S IGNAL [ 'MEMORY.MANAGER '
'OUT', SEGMENT.*, WRITTEN), WAIT( 'MEMORY.MAN AGER
' ) and then
returns.
b. Non-Discretionary Security (Kernel)
The purpose of the non-discretionary security is
to enforce the non-discretionary security policy by checking
the access class of the process against the access class of
the desired segment. The access is determined as a result of
this comparison. The non-discretionary security module is
A-IO
invoiced by the CALL NON_DISC_SEC(UNIQUS_ID ) . An algorithm is
used for interpreting the lattice for comparing the access
classes and determining the authorized access. The
non-discretionary security module returns passing the
access .
C. Traffic Controller (Kernel)
The job of the traffic controller is to schedule
and control processes. The traffic controller utilizes an
Active Process Table (system vide) (figure 7) and a Virtual
Processor Table (figure 8) to maintain the necessary
information about each process. Each virtual processor has a
priority (this priority is used by the inner traffic
controller when the virtual processors are multiplexed on
the physical processors). PHOCSSS_ID is a unique identifier
for each process, which can be napped to the user. STATS
refers to the present state of a process (ready, block,
stop, run). AF7INITT is used to specify a binding of a
process to a virtual processor either ^oy virtue of
dissimilar processor characteristics (strong) or the process
has segments in local memory of a processor (weak). PRIORITY
is used to determine a scheduling behavior. L0C_2X_STATE
provides the means for keeping track of the execution state
of the process and is a pointer to a storage area that
contains information about the execution state (figure 13).
The traffic controller schedules the processes
to run on virtual processors. There is a virtual processor
for every loaded process. Each virtual processor has a low
A- 71
priority process (IDL2) so that the processor is never
stopped. The traffic controller provides the BLOCK and
WAKEUP functions as a means of providing inter-process
communication. -
The traffic controller would have a priority
driven scheduling algorithm to determine what process to
schedule. This could he a simple first come first served
algorithm or it could he a complex time sharing algorithm to
dynamically change process priority. The method utilized in
this thesis is that the traffic controller works on the
premise of scheduling the ready process with the highest
priority and the proper affinity whenever a virtual
processor is available.
Whenever a process blocks itself it is in fact a
call to the traffic controller. The traffic controller
changes the state of the process to blocked. The traffic
controller now has the option of reassigning the virtual
processor to another user process or scheduling the idle
process (CALL INN22_TC( 'IDL3') ) . In the latter case there is
no loading or unloading of the process involved and this can
he beneficial to control thrashing. Since there are other
virtual processors competing for the processor the traffic
controller scheduling algorithm will try to leave the
process loaded'. When the process is put back in the run
state it will be in contention for the processor. If another
process is to be assigned to the virtual processor then the
old process must be unloaded. First the status of the
A-72
written bits are determined (CALL INNSR_TC ( 'VRITTEN_3ITS ' ) )
.
The execution state of the old process is unloaded (CALL
INNER_TC( 'UNLOAD_MMU', PROCESSED, LOC_EX_STATE ) ) .
SIGNAK 'MEMORT_MANAGER', 'UNLOAD', WRIT_BIT_MA? ) and
WAIT( 'MEMORY_MANAGER', VIRT_MEM_MA? ) are generated, the
virtual memory map of the process is returned "by the manager
process process. The execution state and the virtual memory
map of the old process are saved. Nov the new process can he
loaded. The virtual memory map of the new process is passed
to the memory manager process, a S IGNAL( 'h"EMORY_MANAGER '
,
'LOAD', VIRT_M2M_*AP) and WAIT ( 'MEMORY ^MANAGER '
,
ABS_ADD_MAP) are generated. A map indicating the absolute
address of the loaded segments is returned by the memory
manager process. The execution state of the new process is
loaded (CALL INNERJTC( 'LOAD ' , LOC_EX_STATE , A3S_ADD_MA? ) ) .
This completes the process of switching user processes on a
virtual processor.
The TRAF7IC_C0NT( "rfAOUP", PROCESSED) is also
a call to the traffic controller. If the process specified
by ?R0CESS_ID is in the blocked state the traffic controller
puts that process in the ready state, he checis the
priorities of the running processes and if there is a lower
priority process in the run state the virtual processor it
is running on is sent a pre-empt interupt CALL
INNSR_TC( '?R3_IMPT_INT', VIRT_?RO_ID) and the traffic
controller returns. The pre-empt interupt forces the
ore-emuted virtual nrocessor to transfer control to the
A-73
traffic controller. The traffic controller puts this process
in the ready state and then schedules the highest priority
process, subject to affinity, as indicated above. If the
idle process was running on the virtual processor and if the
process loaded in that virtual processor is in the ready
state it could be assigned the virtual processor by the CALL
INNER_TC('UNIDLE', VIRJ>R0_ID). This has the effect of
unloading the idle process and loading the process that was
previously loaded. It should be noted that except for the
special case of the idle process, switching processes is
lengthy and, if done too frequently, could lead to thrashing
problems .
The traffic controller can be invoiced by the
calls: 'ST0P_PR0CSSS', 'CREATE_?RGCSSS ' , 'START_?ROCESS '
,
and 'DESTR0Y_?50CESS '.
'CREATE_?ROCESS ', ?ARAMETER_LIST is used to
begin a new process. An entry for the process is made in the
active process table.
'3TOP_?ROCESS ' is used to put a process in the
STOPPED STATE and the process is removed from the active
process table and put in the stopped process table (SPT).
The SPT is similar to the APT but it is referenced
infrequently.
'START_?EOCESS' is used to move a process from
the stopped process table (ST?) to the active process table
and also from the stopped state to the ready state.
'DESTROY_?ROCESS' is used to terminate the life
A-74
of a process. The process is removed from the APT or S?T and
the memory manager process is signaled to disconnect the
process from any connected segments.
d. Inner Traffic Controller (Kernel)
The inner traffic controller multiplexes the
virtual processors with the physical processors [18] . There
is a many to one correspondence from the virtual processors
of the traffic controller to the physical processors. In
addition there are the virtual processors assigned the
system processes. The inner traffic controller uses the data
case shown in figure 14. He is also responsible for the
mapping registers (hardware segment descriptors) which
contain the information shown in figure 15. Sach physical
processor has only specific virtual processors that can be
multiplexed on it. Sach virtual processor has a priority and
a state (running, ready and wait). The inner traffic
controller allows the virtual processor with the highest
priority in the ready state to run on the processor. The
wait pending bit[3,p.30] is used to avoid a race condition
between the signal and wait primitives. The inner traffic
controller is able to swap the virtual processors in and out
of the processors by loading and unloading the appropriate
execution state and mapping registers.
The inner traffic controller provides
inner-process as well as intra-process services. Ee is
invoked by a number of calls requesting information






















to update the mapping registers. To supplement the hardware
fault within the memory management registers the inner
traffic controller maintains a set of software faults for
each segment (segment fault, memory fault). This allows the
inner traffic controller to interpret the hardware fault and
generate an appropriate virtual fault.
INNER_TC('ASSIGU', SEGMENT_#, ACCESS) - a new
segment number has been assigned with the indicated access.
Load the appropriate register with the access, set the fault
hit and the software memory fault.
INNERJECl'LOAD', SEGMENT,*, A3S_ADD, 3CUND) - a
segment has been loaded into memory, load the appropriate
addresses in the mapping register and reset the memory
software fault and fault bit if appropriate.
INN3R_TC( 'UNLOAC', SEGMENTJ*, WRITTEN) - the
segment is being removed from memory, set the memory
software fault and the fault bit and return the value of the
written bit.
INNER_TC( 'VRITTEN_3ITS', BITS) - an array
reflecting the value of the written bits is returned.
INNSR_TC('GET_'JSED_3ITS' t USED_3ITS) - an array
reflecting the value of the used bits is returned.
INNER_TC( 'SET_US3D_3ITS', US3D_3ITS) - an array
is received reflecting the desired value of the used bits.
The inner traffic controller sets the used bits to the
desired values. The hypothesized hardware used bits are also
set by hardware whenever a segment is referenced.
A- 77
INNE?._TC('LOAD_MMU', LOC_EX_STATE, AES_ADD_tfAP)
- a request to load a virtual processor with a new process
and create the memory management unit registers.
INNSR_TC( 'UNLOAD_MMU', LOC_EX_STATE) - a request
to unload a virtual processor and save the execution state
in the indicated location.
INNER_TC('SET_SSG_FAULT', PROCESSED, SEGMENT_#)
- a request to set the software segment fault in the data
case (figure 14)
.
INNER_TC( 'IDLE') - a request to load the idle
process and reduce the priority of the virtual processor to
the lowest possible.
INNER_TC( 'PRE_2MPT_INT', YIRT_?R0_ID) - a
request to generate a virtual pre_empt interupt to the
indicated virtual processor* The inner traffic controller
determines which physical processor the virtual processor is
in and sends an appropriate hardware interrupt to that
processor. If the virtual processor is in the wait state the
interupt is held pending until the virtual processor is put
in the ready state*
INNE2_TC('UNIDLE', 7IRT_P?.0_ID ) - a request to
unload the idle process, reinstate the loaded process and
restore the priority of the virtual processor.
The inner traffic controller is also invoked by
the signal and wait. Signal and wait provide the
synchronization between the system processes and the user
processes. The inner traffic controller utilizes the signal
A- 78
and wait primitives to change the state of the virtual
processors and thereby control the multiplexing of the
virtual processors to the real processors, based on their
priorities .
5 . Non-Distributed Kernel
The non-distributed kernel consists of the system
processes. These processes have the characteristic that they
function asynchronous to each user process. The system
processes, as they are called, can reside in the local
memory of each processor but their shared data bases will
reside in global memory.
a. Memory Manager (System Process)
The memory manager process utilizes the Active
Segment Table (figure 9) as a data base. The portion of the
AST that contains system wide information will reside in
global memory. The portion of the AST that only relates to a
single processor can be distributed and will reside in local
memory.
The memory manager process is responsible for
two basic tasks: requests to brins- segments into memory and
requests to remove segments from memory. Other processes
task him by use of the signal and wait primitives. The
memory manager process has four tasks (entries): IN, OUT,
LOAD, and UNLOAD. The IN and OUT are requests to load and
remove a single segment. The LOAD and UNLOAD are requests to
load and unload a number of segments.
A-79
The task to load a segment requires several
considerations. Is the segment currently active (AST entry)?
If it is, is it presently residing in global memory? If it
is not in global memory does the access of the added process
reauire that it be moved to global memory? How to alert the
processes with copies? The AST provides all the necessary
answers to render the proper decision as to where to load
the segment
.
At this time a better look: at the AST is called
for. It should be noted that every segment that presently
resides in memory is active and its address can be
determined from the AST. The virtual processo-r that it is in
can also be determined as well as the segment number by
which it is known within that virtual processor.
When a segment must be loaded into global memory
(based on user access) there is a need to notify processors
with a copy, of the segment, of the segments relocation.
After the segment has been loaded in global memory, the
memory manager process, tasked to load the segment, can
determine form the AST in which processors the segment is
presently loaded. These processors are sent
SIGNAL ('MSMORT_rtANAGER*, 'MOVE', UNIQUE_ID, ABS_ADD) where
ABS_ADR is the global address of the segment. Each memory
manager process that receives the signaK 'move') will check
his local AST to determine which processes have the segment
loaded and the segment number assigned and then CALL
INNER_TC( 'CHANGS_ADD', ?R0CSSS_ID, SEGFfENTj*, A3S_ADD) for
A- 80
each process that has the segment in local memory. The inner
traffic controller will update the mapping register to
reflect the new absolute address.
- If a user requests access, and another user
already has write access, there is a need to get the current
copy moved to global memory. In this case the memory manager
process attempting- to load the segment must
SIGNAL! 'WEMORTJ1ANAGER', 'MCV2_IT' , UNIQUE_ID) and
WAIT(PROCE5S_ID, MSG). The processor with the current copy
of the segment was determined from the AST. The memory
manager process with the current copy, after receiving the
signal! 'move_i t ') , will relocate the segment in global
memory, CALL INNERJTC ( 'CHANGE_ADD', ?R0CZSS_ID, S2Gf«2NT_*,
ABSJLDD) and SIGNALC 'MEM0RY_MANAG2R' , 'MOVED', UNIQUE_ID,
ABS_ADD). It should be noted that there is some
synchronization required between the memory manager process
and the inner traffic controller to insure the segment had
not been written in during the time it toolc to move it and
change the address.
As segments are loaded and unloaded the AST is
updated appropriately. When a segment is removed from memory
if it has been written in the segment is copied bacic to
secondary storage.
The AST also provides a method of notifying
processes of segment faults. If the memory manager process
(for each processor connected with a loaded connected
process) is notified when the access control list for a
A- 81
segment is changed by SIGNAL
(
'MEM0RT_MANAG2R',
'SET_SEG-_FAULT ', UNI0U5_ID) then every loaded connected
process can be notified by CALL INNER_TC ( 'SST_SEG_FAULT '
,
PR0C3SS_ID, SEGM1!NT_#). For processes that are not loaded,
the traffic controller is similarly called to set the
software segment fault (figure 13). This means that the
software segment fault will have to be set for connected
processes when a segment is removed from the AST.
b. I/O Manager
The T/C manager is responsible for the external
I/O. There could be more than one I/O manager process,
conceivably one for each external device? corresponding
kernel calls must be provided. For example there could be an
I/O manager that handles all the external I/O to and from
the user terminals. It is sufficent, at this point, to say
that the I/O manager exists and handles external I/O.
6. Follow On Work:
It should be re-emphasized that this is a design
and not an implementation. Although the detail is left for
further work, the design proposed forms a substantial basis
upon which an implementation can be realized. The system
process structure is provided for in the design? however,
the system processes have been treated lightly and require
additional work. The user interface (supervisor calls)
presented is by no means an exhaustive list and could use
further extension for additional supervisor services.
A- 82
17. CONCLUSION
The state of the art techniques and design methodology
used to design secure operating system for multiple mini and
mail processors have been found applicable to the multiple
microprocessor environment. The principal conclusion is that
the operating system design in this thesis will make it
possible to more effectively use modern microprocessors than
has been possible in the past.
One question that is addressed concerns the operating
system's ability to scale. Systems now available can support
four or five microprocessors. Increasing that number of
microprocessors quietly brings serious degradation because
of the increased bus contention. The expected scaling factor
is much better for this design. The bus contention has been
significantly reduced - segmentation permits effectively
using local memory instead of global memory.
This design supports a family of operating systems, not
just one designed for a specific application. Sub-sets of
this system can be constructed to provide the desired
functions because the design used a loop free structure.
Included family members range from a core resident tactical
system to a virtual memory time sharing system.
Configuration independence is supported in this design.
One or many physical processors can be added or subtracted
from the system without affecting the workability of the
A-83
system. Similarly memory can be added or subtracted.
Security has been designed into this system. It was not
added on as an afterthought. This design used a security
kernel based upon a mathematical model to insure the
security. A secure multilevel environment is provided by
this system.
Commercial devices will soon be widely available to
implement this operating system. The Zilog Z3000 series,
microprocessor, for example will provide the segmentation
and multiple domains necessary for an effective system. The
present data buses are compatible and when used with this




1. 'Architecture of a New Microprocessor', Computer , v. 12
No 2, p. 10, 'February 1979.
2. Mitre Corporation Report 2934, The Design and Specifi-
cation Of A Security Kernel for the PDP-11/45 .
by w'.L. Schiller, May 1975.
3. Saltzer, J.H., Traffic Control in a Multiplexed Computer
System
.
Ph.D. Thesis, Massachusetts Institute of
Technology, 1966.
4. Lipner, S.3., "A Comment Cn The Confinement Property",
Operating System Review , 7.9, p. 192-195, November
1975.
5. Schroeder, M.D., **A Hardware Architecture for Implement-
ing Protection Rings", Communications of the AC.*) .
v.15 No. 3, p. 157-170, March 1972.
6. Organictc, E.I., The Multics System: An Txamina
t
ion of
Its Structure . MIT Press, 1972.
7. Dijkstra, B.W», "The Structure of the 'THE' Multi-
programming System", Communications of the ACM
.
v.ll, p. 341-346, May 1963.
3. Janson, P.A., "Dynamic Linking And Environment Initial-
ization In A Multi-Domain Process", Operating
System Review , v. 9 No. 5, p. 43-50, November 1975.
9. Schroeder, M.D., Clark, D.D., and Saltzer, J.H., The
^ulti^s kernel Design P^o *ect . paper presented at
ACM Symposium, November 1977.
10. LtCol Schell, R.R., "Computer Security: The Achilles'
Heel of the Electronic Air Force? , Air University
Review , v. XXX No. 2, January 1979.
11. Millen, J.K., "Security Kernel 7alidation In Practice',
Communications of the ACM, v. 19, p. 244-250, May 1975
12. Denning, D.F., 'A Lattice Model Of Secure Information
Flow", Communications of the AC.M . v. 19, o. 236-242,
May 1976.
13. Mitre Corporation Report 2SD-TR-73-27S , v. 2. Secure
Computer Systems: a Mathematical Model, by L.J.
Lapadula and D.3. Bell, November 1973.
V-85
14. Mitre Corporation MTR-2932, A Software 7a Illation
Technique for Certification, Part I: The
Methodology
, by 3ell, D.S. and Burke, E.L.,
November 1974.
15. Honeywell, Multics Processor Manual , d .6-1 , Order
Number AL39-, Rev. 0, April 1976.
16. Madnlck, S.2. and Donovan, J.J., Operating Systems ,
McGraw Hill, 1974.
17. Dijkstra, E.W., 'The Humble Programmer', Commrmi cations
of the ACM , v.15, p. 359-866, October 1972.
13. Reed, D.P., Processor Multiplexing In g Layered
Operating System . Master's Thesis, Massachusetts
Institute of Technology, MIT/LCS/TR-164, 1976.
19. Janson, P. A., Using Type Extension To Organize Virtual
Memory Mechanisms
. Ph.D. Thesis, Massachusetts
Institute of Technology, MIT/LCS/TR-167, 1976.
A-86
NPS52-80-002 APPENDIX B
Aooroved for oublic release; distribution unlimited
SECURITY KERNEL DS5ICJN




Captain, United States Army
3AM t Auburn University, 1972
Submitted in partial fulfillment of the
reouirements for the degree of




Dean of Inf ormat io/iand Policy Sciences
B-l
ABSTRACT
This thesis is a detailed design of a security kernel
for an archival file storage system. Microprocessor
technology is used to address a major part of the problem
of information security in a distributed computer system.
Utilizing multiprogramming techniques for processor
efficiency, segmentation for controlled sharing, and a
loop-free structure for avoiding intermodule dependencies,
the Archival Storage System is designed for implementation
on the Zilog Z8?01 microprocessor with a memory management
unit. The concepts of a process structure and a
distributed kernel are used in providing management of the
shared hardware resources of the system. The security
kernel primitives create a virtual machine environment and





A. BACKGROUND B- 9
3. BASIC CONCEPTS b-10
1. Definition of a Process b-ii
2. Multiple Protection Domains b-12
3. Segmentation b-13
4. Information Security b-14
C. STRUCTURE 0? THE THESIS b-18
DETAILED DESIGN B-22
A. HARDWARE REQUIREMENTS B-22
3. PROPOSED KERNEL DESIGN B-25
1. Notation B~ 25
2. Kernel Overview B-2€
3. Gate Keeper Module b-33
4. Segment Manager Module B~ 3€
a. Known Segment Table B~ 36
b. Creation and Deletion of Segments .b-39
c. Managing the Segmented Address
Space b-45
d. Moving Segments into Memory B-51
5. Traffic Controller Module b-55
a. Active Process Table b-5E
b. Interprocess Communication
Primitives b-59
c. Process Scheduling Algorithm b-63
d. Message Queue Operators b-67
b-3
6. Non-Discretionary Security Module b-69
7. Inner Traffic Controller Module B-73
a. Virtual Processor Table b-74
b. Kernel Interprocess Communication
Primitives b-74
c. Service Functions b-80
8. Memory Manager Module b-81
a. Memory Management Scheme b-82
b. Active Segment Table b-85
c. Aliasing Scheme b-90
d. Storage Allocation B-92
9. Input-Output Manager b-93
III. CONCLUSION AND FOLLOW ON VOHS B-95
APPENDIX A - GATE KEEPER LISTING B-98
APPENDIX 3 - SUCCESS AND ERROR CODES B-102
LIST OF REFERENCES B-104
B-4
LIST 0? FIGURES
1. Process View £-20
2. Hierarchical View 3-27
3. Process States 3-29
4. Program Status Area 3-35
5. Parameter Table b-37
6. Known Segment Table b-40
7. Create Segment Procedure b-42
S. Delete Segment Procedure b-44
9. Make Known Procedure b-46
10. Terminate Procedure b-50
11. Swap In Procedure 3-52
12. Swap Out Procedure b-53
13. Active Process Table 3-56
14. 31oc'rC Procedure 3-60
15. Wake Up Procedure b-62
16. Enter P.eady Queue Procedure b-64
17. Schedule Heady Process Procedure b-65
18. Ready Queue b-66
19. Message Queue b-68
20. Insert Message Procedure b-70
21. Get First Message Procedure b-71
22. Non-Discretionary Security Procedure b-72
23. Virtual Processor Table b-75
24 . MMU Image .b-76
25 . S ignal Procedure b-78
26. Wait Procedure b-79
b-5
27. Memory Allocation Map b-84
28. Global Active Segment Table b-8€
29. Local Active Segment Table b-8€




This research is sponsored in part by Office of Naval
Research Project Number NR 337-005, monitored by Mr. Joel
Trimble.
There are several persons who have aided me greatly in
the preparation of this thesis whom I expressly want to
thanfc. My thesis advisor, Lt. Col. Roger Schell, tutored
me in many long sessions and used many hours of his time
reading my drafts. My mother-in-law, Iva Jewel Tucker,
edited and styled every word I wrote and forced me to
consider the exact meaning of each word.
Finally, and most importantly, I want to than'i my
wife, JoAnn. She assisted me in more ways than I can




This detailed design of a security kernel provides a
basis for implementation of an archival file storage
operating system. The system is intended to store files
for an array of computer hosts at multiple information
security levels. The design presents algorithms and data
structures which can be implemented on microprocessor
hardware available today, to provide economical and secure
storage. Controlled sharing of information and multilevel
security were the key design goals. Multiprogramming is
the technique used to improve efficiency of the system
which is primarily performing input and output operations.
A loop-free structure is used to avoid undesirable
dependency loops [1] . This allows modules to be changed
without introducing changes in other modules.
There are two components of the Archival Storage
System: 1) the Supervisor and 2) the Security Kernel [2].
The Supervisor (the subject of separate research [3])
supports all user services: 1) hierarchical file system,
2) discretionary access controls, and 3) protocols for
communication. The Supervisor operates outside the Kernel
domain on a virtual machine created by the Kernel
primitives. The Supervisor's privilege-restricted domain
has access only to a subset of the machine instructions,
thus needing the Kernel primitives to accomplish tasks
such as input or output.
The Security Kernel described in this thesis manages
B-8
the real resources of the hardware system: 1) memory, 2)
microprocessor, 3) external devices, and 4) input/output
ports. It is also responsible for mediating all
non-discretionary access to information. The Kernel
operates in the most privileged domain of the machine and
therefore has access to all machine instructions.
A. BACKGROUND
Microprocessors have become affordable, prolific, and
powerful computing resources. The result of these
attributes is the use of microprocessors in applications
previously requiring much larger and more expensive
processors. Additionally, new applications which can now
be economically computerized are being seriously explored.
Conversely, software has become more costly.
Microprocessor operating systems and applications programs
continue to be highly specialized, thus failing to
reasonably exploit the potential of the microprocessor.
The specialization of software for microprocessors also
perpetuates problems such as I/C format incompatibilities
which occur when information exchange among processors is
desired.
Information security on microprocessors has been
completely ignored to date, or handled with ad-hoc
attempts at a solution. However, this issue is becoming
increasingly important as the uses of microprocessors
continue to be expanded. 7or example, the Department of
the Navy is investigating the use of microprocessors on
B-9
small ships for automating shipboard administrative
functions [4] . Information security for such functions is
a major requirement which cannot presently he met.
Proposing a solution to the above problems, a
high-level design for a secure operating system for
microprocessor-based systems has been outlined by
O'Connell and fiichardson [5]. The design goals of that
operating system were configuration independence,
distributed processing, multiple protection domains,
multiprocessing, and multiprogramming. 3ecause such a
broad, general operating system is not always required,
the design provided for a family of operating systems. A
family member could use a subset of functions for a
specific application while allowing later extensions. This




The Archival Storage System can be the nucleus of a
secure, distributed multiprocessor system. It provides
"data warehouse' facilities for multiple host computers in
the network. A host may be operating at a single security
level, or simultaneously at several security levels
without affecting the Archival Storage System. Information
storage with multilevel security is provided for each host
connected to a port of the warehouse. Additionally, the
data warehouse is the mechanism for providing controlled
sharing among the hosts. Thus, we can apply microprocessor
B-IO
technology to address a significant part of the larger
multilevel security problem [6] for distributed systems.
A subset of the O'Connell and Richardson design has
been selected as the basis for the detailed design of the
Archival Storage System. (The subset chosen omits the
provisions for multiprocessors, dynamic linking, demand
segmentation, "transient" processes, and a user domain.)
The Supervisor, protocols, and interfaces to the host
computers are presented in a parallel thesis by Paris [3]
while detailed design of the Security Kernel is presented
In this thesis.
There are two components of the Archival Storage
System Security Kernel which reside in the privileged
domain of the machine: l)the distributed kernel and 2) the
kernel processes. ?rom a logical view, some kernel
procedures are distributed among all the Supervisor
processes in the system, with the remaining procedures
forming kernel processes. These kernel processes perform
functions that are asynchronous to the supervisor
processes and are responsible for the shared resources of
the system (processes, processor, memory, input/output).
1 . Definition of a Process
A sequential process can be conceptualized as an
execution point and an address space which is a logical
rather than physical entity. All procedures that are in
the flow (or locus) of control are in the address space.
In a distributed operating system, the locus of execution
B-ll
includes those operating system functions which are
logically part of the user process. The distributed
operating system is divided into procedures which are
called in normal fashion, hut are located in the
privileged domain.
2. Multiple Protection Domains
One requirement for design of a security kernel is
isolation of the kernel procedures to make them
tamperproof. A way this can be achieved is to arrange the
process address space into hardware or software protection
domains. Domains need not be hierarchical, but in this
case they are. Hierarchical domains are commonly called
protection rings [7].
2ach level in the hierarchy is more privileged
than the preceding level. In the Archival Storage System
only two domains are necessary. Other levels must be added
to protect the Supervisor if the design is extended to
include user applications. The distributed lernel resides
in the most privileged domain and may access any segment
within the address space of a process. All systemwide
databases are in the kernel domain. Violation of the
confinement principle described by Lampson [9] and Lipner
[9] would occur if such information could be passed to
other domains.
The Supervisor operates in the outer or least
privileged protection domain where access to segments and
external devices is restricted. Only those databases which
B-12
are "process local" may be accessed. This does not prevent
sharing since different segment numbers and access rights
for each process can be interpreted and enforced by the
kernel. Sach Supervisor process is required to remain at a
specified security level within its domain.
Protection domains may be created by either
hardware or software. Software implementations of
protection domains (as in the early Multics [10] ) are
feasible, but result in a degradation of efficiency. This
performance loss is unacceptable in many applications. In
large processors a hardware ring mechanism is sometimes
used to provide the implementation [7] . This general ring
mechanism is not available in current microprocessors, but
two domain machines are available. When supplemented by
ring-crossing software, this will provide the desired
multiple domains .
3 . Segmentation
A segment is defined as a logical grouping of
information [ill , while segmentation is a technique for
managing segments within an address space. A process's
address space consists of a collection of procedures and
data segments. All address specifications require the
segment specification and the offset within the segment
'.i.e., a two-dimensional address). Segments are therefore
distinctly visible to the user. Unliie pages, segments are
arbitrarily sized and logical units with logical
attributes to describe them.
B-13
Attributes of segments are contained in a
structure called a segment descriptor. The descriptor
associates segments with address in memory, size, and
access allowed. Maintaining all of the descriptors of the
segments of a process in a descriptor list allows the
address space of the process to he easily managed.
Segmentation offers benefits as a memory
management scheme. The key advantage is the ability of
multiple processes to share segments without the
requirement of maintaining multiple copies in memory.
Other favorable characteristics of segmentation are
control of memory waste due to fragmentation, creation of
user virtual memory, dynamic linking of modules, and
enforcement of controlled segment access.
Segmentation eliminates the need to duplicate a
segment when shared. Havinar only one copy saves memory and
eliminates the problem of conflicting data which occurs
when multiple copies are maintained. Even more central to
segmentation is the ability of cooperating processes to
communicate with each other through shared segments.
Inter-process synchronization and communication are
necessary functions in a multiprogramming environment.
4. Information Security
Most users of computer systems are required to
safeguard information from unauthorized access. Examples
abound: government (classified information), corporations
(trade secrets), banking (electronic funds transfer), and
B-14
all users of personal data (privacy act). This reauirement
is not relaxed when microprocessors are used instead of
(or in support of) large computer systems. Dedicating a
device to a specific security level (dedicated mode) [6]
is a method commonly used to meet the security
requirement. This solution is unsatisfactory for any user
with a reauirement to utilize data at more than one access
class .
Another solution to the problem of accessing
information at different security levels is to operate in
the multilevel mode. In this case both users and
information at different security classes exist
simultaneously on the same computer system. Users are not
permitted to access information unless authorized by the
security policy in effect.
In the dedicated mode ail security measures are
external to the computer system (e.g., perimeter fencing,
guards, door locks, etc.). When a multilevel mode
environment is used, controls must be internal as well as
external. Attempts at internal controls have been tried by
adding security measures to existing- systems with
unsatisfactory results. Numerous cases are documented of
penetrations (i.e., unauthorized access) of these systems
[5] . Intuition rather than sound design was the
methodology used in these unsuccessful attempts at
securi ty
.
Internal controls must be designed into a system
B-15
from its conception. The approach to designing these
controls is the security kernel methodology- The first
step using the security kernel methodology is to define
the security requirements. From this definition a
conceptual design is created. The conceptual design is
actually a mathematical model which can he rigorously
proven and provides the oasis for testing (certifying) [2]
all subsequent implementations.
Three things are reauisite before a system can he
secure using the security kernel concept: 1) The kernel
must he isolated or tamperproof. Obviously if a penetrator
can change the kernel software, then the behavior of the
kernel can be modified. 2) The kernel must be invoked on
every attempt to access information. This requirement can
be met by initial software interpretation of access on the
first call to a segment. Thereafter, hardware can enforce
the access criteria. 3) The kernel must be subject to
certification. Proof of the mathematical model must be
followed by thorough testing of the implementation to
insure that each input yields the desired output. Since
hardware and software are involved, both must be tested
before the kernel car. be certified.
As previously stated, the first step in the design
of the secure computer system is to define the security
requirements. A properly designed computer system is then
secure with respect to that definition or policy. A
security policy consists of the external laws, rules, and
B-16
regulations that establish what access is to be permitted.
Two distinct types of security policy eiist: 1)
non-discretionary and 2) discretionary.
Non-discretionary policy involves comparing the
requested (i.e., the information object's) access class
(oac) with the access class of the requestor (i.e., the
subject) (sac) to insure that they are compatible. 7or
example, in the Department of Defense security policy a
secret cleared individual (subject) may have access to
documents (objects) which are classified as secret,
confidential, or unclassified.
The relationships between different access classes
can be represented by a lattice structure [12] . This
lattice structure is totally ordered if all classes are
related. #hen the classes are either related or disjoint
the lattice is partially ordered. The lattice structure
interprets the authorized access based on the
relationships between two labels. The lattice structure
abstraction is important because it seems to represent
most practical security policies. 3y changing the
interpretation of labels in the non-discretionary security
module, a different policy can be implemented so that, for
example, Privacy Act requirements are as enforceable as
Department of Defense security policies.
The following interpretation defines the access
permitted in a computer system (where "%" is defined to
mean unrelated) in terms of subject access class (sac) and
B-17
object access class (oac):
sac = oac, read/write permitted
sac > oac, read permitted (read down)
sac < oac, write permitted (write up)
sac % oac, no access
DOD security policy is represented by a partially ordered
lattice since security classifications are composed of a
classification level and a category (e.g., secret,
cryptographic or confidential, nuclear).
Discretionary controls provide a refinement of the
non-discretionary access. A common example of
discretionary controls involves checking an access control
list before allowing an access. This allows authorized
subjects ; users) to specify who may use that segment
within the confines of the non-discretionary policy. The
DOD "need-to-know" rule is an example of discretionary
policy. In the Archival Storage System non-discretionary
policy is enforced by the Supervisor, based on both the
host and the user.
C. STRUCTURE C? THE THESIS
This thesis presents the detailed design of a portion
of the security kernel for an archival file storage
facility (distributed kernel procedures and memory manager
process). Levels of abstraction are used to reduce the
complexity of the hierarchical Archival Storage System.
Level 2 contains the Supervisor and operates in the
virtual environment created by the lernel. The Supervisor
B-18
does not control the hardware of the system hut applies
the hardware resources only by appealing to the functions
of the Kernel. Calls to procedures at different levels may
only he made in a downward direction and corresponding
returns only in an upward direction (i.e., the Kernel may
not call upon the Supervisor tc accomplish any task). This
restriction, rigidly enforced at all levels of atstraction
in the design, reduces the number and type of interactions
of the system.
Figure 1 shews the process structure of the system
with the distributed and non-distributed kernel. The
asynchronous Memory Manager and I/O Manager are kernel
processes. The remaining kernel procedures are distributed
in all the supervisor processes.
In the next chapter the details of the design are
presented. Although this is not an implementation, the
Zilog ZS001 Microprocessor [13] with the ZS010 MMU Memory
Management Unit is used as the hardware base for this
research. Choices made during the design process were
often influenced by the hardware features available. The
ZS020 family of devices is not mandatory for implementing
the Archival Storage System. Cther microprocessors exist
which are capable of supporting a secure system.
Algorithms and data structures are presented in tne
high level language PLZ/ST5 [14] . PLZ/SY5 is a
Pascal-like, block-structured language. Designed by Zilog,




Figure 1. Process View
B-20
PLZ/ASM [15] is used where .machine level instructions for
direct hardware manipulation are required. These two
languages for the Z8000 are used "because of the capability
of linking modules of either language to the other.
Additionally, PLZ/ASM has the same high level data
structures and structured control mechanisms present in
PLZ/STS.
The conclusions reached during this research are
presented in the last chapter. Topics for further research
and implementation are identified, including those in the
area of secure systems. With this multilevel data-store, a
secure distributed microprocessor system can he
implemented using communications lines to interface






Theoretically any processor hardware is usable for
secure computer systems. However, in practice certain
hardware features are essential for efficiency. In
addition, complexity of the software portion of the
security kernel is highly dependent upon the capabilities
of the hardware. Because simplification of the kernel
results in an easier proof of correctness, it is
worthwhile to use additional hardware to achieve security.
One essential hardware feature is a segmentation
mechanism. Segmentation allows the use of one uniform type
of information object, the segment. Kernel software which
deals with logical objects is then simplified. Paging
hardware without segmentation does not provide a correct
structure for objects, since pages are physical objects
with physical attributes. For example, an access right is
a logical attribute. Applying an access right to a
physical object fas is the case for ISM 370 protection
"locks" [11]) obscures the purpose of the attribute, is
out of context, and adds complexity to the supporting
mechanism.
A segment address consists of a segment name and an
offset within the segment. This logical address must be
transformed into an absolute address before it can be
used. While software is capable of making this
transformation, hardware can perform the mapping more
B-22
efficiently and simultaneously check access while doing
the mapping.
Multiple execution domains are also considered
essential in hardware. This feature is used in current
computer systems to protect the operating system from
applications programs, hut until recently this feature has
not been available in microprocessor hardware. In the
initial Archival Storage System implementation only two
domains are necessary since applications programs do not
exist inside the boundaries of the system. Protecting the
Kernel from the Supervisor is the only domain protection
required. If user utilities are added to the design, then
another domain will he necessary to protect the Supervisor
from user tampering.
With the introduction of Zilog's Z3000, the above
hardware features are available in the microprocessor
category. The design of the Archival Storage System is
targeted toward a hardware system based upon the Z8001
segmented microprocessor [16] and the ZS010 MMU Memory
Management Unit [1?"!. The ZS001 is a 16-bit two-domain
microprocessor which produces a 23-bit segmented address.
The ZS010 MMU maps the 22-bit logical address into a
24-bit absolute address and allows the capability of
addressing up to 128 segments of 64K bytes each in the
two-dimensional memory space.
In addition to the address mapping hardware, the MMU
also provides memory access protection. Segment access may
B-23
be set to write (read implied), read, or execute only.
When an unauthorized access is attempted, the MMU prevents
the access, then sends a trap (or fault) signal to the
microprocessor. A trap is an internal interrupt which is
synchronous rather than asynchronous to the cycling of the
processor and must be resolved by the processor before
processing can continue.
The microprocessor also supports two protection
domains. The MMU provides the implementation of two
hardware rings by checking for system or user status on
each access to a segment. The bit in the MMU which
specifies system or normal mode, thus specifies which
segments are accessible in just the Kernel ring and which
segments are also accessible in the Supervisor ring. Thus
a process must cross into the Kernel ring to access the
Kernel primitives. If more than two rings are rea.uired, an
additional MMU (up to eight total) may be employed per
ring.
The hardware also supports resource control by
limiting the use of certain machine instructions. In the
system mode all machine instructions can be executed. When
in user mode, the hardware will not allow the use of
input/output instructions, certain machine control
instructions, or special input/output instructions (used
to load and control the MMU). Thus the Kernel can control
the microprocessor, the main memory (through the MMU), and
all external devices.
B-24
Hardware features other than those described above are
indicated from a performance standpoint. For instance, a
direct memory access (DMA) device could make memory to
memory, memory to port, or port to memory transfers faster
than similar transfers under direct CPU control. This
would allow the CPU to continue with other tasks while the
DMA is processing the data transfers. Protection of memory
can still "be realized by routing the DMA through the MMU.
The DMA would have to be "smart" enough to handle an
access violation trap or the Kernel would have to
guarantee, by MMU set-up, that the DMA would not violate
the security policy. This type of hardware is not crucial
to the design at this level, and the decision on its use
is left to the implementor.
The MMU does lack a descriptor base register
capability [10]. Process switches without this facility
require at least selective unloading and loading of the
descriptor registers in the MMU, and a process switch
would take roughly two (2) milliseconds to accomplish in
this manner. It is evident that process switching may lead
to thrashing problems if done too often. There are ways
the implementor might avoid this problem (e.g., dedicating
an MMU to each process, then switching MMUs rather than
leading/unloading a single MMU).
3. PROPOSED S25MEL DESIGN
1. Notation
Notation is important in making algorithms
B-25
understandable. It should not, however, require more
thought to understand the notation than the central
concept. Since this thesis presents a detailed design, a
notation as close as possible to an actual language which
can compile to ZS000 machine code was desired. PLZ
languages are used as a notation to illustrate the data
structures and procedures. However, the code as shown in
the figures cannot be directly implemented. Among other
changes, procedure order has been rearranged to make
explanation of the modules more logical. This change would
violate a PLZ/STS implementation rule that procedures must
be declared before they can be invoked.
The details of the actual PLZ/STS language
implementation may be different from that assumed in this
thesis. In particular, the specific method of parameter
passing between PLZ/ASM and PLZ/STS is unknown at this
time. The implementor should carefully investigate how
passing of parameters in the actual language
implementation affects the interfaces between modules.
Because of the terminology used in the Z3000
Microprocessor specifications, the Supervisor may be
referred to as operating in the normal or user mode. If
the term system mode is used, it refers to the Kernel
domain of execution.
2 . Kernel Overview
The distributed Kernel modules exist on three




























Figure 2. Hierarchical View
B-27
of abstraction [191 . At level 1 or the innermost level is
the InnerJTraff ic_Controller . Its primary task: is the
control of virtual processors and the multiplexing of
virtual processors onto the real processor. The
Inner_Traff ic_Controller uses the Virtual Processor Table
as a management tool for this multiplexing of virtual
processors .
At level 2 is the Traf
f
ic_Controller . The
Traff ic_Controller creates the sequential process
abstraction [17] . A process can be in one of two states:
1) blocked or 2) unblocked. ¥hen blocked, it must wait for
the occurrence of some event. Since the process cannot
proceed until that event occurs, the virtual processor is
freed and then allocated to another process. When
unblocked a process is either ready or running. In the
ready state, the process can run when a virtual processor
is assigned to it. The readv state can be entered from
either the running or blocked state (figure 3).
The Non_Discretionary_Securi ty Module is also on
level 2. This module is charged with interpretation of the
security policy in effect. It compares the two labels
which are passed to it and determines the relationship of
the labels based on a lattice structure known to the
module. This relationship is then used by the kernel to
determine authorized access to objects (segments or
parts). It is emphasized that the Kernel makes decisions














Figure 3. Process States
B-29
and not on the labels themselves. The
Non_Discretionary_Security Module is the only module in
the Kernel which makes any interpretation of security
labels. This allows most of the practical security
policies to be implemented simply by changing the
Mon_Discret ionary_Security Module.
At level 3 is the Segrent_Manager . Using the MMU
mapping to real memory provided by the hardware, the
Segment_Manager creates a segmented virtual memory for the
process. 3ecause of the limitations of the hardware (lack
of a paging mechanism), segments are not dynamically
allocated real memory. The size of a requested segment is
fixed (or determined) at the time it is created and may
not change. The Supervisor has several options in order to
handle the problem of growing segment size: 1) Allocate
the maximum size to every segment which is wasteful of
memory, 2) copy the segment into a larger segment whenever
the size changes which is wasteful of processor cycles, 3)
create a "super-segment" as a collection of segments, or
4) some combination of the above. 3y requiring the
Supervisor to handle this problem, the initial Kernel
implementation is simpler.
The whole segment must be swapped into main memory
in order to be used. The MMU supports segments ranging in
size from 256 bytes to 64S bytes in multiples of 256
bytes. Additionally, the hardware forces another
constraint on the design. Without paging, two allocation
B-30
schemes are available to the designer: 1) a demand
segmentation memory management scheme (load the segment in
response to a fault) or 2) a partitioned allocation
scheme. In this design a partitioned allocation scheme is
used to make the Kernel less complex. Part of the burden
of memory management is then forced on the Supervisor. The
Supervisor of each process is given a fixed amount of
linear "virtual core*. Linear 'virtual core" is
distinguished from the two-dimensional virtual memory
created by the segmentation. The Supervisor, by requests
to the Kernel, may fill virtual core with segments as it
chooses. The Supervisor of each process must manage its
own virtual core and fit any segments it uses within the
boundaries of this virtual core. The partitioned
allocation portion of the memory management scheme is
supported by the Memory_Manager process of the
non-distributed Kernel.
The non-distributed portion of the Kernel resides
in two kernel processes: 1) Memory_Manager and 2)
I/0_Manager. These two processes are responsible for
actions which are not logically part of the supervisor
processes because they can function asynchronously to the
processes. The Memory_Manager moves segments within the
physical memory space of the system. These transfers may
be nain memory to main memory, mam memory to secondary
storage, or secondary storage to main memory. Main memory
to main memory moves are made because of a design decision
B-31
to restrict sharing of the sane copy of a segment unless
at least one of the sharing processes has write permission
to the segment. Whenever two processes share a segment and
neither has write access, two copies of the segment will
exist—one in each virtual processor local memory. This
trade-off results in less complexity in the kernel and
when the design is expanded to a multiprocessor
implementation, bus contention is minimized [51 . The
problems associated with the existence of multiple copies
in memory are not present since the segment is not
writeable.
Whenever a segment is to be shared and is
writeable, then the segment must be moved to the real
processor global memory. Movement of the segment is easily
accomplished by updating the appropriate MMUs to reflect
the new location of the segment. This concept of a process
local and global memory is analogous to processor local
and global memories in multiprocessor systems. In those
systems, each real processor owns a local memory, while
the system controls the global memory used by all
processors for shared information.
The I/0_Manager is responsible for routing
segments across the system boundary, viz., moving data
between external ports of the system and main memory. The
I/0_Manager does not try to interpret the data, but simply
provides a transfer service. All the ports have specific
security classifications and are hard-wired. This allows
B-32
the I/C_Manager to function without requiring labels or
other security mechanisms to determine access class.
Having all Hosts at a fixed security level is a design
choice for the Archival Storage System. Hosts can be at
multiple levels if the design is modified to accept
"trusted" labels. In the present design the Host computer
is required to be at the level of the port and to handle
data consistent with the security policy in effect.
Since the hardware does not completely support the
ring structure, software (Gate_Keeper ) is needed for the
ring-crossing mechanism and thus isolation of the Kernel.
All calls to the distributed Kernel and interprocess
communication with the non-distributed Kernel from the
Supervisor must pass through the Gate_Keeper. The function
of the Gate_Keeper is to provide the sole entry point or
gate into the Kernel ring, validate the call and
arguments, and transfer the call to the appropriate kernel
rrodule. If a call is made incorrectly the Gate_Keeper sets
a return message to an error code, and returns without
further action. The Gatekeeper is the ring-crossing
mechanism of the Archival Storage System.
3. Gate Keeper Module
The Gate_Keeper Module (shown in Appendix A rather
than as a figure because of its length) consists of
procedures and primary data structures and is the sole
entry point into the Kernel from the Supervisor. The
Gate_Keeper Module is written in PLZ/ASM since it is a
B-33
trap handler. (The user registers must be saved when the
handler is invoked which requires access to the hardware.)
When the Supervisor wishes to invoke the Kernel it must
put the argument list and space for any return message in
a segment with read/write access in the Supervisor ring.
When the system call is made, the pointer to the arguments
is required to he in a double register. The system call
instruction is then executed, with the function-code .for
the requested Kernel procedure as a parameter within the
instruction. This causes the machine to save the program
counter, flags and control word, and the instruction
itself on the system (kernel) stack. An unconditional jump
(hardware initiated) is then made to the Program Status
Area (a vector table) (figure 4) where the machine state
for the system call instruction is fetched. The Program
Status Area is established at system generation and
consists of "frames" which contain the machine state and
location of the interrupt and trap handlers. The processor
then begins execution in the Kernel ring.
The Gate_Keeper first saves the user processor
registers and retrieves the pointer to the argument list.
If the argument list is located in a read/write segment of
the calling (Supervisor) ring, a copy of the argument list
is put onto the system stack. However, if the area
indicated by the calling ring is not in the read/write
address space of the process, the Gate_Keeper will not




























Figure 4 Program Status Area
B-35
The (Jate_Keeper restores the user environment and makes a
normal return.
The Gate_Keeper uses a table (figure 5) to check:
the range of the function code. If the Gate_Ieeper now
discovers an error during the validation process, it sets
the return message to an error code, copies the argument
list hack to the user area, and returns in the usual way.
If the call is valid, the Gate_Ieeper calls the
appropriate module (e.g., Segment_Manager ) at the
requested entry point into the module.
When the module has completed the requested task
it returns to the Sate_£eeper. The return message is then
copied to the user's return argument, and a return to the
user ring- occurs. All entries into and exits from the
Kernel are through the Gate_Keeper.
Parameter passing- to and from the Kernel is hy
value only. Since implementation details of how ?LZ
modules pass parameters are unknown, the decision on the
precise mechanism for argument passing is left for the
inplementor. It may he best to align the method of
parameter passing as closely as possible to the method
used by the PLZ/SIS language.
4. Segment Manager Module
The Segment_Manager is responsible for managing
the segmented physical memory and uses the
Inown_Segment_Table (KT) as its primary database. In























Figure 5. Parameter Table
B-37
Segment_Manager is the 011I7 module at level 3 of the
Kernel, only calls external to the Kernel domain may be
made to the Segment__Manager . There are six entries into







a. Known Segment Table
The data structure used by the Segment_Manager
to manage segments is the Known Segment Table (EST). The
KST is a "process local" data structure and contains an
entry for each segment which the process has declared an
intention to use (viz-, "made-known"). The segments may or
may not be located in main memory. If a segment has an
entry in the KST, then the segment is described as known
to the process. In this design it will also have an entry
in the Active Segment Table (AST—a Memory_Manager
database explained later) and can be described as active.
The KST (figure 5) is indexed by the segment numbers
(Segment_#) which are assigned by the Segment_Manager . The
Segment_# also corresponds to the MMU descriptor register
for the segment. The ASTI_* is the Active Segment Table
entry number and is obtained from the Pemo ry_Manager . The
AST2 # is the "handle" which is oassed to the
B-38
Memory_Manager when necessary to identify a particular
active segment. The Size field is an integer which is the
size of the segment in bytes divided by 256. All segments
are created in multiples of 256 bytes because of MMU
constraints. An upper bound ( Max_Segment_5 ize) is placed
on the segment Size by the design (explained later). A
flag known as In_Core is used to indicate whether the
segment is in main memory or on secondary storage.
The last field in the 1ST entry is the access
class of the segment. This is a label which indicates the
security classification of the segment. Interpretation of
the Class to determine an access mode (read or read/write)
is performed by the software (by a call to
Non_Discretionary_Security ) on first reference? thereafter
the access mode is enforced by the MMU.
Figure 6 shows both the logical view and the
?LZ variable declaration for the 1ST. Max_IST_Size is
hardware dependent and is equal to the maximum number of
segments which can be -napped by the MMU. To access an
element of the database the following notation is used:
KST [Segment,*]. A5TE_*
If Segment,* is equal to 103 then the above statement will
reference the AST!_* field of the KST entry for segment
number 103.
b. Creation and Deletion of Segments
Create_Segment and Delet=_Segment are two of









Known Segment Table Logical View
Type





Internal ! Internal to the Segnert (Manager !
KST Array [Max_KST_Size KST_Entry]
Known Segment Table Database Definition
Figure 5. Known Segment Table
B-40
Create_Segment (figure 7) is the function which adds a new
segment to the Archival Storage System after validating
the parameters which are passed. The creation of a segment
is accomplished by requesting the Memory_Manager process
to make an entry in the Alias Table and to allocate
storage on secondary media.
The Alias Table is a database which is
maintained by the Memory_Manager . It is a result of the
aliasing scheme used by the lemel to prevent passing
systemwide information (such as the unique identification
of a segment) out of the lernel [20]. The alias of a
segment is the segment number of a "mentor" segment (a
process local variable) and the entry number in the
Alias_Table. The principal implication of the aliasing
scheme is that a mentor segment must be inown before a
segment can be created. The Alias Table will be further
explained in a succeeding section.
The arguments which must be passed to
Create_Segment are the iMentcr_Segment_- , the desired
2ntry_* (in the Alias_Table ) , the Class of the segment (a
label), and the desired Size of the segment. The KST is
searched to insure that the Mentor segment is inown. Mext,
Non_Discretionary_Security nust be called to determine if
the segment is compatible [2]. (To be compatible, a mentor
segment classification must be less than or equal to the
created segment.) The compatibility chec£ can be performed
in the Sea:ment_Manager or the ^emory^Manager . In addition
3-41







If £ST[Mentor_Segment_#] .ASTE_# = Null
Then Success Code := Mentor Seg Not Found
Exit
Fi
If Non Disc Security(?rocess_Class
,
£ST [Mentor_Segment_#] .Class) <> Equal
Then Success Code := Not Allowed
Exit
Fi
Compat_Checlr := Non_Disc_Security( Class
,
KST[Mentor_Segment_#] .Class)
If Com?at_ChecJr - Less_Than
Orif Compat_Checlc = Not_Related
Then Success_Code := Not Compatible
Exit
Fi
If Size > Max_Segment_Size










Figure 7. Create_Segment Procedure
B-42
to the compatibility check, a check must be made to
determine if the process access class is equal to the
access class of the Alias_Table since adding an entry
implies write permission to the Alias_Table. A check is
then made on the Size parameter to insure that it is in
the range of 256 bytes to 321 bytes. The maximum size of a
segment is determined by the size of the design of the
secondary storage page table and the hardware constrains
the segment to multiples of 256.
If an error is discovered during any of the
preceding checks, then an appropriate error code is
returned (e.g., ?arent_Segment_Mot_?ound) . If there are no
errors, the Segment_Manager Signals the tfemory_^anager
with a request to make an entry in the Aiias_Table. The
Segment_Manager must Wait for a success code from the
Memoryj^anager sir.ce the 5ntry_* can only be checked for a
duplication by the Memory_Manager . When the Memory_Manager
Signals the Se«?ment_Manager that the task has been
completed, the Segment_Macager returns the 5uccess_Code to
the process. Mote that the segment has only been created
and if the Supervisor now wishes to reference the segment
it must first request the seg-nent be entered into the KST
(tfake_Known )
.
Delete_Segment (figure S) accomplishes the
reverse of Create_Segment , that is the removal of a
directory entry. The two input parameters for
Delete_Segment are Mentcr_Segment_* and 2ntry_*. Again,
B-43





If KST[Mentor_Segment_#] .ASTS_# = Null





KST[Mentor_Segment_#] .Class) = Equal
Then Signal (Memory Manager .Delete Entry,
1ST [Mentor_Segment_#] 7aSTI_#, 2ntry_#)
Success_Code := Wait




Figure 8. Delete_Segent Procedure
B-44
the mentor segment must be known before the
Segment_m"anager can honor the request. Since the mentor
segment must be known, compatibility was checked when the
segment was created. The process access class must also be
equal to the access class of the mentor segment since
deleting an entry implies write permission. When all
security checks have been made, the 3egment_Manager
Signals the Memory_Manager to delete the entry from the
Alias_Table. The Segment_Manager Waits for the
Memory_Manager to complete the task and it returns the
Success_Code from the Memory_Manager to the Supervisor
process. The Wait is necessary because an error occurs if
the Mentor_Sesrment is not empty prior to the deletion.
c. Managing the Segmented Address Space
A process must declare an intention to use a
segment before it can reference the segment. This
declaration introduces the segment into the address space
of the process. The way the Supervisor declares its
intention to use a segment is to ask that a Segment_# be
assigned. This results in an entry in the
£nown_Segment_Table. Make_Known is the entry point into
the Segment_Manager to accomplish an entry in the £ST.
A call to Make_Inown (figure 9) requires three
parameters: 1) Mentcr_Segment_* , 2) 3ntry_**, and 3)
Access_Mode_Desired. Segment_# is the value which the
Segment_Manager returns to the Supervisor process and is
the index to the KST entry and to the segment descriptor
B-45











Get Seg #: Do
If 1ST [Mentor Segment_#] .ASTS# = Null
Then Success_Code := Mentor_Not_Inovn
Exit From Get_SegJ*
Else Signal (Memory Manager .Activate
,
KST [Mentor_Segment_#] . ASTE_# ,Sntry_*)
ASTS_#, Class, Size, Success_Code~:= Vait"
If Success Code * Segment Found
Then Index":-
Search: Do
If KST [Index] .ASTE_# = ASTS_#




Exit From Get Seg #
Fi
Index * 1









If KST [Index] .ASTE # = Null
Then If Non_Disc_Security( Process_Class
,
Class! = Less_Than
Orlf Non Disc Security(Process Class,
Class) ~ Not_Related







Else Access Mode_Allowed :- Read
Pi
?i
If Access_Mode_Allowed <> Null
Then Segment #"": = Index
KSTTSegment #] .ASTE # :- ASTE #
KST [Segment**] .Class := Class"
KST[Segment~#] . AccessJIode :-
Access Mode Allowed
KST [Segment_#] .Size :=~5ize





Success~Code := Not Allowed
Fi
Exit From Find Entry
Fi
Index +» 1
If Index > Max_Number_Of_Segments
Then Segment_#~:= No_Segments_Avail






Figure 9. Maie_Known Procedure (Continued)
B-47
in the MMU hardware. Different processes using the same
segment will not have the same Segment_# for the segment,
since each process has its own KST. Three parameters are
returned from tfake_Known: 1) the assigned Segment_#, 2)
the Access_Mode_Allowed which may he less than
Access_Mode_Requested, and 3) a Success_Code. If the
Success_Code indicates an error the first two parameters
are Null.
Make_Known first Signals the Memory_Manager
and Waits for the ASTE_* of the segment. If more than two
rings were implemented, ring brackets would also be
reauired from the Memory_Manager [10] . A search of the KST
then will reveal if the segment is already known. If it is
known, the assigned Segment^* the Access_ttode_Allowed
(unchanged), and a Success_Code of Already_Known are
returned. Access_ fiode_Allowed cannot he changed for
segments in the address space. If there is no entry in the
KST, an entry is made by filling in the columns of the KST
at the first available Segment_#.
Non_Discretionary_Security is called to interpret the
security labels of the subject and the object. Access to
the segment is then granted with the access allowed equal
to the less privileged of Access_Mode_Desired or
Max_Access_Allowable
. If write access is requested but
security allows only read, read is the access granted. A
call must also be made to the Inner_Traf
f
ic_Controller to
add the segment descriptor to the hardware descriptor list
B-48
(MMTJ) and the software image of the descriptor list.
If the maximum number of segments is exceeded
Make_Known will return No_Segment_Available. The process
then has the option of terminating any other segment to
make room for the required segment. (Mote that the maximum
number of segments allowed by the hardware could be
exceeded without using- all of the linear "virtual core"
allocation or conversely.) Terminate is the entry point in
the Segment_tfanager to remove a segment from the 1ST.
Terminate (figure 13) is responsible for
removing the segment from the address space and reflects
this by removing the entry from the K3T. The only argument
which must be passed is the Segment^* to be terminated.
The return argument is a Success_Code . There are four
errors which can be found by the Segment_manager : 1) a
segment which is not known, 2) attempting to terminate a
segment still loaded in the process virtual core, 3)
attempting to terminate a Kernel segment, and 4) passing
an invalid Segment^* (too large). The Memory_Manager is
Signaled to Deactivate the segment (remove the AST entry)
and a Wait occurs until the Deactivate is completed. Note
that the Wait is to insure that a race condition between
the Kemory_Manager and Supervisor process [11] does not
occur. The 1ST entry is deleted by setting the AST_* of
the KST entry to null, calling the
Inner_Traf
f
ic_Controller to delete the segment from the
descriptor segment and returning.
B-49




If KST [Segmental .AST3_# = Null
Then Success Code := Segment Mot Known
Silt
Fi
If KST[Segment_#] ,In_Core = Tes
Then Success Code := Segment In Core
Sxit
Fi
If Segment_# <= Number_Kernel_Segments
Then Success Code := Kernel Segment
Sxit
Fi
If Segment^* > Max_Segment_#
Then Success Code 7= Invalid_Segment #
Exit
Fi
Signal(Memor7_Manager,Deactivate t KST [Segmental ,AST3_#)
Success Code 7= Wait
KST[Segment *] .ASTS # : Null
Inner TC (Delete Seg, Segment #)
Od
2nd Terminate
Figure 10. Terminate Procedure
3-50
d. Moving Segments into Memory
Sva?_In (figure 11) and Swap_0ut (figure 12)
are the two procedures in the Segment_Manager which move
segments between main memory and secondary storage.
(Secondary storage is used as a generic term in this
thesis to indicate all memory of a computer system other
than main or core memory. It includes "tertiary" or lower
order memory.) To move a segment from secondary storage to
main memory, a process must call Swap_In with the
Segment_# and 3ase_Address as arguments. 3ase_Address is
the location in the linear virtual core of the process
where the segment is to begin. This is a virtual core
address and does not correspond to a real address in
memory? in fact, memory cannot be addressed at all except
by addressing a segment. The Segment_Manager indexes to
the segment in the KST to retrieve the necessary
attributes for moving the segment. If the segment is not
found, Segment_Not_?ound is returned. After obtaining the
attributes of the segment, the Segment_Manager Signals the
Memory_Manager to do the transfer. A Wait is then executed
until the Memory_Manager can send the Absolute_Address in
real memory to the Segment_Manager . This information is
passed to the Inner_Traf
f
ic_Controller to update the
absolute address in the hardware and software descriptor
lists. This procedure only works because of the design
choice not to unload a process from a virtual processor.
If processes are unloaded the Memory_Manager would have to
B-51
Swap_In Procedure (Segment_# Integer
3ase_Address Word)
Returns ( Success_Code Integer)
Entry
If KST[Segment_#] .ASTE_# = Null
Then Success Code := Seg Not Found
Exit
Fi
Signal (Memory Manager , In, Segment_#,
EST [Segmental . ASTE_#,Base_Address ,
KST[Segment_i] >Access jMode
)~
Absolute_Address , Sue cess _C ode"": = Wait
If Success_Code * Svapped_In
Then Inner TC (Load, Segment #, Absolute Address,
1ST [Segment^*]". Size)
KST[Segment_#] .In Core :- Tes
Fi
End Swap_In
Figure 11. Svap_In Procedure
B-52
Svap__Out Procedure (Segment_# Integer)
Returns ( Success_Code Integer)
Entry
If KST[Segment_#l .AST3J_# = Null
Then Success_Code := Seg_Not_Found
Sxit
5 1
Written := Inner_TC (Unload, Segment.*)




Figure 12. Swap_0ut Procedure
B-53
call the Inner_Traff ic_Controller. The parameter returned
to the process indicates if the segment swap-in was
successful.
The move in the other direction—main memory
to secondary storage—is performed by Swap_0ut. The only
input argument is the Segment_# and Success_Code is the
only return argument. After validation of the Segment_#,
the Segment_Manager calls the InnerJTraf
f
ic_Controller to
obtain the status of the hardware changed bit. This is in
turn passed by Signal to the Memory^Manager to make the
change. Success_Code is set to Swap_0ut and the
Segment_Manager returns. If more than one processor is
used in the system, race conditions should be investigated
in this procedure of allowing the Segment_Manager rather
than the ^emory_Manager to call the
Inner_Traf f ic_C on
t
roller.
To this point the usual order for invoicing the
Segment_Manager functions has not been specified. There is
a usual sequence of events. In order: Create_Segment to
make an Alias_Table entry, Make_Known to introduce the
segment into the address space, and Swap_In to move the
segment into the process's virtual core are the steps
necessary before a process can make a reference to a
segment. Conversely, 5wap_0ut, Terminate, and
Delete_3egment is the order to move a segment from main
memory to secondary storage, remove the entry from the KST
and descriptor from the MP.O*, and remove the segment from
B-54
the address space. If the functions are called in any
other order, the usual result is an error condition and no






The Traffic-controller is responsible for
multiplexing processes onto virtual processors. A virtual
processor is an abstraction which describes a logical
processor. There are multiple virtual processors which
exist on a single physical processor. The
Traf
f
ic_Controller is also the Kernel module which
supports the interprocess communication primitives, Block
and Vake_'Jp. In the Archival Storage System, 31oc£ and
Wake_Up are the last two of the six user entries into the
lernel. There are four other procedures in the
Traff ic_Controiler which implement the scheduling
algorithm and provide message queue services for Block and
WakeJJp.
a. Active Process Table
The database of the Traf
f
ic_Controller is the
Active Process Table (APT) (figure 13). This is a
fixed-size table in the Sernel because of the decision not
to create or destroy processes. When the Archival Storage
System goes through system generation, each process will
be created and an entry made in the APT. The process will
then be active for the life of the system. Sach active













Figure 13. Active Process Table
B-56
is also the index to the APT. Note that if processes were
created and destroyed, then allowing Process_IDs to leave
the Kernel could create a communication path. In that case
the Process_ID should he "'virtualized" . The State field of
the APT indicates whether a process is blocked, ready, or
running.
An explanation of the interprocess
communication primitives is necessary here. Block and
Wake_0*p [19] are the interprocess communication primitives
used hy cooperating processes in the Supervisor domain.
Invocation of the primitives is actually a call to the
Traff ic_Controller and causes the Traf
f
ic_Controller to
execute the scheduling algorithm. A process calls Wake_tfp
when it has a message or task for another process. Wake_Up
will set the state of a blocked process to ready. If the
process is ready or running it will have no effect on the
status of the process. When a process cannot continue
execution until a reply to a Wake_Up is received, the
process must block itself. Block will set the process
status to blocked.
Within the Kernel Signal and Wait are the
primitives used for communication. They function in the
same manner as Block and Wake_up, but are calls to the
Inner_Traff ic_Controller instead of the
Traff ic_Controller . Signal and Wait are bounded in time
which indicates that they are guaranteed to return. Block
and Wake Up are not bounded since no claims can be made
B-57
about correctness of calls from outside the Kernel. It Is
possible for a user process to call Block erroneously and
never be heard from again.
The Wake-Up Waiting Switch is Saltzer's [19]
mechanism for synchronization' of interprocess
communication primitives. Without the switch a race
condition can occur. For example, the following sequence
of events could happen because processes can run
simul taneously:
1) Process A looks in its work queue
and finds it empty.
2) Process 3 puts a task in A's work queue.
3) B wakes up A.
4) A blocks itself.
At step 3, A was running, so the wake-up sent by B was
ignored. When A called block, a task is in the work queue,
but A missed the wake-up signal, so the task remains
uncompleted. In particular, if A was expecting some event
necessary for A to continue, A may never wake-up.
The Wake-Up Waiting Switch prevents the
occurrence of such a situation by requiring the following
sequence of actions:
Process 3:
1) Process 3 puts task in Process A's
work queue.
2) Wake-up A and turn wake-up waiting
switch on.
Process A:
1) Reset the wake-up waiting switch to off.
2) Look in the work queue and find it empty
3) Call Block, which returns if wake-up
waiting switch is on.
Now, the above sequences can occur in any time
relationship and the wake-up signal will have the desired
effect
.
The Traffic-controller uses the priority field
for determining what process to schedule to run on the
virtual processor. The Reauired_?irtual_?rocessor field is
used to hind a loaded process to a specific virtual
processor. Only two processes run on a virtual
processor— the loaded process and the "idle" process. This
is a direct result of the simplifying design choice (to
have all processes loaded) made for the Archival Storage
System. In general, processes must he loaded and unloaded.
The Idle process is put into the running state whenever
the loaded process clocks itself.
b. Interprocess Communication Primitives
Because the Archival Storage System does not
allow creation or destruction of processes except at
system generation, the only external entry points into the
Traf
f
ic_Controller are Block and Wake_"Jp. As previously
explained, Block and ¥ake_Up are the primitives used by
Supervisor processes for interprocess communication.







If APT [Process, ID] .VakeupJfaiting_Switch =
Then APT [Process ID] .Wakeup Waiting Switch
Else APT [?rocess~IDJ .State 1- Blocked
Sched_Read7 Process
?i




Figure 14. Block Procedure
B-60
cannot continue until the occurrence of some other event.
After going through the Sate_Keeper, the call enters the
Traffic_Controller. The Wake_Op_Waiting_Switch is
immediately checked. If the switch is on, the switch is
reset to off, and the first message in the Message_Cueue
for the process is retrieved. The Traf
f
ic_Controller then
returns through the Gate_Keeper.
If the Wake_0*p_Waiting_Switch was off then the
state of the process is set to Blocked.
Sched_Ready_Process is called to schedule the highest
priority ready process on the virtual processor. In the
Archival Storage System this is a trivial task, because
the only other process which is loaded on the virtual
processor is the idle process. The idle process can never
block itself, so it must always be either running or




ic_Controller could have been
collapsed into the I nner_Traf f ic_C oatrolier for this
design, but preservation of generality was a design goal.
Later extensions will be easier to implement since the
basic structure of the Traf fic_Controller is present.
The counterpart of Block is Wake_Up. Wake_'Jp
(figure 15) is used by processes in the Supervisor domain
to pass messages to other processes in the Supervisor
domain. Upon entry into Wake_Up, the message is placed in
the Message Queue of the awakened process. The
B-61






Success_Code := Insert_Message ( Wakeup_?rocess_ID Message)
If Success_Code - Queue_Overf low
Orif Succels Code = Not Allowed
Then Exit
Else APT [Wakeup_?rocess_ID] .Wakeup_Waiting_Switch := On
If APT [Wakeup_Process_IDl .State = 31ocked
Then APT [Wakeup_Process_ID] .State := Ready
Enter_Ready~Queue (Wakeup Process ID)
Fi






Figure 15. Wake-up Procedure
B-S2
Wake_Up_Waiting_Switch of the process to be awakened is
then set to On. Then if the process state is blocked it is
put into the ReadyJ5ueue and the State is set to ready.
Regardless of the state of the awakened process, the
waking process then puts itself into a Ready State and
Enters the Ready_Queue itself. This is necessary because
the process to be awakened may have a higher priority than
the waking process. Ivery time either Slock or 'Vake_Up is
called the scheduling algorithm is executed
(Sched_Ready_?rocess )
.
c. Process Scheduling Algorithm
inter_Ready_Queue (figure 16) and
Sched_Ready_?rocess (figure 17) are two internal functions
of the Traf
f
ic_Controller. 2n ter_Ready_Cueue is used for
placing a ready process into a first-in, first-out queue
which is organized by priority (figure IS). The
Ready^Queue is designed as a two-dimensional array indexed
by Priority and a top and bottom pointer. The algorithms
for all queue operations are taken from Knuth [21]. When a
Process_ID is to be added to the queue the bottom pointer
for the appropriate priority queue is incremented by one.
If the bottom pointer is at the bottom of the linear array
which implements the queue then it is set to the first
location of the array, thus wrapping around. The physical
length of each queue column is equal to the total number
of processes which can be entered into that queue at any
point in time so that the queue cannot overflow. The
B-63
Enter_Ready_Queue Procedure (Process_ID Integer)
Entry
If Ready_Queue_Bottom [APT [?rocess_ID] .Priority] *
Max_Queue_ Length
Then Ready_Queue_Bottom [APT [Process_ID] .Priority] :=
Else Ready Queue~Bottom [APT [Process ID] .Priori ty] «•» 1
Fi
Peady_Queue[A?T [Process_ID] .Priority, Ready_Queue_Bottom]
:- Proceis_ID
End Enter_Ready_Queue






If Ready_Queue Top [Priority] =
Ready~Queue~3ottom [Priority]
Then Priority -- 1
If Priority < Min Priority
Then Exit Prom Scan
Else Repeat From Scan
Fi
Else If Ready_Queue_Top [Priority] = Max_Queue_Length
Then Ready_Queue_Top [Priority] :=
Else Ready~Queue~Too[Priority] +- 1
Pi
Run: If APT [Ready_?rocess_ID] .Reqd_7irt_?rocessor
= ?rocessor_ID
















Figure 18. Ready Queue
B-66
?rocess_ID is placed into the array at the location
pointed to by the bottom pointer. The queue is always
entered at the logical bottom and removal takes place from
the logical top.
The procedure which removes the processes from
the top of the queue is Sched_Ready_?rocess. The function
of Sched_Ready_?rocess is to "pass" (as a baton in a relay
race) the current virtual processor to the highest
priority, ready process which can run on this specific
virtual processor. Starting with the ttax_?riority queue,
each queue is scanned until the first ready process that
can run on the virtual processor currently executing in
the Traf
f
ic_Controller is encountered. Each oueue is
tested in turn to determine if it is empty. If the queue
is empty, then the next lower priority queue is scanned.
The existence of an Idle process for each virtual
processor guarantees that a ready process is always found,
so the Traf
f
ic_Controller cannot exit without scheduling a
process. When a ready process is found, then the process
State is set to running (scheduled) and the
Inner_Traff ic_Controller is called to Swap_MMU. This
generally will load the process descriptor segments into
the Virtual_Processor_MMU, but in the design of the
Archival Storage System the MMU of the Idle process is
identical to the MMU of the loaded process.
d. Message Cueue Operators














Process ID Process ID
BOTTOM
Figure 19. Message Queue And Pointers
B-68
two-dimensional array of message "frames". It is indexed
in one dimension by the ?rocess_ID and in the other
dimension by a top and bottom pointer. Insert_Message
(figure 20) is the primitive used by WaseJJp to put a
message into another process' message queue. The design
only allows communication between processes of equal
security class since a Success_Code is returned to the
waking process. Get_?irst_Message (figure 21) is the
primitive used by Block to retrieve messages from the
message queue. If the queue is empty, the message
"Queue_2mpty" is returned.
6. Non-Discretionary Security Module
The key to implementing a particular
non-discretionary security policy is in one module. Ey
representing the policy as a partially ordered lattice, an
interpretation algorithm can be written to make a
comparison between two labels and return a relationship.
The relationship can be equal, less than, greater than, or
not related.
The Non_Discretionary_Security Module shown in
figure 22 will determine the relationship of three
categories of classification (Secret, Confidential,
Unclassified). As shown there are no checks for
compartments (e.g., crypto, nuclear, etc.). If a complete
DOD security policy interpretation is desired, the module
can be expanded. Since some DOD specifications require
provisions for eight categories and sixteen compartments,
B-69





If Non_Disc_Security ( APT[?rocess_ID] .Class
,




Then If Message_Queue~Top [Message_Queue_ID]
Then Success_Code := Queue_Overflow
Else Message_Queue 3ottom [Message Queue_ID] :-
Message~Queue [Message_Queue_Td
,
Mes s age_Queue_Bot torn [Message_Queue_ID]
]
:= Message, Process_ID
Success Code := Inserted
Ft
Else If Message_Queue_Bottom[Message_Queue_ID] + 1
Message_Queue_Top[Missage~Queue_ID]
Then Success_Code :- Queue_Overf low
Else Message~Queue Bottom [Message Queue_ID] += 1
Message~Queue"[Message_Queue_Il3
Message_Queue_3ottom [Message_Queue_ID]
:= Message, Process ID~
Success Code := Inserted
Fi
?i
Else Success Code := Not Allowed
Fi
End Insert__Message
Figure 20. Insert_Message Procedure
B-70









e If Message_Queue_Top [Message_Queue_ID] =
Max_Queue_Lingth
Then Message Queue Top [Message Queue ID] :=
1
Pi
Else Message Queue Top [Message Queue ID] +=
Fi




Figure 21. Get_First_Message Procedure
B-71



















Case Unclassified Then Relationship := Equal
Case Confidential, Secret Then Relationship
:= Less_Than




Case Unclassified Then Relationship := Greater_Than
Case Confidential Then Relationship := Equal
Case Secret Then Relationship := LessJThan
Else Relationship := Not_Related
Secret Then
Class,
Case Unclassified, Confidential Then
Relationship := Great er_Than
Case Secret Then Relationship := Equal





Relationship :- Not Related
End Non_Disc_Security
Figure 22. Non_Disc_Security Procedure
B-72
a longword was chosen as the data type for representing
the labels. The 32 hits of a longword are more than
sufficient to represent all possible combinations of
categories and compartments.
Similarly, Privacy Act requirements are easily
implemented in Non_Discretionary_5ecuri ty since they can
be represented by a lattice structure. Most other
practical non-discretionary security policies can be
implemented as well.
7. Inner Traffic Controller Module
The Inner_Traff ic_Controller provides the
multiplexing of virtual processors to the real processor
of the system. Zach loaded process will be allocated to a
virtual processor, implying that there is a many to one
correspondence. In order to manage these virtual
processors, the Inner^Traf
f
ic_Controller has direct access
to the machine hardware. The Memory Management Unit and
processor state are loaded and unloaded by the
Inner_Traff ic_Controller, thus accomplishing the
multiplexing to the physical processor.
In addition to managing ths virtual
processors, the Inner_Traff ic_Controller furnishes
inter-process services. Signal and Wait are used by
processes in the kernel ring to communicate with other
lernel rin^ processes and are primitives of the
Inner_Traff ic_Controller.
The main database used to handle the
Inner_Traff ic_Controller functions is the
7irtual_?rocessor_Table . additionally, a software image of
each MMU is maintained for every loaded process.
a. Virtual Processor Table
The Virtuai_Processor_Table (figure 23) is
indexed by the Virtual_Processor-ID. Each virtual
processor can be in one of three states: 1) Running, 2)
Heady, or 3) Waiting. These three states are analogous to
the state of a process and are used for processor
scheduling in the same manner as the Traffic-controller
used the state of a process for scheduling processes.
After the State field is the Signal_?ending_Switch which
functions precisely as the Waice_Up_Wai tiag_Swi ten for
preventing a race condition from occurring with the
interprocess communication primitives. Priority is the
next field which is also analogous to the APT priority.
Loc_Processor_S tate is a pointer to the area
in memory where the MMU software image is maintained as
well as the "save bloc*" for the machine state of the
virtual processor when it is ready or waiting. Figure 24
is an example of the format of the MMU image.
b. Kernel Interprocess Communication Primitives
Signal and Wait function in the same manner as
31oc£ and Walce-Up. The chief distinction between the pairs
is the degree of trust placed on the correctness of use.
Since Signal and Wait are Kernel primitives which are used

































Figure 24. MMU Image
B-76
can be guaranteed to return. The same trust cannot be
placed on the calls to Block and Wake_Up by processes in
the Supervisor ring. The loop free structure implies that
the Kernel neither knows nor cares what happens in the
outer domain (or domains, if present). let, the Kernel
must not allow the security state of the machine to change
except in accordance with the rules of the mathematical
model. Block is restricted to communication among
processes at the same level. The Kernel must call upon
processes operating at different security levels to
accomplish its task: and thus needs a different primitive
since systemwide information is being passed.
With one exception, Signal (figure 25) and
Wait (figure 25) function in the same manner as Waiee_Gp
and Block: do in the Traf f ic_Controller . Since the data
structures in the Inner_Traf
f
ic_Controller function with
virtual processors, the S ignaled_?rocess_ID or ?rocess_ID
(input parameters) must be translated into a
Signaled_?rocessor_ID or Processor_ID . A one-dimensional
table is maintained for this purpose. Because the
Inner_Traf
f
ic_Controller must complete its task before it
returns to the calling procedure and is synchronous to the
progress of the process, the table translation of process
to virtual processor works. The Idle processes will never
try to Signal or Wait and will never cause the scheduling
algorithm to be executed.
It is oossible for the Idle process to be
B-77





Signaled_Processor_ID : = Map(Process_ID)
Success_Code :- Insert_Message( Signaled_Processor_ID Messaa
If Success_Code = Queue_Overflov
Orif Success_Code Not~Alloved
Then Exit
Else VPT [Signaled Processor ID] .Signal Pending Switch := C
If VPT [Signaled Processor ID] .State Waiting
Then VPT [Signaled_Processor_ID] .State := Ready
Enter Ready Queue (Signaled_?rocessor_ID)
Ti












Processor ID := Ma?(Process ID)
If VPT [Processor ID] .Signal Pending Switch = On
Then VPT [?rocessor_ID] .Signal_?ending Switch := Off
Slse VPT [?rocessor"lDl .State 7= Waiting
Sched Ready_?rocessor
?i
Signal_Message :- Set _First_Sig_Mess (Sig_Queue[?rocessor_ID] )
End Wait
Pigure 26. Wait Procedure
B-79
scheduled on each virtual processor in the storage system.
'When that occurs the real processor will come to a
standstill, executing a Halt instruction. At first glance
this would seem to be an error condition, hut in reality
it is not. Since the Archival System is driven by external
events this may at times be a normal state. When a request
is made from a Host, the interrupt handler (an I/0_Manager
entry) will Signal (via the InnerJTraf
f
ic_Controller ) the
appropriate process and cause the scheduling algorithm to
be executed.
c. Service Functions
All of the functions of the
Inner_Traff ic_Controller are called from the Kernel ring.
Add_Seg, Delete_Seg, Load, and Unload are service calls to
support the Segment_Manager . These are hardware dependent
functions and the details of their design will be
influenced by the specific characteristics of the MMO and
CPU hardware. Add_Seg makes an entry into an MMU hardware
descriptor and also the MMU software image. This call is
made from Make_Inown and will only set up the descriptor.
Since the segment has not been Swapped_In at this point,
the address fields of the descriptor will be null and the
attribute field of the descriptor will be set to inhibit
the CPU from making access.
Delete_Seg is called from terminate and is
required to remove an entry from the MMU and the software
image. Load will place the absolute location of the
B-80
segment base address into the MMU and change the
attributes to allow the CPU access. Unload removes the
segment base address, inhibits CPU access again and also
retrieves the changed bit from the attribute field. This
changed bit is set when a segment is written and is used
by the Memory_Manager to decide if the segment can be
overwritten or if it must be written back to secondary
storage. A variant of Load and Unload is needed by the
Memory_Manager when doing a local to global move.
Swap_MMU is called from the Traf
f
ic_Controller
and is a result of the scheduling algorithm being
executed. In the general case a process swap would occur
on the virtual processor as a result of this call. In the
Archival Storage System, there are only two processes
which are allowed to run on a virtual processor: 1) the
loaded process or 2) the Idle process. An MMU swap will
still occur conceptually when the idle process is loaded
because it has an MMU image just as any other process.
Actually the idle process's MMU image is exactly the same
as the loaded process, so a physical swap does not take
place.
Other service calls will be made to the
Inner_Traff ic_Controller from the Memory_Manager and
I/C_Manager but are not detailed here. Software faults, as
discussed in O'Connell and Richardson [5], are not needed
in this design.
S. Memory Manager Module
B-81
The Memory_Manager is a non-distributed Kernel
process and is responsible for managing the real memory
resources of the system. The real memory of the system is
both main memory (random access) and secondary storage
(non-random access). The Memory_Manager could be part of
the distributed Kernel in the Archival Storage System
since it is designed for a single microprocessor? however,
the process abstraction is used to maintain the "family
member" character of the design.
a. Memory Management Scheme
The two main tasks of the Memory_Manager are
to bring segments into memory (In) or remove segments from
memory (Out). Partitioned allocation is the scheme
employed to manage the memory resource. Sach loaded
process is given a partition of linear contiguous real
core and is required to manage (via calls to Swap_In and
Swap_0ut ) the partition (its linear virtual core) in any
way it chooses. The Memory_Manager checks each 'In'
request against the process's allocation to insure that
the allocation is not exceeded and to insure that
previously allocated memory is not overlayed.
When a shared segment is not writeable (i.e.,
write permission has not been given to any process), the
design allows multiple copies (one per process) of the
segment to exist. This frees the Memory_Manager from the
task of moving the segment to "processor global' memory,
requesting that all MMU images be updated, and reserves
B-82
global memory for segments which are shared and writeable.
Furthermore, the space that can he saved by having one
copy would not be usable by the processes which are
sharing the segment, since each process's Supervisor would
still have the segment in its virtual core.
If a segment is to be shared and is writeable,
then the tfemory_Manager must move it to global memory [5]
.
This insures that all users are sharing the same
information. Again, the actual location of the segment is
invisible to the sharing processes. More memory is
allocated to the segment than it actually uses: viz., one
copy per sharing 'process. However, the alternative to
using memory is a complex algorithm for dynamically
reconfiguring the mapping of each partition whenever a
shared segment is relocated in memory. The tradeoff of
memory size for complexity is indicated in this
application. Segments are placed in memory within the
appropriate partition at the location specified by the
Supervisor call to 3wap_In. A simple bit map icnown as the
Memory_Allocation_Map (figure 27) is used to indicate
which parts of memory are available for use. Each bit of
the map corresponds to a 256-byte page of memory. The term
page is not used here in the classical sense, but is used
to indicate a block: of physical memory. Segments cannot be
divided into pages scattered through core, but must be
allocated to contiguous memory locations.












Jigure 27. Memory Allocation Map
B-84
the Active_Segment_Table. It provides the Memory_Manager
with the information necessary for managing all segments
in the system which are active.
b. Active Segment Table
There are two sections of the
Active_Segment_Table (AST). That portion of the AST which
contains systemwide information is known as the
Global_Active_5egment_Table (G_AST). Every active segment
in the system will have an entry in the G_AST. The
Memory_Manager also maintains a portion of the AST per
physical processor as the Local_Active_Segment_Table
(L_AST). Only those segments active within the 'physical
processor will he in the L_AST.
When a segment is *Made_£nown" it becomes
active and will have an entry in the G_AST (figure 29) and
in the appropriate LJLST (figure 29). The concatenation of
the segment's Uniaue_ID and the index to the segment's
entry in the G_AST form the AST3_* which is the "handle**
passed by the ^emory_Manager for identifying a specific
active segment. When the tfemory_Manager uses the "handle"
to enter the G_AST, it uses the 2ntry_# of the ASTS_#
portion as the index. In the general case (e.g., demand
activation/deactivat ion) , the Unique_ID of the "handle" is
then compared with the Unique_ID found in the G_AST entry.
If the identification check results in a mismatch, the
G_AST must be searched using the Unique_ID as a key to

































Figure 29. Local Active Segment Table
B-86
because it is possible that a segment's entry could be
moved in the G_AST before all processes could be notified
of the new AST5_#. If this occurred and a check was not
made, an unauthorized access could then take place. If the
match- is successful when first checked, the proper entry
has been found. In this design all known segments for all
processes are active so this problem cannot occur.
Since the G_AST is a systemwide resource a
lock must be used on the G_AST to prevent a race condition
from occurring [11]. The mechanism used in the design is a
locked/unlocked flag. Synchronization on the lock is
inherent in the functioning of the ttemory_Manager 's
Signal_Message_Queue . Note that this mechanism will not
work if the design is extended to include more than one
processor in the system sharing the single S_A3T.
The Global JLddress field is used only if the
segment is located in global memory. If it is null the
address can be found in the L_AST. The Connected_?rocesses
field is a bit map signifying which processes currently
have the segment active.
The Written flag is used to retain a written
bit when a process Swaps_0ut a segment which is shared and
writeable. For example: Processes A and 3 are sharing a
segment and Process A has write permission. A has written
in the segment and now wants to deactivate the segment.
Process 3 is still using the segment. When A requests the
Deactivate, the Written bit is passed to the
B-87
Memory_Manager . But since B continues to use the segment,
the Memory_Manager will only reset Process A's flag in the
Connected_Process field. The Written hit is then logically
ORed with the G_AST_Writ ten_Flag. When B then Deactivates
the segment, the Written hit it passes indicates that a
write has not taken place. An error would have occurred if
the Written hit from Process A had not heen saved since
the Memory_Manager does not write an unmodified segment
hack to secondary storage.
The Writeable flag is set whenever any process
has write access to the segment. This is the key flag for
deciding (at the time activation is requested) if the
segment must he placed in glohal memory. It cannot
conveniently he used to provide an alternative to the
scenario presented above for Written. Consider that
Processes A, 3, and C all have writeable shared access. If
A Deactivates after writing, the Memory_Mana<*er could
write back to secondary storage at that time, (assuming
the proper synchronization was used to prevent 3 or C from
writing while the transfer took place). Then when 3 or C
Deactivated after writing, another write to secondary
storage would take place. Thus at least one unnecessary
action took place.
The Alias_Table_AST:S_# will be null unless the
segment is a mentor segment. Whenever a mentor segment is
made active its AliasJTable segment is made active at the
same time and will be assigned an AST2_*. (The AliasJTable
B-88
is a Memory_Manager object. The Alias-Table is actually
implemented as a collection of segments.)
In the general case with. demand
activation/deactivation, the #_Entries_Active is a field
which is used for Alias_Table entries only. An Alias_Table
segment must remain active as long as any of its entries
are active, although it need not remain in main memory.
The #_Entries_Active is a counter which is incremented any
time an Alias_Table Entry is activated and decremented
when an Alias_Table Entry is deactivated. Thus the
AliasJTable frame can be deactivated only when the
Connected_Processor map of the mentor segment and the
#_Entries_Active both become zero or null. (Note that the
Connected Processor Map of the Alias_Table segment will
always show only the physical processors whose
Memory_Manager has the Alias_Table in its address space.)
In this design all known segments are active so these
explicit checks upon deactivation are not required.
The remaining field of the G_AST is the
?age_Table_Address . The ?age_Table_Address is the location
in secondary storage of the page table. The page table in
turn provides the location of the segment.
The L_AST portion of the AST is maintained per
physical processor and should not be confused with a
distributed data structure since the L_AST is a
Memory_Manager data structure and not part of the
distributed Kernel. It is searched by Virtual_Processor_ID
B-89
and segment Unique_ID. The remaining four fields are
Access, Absolute_Address , Size, and Segment_#. The Access
is the read or read/write access of the segment available
for use in moving between local and global memory. The
Absolute_Address is- the location of the segment in main
memory. If Absolute_Address is null, the segment is on
secondary storage and has not been moved to main memory,
c. Aliasing Scheme
The Memory_Manager also provides the aliasing
service for the system. Each segment which exists in the
Archival Storage System has a Unique_ID. This Unique_ID is
an integer which uniauely identifies each segment. It is
chosen from a large list of integers. Since the data type
is a longword, the list contains more than four billion
unique integers. To prevent a communication path from
existing when a segment identification must be passed out
of the Kernel, an alias is provided which srirtualizes the
Unique_ID. When a process wishes to create a new segment,
it must pass the Kernel a Mentor_Segment_# and a desired
2ntry_#. The mentor segment can be any segment the
Supervisor wishes, but an entry for the mentor must be in
the Known_Segment_Table of the process. The
Segment_Manager then looks up the ASTE_# of the segment
and Signals the Memory..Manager with the ASTE_# and
Entry_#. The Memory_Manager maintains a flat file system
known as the Alias_Table (figure 30) which is systemwide.














Figure 30. Alias Table
B-91
the Alias_Table. When the Memory_Manager receives a Signal
which requires use of the AliasJTable, the Memory_Manager
brings the appropriate Alias_Table segment into memory.
The Sntry__# is then used as an index into the Alias_Table
where the Memory_Manager can determine the Unique_ID and
physical attributes of the indexed segment. A segment
exists for each entry in the AliasJTable.
The attributes found in the Alias_Table are
the segment Size, the location of its secondary storage
Page_Table, the segment Access_Class, and the secondary
storage page table of its Alias_Table segment if it is a
mentor segment. AliasJTable storage is allocated when the
first reauest for an Alias_Table entry is made, and is
deallocated whenever the segment is empty. The
Memory_Manager will not honor a request to delete a
segment if it has an Alias_Table segment. If this deletion
were allowed, storage space would be lost forever since
the AliasJTable segment of the mentor segment and any
segments referred to by that AliasJTable segment would not
be recovered.
d. Storage Allocation
The Memory_Manager is responsible for
controlling storage media as well as main memory. The
storage hardware for this design is anticipated to be a
type cf hard disk using the Winchester technology.
However, the design may be initially implemented on an
eight-inch "floppy"* disk drive using the IBM standard,
B-92
single density format. Using this standard, a single disk
has 77 tracks of 26 sectors each available for storage.
Sach sector stores 123 bytes of information.
Since the Z8000 hardware allows segment sizes
in multiples of 256 bytes, it is convenient to establish a
"page" size as 256 bytes. Using this scheme, a ^age can
then be stored in two sectors of the disk. A page then
becomes convenient as the size of a page table. The page
table is used to record the location of each page of the
segment on the disk. If the location of each page is
stored in unpacked form, a total of 128 page locations can
be stored in a page. Mote, however, that this scheme uses
only 11 of the 16 bits which can contain information (7
bits for the track index, and 4 for the sector index), and
can easily be reduced to 10 bits since every other sector
is not explicitly indexed. This means that 1024 pages can
be addressed by one page of a ?age_Table and is adequate
to store the maximum size segment (256 pages) allowed by
the Z3000 hardware.
k free page bit map is needed in order to
record which pa^es on the disk are available and which are
allocated. This will also reouire one page on the disk.
This scheme allows the disk space to be allocated to
segments from the "free list" and does not require complex
compaction algorithms. If other forms of storage media are
used they can be easily adapted to this scheme.
9. Input_Output Manager Module
3-93
The I/C_Manager is the non-dis tribute! Kernel
process which is concerned with moving information across
the boundaries of the Archival Storage System. It manages
the input and output ports of the system as a resource in
much the same way' as the Memory_Manager handled the memory
resource. The I/0_Manager would use an Attach_Table to
virtualize the system ports. While the I/0_Manager is a
process in the general case, it can be designed and
implemented as a distributed Kernel function.
B-94
HI
. CONCLUSION AND FOLLOW ON WORK
The detailed design of the Security Kernel for a data
warehouse has been presented. This design is suitable for
implementation on a Zilog Z3000 microprocessor-based
system. A minimal subset of a family of secure operating
systems has been demonstrated to exist and can be
implemented on microprocessor hardware which is available
today. This design also shows the feasibility of an
Archival Storage System that can be the nucleus of a
distributed, multi-microprocessor computer system by
providing archival storage with multilevel security.
The design illustrates the utility of modern software
engineering techniques. A loop-free structure was
maintained as a design goal, preserving the ability to
modify a module without introducing change in any other
module. An explicit process structure simplifies the
design for asynchronous functions. Functionality of this
family member can be extended by including additional
primitives from the larger set of primitives described by
O'Connell and Richardson [51.
Security of information was a primary goal throughout
the design process. A. mathematical model was used as a
foundation for the Kernel to insure properly designed
security. A multilevel security capability is included for
the storage system. Furthermore, on this base a complete,
multilevel secure, distributed "system" can be constructed
with the storage system as the only component requiring
B-95
multilevel security.
While designed for a single microprocessor with, memory
management unit support, the structure of the high level
design which allows configuration independence was
preserved. The same concepts for reducing "bus contention
in a multiprocessor system while providing data sharing
were used and can he easily extended, e.g., for increased
processing capacity to serve a large number of higher
"bandwidth hosts .
Implementation of the Archival Storage System is an
area for further work. The distributed Kernel data
structures and procedures are described in this thesis.
Additional effort will produce compilable implementation
code and from this code generate a loadable system. The
Kernel non-distributed processes for I/O and physical
memory management have been briefly presented and more
detailed design will be needed prior to implementation.
The Archival Storage System design is a minimal family
member. Additional services to the Supervisor and
generalization of the simplifying assumptions (e. g., to
interface to multilevel hosts) are major areas where
continued research is indicated.
After implementation of the storage system,
substantial work is necessary in performance evaluation.
Hardware choices have been primarily left to the
implementor. Since many of the software design
implications on efficiency are unknown at the present
B-96
time, fine-tuning of both hardware and software will
result in "better system performance.
B-97
APPENDIX A - GATE KEEPER LISTING
Gate_Keeper Procedure
Type

























DI NVI.VI tDisaole interrupts!


















EI NVI,7I !Enables interrupts!
VALIDATE: DO (Check location of arguments for user
read/write access!
LDL <<DIST KERNEL ID>>ARGUMSNT POINTER, RR2
CALL CHECS~ADDRESS_S?ACE
!Get return'value!
LD3 RH0,«DIST_KERNEL ID>>VALIDITT CODS
LD3 RHl t VALID
CPE RH1,RE0
I? NE THEN EXIT PROM VALIDATE IReturn if invalid!




MOTS STACK: DO !Move argument list to Kernel work space!
CPB RH0,#0
I? SO TEEN POP R4,3RR2
PUSH QRR14: t R4
DEC RH0
ELSE EXIT FROM MOVE STACK
FI
REPEAT PROM MOVE STACK !Lood until all moved!
OD
CALL JUNCTION: DO
LD FUNCTION_CCDS,3RR14(*24) IRetrieved from system call
instruction on system stack!
LD R6, MAX FUNCTION CODE
C? R6,JUNCTIGN_CCDE
IP CT TEEN LD LDL RP.10,«DIST KERNEL ID»MESSA(J3 POINTER
LD R2,INVALID_FUNCTI0N_C0DS
LD 3RR10(0),R2 !Put"error code into message!
EXIT PROM CALL FUNCTION
ELSE LD R6,3RR2( NUMBER OF~*ARGUMENTS )
! Check number of uarameters!
CP R6, FUNCTION TABLE [FUNCTION CODS, NO OF ARGUMENTS]
IF EO THEN CALL FUNCTION TABLE [FUNCTION CODE, FUNCTION]
ELSE LDL RR10,«DIST KERNEL ID»MSSSAGE POINTER
LD R2 f INVALID ARGUMENT^ 1ST
LD ORR10(0),R2
EXIT FROM CAIL FUNCTION
FI
FI
OD !END OF CALL FUNCTION LOOP!
B-lOO
LDB RH1, INDEX !Zero aut user argument
ZERC)_OUl:: DO
C? RH1,#0








LDL RR8, <<DIST KERNE L ID>>MESSAGE POINT





MOVE RSIJ MSG: DO I Put message I acic ia
CP PHI ,#0










OD !END OF VALIDATE!
DI NMI.7I IDisable interrupts!


















SI MMI,7I ISnable interrupts!
I RET !Restore pre-call cpu state!
End Sate Keener
B-101






































1. Schroeder, M. D., Clark, D. D., and Saltzer, J. S., The
Multics Kernel Design Pro.iect . paper presented at
ACM Symposium on Operating System Principles, 6th,
November 1977.
2. Mitre Corporation Report 2934, The Design and Speci-
fication of a Security Kernel for the PDP-11/45 ,
by W. L. Schiller, May 1975.
3. Parks, E. J., A Design of a Secure, Multilevel,
Multlprogrammed File Storage System for a Micro-
processor Environment , MS Thesis (in preparation),
Naval Postgraduate School, 1979.
4. Smith, D. L., Method to Evaluate Microcomputers for
Non-Tactical Shipboard Use , MS Thesis, Naval
Postgraduate School, September 1979.
5. O'Connell, J. S., and Richardson, L. D., Pis tributed
Secure Design for a Multi-microprocessor Operating
System . MS Thesis, Naval Postgraduate School, June
1979.
6. Schell, Lt.Col. R. R.. "Computer Security: The
Achilles' Heel of the Electronic Air Force?," Air
University Review , v. XXX no. 2, January 1979.
7. Schroeder, M. D., "A Hardware Architecture for
Implementing Protection Rings," Communications of
the ACM, v. 15 no. 3, p. 157-170, March 1972.
8. Lampson, B. ¥., "a Note on the Confinement Problem,"
Communications of the ACM , v. 16 no. 10,
p. 613-615, October 1973.
9. Lipner, S. 3., "A Comment on the Confinement Property,"
Operating System Review , v. 9, p. 192-195,
November 1975.
12, Organic*, E. I., The Multics System: An Examination of
Its Structure. MIT Press, 1972.
11. Madnick, 5. E. and Donovan, J. J., Operating Systems
.
McGraw Hill, 1974.
12. Denning, D. E., "A Lattice Model of Secure Information
Flow,' Communications of the .a CM . v. 19,
p. 236-242, May 1976.
13. Peuto, B. L., "Architecture of a New Microprocessor,"
Computer
,
v. 12 no. 2, p. 10, February 1979.
B-104
14. Snook, T., and others, Report on the Programming
Language PLZ/SYS . Springer-Virlag, 1978.
15. Zilog, Inc., 28000 PLZ/ASM Assembly Language Pro-
gramming Manual . 03-3055-01, Revision A, April
1979.
16. Zilog, Inc., Z8001 CPU Z8002 CPU, Preliminary Product
Specification . March 1979.
17. Zilog, Inc., An Introduction to the Z8010 MMU Memory
Management Unit . Tutorial Information, August
1979.
13. Dijicstra, E. W., "The Structure of 'THE' Multi-
programming System," Communications of the
ACM., v. 11 no. 5, p. 341-346, May 1968.
19. Saltzer, J. H., Traffic Control in a Multiplexed
Computer System . Ph.D. Thesis, Massachusetts
Institute of Technology, July 1966.
20. Millen, J. £., "Security Kernel Validation in Practice,"
Communications of the ACM , v. 19 no. 5, ?. 243-250,
May 1976.
21. Enuth, D. E., The Art of Computer Programming:






Approved for public release; distribution unlimited
THE DESIGN OF A
SECURE FILE STORAGE SYSTEM
by
Edward James Parks
Lieutenant, United States Navy-
PS, United States Naval Academy, 1971
Submitted in partial fulfillment of the
requirements for the degree of




Dean of Information and Policy Sciences
c-i
ABSTRACT
A design for a secure, multi-user. File Storage System
is developed. This design, incorporating a concurrently
developed Security Kernel, provides a multilevel secure
flexible file storage serving a distributed system of
dissimilar computers. The Security Kernel is responsible for
non-discretionary [e.g., classification and clearance)
security and the Tile Storage System Supervisor is
responsible for discretionary [e.g., "need to know")
security. Multilevel security is achieved by the controlled
access to consolidated file storage for Host computer
systems. Multiprogramming of surrogate Supervisor processes
operating on behalf of the Host computer systems provides
for system efficiency. fl segmented memory at the Supervisor
level allows controlled data sharing among authorized users.
System integrity is in* epend ori t of the internal security
controls r ">n lark of them) in the iistnihuted systems; the
File Storage System prevents system-wide security side
effects. ^ loop free stnucture alons with system simplicity
and robustness ane design characteristics.
C-2
TABLE OF CONTENTS
I. INTRODUCTION c- 7










4 . Multiprogramming c-17
5. Protection Domains c-17
D. SYSTEM REQUIREMENTS C-18
II . DESIGN C-21
A. HARDWARE SELECTION c_21
B. SYSTEM STRUCTURE c" 22
1. System Levels c-22
2. System Protocol c-24
?. Host Environment c-25
a. Directory Files c-31
b. Data Files c-36
c. Multiple Segment File Directory c-36
4 . -est System Commands c-36
C. PROCESS STPUCTUKE c"45
1. Shared Segments Interaction c~47
2. File Management Process c-55
a. File Management Command Handler Module., c-55
t). Directory Control Module c-€l
c. Discretionary Control Module c-68
c-3
d . Segment Handler Module c-71
e. Memory Handler Module c-75
3. I p. put/Out put Process c-78
a. Input Output Command Handler Module c-87
b. File Handler Module c-88
c. Packet Handler Module c-92
III. CONCLUSIONS c-97
A. STATUS OF KE.ASFAECH c" 97
P. FOLLOW ON WORK c-98
APPENDIX A—SYSTEM PARAMETERS C-IOO
.APPENDIX B—SUCCFSS AND FRROR CODES c-101
APPENDIX C—FM/IO COMMAND HANDLER MODULES C-102




1. System Configuration c- 9
2. Protection Domains c-19
3. Abstract System View c-23
4. General Supprvisor File Hierarchy Example c-27
5. Virtual File Hierarchy c-30
6. Logical Directory Structure c-32
7. File Discretionary Access Control c-39
3. FM Process Modules c-56
9. Mail_Box Segment c-57
10. Comnand_Handler Module c-58
11. Direct ory_Cor.trol Module c-62
12. Discret i or.ary_Co"t rol Module c-7C
13 . FM_Knovn_ Segnen t_Table c-72
14. Segment_Ha rid ler Module c-72
15. Memory_Handler Module c-76
16. FM_Active_SegTert_Table c-76
17. Memory_Handler Memory Map c-76
18. IC Process Modules c-79
19. Packet Construction c-8i
2C. 1 0__C?mrrard_ Farrier Module c-89
21 . File_HandlPr Module c-89
22.' Packet _Ha*"5 ler v cdule c-93
23. Finit° State Diagram of Packet Transfer c-94
c-5
ACKNOWLEDGEMENT
This research is sponsored in part by Office of Naval
Research Project Number NR 337-005, monitored by Mr. Joel
Trimble.
Special thanks £0 to Lt. Col. Roser Schell and Prof.






Lack of data security is a central issue in computer
science today. Data security car. be divided into external
physical asppcts (i.e., guards, fences, etc.) and irt«rnal
system asDects 'i.e., Internal software and hardware
operations)? both of which are necessary for effective
system security. The physical aspect is understood and does
not pose a significant problem today. Continued loses (vi?.,
money, data) die to computer 'error', illustrate that the
second aspect of data security, viz., internal security, has
not been solved and continues to be a problem.
This shortcoming results from the fact that internal
computer security has not been a mandatory desien objective
during hardware and/or software selection and/or production
in most (if net all) contemporary computer systems. This
renders them prone to security violations from accidential
or malicious penetrations [SchelK 1)1 . Ad hoc attempts tc
provide the necessary system security in the later stages of
the system design or implementation have rot generally met
with success.
In contrast, this th c sis presents a design for a
multilevel secure computer operating system, the File
Storage System 7 SS ) in which internal com^utPr security is
a primary i Q sirTn objective. There are two ~oals this syst^r-
is designed ti achieve: 1) to provide sharing of data amor.--:
authori?ed users a."±, 2) control access to a consolidated
"warehouse" of data. This controlled access to consolidated
C-7
ft M
data, predicates a star network for the system structure
as depicted in figure 1. It must be noted, however, that the
FSS cannot control the physical security of the Host systems
and that Host systems have the ability to circumvent FSS
security by direct inter-Host communication links. To
preserve data security, all accesses to the FSS consolidated
data must po through the FSS for access validation.
Data sharing among authorized users is accomplished by a
segmented environment which allows controlled direct access
to all on-line data. The Security Kernel (or simply Kernel)
is used to insure that non-discretionary data access is
performed in an absolutely controlled (i.e., secure) manner.





'it is illogical to ignore the fact that computers may
disseminate information to anyone who knows how to ask for
it, completely bypassing the expensive controls Placed on
paper circulation." [Schell(l)]
That this fact is ignored is demonstrated by the
estimated 100 million dollars lost yearly by non-secure
computer systems ir the United States [l)eoning(2 >] . It is
obvious that a primary problem/limitation of computer
systems in use today is the lack of data security. ;
s
recuirements to store and access lata by computer increase,
the seriousness of this pro bier /I imitation can net be
ignored.















Figure 1. System Ccnfi~uration
C-9
different sensitivity (viz., "classification") levels for
users with different access authorizations (viz.,
"clearances") without a security violation is said to be a
multilevel secure system. Because it is usually not
desirable to authorize all system users access to the
highest level of data ('system hish') or provide separate
(without sharing) systems for each level of data, a
multilevel system is highly desirable. \ multilevel system
also allows the maximum amount of controlled data sharing
amors authorized users, a primary ^oal of any data storage
system.
Previous research shows that a viable approach to the
question of internal computer security exists. This
approach, soretimes termed the "security kernel approach"
[Schell(2)] t was introduced by Schell in 1972. It gathers
into one module all elements that effect the system
security. The module, by beins restricted in size, can be
verified correct which in turn allows the total system to be
certifed secure.
The FSS software is comoosed of the Supervisor and the
Kernel. It will provide a multilevel secure consolidated
file storage for distributed Host computer systems. The
non-discretionary security provided by tr.e Kerrel ard the
discretionary security provided by the Supervisor will
implement a wide ran^e of security policies, including t v e
standard Department of Defense !DOD) security policies. Data
sharing is achieved by a segmented memory environment at the
c-io
Supervisor level. The Supervisor uses segments (invisible to
the Host systems) to construct the Host files. Multilevel
security is achieved by the management of files submitted by
the Host systems vhioh erist at distinct security levels.
This allows the construction of a multilevel secure system
which is deperdent en crly on« securp element of the
TSS— the Kernel.
3. BACKGROUND
The dramatic reduction in size and cost alor.^ with the
increase in performance of microprocessors in the last
decade has made their use feasible in areas that have
previously bee^ reserved for mini/Vaxi computers (or rot
computed at all). Whereas security has been notoriously
lacking i~ the larger systems, it has b°en no^-existent i r
microprocessors to date.
2 e cause of their small si? , low '-est, durability, ard,
perhaps most i "ucrtantly, the manpower savings induced (just
to mention a few of many advantages), mi oroprocessors have
hiffh aupeal for use in a military environment. Fowever, the
military also has a" obvious need for security within their
computer systems, whether they are micro, mini, or maxi
cased .
For example, the ^av/ is presently cor.siderir.? systems
or V, oe ne't veneration of non-tactical shiobcarl computers






Cost. siz° and speed constraints will soor be met by
commercially available products. Security, however,
continues to bp a problem not adeauately addressed in ar.y
available systems. To preserve data confidentiality (not
only with respect to clearance le^el but also with respect
to the current stipulations of the Privacy Act), security is
a necessary part of any shipboard computer system. Pay
records, for example, should not have the same access level
as maintenance records. In order to store records in a
common data base and to have controlled sharing when
appropriate, the computer must be able to maintain a
multilevel secure environment.
There are several possible approaches to achieve a
secure multilevel environment. Xhe frontal approach, whi~h
is most difficult, is to certify all distributed computers
which have access to the data base as secure. A second
method and the method adopted for the TSS, is to cerfify
only one eleme^* of the FSS secur c—the Security Kernel. -11
access to the TSS that involves non-liscret ior.ary security
will b^ validated by th*3 Kernel. The FSS therefore
guarantees to manage files in a manner consista.it with the
FSS security policies.
The design for the ~SS is one memre" of a family of
systems proposed by O'Ccnnell and Richardson [O'Connell].
C-12
Security, configuration independence, and a looo-free
structure are characteristics of this family of systems.
C. BASIC fFFINITIONS
1. Security
Although any viable secure system includes both
internal and external aspects, relying excessively or
external controls is not desirable in mary cases due to the
added expenses and increased security risks involved in
error-prone manual procedures. External controls also cannot
provide the secure sharing of data that is needed in such
applications as integrated data bases and computer networks,
primary characteristics of the FSS . The use of the Kernel
concept is a demonstratively effective and practical method
for providing the internal computer security controls that
are necessary for a secure multilevel system. This concept
is at the center of the 7 SS design. .
The ba c ic concept behind this approach is that a
small portion of hardware/software, the Kernel, can provide
the internal security controls that are effective asainst
all attacks, fmalicious or accidental) including those never
thought "if by the d9Sis rer. (This al^c means that err n rs in
the JSS Supervisor cannot cause unauthorized! access tc
data.)
System security is the implementation of a security
policy. This policy is a collection of laws, rules, and
regulations that establish the rules for access to the data
C-13
in the system. Such Policies, such as the one established by
the PCD. have two distinct- aspects: discretionary and
non-discretionary security. Non-discretionary security
erternally constrains what access is possible. In the DOD
environment, the familiar non-discretionary security levels
are: top secret, secret, confidential, and unclassified.
Since most contemporary comouter systems do not provide the
data labeling necessary to support non-discretionary
security, all data is implicitly accessible. In the ?SS,
seamen ta tier allows unioue identification and labeling of
data; non-discretionary security is therefore supported. The
Kernel is the one element in the FSS responsible for
enforcing non-discretionary security.
Non-discretionary security involves the comparing of
the access class of a specific object (object access class,
(oac)) with the access class of th Q recuestor (subject
access class, 'sac)) to insure compatibility. In a DOD
environment, for example, a person (subject) with sac of
secret has access to files (objects) at any access class
equal to or less tha^ secret. The relationships between
different access classes are represented by a partially
ordered lattice structure [T n *"i inr( 1 ) 1 . This lattice
represents the authorized access based on the relationships
of two levels. An ** t a ^ u 1 e of the not —related (making the
lattice partially ordered' relationship, occurs because of
DOD compartrrentalization (e.g., secret is not related to
secret .nuclear) . The following accesses are permitted for
C-14






:read access (read down)
twrite access (write up)
:no access (sac not related to oac)
In each case, the Kernel must know the
identification of the Host system if it is to perform
correct non-discretionary security checks. Unique system
identification is provided by the system port number, which
is hardwired, and known to the Kernel.
Discretionary security provides a refinement to the
non-discretionary security policy and is reflected in the
DOD "need to know" policy. Computer systems which have
"ccess Control Lists (ACL N associated with data, implement
this discretionary policy. The FSS Supervisor is responsible
for the System discretionary security and although this
aspect of the System security is not validated by the Kernel
(and therefore not certified correct), the validity of t'^e
non-discretionary security is not affected.
To implement its asoect of security, the Suoervisor
needs to know the identification of the Best system "user".
This Host system user identification must be passed to the
FSS Suoervisor by the Host system. Since an insecure Host
system cannot be trusted to pass the correct irfcrnatic",
the user identification is only as frood as the Host system
implementation, (i.e., ?SS discretionary security is only as
C-15
good as the Host System's Implementation of discretionary
security.) This implementation may be ?ood on some systems,
(e.g., UNIX [Morris!) but non-existent on other systems
(e.g., CP/m" [Digital"!). It must be remembered that this in
no way affects the enforcement of the non-discretionarv
security by the Kernel.
2. Process
« process can be described as a locus of execution.
The collection r,f locations that may be accessed during this
execution is known as the process' address space [Madnick]
.
A process also has the characteristic that it may be
executed in parallel with other processes, enhancing system
efficiency and allowing the separation of tas^s intc
different processes for desisrn clarity.
The TSS has two processes per Host system. These are
an input/output ^10) process for Supervisor to ^ost data
transfer and communication and a file management (FM)
process that controls and maintains the Supervisor file
structure. Interprocess communication is achieved by the use
of even tcour.ts , seauencers, and synchroni?a t i on primitives
internal to the Kernel (described later).
3. Segmentation
Se^T^e" ta * i on allows for the direct addr°ssinr? of -11
system on-line information and the application of access
control to this information. Mote that direct addressing
C-16
does not mean random access to the on-line inf ormation. On
the contrary, access to segments is controlled by explicit
memory management calls to the Kernel to swap in/out a
segment. A segment can be defined as a logical grouping of
information such as a subroutine, procedure, data area, or
file. Each processes' address space consists of a collection
of segments. In a segmented environment, all address space
references reauirp two components, a segment specifier and
an offset within that segment. Segmentation is used to
provide *he Supervisor domain of each process a virtual
memory of limited size. Segments, as mentioned earlier, are
used by the Supervisor to construct the Host files which
retain the attributes of segments (i.e., access control).
4. Multiprogramming
* mul ti programmed environment is one in which more
than one pnocess is in a state of execution at the sane
time. These processes share orocessor tine, memory, and
other resources among the active processes. In the design
for the FSS • the Supervisor processes are mult iprogrammed in
an asynhcronous manner for system effici°ncy. *
multiprogramming ervironment allows the 'J ost systems to
operate in a logically parallel manner which adds to System
design si^olioity and clarity.
5 . Protection E^nai r s
One of the *ey elements necessary for valid Kernel
C-17
implementation is the isolation of the Kernel from all
possible outside influences. This can he done through the
use of protection domains.
Protection domains are used to arrange process
address spaces into "rings" [Schroeder] of different
privilege. This arrangement is a hierarchical structure with
the most privileged domain being the inner most ring. Figure
2 represents the ring organization in the FSS.
Protection rings may he created by either hardware
or software. Hardware is nore efficient but is not
commercially available in microprocessor devices today. Two
state devices are available, however, and by implementing
the two states as separate rings and providing for software
ring crossing rrecha^isins
.
the necessary two protection
rings can be created.
D. SYST2M S5QUIR2MiNTS
There are no fixed hardware requirements for the
implementation of the FSS. System efficiency does, however,
depend on an appropriate choice of hardware. Two basic
hardware features that are felt to be necessary for a viable
i^ple^en *a.+ i rr of the FSS are segmentation, and multiple
domains.
S e fT" e r t a * i c n. is necessary 'or -cress c c n t r o 1 a n d data
sharing. a ~vlticle state 'two i~> this c^se) is reressary










S 'W Za t






environment for the "
iccess to privileged machine
all system input/output. It
ent in which the Supervisor





A secure computer system is not dependent on the
hardware or. which it is implemented. However, as mentioned
above, segmentation and multiple domains are considered
necessary for ~SS efficiency.
Segmentation allows the use of one uniform type of
information object, the segment, at the Kernel level. This
simplifies Kernel design, and contributes to keeping Kernel
size small. A segment address consists of a segment name and
offset within the segment. Although this addressing can be
done in software, it is faster and more efficient when done
in hardware. Hardware can also simultaneously check for
authorized access, a necessary feature of a secure system.
Multiple domains are- currently used in some of the
larger machines to protect the operating systems from the
applications programs. Multiple domains have not, until
recently, been available in a microprocessor configuration.
The FSS design reauires only two domains, ore for the Kernel
and one for the Supervisor.
The introduction of ;he Ziloe Z50£2 series
microprocessor meets both the segmentation and multiple
domain recuirements. The FSS is targeted for implementation
on the Z-PTl segmented microrroc°ssor [Zilo-<?(2)l with its
associated Memory Management Unit (MMU) [Zilog'l)]. The
ZS001 is a 16 bit two-domain machine which produces a 23 bit
C-21
<*"
logical address. The Z821P MMU maps the 23 bit logical
address into a 24 bit absolute address and allows the
capability of addressing up to 126 segments (with two MMU's)
of 64K bytes each (9M-bytes total) in a two-dimensional
memory space. (See [Coleman] for further details.) RS-232
bus compatibility is assumed for serial data input/output at
the hardware level. This allows byte synchronization and
byte parity checks to be performed at the hardware level by
the FSS universal asynchronous receiver-transmitter (UART).
B. SYSTEM STRUCTURE
1 . System Levels
Abstraction is a way of avoidin.? complexity and a
mental tool for approaching comolex problems [Di j'rtstra' 2 )1 .
The use of abstaction allows the presentation of a system
design that is concise, precise, and easy to understand.
There are four levels of abstraction for the FSS as
presented in figure 3.
Level is the hardware level a^d consists of the
ZF0C1 microprocessor memory and some form of disc storage
(initial implementation nay be with floppy disc).
Level 1, the Kernel, is isolated and Detected f^om
manipulation 'accid°ntial or malicious) by bei~?; placed in
the more privileged domain of the ZF-3?1. Only the Kernel has
access tc system" machine instructions and controls all
access to the system hardware elements 'memory, disc). The














cor. trol 'i.e., conn 1:".
i
cation^
Fi^urf 3. Abstract System View
C-23
Supervisor operates.
Level 2, the Supervisor, operates in the outer (less
privileged) domain of the Z8P01. It has access to "normal"
machine instructions, but must go through the software
Gatekeeper [Coleman] of the Kernel to get access to memcry
(viz., segments) and disc storage. The Supervisor provides a
virtual file hierarchy to each Host system for file storage.
In order to manage the file hierarchy, surrogate processes
(input /output (10) and file management (FM)) are assigned to
each ^ost system. These processes act on the reauests
submitted by the Host computer systems. All processes are
created at system generation time and are not created or
deleted in a dynamic manner.
Level 3 consists of the "ost comouter systems. These
systems are hardwired to the ZS?01 in the 7S3 design. lach
port has a fixed access level so that if a multilevel secure
Host desires to handle data at two levels, it ^ust have two
connections to the FSS. (Note that if the Host is not a true
secure multilevel Host, and does have multiple connections




2 . System Protocol
Protocol* anp formal specifications which constrain
data exchange between systems and the ^SS. These
specifications allow the FSS to achieve hounded, deadlock
free and. fault tolerant communication. To organize and
C-24
simplify protocol design in the FSS, protocol is logically
divided into a hierarchical structure of two interacting
layers. Level 1 protocol handle? packet (descrited later)
synchroniza tier
, error detection, and command type
determination. Level 2 handles the repetitive activity of
data transfer.
Data and commands are transmitted between VSS and
Host via fixed si?? packets. Packet synchronization is
necessary for Host-FSS communication. Error
detection/correction is closely related tc the problem of
packet synchronization; packets not in synchronization will
not be correct. The converse is not true, however. A
synchronized packet may contain transmission errors. There
are several methods for error detection/correction
[Hamming]. A design choice of a simple check sum per packet
(to detect packet errors) was made in the interest of System
simplicity. If an error is detected in a packet, the Host
will be reauested to stop packet transmission and to fce^ir
again with the packet in which the error was detected. Cf
course, the FSS must be able to provide the same service.
This retransmission upon error ^et^ctior strategy. combined
with the byte rarity checks performed at the hardware level
by the UART, will provide the error detection/correction
scheme in the initial FSS design.
3 . Post invironment
The job of the FSS is to provide a service, viz., to
C-25
store files in a secure 'data warehouse . The files are
submitted by various Host computer systems. The virtual
environment provided the Host systems is therefore a primary
design consideration of the overall FSS design. Design goals
are to make this Host environment simple, easy to use and
understand, efficient and robust.
The center of the Host environment is the
hierarchical file structure maintained by the Supervisor of
the FSS. This file structure is a tree organization which
facilitates design abstraction (virtual file systems per
Host) as well as file system searches via tree traversal.
Figure 4 illustrates the overall logical structure of the
Supervisor file system.
A file can be defined, in the case of the FSS , as
one or more Supervisor segments grouped together for the
purpose of access control (security), retrieval (read), and
modification (wnite) [Shaw]. In the FSS the file is the
basic unit of storage at the Host system level.
The hierarchical file system contains two types of
files: 1) lata files, and 2) directory files. Both file
types are constructed from segments (invisible to the Host
systems) at the Supervise level. The characteristics
usually associated with a segmented environment (Supervisor
level) such as data sharing and access control, are
transferred to the file environment (Host level) ty the FSS.
The Host system environment consists of a virtual



















Figure 4. "re^^a! Supervisor Tile Fierarchy Fxample
C-27
virtual file system per hardware port). A primary reason for
having multiple virtual file hierarchies is to avoid the
problem of naming conficts which would eventually occur in
the Supervisor hierarchy as the system grew if per-host
virtual file systems did not exist. Multiple directories
also allow the Host systems to group related files into one
directory, simplifying search and Host use. The Supervisor
will control the duplication problem within a virtual file
system by not allowing duplicate file names in a single
directory file. Pathnames are required to uniauely identify
files in the Supervisor file systems and must be included in
the Host reouest.
Access to the Supervisor file hierarchy is
controlled in both a discretionary and non-discretionary
manner. The non-discretionary access is controlled by the
Kernel which will prevent a Host system from reading up or
writing down (confinement property). Discretionary access to
the files is handled by the Supervisor which compares the
Host. user (Host user combination) with the file ACL.
Reauested access is permitted only if the Host. user is
explicitly permitted access by the file ACL.
vach a ost system virtual file hierarchy is
constructed from data files ar.-i directory files which, as
mention°d above, are constructed of Supervisor segments.
Although dynamic growth and shrinkage are usual segment
attributes, a design choice for System simplification was
made to fix segment size at three increments, SMALL (512
C-28
bytes), MEDIUM (2K bytes), ard LARGS (SK bytes). These sizes
were chosen as a compromise between expected file sizes,
Supervisor buffer retirements , and minimizing the number of
software ring crossings that would be required during a data
file 'read' or 'store* operation. "Fecausp segr-ent size is
limited ard there exists the likelihood of en oour tering
files larger than the maximum segment size, the concept of a
multiple segment file (msf) is known to th 13 Supervisor.
Figure 5 depicts the general tree structure of a
Supervisor virtual file hierarchy. Directory files are
represented by sauares and data files by circles. Data
files, as their name implies, contain data only. Directory
files are constructed of a header and zero or more
"entries". There are two types of entries, branch entries
and link en tri es
.
Pranch entries contain the attributes of the file
which they identify. In figure 5, for example, the
attributes of directory file User_l (entry name, ACL, size,
type, etc.) are contaired in directory file Host_l, branch
entry User_l. One branch entry designates one Supervisor
segmen t
.
8 link entry, represented by the dotted 1
1
:. e in
figure 5, is composed of a" 'entry name (lirk nam e^ a r d a
pathname. (« pathname is the concatenation of entry names
starting fro* the root directory proceeding
seouential order to the specified file.) Like a branch























File 1 File 1
isure ?. Virtual *ile hierarchy 'logical view)
C-30
example, in figure 5, the pathname contained in the link
entry is Fost_l>User_3>Dir_l
. Unlike a branch entry,
however. the link entry does not contain any file
attributes. Access is controlled as the .Supervisor traverses
the specified path to the requested file.
The use of link entries allows sharing of files
among Host systems and among Host system users. Loops which
might be generated by two links which reference each other,
are prevented by the Supervisor. (Loous could present a tree
traversal problem to the Supervisor.)
Each file has a file name (Sntry__Mame—unique per
directory file) given by the Host system at file creation
time. This file name and its pathname are used to uniauely
locate the file in the Host's virtual file system. By
traversing the virtual hierarchy, the Supervisor can locate
the reauested file if it exists in the system. In either
case (viz., whether the file exists or not), aoprooriete
action can be taken by the Supervisor.
a. Directory File
Figure 5 is a logical representation of a file
directory. lach directory file, is made up of a header aH
zero or tots fixed size branch /I ink entries. A fixed
directory size of Lt'Ml { B'i bytes) was chosen to insure a
reasonalble amount of directory soace for Kcst system use.
This could cose a "space" problem, especially for secondary






















Tisure 6. Loeical Directory Structure
C-32
buffer space.) The Kernel, which stores segments as pages,
may want to compact' segments by not storing on secondary
storage pages which contain all "zeros". This would greatly
reduce the amount of wasted space on secondary storage.
(Another equally viable solution, but not s°lected for this
design, is to have multiple seempnt directories in the
Supervisor similar to multiple segment data files.) The
directory file header contains the following information:
Entry_Count: This is the number of branch/link
entries in the directory.
ACL__Count: This is a count of the number of
ACL_EN'THY elements left in a "dooI" of such elements.
If the entry is a branch entry, it will contain
the following el c rioT]t s:
Tntry_Name: rntry name is the file name. The
Host systems a^e responsible for supplying these names but,
as mentioned above, will be prevented by the Supevisor from
having duplicate names (file names) in ore directory file.
Access_Class : This element contains the file
access level .
3ranch_Link_Swi ten : This element will identify
the entny as a branch ent^v which in turn specifies the
entry forma t
.
ACL ?*r: This element will point to a r '>. CL for
the branch entry. The TSS has only three distinct
di sere f i ^na ry access modes: 1) 'null access as the na^e
implies, declares that no access is to be allowed to the
C-33
specified Host. user combination, 2) "read" access allows a
qualified Host. user to read a file only (i.e., no write
access), 3) "write" access allows a Host. user write access
to a file (also implicit read access). The actual ACL will
be a list of authorized users ir the form Host. user with ar
associated access mode. A 'don't care* authorization (in
this case a *) , will allow general access in that category.
Tor example, *.user would allow the specified 'user* to
access this file from any connected Host system with a
specified access mode. This ACL for entry "user" can easily
be expanded to ir elude other categories such as "project" to
further refine the discretionary access allowed to a file.
File_Size: This information is necessary for
proper management of the Host REAP_?III and STCR"2_FILS
commands by the Supervisor, viz., it allows the Supervi^o^
to calculate the number of segments that nai-ce up a multiple
segment file. It will be supplied by the Host system in t v e
STCRE_FIL2 command request (in bits).
Data_Dir_Switch : This switch tells the
Supervisor the type of file to which the branch points
'data, directory). This is r.eressary due to the differs:
file formats.
Fi le_Crea tM : This °lf"ri ort is used for ^er.eral
audit pur coses, i.e., to have a permanent record cf the file
creator ar\i the ti-e cf creatior.
LastJJpdate: This ele-npnt will identify the last
Host and user to store into the file. This identification
C-34
will be of the form Hos t . us^r .date, time. This will allow the
FSS to have a limited audit capability. The confinement
property prevents the FSS from also keeping track of read
accesses since processes at higher levels can read at lower
levels but cannot write the audit information. Also rote,
that the Last_Update information for upgraded directories
nay not be accurate for the samp reason.
If the entry is a link entry, it contains only
four elemerts. These are: 1) Entry_Name to identify the
file, 2) ?ranch_Link_Switch to identify the entry type, 3)
Link, a pathrane to uniouely identify a file, and 4)
Create JTirne , the time of link initiation alms with the
Host. user who created the link. All attribute checking is
done as the Supervisor traverses the specified path.
A FSS design choice is to limit all pathlengths
to 129 bytes. This places some restrictions on the Host in
that long file names will socn consume the bytes available
for a pathname, however, this restriction can be overcome by
pathnames which contain several link entries, which can
themselves be 12P bytes. With 32 branch/link entries per
directory, there are an average of 32 ACL entries (3 bytes
each) available to each brarch entry. ( Remember ,1 irk entries
do not have ACL entries.) Figure 5 contains the initial
field sizes for the directory construction. The primary
factor in calculating the si:e of branch/link entries is the
size of the link pathname. This increase* the size of li^k
entries to 163 bytes and although space is wasted in branch
C-35
entries, the simplification of System design resulting from
a fixed size of branch/li.nic entry is felt to be sufficient
Justification in the initial design.
b. Tata v iles
Data files are always "leaf" nodes in the file
hierarchy and contain only data.
c. Multiple Segment File Directory
A msf directory is a Supervisor construct
(invisible to Host systems) to manage files larger than the
maximum fixed segment size. Because the number of segments
that will be required by the Supervisor to store a file can
be calculated from the file size information passed by the
Host, a msf directory need only be a segment of size zero.
This makes the Kernel' alias table (which is a fixed
size— see [Coleman!) the limiting factor in the maximum file
size. The alias table has the same number of entries as a
Supervisor directory (viz., 32) which limits maximum Host
file size to 256K bytes. Files that exceed the maximum file
size must be split by the Host svstem. an attempt to store a
file that is 'too* large will result is an error condition
resoon5e to the Host ar^ a r une^ecutei ccmrani.
4. Host System Commands
The Host commands provide the only interface that a
Host system has with the FSS. Each command is interpreted by
C-36
the FSS and acted upon by surrogate Supervisor processes;
the Post system has no direct access to the 7SS. There is
one acknowledgement between the Host and FSS at this level.
This is a command complete" acknowledgement that informs
the Eost svster that the Supervisor has complete* action or.
its reauest. If an error condition occurs, the appropriate
error code is returned in the acknowledgement.
8 nother asnect of the Host environment reeds to be
defined also. The Host environment can be divided into two
states! they are the "old" state, before the FSS has acted
upon the Host request, and the "new" state, which occurs
after action has been completed by the FSS. The specific
state of the FSS at any instant is indeterminate at the Host
level if more than one Host is accessing the same file of
the FSS at o^e tine. That is, since Supervisor processes
execute in a completely asynchronous manner, the FSS state
may change after a Host command is sent but before the FSS
acts on the command. This will not affect the performance of
the System or validity of its security; Host commands will
be executed as a single, atomic operation in the FSS state
in which they are received and interpreted. The Host will
get some "correct" response for some state existing between
the sending of the 'Jost command and the FSS acfcrovledsrenen t
on the ^are cmvraM. This allow? several Hosts to safely
synchronize their actions external to the FSS.
The follrwir.fr is considered to be a minimal subset
of commands available to the Host System for adeouate file
C-37
control. Figure 7 illustrates the required discretionary
access attributes. T^e files are referenced in the Host
command descriptions startinr fron the root of the Hcst
virtual file system. Tne pathname specifies the parent
directors file (containing access attributes of the file),
and the file (data or directory) to which the u ost command
refers. All commands require a pathname for unique file
identification, Tach command also reauires the specif icatior.
of the Host system "user" in order for the Supervisor to
perform discretionary security checks. This 'userid' will he
supplied by the Host system or the Host system user, which
ever is appropriate.
CEEATE_EILE <pathname, access_class . file_type
(directory, data)>. This command reauests that the
Supervisor create a branch entry in the specified directory
under the specified file name at the specified access class.
An initial access mode of write, will be ^iven to file
creator and may be altered by the use of the *DD_.fl CL_ENTRY
and DELE?E_ACL_ENTRY commands. This is the only Host command
where file access class is specified. It is T:sed ir this
command to create upgraded directory files, if desired.
'Data files may not be upgraded—described later.) In the
initial implementation (with single level Hosts), there will
be ro utsradei directories within a Host virtual file
system. Irit.Ial data file size is zero; initial directory
file size is LARGH (FK bytes). Actions taken:













Figure 7. File Discretionary Access Control
C-39
file system for this Host and does a tree traversal to
locate the parent directory file.
2) If the parent directory file is not found or
found but write access to the parent directory file is not
allowed, ar appropriate error code is returned ("file rot
found' or 'write rot permitted').
3) If the directory file is found, and room exists
in the directory, the new file is entered in a branch. *s
mentioned above, no duplicate file names will be allowed by
the Supervisor.
CREATT_LINK (pathname, link ,userid>. This command
reauests that the Supervisor create a link in the specified
directory under the specified file name. As already
mentioned, the Supervisor will not allow links to form
loops. This is done by restricting the maximum number of
files in one pathname to 64 files. (This figure is reached
by allowing a maximum pathlength of 128 bytes and having
file names of ore character. File name delimitors of one
character, viz. ">", will give a maximum pathlength of 64
files.) 3y keeping track of the path, traversed, the
Suoervisor is able to determine if and when a loop i
s
formed. Actions taken:
1) The Suoervisor locates the root of the virtval
file system for this Host and does a tree traversal to
locate the parent directory file.
2) If the parent directory file is not found or
found but write access to the parent directory file is not
C-40
allowed, an appropriate error code is returned.
3) If the parent directory file is found and room
exists in the directory, the link is entered in a link
entry.
DELETS_FILF Pathname ,userid>. This command
reaves ts that the Supervisor delete the sppcified file from
the virtual file hierarchy. ?or design simplicity, only
terminal files (including msf's), can be deleted. This means
that directories must be empty in order to be deleted.
Actions taken:
1) The Supervisor locates the root of the virtual
file system for this Host and does a tree traversal to
locate the parent directory file.
2) If parent directory file is not found or found
but write access to the parent directory file is not
permitted, an appropriate error code is returned.




type (directory , data,
size) ,userid>. This command reauests that the Supervisor
trarsmit to the Host either a data file, directory file
'selected elements only^, or the Tr ile_Size, Last_Update, and
5 ccess_Class fentry data) elements associated with a
particular file. *-n explanation of the last parameter, to
transmit e^try data only, r eeds s^e explanation.
Branch entry elements can be logically divided into
C-41
tvo categories with respect to discretionary security. The
first category, which includes ?r.try_Name,
Branch_LinV-_Svitch Access_Class , ard ACL_Ptr are branch
entry attributes which cannot be altered by a Host process
unless the process has discretionary write access to the
directory which contains the file branch entry.
The second category, which contains File_Size and
Last_Update, are attributes which 'belong* to the file and
must be updated when the file is updated. A situation may
exist where a Drocess may not have any discreti orary access
to a directory but may have discretionary read access to a
file in the directory (plus implicit access to the rest of
the directory during the "search"). In order to read this
file, the Host system will need to know file size in order
to prepare to receive it. This is the situation where the
READ_TILE (size) command is needed. Actions taken: (for data
file)
1) The Supervisor locatps the root of the virtual
file system for this Host and does a tree traversal to
locate the desired directory file.
2) If the file is not found or found but read access
to the file is not allowed, an approoriate error message is
re turn ed
.
3) Otherwise, the file is transmitted to the
reouesting Host System.





3) If the directory file is found and read access
allowed, selected elements of the branch/lin* entries are
returned to the Host.
(for file size)
1) The Supervisor locates the root of th*3 virtual
file system for this Host and does a tree traversal to
locate the desired file.
2) If the file is not found or found out read access
to the file is not permitted, an appropriate error cede is
returned .
3) Otherwise, the File_Size and Last_Update elements
are returned to the Host.
STCE5_?ILE <pathname, f ile_si7e ,userid>. Thi?
command reauests that the supervisor store the specified
file in the FSS. Actions taken:
1) The Supervisor locates the root of the virtual
file system for this Host and does a tree traversal to
locate the data file.
2) If the data file is not found or found but write
access to the data file not allowed, an appropriate error
code is returned. Mote that Host systems can store only data
files; directories are 'built' by t v e Supervisor.
3) Otherwise, a store operation is performed by th°
FSS.
READ AC1 ^oathrame ,userid> . This command is used by
C-43
the Host systerrs in conjunction with the ADD_ACL_ENTRY and
D*,L?T£_ACL_'FNTRY to adjust (give/rescind) the access mode
(read/write) allowed to a Host/Host user to a specific file.
Actions taken:
1) The Supervisor locates the the root of the
virtual file system for this Fost and does a tree traversal
to locate the parent directory file.
2) If the file is not found or is found but read
access is net allowed to the parent directory file, an
appropriate error code is returned.
3) Otherwise, the supervisor returns the file 4CL
for Host system user examination.
ADD_ ACL_ENTRY < pathname, ACL_2rtry ,userid>. This
command reauests the Supervisor to add to the soecified file
ACL the specified ACL_Entry (Host. user combination, plus
associated access mode). As with the previous commands, the
access is checked for correctness by- both the Supervisor and
the Kernel before any action is taken.
DSLETE_ACL_ENTRY ^pathname, «CL_Entry ,userid>. This
command reauests that an ACL_2rtry be deleted fnon a file
fi CL. Again, appropriate discretionary and non-discretionary
checks are made before any action is taken by the FSS.
ABORT. This command reauests the Supervisor to quit
execution of the present command and return the file system
to its original state. Th°re are only certain locations in
the execution of Host con-rands that the Supervisor is able
C-44
to interupt. If an ABORT command is received after an
operation has teen completed but before the final Host
acknowledgement is sent, the original command completion
will be acknowledged and the abort command will be ignored.
Otherwise, action of the command will be halted and the
Supervisor will wait for another Host command. All Host
commands (including A?OF.T) will be explicitly acknowledged
with either a 'command comnlete" message or an appropriate
error code.
C. PROCESS STRUCTURE
There are two Supervisor processes which act on behalf
of each Host system (hardware port). The input/cutput (10)
process and the file management (FM) process. The 10 process
is responsible for communication and data transfer (via
packets) between the Supervisor and the Host system. The FM
process is responsible for managing the per-Host virtual
file systems and providing overall FSS control. a.ll Host
commands are interpreted by the FM process? the 10 process
acts in a "slave" mode to the rM process. Acting together,
the FM and 10 orrcesses interpret and execute the file
management reauests of the Host systems. Kernel orimitives
F.FAD, »P: fl \Cy. fcV*IT, and TICXFT used in conjunction with
eventccunts and seauencer (described later), are used to
synchronize Host surrogate orocess execution.
Both the ? M and 10 processes call on Kernel primitives
to perform actual segment manipulation. The normal order in
C-45
which these calls are made is fixed by the Kernel design. To
add a segment to a process memory, the order of Kernel calls
is: 1) Gatekeeper. Create_Segment , 2) Gatekeeper .Make JCaovn,
and 3) Gatekeeper. Swa p_In . To delete a segment from a
process memory, the order of Kernel calls is: 1)
Gatekeeper .Swap_0ut , 2) Gatekeeper. Terminate, and 3)
Gatekeeper. Delete_Segment . The Suuervisor procedures use
these invokation orders.
There are three levels of abstraction for a Host
surrogate process. They are: 1) the level at which Host
commands are known, 2) the level at which files are known,
and 3) the level at which Supervisor segments or packets are
known. These levels of abstraction should be kept in mind
when reading the FM and 10 process descriptions.
A design choice to simplify file system maintenance and
control is to allow upgrading of only directories (e.g.,
unclassified to secret). This will eliminate the possibility
of having a secret file in an unclassified directory, a
situation which would prevent updating of the file branch
data by the secret process since writing "down" is not
allowed. This restriction is not felt to exclude any
significant FSS capabilities ann* provides for a simplified
implementation .
The modular construction of the FSS enhances System
structure, ill data bases, except the files themselves, are
module local. Cod^ is expected to be written in PLZ/STS
[Snook], which is a high level pascal-like structured
C-46
programming language. Pecause of the its length, code is
located in Appendix C. The code listed in this appendix
gives the interprocess and intermodule control structure of
the FSS.
1 . Shared Segment Interactions
Supervisor process execution occurs in a completely
asynchronous manner. When a process is refered to in the
« following discussions, the two Host surrogate processes are
being referenced; these surrogate processes have the same
clearance levels as the Host they represent.
As already mentioned, the task of the FSS is to
provide a service. To be of maximum benefit, this service
should be unambiguous, easy to use, and robust.
The ^a.^r proble m that the FSS must handle for
proper System security is the confinement problem, viz., to
prevent a process from reading a file with a higher
classification or writing ;i.e., storing or updating) a file
with a lower classification. This job is handled entirely by
the Kernel.
Another problem closely related to the confirement
problem which also irvoles the Supervisor, is the
"readers/wri t er c " prnbl°n [Court ois! . 1^ order to preserve
file integrety, reading and writing of a shared file cannot
be allowed at the sa^p time. Since a primary objective of
the FSS is to provide for the sharing of files, this problem
will certainly occur and must be handled properly for System
C-47
viaMlity.
Both the confinement problem and the readers/writers
problem can be solved in one of two ways. Mutual exclusion,
a mechanise which forces a time ordering on the execution of
critical r°£ions, forces concurrent processes into a total
•order execution sequence. This is counterproductive to the
purpose of a process structure, which inherently allows
concurrent execution of processes.
a second and relatively new method is the use of
eventcounts and seauencer [Reed] to control access to
critical regions. This method preserves the idea of
concurrent processing' to a much greater extent. An
eventcount is a object that keeps count of the number of
events (in the case of the ?SS, segment read/write accessps)
that have occured so far in the execution of the System
procedures. These eventcounts are associated with the
Supervisor segments. They are accessed only via Kernel calls
and can be thought of as non-decreasing integer values. Each
Supervisor segment has two eventcounts associated with it,
one to keep track of the read accesses and one to keep track
of the write accesses.
A Kernel primitive ADVANCE signals the occurrence of
an event (read/write segment access) associated with a
particular segment eventcount. The value of an eventcount is
the number of *DV fi ^CE operations that have been uerformed on
it. A process can observe the value of an eventcount by
either HEAD^Seg_#, E), which returns the value directly, or
C-48
by AWAIT!Seg_# f T, t), which returns when the eventcount
reaches the specific value t.
A sequencer is also necessary to solve the
confinement and readers/writers problems. Some
synchronization problems reauire arbitration (e.g., two
write accesses to the same segment); eventcounts alone do
not have the ability to discriminate between two events that
happen in an uncontrolled (i.e., concurrent) manner. A
seauencer, like eventcounts, can be thought of as a
non-decreasing integer variable that is initially zero. Each
Supervisor segment has associated with it one seauencer. The
only operation on a seauencer is a Kernel primitive
operation called TICKET (Seg_#, S), which, when applied to a
sequencer, returns a non-negative integer value. (Similar to
getting a ticket and waiting to be served at a barber shou.)
Two uses of TICK7T(Seg_*,S ) will return two different values
corresponding to the relative 'time'' of call.
The segment number associated with these
synchronization primitives informs the Kernel of which
segment is being referenced. The use *f eventcounts and
seauencer can be illustrated by examining the following two
urocedures 'read O as not equal). The FSS imole^ents these





abort: w := READ(Seg_# ,S ) ; 'get reader eventcount!
AW.aiT(S<=g_*,C,w) ; !walt until write complete!
'read file';




ADV*NCE(Seg tf ,S)» fincrement reader eventcount!
t ;- TICKETTSeg_*,T); ?get sequencer!
AWAIT(S°g_* ,C, t ) J !wait for write to complete!
'read and update file';
ADV *KCr{Seg_#, C ) ; lincrement writer eventcount!
END
The Kernel will enforce the confinement property and
prevent the application of the ADVANCE and TICKET primitives
to segments with an access class less than the Host access
class. Not to do so, would allow a communication path to be
created between two different access levels. The two
eventccunts a Supervisor segment will have associated with
it (in the Kernel) are a write eventcount, C, and a read
eventcount, S. Each segment will also have a sequencer, T,
associated with it. Eventcounts and sequencer are initially
7ero.
These eventcounts and sequencers, with their
associated Kernel primitives, are used by the ESS to oerfcrm
the synchronization functions of "lock ar.d Vakeup ("Coleman 1
,
described i n the original Kernel design. Eventcourts ard
seouencers provide a clearer picture of t^e process
interaction as well as explicit control of the
'readers /writers ' problem. Even more importantly, they
C-50
permit the synchronization between processes of different
access levels. This is essential in order to permit a high
level Host to read files of a lower level.
Th°re are two groups of Host reauests. They can be
'classified as read reauests (e.g., ?.Y.*.D_?I IE, -E a D_ACl) and
write requests (e.g., CREATE_FILE, STORE_FILS). These
categories can he further subdivided into read data file,
read directory file and write data file, write directory
file subcategories. rach category tyoe must be handled in a
proper manner by the Supervisor to irsure file integrity.
Each category will be discussed in turn beginning with the
read file category.
There two conditions which might develop over which
a process has nc control; file update by another process,
and file deletion by another process. *n example of file
update might occur while a secret process is traversing a
file hierarchy and is in the middle of searching the
directory for an Entry_Name when another process (at the
directory access level) updates the directory. Since the
secret process will READ th*3 s pgment "reader" °ve n tcour.t , S,
before and after the search, it will icnow that the data it
had obtained is possibly invalid. Although th<=re does rot
aDDear to be a problem with allowing the 'reading' process
to re-read the directory file until 5 "good" . ead is
achieved, a closer ova^ination of this condition should te
ma^e at implementation time, viz., is it possible for a
'writing* process to alter the pathname of a 'reading*
C-51
process so that an inconsistant state is achieved for the
reading process? a possible solution could reauire a process
which suffers a "cad" read to begin the traversal over,
beginning at the root directory.
When a directory is being read to pass directory
data back to a Host, the directory data is out in a buffer
and sent from there.
A single segment buffer nay bp to small to hold a
data file 'e.g., maximum file size of 256K bytes).
Therefore, to present the Eost with only valid data, a data
file "buffer" is needed at the process level. Since this
buffer will be at the process access level, it can be locked
by the process to insure that no other process interfers
during the reading ooeration once the data file is in the
buffer file. This cooying of the data file is done by the FM
process and the 10 process will read, the file from the
buffer file when transfering the file to a Host system. The
choice of making a cooy of a data file is awkward but
considered necessary in order to provide the Host with only
atomic operations, i.e., to prevent the situation from
occuring where half of a ten segment msf is transmitted to
the Hos* a^d the file is either updated nr, deleted.
The other condition which may arise daring a file
read is a file deletion. This situation occurs wh A n one
orocess is reading a file and another orccess deletes tne
same file. The first pmcpss, not knowing that the file
(segment) has been deleted, will try to reference the file
C-52
again. A hardware segment fault will occur and cause a
transfer of control to the Kernel. Note that in this
situation, it is the higher access class process which will
suffer the fault while it is reading a lower access class
file. To handle this problem, viz., the Supervisor segment
fault, a fault handler must be part of the distributed
Supervisor. _A Kprrei primitive also reeds definir^. This
primitive, la tekeeper.On_vaul t ( Taul t _cond it ion, Intry_pt),
is called ir the initialization of the Supervisor process
where it is possible for a segment fault to occur. A call to
a Superivsor condition establisher is also necessary. This
will place a specific condition handler on a 'condition
stack". If a fault occurs, the Kernel returns to the
Supervisor fault hardier with a 'segment fault' error
condition. This fault handler in turn transfers control to
the condition handler at the top of the 'condition stack'
which can make a normal return from all procedures. When the
error condition is detected (from the return code) by the
appropriate Supervisor level, action is taken, viz., the
Host command in re-initiated. Since the file (segment(s))
has been delete, this reinvocation nay well result in a
'segment net found' error condition being returned from the
Kernel and a "file not found" enror condition bein<? relayei
to the Host. V,: h <=Ti *he Supervisor e^its the "se.grpnt fault" a
'revert" command is necessary to remove the condition
han.'ilen fn^m th° condition stack.
Another side benefit of having the Supervisor do all
C-53
the actual file reading (and therefore take all the segment
faults) is that it prevents a hardware fault from occurin*?
during the actual data transfer in the Kernel during 10
process execution. this condition would force the handling
of the fault in the Kernel domain— a difficult task.
Writing a file is a more straight foreward task and
presents fewer problems. This is because a writing process
has the sane access class as the file ard can prevent all
other access to the file (segment(s)) it is concerned with.
To alter a directory ( C?.EATE_FIL2, DFLETF_FILF . etc), a
process will get a ticket to the directory and perform the
necessary manipulation when its number is called. In order
to store a file, more care must be taken. If a process were
allowed to store directly into the old file, the possibility
exists that a software or hardware error misht result in a
partially updated file- and loss of file integrity. To
prevent this from occurring, a data file is first stored
into a temporary file set up by the FM process. This also
allows the original file to continue to be read by other
processes while the store operation is going- on, a
significant advantage if the data file is Ions. A-fter the
file is st^r^d by the 10 process, the F^ process gets a
ticket to the fil^ directory and when its turn cones, makes
the "eces^rv directory updates, viz., the temporary file
name is sub si tut ed for the old file 7ntry_'Jame, Last_Upiate
information charred, ard the old file deleted. (If the file
is a msf, each segment is, of course, deleted.)
C-54
2 . File Management Process
The FM process is composed of the five modules
depicted is figure S (with associated Kernel calls). The FM
process is the controller of the FSS and directs all
interaction between the FSS and a Host system. Each module
which makes up this process will he described along with the
procedures which nake up th° individual modules.
a. File Management Command Handler Module
As depicted in figure 3, the FM_Comnand_Handler
module ;see Appendix C, p. 134) is at the top of the FM
process hierarchy. This is the level of abstraction at which
Host commands are "known". This module is responsible for
interprocess communication and synchronization (with the 10
process) and Host command interpretation. Interprocess
communication is achieved by the Kernel primitives TICKFT,
ADVANCE and AWAIT which act on an event count associated with
the shared mail_box segment. Figure 9 shows the logical
construction ard he data base description of the m a11_bcr.
figure 1 * is a list of the procedures contained within ^n-3
?M_Command_Eandler module and their input and output
na rame ters
.
The ?M Cmd_Hnd procedure is the entry procedure
into the FM Command Handler noiule. This is the control
procedure of the module and is responsible for routing Host
commands to specific FM_Command_Handler procedures for
















































Figure 8. ™ Process Modules
C-56


















Figure 9. Mail_3ox Segment
C-57
PHOCFDURF INPUT















Mail Box .Ms^-.Succ Code
















Mail_~ox . M S£. Inst
Mail_?.ox . Ms£ . Succ_Code
Mai 1_ Box .Ms^.File_Si?e
Mail_ r :x .Msa.Tnst
Mai!_:-o^. v sr.5':co_Co J e














Figure IF". Command. Handler Module
prfl^c^ifp I^pn* /Ou*pn t p^ra^eters
C-58
packet, is lr. the T»all_box, th» FM process retrieves the
command and "begins appropriate action. The ^ost command
fe.p., STORE_FILF, aEAP_FILE) Is actually an entry into a
case statement which directs the correct FM_Command_"andler
procedure to take action. Zach Host command has associated
with it, at this level, its own procedure.
Because the procedures of th*1 module are
relatively straight forward, they will net he discussed ir.
detail. The pe^eral functions of all the procedures in this
module are to pass instructions to t^e 10 process and to the
Birectory_Co r, t rol module, the "workhorse" of the FM process.
Some explanation of Host command parameters is







v s e r i d
?
n I entry.
I 1" all h p st commands, the pathname passed by the
'-"est is f he pathname 'relative to the 'root' directory of
the :.'rs f virtual *ile system) of the file of interest,
whether a directory or data file, "rem the pathname, the 7 V
process is able to extract the pathname of the parent
directory which it must brins into the FM process memory to
C-59
check for proper discretionary access. The complete
oathname, in terns of the FSS file system, is oassed to the
Di rectcry_Cort rol module for actual directory manipulation.
a pathname and file size (for the 'buffer file') is returned
(dir_pathoame, dir_f ile_ si ze ) by the Directory_Control
module during a ^ost RF a D_FILF or STORS^IIF reauest. This
new pathname and file size is passed to the 10 process where
the actual data transfer takes place for these operations.
Sinoe discretionary security checks are made in the FM
process and all input/output "buffers" (e.g., temporary data
file, mail_boT segment) are under positive FM process
control, the 10 process need not be concerned with
discretionary security or the possibility of a "segment
fault '
.
A link is a pathname which a Host passes in the
CP.EATF_LINK command.
Tile type is used for the CRF4TF_FILF Host
command and is necessary because of the different file
formats.
Command type is used in the REAE__?ILE Host
command to speoify the tyre of 'read' the FSS is to conduct,
i.e., to read a -Mr^ctory file, a lata file, or only a data
file size.
File size is passed by t^.e Host durinr
STC.-E_FI!I reouests. m r i s irformation is necessary for the
FM process to create a temporary file of sufficient size to
store a Host. file. File size is relayed to the 10 process so
C-60
#>
that the 10 process can go directly to the data file without
having to chpck the directory file for file size. File size
is in hits.
Access level is -e^ded for thp CREATE_FIL3
command. This allows for upgraded directories (remember,
data files cannot be upgraded).
The identification of the Host system user is
necessary for the FSS to perform discretionary security
checks. This is orovided by the Host system through the
userid parameter.
£CL_5>try is used with the ADD_«CL_ENTEY and
DTLFT^A CL_FNTRY commands to give/rescind discretionary
access to files.
b. Directory Control Module
The Directory_Cont rol module, as the na-np
imolies. i^es the directory manipulation and maintenance.
Fisure 11 lists the procedures which make up this module.
along with their input/output parameters.
This i* the level of the FM process at which
files are known. The Directory_Contorl module nandles trie
readers/writers problem with the appropriate use of the
Kernel syncronization primitives ?.EAD, ADVANCE, A '.v AIT. and
TICKFT. It handles the sesrmert fault condition by a call to
the condition establisher when the possibility of a segment
fault exists. The 10 nro^ess uses the same primitives while






























Figure 11. Directory_Control Module
P-oce3ures Input /Output Parameters
C-62
operations, viz., the tree traversal when locating the data
file read buffer or the temporary storage file. Js
previously mentioned, the IC process will rot face the
oroble^ of file deletion while reading and will therefore
not have to establish a condition handler.
Logically, u ost reauests reouire four basic
actiors to be perf^r^ed at this level. They are: 1) to brinr
a directory file into process memory for a read and/or write
ooeration, 2) to delete a file, 3) to create a file, or 4^
to copy a data file into a data file buffer. All other file
mainterance functions such as mana^ir.,2; memory or mana^ir.fT
the limited number of segments available to a process, ar°
performed by subordinated modules. There are three
procedures in this module.
The Pi r_Cntrl_Bi rectory procedure is the
Di rectory_Cort r^l module procedure which handles Host
commands which reauire that the parent directory be brought
into process memory in order that reauired discretionary







To oerform these tasks, the parent directory
C-63
segment (which contains the file "branch/link entry) must be
brought into rrooess memory to check for prooer
discretionary access. If access is permitted, the
Seamen t_ Handler module is called with a pathname of a
segment reauired to be brought into process memeory.
For action or. a DFLF7F_FIL!i: command,
discretionary write access to the directory is reauired
since the branch y l ink entry of the file must b° removed from
the directory v^en t^e file is delete!. (Note that this
raises the possibility of a Host having write access to a
file but not able to delete it because he does not have
write access to the directory.) If the parent directory file
is not found or found but write access to the directory rot
permitted an appropriate error code is returned, viz., "file
not found" or "write access not permitted".
If an error condition does not arise, the
directorv is brought into p^coes^ n"em nr y u r i a check of the
file attributes is made to determine file type (data,
directory, link). If it is a data file or link entry, it can
be deleted because it is a terminal node in the file
hierarchv. If it is a directory, the (directory) file itself
must be brought into process memory to see if the directory
is empty • v i 7 . , c v er\r of Fntry Count and presence of a
Supervisor temoorary file'. If it is not empty, an error
code of "not terminal file" is returned to the Host. If the
directory is empty, it can be deleted.
If no error condition occurs during the
C-64
y*^»
preceding checks, the file may (subject to check by the
Kernel) be dele^d. The Dir_Cr. trl_Directory procedure will
call on Ses_ trnd_ v'ake_ TJnaidres5able procedure which will in
turn call Mem_R*H_Swapcut procedure to remove the segment
from process memory if it is in memory. (Remember the actual
order: Swap_0u f
.
Terminate, Delete.) Ne^t, the Kerr el
primitive, ^ate^eeper .Delete_Segment is called to delete the
file from the TSS . N«te that in the case of msf's, th c se
steps must be repeated until all segments of the file are
deleted. *t this time, the branch entry is removed from the
directory by zeroing all branch entry elements (to allow for
Kernel secondary storage compaction of iisc pages of 7eros).
The 10 process is then instructed to acknowledge the Rost
with "file deleted". This f~ees the entry for future use.
The deletion of a link requires the same
discretionary wri to access to the directory. 1* this case,
no further checks are necessary and the link entry elements
are zeroed in t.h° directory, freeing the entry for re-use.
Tor the "R^ATF^IL" command, analogous action is
taken by the Dir_Cr.t.rl_Di rectory procedure, viz., to chec 1'
discretionary write access to the directory which will
contain the file branch e r ^v.
Once this check has been satisfactorily
corrple + ed, b* a r^^p oTi^ts in the lireotcry, the Kernel call
la teke^per . f re a *e Segment is made to create the file. The
i n i*ial file c i7o i= zero for data files since the
Supervisor has no prior knowledge of the size of the file
c-65
that will be stored in the branch entry. As explained
earlier, a file size of LARGE (SK bytes) was selected for
the fixed directory size.
The CRFATF_LINK reauest is a r*ain analogous, the
only difference beir*! that instead of a branch entry bein^
made in the directory, a lirk entry is made. As previously
mentioned, the Supervisor will not allow a loop state.
Checks will «"t be nade at link creation time? however, the
Supervisor will 'abort " a file search if it encounters this
error condition during tree traversal.
The R7AD_7IL"F ^dir) command reouires read access
to a directory file. If no error condition arises during
discretionary security checks, selected directory data
(e.g., Sntry_Mame, 7ile_Size, etc.) is trans.fered to the
Host system via the mail_box segment (viz.,
Dir_Data_Buf fer ) . This selected directory data for each
'occupied'' branch/lirk entry is trar.sfered during the
READ_FILE <dir) command. For the READ_FILE (size) request,
only selected directory data for a specific data file is
transfered. The TC and FM orpcesses use appropriate Kernel
synchronization primitives to assrre that the information in
the mail_box segment is valid.
The las f thr^e Host reauests handled by the
?ir_Cntrl_Direct ory procedure are related. Asain,
aocropriate discretionary ac r e«s checks must be ^ade in the
parent directory. If no error condition arises, t::e action
taker is straight foreward. In the case of the ?.E?D .^CL
C-66
command, the file *CL is transfered to the mail_box
4CL_buffer and the procdure returns to the
FM_Commar.d_^andler module. In the case of the
,
fl DD(DFLTrE N'_ACL_ZMTRY commands, the action is completed ty
the Dir__Cntrl_ r)irectory procedure and the appropriate
Di r_Succ_Code returned.
The M^Cr. trl^ata procedure is nesponsible for
trarsf erirg tf/fr^m a Host a reauested data file if
necessary urecond it ions are net (viz., discretionary and
non-discretionary security). In order to read c^ store a
file, a Host -nust have the proper discretionary access to
the file. To check this, the parent directory which contains
the file branch entry must he brought into memory. This is
done by the Ser^e^t _Eandler module. If the proper access is
not allowed, a" erro 7* code is returned to t'^ c
FM__Command_Kandl° T' ^odul° for relay to the Host system. If
the proper access is allowed, a copy of the file is made in
the case of the ?.E£D_?IL2 command, or a temporary file is
created in the case of the STORE_FILE command. The pathname
and file size of the data ^iles to be transfered are passed
to the 10 process which will perform the actual dat=>
transfer. tfp°n a successful transmission of the data by th°
10 process. t u e 7rv orocess instructs the 10 process *
ac'-rn^wled^e the H^sf with a "r°ad complete' or "st r ~ c
oomplete', as ^pnno^ria te
.
The Dir_Cntrl_Data procedure will ma'^e
appropriate use of Kernel synchronization primitives (e.g.,
C-67
AWAIT, R'AD, etc.) when copying a data file into the data
file read buffer or setting up a temporary file for the
store operation. After the file transfer has taker. place in
the 10 process, thp IC proc°ss returns a success cole to the
?M process. The 10 process will return to the F M process
when one of three conditions erist: 1) either the read or
store operation is successful and complete, or 2) a command
packet is receive*? (viz., an abort cowman -!), cr 3) a
'time-out ' occurs and the 10 process was not able to
complete the c^n-Taiii.
Tor a store operation, the Dir_Cn trl_Update
procedure is ^alled to update the directory data (viz.,
exchange the temporary file *ntry_Name with the old file
Entry_'Jare^ aM deletes the old file. (The temporary file
should be deleted by this procedure if, upon attempting to
update the file, the old'file cannot be found.)
Since each directory segment has only one
temporary file for file update, some delay may be
experienced by ^ost systems if several try to store large
files irto th° «.a^p director?/". This ^oes not appear to be a
major problem si^c3 most users are anticipated to be
operating fro** * viPir fvi directory files.
The r.trl Update pnoceiure is also use! to
free the temporary storage file in the c a» c <= of a Host abort
command
.
c. Discretionary Security Module
C-68
The Msc-etion.any_Security module is responsible
for checking Host user discretionary access to a specific
file and adding and deleting ACL_entries . All file flCL's are
logically located in this nodule. This is the only othpr
module besides the !Urectory_Con t rol module where a segment
fault night. occur. Appropriate use cf the condition
establishen must be made before any attempt to read an ACL
so that a pn^p«r reMirn is pyecuted to the Dinect0r.7_C0n.tn0l
module in the event of a fault. There ane four procedures
which make up this nodule as depicted in figure 12.
The t>i sc_Sec_ChecK_Access procedure, as the name
implies, checks f«r a specific usen discretionary access to
a specific file. * success code returns, indicating the
result of the check. This discretionary ~hpck is only made
on the specific file which is r^cvir^i in. a Host command,
i.e., a design choice was made not to make discretionary
access checks during the tree traversal search fon the
specified file. This makes explicit in one ACL who has
access to a file, which contnibutes to clean security
semantics. (This also eliminated the Question of what to do
if an intenmediate directory was encountered durin ile
search to which the process lid not have reai access.)
The "M s o Se^ fl dd_'CL_Int ny pnocedune adds a
.CL entry to file ACL and net urns a success code to
indicate *.h° artio r taken. 3 s noted previously, a directory
has a limited number of ACL_entry elements. The Supervisor




























figure 1? . Msc T,Ptior.ary_Security Module
Procedure In "out /Cut. put Parameters
C-70
the file creator). If another ACL_entry is reauired and the
!t.CL_entry "r>ool" is empty, an *CL_er.try element will have to
he explicitly freed from a file by the Host before a file
8 CL can be added to.
The T^isc_Sec_ T^elete_.a ', L_^ntr.7 procedure performs
the straight foreword task of deleting ar 4 CL_entrv from a
file ACL. This prociure returns a success code when deletion
is complete .
The last procedure of this module is the
Disc_Sec_Get_£CL procedure. It is usel during the lr.tial
creation of a file by the Directory __Control nodule to get an
initial ACL_Intry element.
d. Segment handler Module
The Segment ^Handler module is the abstraction
level at which Supervisor segments ar? <?.o.m. This module
works in con .ivrctior. with th ° ^errc r, y Handler module
'describe! later) to either bring a segment into process
memory f'd'.. M,= vp_y~n W n t Svap_In.) or to terminate a segment
(viz., Swap_Cut, Terminate'1 . This module is responsible for
rai^ t ai"1 1 i e? the FM^KST f^nvr sp^prt, tabl c—^i^ur 13) data
base. The data has° elements of the FM_KST are the pathname
of a segment Vm-ivn +r the p^^^e^s, th c segment number
~> >[^es_P] of the terminal file in this pathname, ^oie (i.e.,
neai or ,-'ri Mr-^ , a^n" the usp bit. ^ece^sary for a I VJ removal
algorithm ( approximation ) . Tn prevent the situation where a
segment has been deleted by one process but is still
C-71
Pathname See__* "lode Use














?r^^pdn'%o I" put /Output ?^raT°ters
C-72
indicated as "in memory" "by another process, each new Host
command will initiate a Kernel call, Gatekeeper. Swap_In
(Seff_#, Ease_.6 d3r)
, to confirm the existence of a segment. (
Kernel return of "segmpnt not found" will indicate that the
segment has been deleted. The TSS must then clear its date
structures o* invalid data and traverse th° virtual
hierarchy from the root directory to insure that the segment
is truely gone an-i that it has not been renamed by another
process i.e., f ^ cover the unlikely situation wher° a
pathname has teen deleted and then re-created with the same
filenames. This would associate different segment numbers
with the same pathname.
Fi^'irp l-i is a list of the ' procdur°s of this
module along with their input/output parameters. This module
receives a file segment pathname and returns when it has
been brought into p-ocess memory or an error condition
arises. The possible error condition that might be returned
from this module is 'file not found'. This module has twe
tasks, and therefore two procedures. To make a segment
addressable by the -ost process (viz., brin^ it into process
memory) or to na v " a segment unaidressable by a Test process
•viz., to remove the segment from onoc-ss memory). The
sroce dunes which h^n-lle these tasks 3ne the
Se£_Hnd_Kake_AddressaMe 'i.e., bring a segment mt: process
memory' and 3^°" ?"d Nake Ur.addressable (i.e., remote a
segment from orocess memory) procedures. 'Mote that to ma-ce
a segment addnessable also reauires making the segment
C-73
known' and that making a segment unaddressable requires
"terminating" the segment.) Both tasks are accomplished by
appropriate use of Kernel primitives and accompanied by
calls to the tfe^ory^Rar dl«r module to Swap_In or Swap_0ut a
segment.
This module is also responsible for segment
management. Segment management is necessary because each MMU
allows the addressing of only 64 sements. ttith one MMU in
the initial TSS implementation and several segments taken by
the Supervisor and Kernel segments, the number available to
the Supervisor processes will be somewhat less
(MAX_KNOWN_SEG) thai 64. This number must be managed in a
dynamic manner without interfering with process execution.
The Se^_End_Mak°_Addressable procedu 1" is the
more involved of the two module procedures. If a reauest to
make a segment known is received, the FM_KST is checked to
see if it is already known. If it is, the LRU bit is set and
the Memory..Hardier module is called to assure that the
segment is in process memory. If it is not already Known to
the process, it must be made known by the Kernel call,
Gatekeeper .Make_Kr.own (Par_seg_^, entry_*, node). But this
can only be done i F r> no cess segment limit is not exoeedei.
If the addition of a segment will cause an overflow, a
s°f? r~ert rust be removed by the 3e* Hrd fade "Jr.aidressable
procedure. Once this is ionr, the desired s a ^ment oan be
made known, the FM_KST updated, and the Menory_Eandler
module called to bring it into process memory.
C-74
The Seg_Hnd_Make_Unaddressable procedure is
straight forever*!. This procedure may he called to either
delete a specific segment or to delete the LRU segment. If
called to ~enove a specific segment, actior is taker, to
remove the segment 'described below). If called to remove
the LBU segment, a LPU removal algorithm f approximation) is
uspd to determine which segment will be remove^. When this
has been done, the Memo^y^andler module is called to
Sv;ap_Cut the segment from process memory. A returned success
code indicates that the segment has been removed by the
Kernel call Gatekeeper .Swap^Out (Seg_#). A call is then made
to termirate the selected segment. The Kernel call,
Gatekeeper. Terminate (?ar_Sp£_*, !!ntry_K#), will cause rhe
segment to be deleted from the Kernel KST. Removing the
segment pathname from the ?iM_KST will complete the acti~*"
taken by this pr^cMure.
e# y e rr>nry Handler Module
This module operates in a "slave" node to the
Seamen t_Eardler module and consist of two procedures. Th°se
orocedures are listed in figure 15 along with their
input /output paramp* e~s . The job of this module is t:
dynamically manage a fixed size linear virtual memory. I:
does this by s we "Doing in and oi>t of process me", o*, y segments
as reauirei
.
Wher the Mem_Hnd_Swap_In procedure is called,









Men_Hnd_Svap_Out. Se£_# Mem Succ Code
Figure 15. Memory_Handler Module
Procedure Input/Output Parameters
Sez_# Size Base_Addr Use
Figure 16. FM AST
7 i 2 • • • "Base_Addr
SEG_#
Figure l 7 . Mem_Map
C-76
see if it is already in memory. If it is, its LRU bit is set
and Gatekeeper .Swau_In 'Se*_#, 3ase_»ddr) is called to
Insure that the sp^e^t has not been delete! by another
Drocess since last use. If the segment is not in memory, tre
M*M_MAP data structure, <"i^urp 17, is chpcked to find room
for a segment of t*p reauired size. Anguemerts car be made
for both a first-fit and best-fit memory management scheme
[Shaw], a first-fit scheme is chosen for the "FSS d'je to t h e
simpler implon-ora t ion and the reduced memory fragmentation.
If room cannot be found, Mem.JTiid _Swap_Cut is called
iterativelv until enough room erist for the segment to be
brought into process memory. a 'Kernel call,
Gatekeeper .Swapi* (Se*?_ tf , 3ase_Addr), is used tc move + he
segment into process memory when room exists.
Mem_Hnd_Swap_Cut may either be called to remove
a specific segment or to remove the L?.U segment from process
memory. If the reauest is to remove a specific segment, the
task is straight foreward: a call is made to the Kernel
primitivp Gate^epper .Swap_Cut (Seg_#). If the reauest is to
remove a suecific segment, a LRU algorithm (approximation)
is used to dsterrni^e which se^re"* to r op,ove. When this is
done the l'ernel call is made a r d the Memory^ar iler date
bas ,nc a r= u'oda^e^ *^ reflect the seg^e^t removal.
*- preliminary analysis of memory reauirement?
indicates that ^dt o c e ^ c linpar virtual Tpf n ry will n eed to be
at least ?\7. bytes. The driving factor in this calculation
is the fact that two data segments (possibly SK bytes each)
C-77
may be required in process memory during the copying of a
data file into the data file "buffer". A 24K "byte memory
would allow for the worst rase, viz., one SS byte segment
positioned in the middle of linear memory? room would still
exist for the two 3K byte segments.
3. Input/Outout Process
The 10 nrocess is the second of the two processes
which act on behalf of a Host system to provide a requested
file management service. The 10 process acts in a slave mode
to the 5T process! i t receives its commands from the FM
process via the shared mail_box segment described in
connection with the FM process.
The 10 r^ocess is responsible, as the nsme implies,
for all input and output between the Supervisor and the Host
systems. The 10 process is composed of five modules as
depicted in figure 19. (along with Kernel calls). Two of
these modules, 5°^ rnent_"andler and Memo^y^Handler , are the
same modules as ^scribed i* th p FM process and will not be
discussed further. Their task is to brin^ into the virtual
memory of the 10 p^oces^ the data segments into and fror
which "ost files are stored or read. Note ' that since
discretionary security ch°c v s xr° io^e in the F!^ process,
the IC process does not have to repeat these checks.
lir-ec* invocation of the ?ac>et_ Handler module from
the IC_Command_ rrandler module is possible to send Host
"acknowledgements". If a file is to be read or stored, the
C-78










































Tiffurp IP. 10 Process Module
C-79
File__Handler module is first called to perform the read or
store operation.
The 10 process is also responsible for FSS-Host
Drotocol. Pata is transferee between Host and 7SS via fixed
size "packets". Therp are thr°e formats for these packets:
1) a synchronization packet format, 2) a command packet
format and, 3^ a T*ata packet format. Figure 19 gives the
logical construction of the data and command packets. The
synchronization packe* is left for later design in
connection with the design for a Host interface. The packet
size of 521 bytPS for data and command packets was chosen to
maximize lata transfer efficiency at the expense of
increasing the commas packet size. Because 512 bytes is the
size of the smallest Supervisor segment, this was chosen as
the "unit" of data transfer.
i protocol must pxist that insures reliable
transmission and reception *f packets by both the sender and
receiver in the FSS-Host packet exchange. The simplest
protocol that will handle packet transmission is to transmit
packets one at a time anfl wait for packet acknowledgement
before sending the nert packet. The following diagram
illustrates this simple Drotocol.











































Figure IP. Packet Construction.
C-81
Operatic ir. this fashion is extremely inefficient,
especially in the transmission of large data files! it does
not allow the sender to send oackets before an
acknowledgement is received nor does it allow the receiver
to accept r^^c that one packet at a tine (i.e.. read ah°ad
and write behind). A multi-packet protocol is necessary to
take advantage of 3 ^ead ahead and write behind scheme.
In specif inr a multi-packet protocol, some means of
distinguishing individual packets must be established. This
is done by ?ivin<? each packet a seauence number carried in
the packet header. The receiver returns acknowledgements
indicating the seauence number of the packet(s) neceived and
accepted {i.e., no errors detected). The number of packets
that nay be transmitted before an acknowledgement is
received is called the packet "window width". Packet
transmission is controlled by an algorithm which uses packet
seauence numbers and the window width. At System
initialization time and anytime a command racket is
received, the seauence number of the FSS is reset to zero.
Thus the first seauence number expected by the FSS upon
system initiation 'and afterwards upon command completion)
is zero.
? Tr an explanation of how the oac^cet window works,
let N f t ) deicte th° transmitted seaue^cp number of the
current packet and let \T (t-l^ denote the next exoected
seauence number. The window width is denoted by W. .At the




the Host is allowed to transmit packets bearing
sequence numbers in the ranee fl'NUKW. The receiver expects
the packets to arrive ir correct s^auertial order. As they
arrive, packets are checked for correctness 'at both the
hardware (USAPT) and software level); an incorrect packet is
discarded and may be considered 'lost*. Let the seauenre
number of a particular correctly received packet be S . If
S = Nft-t l) (i.e., the expected packet), then the racket is
received in the correct seouence ard it should be accepted
by the receiver and ar acknowledgement sent with the proper
seouence number (in this case, S) to the sender. If
S<^N(t + l), then the packet is a repetition of a packet
previously received by the receiver; the second transmission
may be due to either a lost or delayed acknowledgement. The
receiver should generate another acknowledgement and send it
to the sender ard otherwise ignore the packet. If S>N(t+l),
then the packet is ahead of seouence, indicating that an
earily packet has bee'1 lost; such a packet should be ignored
and. an "error" acknowledgement sent so the packet can be
retransmitted .
The arrival of acknowledgements at the sender also
nepds to be ii scu** ed . As each acknowledgement arrives, f n-?
sender can delete the copy it has retained of
corresponding Dacket. As packets are acknowledged, fresh
packets ca~ b^ transmitted, i.e., wren packet ? has be a r.
acknowledged
,
?^ cket W can be sent. Acknowledgements can get
lost in transmission as well as packets. If a received
C-83
acknowledgement does not refer to the earliest transmitted
packet awaiting ackn owl ei cement, the", in this protocol, the
sender may safely delete all packets up to and including
that ref priced by the acknowledgement. Against each copy of
a transmitted packet will te noted a time (i.e., the
ti^e-ont) by which time the packet rust he acknowledged
.
Failing such an acknowledgement, the packet must te
retransmitted with its original seauence number. A packet
will only te received in seauential order, so it will te
necessary to re^ra^s^it not only the earliest unacknowledged
packet, tut also all later packets. The following figure
illustrates this protocol. The aueues should be considered






In this figure, the sender is node A and the
receiver is node E. Mode A has sent out oackets 3,4, and 5,
the last of vhiob is still in transit to 8. \'od Q 3 has
received all oacket* uo to and including 4. -It has just
acknowledged 3 znl 4 and is ready to accept 5,6, and ? when
they arr in ord^r. When nnde A receives acknowledgement
for 3 and 4. it will be able to transmit successfully
packets 6 and 7.
This protocol insures that packets are handled in
C-84
sequential order which will insure that the data is received
and stored correctly. It also assures positive control over
the receipt and transmission of packets; a necessary
requirement to prevent buffer overflow and loss of data.
The r ernel controls all the hardware assets, as
erplained in Chapter 1. Kernel calls are therefore r.ecessarv
to transfer packets between the FSS and the Host systems.
The format of these Kernel oalls are:
Gatekeeper .Setup (Buff_Addr, Mode, Status)
Gatekeeper .Send_?acket ''Offset, Status)
Gatekeeper .Store_?acket (Offset, Status)
Gatekeeper. Cbanee_Byte_Coun ter '#_of_Bytes, Status)
iach hardware port, is virtualized into a^ input and
an output port. raoh victual port has associated with it a
unit control block (UC3) at the Kernel level. The elements
of these UC? 's are
t
Byte_Counter : This element is used to keep track of
the number of bytes that have been transmitted or received.
This counter is modulo "packet size" so that once packets
are synchronized, they should remain so. It can be altered
by the Ch3 n f*o _?y t e_Cou^t en call in rr^er t<" «s°t f h° 7SS a n d
"J ost back into racket synchronization.
Buffer Address: This is the starting address in the
Input/out buffer wv e^e rackets will be olared ( in c omnium) or
taken from (outroin^). It is initialized by th*3 Setup Kernel
call.
C-85
?uf fer_Length: This element is the length (in
packets) of the Input/output buffer. This allows the Kernel
to perform automatic wrap around at the end of the buffer.
V/ird^w_Wid th : This element is used by the input port
UC3 to prevent buffer over flow. Each invocation of
Store_Packet will advance the window and allow another
packet to be stored into the 10 buffer. If a Host system
violates protocol by sending too many packets, the Kernel
will dump them to a "bit bucket". This element is used by
the output port to control the number of packets that the
FSS is able to send to a Host before receiving an
acknowled<?emen t . 41thoue*h this parameter (viz., window
width) may be different for the various Host systems, it
should rot change often and car therefore be set at system
initiali zat ion
.
Fo** a s^nre operation (FSS to receive packets), a
Setup call is used to set the input UC3 base address to the
initial storage location in the 10 buffer. A Setup call is
also required to set the output QCB with the base address in
the 10 buffer from which acknowledgments will be sent. It
should be noted here that the IC buffer in the IC pnocess is
t v e location that p^c>ets ane c^eck^d for enrors and
enpacketed" or "d eoaoketed " . It is just a intermdiate stop
for data and neither t v e final destination no 7* origin of
d a t a .
Subseaupr-t Kernel calls to Store_?acket will return
the location of the next oacket in the 10 buffer to be
C-36
processed. The Kernel will store ahead into the 10 buffer
during the store operation hut will not over write the
buffer. That is, each call to the Kernel will indicate that
a new packet location is oner. The 10 process will control
which packets 'and h^w ma^y) are se n t to thp FSS by proper
use of acknowledgements 'for both correct and incorrect
packets) .
Two Setup calls are also necessary for a send
operation. They again set the virtual input/output ports for
the transfer of packets from the 7SS to a Host. Subseauent
calls to Send_Packet indicate that a Packet is ready to be
transmitted. The 10 process knows when it can discard a
packet by the acknowledgments it receives from the Host
system.
The Chan£e_"°yte_Counter primitive is used by the
synchronization procedure to shift a UCB byte counter in
order to bring packet transmission back into
synchronization. (Synchronisation may be required during a
temporary communication interruption or system start up.)
The following is a description of the three 'Vv"
modules which make uo the 10 process.
a. I»i put /Output Command Handler v ^dule
«t the top of the IC process module hierarchy is
the I0_C ^rari _Fa^-' l^r module t* * UppendiT c, p. 117). This
module is responsible for the interface with the F M orocess.
Communication between the processes is via the mail_boT
C-37
shared segment and synchronization is through the use of an
eventcount ard the Kernel primitives TICKET, 'DVANCE and
AWAIT. The oroeedures of this module along with their
input/ou*put para^Pters are listed in figure 2?.
The IO^md^nd procedure, like the "5'M_Cmd_ u nd
procedure a case statemert, routes FK process i n structiors
to a specific IO_ r'ommand_"andler procedure for action.
The procedure involved when the Host command is
not a RT.»D_?IL* or STOR'^IL? reauest is the IC_Cmd_Hnd_Ack
procedure. This procedure is able to invoke the
?acket_Handler module directly for performing directed (by
the Ff! process) Host acknowledgement and/or data transfer
from the shared mail_box segment.
The IO_Cnd_H-'!_Send and IO_Cmd_Hnd_Store
procedures are relatively straight forward. They provide the
IC-FM process interface required for <= .~.IAD_FI15 or
3T0? 7
_
rIL T "os* reouest. Both procedures call the
File_Handler module to perform the actual file manipulation.
b. file handler Module
The FlleJEandler module is required for file
manipulation in the 10 process and is the level in toe IC
process a* whioh files at^ k^owr. The procedures which ma!-re
up this module along with their input/output parameters are
listed in fi^ir fl 21. a s mp»nt. iorel ahoyp, th^re ane only two
Host reauests that renuire the 10 nrocess to bring data
files into process memory. These are ilFAD^FILZ and
C-88
PFOCEDUKE INPUT OUTPUT
IO_Cmd_Hnd Mailbox .Ms*. Inst Output returned
IO_Cmd Mail Box.Ms^.Succ Code from subordinate
und_Ac* modules.
IO_Cmd_ Mail Bot .Ms/?. Pathname
*?rd_Ser.d Mailbox.MS2.?ile_Size
IC Crd_ Mail ^OT.Msff. Pathname
Hnd Store Mail Box .Ms^?. File Size
Figure 2?. IO_Ccmmand_Ear.'iler Module
Procedure Inout/Output parameters
PROCEDURE INPUT OUTPUT
File_Hnd_ Mailbox. Ms*. Pathname 7ile_Succ_Coie
Ser.d_File Mail~BoT.Ms*.File_Size
File_Fnd_ MailJ^ox.Ms*. Pathname File_Succ_Code
St^re File Mail 3or.Msr.File Size
Figure 21. File_Fandler Module
p nr re^u r *= I*i du *" 'Out put Para^^ters
C-89
ST0R3_?ILT. Note that since file size is passed from the FM
process, and the ^he access to the data files involved is
controlled in the ?m process, data file segments can be
brought directly into 10 process memory a^d any requirement
for the 10 process to access directory files (other than
tree traversal) is eliminated . Because the terminal nodes in
the tree traversal are controlled by the F*! Drocess, the
paths to these terminal -odes will not b*= alterable until
control is released by the rM process.
Th° File_Handler module consist of two
procedures, File_Hnd_Send_'pile (for Host command RF4D_FILF)
and File_Hrd_Store_File (for Host command STORF_FILE) . Both
procedures oDerate in a similar manner. Upon receiving a
pathname and file si"?e *rom the FM process, these procedures
use the Segment_ TJaniler procedures to brin^ the necessary
data file (segment. (s) ). into process menory. A call is then
made to the Packet JFandler module to transfer data from/to
specified segments.
The order of events in the reading and storing
of data files follows the following seau°nces. For a
R?M)
-
?IL 1P operation. the order of actions ta.-cen by the
Supervisor are:
1) discretionary a^l non-ii scretionary checks
are made in the FM process.
2) «. copy is made of the data file into a
per-process data file buffer.
Z) The pathname of the data file to be read
C-90
(remember, directory data is read by the FM process) is
passed to the 10 process along with the file size. The 10
process can determine the file size from the file directory
tut by passing file size to the 10 process, this step is
elimirated for the 10 process.
4) The read takes place in the 10 process.
5> The 10 process returns to the FM process with
a success code of "read complete" or an appropriate error
code. The cly reason for a read operation to fail in the 10
process is the receipt of an abort command from the Host or
a 'time out' which would occur if the Host stopped sending
for some unexplained reason.
6) The FM process instructs the 10 process to
acknowledge the "read complete" or to send the appropriate
error code. The data file read buffer is then free for
further use.
If th° operation is a ST0H2 FILF operation the
following steps are taken by the Supervisor:
1) Discretionary and non-discretionary security
checks are made by the FM process.
?,) A temporary **ile is created by the Supervisor
large enoi.g v to store the file in. a purooriate use of the
synchronization primitives prevpnts this temporary file from
being vs d by rrcre than one process at a time.
3) Th^ pathname of the temporary file is sent to
the 10 process *rd t v e 10 process stones the file into the
temporary file.
C-91
4) The 10 process returns a success code to the
?M process and the ?M process updates the directory to
reflect the new file (viz., Entry_Name of temporary file is
changed to the old file ^ntry_Name) . The old file is then
deleted by the ?M process.
5) The TM process then instructs the 10 process
to acknowledge the "store complete". There is no reason a
store operation should fail other than an explicit abort
reauest by the Host system or hardware failure.
c. Packet Handler Module
The ?acket_Handler module does the actual
transfer of data between the FSS and the Host system and is
the 10 process level at which the concept of "packet" is
known. The procedures of this module along with their
input /output parameters are listed in figure 22. The tasks
that this module must perform are: 1) synchronization of
packets. 2^ error detection, 3^ packet acknowledgement, and
4) transfer of data to/from Supervisor segments. Figure 23
is a finite state diagram of packet transfer.
The synchronization task is performed, on the
system I?L and wh<s * D ve r packet synchronization is lost
thereafter, "rror detection and reauest for retransmission
upon error detection a^e ^n^ pi
i
rectory functions which a~e
performed on every racket received from a Host.
Pac l'>=f transfer during synchronization




Pk_End_Sync Sy*c Od Packet Sync




Pk Hnd_ Packet Data
Store
'isure ??.. Packet_Handler Module
Procedure In out /Cut put Parameters
C-93
Ti^u-e 23. finite Statp Maarram of Packet Transfer
C-94
synchronization procedure to begin synchronization in the
middle of the first packet and still have two rackets to
confirm synchronization when it is achieved.
Packet transfer of command packets occurs one at
a time. The reason for this is that each command packet must
he acted uuon in a synchronous manner. Data packet read
ahead and write behind is permitted to increase the transfer
rate of data packets. The number of oackets that are allowed
to be sent or stored depends on the IC buffer size. The
?acket_Eandler module is also responsible for data
"enpacketing" and "depacketing" for the FSS.
The ?k_Hnd_Sync procedure is used to synchronize
packet transmission. It is explicitly called at I?L and
whenever the packet synchronization is lost by the Host
system. It is invoked implicitly by the FSS whenever a
packet is not able to be decoded (viz., the packet tyue and
packet check-sum are incorrect).
The ?k_End_.»ck procedure is used to send
acknowledgements to the Host systems. This procedure will
always be called ^ror^ thP IO_CoT»mand_Handler module which
will reauire the ?acket_Eandler module to either acknowledge
the Host vi *h a SLp rific ^essa-re or to send seme data
located in a mail_box segment buffer to the Host.
The Pk Hnd Send procedure is used to transfer
data segments from the FSS to a Host system. This procedure
is called from the File_Handler module which makes sure that
the correct data segment is in process memory for the
C-95
trarsfer. The segment number alontf with the number of hits
that are reauired to he transferee! are passed to this
procedure from the File_Eandler module. This procedure then
transfers the segment until the specified number of bits
have been transmitted. A success code is returned when
action is complete.
The Pk_ TT nd_S tore procedure works in a manner
completely analogous to the ?k_Hnd_Eead procedure.
C-96
III. CONCLUSIONS
k. ST«TUS O v Rr S T »HCH
This design applies state of the art software and
hardware to solve the secure multilevel computer problem ir
a file storage system. It presents an inexpensive hut highly
Dowerful design for a system "based on a micro-computer tut
not restricted to a rr>irro-cnnput p n environment, i.e., there
is ro restictior on the type of Fost comouter system
serviced "by the FSS. Implementation of this design on ZS?'Z2
hardware along with the analysis of FSS design parameters
(Appendix a) are tas^s left to be done.
There are two major classes of apulications for the FSS.
One application uses the FSS as a system file system (e.g..
for distributed micros^. This implies that the total system
is multilevel secure with only one secure component (vi?..
the Kernel). It must he noted, however, that in this
configuration, the distributed Hosts (i.e., the micros) have
no autonomous life.
The other class of applications, involves using the FSS
as one el°ment of a net of autonomous Fost systems. Ir this
configurate-, the FSS pr^vidps facilities fc" cent re lief
data sharing and romm^irat ion.
An obvious direct application of the FSS, is for
shipboard use (e.g., for the SN\fi ?-II system [Smith]) or for
use at other installations wh°re data would he mor<=
efficiently used if controlled data sharing were allowed.
C-97
A major design choice of the FSS which allowed the
Kernel to he kept small (and therefore more easily
verifiable^, was the elimination of the discretionary
security from the Kernel domain to the Supervisor domain.
The implication of this choice is that each Host svstem is
responsible for its own discretionary security? not an
unreasonable '•eouest or design choice.
The ne^t major task to he accomplished in this project
is ?SS implementation. This will not be a trival task, but
it is felt that the designs presented in this thesis and the
companion work done by Coleman provide a solid basis.
5. ?OILOW ON YORK
This desir* i^ a specific implementation of one member
of a family of operating systems based on the Security
Kernel concept discussed by O'Ccr.nell and Richardson
[O'Connelll. There are obvious areas that this design could
be expanded and generalized; areas that should be examined
after a successful first implementation. Some of these areas
are
:
operator ter~i r al interface fur.cior.
s
e x "oa r d e i H *> s t c o > IB " A; C
mar of
t
different user r.r?s in diffenent :iosts to
common "user" in the r SS
data conpac^io'" onto secondary st^ra f; Q
multilevel ^osts




These are just a few of the many possible areas for
e r parsior that could he explored. Oe arpa not mentioned ir
the list tut an area that should he looked at during the
initial i rrpiP-n°r ta t icn is for a way to prevent the
Supervisor from suffering a "segment fault*. The oresent
arrar^emen* , wi*h a faul f handler, is not efficient or
'elegant'. Since the deletio r of a segment is controlled ty
the ^elete_Se^'T, ^ T, t Kernel primitive, a method of leaving an
'orphan' cooy ir. process memory would eliminate the fault
condition. The only operation that, would he defined on this
'orphan' would he a ^elete_ Segment command by a process to
remove it from process memory. After it had teen, deleted by
all processes, the cooy could be destroyed. - variation of
this scheme would, up^ a Kernel Swa?__Ir call, sv-p i - * -
process memory a per-process copy of the desired segment.

















































Not Terni'nal 7 ile
?M_Command_Haniler
Module
Directory C n rtrol
Module
Vri te_Acces s_Not_A.ll owed





















ACCESS L 7VEL BYTE
LINK STRING
ACL ENTRY ACL TYPE)
RFTURMS ' DIR_SUCC_CODE ? YTE)
















'.for host cnds~that access data file:
read_f ile,
store_file!
DIR CNTRL UPDATE PROCEDURE MSG BYTE
USERID PYtv
PA TUN AME STRING)
BYTE)^ETUPNS 'DI c ,.SUCC_CODE
!to update directory after io rrcc°ss
acts o^ h^st c^ds: ~ead_file, ?tT n_f:1°
abort !
C-102
GL03AL Imodule entry point!
FM CMD HND PROCEDURE ?case statement on Host cmls!
ENTRY
DO
MAIL. POX. MSG .INST := RPAD CMP
MAIL" BOX. MSG. PATHNAME := NULL
MAIL BOX.MSG.FIL? SIZE := NULL
MAILJPOX.^-.SU^^OP*' := NULL
t := GATSKEEPER. TICKET ;MAIL_BOX, C)
G*TEKE rPEF . ADVANCE (MAIL_BOX. S)
GAT^FEP^R.^WAIT (M»IL ?OX, C, 't+2))
IF MAIL BOX. MSG. INST = CMP ?K_R2ADY
THIN
ITT n ST_nMT>
CASS PELET* FILE TEEN F v CMP_HNE DELFTS FILE
CASF C-EATF~FIIE THEN FM~CMD_END~C?EATE_EILE
CA. S* CR T »T V_LINT TH^N FM~CMP_UND~CRE AT V_LINK
CASE HEAD FILE THEN FM_CMB END REAP FILE
CASE STOKE *ILE THEN FM_CMD_HND STOP? FILE
CAS T R T *D
'
tr l THFN ?M_CMP_HND_RE»D_»CL
CASE ArD ACL ENTRY THEN FM CMD_HND APD ACL_EN'TRY
CASE DELlTE *CL_ENT?Y TK2N~FM_CMD HND DELATE *CL ENTRY
CASF A^ORT T CV N FM CMrt_~ND APORT
ELSE
MAIL_BOX. MSG. INST := ACK_FCST
MAILJPOX .MSG .? S TEN^7 : = nu__
MAIL_3CX. MSG.EILE_SI7 V := NULL
MAIL BOX. MSG .S v CC_r n^ v : = Et EC?. CODE (ILLEG'-L C WP)
t :="C-«T rK TT ? 7R .TICKET (MAIL ^OX, C)
GATEKEEPER .ADVANCE (MAIL_BOx7 C)
GATEKEEPER. "WAIT (MAIL BOX, C, (t+2))
FI
ELSE
MAIL BOX. MSG. INST := a C 7 HOST
MAIL BOX. MSG. PATHNAME :=~NULL
MAIL"30X.MSG.FIL T_SIZE := NULL
MAIL_BCX.M3G.SUCC CODE := EPROR CODE ( CMD_?K_EX?ECTED
)
t : = ~G B T rK"r
'
!:
'P'r ?. .TICKET 'M*IL "POX, C)
GATEKEEPER .ADVANCE (MAIL_EOx7 C)





MSG = ?YT 7
FM CMD HND DEISTS TILE PROCEDURE
ENTFY
MSG := D^L^T^ ^TL?








l v DIR SUCC CO 7)' = TRUE
THEN
MAIL BOX. MSG. INST := ACK_HCST
MAIL POX.MSG. PATHNAME := NULL
MAIL~BCX.MSG.FILE_SIZE := NULL
MAIL~BOX.MSG.SUCC_CODE := FILE_DSLETED
t := G A T^K'^P^R. TICKET 'MAIL ^OX , C)
GATEKEEPER. ADVANCE (MAIL_3CX7 C)
GATEKEEPER. AW A IT (MAILBOX, C, (t+2))
ELSE
MAIL_3CX. MSG.INST := ACK_HOST
MAIL_BCX. MSG. PATHNAME := NULL
MAIL_BOX.-M SG .EIL^_SIZ^ := NULL
MAIL_BCX.MSG.SUCC_CODE : = ERRCR_CODE ( D H_SUCC_CODE
)
Iflle not found; write access to directory
not serin tted !




GATEKEEPER."/: A IT (MAIL POX, 3, (t+2))
FI
END FM CMD END DELETE FILE
C-104










Ireturns dir succ code!
IF LIR_SUCC_CCrE = TRUE
THEN
MAIL POX. MSG. INST := »GKJTOST
MAIL* 3CX. MSG. PATHNAME := NULL
MAILBOX. MSG. FILF_SIZE := NULL
MAIL'POX.wSG.SUf^OD 7 := VI L 7_CREATFD
t := GATFKEFPF J . TICKET (MAIL_30X, C)
GATEKEEPER. a D7ANCE (MAIL_BOX, C)
GATFFFEPER.»WMT (M»IL_°OX. C. U+2))
ELSE
MAIL_BOX. MSG .INST := *CK_FOST
MAIL_?OX. MSG. PATHNAME ?= NULL
MAIL_BOX.MSG.FILF_SIZF : = NULL
MAIL_BOX. M SG.SUCC_C0DE r= E??.OR_CODE ' DIR_SUCC_CODE)
ldir°ctory not found: vrite access to directory
not permitted? directory pull!
t := GATEKEEPER. TICKET (MAIL_30X. C)
GATFyr? P rR . sr> V a Ki nr (MAIL T0X"~ C)
GATEKEEPER. A* A IT (MAIL 3CX , C, (t + 2))
FI
END FM CMP HNT? CFEAT T FIL*
C-105
FM CMD_CRFAT 7 LINK PROCEDURE
ENTRY









IF DIF_SUCC_CODE = TRUF
TF VN
MAIL_BOX.MSG.IMST := ACK HOST
MAIL_>OX. MSG. PATHNAME : = NULL
M AIL_?OX.MSG.viL^_SIZ? := NULL
MAIL_BCX.MSG.SUCC_CCDE : = LINK_CREATES
t := GATEKE"PE?. TICKET 'MAIL BOX, C)
GATEKEEPER. »DV « NC? '^ILJPOXT C)
GATEKEEPER. AWAIT (MAIL_BOX, C :t+2))
ELSE
MAIL BOX. MSG. INST := *rK_HOST
MAIL_BCX. MSG. PATHNAME : = NULL
MAIL BOX.MSG.FIL T_SIZF := NULL
MAIL'flQX.^SG.SUC^COP 7 '- TRROR_CO^F ( EIR_SUCC_COPE)
Idirectory n ot f n urdJ write access to directory
not permitted! directory full!
t := GAT^K^P^R. TICKET r MAIL_'CX, C)
GATEKEEPER .A TV A NC 7 (MA II "OX \ C)
GATEKEr ?EP. . i>iIT 'MAIL BOX, C. ' t +2 )
)
FI
END FM CMD HME CREATE LINK
C-106
FM_CMD READ FILE PROCEDURE
FNTPY
IF FILE TYPF = DAT*
THIN
MSG := PEAD_FILS




Ireturns dir_succ code, dir_Dathname, dir file_size!
IF DIP_SUCC_CODE = TRUE
MAIL_BOX. MSG.lNST := READ FILE
MAIL BOX. MSG. PATHNAME := DIR PATHNAME
MAILBOX .MSG.TILE SIZ r -.= DIR_FILE SIZE
MAIL_30X.MSG.SUCC_rODF :^ NULL
t := GATE^EFPE 1*. TICKET <>«IL_BOX, C)
GATFK^PER.^V'NC* 'M*IL *OX, C)
GATEKEEPER. AWAIT (MAIL_30X, C, (t+2))






! update will not fail !
M»IL_'D OX. MSG.INST := ACF HOST
MA I L_B CX. MSG. PATH NAME := NULL
MAIL_BOX.MSG.FILE_SIZE := NULL
MAIL_*D OX . M SG .SU r T rCD"5, •= Read COMPLETE
t := GATEKEEPER .TTC^^T (MAILBOX, C)





MAI L_30X. MSG. INST := ACK_HOST
MAIL 'c OX.MSG.?»T u N a MV := NULL
MAIL_30X.MSG.FILE_SIZE := NULL
MAIL_BOX.MSG.SUCC~CODE := M AI L_BCX .MSG . SUCC_CODE
!error code returned from io process!
!file rot found by in process!
file read aborted by write?
file read aborted by file deletion;
cp3 pac'^t receive*!
t := G'?Er E?P7 ? .TICKET 'M*IL BOX, C)
GATEKEEor-^sT^KTE ' M si* VQX
, C)
SAT5KFFPFR.AWAIT (MAIL BOX, C, (t+2))
EI
ELSE
M ? IL_BOX. MSG. INST := 8 CK_HCSr
MATL_ r CY ."SG .P-'THN^e : = NULL
MAIL irx. v SG.FILE_SIZE := NULL
MAIL_BOX.MSG.SUCC_CODF := ERROR_CODE (D IR_SUCC_CODE
)
Ifile not found;
read access to file not permitted!
C-107
t := GATS7FFPEP.TICKET (MAIL_30X, C)
GAT*7T*P*P.»tiv«NC? 'WIL POX"i C)
GATEKEEPER. AWAIT (MAIL_BOX, C, (t+2))
FI
FLSF










IF ^IR SUCC CODE = TRU7
THEN"
MAIL_BOX.MSS.INST := ACK_H0ST
MAIL POX. MSG. PATHNAME t= NULL
MAIL_BCX. VSG.FILE_SIZE := NULL
MAIL_B0X.MSG.SUCC~CCDE := DI~_HSAD_COMPLETE
Idir data transfered from dir_buffer;
ack" owl ?H **PTigr t s pn t!
t : = GATEKEEPER .TICKET 'M*IL_BOX, D
ZhTVYTrvpvft .\^yi.yrT 'MAIL ""OX" C)
GATEKEEPER .AWAIT 'MAIL_30X, C, (t+2))
ELSE
MAIL ~CX. MSG. INST := AC^_ IT05T
MAIL BOX. MSG. PATHNAME := NULL
MAIL~BOX.MSG.FILE STZE := NULL
MI«IL_POX.MSG.SUCC_CODF := ERR0R_C0DE (DIR_SUCC_COr~ )
Idirecto'-v rot fourd,
read access to directory not permitted!
t := GAT~~T"P~R .TICTFT 'MAIL_B0X, G)
GATEKEEPER.ADVANCE 'MAIL_SOX, C)
GATEKEEPER. AW AIT 'M*-IL_BOX, C, (t+2))
FI
ELSE
MSG := ?" 5 D ENTPY_D*T»








! returns iir succ code!
IF DI?_SUCC_C0!>S = TRUE
T~ r N
MAIL BOX. MSG. IMST := ACK_HOST
MAIL BOX. MSG. PATHNAME :=~NULL
MATL_BOX.MSG.FILF SIZ" := NULL

















try data transfered from dir_buffer?
)cnovled*?emen t sent!
= GATEXEEPER .TICKET 'MAIL_BOX, C)
EKFFPFF.*DV»NCF 'MAIL_ROX, C)
SKEEPER .AWAIT (MAIL ?OX, C, (t+2))
LJ»OZ. M S rr.INST := AT HOST
L BOX. MSG. PATHNAME :=~NULL
L1B0X.MSG.FILF_ST7F := MULL
L_POX .msg .SUCC~(W : = FRROR_CODF
le n^t fon^dJ read access to file
= G4T?F?FPF?.TIC rFT (M*IL_BCX, C)
TVP-pprp .ativANC* (MAIL ^OX, C)









MSG := STOR* ^IL^
DIR CNTRL_rATA (MSG
USE? ID
paT CT M a Mv
FILE_SIZE)
Ireturns d i r_"Da th na ^e ? dir_succ_ccde!
IF T)IR_SUrC_',0^' = TRUE
THEN
MAIL BOX. MSG. INST := STORE FILE
MAILBOX. MSG .P^T^NAM* • = DIR_PATHNAME
MAIL_30X.MSG.FILE_SIZE := FILE_SIZE
MAIL_BOX.MSG.SUCC COD 7 := NULL
t := GST^K^P^R .TICKET 'M*IL_POX, C)
GATEKEEPER. ADVANCF (MAIL BOX ~, C)
GATEKEEPER. *V*IT (MAIL BOX, C, (t+2))
IF M*IL POX.MSG.SUCC TOD 7 = TRUE
THEN




Iupdate will not fail !
MAIL_BCX.MSG.INST := ACK_HCST
MAIL_BOX. MSG. PATHNAME := NULL
MA.IL_BOX.MSG.FTLF_STZ r, := NULL
MAIL_30X.VSG.SUCC CODE := STORE COMPLETE
t : = G'-TT^FYPF- .TICKET ' *** IL_30X , C
)
GA T^trPT^n , s ny a VC-V /Ma IL T 0X, C)
GATEKEEPER. AWAIT (MAIL 3CX , C, (t+2) )
ELSE
MAIL_?OX. MSG.INST := * rir
_
TT OST
MAIL BOX. MSG. PATHNAME := NULL
.
MAIL"?OX.MSG.FIL? SIZ' := NULL
MAIL_BCX.MSG.SUCC_COD^ := MAIL_30X .MSG .SUCC_CODE
terror returned from io process?
cmd packet received: improper number of data oackets!
t := GATEKEEPER. TICFET (MAIL BOX, C)
GATEKFF?EF.. ft DVANCE 'MHL_BOX. C)
GATFK^FpT'R.iWAIT (M»ILJ?OX, C, (t+2))
EI
ELSE
MAILBOX .MSG. INST := ACK HOST
MAIL 30X.MSG.?ATFNA V F :=~NULL
MAIL~BOX. MSG. FILE SIZE := NULL
MAIL_?CX.MS r'- .SUT_rC^ := ^RROR^O 7^ ( D^SUC^COD?)
Ifile nr»* f/^undt write access to file not permitted!
t :- GATFKEFPEP.TICKFT 'MAIL_ECX, C)
a i^vrtrvw?
m i^Y i^rv fvaiL PCX, 0)
gatekeeper, await (mail pcx, c, (t+2))
FI




MSG := READ *CL













M*IL_30X -MSG .?i.THN.4MF := NULL
M A I L ^OX-MSG.^IL^SIZ^ r= MULL
MAIL~3CX.MSG.SUCC_COE 7 := ACL_RSAD_CCM?LETE
!acl data trar.sfered from acl_buffer;
host acknowledgement sent!
t := GATEKEEPER. TICKET (MAIL_30X, C)
GATFKEEPEF. a DVANCE (M*IL__BOX. C)
GATEKEEPER .AWAIT (MAIL "°OX , C, ft +2))
ELSE
MAIL_30X. MSG. INST := ACK HOST
MJIL_?OX .MSG. PATHNAME :=""NULL
M AIL 3CX. MSG. FILE SIZE := MULL
MA_IL_EOX."mSG.'sUCC_CODE := E?ROR_CODE (DIR_SUCC_CODE
)
Ifile not found; reed access to directory file
pot ,noT»'n^t, *o^*
t := GATEKEEPEF. TICKET (MA.IL_BOX, C)
GATTK^PER. a DV.«NCTT 'M»IL_POX, C)
GATEKEEPER. AWAIT (MAIL_BCX, C, (t+2))
EI
END FM C M D FN!) ?F fl D ACL
C-lll
FM CMD_HND ADD «^L *NTRY PROCEDURE
ENTRY
MSG := ADD *CL ENTRY







!retur^s dir s*icc cofle!
IF DIR SUCC CODE = TFUE
TF rN~
MAIL BOX. v S<"r. INST := AC? HOST
MAIL BOX. MSG. PATHNAME :« NULL
MAIL POX. MSG. "FILE SIZE := NULL
MAIL'SOX.MS^.SUCC'CCDE : = ACL ENTRY ADPED
t : =~G A TFr^EPFP. TICKET (MAIL 30X, C)
GAT T K rEP rR .ADV aM^" r M'IL ?CX , ?)
GATEKEEPER. AWAIT (MAIL BOX, C, (t-^2))
ELSE
MAILBOX . W SC-. INST := «r^_~OST
MAIL_30X.MSG .PATHNAME := NULL.
MAIL~B0X.MS5.TILI SIZE := MULL
MAIL POX . V S- .SU r, n"'C nD r '= rRROR COD 1! DIR^SUCC_COD 7
!file r»rtt fourtd? writ? ^rc r-ss to directory lot
permitted! acl_er.try "1)001" encty'
t := rT n>vvY;-7vpvz) .TICK"7 ? 'MAIL 'OX, C)
GATEKEEPER .ADVANCE (MAIL PCX 7 C)
GATEOFPSF. 9 WA.IT (MAIL BOX, C. (t+2))
EI
END FM CMD HNr ADD ACL ENTRY
C-112
FM CMD HNDJJELSTE ACL ENTRY PROCEDURE
ENTRY
WSG := DELFT7 *CL ^NTRY






!returns dir succ rode!
IF DIR_SUCC cov.t = TRUT
THEN
MAIL BOX. MSG. INST := A CK HOST
M AIL~FOX ."S-.PiT^N*^ := NULL
MAIL_30X..MSS.EILE_SIZE := NULL
MAIL BOX.^SG.SUCC_CODE := ACLJENTPY DELETED
t :»~G.*T TK TTP ,pR. TICKET 'M*IL ^OX, C)
GATEKEEPER. ADVANCE (MAIL PCX, C)
GATEKEEPER. AWAIT (M.4IL_BOX. C, (t*2))
ELSE
MAIL_BOX. v SG.lNST := »Cr_HOST
MAIL^CX-MST. PATHNAME := NULL
MAIL~PCX.MSG.EIL X, _SIZ T '.- NULL
MAILBOX. M SG.SUCC_CODF := ERRCR_CODE (DIR_SUCC_CODE
!file not found? writ? access to directory rot
permitted
!
t := GATEKEEPER. TICKET 'MAIL "*OX, C)
GATEKEEPER . PDVANCE (M fi IL BCX*i C)
GATEETEPTR.AWAIT (MAILBOX. C, (t+2))
EI





DIP CNTP.L UPDATE 'MSS
USERI*)
PATHNAME)
Isto^e c^rt "p«^ t.o free t.pr»prrary file!
MAIL *OX. MSI. IMST := ACK_ TT0ST
MAIL 30X. MSG. PATHNAME :- MULL
M;iL~30X.MSG. r ILF_SIZ v :^ NULL
M/IL~?OX.MST.SUrr_COD v := CMP ^PORTED
t := GATEKE5??-. TICKET (MAIL POX, C)
GATEKE?PER.«D T7«NCE fMAIL_ROX~.' C)
G«TT!K?TpTH.iy»IT (MHt_P0X, C, ft +2))
END FM_CMP_ENr_A3C?.T




PK_HND STORF ?ROC 7THJRF <S V " # LWORD
SIZE LWORD) ! number cf tits!
RETURNS (PK_SUCC_CODF ?YT r )
PK_HND_SFND PRO^rrjRF (S 7G_# LWORD
SIZE LWO-.D) !ruTib«r cf bits!
RETURNS '?K_SUfC_':0?E *YTF)
?IC_HNr_ACK_HCST PROCEDURE ( VSG 3YTE)
FILE ^ND SFND_FIL 7 PROC^UR 7 (PATHNAME STRING
RETURNS ( FILE_SUCC_CODE BYTE)
FILE_HND_STO?E FILE PROCEDURE fP.ATHNa.ME STRING)
RETURNS ( EILE_SUCC_CODE 3YTE)
INTERNAL
10 CMD HMD PROC^UR 7
ENTRY
t := TICKET (M»IL 30X . C^
AWAIT ,M aH_-coX, C, ( t*l) >
DC
IF MAIL_BOX.VSG.INST
CAS 7 R 74 - CM D T^^N ?T U H T) R^AD CMD




CAS 7 SFND_FIL7 TH 7N 7 IL 7
_
tTND_RF* D FILE
( MAIL_3CX . MSG . PATHNAME
(MAIL_30X.MSG.EILE_SIZE)




t := TICFFT ' MAIL_30X, C)
ADVANCE (MAIL BOX"] C)
4W fl TT r M«IL ^OX, r , f (t-1-?)
CD
END IO.CMD_HND
END 10 COMv «ND ^NDL 7 ?.
C-115
LIST OF REFERENCES
COLEMAN, A. A., Security Kerr.pl Desl.gr ^or a
Micro crocessor-'Pased Multilevel, "rchival Storage System MS
Thesis, Naval Postgraduate School, December 1979.
COURTOIS. P. J.. Peynans, *., and Parnas, D. L., 'Concurrent
Control with "Headers" and "Writers', Communications of the
^CM , v. 14 no. 5 p.«67-663. October 1971.
DA VIES, D. V., and others, Computer Networks and Their
Protocols
.
John Wiley S Sons, 1979.
DTTMST Communications Agency NIC 7104, Arpanet Protocol
Handbook
, by Me^wor 1^ Information Center, January 1978.
DENNING(l), D. ?., * a Lattice Model of Secure Information
Flow," Communications of th° ACM , v. 19 p. 235-242, Mav
1976.
DENNING{2), D. E. and Denning, P. J., "Data Security," j>CM
Computing Surveys . v. 11 nr. 3, p. 227-242, May 1976.
DIGITAL Research, CP/M Interface Guide
,
1973.
DIJXSTHA'l). E. W.. "The Structure of 'The' Mult iprogamning
System," Communications of the ACM
,
v. 11 no. 5, p. 341-346,
May 1968.""""
DIJKSTRA ! 2) , ? . W.. 'The ^umble Programmer,' Communl cat ions
of the ACM
,
v. 15 no. 10-, p. P59-26R, October 1372.
HABFPMANN, A. N.. Intnodvction to Operating- System Design ,
Science Research Associates , Inc . , 1976
.
HAMMING. D. 7., Coding and Information Theory . Prentice
Hall, Inc., I960.
HANSON, 3., Oper at.lnr System Design , Printice-Hall , Inc.,
1973.
HONEYWELL, Th^ Multlcs Virjuaj. Memory , Ju-« 1972.




M0RRIS. R. arA Thompson, r., Passwond Security, A Case
Hi s t^rv
,
paper presented to 3ell Labratories, April 3, 1973.
MI-TR.T Corporation Peoort ? 334, The Design e^d Specification
of a Security Kernel for the FTP-11/45 , by T. T. Schiller ,
May .1.975,
O'CONNFLL, J. S., and Richardson, L. D., Distributed Secure
C-116
<*»
Design for a Mult l-mlcroprocessor Operating System
,
MS
Thesis, Naval Postgraduate Schorl, June 1979.
ORGANIC?. r . I., The Multlcs System: an Examination of Its
Struc* uro, MIT Press, 1972.
PEED, ?. D., and Kanodia, P. K. , 'Synchronization with
Fventcounts and Seouencers ," ^o^municat ions of the ACM
,
v.
" 22 no. 2 p. 115-124, February 1971T
~~
S^ITR, ts. Method to Evaluate Microcomputers for
No^-Tact \ ra I SMur^ard 'Js° , MS Thesis, Naval Pcst^raduatP
School , Sec tern be r 1 Qr? 9 .
SCHELL'l), Lt.Col. P. P., "'Computer Ser-arity: The Achillas'
Heel of the Electronic Mr Force?,'* Ajr University "evi^v ,
v .XXX no. 2, January 1979.
SCHELLY ), Lt.Crl. P. P., Se^nrl'v Kej^elsj '> Methodical
^esi^n of System Security US r Technical Papers (Spring




' \ hardware architecture for Implementing
Protection Rings," Communications of the ACM , v. 15 no. 3,
p. 157-170, March 1972""
SHAW, A. C., The Logical ?°;ign of Operating Systems ,
Prentice Hall, I^c, 1974.




ZILOG(l), Inc., »r introduction to the Z c ?l^ M MU Memory











1. Defense Documentation Center 2
Cameron Station
Alexandria, Virginia 22314
2. Library, Code 0142 2
Naval Postgraduate School
Monterey, California 93940




















8. I. Larry Avrunin, Code 18 1
DTNSRDC
Bethesda, MD 20084
9. R. P. Crabb, Code 9134 1
Naval Ocean Systems Center
San Diego, CA 92152
10. G. H. Gleissner, Code 18 1
DTNSRDC
Bethesda, MD 20084




12. Ronald P. Kasik, Code 4451
Naval Underwater Systems Center
Newport, RI 02840
13. Dr. J. McGraw
U.C. - L.L.L. (1-794)
P.O. Box 808
Livermore, California 94550
14. George Mebus, Code 5033
NADC
Warminster, PA 18974
15. Joel Trimble, Code 221
Office of Naval Research
800 North Quincy
Arlington, Virginia 22217
16. Mark Underwood, Code P204
NPRDC
San Diego, CA 92152
17. Michael Wallace, Code 1823
DTNSRDC
Bethesda, MD 20084
18. Walter P. Warner, Code K70
NSWC
Dahlgren, VA 22448
19. John Zenor, Code 31302
Naval Weapons Center
China Lake, CA 93555





DUDLEY KNOX LIBRARY - RESEARCH REPORTS
5 6853 01071278 9
U19A18
