












The Naval Postgraduate School
SECURE ARCHIVAL STORAGE SYSTEM
Part II
- Segment and Process Management Implementation










Rear Admiral J. J. Ekelund D# A> schrady
Superintendent Acting Provo^
This research was partially supported by grants from the Office of Naval
Research, Project No. 427-001, monitored by Mr. Joel Trimble, and the Naval
Postgraduate School Research Foundation.
Reproduction of all or part of this report is authorized.
This report was prepared by:
Unclassified
SECURITY CLASSIFICATION OF THIS PAGE (Whan Data Entered)
REPORT DOCUMENTATION PAGE READ INSTRUCTIONSBEFORE COMPLETING FORM
I. REPORT NUMBER
NPS52-81-001
2. GOVT ACCESSION NO. 3. RECIPIENT'S CATALOG NUMBER
4. TITLE (and Subtitle)
The Naval Postgraduate School
SECURE ARCHIVAL STORAGE SYSTEM
Part II - Segment and Process Management
Implementation
5. TYPE OF REPORT & PERIOD COVERED
Technical Report
6. PERFORMING ORG. REPORT NUMBER
7. AUTHORfs; 8. CONTRACT OR GRANT NUMBERf«)
Lyle A Cox, Roger R„ Schell, and
Sonja U Perdue
9. PERFORMING ORGANIZATION NAME AND ADDRESS
Naval Postgraduate School
Monterey, CA 93940
10. PROGRAM ELEMENT. PROJECT. TASK
AREA 4 WORK UNIT NUMBERS
61152N; RR000-01-10
NaeO148lWRl0034





13. NUMBER OF PAGES
451
U. MONITORING AGENCY NAME 4 A0DRESS(7f different from Controlling Office)
Chief of Naval Research
Arlington, Virginia 22217




16. DISTRIBUTION ST ATEMEN T (of thla Report)
Approved for public release; distribution unlimited,,
17. DISTRIBUTION STATEMENT 'ot the abatrmet entered In Block 20, If different from Report)
18. SUPFLHMEN TARY NOTES
19. KEY WORDS (Continue on reverae aide it neeeeaary and Identify by block number)
Security Kernel, Microcomputers, Archival Storage, Computer Networks,
Operating Systems, Computer Security
20. ABSTRACT 'Continue on reverae aide It neceeemry and Identify by block number)
The security kernel technology has provided the technical foundation
for highly reliable protection of computerized information,, However, the
operating system implementations face two significant challenges: providing
(1) adequate computational resources for applications tasks, and (2) a
clean, straightforward structure whose correctness can oe easily reviewed.
This paper presents the experience on an ongoing security kernel implement-




aT73 1473 EDITION OF 1 NOV 65 IS OBSOLETE
S/N 0102-314- 6601 Unclassified
SECURITY CLASSIFICATION OF THIS PAGE (When Dmtm Entered)
Ilnrlassifipd
.L'-umTY CLASSIFICATION OF THIS PtGEfWfisn Data Entered)
20.
the Z8002 microprocessor. The performance issues of process switching
domain changing, and multiprocessor bus contention are explicityly
addressed,, The strictly hierarchical (i.e., loop-free) structure prov
a series of increasingly capable, separately usable operating system
subsets. Security enforcement is structured in two layers: the basic
kernel rigorously enforces a non-discretionary (viz., lattice model)
policy, while an upper layer provides the access refinements for a
discretionary policy.
SECURITY CLASSIFICATION OF THIS PAGE(TWian Data I
The Naval Postgraduate School
SECURE ARCHIVAL STORAGE SYSTEM
Part II
-Segment and Process Management Implementation-
by
Roger R. Schell, Lyle A. Cox, and Sonja L. Perdue
March 1981
Report number: NPS52-81-001
THE STROCrORE OF A SECURITY KERNEL POR A Z8000
MULTIPROCESSOR
LYLE A. COX, Jr., and ROGER R. SCHELL, Col., (JSAF




The security kernel technology has provided the technical
foundation for highly reliable protection of computerized
information. However, the operating system implementations
face two significant challenges: providing (1) adeguate
computational resources for applications tasks, and (2) a
clean, straightforward structure whose correctness can be
easily reviewed. This paper presents the experience of an
ongoing security kernel implementation using the Advanced
Micro Devices 4116 single-board computer based on the Z8002
microprocessor. The performance issues of process switch-
ing, domain changing, and multiprocessor bus contention are
explicitly addressed. The strictly hierarchical (i.e.,
- ii -
loop-free) structure provides a series of increasingly capa-
ble, separately usable operating system subsets. Security
enforcement is structured in two layers: the basic kernel
rigorously enforces a non-discretionary (viz., lattice mo-
del) policy, while an upper layer provides the access re-
finements for a discretionary policy.
BACKGROUND
For the last two and a half years the Naval Postgraduate
School has been conducting a research and development pro-
ject involving security Jcernel based operating systems de-
signed foe multiple processor implementations. As this work
continues we feel that it is important to report on our pro-
gress and experiences, especially in the area of micropro-
cessor implementations.
This effort has come to be known as the "SASS" or Secure
Archival Storage System project [1]. In fact, this is a
misnomer, as SASS is but a single instance of a more general
family of secure operating systems designed early in the
project [2]. while SASS has been the object of the majority
of the research reported it is not the only implementation.
Another operating system of this family has also been writ-
ten to support a signal processing system that uses multiple
Intel 8086 processors [3].
- iii -
SASS has been oar principal testbed for exploring the im-
plementation and performance issues related to these types
of operating systems. SASS itself was designed to be a com-
prehensive multiuser, multilevel secure file storage system.
As designed, it will consist of a small number of
Z8000-based [U] single board computers sharing a single Mul-
tibus with storage devices and input/output devices. SASS
will interface via bidirectional lines to a number of "host"
systems, as illustrated in Figure 1. SASS will provide each
host with a hierarchical file system. This system can be
used to store and retrieve files, and share files with other
hosts. This design will allow SASS to serve as a central
hub of a data secure network of computers with diverse se-
curity authorization for sensitive information. SASS pro-
vides archival, shared storage while insuring that each in-
terfaced host processor can access only that information
appropriate to its security authorizations.
- iv -














Figure 1: SASS System Interfaces
- v -
STRUCTURE
For this family of operating systems the security kernel
technology has been used not only to effect security but
also to provide the underlying organizational framework for
the operating system. The SASS, one member of this family,
is in the final stages of implementation. This development
experience has highlighted the importance of several fea-
tures that are key to this family:
- The pervasive, yet systematizing impact of the security
kernel methodology [5].
- The design simplicity that accompanies a loop-free mo-
dularization that is highly compatible with the resource
sharing and multiprogramming functions.
- The significance of a high degree of configuration in-
dependence, particularly for the ability to use the latest
microprocessors for testbed implementation.
Independent of security, this particular kernel structure
is attractive as a canonical operating system interface. It
appears adequate for a wide range of functionality and ca-
pacity, and it evidences a high degree of independence from
hardware idiosyncrasies. These operating system features
will be discussed further below.
- vi -
Security Kernel Approach
Members of this operating system family are organized
with three distinct extended machine layers: (1) the secur-
ity kernel, (2) ths supervisor, and (3) the applications.
This is illustrated in Figure 2. The concept of a hierarchy
of extended machines is, to be sure, not new; however, the
security kernel significantly constrains the organization.
In particular, for reason of security all the management of
physical resources must be within the kernel itself. Furth-
ermore, confidence is increased by keeping the kernel as
small and simple as possible. This means that much of what
is commonly thought of as the operating system is provided
outside the kernel in the supervisor layer. For this parti-
cular family member there is no major applications layer
(viz. , within SASS itself) , since the applications are con-
tained in the individual hosts.
The basic family of operating systems requires the ker-
nels to provide extended virtual machines that specifically
support both asynchronous processes and segmented address
spaces. Within SASS, the kernel virtualizes processors, all
levels of storage, and input/output. The kernel creates
virtualized objects -- processes, segments, and devices. It






Figure 2: Extended Machine Layers
- Till -
basis for canonical operating system features. The SASS su-
pervisor is in turn built upon the kernel, using these vir-
tualized objects to construct the file system.
Both the kernel and the supervisor have certain responsi-
bilities for system security. The kernel manages all physi-
cal resources, and the kernel is distributed (i.e., includ-
ed) in the address space of every process. At this level,
isolation of the kernel — protection from users and the su-
pervisor — must be provided by hardware enforced domains.
The design of the system is strictly hierarchical (viz., the
kernel is more privileged than the supervisor) so protection
rings, as defined for Multics [6], are a satisfactory domain
implementation.
The kernel has the responsibility for the enforcement of
access limitations: that is, the kernel provides the mechan-
ism for supporting non-discretionary security policy. The
SASS kernel can support any such policy which can be ex-
pressed by a lattice of access classes [7]. Every object —
process, segment, or device -- has a non-forgable label that
denotes its access class. This non-discretionary security
has been parameterized in SASS such that exactly one module
has knowledge of the interpretation of this label in terms
of a specific policy. Thus, only this single module need be
tailored to support a particular policy.
- ix -
SASS provides discretionary security (shared access
within the bounds of non-discretionary policy based on indi-
vidual user identification) via the supervisor and the file
structure. This discretionary security is completely out-
side of the kernel (in contrast with the KSOS [8] approach).
The supervisor handles the "Secure Beader- Writer Problem"
with a non-exclusionary approach (one writer, retry on read)
to provide synchronization between processes of different
access classes. This control of interprocess communication
is implemented via kernel primitives using Reed f s event-
counts and sequencers [9],
The SASS supervisor capabilities are achieved by associ-
ating two processes with each host link. These processes
access that portion of the SASS file structure associated
with that host. One of these processes provides I/O tran-
smission and link management, while the other, a file manag-
er, is responsible for the file system structure of its as-
sociated host. Communication between these processes (as is
communication between all processes) is achieved using
shared segments -- a mailbox. Synchronization is provided
by the kernel (with eventcounts and sequencers).
The complementary kernel/supervisor approach to security
has several advantages for SASS: the size and the complexi-
- x -
ty of the kernel can be minimized, and, given reliable host
authentication, any host weaknesses will not impact the re-
liable enforcement of the non-discretionary security policy.
The security kernel approach constrains not only the in-
terface but also the detailed design and implementation of
internal state variables. The problem is to prevent indi-
rect information paths between processes with different ac-
cess classes. We address this problem using essentially the
approach detailed by Millen [10], although without the rigor
of a proof. Internal state variables, e.g., shared resource
tables, are assigned an access class, and it is confirmed
that its values will not be reflected to processes of an in-
consistent access class. The most apparent result is that
the "success code" (returned in response to tne invocation
of kernel primitives) primarily reflects the state of the




Another aspect of the design that has helped to keep the
security kernel simple and understandable is the loop-free
structure of SASS. The loop-free design supports the soft-
ware engineering concept of "information hiding" [11], as
there are really no global data structures within SASS. The
kernel is internally organized into four distinct layers, as
illustrated in Figure 3; these layers, that will be de-
scribed below, are termed (1) segment and event managers,
(2) traffic controller, (3) memory manager, and (4) inner
traffic controller.
In practice we have been guite doctrinaire in enforcement
of the loop-free structure for this organization. While
many operating systems claim to be modular or well-struc-
tured, we empirically validate this claim. He "peel-off"
the upper layers one at a time by literally removing the
code and data, and then demonstrate that the remainder can
be loaded and run as a functionally intact, but obviously
limited, operating system subset. The function of each lay-




















Figure 3: Internal Kernel Organization
- xiii -
l£££I Traffic Controller. Processor multiplexing has two
layers, similar to those proposed for Multics [12]. Each
physical processor has a fixed number of "virtual proces-
sors" that are multiplexed onto it. Two of these virtual
processors are dedicated to system services: an idle virtu-
al processor and a memory manager process to manage the as-
ynchronous access to secondary storage devices. The remain-
ing virtual processors (currently two per physical
processor) are available to the (upper level) traffic cont-
roller. The inner traffic controller provides signal and
wait synchronization primitives that include a message that
is passed between virtual processors. In terms of tradi-
tional jargon, the inner traffic controller provides multi-
programming by scheduling virtual processors to run on the
CPU they are (permanently) associated with. Note that this
structure implies that the security kernel is interruptible,
viz., is not a critical section; however, the inner traffic
controller itself is not interruptible. In addition, this
layer provides all the multiprocessing interactions between
individual physical processors, using a hardware "preempt"
interrupt.
Memory Manager. This layer manages the multiplexing of the
physical storage resources, viz., "disk" and "core". Phis
layer also manages the segment descriptors in the memory
management unit (MMU) image for each process. Most of the
functions of this layer are executed by the per-CPU memory
- xiv -
manager processes, with synchronization provided by inner
traffic controller signal and wait primitives. The single
board computers have per-processor, local memory; there is
also additional global memory that is addressable by all
processes. The memory manager insures that (only) shared
segments are in global memory.
This policy can reguire some transfers between local and
global memory; however, the low transaction rate of the ar-
chival storage system is not demanding, and this structure
minimizes bus transfer reguirements under expected operating
conditions.
Traffic Controller. The variable number of processes (two
per host) are multiplexed onto virtual processors defined by
the inner traffic controller. Each process has an affinity
to the physical processor whose local memory contains a por-
tion of its address space at the time of the process sche-
duling decision. As indicated earlier, the traffic cont-
roller layer uses Reed*s advance and await mechanism [9] to
provide interprocess communication.
Segment and Event Managers. All entries into the kernel
pass through the segment/event manager layer. The explicit
non-discretionary security checks are made at this level by
comparing the access class labels of subjects and objects.
This layer uses a per-process known segment table to convert
- xv -
process local names (viz., segment number) for objects into
system-wide names. Each segment has associated with it two
eventcounts and a sequencer; thus, segment numbers also
serve as their names. The segment manager provides for the
creation and deletion of segments and their entry into and
removal from a process address space.
Gate Keeper. A process invoices a security kernel function
using the traditional trap mechanism. The Z8000 "system
call" instruction causes a trap, and the gate keeper is
merely the trap handler. All parameters and return values
are "passed by value" in CPU registers; this simplifies se-
curity validation. The gate keeper merely calls the parti-
cular procedure that corresponds to the requested function.
Microprocessor Testbed
One important aspect of this research has been the actual
implementation and testing of the concepts developed. Trad-
itionally the implementation of multiple processor struc-
tures has been an expensive undertaking. Recently the de-
velopment of sophisticated microprocessors that feature
multiple operating modes, advanced addressing, support of
multiple processor configurations, and a standard bus co-
nfiguration with peripheral support have all made the imple-
mentation of advanced operating systems on microprocessor
devices possible, and economically feasible.
- xvi -
The processors of SASS all share the same bus; aach
processor is a commercial single board computer with on-
board random access memory. These processors also share a
global memory, and certain peripheral devices. This co-
nfiguration is illustrated in Figure 4.
In general, security Icernel based operating systems find
three processor-supported execution domains (operating
states) highly desirable: for the Icernel, supervisor, and
applications. This is true of the operating system family
discussed here. Currently there are no single chip proces-
sors that support three states. This is not a significant
problem for SASS, since it is the hosts rather than the SASS
system processors that execute user application programs.
Under these circumstances a two mode (kernel and supervisor)
machine is sufficient. Such architectures are currently
available as microprocessors, in particular the 29000.
Accordingly, we are implementing a multiple microproces-
sor system to test the SASS concept. The current hardware
in use is the AMD 4116 single board computer £13] in a stan-
dard Multibus backplane. This configuration has a signifi-
cant limitation: it does not include the hardware Memory



















Figure 4: Multiprocessor Configuration
- xviii -
Currently we simulate in software the memory management
unit, so the kernel is not protected from the supervisor as
the original design specified. Hardware protection in the
form of addressing limitations is available, and has been
used in some of the experiments to assure the integrity of
the Icernel. In this configuration, the hardware protects
one half of the local memory from any access when the CPU is
operating in the normal mode. Any attempt to access memory
which is thus protected generates an interrupt and the fault
detection software traps the access. This is adequate for
current tests, but a complete memory management system is
clearly more desirable. Our experiences on this testbed in
terms of performance and software development are discussed
further below.
THE SASS EXPERIENCE
The lessons learned to this point fall into two broad ca-
tegories: programming (software engineering) experiences,
and performance experiences. We will discuss both of these
issues belDw.
Programming E xp eriences
The nature of this research effort has been hignly struc-
tured, emphasizing modularity at every opportunity. The
software design is strictly "top-down". This has been a
- xix -
matter of good design practice, and of necessity. Since the
majority of the work has been performed by a succession of
Master's degree students [14,15,16,17,18,19] during their
brief six to nine months of research each, the clear defini-
tion of software modules has been key to the success of the
effort. We have found that the high degree of modularity
has allowed the students to work on the project with a mini-
mum of "start-up" time, and a maximum of productive effort
and learning.
The actual implementation is proceeding in an essentially
bottom up manner, with test harnesses and stubs being writ-
ten as necessary for testing. The SASS modules were speci-
fied in a pseudo-language resembling current higher level
languages. The SASS modules as implemented were coded in
PLZ-ASM [20], the Z8000 structured assembly language. Me
found that the pseudo-code specifications of modules were
adeguate, and that the translation from this code to the
structured assembly language was straightforward.
The structured assembly language of the Zilog Z8000 sup-
ported many of the constructs usually thought to be unique
to higher level languages, including typed record struc-
tures, DO-loops, IF-THEN-ELSE, and CASE. In fact, our pro-
grammers think of this assembly language as a higher level
language. Approximately 40 percent of the statements writ-
- xx -
ten in SASS are equivalent to statements in modern program-
ming languages.
Despite the qualities of the structured assembler, it was
selected by default. When the decision was made, the proto-
type hardware boards were just becoming available. There
was virtually no software support available. In particular,
no higher level language was available. The software envi-
ronment was (by modern standards) very primitive, with no
tools for operating system development available. Neverthe-
less, the progression from microprocessor development system
to commercial single board computer system has been surpris-
ingly smooth (an opinion that some students might dispute).
The software development environment has grown slowly. Yet,
this has not proved to be a handicap.
- xxi -
Performance Issues
In the programming for the SASS, we have generally treat-
ed performance as a secondary issue, in deference to more
basic concerns such as security and modularity. However, we
have addressed performance on a design level where perfor-
mance is strongly related to architectural choices.
Obviously, one basic design choice is the use of multi-
processing as a way to increase processing capacity. Howev-
er, bus contention is a major performance concern in the
multiprocessor configurations, since all processors share a
single Multibus. If, for example, all code and data were
located in global memory, then even two or three processors
would saturate the bus. However, in reality only shared,
writable segments need be in global memory. Our use of a
purely virtual, segmented memory permits the kernel to det-
ermine exactly which are the shared, writable segments. As
noted before, the memory manager layer totally controls the
allocation to global memory, and thus markedly controls bus
contention.
In the current SASS implementation we use the "Normal"
and "System" modes of the Z8000 hardware, with the system
mode dedicated to the security kernel. The domain changes
automatically generate a switch of the stack within the
- xxii -
hardware. This is particularly important to the efficiency
with which we can switch domains while maintaining the in-
tegrity of the kernel.
In SASS a process switch is achieved by switching the
stack. SASS saves the process history in the stack, so a
switch requires only the stack exchange. Preempt hardware
interrupts can initiate scheduler changes, and associated
virtual interrupts to the virtual processors. This sequence
is relatively efficient given the Zilog architecture. The
process switching performance question is nore interesting
in the context of processor multiplexing.
The multiprogramming time is the interval from the time
the inner traffic controller signal primitive is invoked in
one virtual processor until there is a return from a (pend-
ing) wait invocation in a different virtual processor. This
includes both process switching and message passing opera-
tions.
For interprocess communication, the read and ticket calls
(from the normal mode) include a system call though the gate
keeper to the kernel, the non-discretionary security checks,
and access to the eventcount or sequencer value; however, no
process switch is involved. The synchronization time in-
cludes the interval from the invocation of the system call
- xxiii -
(in normal mode) for advance in one process until the return
from a (blocking) await invocation in a different process.
This includes the security checks and scheduling of both a
virtual and a physical processor.
A set of measurements on the current implementation are
summarized in Table 1. There has been no effort to "tune"
the system to improve performance. Me find these results









Table 1. Performance Measurements
- XXIV -
SUMMARY
A modern operating system featuring kernel based securi-
ty, segmented memory and multiple processors has been de-
signed and is being implemented using modern microproces-
sors. To date our focus on methodical design has paid off:
the implementation of a carefully designed, simple structure
using elementary software development tools has proceeded
well.
The initial testbed implementation is running and prelim-
inary data is now available regarding the operating perfor-
mance of such systems implemented on microprocessors of ad-
vanced architectures. Data gathered suggests that the
security kernel is indeed an attractive structure for a mo-
dern operating system. There is a wide range of applica-
tions where sophisticated operating systems can be imple-
mented upon microprocessors, and attractive performance can




The authors would like to acknowledge the many long hours
of work and dedicated effort contributed by E. E. Moore, A.
V. Gary, S. L. Reitz, J. T. Wells, and A. a. Strickler, the
students of the SASS project. Without their dedication,
ideas and effort, this project would never have been able to
progress. Specifically, we would like to acknowledge the
contributions of Ms. C. Yamanaka and Ms. N. Seydel, whose
typing and assistance were invaluable. This research was
partially supported by grants from the Office of Naval Re-
search, Project No. 427-00 1, monitored by Mr. Joel Trimble,
and the Naval Postgraduate School Research Foundation.
- XXVI -
REFERENCES
[1] Schell, R. R. and Cox, L. A. "A Secure Archival Storage
System," PROCEEDINGS OF COMPCON FALL, September 1980.
[2] 0*Connell, J. S. and Richardson, L. D., Di stributed,
Secure Design for a Multi-microprocessor Operating Sys-
tem, Master of Science Thesis, Naval Postgraduate
School, June 1979.
[3] Schell R. R. , Kodres, U. a.. Amir, U., Wasson, J., and
Tao, T. F., "Processing of Infrared Images by Multiple
Microcomputer System, Proceedings SPIE Symposium,
"Real-Time Signal Processing III," Vol. 241, (1980),
pp. 267-278.
[4] Peuto, B. L., "Architecture of a New Microprocessor,"
Computer, Vol. 12, No. 2, February 1979, p. 10.
[5] Schell, R. R., "Security Kernels: A Methodical Design
of System Security," USE Technical Papers (Spring Con-
ference, 1979), March, 1979, pp. 245-250.
[6] Schroeder, M. D. and Saltzer, J. H. , "A Hardware Archi-
tecture for Implementing Protection Rings," Communica-
tions of the ACM, Vol. 15, No. 3, March 1972, pp.
157-170.
[71 Denning, D. F. , "A Lattice Model of Secure Information
Flow," Communications of The ACM, Vol. 19, May 1976,
pp. 236-242.
- xxvii -
[8] McCauley E. J. and Drongowslci, P. J., "KSOS - The De-
sign of a Secure Operating System," Proceedings of the
National Computer Conference, 1979, pp. 345-371.
[9] Reed, P. D. and Kanodia, R. K., "Synchronization with
Eventcounts and Seguencers," Communications of the ACM,
Vol. 22, No. 2, February, 1979, pp. 115-124.
[10] Millen, J. K. , "Security Kernel Validation in Prac-
tice," Communica tions of the ACM, Vol. 19, No. 5, May
1976, pp. 243-250.
[11] Parnas, D. L. , "On the Criteria to be Used in Decompos-
ing Systems into Modules," Communications of the ACM,
Vol. 15, No. 12, December 1972, pp. 1053-1058.
[12] Schroeder, M. D. et. al., "The Multics Kernel Design
Project," Proc. Sixth ACM Symposium on Operating Sys-
tems Principles, November 1977, pp. 43-56.
[13] Advanced Micro Devices, Am 96/4116, Am Z8000 16-Bit Mo-
noBoard Computer User's Manual, 1980.
[ 14] Parks, E. J., The Design of a Secure File S torage Sys-
tem, Master of Seience Thesis, Naval Postgraduate
School, December 1979.
[15] Coleman, A. R. , Security Kernel Design for a Micropro-
2§§so£- Based, Multilevel Archival Storage System, Bas-
- xxviii -
ter of Science Thesis, Naval Postgraduate School, De-
cember 1979.
[16] Moore, E. E. and Gary, A. V., The Design and Implemen-
tation of the Memory. Manager for a Secure Ar chival Sto-
mas Systems, Master of Science Thesis, Naval Postgrad-
uate School, June 1980.
[17] Reitz, S. L. , An Implementation of Multiprogramming and
££2cess Management for a Security Kernel Operating Sys-
tem, Master of Science Thesis, Naval Postgraduate
School, June 1980.
[18] Wells, J. T., Implementation of Segment Mana gement for
a Secure Archi val Storage System, Master of Science
Thesis, Naval Postgraduate School, September 1980.
[19] Strickler, A. R., IfiEiementation of Process Mana gem ent
f°£ i Secure Ar chival Storage S_ystem, Master of Science
Thesis, Naval Postgraduate School, March 198 1.




This technical report contains edited segments of four mas-
ters 1 theses:
The Design and Implementation of the. Memory Manag-
er £2£ ^ Secure Archi val St oracle System by E. E.
Moore and A. 7. Gary
kQ Implementation of Multiprogramming a&d Process
Management for a Secu rity Ke.rnei 2E§£ating System
by S. L. Reitz
Implementation of Segment Management for a Secure
Archival Storage System by J. T. Wells
Imglementation of Process Management for a S ecure
archival Storage System by A. E. Strickler
which describe the development and implementation of the Na-
val Postgraduate School Secure Archival Storage System
(SASS) . These theses are based upon the design outlined in
the Naval Postgraduate School SECURE ARCHIVAL STORAGE SYSTEM
Part I - Design - by R. R. Schell and L. A. Cox [ 17]. This
design is updated and presented in detail.
Some sections of each thesis have been excluded in order
to eliminate repetition and bulk. Similarly, the program
listings in this report represent the current state of the
project and do not pertain to any one thesis. An attempt
has been made to footnote some discrepancies between the
- XXX -
system described by these theses and the current state.
However, there may be some details described herein which do
not correspond to the current SASS system. Consequently,
the reader is advised to consult the individual thesis if
more detail on a particular phase of the development is re-
quired. A program description document, providing greater




THE STRUCTURE OF A SECURITY KERNEL FOR A Z8000
MULTIPROCESSOR ii
FOREWORD XXX
PART A — INTRODUCTION
Chapter 2I£®
I. BACKGROUND 2






PART B ~ SECURE ARCHIVAL STORAGE SYSTEM DESIGN
ChajDter E§c[e
III. BASIC SASS OVERVIEW 18
IV. SUPERVISOR 23
FILE MANAGER PROCESS 24
INPUT/OUTPUT PROCESS 25
V. GATE KEEPER 26
VI. DISTRIBUTED KERNEL 28
SE3MENT MANAGER 29
EVENT MANAGER 32
NON-DISCRETIONARY SECURITY MODULE 33
TRAFFIC CONTROLLER . 33
INNER TRAFFIC CONTROLLER 38
DISTRIBUTED MEMORY MANAGER 41
- xxxii -
VII. NON-DISTRIBUTED KERNEL 43
MEMORY MANAGER PROCESS 43
VIII. SYSTEM HARDWARE 48
IX. SUMMARY 52
PART C — THE DESIGN AND IMPLEMENTATION OF THE MEMORY
MANAGER POR A SECURE ARCHIVAL STORAGE SYSTEM
Chapter page
X. INTRODUCTION 54
XI. MEMORY MANAGER PROCESS DETAILED DESIGN 57
INTRODUCTION 57
DESIGN PARAMETERS AND DECISIONS 60
DATA BASES 63
Global Active Segment Table 63
Local Active Segment Table 68
Alias Table 69
Memory Management Unit Image 71
Memory Allocation/Deallocation Bit Maps ... 74
BASIC FUNCTIONS 75
Create an Alias Table Entry 78
Delete an Alias Table Entry 80
Activate a Segment 83
Deactivate a Segment 37
Swap a Segment In 91
Swap a Segment Out 95
Deactivate All Segments 98
Move a Segment to Global Memory 99
Move a Segment to Local Memory 101
Update the MMU Image 102
SUMMARY 103
XII. STATUS OF RESEARCH 105
CONCLUSIONS 105
FOLLOW ON WORK 107
PART D — AN IMPLEMENTATION OF MULTIPROGRAMMING AND






INNER TRAFFIC CONTROLLER 114
Virtual Processor Table (VPT) 114
Level- 1 Scheduling 118
Getwork 119




















FOLLOH ON WORK 152
PART E — IMPLEMENTATION OF SEGMENT MANAGEMENT FOR A
SECURE ARCHIVAL STORAGE SYSTEM
Chapter pa ge
XVI. INTRODUCTION 154










XVIII. SEGMENT MANAGEMENT IMPLEMENTATION 167
IMPLEMENTATION ISSUES 167
Interprocess Messages 168
Structures as Arguments 170
Reentrant Code 170
Process Structure of the Memory Manager . . 171
Per-Process Known Segment Table 172
DBR Handle 172
SE3MENT MANAGER MODULE 173
Create a Segment 174
Delete a Segment 177
Make a Segment Known 178
Make a Segment Unknown (Terminate) 181
Swap a Segment In 182
Swap a Segment Out 183
NON-DISCRETIONARY SECURITY MODULE 183
Equal Classification Check 186
Greater or Equal Classification Check . . . 186
DISTRIBUTED MEMORY MANAGER MODULE 187
Description of Procedures 188
Interprocess Communication 190
SUMMARY 192
XIX. CONCLUSIONS AND FOLLOW ON WORK 193
PART F — IMPLEMENTATION OF PROCESS MANAGEMENT FOR A
SECURE ARCHIVAL STORAGE SYSTEM
Chapter pa ge
XX. INTRODUCTION 196
XXI. IMPLEMENTATION ISSUES 198
DATABASE INITIALIZATION 198
Inner Traffic Controller Initialization . . 199
Traffic Controller Initialization 202
Additional Initialization Requirements . . . 205
PREEMPT INTERRUPTS 206
Physical Preempt Handler 207
Virtual Preempt Handler 209
IDLE PROCESSES 213
ADDITIONAL KERNEL REFINEMENTS 215
SUMMARY 217
XXII. PROCESS MANAGEMENT IMPLEMENTATION 218























FOLLOW ON WORK 245
Appendix gage
A. EVENT MANAGER LISTINGS 247
B. TRAFFIC CONTROLLER LISTINGS 258
C. DISTRIBUTED MEMORY MANAGER LISTINGS 287
D. GATE_KEEPER LISTINGS 308
E. BOOTSTRAP_LOADER LISTINGS 317
F. LIBRARY FUNCTION LISTINGS 330
G. INNER TRAFFIC CONTROLLER LISTINGS 335
H. SEGMENT MANAGER LISTINGS 364
I. NON-DISCRETIONARY SECURITY LISTINGS 335
J. MEMORY MANAGER LISTINGS 387
LIST OF REFERENCES 404
- xxxvi -
INITIAL DISTRIBUTION LIST 406
- XiXVll -
LIST OF FIGURES
1. SASS System Interfaces v
2. Extended Machine Layers viii
3. Internal Kernel Organization xiii
4. Multiprocessor Configuration xviii
5. SASS System 20
6. System Overview (Dual Host) 22
7. Known Segment Table (KST) 31
8. Active Process Table (APT) 35
9. Virtual Processor Table (VPT) 39
10. Extended Instruction Set 46
11. Kernel Databases 47
12. Memory Management Unit (MMU) Image 50
13. SASS H/W System Overview 59
14. Global Active Segment Table 64
15. Alias Table Creation 67
16. Local Active Segment Table 69
17. Alias Table 70
18. Memory Management Unit Image 73
19. Memory Allocation/Deallocation Map 75
20. Memory Manager Mainline Code 77
21. Create Entry Pseudo-code 79
- xxxviii -
22. Delete Entry Pseudo-code 82
23. Activate Pseudo-code 86
24. Deactivate Pseudo-code 90
25. Swap_In Pseudo-code 94
26. Swap_0ut Pseudo-code 97
27. Deactivate All Pseudo-code 99
28. Move To Global Pseudo-code 100
29. Move To Local Pseudo-code 101
30. Opdate Pseudo-code 102
31. Success Codes 104
32. SASS SYSTEM 111
33. MM0_IMAGE 113
34. Virtual Processor Table 115
35. Virtual Processor States 117
36. SHAP_DBE 120
37. Kernel Stack Segments 124
38. GETWORK 125
39. Active Process Table 140
40. Initialized Stack 148
41. Known Segment Table 159
42. Memory Management Onit Image 165
43. Memory Manager-CPU Table 166
44. Initial Process Stack 210
45. Implementation Module Structure 219
46. TC_ADVANCE Algorithm 230







This chapter is an updated excerpt from Implemen-
tation 2l Segment Management £fi£ I. Secure Archival
Storage System by J. T. Wells f2QJ.
O'Connell and Richardson provided the design for a fami-
ly of secure, distributed, multi-microprocessor operating
systems from which the subset, SASS, was later derived [7],
In their work, two of the primary motivations were to pro-
vide a system that (1) effectively coordinated the process-
ing power of microprocessors and (2) provided information
security.
The basis for emphasis on utilization of microprocessors
is not purely that of replacing software with more powerful
(and faster) hardware (microprocessors) but is also an eco-
nomic issue. Software development and computing operations
are becoming more and more expensive, putting further pres-
sure on system designers to increasingly utilize people
solely for system functions that computers cannot perform in
a cost effactive manner. Microcomputers, on the other hand,
are becoming less and less expensive and are, therefore, in-
creasingly being used for more functions.
The need for information security has been gradually re-
cognized as the uses of computers have expanded. As security
- 2 -
needs for specific computer systems have been recognized,
attempts have been made to modify the existing systems to
provide the desired security. The results have been systems
that could not be certified as secure and/or which have
failed to resist penetration efforts, i.e. systems which, in
effect, did not provide adeguate information security. It
has become clear that, in order to be certifiably secure, a
computer system must have security designed in from first
principles [10,11]. Such is the case with SASS. Information
security was and continues to be a chief design feature.
Integral to the design goal of information security were two
related goals. One of these goals was to provide multilev-
el controlled access to a consolidated warehouse of data for
a network of multiple host computers. The other key goal was
to provide for controlled sharing among the computer hosts.
A brief background of prior work relative to SASS fol-
lows. O'Connell and Richardson originated the design of a
secure family of operating systems. Their design provided
two basic parts for their system — the supervisor (to pro-
vide operating system services) and the kernel (to provide
for physical resource management) . The design of the SASS
supervisor was completed by Parks [9]. No implementation or
further design effort on the supervior has followed, to
date. The initial design of the kernel was completed by
Coleman [2]. That design described the kernel in terms of
seven modules:
- 3 -
1. Sate Keeper Module — provided for ring-crossing me-
chanism and thus isolation of the kernel.
2. Segment Manager Module — provided for management of
segmented virtual memory.
3. Traffic Controller Module — multiplexed processes
onto virtual processors and supports the inter- pro-
cess communication primitives Block and Makeup.
4. Non-Discretionary Security Module — mediated non-
discretionary security access attempts.
5. Inner Traffic Controller Module — multiplexed virtu-
al processors onto real processors and provided the
Kernel synchronization primitives Signal and Hait.
6. Memory Manager Module — managed main memory and sec-
ondary storage.
7. Input-Output Manager -- managed the moving of infor-
mation to external devices outside the boundaries of
the SASS.
Refinement of the kernel design and partial implementation
was completed by Gary and Moore [5] in conjunction with
Reitz [12]. The resultant description of the kernel as a re-
sult of their work was:
1. Gate Keeper Module
2. Segment Manager Module
3. Event Manager Module — worked with the Traffic Cont-
roller to manage the event data associated with the
IPC mechanism of eventcounts and sequencers.
4. Non-Discretionary Security Module
5. Traffic Controller Module — replaced Block and Wake-
up with Advance and Await (to implement Supervisor
IPC mechanism of eventcounts and sequencers).
6. Memory Manager Module
7. Inner Traffic Controller Module
- 4 -
Reitz implemented the Traffic Controller Module and Inner
Traffic Controller Module. Gary and Moore completed a de-
tailed design of the Memory Manager, originated the Memory
Manager code (written predominantly in PLZ/SYS) , selected a
thread of the code, hand compiled it into PLZ/ASM and ran it
on the Z8000 developmental module. Wells provided the im-
plementation of the Segment Manager and Non-Discretionary
Security Modules as well as partial implementation of Dis-
tributed Memory Manager functions. StricJcler refined and






This chapter is an excerpt from Implementat ion of
process Management for a Secure 4L£hival storage
Sisteo by A. E. Stricicler [19]. Minor changes
have been made for integration into report.
This section provides an overview of several concepts
essential to the SASS design. Readers familiar with SASS or
with secure operating system principles may wish to skip to
the next section.
A. PROCESS
The notion of a process has been viewed in many ways in
computer science literature. Organick [ 8 ] defines a process
as a set of related procedures and data undergoing execution
and manipulation, respectively, by one of possibly several
processors of a computer. Sadnick and Donovan [6] view a
process as the locus of points of a processor executing a
collection of programs. Reed [10] describes a process as
the sequence of actions taken by some processor. In other
words, it is the past, present, and future "history" of the
states of the processor. In the SASS design, a process is
viewed as a logical entity entirely characterized by an ad-
dress space and an execution point. A process* address
space consists of the set of all memory locations accessible
- 6 -
by the process daring its execution. This may be viewed as
a set of procedures and data related to the process. The
execution point is defined by the state of the processor at
any given instant of process execution.
As a logical entity, a process may have logical attri-
butes associated with it, such as a security access class, a
unigue identifier, and an execution state. This notion of
logical attributes should not be confused with the more typ-
ical notion of physical attributes, such as location in me-
mory, page size, etc. In SASS, a process is given a securi-
ty access class, at the time of its creation, to specify
what authorization it possesses in terms of information ac-
cess (to be discussed in the next section) . It is also giv-
en a unigue identifier that provides for its identification
by the system and is utilized for interaction among process-
es. A process may exist in one of three execution states:
1) running, 2) ready, and 3) blocked. In order to execute,
a process must be mapped onto (bound to) a physical proces-
sor in the system. Such a process is said to be in the
"running" state. A process that is not mapped onto a physi-
cal processor, but is otherwise ready to execute, is in the
"ready" state. A process in the "blocked" state is waiting
for some event to occur in the system and cannot continue
execution until the event occurs. At that time, the process
is placed into the ready state.
- 7 -
B. INFORMATION SECURITY
There is an ever increasing demand for computer systems
that can provide controlled access to the data it stores.
In this thesis, "information security" is defined as the
process of controlling access to information based upon
proper authorization. The critical need for information se-
curity should be clear. Banks and other commercial enter-
prises risk the theft or loss of funds. Insurance and cre-
dit companies are bound by law to protect the private or
otherwise personal information they maintain on their cus-
tomers. Oniversities and scientific institutions must pre-
vent the unauthorized use of their often over-burdened sys-
tems. The Department of Defense and other government
agencies must face the very real possibility that classified
information is being compromised or that weapon systems are
being tampered with. In fact, security related problems can
be found at virtually every level of computer usage.
The security of computer systems processing sensitive
information can be achieved by two means: external security
controls and internal security controls. In the first case,
security is achieved by encapsulating the computer and all
its trusted users within a single security perimeter estab-
lishe by physical means (e.g., armed guards, fences, etc.)
This means of security is often undesirable due to its added
cost of implementation, the inherent risk of error-prone ma-
nual procedures, and the problem of trustworthy but error-
- 8 -
prone users. Also, sinca all security controls are external
to the computer system, the computer is incapable of secure-
ly handling data at differing security levels or users with
differing degrees of authorization. This restriction great-
ly limits the utility of modern computers. Internal securi-
ty controls rely upon the computer system to internally dis-
tinguish between multiple levels of information
classification and user authorization. This is clearly a
more desirable and flexible approach to information securi-
ty. This does not mean, however, that external security is
not needed. The optimal approach would be to utilize inter-
nal security controls to maintain information security and
external security controls to provide physical protection of
our system against sabotage, theft, or destruction. The
primary concern of this thesis is information security and
will therefore center its discussion on the achievement of
information security through implementation of the security
kernel concept.
One might argue that a "totally secure" computer system
is one that allows no access to its classified or otherwise
sensitive information. Such a system would not be of much
value to its users. Therefore, when we say that a system
provides information security, it is only secure with res-
pect to some specific external security policy established
by laws, directives, or regulations. There are two distinct
aspects of security policy: non-discretionary and discre-
- 9 -
tionary. Each user (subject) of the system is given a label
denoting what classification or level of access the user is
authorized. Likewise, all information or segments (objects)
within the system are labelled with their classification or
level of sensitivity. The non-discretionary security me-
chanism is responsible for comparing the authorization of a
subject with the classification of an object and determining
what access, if any, should be granted. The DOD security
classification system provides an example of the non-discre-
tionary security policy and is the policy implemented in
SASS. The discretionary security policy is a refinement of
the non-discretionary policy. As such, it adds a higher de-
gree of restriction by allowing a subject to specify or res-
trict who may have access to his files. It must be empha-
sized that the discretionary policy is contained within the
non-discretionary policy and in no way undermines or substi-
tutes for it. This prevents a subject from granting access
that would violate the non-discretionary policy. An example
of discretionary security is provided by the DOD "need to
know" policy. In SASS, the discretionary policy is imple-
mented within the supervisor [ 9 ] by means of an Access Con-
trol List (ACL) . There is an ACL maintained for every file
in the system, which provides a list of all users authorized
access to that file. Every attempt by a user to access a
file is first checked against the ACL and then checked
against the non-discretionary security policy. The "least"
- 10 -
or "most restrictive" access found in these checks is then
granted to the user.
The relationship between the labels associated with the
subject's access class (sac) and the object's access class
(oac) is defined by a lattice model of secure information
flow [12] as follows (" | " denotes "no relationship"):
1. sac = oac, read and write access permitted
2. sac > oac, read access permitted
3. sac < oac, write access permitted
4. sac | oac, no access permitted
In order to understand how these access levels are deter-
mined, it is necessary to gain an awareness of and consider-
ation for several basic security properties.
The "Simple Security Property" deals with "read" access.
It states that a subject may have read access only to those
object's whose classification is less than or equal to the
classification of the subject. This prevents a subject from
reading any object possessing a classification higher than
his own.
The "Confinement Property" (also known as "*-property ")
governs "write" access. It states that a user may be grant-
ed write access only to those objects whose classification
is greater than or equal to the classification of the sub-
ject. This prevents a user from writing information of a
higher classification (e.g.. Secret) into a file of a lower
classification (e.g., Unclassified). It is noted that while
- 11 -
this property allows a user to write into a file possessing
a classification higher than his own, it does not allow him
access to any of the data in that file. The SASS design
does not allow a user to "write up" to higher classified
files. Therefore, in SASS, "sac < oac" denotes "no access
permitted.
"
The "Compatibility Property" deals with the creation of
objects in a hierarchical structure. In SASS, objects (seg-
ments) are hierarchically organized in a tree structure.
This structure consists of nodes with a root node from which
the tree eminates. The Compatibility Property states that
the classification of objects must be non-decreasing as we
move down the hierarchical structure. This prevents a pa-
rent node from creating a child node of a lower classifica-
tion.
Several prereg uisites must be met in order to insure
that the security kernel design provides a secure environ-
ment. Firstly, every attempt to access data must invoke the
Kernel. In addition, the Kernel must be isolated and tam-
perproof. Finally, the Kernel design must be verifiable.
This implies that the mathematical model, upon which the
Kernel is based, must be proved secure and that the Kernel
is shown is to correctly implement this model.
- 12 -
C. SEGMENT ATIQH
Segmentation is a key element of a security Kernel based
system. A segment can be defined as a logical grouping of
information, such as a procedure, file or data area [6 J.
Therefore, we can redefine a process' address space as the
collection of ail segments addressable by that process.
Segmentation is the technique applied to effect management
of those segments within an address space. In a segmented
environment, all references within an address space require
two components: 1) a segment specifier (number) and 2) the
location (offset) within the segment.
A segment may have several logical and physical attri-
butes associated with it. The logical attributes may in-
clude the segment 1 s classification, size, or permissable ac-
cess (read, write, or execute) . These logical attributes
allow a segment to nicely fit the definition of an object
within the security kernel concept, and thus provide a means
for the enforcement of information security. A segments
physical attributes include the current location of the seg-
ment, whether or not the segment resides in main memory or
secondary storage, and where the segment's attributes are
maintained by a segment descriptor. The segment descriptors
for each segment in a process' address space are contained
within a Descriptor Segment (viz. , the MMU Image in SASS) to
facilitate the memory management of that address space.
- 13 -
Segmentation supports information sharing by allowing a
single segment to exist in the address spaces of multiple
processes. This allows us to forego the maintenance of mul-
tiple copies of the same segment and eliminates the possi-
bility of conflicting data. Controlled access to a segment
is also enforced, since each process can have different at-
tributes (read/write) specified in its segment descriptor.
In the implementation of SkSS, any segment which is shared,
but has "read only" access by every process sharing it, is
placed in the processor local memory supporting each of
these processes rather than in the global memory. This im-
plies the maintenance of multiple copies of some shared seg-
ments. It is noted that the problem of "conflicting data"
is avoided since this only applies to read only segments.
This apparent waste of memory and nonuse of existing sharing
facilities is justified by a design decision to provide max-
imum reduction of bus contention among processors accessing
global memory. This reduction in bus contention is consid-
ered to be of more importance than the saving of memory
space provided by single copy sharing of read only segments.
This decision is also well supported by the occurrence of
decreasing memory costs, which we have experienced in terms
of high speed bus costs.
- 14 -
D. PROTECTION DOMAINS
The requirement for isolating the Kernel from the re-
mainder of the system is achieved by dividing the address
space of each process into a set of hierarchical domains or
protection rings [18]. O^onnell and Richardson [7] defined
three domains in the family of secure operating systems:
the user, the supervisor, and the kernel. Only two domains
are actually necessary in the SASS design since it does not
provide extended user applications. The Kernel resides in
the inner or most privileged domain and has access to all
segments in an address space. System wide data bases are
also maintained within the Kernel domain to insure their ac-
cessibility is only through the Kernel. The Supervisor ex-
ists in the outer or least privileged domain where its ac-
cess to lata or segments within an address space is
restricted.
While protection domains may be created through either
hardware or software mechanisms, a hardware implementation
provides much greater efficiency. Current microprocessor
technology only provides for the implementation of two do-
mains. This two domain restriction does not support O'Con-
nell and Richardson* s complete family design, but it is suf-
ficient to allow hardware implementation of the ring
structure required by the SASS subset.
- 15 -
E. ABSTRACTION
Dijkstra [4 ] has shown that the notion of abstraction
can be used to reduce the complexity of a problem by apply-
ing a general solution to a number of specific cases. A
structure of increasing levels of abstraction provides a
powerful tool for the design of complex systems and general-
ly leads to a better design with greater clarity and fewer
errors.
Each level of abstraction creates a virtual hierarchical
machine [6] which provides a set of "extended instructions"
to the system. A virtual machine cannot make calls to
another virtual machine at a higher level of abstraction and
in fact is unaware of its existence. This implies that a
level of abstraction is independent of any higher levels.
This independence provides for a loop-free design. Addi-
tionally, a higher level may only make use of the resources
of a lower level by applying the extended instruction set of
the lower level virtual machine. Therefore, once a level of
abstraction is created, any higher level is only interested
in the extended instruction set it provides and is not con-
cerned with the details of its implementation. In SASS,
once a level of abstraction is created for the physical re-
sources of the system, these resources become "virtualized"
making the higher levels of the design independent of the
physical configuration of the system.
- 16 -
PABT B
SECURE ARCHIVAL STORAGE SYSTEM DESIGN
This section is an excerpt from I m£lementation of P rocess
Management for a Se c ure Archival Storage System by A. R.
Strickier [19]. Minor changes have been aade for integra-
tion into this report.
Chapter III
BASIC SASS OVERVIEW
The purpose Df the Secure Archival Storage System is to
provide a secure "data warehouse" or information pool which
can be accessed and shared by a variable set of host compu-
ter systems possessing differing security classifications.
The primary goals of the SASS design are to provide informa-
tion security and controlled sharing of data among system
users.
Figure 5 provides an example of a possible SASS usage.
The system is used exclusively for managing an archival sto-
rage system and does not provide any programming services to
its users. Thus the users of the SASS may only create,
store, retrieve, or modify files within the SASS. The host
computers are hardwired to the system via the I/O ports of
the Z8001 with each connection having a fixed security clas-
sification. Each host must have a separate connection for
each security level it wishes to work on (It is important to
note that Pigure 5 only represents the logical interfacing
of the system. Specifically, the actual connection with the
host system must be interfaced with the Kernel as the I/O
instructions for the port are privileged) . In our example.
Host #1 can create and modify only Top Secret files, but it
- 18 -
can read files which are Top Secret, Secret, Confidential,
or Unclassified. Likewise, Host #2 can create or modify
secret files, using its secret connection or confidential
files, using its confidential connection. Host #2 cannot
create or modify Top Secret or Unclassified files.
In order to provide information security and controlled
sharing of files, the SASS operates in two domains: (1) the
Supervisor domain and (2) the Kernel domain. The SASS ac-
hieves this desired environment through a distributed oper-
ating system design which consists of two primary modules:
the Supervisor and the Security Kernel. Each host system
connected to the SASS has associated with it two processes
within the SASS which perform the data transfer and file
management on behalf of that host. The host computer commu-
nicates directly with its own I/O process and File Manager
process within the SASS.
We can use our notion of abstraction to present a system
overview of the SASS. The SASS consists of four primary
levels of abstraction:
Level 3-The Host Computer Systems
Level 2-The Supervisor
Level 1-The Security Kernel
Level O-The SASS Hardware
A pictorial representation of this abstract system overview
is presented in Figure 6. This representation is limited to















1 I-- 1 1 1 1 1
T| S| C| C| U|
o| 91 01 o| n|
PI c\ n I a| c|
I rl f I fl 11
S| e| i I il a|
e| t| ai d| si
c| 1 e I e| s|
r| 1 n I n| il
e| 1 t| t| fl
t| 1 i | il il
I 1 a 1 a| e|




























Figure 5: SASS System
- 20 -
that the Sate Keeper module is in actuality the logical
boundary between levels one and two and as such will be de-
scribed separately.
Level 3, the host computer systems, of SASS has already
been addrassed. It should be noted that the SASS design
makes no assumptions about the host computer systems. There-
fore each host may be of a different type or size (i.e.- mi-
cro, mini, or maxi-computer system) . Furthermore, the ne-
cessary physical security of the host systems and their






















Input/ 1 I File |













1 I i I




Level 2 of the SASS system is composed of the Supervisor
domain. As already stated, the SASS consists of two do-
mains. The actual implementation of these domains was
greatly simplified since the Z8001 microprocessor provides
two modes of execution. The system mode, with which the
Kernel was implemented, provides access to all machine in-
structions and all segments within the system. The normal
mode, with which the Supervisor was implemented, only pro-
vides access to a limited subset of machine instructions and
segments within the system. Therefore, the Supervisor oper-
ates in an outer or less privileged domain than the Kernel.
The purpose of tne Supervisor is to manage the data link
between the host computer systems and the SASS by means of
Input/Output control, and to create and manage the file
hierarchy of each host within the SASS. These functions are
accomplished via an Input/Output (I/O) process and a File
Manager (FM) process within the Supervisor. A separate FM
and I/O process are created and dedicated to each host at
the time of system initialization.
- 23 -
A. FILE MANAGE! PROCESS,
The FM process directs the interaction between the host
computer systems and the SASS. It interprets all commands
received from the Host computer and performs the necessary
action upon them through appropriate calls to the Kernel.
The primary functions of the FM process are the management
of the Host's virtual file system and the enforcement of the
discretionary security policy.
The virtual file system of the Host is viewed as a hier-
archy of files which are implemented in a tree structure.
The five basic actions which may be initiated upon a file at
this level are: 1) to create a file, 2) to delete a file, 3)
to read a file, 4) to store a file, and 5) to modify a file.
The FM process utilizes a FM Known Segment Table (FM_KST) as
the primary database to aid in this management.
The FM process maintains an Access Control List (ACL)
through which it enforces the discretionary security in
SASS. The FM process initializes an ACL for every file in
its Host's file system. The ACL is merely a list of all us-
ers that are authorized to access that file. The ACL is
checked upon every attempt to access a file to determine its
authorization. The user (host computer) directs the FM pro-
cess as to what entries or deletions should be made in the
ACL, and as such, specifies who he wishes to have access to
his file. As noted earlier, discretionary security is a re-
finement to the Non-Discretionary Security Policy and there-
- 24 -
fore can only be utilized to add further access restrictions
to those provided by the Non-Discretionary Security. This
prevents a user from granting access to a file to someone
who otherwise would not be authorized access.
B. INPOT/QOTPOT PROCESS
The 1/3 process is responsible for managing the input
and output of all data between the host computer systems and
the SASS. The I/O process is subservient to the FM process
and receives all of its commands from it. Data is transfer-
red between the SASS and Host Computer systems in fixed size
"packets". These packets are broken up into three basic
types: 1) a synchronization packet, 2) a command packet, and
3) a data packet. In order to insure reliable transmission
and receipt of packets between the Host computer and the
SASS, there must exist a protocol between them. Parks [9]





The primary objective of the gate keeper is to isolate
the Kernel and make it tamperproof. This goal is accom-
plished by reason of a software ring crossing mechanism pro-
vided by the gate keeper. In terms of SASS, this notion of
"ring-crossing" is merely the transition from the Supervisor
domain to the Kernel domain. As noted earlier, the gate
keeper establishes the logical boundary between the Supervi-
sor and the Kernel, and as a matter of course, it provides a
single software entry point (enforced by hardware) into the
Kernel. Therefore, any call to the Kernel must first pass
through the gate keeper.
The gate keeper acts as a trap handler. Once it is in-
voked by a user (Supervisor) process, the hardware preempt
interrupts are masked, and the user process* registers and
stack pointer are saved (within the kernel domain) . It then
takes the argument list provided by the caller and validates
these passed parameters to insure their correctness. To aid
in the validation of these parameters, the gate keeper uti-
lizes the Parameter Table as a database. The Parameter ta-
ble contains all of the permitted functions provided by the
Kernel. These relate directly to the extended instruction
- 26 -
set (viz.. Supervisor calls) provided by the Kernel (these
extended instructions will be described in the next sec-
tion) . If an invalid call is encountered by the gate keep-
er, ' an error code is returned, and the Kernel is not in-
voked. If a valid call is encountered by the gate keeper,
the arguments and control are passed to the appropriate Ker-
nel module.
Once the Kernel has completed its action on the user re-
guest, it passes the necessary parameters and control back
to the gate keeper. &t this point, the gate keeper deter-
mines if any software virtual preempt interrupts have occur-
red. If they have, then the virtual preempt handler is in-
voked vice the Kernel being exited (virtual interrupt
structure is discussed by Strickler [19]. Correspondingly,
if a software virtual preempt has not occurred, then the re-
turn arguments are passed to the user process. The user
process 1 registers and stack pointer (viz., its execution
point) are restored and control returned to the Supervisor
domain. & detailed description of the Gate Keeper interface




Level 1 of our abstract view of SASS consists of two
components: the distributed Kernel and the non-distributed
Kernel. These two elements comprise the Security Kernel of
the SASS. The Security Kernel has two primary objectives:
1) the management of the system»s hardware resources, and 2)
the enforcement of the non-discretionary security policy.
It executes in the most privileged domain (viz., the system
mode of the Z8001) and has access to all machine instruc-
tions. The following section will provide a brief descrip-
tion of the distributed Kernel, its components, and the ex-
tended instruction set it provides. A discussion of the
non-distributed Kernel will be given in the next section.
The distributed Kernel consists of those Kernel modules
whose segments are contained (distributed) in the address
space of every user (Supervisor) process. Thus, in effect,
the distributed Kernel is shared by all user processes in
the SASS. The distributed Kernel is composed of the Segment
Manager, the Event Manager, the Non-Discretionary Security
Module, the Traffic Controller, the Inner Traffic Controll-
er, and the Distributed Memory Manager Module. The Segment
Manager and the Event Manager are the only "user visible"
- 23 -
modules in the distributed Kernel. In other words, the set
of extended instructions available to user processes invokes
either the Segment Manager or the Event Manager.
A. SEGMENT MANAGER
The objective of the Segment Manager is the management
of a process 1 segmented virtual storage. The Segment Manag-
er is invoiced by calls from the Supervisor domain via the
gate keeper. Calls to the Segment Manager are made by means
of six extended instructions provided by the segment manag-
er. These extended instructions (viz., entry points) are:
1) CREArE_SEGMENT, 2) DELETE_SEGMENT, 3) MAKE_KNOiN, 4)
TERMINATE, 5) SM_SWAP_IN, and 6) SM_SHAP_OUT. The extended
instructions CREATE_SEGMENT and DELETE^SEGMENT add and re-
move segments from the SASS. MAKE_KNOWN and TERMINATE add
and remove segments from the address space of a process.
Finally, SM_SWAP_IN and SM_SSJAP_OUT move segments from sec-
ondary storage to main storage and vice versa.
The primary database utilized by the Segment Manager is
the Known Segment Table (KST) . A representation of the
structure Df the KST is provided in Figure 7. The KST is a
process local database that contains an entry for every seg-
ment in the address space of that process. The KST is in-
dexed by segment number with each record of the KST contain-
ing descriptive information for a particular segment. The
KST provides a mapping mechanism by which the segment number
- 29 -
of a particular segment can be converted into a unique han-
dle for use by the Memory Manager. The Memory Manager will
be discussed in the next chapter.
- 30 -
-Segment #
MM Handle 1 Size | Acess | In | Class | Mentor | Entry
I | Mode | Core | J Seg No 1 Number
Figure 7: Known Segment Table (KST)
- 31 -
B. EVENT MANAGER
The purpose of the Event Manager is the management of
event data which is associated with interprocess communica-
tions within the SASS. This event data is implemented by
means of eventcounts (a synchronization primitive discussed
by Reed [11]). The Event Manager is invoked, via the Gate
Keeper, by user processes residing in the Supervisor domain.
There are two eventcounts associated with every segment ex-
isting in the Supervisor domain. These eventcounts (viz..
Instance 1 and Instance 2) are maintained in a database re-
siding in the Memory Manager. The Event Manager provides
its management functions through its extended instruction
set READ, TICKET, ADVANCE, and AWAIT, and in conjunction
with the extended instructions TC_ADVANCE and TC_AWAIT pro-
vided by the Traffic Controller (to be discussed next)
.
These extended instructions are based on the mechanism of
eventcounts and sequencers [11]. The Event Manager verifies
the access permission of every interprocess communication
request through the Non-Discretionary Security Module. The
extended instruction READ provides the current value of the
eventcount requested by the caller. TICKET provides a com-
plete time ordering of possibly concurrent events through
the mechanism of sequencers. The Event Manager will be dis-
cussed in more detail by Strickler [ 19].
- 32 -
C. NJ3N-DISCRETI0NARY SECURITY MODULE
The purpose of the Non-Discretionary Security Module
(NDS) is the enforcement of the non-discret ionary security
policy of the SASS. While the current implementation of
SASS represents the Department of Defense security policy,
any security policy which may be represented through a lat-
tice structure [3] may also be implemented. The NDS is in-
voked via its extended instruction set: CLASS_EQ and
CLASS_GE. The NDS is passed two classifications which it
compares and then analyzes their relationship. CLASS_EQ
will return a true value to the calling procedure only if
the two classifications passed were equal. Ihe CLASS_GE in-
struction will return true if a given classification is ana-
lyzed to be either greater than or equal to another given
classification. The NDS does not utilize a data base as it
works only with the parameters it is passed.
D. TRAFFIC CONTROLLER
The task of processor scheduling is performed by the
traffic: controller. Saltzer [14] defines traffic controller
as the processor multiplexing and control communication sec-
tion of an operating system. The current SASS design uti-
lizes Reed 1 s [10] notion of a two level traffic controller,




The primary function of the Traffic Controller is the
scheduling (binding) of user processes onto virtual proces-
sors. A virtual processor (VP) is an abstract data struc-
ture that simulates a physical processor through the preser-
vation of an executing process 1 attributes (viz., the
execution point and address space). Multiple VP*s may exist
for every physical processor in the system. Two VP»s are
permanently bound to Kernel processes (viz., Memory Manager
and Idle) and as such are not in contention for process
scheduling. These processes and their corresponding virtual
processors are invisible to the TC. The remaining virtual
processors are either idle or are temporarily bound to user
processes as scheduled by the TC. The database utilized by
the TC in process scheduling is the Active Process Table
(APT) . Figure 8 provides the structure of the APT.
The APT is a system-wide Kernel database containing an
entry for every user process in the system. Since the cur-
rent SASS design does not provide for dynamic process crea-
tion/deletion, a user process is active for the life of the
system. Therefore, the size of the APT is fixed at the time
of system generation. The APT is logically composed of
three parts: 1) an APT header, 2) the main body of the APT,
and 3) a YP table. The APT header includes: 1) a Lock to
provide for a mutual exclusion mechanism, 2) a Running List
indexed by VP ID to identify the current process running on
each VP, 3) a Ready List, which points to the linked list of
- 34 -
Lock














III III 1 awaited Event
AP | DBR |Access| Priority IState | Af fi-| VP| Handle
Link| Handle JClass | | Inity |ID| Instance









Figure 8: Active Process Table (APT)
- 35 -
processes which are ready for scheduling, and H) a Blocked
List, which points to the linked list of processes which are
in the blocked state awaiting the occurrence of some event.
A design decision was made to incorporate a single list
of blocked processes instead of the more traditional notion
of separate lists per eventcount because of its simplicity
and its ease of implementation. This decision does not ap-
preciably affect system performance or efficiency as the
"blocked" list will never be very long. The VP table is in-
dexed by logical CPU number and specifies the number of VP's
associated with the logical CPU and its first VP in the Run-
ning List. The logical CPU number, obtained during system
initialization, provides a simple means of uniquely identif-
ying each physical CPU in the system. The main body of the
APT contains the user process data required for its effi-
cient control and scheduling. NEXT_AP provides the linked
list threading mechanism for process entries. The DBR entry
is a handle identifying the process' Descriptor Segment
which is employed in process switching and memory manage-
ment. The ACCESS_CLASS entry provides every process with a
security label that is utilized by the Event Manager and the
Segment Manager in the enforcement of the Non-Discretionary
Security Policy. The PRIORITY and STATE entries are the
primary data used by the Traffic Controller to effect pro-
cess scheduling. AFFINITY identifies the logical CPU which
is associated with the process. VP ID is utilized to iden-
- 36 -
tify the virtual processor that is currently bound to the
process. Finally, the EVENTCOUNT entries are utilized by
the TC to manage processes which are blocked and awaiting
the occurrence of some event. HANDLE identifies the segment
associated with the event, INSTANCE specifies the event, and
COUNT determines which occurrence of the event is needed.
The Traffic Controller determines the scheduling order
by process priority. Every process is assigned a priority
at the time of its creation. Once scheduled, a process will
run on its VP until it either blocks itself or it is
preempted by a higher priority process. To insure tnat the
TC will always have a process available for scheduling,
there logically exists an "idle" process for every VP visi-
ble to the TC. These "idle" processes exist at the lowest
process priority and, consequently, are scheduled only if
there exists no useful work to be performed.
The Traffic Controller is invoked by the occurrence of a
virtual preempt interrupt or through its extended instruc-
tion set: ADVANCE, AWAIT, PROCESS_CLASS, and
GET_DBR_NUMBER. ADVANCE and AWAIT are used to implement the
IPC mechanism envoked by the Supervisor. PROCESS_CLASS and
GET_DBR_NUMBER are called by the Segment Kanager to ascer-
tain the security label and DBR handle, respectively, of a
named process. A more detailed discussion of the TC is pro-
vided by Strickier [19].
- 37 -
E. INNER TRAFFIC CONTROLLER
The Inner Traffic Controller is the second part of our
two-level traffic controller. Basically, the ITC performs
two functions. It multiplexes virtual processors onto the
actual physical processors, and it provides the primitives
for which inter-VP communication within the Kernel is imple-
mented. A design choice was made to provide each physical
processor in the system with a small fixed set of virtual
processors. Two of these VP*s are permanently bound to the
Kernel processes. The Memory Manager is bound to the high-
est priority VP. Conversely, the Idle Process is bound to
the lowest priority VP and, as a result, will only be sche-
duled if there exists no useful work for the CPU to perform.
The primary database utilized by the ITC is the Virtual Pro-
cessor Table (VPT) . Figure 9 illustrates the VPT.
The VPT is a system wide Kernel database containing en-
tries for every CPU in the system. The VPT is logically
composed of four parts: 1) a header, 2) a VP data table, 3)
a message table, and 4) an external VP list. The header in-
cludes a L3CK (spin lock) that provides a mutual exclusion
mechanism for table access, a RUNNING LIST (indexed by logi-
cal CPU #) that identifies the VP currently running on the
corresponding physical CPU, a READY LIST (indexed by logical
CPU #) which points to the linked list of VP's which are in
the "ready" state and awaiting scheduling on that CPU, and a








































I Entry I I






Figure 9: Virtual Processor Table (VPT)
- 39 -
in the message table. The VP data table contains the de-
scriptive data required by the ITC to effectively manage the
virtual processors. The DBE entry points within the MMU Im-
age to the descriptor segment for the process currently run-
ning on the VP. PRI (Priority) , STATE, IDLE_FLAG, and
PREEMPT are the primary data used by the ITC for VP schedul-
ing. PREEMPT indicates whether or not a virtual preempt is
pending for the VP. The IDLE_FLAG is set whenever the TC
has bound an "idle" process to the VP. Normally, a VP with
the IDLE_FLAG set will not be scheduled by the ITC as it has
no useful work to perform. In fact, such a VP will only be
scheduled if the PREEMPT flag is set. This scheduling will
allow the VP to be given (bound) to another process.
PHYSICAL PROCESSOR contains an entry from the Processor Data
Segment (PRDS) that identifies the physical processor that
the VP is executing on. EXT_VP_ID is the identifier by
which the VP is known by the Traffic Controller. I design
choice was made to have the EXT_VP_ID equate to an offset
into the External VP List. The External VP List specifies
the actual VP ID (viz., VPT entry number) for each external
VP identifier. This precluded the necessity for run time
calculation of offsets for the EXT_VP_ID. NEXT_READY_VP
provides the threading mechanism for the "Ready" linked
list, and MSG_LIST points to the first entry in the Message
Table containing a message for that VP. The Message Table
provides storage for the messages generated in the course of
- 40 -
Inter-Virtual Processor communications. MSG contains the
actual communication being passed, while SENDER identifies
the VP which initiated the communication. NEXT_MSG provides
a threading mechanism for multiple messages pending for a
single VP.
The ITC is invoked by means of its extended instruction
set: WAIT, SIGNAL, SWAP_VDBR, IDLE, SET_PREEMPT, and
RUNNING_VP. WAIT and SIGNAL are the primitives employed in
implementing the Inter-VP communication. SHAP_VDBR, IDLE,
SET_PREEMPT, and RUNNING_VP are all invoiced by the Traffic
Controller. SWAP_VDBR provides the means by which a user
process is temporarily bound to a virtual processor. IDLE
binds the "Idle" process to a VP (the implication of this
instruction will be discussed later) . SET_PREEMPT provides
the means of indicating that a virtual preempt interrupt is
pending on a VP (specified by the TC) by setting the PREEMPT
flag for that VP in the VPT. RUNNING_VP provides the TC
with the external VP ID of the virtual processor currently
running on the physical processor.
F. DISTRIBUTED BEHORI MANAGER
The Distributed Memory Manager provides an interface
structure between the Segment Manager and the Memory Manager
Process. This interfacing is necessitated by the fact that
the Memory Manager Process does not reside in the Distribut-
ed Kernel and conseguently is not included in the user pro-
- 41 -
cess* address space. The primary functions performed in
this module are the establishment of Inter-VP Communication
between the VP bound to its user process and the VP perma-
nently bound to the Memory Manager Process, the manipulation
of event data, and the dynamic allocation of available memo-
ry. The Distributed Memory Manager Module is invoked by the
Segment Manager through its extended instruction set:
MM_CREATE_ENTRY, MM_DELETE_ENTRY, MM_ACTIVATE,
MM_DEACTIVATE, MM_SWAP_IN, and MM_SWAP_OUT. These extended
instructions are utilized on a one to one basis by the ex-
tended instruction set of the Segment Manager (e.g.,
SM_SWAP_IN utilizes (calls) MM_SHAP_IN). Wells [20] pro-
vides a more detailed description of this portion of the
Distributed Memory Manager and the extended instruction set
associated with it.
The Distributed Memory Manager is also invoked through
its remaining extended instructions: MM_READ_EVENTC00NT r
MM_TICKET, MM_ADVANCE, and MM_ALL0CATE. These Distributed





The Non-Distributed Kernel is the second element resid-
ing in Level 1 of our abstract system view of the SASS. The
sole component of the Non-Distributed Kernel is the Memory
Manager Process.
A. MEMOS! MANAGER PROCESS
The primary purpose of the Memory Manager Process is the
management of all memory resources within the SASS. These
include the local and global main memories, as well as the
hard-disk based secondary storage. A dedicated Memory Man-
ager Process exists for every CPU in the system. Each CPU
possesses a local memory where process local segments and
shared, non-writeable segments are stored. There is aiso a
global memory, to which every CPU has access, where the
shared, writeable segments are stored. It is necessary to
store these shared, writeable segments in the global memory
to ensure that a current copy exists for every access.
The Memory Manager Process is tasked by other processes
within the Kernel domain (via Signal and Wait) to perform
memory management functions. These basic functions include
the allocation/deallocation of local and global memory and
- 43 -
of secondary storage, and the transfer of segments between
the local and global memory and between secondary storage
and the main memories. The extended instruction set provid-
ed by tha Memory Manager Process includes: CREATE_ENrRY,
DELETE_ENTRY, ACTIVATE, DEACTIVATE, SWAP.IN, and SWAP_3UT.
These instructions correspond one to one with those of the
Distributed Memory Manager Module. The system wide data
bases utilized by all Memory Manager Processes are the Glo-
bal Active Segment Table (G_AST) , the Alias Table, the Disk
Bit Map, and the Global Memory Bit Map. The processor local
databases used by each Memory Manager Process are the Local
Active Segment Table (L_AST) , and the Local Memory Bit Map.
Gary and Moore [5] provide a detailed description of the Me-
mory Manager, its extended instruction set, and its databas-
es.
A summary of the extended instruction set created by the
components of tha Security Kernel is provided by Figure 10.
One might question the prudence of omitting
PHYS_PREEMPT_HANDLER and VIRT_PREEMPT_HANDLER (viz., the
handler routines for physical and virtual interrupts) from
the extended instruction set as both of these interrupts may
be raised (viz. , initiated) from within the Kernel. A deci-
sion was made to not classify these handlers as "extended
instructions" since they are only executed as the result of
a physical or virtual interrupt and as such cannot be di-
rectly invoiced (viz. , "called") by any module in the system.
- 44 -
A summary of the databases utilized by Kernel modules is





































* Denotes user visible instructions
Figure 10: Extended Instruction Set
- 46 -
MODULE DATABASE
Gate Keeper Parameter Table
Segment Manager Known_Segment_Table (KST)
Traffic Controller Active_Process_Table (APT)













Level of the SASS consists of the system hardware.
This hardware includes: 1) the CPU, 2) the local memory, 3)
the global memory, 4) the secondary storage (viz. hard
disk) , and 5) the I/O ports connecting the Host computer
systems to the SASS. Since the SASS design allows for a
multiprocessor environment, there may exist multiple CPO*s
and local memories. The target machine selected for the in-
itial implementation of the system is the Zilog Z8001 micro-
processor [22]. The Z8001 is a general purpose 16-bit, re-
gister oriented machine that has sixteen 16-bit general
purpose registers. It can directly address 8M bytes of me-
mory, extensible to 48M bytes. The Z8001 architecture sup-
ports memory segmentation and two-domain operations. The
memory segmentation capability is provided externally by the
Zilog Z8010 Memory Management On it (MMO) . The Z8010 MMU
[23] provides management of the Z8001 addressable memory,
dynamic segment relocation, and memory protection. Memory
segments are variable in size from 256 bytes to 64K bytes
and are identified by a set of 64 Segment Descriptor Regis-
ters, which supply the information needed to map logical me-
mory addresses to physcal memory addresses. Each of the 64
- 48 -
Descriptor Registers contains a 16-bit base address field,
an 8-bit limit field, and an 8-bit attribute field. Unfor-
tunately, the Z8001 hardware was not available for use dur-
ing system development. Therefore, all work to date has
been completed through utilization of the Z8002 non-segment-
ed version of the Z8000 microprocessor family [22]. The ac-
tual hardware used in this implementation is the Advanced
Micro Computers Am96/4116 MonoBoard Computer [1] containing
the AmZ8002 sixteen bit non-segmented microprocessor. This
computer provides 32K bytes of on-board RAH, 8k. bytes of
PROM/ROM space, two RS232 serial I/O ports, 24 parallel I/O
lines, and a standard INTEL Multibus interface. The general
structure of the design has been preserved by simulation of
the segmentation hardware in software. This software MMU
Image (see Figure 12) is created as a database within the
Inner Traffic Controller.
The MMU Image is a processor-local database indexed by
DBR_No. Each DBR_No represents one record within the MMU
Image. Each record is an exact software copy of the Segment
Descriptor Register set in the hardware MMU. Each element
of this software MMU Image is in the same form utilized by
the special I/O instructions to load the hardware MMU. Bach
DBR record is indexed by segment number (Segment_No) . Each
Segment_No entry is composed of three fields: Base_Addr,
Limit, and Attributes. Base_Addr is a 16-bit field which










Base_Addr | Limit | Attributes |





(entries for one DBR #)
Figure 12: Memory Management Unit (MMU) Image
- 50 -
Limit is an 8-bit field that specifies the number of conti-
guous blocks of memory occupied by the segment. Attributes
is an 8-bit field representing the eight flags which specify





An extended overview of the current SASS design has been
presented. The four major levels of abstraction comprising
the SASS system have been identified, and the major compo-
nents of each level have been discussed. The extended in-
struction set provided by the SASS Kernel was also defined.
The actual details of this implementation are described by
Strickler [ 19 ].
- 52 -
PART C
THE DESIGN AND IMPLEMENTATION OP THE MEMORY
MANAGES FOR A SECURE ARCHIVAL STORAGE SYSTEM
This section contains updated excerpts from a Naval Postgra-
duaduate School MS Thesis by E. E. Moore and A. V„ Gary [5].
The origins of these excerpts are:
INTRODUCTION from Chapter I
MEMORY MANAGER PROCESS DETAILED DESIGN from Chapter III
STATUS OF RESEARCH from Chapter IV
Minor changes have been made for integration into this report
Chapter X
INTRODUCTION
This thesis addresses the design and partial implementa-
tion of a memory manager for a member of the family of se-
cure, distributed, multi-microprocessor operating systems
designed by Hichardson and O'Connell £7]. The memory manag-
er is responsible for the secure management of the main me-
mory and secondary storage. The memory manager design was
approached and conducted with distributed processing, multi-
processing, configuration independence, ease of change, and
internal computer security as primary goals. The problems
faced in the design were:
1) Developing a process which would securely man-
age files in a multi-processor environment.
2) Ensuring that if secondary storage was inadver-
tantly damaged, it could usually be recreated.
3) Minimizing secondary storage accesses.
4) Proper parameter passing during interprocess
communication.
5) Developing a process with a loop-free structure
which is configuration independent.
- 54 -
6) Designing databases which optiiize the memory
management functions.
The proper design and implementation of a memory manage-
ment process is vital because it serves as the interface
between the physical storage of files in a storage system
and the logical hierarchical file structure as viewed by the
user (viz., the file system supervisor design by Parks [9].
If the memory manager process does not function properly,
the security of that system cannot be guaranteed.
The secure family of operating systems designed qy Sich-
ardson and , Connell is composed of two primary modules, the
supervisor and the security kernel. A subset of that system
was utilized in the design of the Secure Archival Storage
System (SASS) . The design of the SASS supervisor was ad-
dressed by Parks [9], while the security kernel was ad-
dressed concurrently by Coleman [2]. The SASS security ker-
nel design is composed of two parts, the distributed kernel
and the non-distributed kernel. The design of the distribut-
ed kernel was conducted by Coleman [2], and processor man-
agement was implemented by Reitz [12]. This thesis presents
the design and implementation of the non-distributed kernel.
In the SASS design, the non-distributed kernel consists
solely of the memory manager.
The design of the memory manager and its data bases was
completed. The initial code was written in PLZ/SZS, but
could not be compiled due to the lack of a PLZ/SYS compiler.
- 55 -
A thread of the high level code was selected, hand compiled
into PLZ/ASM, and run on the Z3000 developmental module.
- 56 -
Chapter XI
MEMORY. MANAGES PROCESS DETAILED DESIGN
A . INTRODUCTION
The memory manager is responsible for the management of
both main memory (local and global) and secondary storage.
It is a non-distributed portion of the kernel with one memo-
ry manager process existing per physical processor. The me-
mory managsr is tasked (via signal and wait) to perform me-
mory management functions on behalf of other processes in
the system. The major tasks of the memory manager are : 1)
the allocation and deallocation of secondary storage, 2) the
allocation and deallocation of global and local memory, 3)
segment transfer from local to global memory (and vice ver-
sa) , and 4) segment transfer from secondary storage to main
memory (and vice versa) . There are ten service calls (via
signal) which task the memory manager Process to perform












Upon completion of the service request, the memory manager
returns The results of the operation to the waiting process
(via signal) . It then blocks itself until it is tasked to
perform another service. The hardware configuration managed
by the memory manager process is depicted in Figure 13. The
shared data bases used by all memory manager processes are
the Global Active Segment Table (G_ASr) , the Alias Table,
the Disk Bit Map, and the Global Memory Bit Map. The proces-
sor local data bases used by each process are the Local Ac-
tive Segment Table (L_AST) , the Memory Management Unit Imag-
es and the Local Memory Bit Map.
* In the current state these service calls are not implemented
therefore, there are currently six service calls.
- 58 -
Figure 13: SASS H/H System Overview
- 59 -
B. DESIGN PARMEXI1S AND DECISIONS
Several factors were identified during the design of the
memory manager process that refined the initial kernel de-
sign of Coleman [2]. The two areas that were modified, were
the management of the MMU images and the management of core
memory. Both of these functions were managed outside of the
memory manager in the initial design. The inclusion of
these functions in the memory manager process significantly
improved the logical structure of the overall system de-
sign. Additional design parameters were established to fa-
cilitate the initial implementation. These design parame-
ters need to be addressed before the detailed design of the
memory manager process is presented.
It was decided to make the block/page size of both main
memory and secondary storage egual in size. This was to sim-
plify the mapping algorithm from secondary storage to main
memory (and vice versa) . In the initial design the block/
page size was set to 512 bytes.
The size of the page table for a segment was set at one
page (non-paged page table) . This was to simplify implemen-
tation, and had a direct bearing on the maximum segment size
supported in the memory manager. For example, a page size
cf 256 bytes will address a maximum segment size of 32,768
bytes, while a page size of 512 bytes will address a segment
size of 131,072 bytes.
- 60 -
The size of the alias table was set to one page
(non-paged alias table) . The number of entries that the
alias table will support is limited by the size of the page
table (viz. , a page size of 512 bytes will support up to 42
entries in the Alias Table)
.
In the original design, the main memory allocation was
external to the memory manager. This was due to the parti-
tioned memory management scheme outlined by Parks [9] and
Coleman [2]. In the current design, all address assignment
and segment transfer are managed by the memory manager. This
design choice enhanced the generality of the design, and
provided support for any memory management scheme (either in
the memory manager or at a higher level of abstraction)
.
However, the current design still has a maximum core const-
raint for each process.
Dynamic memory management is not implemented in this de-
sign. Each process is allocated a fixed size of physical
core. However, it is not a linear allocation of physical
memory. The design supports the maximum sharing of segments
in local and global memory. All segments that are not
shared, or shared and do not violate the readers/writers
problem will reside in local memory to eliminate the global
bus contention. The need to compact the memory (because of
fragmentation) should be minimal in this design due to the
maximum sharing of segments. If contiguous memory is not
available, the memory manager will compact main memory. Aft-
er compaction, the memory can be allocated.
- 61 -
The design decision to represent memory as one
contiguous block (not partitioned) was made to support a dy-
namic memory management scheme. Without dynamic memory man-
agement, the process* total physical memory can not exceed
the systems main memory. The supervisor knows the size of
the segments and the size of the process* virtual core,
therefore it can manage the swap in and swap out to ensure
that the process* virtual core has not been exceeded.
In the original design, the user*s process inner-traffic
controller maintained the software images of the memory man-
agement unit. This design required the memory manager to re-
turn the appropriate memory management data (viz. , segment
location) to the kernel of the user's process. In the cur-
rent design, the software images of the MHU are maintained
by the memory manager. A descriptor base pointer is provid-
ed for the inner-traffic controller to multiplex the process
address spaces. The HMU image data base does not need to be
locked (to prevent race conditions) due to the fact that
process interrupts are masked in the kernel. Thus, if the
memory manager (a kernel process) is running then no other
process can access the MMU image.
The system initialization process has not been addressed
to date. However, this design has made some assumptions
about the initial state of the system. Since the memory
manager handles the transfer of segments from secondary sto-
rage to main memory, it is likely to be one of the first
- 62 -
1
processes created. The memory manager^ core image will con-
sist of its pure code and data sections. The minimal ini-
tialization of the memory manager 1 s data bases are entries
for the system root and the supervisors segments in the
G_AST and L_AST (s) , and the initializaton of the MMU images
with the kernel segments. The current design does not call
for an entry in the G_AST or L_AST for the kernel segments.
However, when system generation is designed this will have
to be readdressed.
The original [2] memory manager databases have been re-
fined by this thesis to facilitate the memory management
functions. The major refinements of the global and local ac-
tive segment tables are outlined in the following section.
C. DATA BASES
1 • Global Active Segment Table
The Global Active Segment Table (see Pigure 14) is a
system wide, shared data base used by memory manager pro-
cesses to manage all active segments. A lock/unlock mechan-
ism is utilized to prevent any race conditions from occur-
ring. The signalling process locks the G_AST before it
signals the memory manager. This is done to prevent a dead-
ly embrace from occurring between memory manager processes,
and also to simplify synchronization between memory manag-
ers. The entire G_AST is locked in this design to simplify























* Field indicates a two processor environment
/ # Active | No. I Page( Alias | Seq- |Inst- Inst-|
/In Memory Active
I
Size|Table| Table| uencerj ancel ance2|
/ I Depend. I Loc | Loc | | 1
/ I I 1
/ I i I
/ t I i
/ I i
/ I I I
/ I
/ I I 1 i
/ 1 1 1
Figure 14: Global Active Segment Table
- 64 -
The G_AST size is fixed at compile time. The size of
he G_AST is the product of the G_AST record size, the maxi-
mum number of processes and the number of authorized known
segments per process. Although the G_AST is of fixed size,
it is plausible to dynamically manage the entries as pro-
posed by Richardson and O'Connell [7]. The current memory
manager design could be extended to include this dynamic
management.
The Onique_Id field is a unique segment identification
number in the G_AST. This field is four bytes wide and will
provide over four billion identification numbers. A design
choice was made not to manage the reallocation of the uni-
que_id*s. Thus when a segment is deleted from the system,
the unique_id is not reused.
The Global_Address field is used to indicate if a seg-
ment resides in global or local memory. If not null, it con-
tains the global memory base address of a segment. A null
entry indicates that the segment might be in local memo-
ry (s) .
The Processors_L_ASTE_# field is used as a connected
processors list. The field is an array structure, indexed
by Processor_Id. It identifies which L_AST the segment is
active in, and provides the index into each of these tables.
The design choice of maintaining an entry in the L_AST for
all locally active segments implies that if all entries in
the Processors_L_ASTE_# field are null, the segment is not
- 65 -
active and can be removed from the G_AST (viz., no proces-
sors are connected) .
The Flag_Bits field consists of the written bit, and
the writable bit. The written bit is set when a segment is
swapped out of memory, and the MMU image indicates that it
has been written into. The writable bit is set during seg-
ment loading to indicate that some process has write access
to that segment.
If an active segment is a leaf, the G_ASTE_#_Parent
field provides a back pointer to the G_AST index of its pa-
rent. This back pointer to the parent is important during
the creation of a segment. If a request is received to
create a segment which has a leaf segment as its parent,
then an alias table has to be created for that parent.
Also, the alias table of the parent's parent needs to be up-
dated to reflect the existence of the newly created alias
table (sea Figure 15) . The indirect pointer shown is the
back pointer to the parent via the G_AST.
The No_Active_In_Memory field is a count of the number
of processes that have the segment in global memory. It is
used during swap out to determine if the segment can be re-
moved from global memory.
The No_Active_Dependents field is a count of the number
of active leaf segments that are dependent on this entry
(viz., require that this segment remain in the G_AST) . Each
time a process activates or deactivates a dependent segment













Figure 15: Alias Table Creation
- 67 -
The Size field is the size of the segment in bytes. The
Page_Table_location field is the disk location of the page
table for a segment, and the Alias_Table_Location field is
the disk location of the alias table for the segment. The
Alias_Table field can be null to indicate that no alias ta-
ble exists for the segment.
The last three fields are used in the management of ev-
entcounts and seguencers [ 12]. The Seguencer field is used
to issue a service number for a segment. The Instance_1
field and Instance_2 field are eventcounts (i.e., are used
to indicate the next number of occurances of some event)
.
2. Local Active Segmen t Table
The Local Active Segment Table (see Figure 16) is a
processor local data base. The L_AST contains the character-
istics (viz., segment number, access) of each locally active
segment. An entry exists for each segment that is active in
a process "loaded" on this CPU and in local memory. The
first field of the L_AST contains the memory address of the
segment. If the segment is not in memory, this field is
used to indicate whether the L_AST entry is available or ac-
tive. The Segment_No/Access field is a combination of seg-
ment number and authorized access. It is an array of records
data structure that is indexed by DBB_#. The first record
element (viz., most significant bit) is used to indicate the
access (read or read/write) permitted to that segment. The
- 68 -
second record element (viz., the next seven bits) is used to
indicate the segment number. A null segment number indi-





DBR_0 DBR_1 DBR_2 DBR_3 DBR_4 DBR_5
Figure 16: Local Active Segment Table
3. Alias Table
The alias table (see Figure 17) is a memory manager data
base which is associated with each non leaf segment in the
kernel. An aliasing scheme is used to prevent passing sys-
temwide information (unigue_id.) out of the kernel. Seg-
ments can only be created through a mentor segment and entry
- 69 -
number into the mentor's alias table. When a segment is
created, an entry must be made in its mentor segments alias
table. Thus the mentor segment must be known before that
segment can be created.
Entry_#




Figure 17: Alias Table
The alias table consists of a header and an array struc-
ture of entries. The header has two "pointers" (viz., disk
addresses) , one that links the alias table to its associated
segment and one that links the alias table to the mentor
segment's alias table. The header is provided to support the
re-construction of the file system after a system crash due
- 70 -
to device I/O errors. It is not used at all during normal
operations. Each entry in the array structure consists of
five fields for identifying the created segments. The Uni-
que_Id field contains the unique identification number for
the segment. The Size field is used to record the size of
the segment. The Class field contains the appropriate secur-
ity access class of the segment. The Page_Table_Location
field has the disk, address of the page table. A null entry
indicates a zero-length segment. The Alias_Table_Location
field has the disk, address of the alias table for the seg-
ment. A null entry indicates that the segment is a leaf
segment.
4 . Memory Management Unit Imaae
The Memory Management Unit Image (MMU..Image) is a pro-
cessor local data base. It is an array structure that is in-
dexed by the DBR_#. Each MMU_lmage (see Figure 18) includes
a software representation of the segment descriptor regis-
ters (SDR) for the hardware MMU [23]. This is in exactly
the format used by the special I/O instructions for loading/
unloading the MMU hardware. The SDR contains the
Base_Address r Limit and Attribute fields for each loaded
segment in the process* address space. The Base_Address
field contains the base address of the segments in memory
(local or global) . The Limit field is the number of blocks
of contiguous storage for each segment (zero indicates one
- 71 -
block). rhe Attribute field contains eight flags. Fiv<
flags are used for protecting the segment against certaii
types of access, two encode the type of accesses made to th<
segment (read/write) , and one indicates the special struc-
ture of the segment [23], Five of the eight flags in the
attribute field are used by the memory manager. The "systei
only" and "execute only" flags are used to protect the cod*
of the kernel from malicious or unintentional modifications.
The "read only" flag is used to control the read or write
access to a segment. The "change" flag is used to indicate
that the segment has been written into, and the "CPU-inhi-
bit" flag is used to indicate that the segment is not in me-
mory.
The last two fields of the MMO_Image are the Block_asec
field and the Maximum_Available_Blocks field. These twc
fields are used in the mangement of each process 1 virtual






Max Avail Blocks |
Base_Addr | Limitl Attributes
one record / DBR_#
Figure 18: Memory Management Unit Image
- 73 -
5. Meiorz Allocation/Deallocation Bit Mags
All of the memory allocation/deallocation bit maps (see
Figure 19) are basically the same structure. Secondary sto-
rage, global memory and local memory are managed by memory
bit maps. The Disk_Bit_Map is a global resource that is
protected from race conditions via the locking convention
for the G_AST. Each bit in the bit map is associated with a
block of secondary storage. A zero indicates a free block
of storage while a one indicates an allocated block of sto-
rage. The Global_Memory_Bit_Map is used to manage global me-
mory. It is a shared resource that is protected from race
conditions by the locking of the G_AST. The Lo-
cal_Memory_Bit_Map is the same structure as the Glo-
bal_Memory_Bit_Map and is used to manage local memory. The
Local_Memory_Bit_tiap is not locked since it is not a shared






Figure 19: Memory Allocation/Deallocation Map
D. BASIC FUNCTIONS
The detailed source code for the basic functions and
main line of the memory manager is presented in Appendix J.
In the discussion of the memory manager design, a pseu-
do-code similar to PLZ/SYS is utilized. The rationale for
using this pseudo-code was to provide a summary of the memo-
ry manager source code, and to facilitate the presentation
of this design.
It is assumed that the memory manager is initialized
into the ready state at system generation (as previously
mentioned) . When the memory manager is initially placed
into the running state, it will block itself (via a call to
- 75 -
the kernel primitive Wait) . Wait will return a message from
a signalling process. This message is interpreted by the me-
mory manager to determine the requested function and its re-
quired arguments. The function code is used to enter a case
statement, which directs the request to the appropriate me-
mory manager procedure.
When the requested action is completed, the memory man-
ager returns a success code (and any additional required
data) to the signalling process via a call to the kernel
primitive Signal. This call will awaken the process which
requested the action to be taken, and place the returned
message into that process' message queue. When that action
is completed, the memory manager will return to the top of
the loop structure and block itself to wait for the the next
request. The main line pseudo-code of the memory manager






VP_ID r MSG 7= WAIT
FUNCTION, ARGUMENTS := VALIDATE MSG (MSG)
IF FUNCTION
CASE CREATE_ENTRY THEN
SUCCESS_CODE := CREATE_ENTRY (ARGUMENTS)
CASE DELETE_ENTRY THEN
SUCCESS_CODE := DELETE_ENTR* (ARGUMENTS)
CASE ACTIVATE THEN
SUCCESS_CODE := ACTIVATE (ARGUMENTS)
CASE DEACTIVATE THEN
SUCCESS_CODE := DEACTIVATE (ARGUMENTS)
CASE SWAP_IN THEN
SUCCESS_CODE := SWAP_IN (ARGUMENTS)
CASE SWAP_OUT THEN
SUCCESS_CODE := SWAP_OUI (ARGUMENTS)
CASE DEACTIVATE_ALL THEN
SUCCESS_CODE := DEACTIV AIE_ALL (ARGUMENTS)
CASE MOVE_TO_GLOBAL THEN
SUCCESS_CODE := MOVE_TO_GLOBAL (ARGUMENTS)
CASE MOVE_TO LOCAL THEN
SUCCESS_CODE := MOVE_TO_LOCAL (ARGUMENTS)
CASE UPDATE THEN
SUCCESS_CODE := UPDATE (ARGUMENTS)
FI
SI3NAL (VP_ID, SUCCESS_CODE, ARGUMENTS)
OD
END MEMORY_MANAGER_PLZ/SYS MODULE
Figure 20: Memory Manager Mainline Code
- 77 -
1 • Create an Alias Table Entr.y
Create_Entry is invoked when a user desires to create a
segment. A segment is created by allocating secondary sto-
rage, and by making an entry (unigue_id, secondary storage
location, size, classification) into it's mentor segments
alias table. This implies that the mentor segment must have
an alias table associated with it, and that the mentor seg-
ment must be active in order to obtain the secondary storage
location of the alias table.
The mentor segment can be in one of two states. It may
have children (viz., have an alias table), or it may be a
leaf segment (viz., not have an alias table). If the mentor
segment has children, it has an alias table and this alias
table can be read into core, secondary storage can be allo-
cated, and the data can be entered into the alias table. If
the mentor segment is a leaf, an alias table must be created
for that segment before it (the alias table) can be read
into core and data entered into it (see Figure 15)
.
The pseudo-code for CREATE_ENTBY PRQCEDUfiE is presented
in Figure 2 1. The arguments passed to Create_Entry are the
index into the G_AST for the mentor segment, the entry num-
ber into its alias table, the size of the segment to be
created, and the security access class of that segment. The
return parameter is a success code, which would be
"seg_created H for a successful segment creation.
- 78 -
CREATE_ENTRY PROCEDURE (PAR_INDEX WORD, ENTRY_# WORD,
SIZE WORD, CLASS ~BYTE)
RETURNS (SUCCESS_CODE BYTE)
LOCAL BLKS WORD, PAGE_TABLE_LOC WORD
ENTRY
IF ALIAS_TABLE_DOES_NOT_EXIST THEN
SUCCESS_CODE := CRE ATE_ALI AS_TABLE
IF SUCCESS_CODE <> VALID THEN RETURN
FI
FI
BLKS := CALCULATE_NO_BLKS_REQ (SIZE)
SUCCESS_CODE : = R EAD~ALIAS_TABLE (
G_AST[ PAR~INDEX ]. ALIAS TABLE LOC)
IF SUCCESS_CODE <> VALID THEN RETURN
FI
SUCCESS CODE := CHECK_DUP ENTRY ! in alias table !
IF SUCCESS_CODE <> VALID THEN RETURN
FI
SUCCESS_CODE, PAGE_TABLE_LOC := ALLOC_SEC_STORAGE (BLKS)
IF SUCCESS_CODE <> VALID THEN RETURN
FI
UPDATE ALIAS_TABLE(ENTRY_#, SIZE, CLASS, P AGE_TABLE_LOC)
SUCCESS_CODE~:= WRITE_ALIAS_TABLE (
G_AST( PAR_INDEX].ALIAS_TABLE_LOC)
IF SUCCESS_CODE <> VALID THEN RETURN
ELSE SUCCESS_CODS := SEG_CREATED
FI
END CREATE ENTRY
Figure 21: Create Entry Pseudo-code
- 79 -
When invoked, Create_Entry will determine which state
the mentor segment is in (viz., if it has an alias table).
If an alias table does not exist for the mentor segment, one
is created and the alias table of the mentor segments pa-
rent is updated. The alias table is read into core and a
duplicate antry check is made. If no duplicate entry exists,
the segment size is converted from bytes to blocks, and the
secondary storage is allocated for non-zero sized segments.
The appropriate data is entered into the alias table and the
alias table is then written back to secondary storage.
2. Delete an Alias Table Entry.
Delete_Entry is invoked when a user desires to delete a
segment. A segment is deleted by deallocating secondary
storage, and by removing the appropriate entry from the ali-
as table of its mentor segment (the reverse logic of
Create_Entry) . This implies that the mentor segment must be
active at the time of deletion. There are three conditions
that can be encountered during the deletion of a segment:
the segment to be deleted may be an inactive leaf segment,
an active leaf segment, or a mentor segment.
If the segment to be deleted is an inactive leaf segment
(viz., has been swapped out of core, and does not have an
entry in the G_AST) , the secondary storage can be deallocat-
ed and the entry deleted from the mentor segment* s alias ta-
ble. If the segment is an active leaf segment, the segment
- 80 -
must first be swapped out of core and deactivated before it
can be deleted. This entails signalling the memory manager
of each processor, in which the segment is active, to swap
out and deactivate the segment.
If the segment to be deleted is a mentor segment, an
alias table exists for that segment . If the alias table is
empty, the secondary storage for the alias table and the
segment can be deallocated, and the entry for the deleted
segment can be removed from its lentor's alias table. If the
alias table contains any entries, the segment cannot be de-
leted because these entries would be lost. If this condition
is encountered a success code of "leaf_segment_exists" is
returned to the process which requested to delete the entry.
Due to a confinement problem in "upgraded" segments, this
Success_code cannot always be passed outside of the kernel.
This implies that the segment manager must strictly prohibit
deletion of a segment with an access class not equal to that
of the process.
The pseudo-code for DELETE_ENTBY_PEOCEDUBE is presented
in Figure 22. The parameters that are passed to this proce-
dure are the parent's index into the G_AST and the entry
number into the parent's alias table of the segment to be
deleted. The alias_table_loc field is checked to determine
the state of the mentor segment (either a leaf or a node)
,
and the appropriate action is then taken. A success code is
returned to indicate the results of this procedure.
- 81 -




! Check if the passed mentor segment has an alias table. !
IP G_AST[PAR INDEX], ALI AS_TABLE_LOC <> NULL





IF SUCCESS_CODE <> VALID THEN RETURN
FI
! Determine if segment has children in alias table !
IF ALIAS_TABLE_NOT EMPTY THEN
SUCCESS_CODE : =~LEAF_SEGHENT_EXISTS
RETURN ! Deletion will delete children !
ELSE
! Search G AST with UNIQUE ID to verify segment inactive !
IF ~ACTIVE_IN_G_AST~ THEN




! Check G_AST to verify segment inactive in other L_AST*s i
IF ACTIVE_IN_OTHEH_L_AST THEN








G_AST[ PAR~INDEX]. ALIAS TABLE_LOC)
IF SUCCESS_CODE = VALID THEN
SUCCESS_CODE := SEG DELETED
FI
END DELETE ENTRY
Figure 22: Delete Entry Pseudo-code
- 82 -
3. Activate a Segment
Activate is invoked when a user desires to make a seg-
ment known by adding a segment to his address space. A seg-
ment is activated by making an entry into the L_AST for that
processor, and the G_A3T. The activated segment could be in
one of three states; it could have previously been activated
by another process and have a current entry in both the
G_AST and L_kST f it could have previously been activated by
another process on a different processor and have an entry
in the G_AST but not the L_AST, or it could be inactive and
have an entry in neither the G_AST nor the L_AST.
If the segment to be activated already has entries in
both the L_AST and G_AST, these entries need only be updated
to indicate that another process has activated the segment.
The segment number is entered into the Seg-
ment_No/Access_Auth field of the L_AST, and if the segment
is a leaf, its mentor's No_Active_Dependents field in the
G_AST is incremented. In this design, the G_ASI is always
searched to determine if the segment has been previously ac-
tivated by another process.
If the segment to be activated has an entry in the G_AST
but not the L_AST, an entry must be made in the L_AST and
the G_AST must be updated. The L_AST is searched to deter-
mine an available index. The segment number is entered into
the L_AST r and the index number is entered into the G_AST
- 83 -
Processors_L_ASTE_# field. If the segment to be activated is
a leaf segment, its mentor's No_Active_Dependents field in
the G_AST is incremented.
If the activated segment does not have an entry in eith-
er the G_AST or L_AST, an entry must be made in both. The
G_AST is searched to find an available index, and the entry
is made. The L_AST is then searched to find an available in-
dex, and the entry is made. The L_AST index is then entered
into the G_AST Processors_L_ASTE_# field. If the activated
segment is a leaf, the No_Acti ve_Dependents field of its
mentor* s 5_AST entry is incremented.
The pseudo-code for ACTIVATE PROCEDURE is presented in
Figure 23. The parameters that are passed are the DBR_# of
the signalling process, the mentor segment's index into the
G_AST, the alias table entry number, and the segment number
of the activated segment. The mentor segment is always
checked to determine if it has an associated alias table. If
it does not, the success code of "alias_does_not_exist" is
returned. If the alias table does exist, it is read into
core and the entry number is used as an index to obtain the
activated segment's unigue_id. The G_ASI is then searched
to determine if the segment has already been activated. If
the unique_id is found, the G_AST is updated and the L_AST
is either updated or an entry is made (depending on whether
an entry existed or not) . If the unigue_id of the segment
was not found during the search of the G_AST, an entry must
- 84 -
be made in both the G_AST and L_AST. Activate returns the
activated segment's classification, size, and handle to the
signalling process.
- 85 -
ACTIVATE PROCEDURE (DBR_# BYTE, PAR_INDEX WORD,
ENTRY_# WORD, SEGMENT.NO BYTE)
RETURNS (SUCCESS_CODE BYTE, RET_G_AST_HA NDLE HANDLE,
CLASS BYTE, SIZE WORD)
LOCAL G_INDEX WORD, L_INDEX WORD
ENTRY
! Verify that passed segment is a mentor segment I
IF G_AST[ PARllNDEX].ALIAS_TABLE_LOC <> THEN
SUCCESS_CODE := READ_ ALIAS_TABLE (




IF SUCCESS_CODE <> VALID THEN RETURN
FI
! Check 3_AST to determine if active !
SUCCESSICODE, INDEX := SEARCH_G_AST (UNIQUE_ID)
IF SUCCESS_CODE = FOUND THEN
IF SEGHENT_IN_L_AST THEN




IF G_AST["lNDEX ]7ALI AS_T ABLE_LOC = NULL THEN





MAKE_L AST_ENTRY (PAR INDEX, ENTRY #)
FI
SUCCESS_CODE := SEG_ACTIV ATED
END ACTIVATE
Figure 23: Activate Pseudo-code
- 86 -
** • P§§£ti vate a Segment
Deactivate is invoiced when a user desires to remove a
segment from his address space. To deactivate a segment,
the memory manager either removes or updates an entry in
both the L_AST and G_AST. Deactivate uses the reverse logic
of activate. Once a segment is deactivated, it can only be
reactivated via its mentor's alias table as discussed in ac-
tivate. If a process requests to deactivate a segment which
has not bean swapped out of the process* virtual core, the
memory manager swaps the segment out and updates the MMU im-
age before the segment is deactivated. The segment to be
deactivated could be in one of three states; more than one
process could concurrently hold the segment active in the
L_AST, the segment could be held active by one process in
the L_AST and more than one in the G_AST, the segment could
be held active by only one process in both the L_AST and the
G_AST.
Deactivation of leaf segments and mentor segments are
handled differently. If the segment is a mentor segment and
has active dependents, it cannot be removed from the G_AST
(even though no process currently has that segment active)
.
This is based on the design decision which requires that the
mentor of all active leaf segments remain in the G_AST to
allow access to its alias table. The mentor's alias table
must be accessible when an alias table is created for a de-
- 87 -
pendent leaf segment. If a leaf segment is deactivated, the
No_Active_Dependents field of its mentor's G_AST entry is
decremented. A mentor segment can only be removed from the
G_AST if no process holds it active, and it has no active
dependents.
If more than one process concurrently hold a segment ac-
tive in the L_AST, and one of them signals to deactivate
that segment, the entry in the L_AST is updated. This is ac-
complished by nulling out the Segment_No/Access_Auth field
of the L_AST for the appropriate process. If required, the
No_Active_Dependents field of its mentor segment* s G_AST en-
try is decremented.
If only one process holds the segment active in the
L_AST, and that Process signals to deactivate the segment,
the L_ASI entry for that segment is removed. The Proces-
sors_L_ASTE_# is updated and checked to determine if there
are other connected processors. If there are no other con-
nected processors and the segment has no active dependents,
the segment is removed from the G_AST. If there are other
connected processors, the G_AST is updated. If the deacti-
vated segment is a leaf, the mentor segments
No_Active_Dependents field in the G_AST is decremented.
The pseudo-code for DEACTIVATE PROCEDURE is presented in
Figure 24. The parameters that are passed to the memory man-
ager are the DBR_# of the signalling process, and the index
into the G_AST for the segment to be deactivated. The
- 88 -
procedure first updates the L_AST, and then removes xhe en-
try if no local process holds the segment active. The G_AST
is then updated, and its mentor segment is checked (if the
deactivated segment was a leaf) , to determine if it can be
removed. If no processes currently hold the segment active,





























PROCEDURE (DBR_# BYTE, PAR_INDEX WORD)
(SUCCESS_CODE BYTE)
INDEX WORD
f segment is in core !
T( INDEX ]. NO_ACTIVE_IN_MEMORY <> THEN
eck MMU image to determine if in local memory !
IN LOCAL_MEMORY THEN
SUCCESS_CODE := OUT (DBR_#, INDEX)






f deleted segment was a leaf !
T[ INDEX ].G_ASTE # PAR <> THEN
ST[PAR_INDEX ]. NO_DEP ENDENTS_ACTI VE -
ne if parent can be removed i
CK_FOR_REMOVAL (PAR_INDEX)
= 1




Figure 24: Deactivate Pseudo-code
- 90 -
5. Swag a Segment In
SWAP_IN is invoiced when a user desires to swap a seg-
ment into main memory (global or local) from secondary sto-
rage. A segment is swapped into main memory by obtaining the
secondary storage location of its page table from the G_AST,
allocating the reguired amount of main memory, and reading
the segment into the allocated main memory. The segment must
be active before it can be swapped into core, and the re-
guired main memory space must be available. Three conditions
can be encountered during the invocation of SWAP_IN. The
segment can already be located in global memory, the segment
can already be located in one or more local memories, or the
segment may only reside in secondary storage.
If the segment is not in local or global memory, local
memory is allocated, the segment is read into the allocated
memory, and the appropriate entries are made in the tfMU im-
age, the L_AST and the G_AST. If the segment is already in
global memory, it can be assumed that the segment is shared
and writable. In this case the only required actions are to
update the G_AST and L_AST. The No_Active_In_Memory field of
the G_AST entry is incremented, and the ft&U image is updated
to reflect the swapped in segment 1 s core address and attri-
butes.
If the segment already resides in one or more local me-
mories, it must be determined if the segment is "shared" and
- 91 -
'•writable". A segment is "shared" if it exists in more than
one local memory. A segment is "writable" if one process has
j
write access to that segment. If the segment is not shared
or not writable and in local memory, the appropriate entries
j
are updated in the HMU image, the L_AST, and the G_AST. If
the segment does not reside in local memory, the required I
amount of local memory is allocated, the segment is read
into the allocated memory, and the appropriate entries are
made in the MMO image, the L_AST, and the G_AST.
If the segment is shared, writable, and in local memory,
the segment must be moved to global memory. If the segment
is not in the memory manager's local memory, it signals
another memory manager to move the segment to global memory.
After the segment is moved to global memory, the memory man-
ager signals all of the connected memory manager's to update
their L_AST and AMU data bases. When all local data bases
are current, the memory manager updates the G_AST and re-
turns a success code of seg_activated.
The pseudo-code for SWAP_IN PROCEDURE is presented in
Figure 25. The arguments passed to SWAP_IN are the
G_AST_INDEX of the segment to be moved in, the process'
DBR_#, and the access authorized. SWAP_IN will convert the
segment size from bytes to blocks, and verify that the pro-
cess' core will not be exceeded. If the virtual core will
be exceeded, a success code of "core_space_exceeded" will be
returned. If write access is permitted, the writable bit is
- 92 -
set. Checks are then performed to determine the segment's
storage location (local or global) , and the appropriate ac-
tion is taken.
- 93 -
SWAP_IN PROCEDURE (INDEX WORD, DBR_# BYTE,
ACCESS_AUTH BYTE)
RETURNS (SUCCESS_CODE BYTE)
LOCAL L_INDEX WORD, BLKS WORD
ENTRY
BLKS := CALCULATE_NO._OF_BLKS (G_ASr[ INDEX ]. SIZE)
SUCCESS_CODE := CHECK~MAX_LINEAR_CORE (BLKS)
IF SUCCESS_CODE = VI RTUAL_LI NE Afl_CORE_FULL THEN
RETURN
FI
G_AST[ INDEX ]. NO_SEGMENTS_IN_MEMORY = 1
IF ACCESS_AUTH = WRITE* THEN
G AST[INDEX].FLAG BITS ;= WRITABLE_BIT_SET
FI
! Determine if segment can be put in local memory i
IF G_AST[ INDEX]. FLAG BITS AND WRITABLE_MASK =
ORIF 3_AST[ INDEX ]. NO_ACTIVE_IN_MEMORY <= 1 THEN




READ_SEGMENT "(PAGE TABLE_LOC, BASE ADDR)
L_AST[L_INDEX] := BASE ADDR
FI
ELSE







MOVE TO_GLOBAL (L_INDEX, BASE ADDR, SIZE)
ELSE




UPDATE_MMU_IMAGE (DBR_#,SEG_# ,BASE ADDR, ACCESS, BLKS)
UPDATE_L_AST_ACCESS (L INDEX, ACCESS, DBR #)
SUCCESS_CODE := SWAPPED_IN
END SWAP IN
Figure 25: Swap_In Pseudo-code
- 94 -
6. Swag a Segment O ut
SWAP_OUT is invoked when a user desires to move a seg-
ment out of core. A segment is swapped out of core by ob-
taining its secondary storage location, writing the segment
to that location (if required) , and deallocating the main
memory used. The decision to write the segment is deter-
mined by the G_AST written bit. This bit is set whenever the
segment has been modified. The segment to be swapped out
can be in one of two states: the segment can be in local
memory, or the segment can be in global memory.
If one process has the segment in local memory and the
written bit is set, the segment is written into secondary
storage and the local memory is deallocated. If the written
bit is not set, the local memory need only be deallocated.
If more than one process has the segment in the same local
memory, the segment remains in core. The appropriate MMO im-
age is updated to reflect the segments deletion and the
G_AST No_Active_In_Memory field is decremented.
All segments in global memory are shared and writable.
If a process requests the segment to be swapped out, the
segment remains in memory. The MMU image is updated to re-
flect the segments deletion, and the G_AST
No_Active_In_Memory field is decremented. If the
No_Active_In_Memory indicates that one process has the seg-
ment in core, its memory manager is signalled to move the
segment to local memory.
- 95 -
The pseudo-code for SWAP_OUT PROCEDURE is presented in
Figure 26. The arguments passed to SWAP_OUT are the DBR_#
of the signalling process, and the G_AST_INDEX of the seg-
ment to be removed. The return parameter is a success code.
SWAP_OUT removes the segment from the process* s virtual
core, deletes the segment from its HMU image, and decrements
the No_Acti ve_In_Memory field. If the segment can be removed
from memory, it is determined which memory can be deallocat-
ed. If the segment has been modified, it is written back to
secondary storage and the appropriate memory deallocated.
If the segment has not been modified, the appropriate memory
is deallocated. If after the deletion one process has the
segment in global memory, its memory manager need only be
signalled to move the segment to local memory. When
SWAP_OUT successfully completes, it returns a success code
of "swapped out".
- 96 -
SWAP_OUT PROCEDURE (DBR_# BYTE, INDEX WORD)
RETURNS (SUCCESS_CODE BYTE)
ENTRY
BLKS := G_AST[ INDEX]. SIZE / BLK_SIZE
FREE_PROCESS_LINEAR_CORE (BLKS)"
DELETE_MMU_ENTRY (DBR_#, SEG_#)
G_AST[ INDEX ]• NO_SEGMENTS_IN_MEMORY - = 1
! Determine if segment has been written into !
IF MMU_IMAGE[ DBR_# ]. SDR[ S EG_# ]. ATTRIBUTES=WRITTEN THEN
! If segment has been written into, update G_AST !
3_AST[INDEX].FLAG_BITS := WRITTEN
FI
! Determine if segment is in global memory !
IF S_AST[ INDEX ]. GLOBAL_ADDfi <> NULL THEN
IF G_AST[ INDEX ]. NO_SEGMENTS_IN_MEMOR Y =




IF G_AST[ INDEX ] . NO_ACTI VE_IN_MEMO RY = THEN
FREE LOCAL_BIT MAP (MEMORY ADDR,BLKS)
FI
FI
ELSE I If not in global memory !
IF G_AST[ INDEX]. NO_ACTIVE_IN_MEM0RY =











Figure 26: Swap_Out Pseudo-code
- 97 -
7. Deactivate All Segments
DEACTIVATE_ALL is invoked when it becomes necessary to
remove a segment from every process* address space. Each
process is checked to determine if the segment is active. If
a process has the segment active, it is deactivated from its
address space. The pseudo code for Deactivat e_all is illus-
trated in Figure 27. The parameters passed to Deacti-
vate_all are the deactivated segment's G_AST index and the
L_AST index. The L_AST is searched by DBR_# to determine
which process has the segment active. If the check reveals
that the segment is active, it is deactivated by calling
Deactivate. If the segment was successfully deactivated froi
all processes, a success_code of valid is returned.
- 98 -






IF I = MAX_DBR # THEN
EXIT
FI
IF L_AST[ L_INDEX]. SEGMENT NO/ACCESS AUTH[I]
<> ZERO THEN
SUCCESS_CODE := DEACTIVATE (I, INDEX)






SUCCESS_CODE : = VALID
END DEACTIVATE~ALL
Figure 27: Deactivate All Pseudo-code
8- 39.y.§ i Segment to Global Memgry.
MOVE_TO_GLOBAL is invoked when it becomes necessary to
move a segment from local to global memory. If a segment re-
sides in one or more local memories, and a process with
write access swaps that segment into core, or if a segment
resides in in local memory (with write access) and another
process with read access reguests the segment swapped in,
the segment is moved from a local to global memory to avoid
a secondary storage access. If the segment resides in the
running memory managers local memory, it will affect the
- 99 -
segment transfer, otherwise it will signal another memory
manager of a connected processor to affect the transfer.
Figure 28 illustrates the pseudo-code for MOVE_TO_GLOBAL.
Once the segment has been moved to global memory, the sig-
nalled memory manager will update the MMU images for all
connected processes, and deallocate the freed local memory.
A success code of completed will be returned to the signall-
ing memory manager. The parameters passed to the memory
manager are the segment's L_AST index the global memory ad-
dress of the move, and the size of the segment. This infor-
mation is passed because the G_AST is locked during this re-
quest.


















gment from local memory to global memory !
RY_MOVE (MEMORY_ADDR, GLOBAL ADDR)
NDEX ]. MEMORY_ADDR := AVAILABLE
the MMU image to reflect new address !
_ALL_DBR*S
AST[ L_INDEX].SEGMENT_NO/ACCESS AUTH <> ANDIF
MAGE[DBR_#].SDR[SEG_#].ATTRIBUTES=IN_LOCAL THEN
_IMAGE[ DBR_# ]. SDR[ SEG_# ]. BASE_ADDR :=GLOBAL ADDR
CODE := VALID
GLOBAL
Figure 28: Move To Global Pseudo-code
- 100 -
»• «o2e a Segam to £ocai Uuan
aO7B_T0_LOCAL is invoiced when it h*™*a becomes necessary to




swaps the segment out. The s«amon* •eg e t is moved from global me-mory to the local memory of +h* ~» t e remaining process. Fi gure 29illustrates the pseudo-code for MOVE TO LOCAL The«.- ->«»•**• parame-
ters passed to the memory manager are th*ae segment's L ASTindex, the global address of the segment and „ ,
"
***»*»*, the size ofthe segment. The return parameter 1-is a success code. The
















S&CCESS.CODE :* VALID2ND HOFS^TO.LOCAL
Pigura 29: Move To Local Pseudo-code
- 101 -
10. legate the 8BU Image
UPDATE is invoiced following a M0VE_T0_SL0BAL operation.
After a segnent has been moved from local aeaory to global
memory, it is necessary to signal the memory managers of all
connected processors to update their 8M0 images and L_AST
with the current location of the segment. They must also
deallocate the moved segment* s local memory. Figure 30 il-
lustrates the pseudo-code of UPDATE. The parameters passed
to the memory manager are the segment's L_AST index, the new
global address for the segment, and the size of the segment.
The return parameter is a success code.
UPDATE PROCEDURE (L_INDEX HOBD, GLOBAL_ADDR WORD,
SIZE WORD)
RETURNS (SUCCESS CODE BYTE)
ENTRY
DO FOR_ALLJ)BR«S
IP L_ASTfL_INDEX]. SEGMENT NO/ACCESS AUTH <> ANDIF





BLKS :- SIZE / BLK_SIZE
FREE.LOCAL^BIT.SAP" (MEMORY ADDR , BLKS)
L_AST[ L.INDEX ]7mEH0RY_ADDR~:= ACTIVE
SUCCESS CODE :- VALID*
END UPDATE
Figure 30: Update Pseudo-code
- 102 -
E. SOHHAaY
In this chapter the detailed design of the memory manag-
er process has been presented. The purpose of the memory
manager was outlined, followed by a detailed discussion of
the memory manager's data bases. The design presented has
identified ten basic functions for the memory manager. The
success codes returned by the memory manager are presented
in Figure 3 1
.
This design has assumed that the kernel level inter-pro-
cess synchronization primitives will be Saltzer's signal and
wait primitives [14], This fact dominated the design deci-
sion to lock the G_AST in the user's process before it sig-
nals the memory manager. In a multi-processor environment,
the possibility of a deadly embrace exists if the memory
manager processes lock the G_AST. Should follow on work im-
plement eventcounts and seguencers as kernel level synchron-
ization primitives, the locking of the 3_AST and memory man-
ager synchronization will need to be readdressed.
- 103 -





























! * DISK ERRORS !





The memory manager design utilized stare of the art
software techniques and hardware devices. The design was de-
veloped based upon ZILOG*S Z8001 sixteen bit segmented mi-
croprocessor used in conjunction with the Z8010 Memory Man-
agement Unit [23]. A microprocessor which supports
segmentation is required to provide access control of the
stored data. The actual implementation of the selected
thread was conducted upon the Z8002 non-segmented micropro-
cessor without the Z8010 HMU.
While information security requires that the micropro-
cessor support segmentation, the memory manager was devel-
oped to be configuration independent. The design will sup-
port a multi-processor environment, and can be easily
implemented upon any microprocessor or secondary storage
device. The loop free modular design facilitates any re-
quired expansion or modification.
Global bus contention is minimized by the memory manag-
er. Segments are stored in global memory only if they are
shared and writable. Secondary storage is accessed only if
- 105 -
the segment does not currently reside in global memory or
some local memory. The controlled sharing of segments optim-
izes main memory usage.
The storage of the alias tables in secondary storage
supports the recreation of user file hierarchies following a
system crash. The aliasing scheme used to address segments
supports system security by not allowing the segment's memo-
ry location or unigue identification to leave the memory
manager.
The design of the distributed kernel was clarified by
assigning the HMU image management to the memory manager.
The transfer of responsibility for memory allocation and
deallocation from the supervisor to the memory manager pro-
vides support for dynamic memory management.
In conclusion, the memory manager process will securely
manage segments in a multi-processor environment. The pro-
cess is efficient, and is configuration independent. The
primitives provided by the memory manager will support the
construction of any desired supervisor/user process built
upon the kernel.
- 106 -
B. FOLLOW ON HORK
There are several possible areas in the SASS design that,
can be looked into for continued research. The complete im-
plementation of the memory manager design (refine and optim-
ize the current PLZ/SYS code) is one possibility. Other pos-
sibilities include the implementation of dynamic memory
management, and modifying the interface of the memory manag-
er with the distributed kernel using eventcounts and se-
quencers for inter-process communication.
The implementation of the supervisor has not been ad-
dressed to date. Areas of research include the implmenta-
tion of the file manager and input/output processes, and the
complete design and implementation of the user-host proto-
cols. The implementation of the gatekeeper, and system ini-
tialization are other possible research areas. Dynamic pro-
cess creation and deletion, and the introduction of
multi-level hosts could also prove interesting.
- 107 -
PART D
AN IMPLEMENTATION OP MULTIPROGRAMMING AND
PROCESS MANAGEMENT POR A SECURITY KERNEL
OPERATING SYSTEM
This section contains updated excerpts from a Naval Post-
graduate School MS Thesis by S. L. Reitz [12]. The origins
of these excerpts are:
INTRODUCTION from Chapter I
IMPLEMENTATION from Chapter IV
CONCLUSION from Chapter V
Minor changes have been made for integration into this repor
Chapter XIII
INTRODUCTION
The application of contemporary microprocessor technolo-
gy to the design of large-scale multiple processor systems
offers many potential benefits. The cost of high-power com-
puter systems could be reduced drastically; fault tolerance
in critical real-time systems could be improved; and compu-
ter services could be applied in areas where their use is
not now cost effective. Designing such systems presents
many formidable problems that have not been solved by the
specialized single processor systems available today.
Specifically, there is an increasing demand for computer
systems that provide protected storage and controlled access
for sensitive information to be shared among a wide range of
users. Data controlled by the Privacy Act, classified De-
partment of Defence (DoD) information, and the transactions
of financial institutions are but a few of the areas which
require protection for multiple levels of sensitive informa-
tion. Multiple processor systems which share data are well
suited to providing such services - if the data security
problem can be solved.
A solution to these problems - a multiprocessor system
design with verifiable information security - is offered in
- 109 -
a family of secure, distributed multi-microprocessor operat-
ing systems designed by O'Connell and Richardson [7], A
subset of this family, the Secure Archival Storage Systei
(SASS) [9,5], has been selected as a testbed for the general
design. SASS will provide consolidated file storage for a
network of possibly dissimilar "host" computers. The system
will provide controlled, shared access to multiple levels of
sensitive information (Figure 32) .
This thesis presents an implementation of a basic moni-
tor for the 0' Connell-Richardson family of operating sys-
tems. Ths monitor provides multiprogramming and process
management functions specifically addressed to the control
of physical processor resources of SASS. Concurrent thesis
work [7] is developing a detailed design for a security ker-
nel process, the Memory Manager, which will manage SASS me-
mory resources.
- 110 -























Implementation of the distributed kernel was simplified
by the hierarchical structure of the design for it permit-
tad methodical bottom-up construction of a series of extend-
ed machines. This approach was particularly useful in this
implementation since the bare machine, the Z8000 Developmen-
tal Module, was provided with only a small amount of soft-
ware support.
A. DEVELOPMENTAL SUPPORT
A Zilog MCZ Developmental System provided support in de-
veloping Z3000 machine code. It provided floppy disk file
management, a text editor, a linker and a loader that creat-j
ed an image of each Z8000 load module.
A Z8000 Developmental Module (DM) provided the necessary
hardware support for operation of a Z8002 non-segmented mi-
croprocessor and 16K words (32K bytes) of dynamic RAM. It
included a clock, a OSART, serial and parallel I/O support,
and a 2K PROM monitor.
The monitor provided access to processor registers and
memory, single step and break point functions, basic I/O
functions, and a download/upload capability with the MCZ
system.
- 112 -
Sinca a segmented version of the processor was not
available for system development, segmentation hardware was
simulated in software as an MMO image (see Figure 33) . Alt-
hough this data structure did not provide the hardware sup-
port (traps) reguired to protect segments of the kernel do-








High byte Low byte Attributes
Figure 33: MM0_IMAGE
- 113 -
B. INNER TRAFFIC CONTROLLER
The Inner Traffic Controller runs on the bare machine to
create a virtual environment for the remainder of the sys-
tem. Only this module is dependent on the physical proces-
sor configuration of the system. All higher levels see only
a set of running virtual processors. k kernel data base,
the Virtual Processor Table is used by the Inner Traffic
Controller to create the virtual environment of this first
level extended machine. A source listing of the Inner
Traffic Controller module is contained in Appendix G.
1 • Ii£tual Processor Table (VPT)
The VPT is a data structure of arrays and records that
maintains the data used by the Inner Traffic Controller to i
multiplex virtual processors on a real processor and to
create the extended instruction set that controls virtual
processor operation (see Figure 34) . There is one table for
each physical processor in the system. Since this implemen-
tation was for a uniprocessor system (the Z8000 DM) , only
one table was necessary.
The table contains a LOCK which supports an exclusion
mechanism for a multiprocessor system. It was provided in
this implementation only to preserve the generality of the
design.
The Descriptor Base Register (DBR) binds a process to a









DBRJ PHI | STATE! IDLE FLAGI CPU J NEXT VP| MSG LIST
MSG
INDEX
MESSAGE SENDER NEXT_MSG |
i
Figure 34: Virtual Processor Table
ing the list of descriptors for segments in the process ad-
dress space.
A virtual processor (VP) can be in one of three states:
running, ready, and waiting (Figure 35) . A running VP is
urrently scheduled on a real processor. A ready VP is
eady to be scheduled when selected by the level-1 schedul-
- 115 -
ing algorithm. A waiting VP is awaiting a message from some
other VP to place it in the ready list. In the meantime it









Figure 35: Virtual Processor States
- 117 -
2. Level- J. Scheduling
Virtual processor state changes are initiated by the in-
ter-virtual-processor communication mechanisms, SIGNAL and
WAIT. These level- 1 instructions implement the scheduling
policy by determining what virtual processor to bind to the
real processor. The actual binding and unbinding is per-
formed by a Processor switching mechanism called SWAP_DBR
[14], Processor switching implies that somehow the execu-
tion point and address space of a new process are acquired
by the processor. Care must be taken to insure that the old
process is saved and the new process loaded in an orderly
manner. A solution to this problem, suggested by Saltzer
[14], is to design the switching mechanism so that it is ai
common procedure having the same segment number in every ad-
dress space.
In this implementation a processor register (R14) was
reserved within the switching mechanism for use as a DBR.
Processor switching was performed by saving the old execu-
tion point ( i.e., processor registers and flag control
word) , loading the new DBR and then loading the new execu-
tion point. The processor switch occurs at the instant the
DBR is changed (see Figure 36) . Because the switching
procedure is distributed in the same numbered segment in all
address spaces, the "next" instruction at the instant of the
switch will have the same offset no matter what address
- 118 -
space the processor is in. This is the key to the proper
operation of SWAP_DBR.
To convert this switching mechanism to segmented hard-
ware it is necessary merely to replace S«AP_DBR with special
I/O block-move instructions that save the contents of the
HHD in the appropriate MM(J_IMAGE and load the contents of
the new MMU_IMAGE into the MMO.
a. Getwork
SWAP_DBR is contained within an internal Inner Traffic
Controller procedure called GETWORK. In addition to multi-
plexing virtual processors on the CPU, 3ETW0RK interprets
the virtual processor status flags, IDLE and PREEMPT, and
modifies VP scheduling accordingly in an attempt to keep the
CPO busy doing useful work.
There are actually two classes of idle processes within
the system. One class belongs to the Traffic Controller.
Conceptually there is a ready level-2 idle process for each
virtual processor available to the Traffic Controller for
scheduling. When a running process blocks itself, the
Traffic Controller schedules the first ready process. This
will be an idle process if no supervisor processes are in
the ready list.
The second class of idle process exists in the kernel.












































Figure 36: SWAP DBR
- 120 -
The distinction is made between these classes because of
the need to keep the CPU busy doing useful work whenever
possible. There is no need for GETWOEK to schedule a lev-
el-2 idle process that has been loaded on a virtual proces-
sor, because the idle process does no useful work. The vir-
tual processor IDLE_FLAG indicates that a virtual processor
has been loaded with a level-2 idle process. GETWORK will
schedule this virtual processor only if the PREEMPT flag is
also set. The PREEMPT flag is a signal from the Traffic
Controller that a supervisor process is now ready to run.
When GETWORK can find no other ready virtual processors
with IDLE and PREEMPT flags off, it will select the virtual
processor permanently bound to the kernel Idle process.
Only then will the Idle process actually run on the CPU.
Getwork contains two entry points. The first, a normal
entry, ressts the preempt interrupt return flag. (RO is re-
served for this purpose within GETWORK.) The second, a
hardware interrupt entry point, contains an interrupt han-
dler which sets the preempt interrupt return flag. The DBR
(R14) must also be set to the current value by any procedure
that calls GETWORK in order to permit the SWAP_DfiR portion
Df GETWORK to have access to the scheduled process^ address
space. Upon completion of the processor switch, GETWORK ex-
imines the interrupt return flag to determine whether a nor-
lal return or an interrupt return is required.
- 121 -
The hardware interrupt entry point in GETHORK supports
the technique used to initialize the system. Each process
address space contains a kernel domain stack segment used by
SWAP-DBR in GETWORK to save and restore VP states. For the
same reason that SWAP-DBR is contained in a system wide seg-
ment number, the stack segment in each process address space
will also have the same number (Segment #1 in this implemen-
tation) . Each stack segment is initially created as though
it's process had been previously preempted by a hardware in-
terrupt. This greatly simplifies the initialization of pro-
cesses at system generation time. The details of system in-
itialization will be described later in this chapter. It is
important to note here, however, that GETWORK must be able
to determine whether it was invoked by a hardware preempt
interrupt or by a normal call, before it can execute a re-
turn to the calling procedure. This is because a hardware-
interrupt causes three items to be placed on the system
stack: the return location of the caller, the flag control
word, and the interrupt identifier, whereas a normal call
places only the return location on the stack. Therefore, in
order to clean up the stack, GETWORK must execute an inter-
rupt return (assembly instruction :IRET) if entry was via the
hardware preempt handler (i.e., RO set). This instruction
will pop the three items off the stack and return to the ap-
propriate location. If the interrupt return flag, RO, is
off, a normal return is executed.
- 122 -
During normal operation, SWAP-DE-R manipulates process
stacks to save the old VP state and load the new 7P state.
This action proceeds as follows (Figure 37) :
1. The Flag Control Word (FCW) , the Stack Pointer (R15)
and the preempt return flag (BO) are saved in the old
VP's kernel stack.
2. The DBR (R14) is loaded with the new VP's DBR. This
permits access to the address space of the new pro-
cess.
3. The Flag Control Word (FCW), the Stack Pointer (R15)
and the Interrupt Return Flag (RO) , are loaded into
the appropriate CPU registers.
a. RO is tested. If it is set, GETWORK will execute an
interrupt return. If it is off, a normal return oc-
curs.
By constructing GETWORK in this way, both system initializa-
tion and normal operations can be handled in the same way.
A high level GETWORK algorithm is given in Figure 38.
- 123 -
















Figure 37: Kernel Stack Segments
- 124 -
GETWORK Procedure (DBR = R14)
Begin
Reset Interrupt Return Flag (RO)




Save supervisor stack pointer
Set Interrupt Return Flag (RO)
Get first ready VP
Do while not select
If Idle flag is set then
if Preempt flag is set then
select
else







Save old VP registers in stack segment
Swap dbr (R14)
Load new VP registers in stack segment





Restore supervvisor stack pointer






3. Virtual Processor Instruction Set
The heart of the SASS scheduling mechanism is the inter-
nal procedure, GETWORK. It provides a powerful internal
primitive for use by the virtual processors and greatly sim-
plifies the design of the virtual processor instruction set.
Virtual processor instructions perform three types of func-
tions: multiprogramming, process management and virtual in-
terrupts.
SIGNAL and WAIT provide synchronization and communica-
tion between virtual processors. They multiplex virtual
processors on a CPU to provide multiprogramming. This im-
plementation used a version of the signal and wait algor-
ithms proposed by Saltzer [ 14 ]. In the SASS design each CPU
is provided with a unique (fixed) set of virtual processors.
The interaction among virtual processors is a result of mul-
tiprogramming them on the real processor. Only one virtual
processor is able to access the VPT at a time because of the
use of the VPT LOCK (SPIN_LOCK) to provide mutual exclusion.
Therefore race and deadlock conditions will not develop and
the signal pending switch used by Saltzer is not necessary.
This implementation also included message passing mecha-
mism not provided by Saltzer. The message slots available
for use by virtual processors are initially contained in a
queue pointed to by FREE-LIST. When a message is sent from
one VP to another, a message slot is removed from the free
- 126 -
list and placed in a FIFO message queue belonging to the VP
receiving the message. The head of each VP's message queue
is pointed to by MSG-LIST. Each message slot contains a
message, the ID of the sender, and a pointer to the next
message in the list (either the free list or the VP message
list.
IDL2 and SWAP_VDBR provide the Traffic Controller with a
means of scheduling processes on the running VP.
SET_VPREEMPT and TEST_VPREEMPT install a virtual inter-
rupt mechanism in each virtual processor. When the Traffic
Controller determines that a virtual processor should give
up its process because a higher priority process is now
ready, it sets the PREEMPT flag in that VP. Then, even if
an idle process is loaded on the VP, it will be scheduled
and will be loaded with the first ready process.
Test_VPreempt is a virtual interrupt unmasking mechanism
which forces a process to examine the preempt flag each time
it exists from the kernel.
a. Wait
WAIT provides a means for a virtual processor to move
itself from the running state to the waiting state when it
has no more work to do. It is invoked only for system
events that are always of short duration. It is supported
by three internal Procedures.
- 127 -
SPIN_LOCK enables the running VP to gain control of the
Virtual Processor Table. This procedure is only necessary
in a multiprocessor environment. The running VP will have
to wait only a short amount of time to gain control of the
VPT. SPIN_LOCK returns when the VP has locked the VPT.
GETWORK loads the first eligible virtual processor of
the ready list on the real processor. Before this procedure
is invoiced, the running VP is placed in the ready state.
Both ready and running VP*s are members of a FIFO gueue.
GETWORK selects the first VP in this ready list, loads it on
the CPU, and places it in the running state. When GETWORK
returns, the first VP of the gueue will always be running
and the second will be the first VP in the ready gueue.
GET_FIRST_MESSAGE returns the first message of the mes-
sage list (also managed as a FIFO gueue) associated with the
running VP. The action taken by WAIT is as follows:
WAIT Procedure (Returns: 2isg, Sender_ID)
Begin
Lock VPT (call SPIN_LOCK)
If message list empty (i.e., no work) Then
Move VP from Running to Waiting state
Schedule first eligible Ready VP (call GETWORK)
end if
(NOTE: process suspended here until
- 128 -
it receives a signal and is
selected by GETWOHK.)





If the running virtual processor calls WAIT and there is
a message in its message list (placed there when another VP
signaled it) it will get the message and continue to run.
If the message list is empty it will place itself in the
wait state, schedule the first ready virtual processor, and
move it to the running state. The virtual processor will
remain in the waiting state until another running VP sends
it a message (via SIGNAL) . It will then move to the ready
list. Finally it will be selected by GETWORK, the next in-
structions of WAIT will be executed, it will receive the




Messages are passed between virtual processors by the
instruction, SIGNAL, which uses four internal procedures,
SPIN_LOCK, ENTER_MSG_LIST, MAKE_READY, and GETWORK.
SPIN_LOCK, as explained above insures that only one vir-
tual processor has control of the Virtual Processor Table at
a time.
ENTER_MSG_LIST manages a FIFO message queue for each
virtual Processor and for free messages. This queue is of
fixed maximum length because of the implementation decision
to restrict the use of SIGNAL. A running VP can send no
more than one message (SIGNAL) before it receives a reply
(i.e., WAIT'S for a message). Therefore if there are N vir-
tual processors per real processors, the message queue
length, L, is:
L = N - 1
MAKE_READY manages the virtual processor ready queue.
If a message is sent to a VP in the waiting state,
MAKE_READY wakes it up (it places it in the ready state) and
enters it in the ready list. If a running VP signals a
waiting VP of higher priority, it will place itself back in
the ready state and the higher priority VP will be selected.
The action taken by signal is as follows:
SIGNAL Procedure (Message, Destination_VP)
Begin
- 130 -
Lock V?T (call SPIN_LOCK)
Send message (call ENTER_MSG_LISI)
If signaled VP is waiting Then
Make it up and make it ready
(call NAKE_READY)
end if
Put running VP in ready state.






SWAP_VDBR contains the same processor switching mechan-
ism used in SWAP_DBR, but applies it to a virtual processor
rather than a real processor. Switching is quite simple in
this virtual environment because both processor execution
point and address space are defined by the Descriptor Base
- 131 -
Register. SWAP_VDBR is invoked by the Traffic Controller to
load a new process on a virtual processor in support of lev-
el-2 scheduling. It uses GETWORK to control the associated
level-1 scheduling. The action taken by SWAP_VDBR is:
SWAP_VDBR Procedure (New_DBR)
Begin
Lock VPT (call SPIN_LOCK)
Load running VP with New_DBR
Place running VP in ready state





In this implementation one restriction is placed upon
the use of this instruction. If a virtual processors mes-
sage list contains at least one message, it can not give up
its current DBR. This problem is avoided as the natural re-
sult of using SIGNAL and WAIT only for system events, and
- 132 -
"masking" preempts within the kernel. If this were permit-
ted, the messages would lose their context. (The messages
in a VP_MS3_LIST are actually intended for the process load-
ed on the VP.)
d. IDLE
The IDLE instruction loads the Idle DBR on the running
virtual processor. Only virtual processors in contention
for process scheduling will be loaded by this instruction.
(The Traffic Controller is not even aware of virtual proces-
sors permanently bound to kernel processes.)
IDLE has the same scheduling effect as StfAP_VDBR, but it
also sets the IDLE_FLAG on the scheduled VP. The distinc-
tion is made between the two cases because, although the
Traffic Controller must schedule an Idle process on the VP
if there are no other ready processes, the Inner Traffic
Controller does aot wish to schedule an Idle V? if there is
an alternative. This would be a waste of physical processor
resources. The setting of the IDLE_FLAG by the Traffic
Controller aids the Inner Traffic Controller in making this
scheduling decision. Logically, there is an idle process
for each VP; actually the same address space (DBR) is used
for all idle processes for the same CPU, since only one will
run at a time. As previously explained, virtual processors
loaded by this instr action will be selected by GETWORK only
to give the Idle process away for a new process in response




Lock VPT (call SPIN_LOCK)
Load running VP with Idle DBR
Set VP«S IDLE_FLAG
Place running VP in ready state






SET_VPREEMPT sets the preempt interrupt flag on a speci-
fied virtual processor. This forces the virtual processor
into level- 1 scheduling contention, even if it is loaded
with an Idle process. The instruction retrieves an idle
- 134 -
virtual processor in the same way a hardware preempt ret-
rieves an idle CPU by forcing the VP to be selected by
GETWORK. The only difference between the two cases is the
entry point used in GETWORK. The action of SETJ7PREEMPT is:
SET_VPREEHPT Procedure (VP)
Begin
Set VP's PREEMPT flag





Since the action is a safe sequence, no deadlocks or




Within the kernel of a multiprocessor system all process
interrupts (which excludes system I/O interrupts) are
masked. If process interaction results in a virtual preempt
being sent to the running virtual processor by another CPU,
it will not be handled since GETHORK has already been in-
voiced. TEST_VPREEMPT provides a virtual preempt interrupt
unmasking mechanism.
TEST„VPREEMPT mimics the action of a physical CPU when
interrupts are unmasked. It forces the process execution
point back down into the kernel each time the process at-
tempts to leave the kernel domain, where the preempt flag of
the running VP is examined. If the flag is off,
TEST_VPR3EMPT returns and the execution point exits through
the Gatekeeper into the supervisor domain of the process ad-
dress space as described above. However, if the PREEMPT
flag is on, the TEST_VPREEMPT executes a virtual interrupt
handler located in the Traffic Controller. This jump from
the Inner Traffic Controller to the Traffic Controller
(TC_PREEMPT__HANDLER) is a close parallel to the action of a
CPO in response to a hardware interrupt, that is a jump to
an interrupt handler. The Traffic Controller Preempt Han-
dler forces level-2 and level-1 scheduling to proceed in the
normal manner. The preempt handler forces the Traffic Cont-
roller to axamine the APT and to apply the level-2 schedul-
ing algorithm, TC_GETWORK. if the APT has been changed
since the last invocation of this scheduler, it will be re-
- 136 -
fleeted ia the scheduling selections. Eventually, when the
running VP's preempt flag is tested and found to be reset,
TEST_VPREEMPT will return to the Gatekeeper where the pro-
cess execution point will finally make a normal exit into













The Traffic Controller runs in a virtual environment
created by the Inner Traffic Controller. It sees a set of
running virtual processor instructions; SWAP_VDB2, IDLE,
SET_VPREEMPT, and RONNING_VP, and provides a scheduler,
TC_GETWORK, which multiplexes processes on virtual proces-
sors in response to process interaction. It also creates a
level-2 instruction set: ADVANCE, AWAII, and PSOCESS_CLASS,
which is available for use by higher levels of the design.
The Traffxc Controller uses a global data base, the ACTIVE
PROCESS TABLE to support its operation.
1 • Active Process Table (APT)
The Active Process Table is a system-wide kernel data-
base containing entries for each supervvisor process in SASS
(Figure 39) . It is indexed by active process ID. The
structure of the APT closely parallels that of the Virtual
Processor Table. It contains a LOCK to support the imple-
mentation of a mutual exclusion mechanism, a RONNING_LIST,
and a READY_LIST_HEAD . The Traffic Controller is only con-
cerned with virtual processors that can be loaded with su-
pervisor processes. Since two VP«s are permanently bound to
kernel processes (the Memory Manager and the Idle Process)
,
they cannot be in contention for level-2 scheduling; the
Traffic Controller is unaware of their existence; since
there are a number of available virtual processors, the
- 138 -
RUBIIBG.LIS I was iapl evented as an array indexed by VP_ID.
Ihe R2ADI_LIST_HEAD points to a FIFO gueue that includes
both running and ready processes. The running processes
will be at tie top of the ready list.
5ecaus= of tneir completely static nature, idle process-
es require no entries in the A?T. Logically, there is an
idle process at the end of the ready list for each V? avai-
lable to tne Traffic Controller. If tae ready list is emp-
ty, TC_GZTwCRf: loads one of tnese "virtual" idle processes
by calling IDLF, and enters a reserved identifier, 3IDLI, in
the appropriate a TJNNING_LI5I entry. This identifier is the
only data concerning idle processes that is contained m tae
APT. Idle procass scneduling considerations are aoved down
to ievel-1, because the Inner Traffic Controller knows about
physical processors, and can cptiaize CPO use by scheduling
idle processes only when there is zothing else to do.
The suoject access rrlass, S_ZLA5S, provides eacn process
with a label that is required by ieveI-3 modules to enforce,
the 3ASS non-discretionary security policy.
- 139 -
LOCK
















Figure 39: Active Process Table
- 140 -
2. Lez§iz2 Scheduling
Above the Traffic Controller, SASS appears as a collec-
tion of processes in one of the three states: running,
ready, or blocked. Running and ready states are analogous
to the corresponding virtual processor states of the Inner
Traffic Controller. However, because of the use of event-
count synchronization mechanisms by the Traffic Controller,
the blocked state has a slightly different connotation than
the VP waiting state.
Blocked processes are waiting for the occurrence of a
non-system event, e.g., the event occurrence may be sig-
nalled from the supervisor domain. When a specific event
happens, ail of the blocked processes that were awaiting
that event are awakened and placed in the ready state. This
broadcast feature of event occurrence is more powerful than
the message passing mechanism of SIGNAL, which must be di-
rected at a single recipient.
Just as SIGNAL and WAIT provide virtual processor multi-
plixing in level-1, the eventcount functions, ADVANCE and
AWAIT, control process scheduling in levei-2.
a. TCJ3ETWORK
Level-2 scheduling is implemented in the internal Traff-
ic Controller procedure, TC_G2TW0RK. This procedure is in-
voked by eventcount functions when a process state change
- 141 -
may have occurred. It loads the first ready process on the
currently scheduled VP (i.e., the virtual processor that has





Do while not end of ready list
if process is running then
get next ready process
else
BUNNING_LIST [VP_ID] : = PBOCESS_ID












Preempt interrupts are masked while a process is execut-
ing in the Icernel domain. As the process leaves the kernel,
the gatekeeper unmasks this virtual interrupt by invoking
TEST_VPREEMPT. This instruction tests the scheduled 7P«s
PREEMPT flag. If this flag is off, the process returns to
the Gatekeeper and exits from the kernel; out if the flag is
set, TEST_VPREEMPT calls the Traffic Controller's virtual
preempt interrupt handler, TC_PREEMPT_HANDLER
. This handler
invokes rc_GETtfORK, which re-evaluates level-2 scheduling.
Eventually, when the schedulers have completed their func-
tions, the handler will return control to the preempted pro-
cess, which will return to te Gatekeeper for a normal exit.
This seguence of events closely parallels the action of a
hardware interrupt, but in the environment of a virtual pro-
cessor rather than a CPU. The virtualizaticn of interrupts
provides the ability for one virtual processor to interrupt
execution of another that may, or may not, be running on a
CPU at that time. This is provided without disrupting the
logical structure of the system. This capability is parti-
cularly useful in a multiprocessor environment where the
target virtual processor may be executing on another CPU.
Because these interrupts will be virtuaiizad, the operating
system will retain control of the system. The action of the






Process_ID := RUNNING LIST [VP_ID]
If process is not idle Then






WAIT_LJCK and WAIT_UNLOCK provide an exclusion mechanism
which prevents simultaneous multiple use of the APT in a
multiprocessor configuration. This mechanism invoices WAIT
and SIGNAL of the Inner Traffic Controller.
- 144 -
3. Eventcounts
An eventcount is a non-decreasing integer associated
with a global object called an event [11]. The Event Manag-
er, a level-3 module, controls access to event data when re-
quired and provides the Traffic Controller with a HANDLE, an
INSTANCE, and a COUNT. The values for all aventcounts (and
sequencers) are maintained at the Memory Manager level and
are accessed by calls to the Memory Manager. The HANDLE
provides the traffic controller with an event ID, associated
with a particular segment. INSTANCE is a more specific de-
finition of the event. For example, each SASS supervisor
segment has two eventcounts associated with it, a INSTANCE_1
and a INSTANCE_2, that the supervisor uses keep track of
read and write access to the segment [9], Eventcounts pro-
vide information concerning system-wide events. They are
manipulated by the Traffic Controller functions ADVANCE and
AWAIT and by the Memory Manager functions, BEAD and TICKET.
A proposed high level design for ADVANCE and Ah'AIT is pro-
vided by Seitz [ 12 ].
a. Advance
ADVANCE signals the occurrence of an event (e.g., a read
access to a particular supervisor segment) . The value of
the eventcount is the number of ADVANCE operations that have
been performed on it. When an event is advanced, the fact
must be broadcast to all blocked processes awaiting it and
- 145 -
the process must be awakened and placed on the ready list.
Some of the newly awakened processes may have a higher pri-
ority than some of the running processes. In this case a
virtual preempt, SET_VPREEMPT (VP_ID) , must be sent to the
virtual processors loaded with these lower priority process-
es.
b. Await
When a process desired to block itself until a particu-
lar event occurs, it invokes AWAIT. This procedure returns
to the calling process when a specified eventcount is
reached. Its function is similar to WAIT.
c. Read
READ returns the current value of the eventcount. This
is an Event Manager (level three) function. This module
calls the Memory Manager module to obtain the eventcount va-
lue.
d. Ticket
TICKET provides a complete time-ordering of possibly
concurrent events. It uses a non-decreasing integer, called
a seguencer, which is also associated with each supervisor
segment. As with READ, this is an Event Manager function
that calls the Memory Manager to access the sequencer value.
Each invocation of TICKET increments the value of the se-
- 1U6 -
quencer and returns it to the caller. Two different uses of
ticket will return two different values, corresponding to
the order in which the calls were made.
D. SYSTEM INITIALIZATION
Because the Inner Traffic Controller's scheduler,
GETWORK, can accommodate both normal calls and hardware in-
terrupt jumps, the problem of system initialization is not
difficult.
When SASS is first started at level-1, the Idle VP is
running and the memory manager VP , which has the highest
priority, is the first ready virtual processor in the ready
list. All VP's available to the Traffic Controller for lev-
el-2 schedling are ready. Their IDLE_FLAG's and PREEMPT
flags are set.
At level-2, all VP's are loaded with idle processes and
all supervisor processes are ready.
The kernel stack segment of each process is initialized
to appear as if it had been saved by a hardware Preempt in-
terrupt (Figure 40)
.
All CPJ registers and the supervisor stack pointer are
stored on the stack. R15 is reserved as the kernel stack
point; R14 contains the DBR. All other registers can be
used to pass initial parameters to the process. The order



















Figure 40: Initialized Stacic
- 148 -
The status block contains the current value of the stack
pointer, R15, and the preempt interrupt return flag. This
flag is set to indicate that the process has been saved by a
preempt interrupt. The first three items on the stack: the
process entry point, the initial process flag control word,
and an interrupt indentifier, are also initialized to sup-
port the action of a hardware interrupt.
To start-up the system, R14 (the DBR) is set to th.e Idle
process DBR; the CPU Program counter is assigned the
PREEMPT_ENTRY point in GETWOBK; tne CPU Flag Control Word
(FCW) is initialized for the kernel domain; and the CPCJ is
started. Because the Idle_VP is the lowest priority VP in
the system, it will place itself back in the ready state and
move the Memory Manager in the running state. The Memory
Manager will execute an interrupt return because the inter-
rupt return flag was set by system initialization. There
will be no work for this kernel process so it will call WAIT
to place itself in the waiting state. The next ready VP is
idling, but since it's IDLE_FLAG and PREEMPT flag are set,
GETWORK will select it. It too will execute an interrupt
return, but because its PREEMPT flag is set, it will call
TC_PREEM?T_HAND!ER. This will cause the first ready process
to be scheduled. Each time a supervisor process blocks it-
self, the next idle VP will be selected and the sequence
will be repeated.
- 149 -
The action described above is in accord with normal op-
eration of the system. The only unique features of initial-
ization are the entry point (PREEMPT-ENTRY: in GETWORK) an<
the values in the initialized kernel stack.
The implementation presented in this thesis has been ruD
on a Z8000 developmental module. System initialization has
been tested and executes correctly. At the current level of
implementation, no process multiplexing function is availa-
ble. There is no provision for unlocking the APT after an
initialized process has been loaded as a result, a call to
the Traffic Controller (viz., ADVANCE or AWAIT) . In a pro-
cess multiplexed environment this would cause a system dead-
lock. Once the process left the kernel domain with a locked
APT, no process would be able to unlock it. The Traffic




The implementation presented in this thesis created a
security kernel monitor that runs on the Z8000 Developmental
Module. This monitor supports multiprogramming and process
management in a distributed operating system. The process
executes in a multiple virtual processor environment which
is independent of the CPU configuration.
This monitor was designed specifically to support the
Secure Archival Storage System (SASS) [2, 9, 5]. However,
the implementation is based on a family of Operating Systems
[7] designed with a primary goal of providing multilevel se-
curity of information. Although the monitor currently runs
on a single microprocessor system, the implementation fully
supports a multiprocessor design.
A. IECCMSENDATIONS
Because the Zilog MMU is not yet available for the Z3000
Developmental Module, it was necesary to simulate the seg-
mentation hardware. As Reitz explained [12], this was ac-
complished by reserving a CPU register, R14, as a Descriptor
Base Register (DBR) to provide a link to the leaded addresss
space. When the MMU becomes available, this simulation must
be removed. This can be done in two steps.
- 151 -
First, the addressing format must be translated to the
segmented form. This requires no system redesign.
Second, the switching mechanism most be modified to ac-
comodated to use the MMU. This can be done by modifying the
SWAP_DBR portion of GETUORK to multiplex the MHU_IMAGE onto
the MMU hardware and this can be accomplished by changing
about a dozen lines of the existing code.
B. FOLLOW ON WORK
Although the monitor appears to execute correctly, it
has not been rigorously tested. Before higher levels of the
system are added, it is essential that the monitor be highly
reliable. Therefore a formal test and evaluation plan
should be developed.
An automated system generation and initialization me-
chanism is also required if the monitor to be is a useful
tool in the development of higher levels of the design.
Once the monitor has been proven reliable and can be
loaded easily, work on the implementation of the Memory Man-




IMPLEMENTATION OF SEGMENT MANAGEMENT FOR A
SECURE ARCHIVAL STORAGE SYSTEM
This section contains excerpts from a Naval Postgraduate
School MS Thesis by J. T. Wells [20]. The origins of these
excerpts are:





SUMMARY from Chapter II
SEGMENT MANAGEMENT IMPLEMENTATION from Chapter III
CONCLUSIONS AND FOLLOW ON WORK from Chapter IV
Minor changes have been made for integration into this report,
Chapter XVI
INTBODOCTION
This thesis addresses the implementation of the segment
management functions of an operating system known as the Se-
cure Archival Storage System or SASS. This system, with full
implementation, will provide: (1) multilevel secure access
to information (files) stored in a "data warehouse" for a
network of multiple host computers, and (2) controlled data
sharing among authorized users. The correct performance of
both of these features is directly dependent upon the prop-
er implementation of the segment management functions ad-
dressed in this thesis. The issue of access to sensitive in-
formation is addressed by the Non-Discretionary Security
Module, which mediates all non-discretionary access to in-
formation. Sharing of information is accomplished chiefly
through the properties of segmentation, the SASS memory man-
agement scheme that is supported by the Memory Manager Mo-
dule and the Segment Manager Module. The implementation of
segment management for SASS is thus integral to the attain-
ment of the two key goals that SASS was designed to achieve.
This implementation addresses the Son-Discretionary Securi-
ty, Distributed Memory Manager (the interface to the Memory






The Segment Manager is the focal point of the segment
management function. Using the per-process Known Segment Ta-
ble as its database and the Memory Manager and Non-Discre-
tionary Security Module in strongly supportive roles, it is
responsible for managing the segmented virtual memory for a
process. Its role can be viewed as somewhat intermediary in
nature (viz., between the Supervisor modules and the Memory
Manager modules) . The extended instruction set created in
the Segment Manager includes the following instructions:
CREATE_3ESMENT, DELETERS EGMENT, MAKE_KNCKN, TERMINATE
SM_SWAP_IN, and SM_SKAP_00T (note that the names for SWAP_IN
and SWAP_OiJT have been modified by preceding each with SM_,;
this is strictly for clarity because the Memory Manager also
creates two instructions called 5HAP_IN and SWAP_G0"T) .
These instructions are invoked by the Supervisor domain of
the process (viz. , calls are made from the Supervisor domain
via the Gatekeeper to the Segment Manager in the Kernel do-
main) to provide SASS support to the Host.
- 155 -
In general, when the Segment Manager receives these
calls, it performs certain checks to ensure the validity and
security compliance (when reguired) of the reguest (call)
.
These checics are performed using its own database (the KST)
and by calls to the Non-Discretionary Security Module (when
reguired) . The Segment Manager invoices one of six Memory
Manager (more specifically, the Distributed Memory Manager
Module) created instructions. These instructions include:
MM_CREATE_2NTRY, MM_DELETE_ENTBY, MM_ACTIVATE,
aa_DEACTIVATE, MM_SWAP_IN, and MM_SHAP_OOT. These invoked
instructions (procedures) in turn perform interprocess com-
munciations with the non-distributed memory manager process
(where actual memory management functions are accomplished)
These interprocess invocations and returns are accomplished
through the use of the IPC primitives Signal and Wait. The
Segment Manager returns the reguired arguments to the Super-
visor by value (as passed back to it by the Memory Manager
and/or determined within itself) . The Segment Manager per-
forms actual segment number assignment when a segment is
made known to a process* address space. It also performs
any further database (KST) updating as may be reguired.
2. Database
The Known Segment Table (KST) is the database used to
manage segments. The KST is described in its tabular form
and PLZ/SYS structured representation in Figure 41. There
- 156 -
are several basic and pertinent facts to be noted of the
KST:
1. It is a process local database; that is, each process
has its own KST.
2. The KST is indexed by segment numoer; each record of
the KST consists of a set of fields (description in-
formation) regarding a particular segment.
3. Entering information into the fields of a segment is
called "making a segment known". This simply refers
to adding a segment to a process' address space
(viz., making a segment accessible to a process).
4. In 5ASS, a correspondence exists between making a
segment "known" and making a segment "active"; i.e.,
when a segment is added to the address space of a
process, this action results in an entry in the KST
(making "known") by the Segment Manager and an entry
in the Global Active Segment Taole (G_AST) by the Me-
mory Manager process (making it "active") . The G_AST
will be described later in this chapter.
A proper description of the structure and fields of the KST
is necessary at this point. Using the representation of the
PLZ/SYS language structure, the KST is described as an array
of records of fields of varying types. The fields are de-
scribed separately below. Although the KST index is not in
itself a field in the record, it does perform a rather sig-
nificant role. The KST index is an integer closely related
- 157 -
to the segment number of the segment described in that. K3T
entry (viz. , it is the subscript into the array of records)
.
This segment number also corresponds to the MMU descriptor
register (number) for that segment.
The MM_Handle is the first field in a KST record. The
MH_Handle is a system wide unique number that is assigned to
each segment with an entry in the G_AST (viz. , every active
segment) . This "handle" is the instrument of controlled sin-
gle copy sharing of information (segments) . It allows a seg-
ment to exist under one unique handle but be accessible in
the address space of more than one process (with different
segment numbers in each address space). The MM_Handle is re-
turned to the Segment Manager by the Memory Manager during
the execution of the Make_Known instruction.
The Size field is an integer value (of language struc-j
ture type "word") which represents the number of 256 byte
blocks composing a segment.
The Access_Mode field is used to describe the process'
access to the segment (i.e., null or read and/or write).
The In_Core field is used to indicate if the segment is
or is not in main memory (i.e., this field is a flag or
true/false boolean switch)
.
The Class field is a long word field used to represent
the degree of information sensitivity (viz., access class)
assigned to the segment. This field (for example) would be












KST Array [4 KST_BEC]






Entry_Nuaber Short_Int eger ]
Ficure HI: Known Segment Table
- 159 -
The Mantor_Seg_Nr field is a number representing the
segment number of a segment's parent or "mentor" segment.
Its importance will discussed shortly.
The Entry_Nr field is a number representing a segment's
index number into its parent or mentor segment's Alias Table
(not yet discussed)
.
The Alias Table is a Memory Manager database and will be
described later. The aliasing scheme provided via the alias
tables is used to prevent passing system wide information
out of the Kernel (i.e., the Unigue_ID of a segment). The
"alias" of a segment is the concatenation of the Men-
tor_Seg_Nr with the segment's Entry_Nr (index) into the men-
tor segment's Alias Table. It is clear that the last two
fields of a KST record are the "alias" of that segment.
3. NON-DISCRETIONARY SECURITY MODULE
The key in protection of secure information using inter-
nal controls was identified as the security kernel concept.
The basic idea within this concept is to prove the hardware
part of the Kernel correct and, similarly, to keep the soft-
ware part small enough so that proving it correct is feasi-
ble. A central component of the kernel software is the
Non-Discretionary Security Module (hereafter referred to as
the NDS Module) . The NDS Module is concerned only with the
non-discretionary aspect of the security poiicy in effect;
since the discretionary aspect is subservient in nature to
- 160 -
the non-discretionary aspect, it is then sufficient that the
Kernel contain only the software representing the non-dis-
cretionary aspect of the security policy. The discretionary
security is provided outside the kernel in the SASS supervi-
sor. Every attempt to access information must result in an
invocation of the NDS Module.
The function of the NDS Module is to compare two classi-
fications (viz.
, compare two labels) , make a decision as to
their relationship (i.e., =,>,<,{), and return a true/false
interpretive answer relative to the guery of the calling
procedure. The mechanism used as a basis is the lattice mo-
del abstraction previously discussed. The NDS Module does
not require a database since the labels it compares are
stored in (passed from) other Kernel databases.
C. MEMORY MANAGER
1 • ?aSSt ion
The Memory Manager process is the only component of the
non-distributed kernel. It is responsible for aanacing the
real memory resources of the system — ma^n (local and glo-
bal) memory and secondary storage. It is tasked by ether
processes within the Kernel domain (via Signal and Wait) to
perform memory management functions. Ihis thesis will ad-
dress the Memory Manager in terms of two components: (1) the
Memory Manager Process (also called the nondistributed ker-
nel and the Memory Manager Module), and (2) the distributed
- 161 -
Memory Manager (also called the Distributed Memory Manager
Module) . The former is the "true" memory manager while the
latter is the interface with other processes, that is, it
resolves the issue of interprocess communication with the
"true" memory manager.
The Distributed Memory Manager Module creates the fol-
lowing extended instruction set: MM_CBEATE_ENTRY,
MM_DELETE_ENTRY, MM_ACTIVATE, MM_DEACTIVATE, MM_StfAP_IN, and
MM_SHAP_OUr. The instructions form the mechanism of communi-
cation between the Segment Manager of a process and a memory
manager process (where the actual memory management func-
tions are performed) . The Memory Manager Process instruction
set corresponds one to one with that of the Distributed Me-
mory Manager; the set consists of: CREAIE_ENTRY,
DELETE_ENTRY, ACTIVATE, DEACTIVATE, StfAP_IN, and StfAPJDUT.
The basic functions performed by the Memory manager are al-
location/deallocation of global and local memory and of sec-
ondary storage, and segment transfers from local to global




A detailed and descriptive discussion of the Memory Man-
pager databases is presented in the work of Gary and Moor
[5], and the reader may refer to it for memory manager data-
base details. This thesis addresses the implementation of
- 162 -
the distributed Memory Manager bat not the Memory Manager
Process, thus brief descriptions are provided of the lat-
ter's databases.
The Global Active Segment Table (G_AST| is a system wide
(i.e., shared by all memory manager processes) database used
to manage all active segments. A lock/unlock mechanism is
used to prevent race conditions from occurring. The distri-
buted memory manager of the signalling process locks the
G_AST before it signals the memory manager process.
The Local Active Segment Table (L_AST) is a processor
local database which contains an entry for each segment ac-
tive in a process currently loaded in local memory.
The Alias Taole is a system wide database associated
with each aonleaf segment in the Kernel. It is a product of
the aliasing scheme used to prevent passing system wide in-
formation out of the Kernel. The alias table header (provid-
ed for file system reconstruction after system crashes) has
two pointers, one linking the alias table to its associated
segment, the other linking the alias table to the mentor
segment* s alias table. The fields in the alias taole are
Cnique_ID, Size, Class, Page_Table_Loc, and Aiias_Table_Loc.
The index into the alias table is Entry_No.
The Memory Management Unit Image <MMU_Iaage, Figure 42)
is a processor local database indexed by DBR_No (viz., for
each D3R_No there is a MMU_Image record, with each record
containing a software image of the segment descriptor regis-
- 163 -
ters of the hardware MMU) . The MM0_Image is an exact image
of the MMU. Each record is indexed by Segment_No (segment
number) and each Segment_No entry contains three fields. The
Base_Addr field contains the segments base address in memo-
ry. The Limit field contains the number of blocks of conti-
guous storage for the segment (zero indicates one block)
.
The Attributes field contains 8 flags including 5 whicn re-
late to the memory manager. The Blks_Used field and the
Max_Blks (available) fields are per record (not per segment
entry) and are used in the management of
each process* virtual core.
The Memory Bit Maps (Disk_Bit_Map, Glo-
bal_Memory_Bit_Map, and Local_Memory_Bit_Map) are memory
block usage maps that use true/false flags (bits) to indi-
cate the use or availability of storage blocks.
The only database in the Distributed Memory Manager is
the Memory Manager CPU Table (Figure 43) . It is an array of
memory manager VP_ID»s (MM_VP_ID) indexed by CPU number.
This table enables a signalling process to identify the ap-













Array [ Max_DBR_No MflU ]

















Figure 43: Memory Manager-CPU Table
D. SUMMABY
The segment management functions and Jcey related con-
cepts (such as segmentation) were discussed in this chapter.
The importance of segmentation to data sharing and informa-
tion security was emphasized as were key information securi-
ty concepts. With this background, the implementation of
segment management and a non-discretionary security policy
will be described in the following chapter.
- 166 -
Chapter XVIII
SEGMENT MANAGEMENT I MPLEMENTAIION
The implementation of segment management functions and a
non-discretionary security policy is presented in this chap-
ter. Paramount to this implementation were several key is-
sues that effected the implementation. laese issues are dis-
cussed first. The implementation is discussed in terms of
the Segment Manager, Non-Discretionary Security <NDS) , and
Distributed Memory Manager modules.
^« IMPL3M5NTATI0M ISSUES
Segment management for the SASS was provided througn the im-
plementation of the Segment Manager Module, the NDS Module,
and the Distriouted Memory Manager Module. Additionally,
since a iemcnstration/testbed was integral to the testing
and verification of the implementation, it was necessary to
complete other supportive tasks. Seitz [12] provided a de-
monstration of tne operation of the Inner Traffic Controller
primitives SIGNAL and WAIT (for interprocess communica-
tion) . Integral to this demonstration was the correct per-
formance of the Inner Traffic Controller 7? scheduling me-
chanism and a "stub" of the Traffic Controller and its
process scheduling mechanism (the TC support and use of the
- 167 -
mechanism of eventcounts and sequencers was not a part of
the demonstration) . The Segment management demonstration
(hereafter referred to as "Seg_Mgr. Demo") was "built on top
of" Reitz' ITC synchronization primitive demonstration
(hereafter referred to as "Sync. Demo") . Thus, an immediate
issue was to resolve the feasibility of adding on to
Sync. Demo and also to refine the present design of the Sync.
Demo to facilitate its integration into the Seg_Hgr.Demo.
One aspect of this effort was in resolving the problem of
how to pass (i.e., in interprocess communication) a larger
message.
1 • IS£erp_rocess Messages
The Sync. Demo passed "word" (16 bit) messages. To pro-
vide the mechanism for the distributed memory manager to i
signal the memory manager process with a command function
identification code and the arguments needed to perform that
function (e.g., CREATE-ENTRY and its input arguments), a
message size of at least eight words (16 bytes) was neces-
sary. An obvious answer was to signal with an array of
eight words as the message. PLZ/SYS, however, does not al-
low passing arrays in its procedure calls (a procedure call
is analogous to a subroutine call). Another alternative was
to signal with a pointer to the array of words, since
PLZ/SYS does allow passing pointers in procedure calls (thus
the message would be a pointer to the real message) . This,
- 168 -
however, would be invalid in the segmented implementation
(on the Z8000 segmented microprocessor) since identical seg-
ment numbers in different processes may not refer to identi-
cal segments. For example, a pointer in a process (e.g.,
file management) points to an array (i.e., provides its ad-
dress) by segment number and offset; passing this pointer to
another process (e.g., memory manager) would provide this
same segment number and offset which, of course, may be a
different object in the second processes address space).
Another alternative considered was that of a shared
"Mailbox" segment with an associated eventcount acted on by
the Kernel Inner Traffic Controller primitives
TICKET, ADVANCE and AWAIT. A design for using this concept
in the supervisor ring is provided by Parks [9]. This al-
ternative was not deeply considered since these primitives
are not included in the current Inner Traffic Controller.
The method ultimately used to signal the new length mes-
sages is based on the fact that the ITC is in both the sig-
nalling and the receiving (memory manager) processes 1 ad-
dress space. The message is loaded into an array in process
#1 and a pointer to the array is passed in the call SIGNAL;
the VPT, the ITC's database, is then updated by (using the
pointer) putting the message into its USG_Q section. The
message is retrieved by process #2 by execution of Reitz 1
WAIT primitive with only one refinement. That refinement is
for the "waiting" process to provide as an. argument (in the
- 169 -
WAIT primitive) a pointer to its own message array so that
the message in the VPT can be copied to it. This refinement
provides for passing a long message essentially "by value"
between processes.
2- Structures as Ar guments
Another issue concerned the use of pointers in the im-
plementation of segment management. Ihis necessary "evil"
is a result of the need to pass linguistically "complex"
data types in procedure calls. Complex types refer to arraj
and record structures in PLZ/SYS (as opposed to the "simple"
types— byte, word, integer, short-integer, long, and poin-
ter). In managing databases (e.g., KSI, 3_AST) which con-
sist of arrays of records (wnich in turn contain records
and/or arrays) , it was freguently necessary to reference
data as an array or record. tfithin a process, the use of
pointers was not a problem (i.e., not a proolem such as
would be encountered in IPC passing of pointers)
.
3. l§entrant Code
The issue of code reentrancy was addressed at the assem-
bly language level through the use of a stack segment anc
registers for storage of local variables. PLZ/SYS (higt
level language) does not address reentrant procedures anc
thus the segment management high level code is not automati-
cally reentrant. The problem of reentrancy can be seen bj
- 170 -
looking at a shared procedure that is not reentrant; such a
procedure has storage for its variables allocated statically
in memory. Suppose a procedure (e.g., in the Kernel) can be
activated by more than one process. While the procedure is
executing in one process, a process switch occurs (e.g., to
wait for a disk transfer) and its execution is suspended.
The second process is activated, and while it is running it
invokes the procedure. While the procedure is executing for
the second process it uses the same storage space for varia-
bles as it did when executing for the first process. Eventu-
ally, it relinquishes the processor. However, when the
procedure resumes its execution for the first process, the
variable values that were in use by it originally have been
changed during its execution in the second process. Thus,
incorrect results are now inevitable.
* • Process Structure of the Memory. Manager
References to the "Memory Manager" in past works have
generally meant, the memory manager process (non-distributed
kernel) * This work references two distinct components of
the "memory manager module". The Distributed Memory Manager
is an interface provided to the Memory Manager Process. It
is, in fact, distributed in the address space of each Super-
visor process. In contrast, the Memory Manager Process
clearly is not distributed and its address space is con-
tained entirely in the Kernel.
- 171 -
5. £§Ez£E2cess Known Segment labie
Another key issue was that of the per process Segment
Manager database, the K5T. Since each process has its own
KST, it cannot be linked to the (shared) segment manager
procedures. To implement the KST as a per process database,
it was convenient to establish, by convention, a KST segment
number that is consistent from process to process. That
segment in each process is the KST segment for that process.
Implementation is then accomplished by using the segment
number to construct a pointer to the base of the appropriate
KST. It is then easy to calculate an appropriate offset to
index any desired entry in the KST data.
6. DBR Handle
In Reitz's implementation of the multilevel scheduler
and the IPC primitives, references to "DBB" (descriptor base
register) are references to an address. That address value
represents a pointer to an MMU_IMAGE record containing the
list of descriptors for segments in the process address
space. Gary and Moore [5] reference a "DBfi_NO" that is es-
sentially a handle used within the memory manager as an in-
dex within the MMO_IMAGE to a particular MMU record. The
base address of the MMO record indexed by DBR_NO is then
equivalent to the concept of DBR value used in Reitz 1 work.
The effect of this inconsistency on the segment management
implementation was minor and will be further discussed later
in this chapter.
- 172 -
B. SEGMENT MANAGER MODULE
The Segment Manager Module consists of six procedures
representing the six extended instructions it provides.
These are based on the design of Coleaan £2], Only calls
from external to the Kernel (via the Gate Keeper) may be
made to the Segment Manager (per the loop-free structure of
the SASS)
.
The normal sequence of invocation of the Segment
Manager functions to allow referencing a segment is: (1)
CREATE_SEGMENT--allocate secondary storage for the segment
and update the mentor segments Alias Table, (2)
MAKE_KNOWN— add the segment to the process address space
(segment number is assigned)
, (3) SWAP_IN— move the segment
from secondary storage into the process*s main memory. The
normal sequence of invocation to "undo" the above is: (1)
SWAP_O0T— move the segment from main memory to secondary
storage, (2) TERMINATE— remove the segment from the pro-
cess's address space, (3) DELETE_SEGMENT— deallocate secon-
dary storage and remove the appropriate entry from the alias
table of its mentor segment. The six Supervisor entries
into the Segment Manager (viz., the six extended instruc-
tions) will be discussed individually below. The PLZ/ASM
listings for the Segment Manager are in Appendix H.
- 173 -
1 • Create a Segment
The function that creates a segment (i.e., adds a new
segment to the SASS) is CREATE_SEGMENT. This function vali-
dates the correctness of the Supervisor call by checking the
parameters and making certain security checks. The distri-
buted memory manager is then called to accomplish interpro-
cess communication with the Memory Manager Process, where
segment creation is realized through secondary storage allo-
cation and alias table updating.
CREATE_SEGMENT is passed as arguments: (1) Men-
tor_Seg_No--the segment number of the mentor segment of the
segment to be created, (2) Entry_No—the desired entry num-
ber in the alias table of the mentor segment, (3) Class— the
access class (label) of the segment to be created, and (4)
Size--the desired size of the segment (in blocks of 256
bytes) . The initial check is to verify that the desired
size does not exceed the designed maximum segment size. If
this check is satisfactory, a conversion of the Men-
tor_Seg_No to a KST index is necessary. This is because the
Kernel segments use the first several segment numbers avai-
lable but do not have entries in the KST. Thus if there
were 10 Kernel segments and a system segment had segment
number 15, then its index in the KST would actually be 5
(i.e., the Kernel segments would use numbers 0-9, and this
segment would be the sixth segment in the KST and its index
would be 5) . A call is then made to the procedure
- 174 -
ITC_GET_SEG_PTR with the constant KST_SEG_NO passed as a
parameter. This procedure will return a pointer to the base
of this process* KST. This pointer is then the basis for
addressing entries in the KST. The next check is to see if
the mentor segment is known (viz., is in the address space
of the process, and thus, in the KST). The key to determin-
ing if any segment is known is the mentor segment entry
(M_SEG_So) for that segment in the KST. If not known, this
entry in the segment's KST record will be filled with the
constant N0LL_SEG. The basis for checking to see if the
segment's aentor segment is known is the aliasing scheme im-
plication that a mentcr segment must oe known before a seg-
ment can be created. The process classification must next
be obtained from the Traffic Controller. The process clas-
sification is checked to ensure that it is egual to the
classification of the mentor segment since write access to
its alias table is needed to create a segment. The NDS mo-
dule's CLASS_SQ procedure is called and returns a code of
true or false. The last check is the compatibility cneck to
ensure that the classification of the segment to be created
is greater than or equal to the classification of the mentor
segment. This is accomplished by calling the NDS Module's
CLASS_GE procedure which returns a code of true or false.
If any of these checks are unsatisfactory, an appropriate
error code is generated and the Segment Manager returns to
its calling point. If all checks are satisfactory, then a
- 175 -
pointer to the mentor segments MH_Handle array is derived
(HPTR) . Note that in the current memory manager design [5]
the actual MM_Handle contents are a Unigue_ID (a long word,
viz., two words concatenated), and an Index_No (index into
the G_AST, a word) ; thus together these two fields are a to-
tal of three words. Since the Segment Manager does not in-
terpret this handle, it is considered a three word array at
this level. For this reason, the entire uninterpreted
MM_Handle array will be passed by passing its pointer. This
pointer and Entry_No, Size, and Class are then passed in a
call to the distributed memory manager procedure
MM_CREATE_ENTRX. This procedure, in turn, performs IPC with
the memory manager process where segment creation ultimately
is accomplished. A success code is returned in an IPC mes-
sage from the memory manager process via the distributed me-
mory manager to the CREATE_SEGMENT procedure to indicate
success or failure as appropriate. This success code is
checked by the Segment Manager to ensure confinement would
not be violated if it is returned to the calling process'
supervisor domain. Only after the success code has been re-
turned can the action of segment creation be considered com-
plete. Segment creation does not imply the ability to re-
ference that segment; MAKE_KNOWN will accomplish that.
- 176 -
2. Delete a Segment
The function that deletes a segment (i.e., deletes a
segment from SASS) is DELETE_SEGMENT. Validation of parame-
ters and security checks are performed here similar to (but
fewer than) the CREATE_SEGMENT checks. The distributed me-
mory manager is then called to cause IPC with the memory
manager process, where segment deletion is realized through
secondary storage deallocation and alias table entry dele-
tions. DELETE_SEGMENT is passed as arguments: (1) Men-
tor_Seg_No and (2) Entry_No. Conversion of the Men-
tor_Seg_No to a KST index is accomplished first. The
pointer to the base of the KST is located and returned, as
before. The mentor segment is checked to ensure it is
known, again, by verifying that its own M_SEG_No (mentor
segment number) entry in the KST is not the NULL_SEG. The
process classification is obtained from the TC and checked
(by a call to CLASS_EQ) to ensure it is equal to the mentor
segment classification, since deleting an entry requires
write access to the alias table. If all caecks are satis-
factory, then the mentor segment 1 s ttfc_Handle pointer is der-
ived. This pointer and the mentor segment alias table entry
number are passed in a call to the distributed menory manag-
er procedure MM_DELETE_ENTSY. It then performs IPC with the
memory manager process where segment deletion is accom-
plished and a success code is returned as before.
- 177 -
3 • Make a Segment Known
The function that makes a segment known (i.e., adds that
segment to the process* address space by assigning a segment
number, updating the KST, and causing the memory manager
process to "activate" the segment (that is, add it to the
AST )) is MAKE_KNOWN. Making a segment known is the way the
Supervisor declares its intention to use a segment.
MAKE_KNOWN is passed as arguments: (1) Mentor_Seg_No, (2)
Entry_No, and (3) Acess_Desired (e.g., write, read, or
null) . It returns (1) a success code, (2) the access al-
lowed to the segment, and (3) the segment number. Conver-
sion of the mentor segment number to a KST index, finding
the KST pointer, and verifying that the mentor segment is
kncwn occur as previously discussed.
There are three basic cases that may occur in ,
MAKE_KNOWN: (1) the segment is already known (has an entry
in the KST)
, (2) the segment is not known and there is a
segment number available, or (3) the segment is not known
and there is no segment number available.
A search is made of the KST using each record's (seg-
ments) M_SEG_.No (mentor segment number) and Entry_Number
fields as the search key. If these two fields match the in-
put values Mentor_Seg_No and Entry_No, then the record in-
dexed is that of the desired segment; thus the segment to be
made known is already known. In this case, all that need be
done is to return the success code, segment number (convert-
- 178 -
ed from the index by adding to it the number of kernel seg-
ments)
,
and the access allowed (equal to the Access_Mode en-
try in the KST for the already known segment)
.
During the search of the KST, the M_SEG_No field is also
checked to see if it contains the NULL_SEG entry (this im-
plies that the segment number associated with the record is
"available")
.
The first time this is noted, the index is
saved. Note the first available index is saved since it is
desired to assign segment numbers at the "top" of the KST to
keep it dense there. When the search does not find that the
segment is already known, the index for the available seg-
ment number is retrieved and converted to segment number by
adding to it the number of kernel segments. If this index
is the NOLL_SEG entry, then there is no segment number avai-
lable. In this event, the success code is set to
NO_SEG_AVAIL, the segment number is assigned NOLL_SEG, and
access allowed is set to N l'LL_ACCESS (this is the third case
mentioned) , If the index is not equal to NULL_SEG and con-
version to segment number has occurred then the Traffic
Controller is called to provide the DBfi_No (descriptor base
register number) for the current process. The DBB_No is
used by the memory manager process as an index in the
aKD_Image and the local AST. The distributed memory manager
procedure MJ1_Ac tivate is called; it is passed the DBR num-
ber, the pointer to the mentor segment's JJM_Handle entry*
the mentor segment alias table Entry_No, and the segment
- 179 -
number. MM_Activate perforins the normal interface function
(performs IPC with the memory manager process procedure that
updates the local and global AST 1 s) and also updates the KST
entry for the new segment's MM_Handle entry (returned from
the memory manager process) . It also returns to the Segment
Manager the success code, the segment classification, and
the segment size from the memory manager process. If the
success code is "succeeded" then the issue of access to be
granted must be resolved. The process classification is ob-
tained from the TC and passed with the segment classifica-
tion to the NDS Module procedure CLASSJ5E. If the
CONDITION_CODE returned is FALSE then access allowed is
NULL_ACCESS, the segment number is NULL_SEG, and
MM_DEACTIVATE is called to deactivate the segment. An appro-
priate error code is returned. If it is greater than or
egual then the access allowed is assigned as follows: (1)
the two classifications are compared again— this time to see
if egual; (2) If they are egual, then the access allowed is
either read or write per the access desired; (3) if they are
not egual (i.e., the process class is greater than the seg-
ment class) then the access allowed is read. Finally the
KST entries for that segment number (more accurately for its
index in the KST) are filled with the appropriate informa-
tion (e.g., IN_CORE is false, etc.). If the success code
returned from the memory manager process via -che distributed
memory manager is not "succeeded", then the segment number
- 180 -
is set to NULL_SEG and the access allowed is set to
NULL_ACCESS.
4. Make a Segment Onknown (Terminate)
The function that makes a segment unknown (i.e., removes
that segment from the process* address space— by updating
the KST and causing the memory manager process to "deacti-
vate" the segment) is TERMIMATE. It results in removal of
the M_SEG_No (mentor segment number) entry from that seg-
ments KST record. Terminate is passed the segment number
of the segment to be terminated as an argument. It returns
a success code. Conversion of the segment number to a KST
index, finding the KST pointer, and verifying that the seg-
ment is known occurs in the same manner as previously dis-
cussed. The next check is to verify that the segment is not
still leaded in the process* virtual core (viz., it has been
"swapped-out") . If not, an error code is returned and the
user must cause the Segment Manager extended instruction
sa_SWAP_OUT to be executed. The next check is to ensure
that the user is not attempting to terminate a Kernel seg-
ment. The first several segment numbers in a process* ad-
dress space will be used by Kernel procedures and data
(though they will not be entries in the KST) . Thus if there
were 10 Kernel segments, then the segment number to be ter-
minated must be greater than or egual to #10 (since the Ker-
nel segments used f*s 0-9) . Thus a check is made to ensure
- 181 -
that the segment number is not less than the number of Ker-
nel segments; otherwise an error code is returned. Next,
the segment number is checked to ensure that it is not lar-
ger than the maximum segment number allowable (if so, an er-
ror code is returned) . If all checks are satisfactory, then
the segment's MM_Handle pointer and the process DBR_No are
obtained (as discussed before) and passed in a call to the
MH_Deactivate procedure. It calls the memory manager pro-
cess procedure DEACTIVATE which removes or updates (as ap-
propriate) the entries in the local and global AST's.
5. Swafi a Segment In
The function that swaps a segment from secondary storage
to main memory (global or local) is SH_SHAP_IN. It is
passed the segment number of the segment to be swapped in as
an argument and returns a success code. Conversion of the
segment number to a KST index, finding the KST pointer, and
verifying that the segment number is known are accomplished
as previously discussed. If the check is satisfactory, then
the segment's MM_Handle pointer and the process DBR number
are obtained. They are passed with the segment's access
mode (from the KST) as arguments in the call to HM_SWAP_IN.
It performs normal interface (IPC) functions and returns a
success code from the memory manager process 1 SWAP_IN proce-
dure (where, if not already in core, allocation of main me-
mory space and reading the segment into main memory occurs)
.
- 182 -
If the success code is "succeeded" then the segment's
IN_CORE antry in the KST is updated to show that the segment
is in main memory for this process (i.e., the entry is now
"true") .
6- Swag a Segment Out
The function that swaps a segment from main memory to
secondary storage is SM_SiAP_OUX. It is passed the segment
number of the segment to be swapped out as an argument and
returns a success code. The behavicr of SM_SWAP_OUT is ex-
actly analogous to that of SH_SMAP_I1J except that the seg-
ment's KST IN_CORE entry is updated to reflect that the seg-
ment has been removed from main memory for this process
(i.e., the new entry is "false").
C NQN-DISCRETJJ)NARY SECURITY MODOLE
The Non-Discretionary Security Module implements the
non-discretionary security policy for the SASS. The NDS mo-
dule contains two procedures: CLASS_EQ and CLASS_GE; both
compare two labels (classifications) and determine if their
relationship meets that of the procedure's name (i.e.,
egual, or greater than or equal) . Although the type of
checks being made are, in fact, compatibility checks. Simple
Security Condition checks, etc, the NDS Module does not re-
cognize or need to recognize this. It simply uses an algor-
ithm to determine if classification #1 = classification #2
- 133 -
or if classification #1 >= classification #2, as appropri-
ate. It then returns a condition code of true or false in
accordance with the particular case. The earlier discussion
of label comparison in accordance with a partially ordered
lattice structure is relevant in discussing the NDS Module^
algorithm. Consider the same "totally ordered" relationship
TS > S > C > of levels and the "disjoint" relationship Cy
I N | Nu j % of categories, comparison of levels will be
numerical comparisons while comparison of categories will
use set theory comparison as a basis. If TS=4, S=3, C=2, 0=1
are level numerical assignments, then the totally ordered
relationship is maintained (i.e., TS>S>C>U is still true).
Now consider the categories and make the following assign-
ments: Cy=1, N=2, Nu=4, X=0. Note that a classification may
have only one level and one category set (the category set
may contain several categories) . Consider this example:
(TS, Cy,N . The level is TS (=<*) . The category is the set
Cy,N and numerically is formed by performing a logical OB
with the categories Cy and N. Sixteen bit representation of
this is:
Cy OR N
(0000 0000 0000 0001) OR (0000 0000 0000 0010)
= 0000 0000 0000 0011 = Cy,N
If (TS, Cy,N ) is considered label #1 and (S, N ) as label
#2 then a comparison of the two labels would be:
(1) Compare level #1 with level #2 — 4 > 3?
Clearly, the answer is yes.
- 184 -
i?
(2) Compare category #1 with category #2 — is
(0000 0000 0000 0011) a superset of
(0000 0000 0000 0010), or more clearly
is the latter a subset of the former?
The answer is yes, and one way to show that is true is
by performing a logical OR of category #1 with category #2
and comparing the result to category #1. if the result of
the OR operation equals category #1 then category #1 is a
superset (not necessarily proper) of category #2. Since us-
age of the term subset is more frequent than that of super-
set, this relationship will typically be stated as "category
#2 is a subset of category #1. To illustrate the above;
cy,N OR N :
(0000 0000 0000 0011) OR (0000 0000 0000 0010)
= 0000 0000 0000 0011 = category #1.
This means , in this example, that category #2 is a sub-
set (not necessarily proper) of category #1. Since level #1
> level #2 and category #2 subset category *1 then label #1
> label #2. Thus, a call to the CLASS„EQ procedure with
these two labels as the input classifications would return a
condition code of false while CLASS_.GE would return true.
The decision to have the classifications as long word (32
bits) supports the requirement of some DoD specifications
for eight levels and sixteen categories. This module uses
sixteen bits for the level and sixteen bits for the catego-
ry. Appendix I is the PIZ/ASM listings for the NDS Module.
- 185 -
1 . Egijal Classification Check
The CLASS_EQ procedure perforins comparison of two clas-
sifications (labels) and returns a condition code of true if
they are equal (an exact match of the two long words bit per
bit) or false if they are not.
2- Greater or Egu&i Classification Check
The CLASSJ5E procedure performs comparison of two clas-
sifications (labels) and returns a condition code true if
classification #1 is greater than or equal to classification
#2 or a condition code of false otherwise. For classifica-
tion #1 to be greater than or equal to classification #2,
the following must be true: (1) level #1 >= level #2 (deter-
mine this by simple numerical comparison of values) and (2)
category #2 subset category #1 (determine this by performing
a logical OR with the categories and comparing the result to
category »1 — if they are equal then category #2 is a sub-
set of category #1).
Since PLZ/SYS allows passing only "simple" types in
calls, the labels were passed as long words (as opposed to
each being word arrays of length two) . An access class label
is never interpreted outside the NDS Module. However, with-
in the NDS Module it is necessary to address the classifica-
tions components separately (viz., level and category).
Thus, an "overlay" of the logical view of the classification
#as created. This overlay was a record cf type ACCESS_CLASS
- ie6 -
and it consisted of two fields: level — 16 bit integer and
category — 16 bit integer. A pointer type CPTR was declared
to be of type pointer to ACCESS_CLASS. Two other pointers
CLASS1_PT8 and CLASS2_PTR were declared to be of type CPTE
and were set equal to the base address of CLASS1 and CLASS2
respectively. This "overlay" of the record frame over the
two classification labels passed as arguments allowed the
desired component addressibility. Futhermore, the non-dis-
cretionary policy enforced by SASS can be changed from the
current DoD policy to another lattice policy by changing
(only) the HDS Module.
D« DISTRIBOTJD MEMORY IM1GI1 3LOD0LB
The Distributed Memory Manager Module performs as an in-
terface between the Segment Manager and the Memory Manager
Process. As its name implies, it is distributed in the ker-
nel domain of each Supervisor process. The key role per-
formed in this module is to arrange and perform interprocess
communication between its process (actually the VP) and the
memory manager process (VP) . The module consists of eight
procedures. Six of the procedures are called directly by
Segment Manager procedures; they are EM_CREATE_2NTR Y
,
MM_DELET2_SNTRY, MM_ACTIVATE, MM_DE ACTIVATE, MM_SWAP_IN, and
MM_SWA?_oar. The other two procedures are "service" proce-
dures called by multiple procedures; they are:
MM_GET_DBR_VALUE and PERFORM_IPC. The logic used in the
- 187 -
first six procedures is somewhat uniform (except for
MH_ACTIVATE) . Thus, the general logic will be explained
(with MM_CRSATE_ENTRY as an example) and it should suffice
as a description for all (except MM_ACTIVATE) procedures.
The servica procedures will be described separately.
1 • Description of Proced ures
Each procedure is invoiced (and returns) on a one to one
basis with a corresponding procedure in the Segment Manager.
For example, CREATE_SEGMENT invokes MM_CRE ATE_ENTRY which
signals the CREATE_ENTRY procedure in the Memory Manager
Process Module. Associated with each procedure is an IPC
message "frame" to describe the unique format of the con-
tents of the message to be signalled to the memory manager
process. Similarly, there must be a message "frame" for re-
turn messages from the memory manager process; this frame is
the same for all but the MM_ACTIVATE procedure. Consider the
message frame for MM_CREATE_ENTRY ; it consists of: (1) a
code to describe which function is to be performed (e.g.,
CREATE_CODE indicates that the CREATE_ENTRY procedure is the
intended recipient of the message), (2) MM_Handle (an array
of three words)
, (3) Entry_No, (4) Size, and (5) Class. The
message frame has a filler (in this case) of one byte to en-
sure that it is of length 16 bytes. The purpose of this
frame is to provide an overlay onto the actual message array
to be signalled and to facilitate loading the arguments into
- 188 -
the message array. This is accomplished by having a pointer
of the type that points to the frame but by converting its
address so that it actually points to the base of the mes-
sage array. Consider these lines of PLZ/SIS code:
CE_MSGPTR := CE_PTR COM_MSGPTR
CE_KSGPTR-».CREATE_CODE := CRE AT E_ENTRY_CODE
This code is putting a value into the structure pointed to
by CEJISGPTR at entry CREATE_C0DE. The key point is that
the frame of that structure is, in fact, CREATE_SSG (as de-
scribed before)
, but the physical location pointed to is the
message array. This is assured by having the pointer
CE_MSGPTR (which points to a structure of type CREATE_aSG)
set egual to a pointer (COM_HSGPTR) to the actual message
array (COH_MSGBOP) . This is accomplished by the first line
of code. The message array itself is never directly refer-
enced, but rather the message array that is overlayed by the
message frame is filled in the format of the CREATE_MSG
frame. In this example, the first two bytes of the message
array now contain the value cf the constant
CREATE_ENTRY_CODE. The remainder of the message array is
filled in the same manner (all procedures use the same no-
tion of a frame, although the frames have different for-
mats) . The PERFORM_IPC (perform interprocess communication)
procedure is called by all procedures at this point in their
execution. The key is that the argument passed is the mes-
sage array pointer not the pointer to the CREATE_MSG record
- 189 -
(after all it is only an overlay frame — linguistically, it
is only a type and is never declared as a structure requir-
ing memory storage allocation) . When PERFORM_IPC returns,
the message array contains a return message. This message
consists of only a success code and filler space in all cas-
es but MM_ACTIVATE. Interpretation of the return message is
performed in the same manner as loading the message array.
The retrieved success code is returned to the calling Seg-
ment Manager procedure. For MM_ACTIVATE, the return message
must be interpreted and values for success code, segment
size, and segment classification retrieved and returned to
the Segment Manager MAKE_KNOWN procedure. The value for the
MM_Handle (called the G_AST_Handle by the memory manager
process) must be retrieved and entered in the KST record for
this segment.
2. Interprocess Co mmunication
The final arrangements and actual performance of IPC is
completed by the internal procedure PERFORM IPC. By locating
the identity of the current physical processor (CPU) and us-
ing that identity to index into the MM_CPU_TABLE, the VP_ID
of the current memory manager is resolved, so that the memo-
ry manager process dedicated to this physical processor is
signalled. The call to K_LOCK is, in fact, a disguised call
to the SPIN_LOCK procedure (since K_LOCK calls SPIN_LOCK)
.
K_LOCK represents an ultimate (as yet unimplemented) goal of
- 190 -
a Kernel locking (wait-lock) system. in any event, the
G_AST lock must be set prior to signalling the memory manag-
er process. After SIGNAL has been called, a call is made to
WAIT with the pointer to the message array as the argument.
The synchronization cycle that results is: (1) PEEFORM_IPC
calls the ITC procedure SIGNAL with the memory manager VP_ID
and message array pointer as arguments; PEEFOHM_IPC then
calls WAIT with the message array as the argument, (2)
SIGNAL causes the message array to be copied into the mes-
sage gueue (in the V?T) of the appropriate VP_ID, (3) ulti-
mately, the signalled VP is scheduled; it had previously
called WAIT, passing a pointer to its own local message ar-
ray; the action of WAIT is to copy the message from the VPT
to the signalled process' local message array; there it is
interpreted by the memory manager process main procedure and
the appropriate procedure is called for action (e.g.,
CREAT2_ENTRY)
, (4) when action is completed the memory man-
ager process fills its local message array with the appro-
priate return message and calls SIGNAL with a pointer to the
message and the original signalling process 1 VP_ID as argu-
ments, (5) SIGNAL causes the memory manager process 1 message
to be copied into the VPT message gueue for the appropriate
VP_ID, (6) that 7P is eventually scheduled and through the
action of WAIT has the return message copied from its mes-
sage gueue in the VPT to its local message array; WAIT then
returns to ?ERFORH_IPC. The G_AST lock is unlocked and
- 191 -
PERFORM_IPC returns to the appropriate distributed memory
manager procedure.
The last procedure in the distributed memory manager is
MM_GET_DBR_VALUE. This procedure simply provides the ser-
vice of translating a DBR_NO {DBR number) into its appropri-
ate DBR address. It is called by the TC_GETaQHK procedure to
allow it to call the ITC procedure SWAP_VDBR (remember that
presently the Inner Traffic Controller deals with the DBR as
the address of the appropriate MMO record in the MMU_IMAGE
while the Traffic Controller uses DBR as a DBR number which
indexes to the appropriate MMO" record).
E. SUMMARY
The implementation of segment management functions and a
non-discrstionary security policy for the SASS has been pre-
sented in this chapter. The implementation of the Segment
Manager Module, Non-Discretionary Security Module, and Dis-




CONCLUSIONS AND FOLLON ON WORK
The implementation of segment management tor the securi-
ty kernel of a secure archival storage system has been pre-
sented. The implementation was completed on Zilog»s Z8002
sixteen bit nonsegmented microprocessor. Segmentation hard-
ware {Zilog*s Z8010 Memory Management Unit) was not availa-
ble, therefore it was simulated in software as described by
Reitz [12]. The loop free modular construction used in the
implementation facilitates ease of expansion or modifica-
tion.
A non-discretionary security policy was implemented us-
ing a partially ordered lattice structure as a basis. En-
forcement was realized through an algorithm that compared
two labels and determined if their relationship was equal to
a desired relationship. Although the DqO security classifi-
cation system was represented, any non-discretionary securi-
ty policy that may be represented by a lattice structure may
similarly be implemented. This implementation has shown that
by having the non-discretionary security policy enforced in
one module, changing to another policy requires changing
only this one module.
- 193 -
Software engineering techniques used in previous work
emphasized the advantages of working with code that is well
structured, well documented, and well organized. Despite be-
ing written in assembly language, Reitz* implementation of
multiprogramming and process management proved to be consis-
tent in style, clarity and documentation. This enhanced the
construction of a segment management demonstration which was
built onto his synchronization demonstration. Further, re-
finements made to his code (not necessitated by any failures
of his coda) were relatively easily accomplished.
While the segment management implementation appears to
perform properly, it has not been subjected to a formal test
plan. Such a test plan should be developed and implemented.
The Memory Manager Process has been designed but not im-
plemented. Segment management implementation, provision for
IPC using more practical size messages, and the detailed de-
sign of the memory manager by Moore and Gary £5], provide a
sound foundation for memory manager implementation. A frame-
work of the mainline code needed is provided in the Memory
Manager Module of the demonstration code in Appendix J. Pri-
or to this implementation, formal testing of the segment
management implementation herein and the monitor implemented
by Reitz [12] should be completed.
- 194 -
PART F
IMPLEMENTATION OF PROCESS MANAGEMENT FOR A
SECURE ARCHIVAL STORAGE SYSTEM
This section contains excerpts from a Naval Postgraduate
School MS Thesis by A. R. Strickier [19]. The origins of
these excerpts are:
INTRODUCTION from Chapter I
IMPLEMENTATION ISSUES from Chapter III
PROCESS MANAGEMENT IMPLEMENTATION from Chapter 17
CONCLUSION from Chapter V
Minor changes have been made for integration into this report
Chapter XX
INTBODOCTION
This thesis addresses the implementation of process Man-
agement functions for the Secure Archival Storage System or
SASS. This system is designed to provide multilevel secure
access to information stored for a network of possibly dis-
similar host computer systems and the controlled sharing of
data amongst authorized users of the SASS. Effective pro-
cess management is essential to insure efficient use and
control of the system.
The major accomplishments of this thesis effort include
the provisions for efficient process creation and manage-
ment. These functions are provided through the establish-
ment of a system Traffic Controller and the creation of a
virtual interrupt structure. An effective mechanism for in-
ter-process communication and synchronization is realized
through an Event Manager that makes use of uniquely identi-
fied segments supported by eventcount and sequencer primi-
tives. A hardware controlled two domain operational envi-
ronment is created with the necessary interfacing between
domains provided by a software "gate" mechanism. Additional
support is provided through considerable work in the area of
database initialization and a technique for limited dynamic
memory allocation.
- 196 -
This implementation was completed on the commercial AMC





Issues bearing on the implementation of process manage-
ment and refinements made to existing modules are presented
in this chapter. Process management for the SASS was pro-
vided through the implementation of the Traffic Controller
Module, the Event Manager Module, the Distributed Memory
Manager Module, and a Gate Keeper Stub (system trap) . Addi-
tionally, since a demonstration/testbed was integral to the
testing and verification of the implementation, it was ne-
cessary to complete other supportive tasks. These suppor-
tive tasks included limited Kernel database initialization,
revised preempt interrupt handling mechanisms. Idle process
definition and structure, and additional refinements to ex-
isting modules.
A. DAJAB4§E INITIALIZATION
Previous work on SASS has relied on statically built da-
tabases, which proved to be sufficient for demonstration of
a single processor, single host supported system. In the
current demonstration, multiple hosts are simulated, and the
Kernel data structures have been refined to represent a mul-
tiprocessor environment. Since a multiprocessor system was
- 198 -
unavailable at the time of this demonstration, several
"runs" were made and traced, using different logical CPU
numbers, to show the correctness of this structure. Due to
this multiprocessor representation and simulation of multi-
ple hosts, the use of statically built Kernel databases was
no longer convenient. Therefore, it became necessary to
provide initialization routines for the dynamic creation of
these Kernel databases required for this implementation.
While it was not the intent of this effort to implement sys-
tem initialization, care was taken in the writing of these
initializing routines so that they might be utilized in the
system intiaiiz ation implementation with, hopefully, minimal
refinement. Database initialization was restricted to those
databases existing in the Inner Traffic Controller and the
Traffic Controller. Limited elements of the Known Segment
Table (KST) and Global Active Segment Table (G_AST) were
also created for demonstration purposes.
1- Iaa§£ S£afiic Controller Initialization
A "Bootstrap Loader" Module, which logically exists at a
higher level of abstraction within the Kernel, was created
to initialize the databases of the Inner Traffic Controller.
This initialization includes the creation of: 1) the Pro-
cessor Data Segment (PRDS) , 2) an MMU Map, 3} Kernel domain
stack segments for Kernel processes, 4) allocation and up-
dating of MMU entries for Kernel processes, and 5) Virtual
Processor Table (VPT) entries.
- 199 -
The PRDS was loaded with constant values that specify
the physical CPU ID, logical CPU ID, and number of VP's al-
located to the CPU. A design decision was made to allocate
logical CPU ID's in increments of two (beginning with zero)
so that they could be used to directly access lists indexed
by CPU number. The MMU map, constructed as a "byte" map,
was created to specify allocated and free MBU Image entries.
A separate procedure, CREATE_STACK, was created to es-
tablish the initial Kernel domain stack conditions for Ker-
nel processes. A discussion and diagram of these initial
stack conditions is presented in the next section.
ALLOCATE_HMU checks the MMU Map and allocates the next
availabe MMU entry to the process being created. The PRDS
is inserted in the allocated MMU entry and the DBR number is
returned to the calling procedure. The DBR number (handle)
is merely the offset of the DBR in the HMU Image. Since the
ITC deals with an address rather than a handle, a procedure,
GET_DBR_ADDR, was created to convert this offset into a phy-
sical address. UPDATE_MMU_IMAGE is the procedure which
creates or modifies MMU Image entries. UPDATE_MMU_IMAGE ac-
cepts as arguments the DBR number, segment number, segment
attributes, and segment limits. To facilitate process
switching and control, various process segments must possess
the same segment number system wide. This is accomplished
during initialization through the use of the
UPDATE_MMU_IHAGE procedure. In the ITC, these segments in-
- 200 -
elude the PHDS (segment number zero) and the Kernel stack
segment (segment number one).
The final task required in ITC intializat ion is the
creation of the VPT. The VPT header is initialized with the
"running" and "ready" lists pointers set to a 'nil* state,
and the "free" list pointer set to the first entry in the
message table. Virtual Processor entries are inserted in
the main body of the VPT by the UPDATE_VP__I ABLE procedure.
Entries are first made for the VP»s permanently bound to the
Memory Manager and Idle processes. The VP bound to the MM
process is given a priority of 2 (highest) , and the VP bound
to the Idle process is given a priority of (lowest) . The
External VP ID for both of these VP's is set to "nil" as
they are not visible to the Traffic Controller. The remain-
ing VP«s allocated to the CPU (viz., TC visible VP 1 s) are
then entered in the VPT with a priority of 1 (intermediate)
,
and their "idle" and "preempt" flags are set. The preempt
flag is set for these TC visible VP*s to insure proper sche-
duling by the Traffic Controller, The DBR for these remain-
ing VF»s is initialized with the Idle process DBR. A dis-
cussion of "idle" processes and VP f s will be provided later
in this chapter. The External VP ID for each TC visible VP
is merely the offset of the next available entry in the
EXTERNAL VP LIST. This External VP ID is entered in the
VPT, and the corresponding VP ID (viz., VPT Entry #) is en-
tered in the EXTERNAL VP LIST.
- 201 -
Once these VPT entries have been made, it is necessary
to set the state of each VP to "ready" and thread them (by
priority) into the appropriate ready list. A VPT threading
mechanism was provided by Reitz [12] in procedure
MAKE_READY. However, it was desired to have a more general
threading mechanism that could be used for other lists.
Procedure LIST_INSERT was created to provide this general
threading mechanism. LIST_INSERT is logically a "library"
function that exists at the lowest level of abstraction in
the Kernel. This function threads an object into a list
(specified by the caller) in order of priority, and then
sets its state as specified by the calling parameters.
Once the "Bootstrap Loader" has completed ITC initiali-
zation, it passes control to the ITC GETiORK procedure to
begin VP scheduling.
2. Traffis Controller Initialization
The initialization routines for the TC include rc_INIT,
CREATE_PROCSSS, and CREATE_KST. These routines are called
from the Memory Manager process. The MM process was chosen
to initiate these routines as it is bound to the highest
priority VP and will begin running immediately after the In-
ner Traffic Controller is initialized. Procedure
MM_ALLOCATE was written to allocate memory space for data
structures during initialization (viz.. Kernel stacks, user
stacks, and KST's). Memory space is allocated in blocks of
- 202 -
100 (hex) bytes. MM_ALLOCATE is merely a stub of the memory
allocating procedure designed by Moore and Gary [5].
It was necessary to pass long lists of arguments to the
TC for initialization purposes. To aid in this passing of
parameters, a data structure template was used. This temp-
late was created by declaring the parameters as a data
structure in both the sending and receiving procedures, and
then imaging this structure at absolute address zero. The
process 1 stack pointer was then decremented by the size of
the parameter data structure, and the parameters were loaded
into this data structure indexed by the stack pointer. This
template made it very easy to send and receive long argument
lists using the process' stack segment.
TC_INIT initializes the APT header and virtual interrupt
vector (discussed later) . Each element of the running list
is marked "idle", the ready and blocked lists are set to
"nil", and the number of VP*s and first VP for each CPU are
entered in the VP table. The address of the virtual preempt
handler is then passed to the ITC procedure CSEATE_INT_VEC
for insertion in the virtual interrupt vector.
CEEATE_PROCESS intializes user processes and creates en-
tries in the APT. ALLOCATE_MHU is called to acquire a DBR
number, and an APT entry is created with the process de-
scriptors (viz.
,
parameters) . The process is then declared
"ready" and threaded into the approciate ready list by
calling the threading function, LIST_INSEBT. A user stack
- 203 -
is allocated and UPDATE_MMU_IMAGE is called to include the
user stack in the MMU as segment number three. Ihe user
stack contains no information or user process initialization
parameters (viz., execution point and address space) as all
processes are initialized and begin execution from the Ker-
nel domain. Next, a Kernel domain stack is allocated and
included in the HM(J Image. A design decision was made to
initialize the Kernel stacks for user processes with the
same structure as the Kernel process 1 stacks. The rationale
for this decision is presented in the next section. As a
result of this decision, it became possible to use the
CREATE_STACK procedure in building Kernel domain stacks for
both Kernel and user prosesses. CBEAIE_STACK was therefore
used as a library function and placed in the library module
with LIST-INSERT.
Finally, a Known Segment Table (KST) stub is created to
provide a means of demonstrating the mechanism provided by
the eventcounts and sequencers for interprocess communica-
tion (IPC) and mutual exclusion. Space for the process* KST
is created by calling MM_ALLOCATE. The KST is then included
in the process' address space, as segment number two, by
aPDATE_a?lU_IilAGE. Initial entries are made in the Known
Segment Table by procedure CHEATE_KST. CREATE_KST makes an
entry in the KST for the "root" and marks the remaining KST
entries as "available." The Onigue_ID portion of the root's
handle (viz., upper two words) is initialized as -1 (for
- 204 -
convenience) and the G_AST entry number portion of the han-
dle (viz., lowest word) is initialized with zero.
3. Additional Init ial ization. Beguirements
As already mentioned, the Memory Manager Process prepares
the arguments utilized by TC_INIT, CREATE_PROCESS, and
CREATE_KST for TC initialization and user process creation.
Additionally, the MM process creates a Global Active Segment
Table (G_AST) stub utilized for demonstration of event data
management. The G_AST stub is declared in a separate module
(viz., the DEMO_DATABASE Module) with the format prescribed
by Moore and Gary [5]. However, the only fields initialized
and utilized by this implementation are UNIQUE_ID,
SEQUENCES, INSTANCE 1, and INSTANCE 2. The eventcounts and
seguencer fields are initialized as zero whenever an entry
is created in the G_AST. The ONIQUE^ID is created just to
support this demonstration and does not reflect the seg-
ment's unigue identifier as specified by Moore and Gary [5].
In this demonstration, UNIQUE_ID is built with the parame-
ters passed to MM_ACTIVATE. The first word in UHIQU£_ID is
the G_AST entry number of the segment's parent, and the sec-
ond word is the segment's entry number into the alias table.
The UNIQUE_ID together with the offset of tie segment's en-
try in the G_AST comprise the segment HANDLE maintained in
the KST. The first entry in the G..ASI is reserved for the
root, and is initialized with an Unigue_ID of minus one
- 205 -
(-1). It should be noted that any call to att_ACTIVATE for a
segment already possessing an entry in the G_AST will not
effect any changes to that entry. This is to insure that a
single G_AST entry exists for every segment as specified by
Moore and Gary [5].
B. PREEMPT INTERRUPTS
Various refinements were made in the handling of both
physical (hardware) and virtual (software) preempt inter-
rupts. A hardware preempt is a non-vectored interrupt that
invokes the virtual processor scheduling mechanism (viz.,
ITC GETWORK) . A virtual preempt is a software vectored in-
terrupt that invokes the user process scheduling mechanism
(viz., TC_GETWORK) . This implementation provides the notion
of a virtual interrupt that closely mirrors the behavior of
a hardware interrupt. In particular, there are similar con-
structs for initialization of a handler, invokation of a
handler, masking of interrupts, and return from a handler.
As with most hardware interrupts, a victual interrupt can
occur only at the completion of execution for an "instruc-
tion," where each kernel entry and exit for a process delim-
it a single "virtual instruction."
- 206 -
1 • 2kZ§ical Preempt Handler
The physical preempt handler resides in the virtual pro-
cessor manager (viz.
, Inner Traffic Controller)
. The func-
tions it perform are: 1) save the execution point, 2) in-
voke ITC GETWORK, 3) check for virtual preempt interrupts,
4) restore the execution point, and 5j return control via
the IRET instruction. Reitz [12] included the hardware
preempt handler in ITC GETWORK by establishing two entry
points and two exit points, one for a regular call to
GETWORK and another for the preempt interrupt. He had a se-
parate procedure, TEST_PREEMPT, that *as used to check for
the occurrence of virtual preempt interrupts. This structure
works nicely, but it reguires some means of determining how
GETWORK was invoked so that the proper exiting mechanism is
used. This was resolved by incorporating a preempt inter-
rupt flag in the status register block of every process 1
Kernel domain stack segment. A design decision was made to
restructure the hardware preempt handler into a single and
separate procedure, PHYS_PREEMPT_HANDLER. This allowed ITC
GETWORK to have a sugle entry and exit point, and it did
away with the necessity of maintaining a preempt interrupt
flag in the process stacks. PHYS_PRE2HPT_HANDLER was con-
structed from the preempt handling code in GETWORK and
procedure TEST_PB2EHPT. TEST_?REEMPT was delated from the
ITC as its functions were performed by PHZS_PREEMPT-HANDLER.
- 207 -
A further refinement was made to the hardware preempt
handler dealing with the method by which the virtual preempt
handler was invoiced. Reitz [12] invoked the virtual preempt
handler from TEST_PREEMPT by means of the "call" instruc-
tion. Since the virtual preempt handler logically exists at
a higher level of abstraction than the ITC, this invocation
violated our notion of only allowing "calls" to lower or
equal abstraction levels. However, this deviation was ne-
cessitated by the absence of a virtual interrupt structure.
This problem was alleviated by creating a virtual interrupt
vector in the ITC that is used in the same way as the hard-
ware interrupt vector. The virtual preempt was given a vir-
tual interrupt number (zero). The virtual interrupt handler
is then invoked by means of a "jump" through the virtual in-
terrupt vector for virtual interrupt number 0. This invoca-
tion occurs in the same manner that the handlers for hard-
ware interrupts are invoked. The virtual interrupt vector
is created by procedure CREATE_INT_VEC. CRE ATE_INT_VEC ac-
cepts as arguments a virtual interrupt number and the ad-
dress of the interrupt handler. The creation of the virtual
preempt entry in the virtual interrupt vector is accom-
plished at the time of the Traffic Controller initialization
by TC_INIT.
- 208 -
2. Virtual Preem2t Handles
The virtual preempt handler (VIRT_PREEMPT_HANDLER) re-
sides in the user process manager (viz., the Traffic Cont-
roller)
.
The functions performed by VIRT_PREEMPT_HANDLER
are: 1) determine the VP ID of the virtual processor being
preempted, 2) invoke the process scheduling mechanism (viz.,
TC_GETWORK)
,
and 3) return control via a virtual interrupt
return. The correct VP ID is obtained by calling RUNNING_VP
in the ITC. The Active Process Table is then locked, and
the state of the process running on that VP is changed to
"ready." kz this time, process scheduling is effected by
calling TC_GETVORK. Once process scheduling is completed,
the APT is unlocked and control is returned via a virtual
interrupt return. This virtual interrupt return is merely a
jump to the PREEMPT_RET label in the hardware preempt han-
dler (This jump emulates the action of the IRET instruction
for a hardware interrupt return)
.
This label is the point
at which the virtual preempt interrupts are unmasked.
All Kernel processes are initialized to appear as thougn
they are returning from a hardware preempt interrupt. All
user processes initially appear to be returning from a vir-
tual preempt interrupt. Therefore, the initial conditions
of a process' Kernel domain stack is largely influenced by
the stack manipulation of the preempt handlers. Figure 44


























Figure 44: Initial Process Stack
- 210 -
The initial Kernel Flag Control Word (FCW) value is
"5000", indicating non-segmented code r system mode of opera-
tion, non-vectored interrupts masked, and vectored inter-
rupts enabled. The Current stack Pointer value is set to
the first entry in the stack (viz., SP) . The IEET Frame is
the portion of the Kernel stack affected by the IRET in-
struction. The first element. Interrupt ID (set to "FFFF")
is merely popped off of the stack and discarded. The next
element, Initial FCW, is popped and placed in the system
Flag Control Word. Initial FCW is set to "5000" for Kernel
processes and "1800" (indicating normal mode with all inter-
rupts enabled) for user processes. The final element of the
IRET frame, Initial IC is popped off of the stack and
placed in the program counter (PC) register. This value is
initialized as the entry address of the process in question.
The "register" entries on the stack represent the ini-
tial register contents for the process at the beginning of
its execution. Since the Kernel processes (viz., MM and
Idle) do not require any specific initial register states,
their entries reflect the register contents at the time of
stack creation. Initial register conditions are used to
provide initial "parameters" required by the user processes.
This will depend largely upon the parameter passing conven-
tions of the implementation language. The means for regis-
ter initialization was provided through CREATE_PEOCESS ; how-
ever, the only initial register condition used for the user
- 211 -
processes in this demonstration was register #13. Register
#13 was used to pass the user ID/Host number of the process
created. This value is utilized by the user process in ac-
tivating the segment used for inter-process communication
between a Host's Pile manager and I/O processes. Another
logical parameter passed to the user processes is the root
segment number. This did not reguire a register for passing
in the demonstration as it is known to be the first entry in
the KST for all processes. The N__S_P entry on the stack
represents the initial value of the normal stack pointer.
For user processes, this value is obtained when the Supervi-
sor domain stack for that process is created. For Kernel
processes, this value is set to "FFFF" since they execute
solely in the Kernel domain and have no Superivsor domain
stack. The Preempt Return Point specifies the address where
control will be passed once the process' VP is scheduled and
the "return" from ITC GETWORK is executed. For Kernel pro-
cesses, this is the point within the hardware preempt han-
dler where the virtual processor table is unlocked. For
user processes, this is the point within the virtual preempt
handler where the Active Process Table is unlocked.
It is important to note that if the APT was not unlocked
when a user process began its initial execution, the system
would become deadlocked and no further process scheduling
could occur. It should be further noted that the initial
stack conditions for user processes do not reflect a valid
- 212 -
history of execution. The "normal" history of a user pro-
cess returning from ITC GETWORK after a virtual preempt in-
terrupt would reflect the passing of control through
SKAP_VDBR and TC_GETWORK to the point in the virtual preempt
handler where the APT is unlocked. Another "possible" his-
tory could reflect the occurrence of a hardware preempt in-
terrupt at the point in the virtual preempt handler where
the APT is unlocked. Such a history would be depicted by
replacing the current top of the stack with the return point
into the hardware preempt handler (viz., at the point of
virtual preempt interrupt unmasking) and an additional hard-
ware preempt interrupt frame whose IC value in the IRET
frame is the point in the virtual preempt handler where the
AFT is unlocked. The current initial stack condition fcr
user processes was chosen for its ease of understanding and
its clear depiction of the fact that the structure of a Ker-
nel domain stack is the same for both Kernel and user pro-
cesses.
C IDLE PROCESSES
In the SAS3 design, there logically exists a Kernel do-
main "Idle" process for every physical processor in the sys-
tem and a Supervisor domain "Idle" process for every "TC vi-
sible" virtual processor in tae system. These processes are
necessary to insure that both the VP scheduler (viz., ITC
GETWORK) and the process scheduler (TC_GETWORK) will always
- 213 -
have some object to schedule, hence precluding any CPU or VP
from ever having an undefined execution point. Since the
Kernel domain Idle process performs no useful work, it could
be included within the ITC by means of an infinite looping
mechanism. The Kernel Idle process was maintained separate-
ly, however, as it is hoped that future work on SASS will
provide this Idle process with some constructive purpose
(e.g., performing maintenance diagnostics).
The Supervisor domain Idle processes (hereafter referred
to as TC Idle processes) are scheduled (bound) on VP«s when
there are no user processes awaiting scheduling. Since a TC
Idle process performs no user constructive work, we do not
want any VP executing a TC Idle process to be bound to a
physical processor. In other words, a VP bound to a TC Idle
process assumes the lowest system priority (represented by
the "idle flag"). Therefore, any such VP will have its idle
flag set and will not be scheduled unless it receives a vir-
tual preempt interrupt. Such an interrupt will allow the VP
to be rescheduled by the Traffic Controller. It should be
obvious, at this point, that a TC Idle process will never
actually begin execution on a real processor. This know-
ledge allowed a design decision to be made to only simulate
the existence of TC Idle processes. At the TC level, this
was accomplished by a constant value, IDLE_PROC, that was
used as a process ID in the APT running list, thus preclud-
ing the necessity of any "Idle" entries in the APT. At the
- 214 -
ITC level, any VP marked "Idle" (viz., the idle flag set)
was given the DBR number (viz., address space) of the Kernel
Idle process solely to provide the use of a Kernel domain
stack for rescheduling of the VP.
D. ADDITIONAL KERNEL REFINEMENTS
In addition to those already discussed, several other
refinements to existing Kernel modules were effected in this
implementation. One of these refinements deals with the way
virtual processors are identified by the Traffic Controller.
In the current implementation, all TC visible virtual pro-
cessors are given an External VP ID which corresponds to its
entry number in an External VP List. This required a modi-
fication to the ITC procedure RUNNING_VP. The benefits der-
ived from this refinement included the ability to directly
access the External VP ID in the Virtual Processor Table
vice the requirement of a run time division to compute its
value and the ability to use the External VP ID as an index
into the TC running list.
Refinements were also made to the existing Memory Manag-
er, File Manager and 10 process stubs used for demonstration
purposes. These refinements were largely associated with
the eventcount and sequencer mechanisms utilized in this im-
plementation. The current status of these processes is pro-
vided in this report.
- 215 -
The remaining refinements deal largely with the MMO Im-
age. In aoore and Gary's [5] design, the MMU Image was man-
aged by the Memory Manager process. This was largely be-
cause the MMO* Image is a processor local database and would
seem well suited for management by the non-distributed Ker-
nel. In fact, the MMU Image is utilized mainly by the ITC
for the multiplexing of process address spaces. Therefore,
in the current design, the MMU Images are maintained by the
Inner Traffic Controller. However, the MMU header proposed
by Moore and Gary (viz., the BLOCKS_USED and
MAXIMUM_AVAILABLE_BLOCKS fields) was retained in the Memory
Manager as it is used strictly in the management of a pro-
cess* virtual core and is not associated with the hardware
MMO.
In Wells 1 design [20], the Traffic Controller used the
linear ordering of the DBR entries in the MMU Image as the
DBR handle (viz., 1,2,3...). This required a run time divi-
sion operation to compute the DBS numoer, and a run tim
multiplication operation, by MM_GET_DBR_VALUE , to recompute
the DBR address for use by the ITC. In the current design,
the offset of the DBR entry in the MMU Image (obtained at
the time of KMO allocation) is used as the DBR handle in th€
Traffic Controller. Furthermore, SWAP_VDBR was refined tc
accept a DBR handle rather than a DBR address to preclude
the necessity of the Traffic Controller having to deal witl
MMO addresses. DBR addresses are computed only within th<
- 216 -
€
ITC (viz., by procedure GET_DBR_ADDR) by adding the value of
the DBR handle to the base address of the MMU Image. Since
DBR addresses are now used solely within the ITC, procedure
MM_GET_DBB_VALUE was no longer needed and was deleted from
the Memory Manager.
E. SUMMARY
The primary issues addressed in this thesis effort have
been presented in this chapter. Aside from the process man-
agement functions, this description included a mechanism for
limited Kernel database initialization, a revised preempt
interrupt handling mechanism, the creation of a virtual in-
terrupt structure, a definition of "idle" processes and
their structure, and a discussion of the minor refinements
effected in existing SASS modules. A detailed description
of the implementation of process management functions for




The implementation of process management functions and a
gate keeper stub (system trap) is presented in this chapter.
The implementation is discussed in terms of the Event Manag-
er, Traffic Controller, Distributed Memory Manager, Oser
Gate, and Kernel Gate Keeper modules. A block diagram dep-
icting the structure and interrelationships of these modules
is presented in Figure 45. Support in developing the Z8000
machine code for this implementation was provided by a Zilog
MCZ Developmental System operating under the RIO operating
system. The Developmental System provided disk file manage-
ment for a dual drive, hard sectored floppy disk, a line
oriented text editor, a PLZ/ASM assembler, a linker and a
loader that created an executable image of each Z8000 load
module. An upload/download capability with the Am96/4 116
MonoBoard computer was also provided. This capability,
along with the general interfacing of the Am96/<*116 into the
SASS system, was accomplished in a concurrent thesis endea-
vor by Gary Baker. Baker's work relating to hardware ini-
tialization in SASS, will be published upon completion of
his thesis work in June 1981.
- 218 -







1 1 I i
\ Read | | Atrait I I Ticket | | Advance |
I 1 «
1












I TC.Await | I Process | j TC_Advance |







TC_Getwork | | Virt Int |j_,















Figure 45: Implementation Module Structure
- 219 -
A. EVENT MANAGER HOPPLE
The eventcount and sequencer primitives [11]# which are
system-wide objects, collectively comprise the event data of
SASS. As mentioned earlier, this event data is tied direct-
ly to system segments and is stored in the Global Active
Segment Table. There are two eventcounts and one sequencer
for every segment in the system. These objects are identi-
fied to the Kernel in user calls by specification of a seg-
ment number. Once this segment number is identified by the
Kernel, the segment's handle can be obtained from the pro-
cess 1 Known Segment Table. The segment handle identifies
the particular entry in the G_AST containing the event data
desired.
The Event Manager module manages the avent data within
the system and provides the mechanism for interprocess com-
munication between user processes. The Event Manager con-
sists of six procedures. Four of these (Advance, Await,
Read, and Ticket) represent the four user extended instruc-
tions provided by the Event Manager. The remaining two
procedures provide internal computational support to include
necessary security checking. The Event Manager is invoked
solely by user processes, via the Gate Keeper, through uti-
lization of the extended instruction set provided. For ev-
ery Event Manager extended instruction invoked by a user
process, the non-discretionary security is verified by com-
- 220 -
paring the security access classification of the process in-
voking the instruction with the classification of the object
(segment) being accessed. Access to the user process 1 Known
Segment Table is reguired by the module in order to ascer-
tain the segment handle and security class for a given seg-
ment number
.
The PLZ/ASM asssmbly language listing for the
Event Manager module is provided in Appendix A. A more de-
tailed discussion of the procedures comprising the Event
Manager follows.
1 • SugEort Procedures
The procedures GET_HANDLE and CQNVERT_AND_VERIFY provide
internal support for the Event Manager and are not visible
to the user processes. Procedure CONVERT_AN£_VERIFY is in-
voked by the four procedures representing the instruction
set of the Event Manager. The input parameters to
CONVERT_£M: _VERIFY are a segment number and a requested mode
of access {viz., read or write). C'CNVERT„AND_VERIFY returns
a pointer to the segment's handle and a success code.
Procedure GET_HANDLE is invoked solely by
CONVERT _AND_VERIFY. The input parameter to GET_HANDLE is
the segment number received as input by CONY ERT_AND_VERIFY.
GET_HANDLE returns a pointer to the segment's handle, a
pointer to the segment's security classification, and a suc-
cess cede. A discussion of the functions provided by these
support procedures follows,.
- 221 -
Procedure GET_HANDLE translates the segment number, re-
ceived as input, into a KST index number and verifies that
the resulting index number is valid. Next the base address
of the process' KST is obtained from procedure
ITC_GET_3E3_PTR. The KST index number is then converted
into a KST offset value and added to the base address to ob-
tain the appropriate KST entry pointer for the segment in
guestion. A verification is then made to insure that the
referenced segment is "known" to the process. If the seg-
ment is not known, an error message is returned to
CONVERT_AND_VERIFY. Otherwise, a pointer to the segments
handle is obtained to identify the segment to the memory
manager. A pointer to the segment's security class entry in
the KST is also returned for use in appropriate security
checxs.
Procedure CONVERT_AND_VERIEY provides the necessary
non-discretionary security verification for the extended in-
struction set of the Event Manager. Procedure GET_HANDLE
is invoked for segment number verification and to obtain
pointers to the segment's handle and security class. If
GET_HANDLE returns with a successful verification, the pro-
cess' security class is compared to the segment's security
class to verify the mode of access requested. A request for
"write" access causes invocation of the CLASS_EQ function in
the Non-Discretionary Security Module to insure that tne se-
curity classification of the process is equal to the classi-
- 222 -
fication of the eventcount or sequencer, which is the same
as that of the segment. Otherwise, the CLASSJSE function is
called to verify that the process has read access. if the
appropriate security check is unsuccessful, an error code is
returned by CONVERT_AND_VERIFY. Otherwise, the segment han-
dle is returned along with a success code of "succeeded" in-
dicating that the user process possesses the necessary se-





Procedure READ ascertains the current value of a user
specified eventcount and returns its value to the caller.
The input parameters to READ are a segment number and an
instance (viz., an event number). CONVERT_AND_VERIFY is in-
voked with a "read" access request to obtain the segment's
handle and necessary verification. "Read" access is suffi-
cient for this operation as it only requires observation of
the current eventcount value and performs no data modifica-
tion. If verification :.s successful, procedure
MM_READ_EVENTCOu*NT is called to obtain the eventccunt value.
3 Ticket
Procedure TICKET returns the current sequencer value for
the segment specified by the user. CONVEBT_AND_VERIFY is
called with a request for write access to obtain verifica-
- 223 -
tion and the segment handle. Write access is required be-
cause once the sequencer value is read it must be increment-
ed in anticipation of the next ticket request. Once verifi-
cation is complete, MMJTICKET is invoked to obtain the se-
quencer value that is returned to the user process. It is
noted that every call to TICKET for a particular segment
number will return a unique and time ordered sequencer va-
lue. This is because the sequencer value may only be read
within MM_TICKET while the G_AST is locked, thereby prevent-
ing simultaneous read operations. Futhermore, once the se-




Procedure AWAIT allows a user process to block itself
until some specified event has occurred. The parameters to
AWAIT include a segment number and instance, which identify
a particular event, and a user specified value which identi-
fies a particular occurrence of the event. Verification of
read access and a pointer to the segment's handle is ob-
tained fuom procedure C0NVERT_AND_VERIFY.
.
Procedure
TC_AWAIT is invoked to effect the actual waiting for the
event occurrence. TC_AWAIT w^ll not return to AWAIT until
the requested event has occurred. It is noted that AWAIT
makes no assumptions about the event value specified by the
user. Therefore, the Kernel cannot guarantee that the event
- 22U -
specified by the user will ever occur; this is the responsi-
bility of other cooperating user processes.
5. Advance
Procedure ADVANCE allows a user process to broadcast the
occurrence of some event. This is accomplished by incre-
menting the value of the eventcount associated with the
event that has occurred. The parameters to ADVANCE include
a segment number and instance which identify a particular
event. The calling process must have write access to the
identified segment as modification of the eventcount is re-
quired. Verification of write access and a pointer to the
segments handle is obtained through procedure
CONVERT_AND_VERIFY. Procedure TC_ADVANCE is invoked to per-
form the actual broadcasting of event occurrence.
B« TRAFFIC CONTROLLER MODULE
The primary functions of the Traffic Controller module
are user process scheduling and support of the inter-process
cott-.mur.ication mechanism. The Traffic Controller is invoked
by the occurrence of a virtual preempt interrupt and by the
Erect Manager and the Segment Manager through the extended
instruction set: TC_Advance, TC_Await # Process_Class, and
Get_DBR_Nu*MBER. The Traffic Controller module is comprised
of nine procedures. Four of these procedures represent the
extended instruction set of the Traffic Controller. A de-
- 225 -
tailed discussion of six of the procedures contained in the
Traffic Controller module is presented below. The remaining
three procedures (viz., TC_INIT, CREAIE_PROCESS , and
CREATE_KST) were described in chapter three. The PLZ/ASM
assembly language source code listings for the Traffic Cont-
roller module is provided in Appendix B.
1 • TC Getworlc
Procedure TC_GETWORK provides the mechanism for user
process scheduling. The input parameters to TC_GETWORK are
the VP ID of the virtual processor to which a process will
be scheduled and the logical CPU number to which the virtual
processor belongs. The determination of which process to
schedule is made by a looping mechanism that finds the first
"ready" process on the ready -ist associated with the cur-
rent logical CPU number. Processes appear in the ready list
by order of priority. This looping mechanism is required as
both "running" and "ready" processes are maintained on the
ready list. This ready list structure was chosen to simpli-
fy the algorithm provided in procedure TC_Advance. If a
ready process is found, its state is changed to "running"
and its process ID (viz., the APT entry number) is inserted
in the running list entry associated with the current virtu-
al processor. Procedure SHAP_VDBR is then invoiced in the
Inner Traffic Controller to effect the actual process
switch. If a ready process was not found (viz., the ready
- 226 -
list was empty or comprised solely of "running processes")
,
then the running list entry associated with the current vir-
tual processor is marked with the constant "Idle_Proc" and
procedure IDLE is invoiced in the Inner Traffic Controller.
2. IC_Await
The primary function of TC_AWAIT is tha determination of
whether some user specified event has occurred. If the
event has occured, control is returned to the caller. Oth-
erwise, the process is blocked and another process is sche-
duled. The input parameters to TC_AWAIT are a pointer to a
segment handle, an instance (event number! , and a user spe-
cified eventcount value. TC_AWAIT initially locks the Ac-
tive Process Table and obtains the current value of the ev-
entcount in question by calling procedure
MM_READ_EVENTCOUNT. The determination of event occurrence
is made by comparing the user specified eventcount value
with the current eventcount. If the user value is less than
or equal to the current eventcount, the awaited event has
occurred and control is returned to the caller. Otherwise,
the awaited event has net yet occurred and the process must
be blocked.
If the process is to be blocked, procedure RaNNING_VP is
invoked to ascertain the VP ID of the virtual processor
bound to the process. The process* ID (viz., APT entry num-
ber) is then read from the running list. The input parame-
- 227 -
ters to TC_AWAIT (viz.. Handle, Instance, and Value) are
then stored in the Event Data portion of the process* APT
entry. The process is removed from its associated ready
list by redirecting the appropriate linking threads (poin-
ters) . Once removed from the ready list, the process is
threaded into the blocked list and its state changed to
"blocked" by invocation of the library function LIST_INSSRT.
Procedure TC_GETWORK is then called to schedule another pro-
cess for the current virtual processor.
3 . TC Advance
The primary purpose of TC_ADVANCE is the broadcasting
of some event occurrence. This entails incrementing the ev-
entcount associated with the event, awakening all processes
that are waiting for the event, and insuring proper schedul-
ing order by generating any necessary virtual preempt inter-
rupts. The high level design algorithm for TC_ADVANCE is
provided in Figure 46. The input parameters to TC_ADVANCE
are a pointer to a segment's handle and an instance (event
number) . Initially, TC_ADVANCE locks the APT to prevent the
possibility of a race condition. The eventcount identified
by the input parameters is then incremented by calling
MM_ADVANCE. MM_ADVANCE returns the new value of the event-
count. Once the eventcount has been advanced, TC_ADVANCE
awakens all processes awaiting this event occurrence. This
is accomplished by checking all processes that are currently
- 228 -
in the blocked list. The process* HANDLE and INSTANCE en-
tries are compared with the handle and instance identifying
the current event. if they are the same, then the process
is awaiting some occurrence of the current event. In such a
case, the process 1 VALUE entry in the APT is compared with
the current value of the eventcount. if the process 1 VALUE
is less than or equal to the current eventcount value, the
awaited event has occurred and the process is removed from
the blocked list and threaded into the appropriate ready
list by the library function LIsr_INSERI.
Once the blocked list has been checked, it is necessary
to reevaluate each ready list to insure that the highest
priority processes are running. It is relatively simple to
determine if a virtual preempt interrupt is necessary, how-
ever, it is considerably more difficult to determine which
virtual processor should receive the virtual preempt. To
assist in this evaluation, a "count" variable (number of
preempts needed) is zeroed and a preempt vector is created
on the Kernel stack with an entry for every virtual proces-
sor associated with the logical CPU being evaluated. Ini-
tially, every entry in the preempt vector is marked "true"
indicating that its associated virtual processor is a candi-
date for preemption. Once the preempt vector is initial-
ized, the first "n" processes on the ready list (where n
equals the number of VP's associated with the current logi-
cal CPU) are checked for a determination of their state. If
- 229 -
TC_ADVANCE Procedure (HANDLE, INSTANCE)
Begia
! Get new eventcount !
COUNT := MM.ADVANCE (HANDLE, INSTANCE)
Call WAIT.LOCK (APT)
! Wake up processes !
PROCESS := BLOCKED_LIST_HEAD
Do while not end of BLOCKED.LIST
If (PROCESS. HANDLE = HANDLE) and
(PROCESS. INSTANCE = INSTANCE) and
(PROCESS. COUNT <= COUNT)
then
Call LIST.INSERT (READY LIST)
end if
PROCESS := PROCESS. NEXT_PROCESS
end do
! Check all ready lists for preempts I
L0GICAL_C?U_NO := 1
DO while LOGICAL.CPU.NO <= #NR_CPU
! Initialize preempt vector I
VP_ID := FIRST.VP (LOGIC AL.CPU.NO)
DO for LOOP := 1 to NR.VP (LOGICAL_CPU.NO
RUNNING_LIST[VP_ID]. PREEMPT := #TRUE
VP_ID := VP_ID 1
end do
I Find preempt candidates !
CANDIDATES :=
PROCESS := READY_LIST_HEAD (LOGICAL.CPU_N0)
Figure 46 : TC.ADVANCE Algorithm
- 230 -
VP_ID := FIRST_VP(LOGICAL_CPU_NO)
Do (for CYCLE - 1 to NR_VP(LOGICAL_CPU_N0) and
not end of READY_LIST (LOGICAL CPU_NO)
If PROCESS = #RUNNING
then
RONNING_LIST[VP_ID]. PREEMPT := #FALSE
else
CANDIDATES := CANDIDATES + 1
end if
VP_ID := VP_ID + 1
PROCESS := PROCESS. NEXT_PROCESS
end do
! Preempt appropriate candidates !
VP_ID := PIRST_VP(LGGICAL_CPU_NO)
DO for CHECK := 1 to NR_VP (LOGICAL_CPU_NO)




CANDIDATES := CANDIDATES - 1
end if
VP_ID := VP_ID 1
end do





Figure 46: TC_ADVANCE Algorithm (Continued)
- 231 -
a process is found to be "running" then it should not be
preempted as processes appear in the ready list in order of
priority. When a running process is found, its associated
entry in the preempt vector is marked "false." If a process
is encountered in the "ready" state then it should be run-
ning and the "count" variable is incremented. When the
first "n" processes have been checked or when we reach the
end of the current ready list (whichever comes first) , the
entries in the preempt vector are "popped" from the stack.
If an entry from the preempt vector is found to be "true",
this indicates that its associated virtual processor is a
candidate for preemption since it is either bound to a lover
priority process, or it is "idle." In such a case, the
"count" variable is evaluated to determine if the virtual
processor associated with the vector entry should be
preempted. If the count exceeds zero, a virtual preempt in-
terrupt is sent to the VP and the count is decremented.
Otherwise, no preempt is sent as there is no higher priority
process awaiting scheduling.
This preemption algorithm is completed for every ready
list in the Active Process Table. Once all ready lists have
been evaluated, the APT is unlocked and control is returned
to the caller. It is noted that it is not necessary to in-
voke TC_GETW03K before exiting ADVANCE. If the current VP
reguires rescheduling, it will have received a virtual
preempt interrupt from the preemption algorithm. If this
- 232 -
has occurred, the VP will be rescheduled when its running
process attempts to leave the Kernel domain and the virtual
preempt interrupts are unmasked.
* • yirtual_Preempt Handler
VlRTOAL_PREEMPT_HANDLER is the interrupt handler for
virtual preempt interrupts. The entry address of
VIRTOAL_PREEMPT_HANDLER is maintained in the virtual inter-
rupt vector located in the Inner Traffic Controller. 3nce
invoked, the handler locks the Active Process Table and det-
ermines which virtual processor is being preempted by call-
ing RUNNIMG_VP. The process running on the preempted VP is
then set to the "ready" state and TC_GETHORK is invoked to
reschedule the virtual processor. Hhen TC_GETWORK returns
to VIRTUAL_PREEMPT_HANDLER, the APT is unlocked and a virtu-
al interrupt return is executed. This return is simply a
jump to the point in the hardware preempt handler where the
virtual interrupts are unmasked. This effects a virtual in-
terrupt return instruction.
5. R§aaiaing Proce dures
The remaining two procedures in the Traffic Controller
module represent the extended instructions: PROCESS_CLASS
and GET_DBP._NUMBER. Both procedures lock the Active Process
Table and call RUNNING_VP to determine which virtual proces-
sor is executing the current process. The process ID (viz.,
- 233 -
APT entry Number) is then extracted from the running list.
PROCESS_CLASS reads and returns the current process 1 securi-
ty access classification from the APT. GET_DBR_NUMBER reads
and returns the current process 1 DBS handle. It should be
noted that in general the DBH number provided by procedure
GET_DBR_NUMBER is only valid while the APT is locked. Par-
ticularly, in the current SASS implementation, the Segment
Manager invokes GET_DBR_NDMBER and then passes the obtained
DBR number to the Distributed Memory Manager for utilization
at that level. In a more general situation, the process as-
sociated with the DBR number may have been unloaded before
the DBR number was utilized, thus making it invalid. This
problem does not arise in SASS as all processes remain load-
ed for the life of the system.
C. DISTRIBUTED SEM.ORJ MANAGER MODULE
The Distributed Memory Manager module provides an inter-
face between the Segment Manager and the Memory Manager pro-
cess, manipulates event data in the Global Active Segment
Table (G_AST) , and dynamically allocates available memory.
A detailed description of the Distributed Memory Manager in-
terface to the Memory Manager process was presented by Wells
[20]. The remaining extended instruction set is discussed
in detail below. The complete PLZ/ASM source listings for
the Distributed Memory Manager module is provided in Appen-
dix C.
- 234 -
1 • £H_Read_Eventco ant
MM_READ_EVENTCOUNT is invoked by the Event Manager and
the Traffic Controller to obtain the current value of the
eventcount associated with a particular event. The input
parameters to this procedure are a segment handle pointer
and an instance (event Number) , which together uniguely
identify a particular event.
The G_AST is locked and the entry offset of the segment
into the G_AST is obtained from the segment's handle. The
instance parameter is then validated to determine which ev-
entcount is to be read. If an invalid instance is speci-
fied, control is returned to the caller specifying an error
condition. Otherwise, the current value of the specified
eventcount is read. The G_AST is then unlocked, and the
current eventcount value is returned to the caller.
2. M£_Advance
MM_ADVANCE is invoked by the Traffic Controller to re-
flect the occurrence of some event. The input parameters to
HM_ADVANCE are a pointer to a segment 1 s handle and a parti-
cular instance (event number)
.
The Global Active Segment Table is locked to prevent a
race condition,. and the offset of the segment's entry into
the G_AST is obtained from the segment handle. The instance
parameter is then validated to determine which eventccunt is
to be advanced. If an invalid instance is specified, an er-
- 235 -
cor condition is returned to the caller and no data entries
are affected. If the instance value is valid, the appropri-
ate eventcount is incremented, and its new value is re-
turned.
3 . M5_£icket
MM_TICKET is invoked by the Event Manager to obtain the
current value of the sequencer associated with a specified
segment. The input parameter to MM_TICKET is a pointer to a
segments handle.
Initially, MM_TICKET locks the Global Active Segment Ta-
ble to prevent a race condition. Next the offset of the
segment 1 s entry into the G_AST is obtained from the segment
handle. The current value of the sequencer for the speci-
fied segment is then read and saved as a return parameter to
the caller. The sequencer value is then incremented in an-
ticipation of the next ticket request. 3nce this is com-
plete, the G_AST is unlocked and control is returned to the
caller.
*• MSJUlocate
The MM_ALLOCATE procedure provided in this implementa-
tion is a stub of the MM_ALLOCATE described in the Memory
Manager design of Moore and Gary [5]. The primary function
of MM_ALLOCATE is the dynamic allocation of fixed size
olocks of available memory space. It is invoked in the cur-
- 236 -
rent implementation by the initialization routines in
BOOTSTRAP.LOADER and TC_INIT for the allocation of memory
space used in the creation of the Kernel domain and Supervi-
sor domain stack segments and the creation of the Known Seg-
ment Tables for user processes. Dynamic reallocation of
previously used memory space (viz., garbage collection) is
not provided by the MM_ALLOCATE stub in this implementation,
all memory allocation required in this implementation is for
segments supporting system processes that remain active, and
thus allocated, for the entire life of the system. Memory
is allocated in blocks of 256 (decimal) bytes of processor
local memory (on-board RAM) . In this stub allocatable memo-
ry is declared at compile time by a data structure
(MEM_POOL) that is accessible only by MM.ALLOCATE.
The input parameter to MM_ALLOCATE is the number of
blocks of requested memory. This parameter is converted
from a block size to the actual number of bytes requested.
This computation is made simple since memory is allocated in
powers of two. The byte s:.ze is obtained by logically
shifting left the input parameter eight times, where eight
is the power of two desired (viz., 256). Once the size of
the requested memory is computed, it is necessary to deter-
mine the starting address of the memory block (s) to be allo-
cated. To assist in this computation, a variable
(NEXT_BLOCK) is used to keep track of the next available
block of memory in MEM_POOL. NEXT_BLOCK, which is initial-
- 237 -
ized as zero, provides the offset into the memory being al-
located. Once the starting address is obtained, the physi-
cal size of the memory allocated is added to NEXT_BLOCK so
that the next request for memory allocation will begin at
the next free byte of memory in MEM_POOL. This new value of
MEXT_BLOCK is saved and the starting address of the memory
for this request is returned to the caller.
D. GATE KEEPER MODULES
The 5ASS Gate Keeper provides the logical boundary bet-
ween the Supervisor and the Kernel and isolates the Kernel
from the system users, thus making it tamper proof. This is
accomplished by means of the hardware system/normal mode and
the software ring-crossing mechanism provided by the Gate
Keeper. The Gate Keeper is comprised of two separate mo-
dules: 1) the USER_GATE module, and 2) the
KERNEL_GATE_KEEPER module. These modules are disjoint, with
the asER_GATE module residing in the Supervisor domain and
the KERNEL_GATE_KEEPER module residing in the Kernel domain.
It is important to note that the USER_GATE is a separately
linked component in the Supervisor domain and is not linked
to the Kernel. The only thing in common between these two
modules is a set of constants identifying the valid extended
instruction set which the Kernel provides to the users.
The Gate Keeper modules presented in this implementation
are only stubs as they do not provide all of the functions
- 238 -
required of the Gate Keeper. However, the only task not
provided in this implementation is the validation of parame-
ters passed from the Supervisor to the Kernel. A detailed
description of this parameter validation design is provided
by Coleman [2]. In the process management demonstration,
the Supervisor stabs are written in PLZ/ASM with all parame-
ters passed by CPO registers. A detailed description of the
Gate Keeper modules and the nature of their interfaces is
presented below. The PLZ/ASM source listings for the two
Gate Keeper modules are provided in Appendix D.
1 • 5§er_Gate Module
The OSER_GATE module provides the interface structure
between the user processes in the Supervisor domain and the
Kernel. The QSER_GATE is comprised of ten procedures (viz.,
entry points) that correlate on a one to one basis with the
ten "user visible" extended instructions (listed in Figure
10) provided by the Kernel. The only action performed by
each of these procedures is the execution of the "system
call" instruction (SC) with a constant value, identifying
the particular extended instruction invoiced, as the source
operand.
The SC instruction is a system trap that forces the
hardware into the system mode (Kernel domain) and loads re-
gister 15 with the system stack pointer (Kernel domain
stack} . The current instruction counter value (IC) is
- 239 -
pushed onto the Kernel stack along with the current CPU flag
control word (FCW) . In addition, the system trap instruc-
tion is pushed onto the Kernel stack with The upper byte
representing the SC instruction and the lower byte repre-
senting the SC instruction's source operand (viz., the Ker-
nel extended instruction code) . Together, these operations
form an interrupt return (IBET) frame as illustrated in Fig-
ure 44. Once this is complete, the FCW is loaded with the
FCW value found in the System Call frame of the Program Sta-
tus Area (viz. , the hardware "interrupt vector") . The
structure of the Program Status Area is illustrated in Fig-
ure 47. The instruction counter is then loaded with the ad-
dress of the SC instruction trap handler. This value is








































* NOTE: Offsets represent Program Status Area structure
for non-segmented Z8002 microprocessor.
Figure 47: Program Status Area
- 241 -
2. Kernel Gate Kee per Module
The system trap handler for the System Call instruction
is the KERNEL_GATE_KEEPER. The address of the
KERNEL_3ATE_KEEPER and the Kernel FCH value are placed in
the System Call frame of the Program Status Area by the
BOOTSTRAP_LOADER module during initialization. The
KERNEL_GATE_KEEPER fetches the extended instruction code
from the trap instruction entry in the IRET frame on the
Kernel stack. This value is then decoded by a "case" state-
ment to determine which extended instruction is to be exe-
cuted. If the extended instruction code is valid, the ap-
propriate Kernel procedure is invoked. Otherwise, an error
condition is set and no Kernel procedures are not invoiced.
Once control returns to the KERNEL_GATE_KEEPER, the CPO re-
gisters and normal stack pointer (NSP) value are pushed onto
the Kernel stack in preparation for return to the Supervisor
domain. It is noted that this operation would normally oc-
cur immediately upon entry into the KERNEL_GATE_KEEPER. In
this implementation, however, parameter validation is not
accomplished and the CPU registers are used to pass parame-
ters to and from the Kernel only for use by the process man-
agement demonstration. In an actual SASS environment, all
parameters would be passed in a separate argument list and
the CPO registers would appear exactly the same upon leaving
the Kernel as they did upon entering the Kernel. This is
- 242 -
important :o insure that no data or information is leaked
from the Kernel by means of the CPU registers.
Control is returned to the Supervisor by means of the
return mechanism in the hardware preempt handler. This me-
chanism is utilized to preclude the necessity of building a
separate mechanism for the KERNEL_GATE_KEEPER that would ac-
tually perform the very same function. To accomplish this #
the KERNEL_GATE_KEEPER executes an unconditional jump to the
PREEMPT_RET label in PHYS_PREEMPT__HANDLER. This "jump" to
the hardware preempt handler represents a "virtual IRET" in-
struction providing the same function as the virtual inter-
rupt return described in the discussion of the virtual
preempt handler. At this point, the virtual preempt inter-
rupts are unmasked, the normal stack pointer and CPU regis-
ters are restored from the stack, and control is returned to
the Supervisor by execution of the IRET instruction.
E. SUMMARY
The implementation of process management functions for
the SASS has been presented in this chapter. The implemen-
tation was discussed in terms of the Event Manager, Traffic





The implementation of process management for the securi-
ty Kernel of a secure archival storage system has been pre-
sented. The process management functions presented provide
a logical and efficient means of process creation, control,
and scheduling. In addition, a simple but effective mechan-
ism for inter-process communication, based on the eventcount
and seguencer primitives, was created. tforlc was also com-
pleted in the area of Kernel database initialization and a
Gate Keeper stub to allow for dual domain operation.
The design for this implementation was based on the Zi-
log Z8001 sixteen bit segmented microprocessor [22] used in
conjunction with the Zilog Z80 10 Memory Management Unit
[23]. The actual implementation of process management for
the SASS was conducted on the Advanced Micro Computers
Am96/41i6 MonoBoard Computer [1] featuring the AmZ8002 six-
teen bit non-segmented microprocessor. Segmentation hard-
ware was simulated by a software Memory Management Unit Im-
age.
This implementation was effected specifically to support
the Secure Archival Storage System (SASS) [17]. However,
the implementation is based on a family of Operating Systems
- 244 -
[7] designed with a primary goal of providing multilevel in-
formation security. The loop free modular design utilized
in this implementation easily facilitates any reguired ex-
pansion or modification for other family members. In addi-
tion, this implementation fully supports a multiprocessor
design. While the process management implementation appears
to perform correctly, it has not been subjected to a formal
test plan. Such a test plan should be developed and imple-
mented before kernel verification is begun.
A. FOLLOW ON WORK
There are several possible areas in the SASS design that
would be immediately suitable for continued research. In
the area of hardware, this includes, the establishment of a
multiprocessor environment, hardware initialization, and in-
terfacing to the host computers and secondary storage.
Further work in the Kernel includes the actual implementa-
tion of the memory manager process, and the refinement of
the Gate Keeper and Kernel intialization structures. The
implementation of the Supervisor has not been addressed to
date. Its areas of research include the implementation of
the File Manager and Input/Output processes, and the final
design and implementation of the SASS-Hosts protocols.
Other areas that could also prove interesting in rela-
tion to the SASS include the implementation of dynamic memo-
ry management, the support of multilevel hosts, dynamic pro-
- 245 -
cess creation and deletion, and the provision of















ACCESS_CLASS_NOT EQ : = 33
ACCESSJZLASS NOT GE := 41
KST_SEG NO ;:= 2
NR_OF_KSEGS := 10
MAX_NO_KST_ENTRIES ; = 54























! NOTE: THIS SECTION IS AN "OVERLAP
OR "FRAME" OSED TO DEFINE THE
FORMAT OF THE KST. NO STORAGE IS
ASSIGNED BUT RATHER THE KST IS
STORED IN A SEPARATELY OBTAINED
AREA. (A SEGMENT SET ASIDE FOR IT)!
SABS

























* READS SPECIFIED EVENTCOUNT *




* R1: SEGMENT t *
* R2: INSTANCE *
******************************
* RETURNS: *
* RO: SUCCESS CODE *
* RR4: EVENTCOUNT *
******************************!
ENTRY
! SAVE INSTANCE !
PUSH dR15, R2
! "READ" ACCESS REQUIRED !
LD R2, #READ_ACCESS
! GET SEG HANDLE & VERIFY ACCESS !
























* RETURNS CURRENT VALUE OF *
* TICKET TO CALLER AND INCRE- *
* MENTS SEQUENCER FOR NEXT *
* TICKET OPERATION *
*******************************
* PARAMETERS: *
* R1: SEGMENT # *
*******************************
* RETURNS: *
* R0: SUCCESS CODE *
* RR4: TICKET VALUE *
*******************************!
ENTRY
! GET SEG HANDLE S VERIFY ACCESS !
! "WRITE" ACCESS REQUIRED 2
0020 2102 LD R2, #WEITE_ACCESS
0022 0000






0028 0B00 CP RO, #SUCCEEDED
002A 0002
IF EQ ! ACCESS PERMITTED!
002C 5E0E THEN ! GET TICKET !
002E 0038'




! RSTORE SUCCESS CODE !







* CURRENT EVENTCOUNT VALUE IS *
* COMPARED TO USER SPECIFIED *
* VALUE. IF USER VALUE IS *
* GREATER THAN CURRENT EVENT- *
* COUNT VALUE THEN PROCESS IS *
* "BLOCKED" UNTIL THE DESIRED *
* EVENT OCCURS. *
*******************************
* PARAMETERS: *
* R1: SEGMENT # *
* R2: INSTANCE (EVENT #) *
* RR4: SPECIFIED VALUE *
**************************** ***
* RETURNS: *
* RO: SUCCESS CODE *
* ********************** * *******
j
ENTRY
! SAVE DESIRED EVENTCOUNT VALUE !
003A 91F4 PUSHL 3R15, RR4
! SAVE INSTANCE !
003C 93F2 PUSH 3R15, R2
! "READ" ACCESS REQUIRED !
003E 2102 LD R2, #READ_ACCESS
0040 0001
! GET SEG HANDLE & VERIFY ACCESS !







0046 0B00 CP RO, #SUCCEEDED
0048 0002
IF EQ ! ACCESS PERMUTED i
004A 5E0E THEN ! AWAIT EVENT OCCURRENCE i
034C 005A 1
! RESTORE INSTANCE !
004E 97F2 POP R2 r 3R15
! RESTORE SPECIFIED VALUE !
0050 95F4 POPL RR4, 3R15






















* SIGNALS THE OCCURRENCE OF *
* SOME EVENT. EVENTCOUNT IS *
* INCREMENTED AND THE TRAFFIC *
* CONTROLLER IS INVOKED TO *
* AWAKEN ANY PROCESS AWAITING *
* THE OCCURRENCE. *
*******************************
* PARAMETERS: *
* R1: SEGMENT # *
* R2: INSTANCE (EVENT *) *
*******************************
* RETURNS: *
* RO: SUCCESS CODE *
********************************
ENTRY
! SAVE INSTANCE !
0060 93F2 PUSH 3R15, R2
! GET SEG HANDLE & VERIFY ACCESS i
! "WRITE" ACCESS REQUIRED i
0062 2102 LD R2, #WRITE_ACCESS
0064 0000






006A 0B00 CP RO, #SUCCEEDED
006C 0002
I? EQ ! ACCESS PERMITTED !
006E 5E0E THEN ! ADVANCED EVENTCOUNT I
0070 007C»
! RESTORE INSTANCE !
0072 97P2 POP R2, o>R15





0078 5E08 ELSE ! RESTORE STACK!
007A 007E*








t ******************************* V***«* V *
* CONVERTS SEGMENT NUMBER TO KST INDEX*
* AND EXTRACTS SEGMENT'S HANDLE FROM *
* KST. IF SUCCESSFUL, THEN ACCESS *
* CLASS OF SUBJECT IS CHECKED AGAINST *
* ACCESS CLASS OF OBJECT TO INSURE *
* THAT ACCESS IS PERMITTED. *
*** ** *** ****** ********* ********** *** * **
* PARAMETERS: *
* ,R1: SEGMENT NUMBER *
* R2: ACCESS REQUESTED *
*************************** XXV*** ******
* RETURNS: *
* RO: SUCCESS CODE *
* R1: HANDLE POINTER *
***************************************;
ENTRY
! SAVE REQUESTED ACCESS !
0000 93F2 PUSH 3R15, R2
! GET SEGMENT HANDLE !






C006 0B00 CP RO, #SUCCEEDED
C008 0002
IF EQ ! SEGMENT IS KNOWN !
COOA 5S0E THEN ! VERIFY ACCESS !
000C 005E'
! SAVE HANDLE 5 CLASS PTR !
000E 91F4 PUSHL 3R15, RR4
I GET SUBJECT'S SAC !
00 10 5F00 CALL PROCESS_CLASS ! RETURNS:
0012 0000*
RR2:PROC CLASSI
! RETRIEVE SEG CLASS POINTER !
0014 95F0 POPL RRO, a)R15
! GET SEGMENT'S CLASS !
0016 1414 LDL RR4, d)R1
• RETRIEVE REQUESTED ACCESS J
0018 97F1 POP R1 , dR15
! SAVE HANDLE POINTER •
001A 93F0 PUSH 3R 1 5 , RO
! CHECK ACCESS CLEARANCE !
001C 0301 CP R1, #WRITE_ACCESS
001E 0000









0028 0B01 CP R1, #FALSE
002A 0000
IP EQ ! ACCESS NOT PERMITTED!
002C 5S0E THEN
002E 0038«
0030 2100 LD RQ, #ACCESS CLASS NOT EQ
0032 0021
0034 5E08 ELSE !ACCESS PERMITTED!
0036 003C 1
0038 2100 LD RO, *SUCCEEDED
003A 0002
PI
003C 5E08 ELSE ! READ ACCESS REQUESTED !
003E 0058»





0044 0B01 CP R1, #FALSE
0046 0000
IF EQ 'ACCESS NOT PERMITTED!
0048 5E0E THEN
004A 0054'
004C 2100 LD RQ, #ACCESS_CLASS_NOT_GE
004E 0029
0050 5E08 ELSE !ACCESS PERMITTED!
0052 0058*




! RETRIEVE HANDLE POINTER !
0058 97F1 POP R1, 3R15
005A 5E08 ELSE
005C 0060*
! RESTORE STACK !







* CONVERTS SEGMENT NUMBER TO *
* KST INDEX AND DETERMINES IF *
* SEGMENT IS KNOWN. IF KNOWN *
* POINTER TO SEGMENT HANDLE *
* AND POINTER TO SEGMENT CLASS*
* ARE RETURNED. *
*******************************
* PARAMETERS: *
* R1: SEGMENT NUMBER *
*******************************
* RETURNS: *
* R0: SUCCESS CODE *
* R4: HANDLE POINTER *




• CONVERT SEGMENT # TO KST INDEX # !
0062 0301 SUB EM, #NR_OF_KSEGS
0064 000A
! VERIFY KST INDEX !
0066 2100 LD RO, #SUCCEEDED
0068 0002
006A 0B01 CP R1, #0
006C 0000
IF LE ! INDEX NEGATIVE!
006E 5E0A THEN
0070 007A'
0072 2100 LD RO, #SEGMENT NOT_KNOWN
0074 001C
0076 5S08 ELSE I INDEX POSITIVE!
0078 0086*
007A 0B01 CP R1, *MAX NO KST ENTRIES
007C 0036
IF GT ! EXCEEDS MAXIMUM INDEX!
007E 5E02 THEN 'INVALID INDEX!
0080 0086*




0086 0B00 CP RO, #SUCCEEDED
0088 0002
IF EQ ! INDEX VALID!
008A 5E0E THEN
008C OOBE 1
! SAVE KST INDEX !
008E 93F1 PUSH a)R15, R1
! GET KST ADDRESS !
0090 2101 LD S1, #KST SEG NO
0092 0002





! RETRIEVE KST INDEX * !
0098 97F3 POP R3, SR15
! CONVERT KST INDEX # TO KST OFFSET !
009A 1902 MULT RR2, tSIZEOF KST_REC
009C 0010
! COMPOTE KST ENTRY ADDRESS !
009E 8103 ADD R3, RO
! SEE IF SEGMENT IS KNOWN !
OOAO 4D31 CP KST.M_SEG_NO (R3) , #NOT_KNOHN
00A2 000E
00A4 OOFF
IF EQ ISEGMENT NOT KNOWN!
00A6 5E0E THEN
00A8 00B2«
OOAA 2100 LD RO, #SEGMENT_NOT_KNOWN
OOAC 001C
OOAE 5E08 ELSE ISEGMENT KNOWN!
00B0 OOBE*
00B2 2100 LD RO, tSUCCEEDED
00B4 0002
! GET HANDLE POINTER !
0OB6 7634 LDA R4, KST. MM_HANDLE (R3)
00B8 0000
! GET CLASS POINTER !
















































































RUN_ARRAY ARRAY[VP_NR AP_PTR ]














































! THESE VARIABLES ARE USED DURING TC
INITIALIZATION TO SPECIF* AVAILABLE
ENTRIES IN THE APT, AND ARE INITIAL-





!NOTE: USED AS OVERLAY ONLY!
0000 ARG_LIST RECORD










INOTE: USED AS STACK FRAME FOR














!THE FOLLOWING DECLARATION IS UTILIZED
AS A STACK FRAME FOR STORAGE OF
- 260 -














!NOTE: KST DECLARATION IS USED HERE
TO SUPPORT KST INITIALIZATION FOR
THIS DEMONSTRATION ONLY. THIS
DECLARATION AND INITIALIZATION
SHOULD EXIST AT THE SEGMENT MANAGER
LEVEL AND THUS SHOULD BE REMOVED










* PROVIDES GENERAL MANAGE- *
* MENT OF USER PROCESSES BY *
* EFFECTING PROCESS SCHEDO- *
* LING ON VIRTUAL PROCESSORS*
******************* **********
* PARAMETERS: *
* R1: CURRENT VP ID *
* R3: LOGICAL CPU # *
*****************************
* LOCAL VARIABLES: *
* R2: NEXT READY PROCESS *





























































! FIND FIRST READY PROCESS I
LD R2, APT.READY_LIST(R3)
GET READY_AP:
DO ~! WHILE NOT (END OF LIST OR READY)!
CP R2, #NIL
IF EQ !NO READY PROCESS! THEN
EXIT FROM GET_READY_AP
FI
CP APT. AP. STATE (R2) , #READY
IF EQ I PROCESS READY! THEN
EXIT FROM GET_READY_AP
FI
! GET NEXT AP FROM LIST !




IF EQ 2 IF NO PROCESSES READY ! THEN
! LOAD IDLE PROCESS !


















! LOAD FIRST READY AP !
LD APT.RUNNING_LIST (R1) , R2
LD APT. AP. STATE (R2) , #RUNNING
LD APT. AP. VP_ID(R2) , R1














* LOADS FIRST READY AP *




!** CALL «AIT_LOCK (APT-.LOCK) **!
!** RETURNS WHEN PROCESS HAS LOCKED APT **!
LDA R4, APT. LOCK
CALL K_LOCK




! GET AP !
LD R2, APT.RUNNING_LIST(R1)
• IF NOT AN IDLE PROCESS, SET IT TO READY !
CP R2, #IDLE_PROC
IF NE ! NOT IDLE 1 THEN
LD APT.AP.STATE(R2) , #READY
FI
! LOAD FIRST READY PROCESS !
0072 5F00 CALL TC GETWORK !R1:VP ID
0074 0000'
R3:CPU #!
!NOTE: THIS IS THE INITIAL POINT OF
EXECUTION FOR USER PROCESSES.!
VIRT_PREEMPT RETURN:
»**~CALL UNLOCK (APT-. LOCK) **!
!** RETURNS WHEN PROCESS HAS UNLOCKED APT **!
!** AND ADVANCED ON THIS EVENT **!
0076 7604 LDA R4, APT. LOCK
0078 0000*
007A 5F00 CALL K_UNLOCK
007C 0000*
• PERFORM A VIRTUAL INTERRUPT RETURN !
!NOTE: THIS JUMP EFFECTS A VIRTUAL
IRET INSTRUCTION.
!


















* INITIALIZES APT HEADER *
* AND VIRTUAL INT VECTOR *
*****************************
* PARAMETERS: *
* HI: CPU_ID *
* R2: NR_VP *
*****************************{
ENTRY
! NOTE: THE NEXT FOUR VALUES ARE






NOTE: THE FOLLOWING CODE IS INCLUDED
ONLY FOR SIMULATION OF A MULTIPROCESSOR
ENVIRONMENT. THIS IS TO INSURE THAT THE
READY LIST(S) AND VP DATA OF THE SIMULATED
CPU(S) ARE PROPERLY INITIALIZED. IN AN
ACTUAL MULTIPROCESSOR ENVIRONMENT, THIS






























! INITIALIZE READY_LISTS AS EMPTY I
LD APT.READY_LIST(R4) , #NIL
INITIALLY MARK ALL LOGICAL CPU 1 S
AS HAVING 1 VP. THIS IS NECESSARY
TO INSURE TC_ADVANCE WILL FUNCTION
PROPERLY, AS"lT EXPECTS EVERY CPU
- 266 -
TO HAVE AT LEAST 1 VP. !
002C 4D45 LD APT.VP.NR VP(R4), #1
002E 0010*
0030 0001
0032 A941 INC R4, #2
0034 E8F2 OD
! END MULTIPROCESSOR SIMULATION CODE.
A*************************************;
0036 6F12 LD APT.VP.NR VP(R1), R2
0038 0010*
003A 6103 LD R3 , NEXT VP
003C 00A0»
003E 6F13 LD APT. VP. FIRST (R1 ) , R3
0040 0014»
! RECOMPUTE NEXT_VP VALUE FOR TC
INITIALIZATION OF NEXT LOGICAL
CPU. !
0042 A125 LD R5 , R2
0044 1904 MULT RR4, #2
0046 0002
0048 8153 ADD R3, R5
004A 6F03 LD NEXT_VP, R3
004C 00A0'
! INITIALIZE RUNNING LIST !
004E 6113 LD R3, APT. VP. FIRST (R 1)
0050 0014"
DO
0052 0B02 CP R2, #0
0054 0000




005E 4D35 LD APT. RUNNING_LIST (R3) , #IDLE_PROC
0060 0002 1
0062 DDDD
0064 A931 INC R3, #2
0066 AB20 DEC R2, #1
0068 E8F4 OD
006A 4D15 LD APT.READY_LIST (R1 ) , #NIL
006C 0006'
006E FFFF
0070 2101 LD R1 , #0
0072 0000
• ENTRY ADDRESS !
0074 7602 LDA R2 , VIRTUAL_PfiEEMPT_HANDLEE
0076 0054'









* CREATES USER PROCESS *



































!NOTE: THIS PROCEDURE IS A STUB TO ALLOW
PROCESS INITIALIZATION FOE THIS
DEMONSTRATION.!
• ESTABLISH STACK FRAME FOR LOCAL
VARIABLES. !
SUB R15, #SIZEOF CREATE
! STORE INPUT ARGUMENT POINTER !
LD CREATE. ARG_PTR (R15) , R14
! LOCK APT !
LDA R4, APT. LOCK
CALL K_LOCK
! RETURNS WHEN APT IS LOCKED !
! CREATE MMU ENTRY FOR PROCESS i
CALL ALLOCATE_MMU ! RETURNS:
RO: DBR #»
! GET NEXT AVAILABLE ENTRY IN APT !
LD R1, APT_ENTRY
! COMPUTE APT OFFSET !
LD R2, #SIZEOF AP_TABLE
ADD R2, R1
! SAVE NEXT AVAILABLE APT ENTRY !
LD APT_ENTRY, R2
! CREATE APT ENTRY FOR PROCESS !
LD APT. AP. NEXT_AP (R1) , #NIL
LD APT. AP. DBR(R1) , RO
! GET PROCESS CLASS I
LDL RR2, ARG_LIST. SAC1 (R14)
LDL APT. AP.SAC (R1) , RR2
! GET PROCESS PRIORITY !
LD R2, ARG_LIST.PRI1 (R14)
- 268 -
00B4 0022
00B6 6F12 LD APT. AP. PRI (R1)
, R2
00B8 0028'
! GET LOGICAL CPO # !
OOBA 61E2 LD R2, ARG_LIST.CPU ID(R14)
OOBC 001C
OOBE 6F12 LD APT. AP. AFFINITY (R1) , R2
OOCO 002C
ITHREAD IN LIST AND MAKE READY!
00C2 7623 LDA R3 r APT. READY LIST(R2)
00C4 0006*
00C6 7604 LDA R4, APT. AP. NEXT AP
00C8 0020'
OOCA 7605 LDA R5, APT. AP. PRI
OOCC 0028*
OOCE 7606 LDA R6 , APT. AP. STATE
OODO 002A»
00D2 2107 LD R7, #READY
00D4 0001
00D6 AD21 EX R1, R2
! SAVE DBR # !
00D8 6FF0 LD CREATE. DBR NUM(R15), RO
OODA 0002
OODC 5F00 CALL LIST_INSERT
OODE 0000*
! R2: OBJ ID
R3: LIST HEAD PTR




! ONLOCK APT !
OOEO 7604 LDA R4, APT. LOCK
00E2 0000*
00E4 5F00 CALL K UNLOCK
00E6 0000*
!CREATE USER STACK!
! RESTORE ARGUMENT POINTER !
00E8 61FE LD R14, CREATE. ARG_PTR(R15)
OOEA 0000
OOEC 61E3 LD S3, ARG_LIST .USR_STK (R14)
OOEE 0024
! SAVE LIMITS !
OOFO 6FP3 LD CREATE. LIMITS (R1 5) , R3
00F2 0004




.'COMPUTE & SAVE NSP!
00F8 A128 LD R8, R2
! ESTABLISH INITIAL SP VALUE
FOR USER STACK. !
OOFA 0108 ADD R8, #STK_OFFSET
- 269 -
OOFC OOFF
OOFE 6FF8 LD CREATE. N_S_P (R 15) , R8
0100 0008
! RESTORE LIMITS !
0102 61F4 LD R4, CREATE. LIMITS (R15)
104 000'4
0106 AB40 DEC R4 !SEG LIMITS!
! RESTORE DBR !
0108 61F0 LD RO, CREATE. DBRJJUM (R 1 5)
010A 0002
010C 2101 LD R1, #USER_STACK
010E 0003
0110 2103 LD R3, #WRITE IATTRIBUIE!
0112 0000








! RESTORE ARGUMENT POINTER i
0118 61FE LD R14, CREATE. ARG_PTR (R15)
011A 0000
01 1C 61E3 LD R3, ARG LIST.KER STK(R14)
011E 0026





! RESTORE DBR # !
0124 61F0 LD RO, CREATE. DBR NUM(R15)
0126 0002
0128 2101 LD R1, #KERNEL STACK
012A 0001
012C A134 LD R4, R3
012E AB40 DEC R4
0130 2103 LD R3, #HRITE
0132 0000
! SAVE START ADDRESS !
0134 6FF2 LD CREATE. SEG ADDR(R15), R2
0136 0006








! RESTORE ARGUMENT POINTER !
013C 61FE LD Rl4 r CREATE. ARG_PTR (R1 5)
- 270 -
013E 0000
! RESTORE STACK ADDRESS !
0140 61F1 LD R1, CREATE. SEG ADDR(R15)
0142 0006
0144 2103 LD R3 , #USER FCW
146 1800
0148 61E4 LD R4, ARG LIST.IC(R14)
014A 001A
! RESTORE INITIAL NS P !
014C 61F5 LD R5, CREATE. N_S P(R15)
014E 0008
0150 7606 LDA R6, VIRT PREEMPT RETURN
0152 0076*
0154 030F SUB R15, #8
0156 0008
0158 1CF9 LDM SR15, R3, #4
015A 0303
! LOAD ARGUMENT POINTER FOR
CREATE STACK CALL !
015C A1F0 LD RO, R15
015E 93P1 POSH 3R15, R1
0160 A1E1 LD R1, R14
! LOAD INITIAL REGISTER VALUES TO
BE PASSED TO USER PROCESS AS
INITIAL PARAMETERS. !
0162 5C11 LDM R2 f ARG_LIST.REG (R1) , #13
0164 020C
0166 0000
0168 97F1 POP R1, 3R15
16A 5F00 CALL CREATE STACK
016C 0000*
! BO: ARGUMENT PTR
R1: TOP OF STACK
R2-R14: INITIAL
REG STATES!
!NOTE: THE ABOVE INITIAL REG STATES
REPRESENT THE INITIAL PARAMETERS
(VIZ., REGISTER CONTENTS) THAT A
USER PROCESS WILL RECEIVE UPON
INITIAL EXECUTION. J
016E 010F ADD R15, #8 'OVERLAY PARAMETERS!
0170 0008
! ALLOCATE KST !
0172 2103 LD R3, #K3T_LIMIT
0174 0001




! RESTORE DBR !
017A 61F0 LD RO, CREATE. DBR SUM (R15)
017C 0002
! SAVE KST ADDRESS I
017E 6FF2 LD CREATE. SEG_ADDR (R15) , R2
- 271 -
0180 0006
•MAKE MMO ENTRY FOR KST SEG!
0182 2101 LD R1, #KST_SEG
0184 0002
0186 2103 LD R3, #WRITE 1ATTRIBUTE!
0188 0000
018A 2104 LD R4, #KST_LIMIT-1
18C 0000
018E 5F00 CALL UPDATE_MKU_IMAGE
0190 0000+





! RESTORE KST ADDRESS !




I CREATE INITIAL KST STUB !
CALL CREATE KST !R2:KST ADDR!
! REMOVE TEMPORARY VARIABLE
STACK FRAME. !
019A 010F ADD R15, #SIZEOF CREATE
019C 000A
019E 9E08 RET




* CREATES KST STUB FOR *
* PROCESS MANAGEMENT *
* DEMO. INSERTS ROOT *
* ENTRY IN KST. NOT *








!NOTE: THIS PROCEDURE IS A STUB USED
FOR INITIALIZATION IN THIS IMPLEMENTATION
ONLY. THE ACTUAL INITIALIZATION CODE
FOR THE KST HILL RESIDE AT THE SEGMENT
MANAGER LEVEL ONCE IMPLEMENTATION OF
SYSTEM INITIALIZATION IS EFFECTED. !
! CREATE ROOT ENTRY IN KST !
0U0 1406 LDL RR6, #-1 !ROOT HANDLE!
01A2 FFFF
01A4 FFFF
01A6 5D26 LDL KST. MM_HANDLE (R2) , RR6
01A8 0000
!SET ROOT ENTRY # IN G_AST !
01AA 4D25 LD KST. MM_HANDLE[ 2] (R2) , #0
01AC 0004
01AE 0000
! SET ROOT CLASSIFICATION !
01B0 1406 LDL RR6 r #SYSTEM_LOH
01B2 0000
01B4 0000
0136 5D26 LDL KST. CLASS (R2) , RR6
01B8 000A
!SET MENTOR SEG #!
01BA 4C25 LDB KST. M_SEG_NO (R2) , #0
01BC 000E
01BE 0000
UNITIALIZE FREE KST ENTRIES
FOR DEMO. NOT FULL KST!
01C0 2101 LD R1, #10
01C2 000A
DO
01C4 0B01 CP R1, #0
01C6 0000




























* EVENTCOUNT IS ADVANCED BY *
* INVOCATION OF MM ADVANCE. *
* PROCESSES THAT ARE AWAITING *
* THIS EVENT OCCURRENCE ARE *
* REMOVED FROM THE BLOCKED LIST*
* AND MADE READY. THE READY *
* LISTS ARE THEN CHECKED TO *
* INSURE PROPER SHEDULING IS *
* EFFECTED. IF NECESSARY VIR- *
* TUAL PREEMPTS ARE SENT TO ALL*
* THOSE VP«S BOUND TO LOWER *
* PRIORITY PROCESSES. *
********************************
* PARAMETERS: *
* R1: HANDLE POINTER *
* R2: INSTANCE (EVENT #) *
********************************
* RETURNS: *
* RO: SUCCESS CODE *
********************* ************
ENTRY
! ESTABLISH TEMPORARY VARIABLE
STACK FRAME. !
030F SUB R15, #SIZEOF TEMP
0012
! SAVE INPUT ARGUMENTS !
01E4 6FF1 LD T EMP. HANDLE_PT R (R15) , R1
01E6 0000
01E8 6FF2 LD TEMP . EVENT_NR (R1 5) , R2
01EA 0002
! LOCK APT !
01EC 7604 LDA R4, APT. LOCK
01EE 0000 1
01F0 5F00 CALL K_LOCK
01F2 0000*
! RETURNS WHEN APT IS LOCKED !
! ANNOUNCE EVENT OCCURRENCE BY
INCREMENTING EVENTCOUNT IN G_AST!






01F8 0B00 CP RO, #SUCCEEDED
01FA 0002
01FC 5E0E IF EQ THEN
01FE 0372'
! SAVE EVENTCOUNT I
5DF2 LDL TEMP. EVENT VAL(315), RR20200
0202 0004
- 275 -
! RESTORE INSTANCE !
0204 61F0 LD R0 r TEMP.EVENT_NR (R15)
0206 0002
! RESTORE HANDLE POINTER !
0208 61F1 LD R1, TEMP.HANDL£_PTR (R1 5)
020A 0000
! SAVE HANDLE !
020C 5414 LDL RR4, HANDLE VAL. HIGH(R1)
020E 0000
0210 5DF4 LDL TEMP. HANDLE_HIGH (R15) , RR4
0212 000C
0214 6114 LD R4, HANDLE_V AL. LOW (R1)
0216 0004
0218 6FF4 LD TEMP. HANDLE LOW(R15), R4
021A 0010
! AWAKEN ALL PROCESSES AWAITING
THIS EVENT OCCURRENCE I
! GET FIRST BLOCKED PROCESS I
021C 6101 LD R1, APT.BLOCKED_LIST
021E 000A'




! DETERMINE IF AT END OF BLOCKED LIST I
0224 0B01 CP R1, #NIL
0226 FFFF
IF EQ ! NO MORE BLOCKED PROCESSES !





! SAVE NEXT ITEM IN LIST !
0230 6117 LD R7, APT. AP. NEXT_AP (R1)
0232 0020«
I DETERMINE IF PROCESS IS ASSOCIATED
WITH CURRENT HANDLE !
0234 54F4 LDL RR4 r TEMP. EANDLE_HIGH (R 1 5)
0236 000C
0238 5014 CPL RR4, APT. AP. HANDLE (R1)
023A 0030 8
IF EQ !HIGH HANDLE VALUE MATCHES!
023C 5E0E THEN
023E 02A2*
02^0 61F4 LD R4 r TEMP. HANDLE_LOW (R15)
0242 0010
0244 4B14 CP R4, APT. AP. HANDLE[ 2 ] (R 1)
246 00 34'
IF EQ ! HANDLE'S MATCH !
0248 5E0E THEN ! CHECK FOR INSTANCE MATCH !
024A 029C










































IF EQ ! INSTANCE MATCHES !




CPL RR2, APT. AP. VALUE (R1)
IF GE JAWAITED EVENT HAS OCCURRED!
THEN ! AWAKEN PROCESS !
! REMOVE FROM BLOCKED LIST !
LD o)R6, R7
! SAVE LOCAL VARIABLES !
PUSHL 3R15, RR6
!SET LIST THREADING ARGUMENTS!
LD R2, APT.AP. AFFINITY (R 1
)
LDA R3, APT.READY_LIST (R2)
LDA R4, APT.AP. NEXT^AP
LDA R5, APT.AP. PRI





R3: LIST HEAD PTR
R4: NEXT OBJ PTR
R5*. PRIORITY PTR
R6: STATE PTR
R7: STATE VALUE !
! RESTORE LOCAL VARIABLES !
POPL RR6, o)R15
LD R11, #REMOVED
ELSE ! PROCESS STILL BLOCKED!
CLR R11
FI ! END VALUE CHECK !
ELSE ! PROCESS STILL BLOCKED!
CLR R11
FI ! END INSTANCE CHECK !






































FI ! END HANDLE CHECK !
ELSE ! PROCESS STILL BLOCKED!
CLR R11
FI ! END HIGH HANDLE CHECK !
! RESET AP POINTER REGISTERS !
CP R11, #REMOVED




LD R1 f R7
OD
! DETERMINE IF ANY VIRTUAL PREEMPT




CP R2, #NR_CPU * 2
IF EQ !ALL READY LISTS CHECKED! THEN
EXIT FROM PREEMPT_CHECK
FI
! CREATE PREEMPT VECTOR FOR VP»S !
CLR R1
DO 'FOR R 1=1 TO NR VP'S!
INC R1
CP R1, APT.VP.NR_VP(R2)





! # TO PREEMPT !
CLR R3
LD R4, APT.VP. NR_VP(R2)
! # OF VP'S !
! GET FIRST READY PROCESS !




! SEE IP READY LIST IS EMPTY !
CP R1, #NIL
IF EQ !LIST IS EMPTY!
THEN EXIT FROM CHECK RDY LIST
FI
CP APT. AP. STATE (R1) , #RUNNING
IF EQ IPROCESS IS RUNNING!
THEN !DON»T PREEMPT IT!
LD R5, APT.AP.VP_ID(R1)
!COHPUTE LOCATION IN PREEMPT VECTOR!
SUB R5, APT. VP. FIRST (R2)
LDA R6, R15(R5)
LD 3R6, tFALSE









! GET NEXT AP IN READY LIST !
LD R0, APT. AP.NEXT_AP(R1)
LD R1, RO
OD !END CHECK_RDY_LIST!
! SET NECESSARY PREEMPTS !
LD R4, APT.VP.NR_VP(R2)
LD R1, APT. VP. FIRST (R2)
SEND PREEMPT:
DO
97F0 POP RO, dR15
! CHECK TEMPLATE !
0B0O CP RO, #TRUE
0001









































0336 0B03 CP R3, #0
0338 0000
IF GT ! PREEMPTS REQUI
033A 5E02 THEN ! PREEMPT IT!
033C 0350*
I SAVE ARGUMENTS!
033E 93F1 POSH 3R15, R1
0340 91F2 POSHL 3R15, RR2
0342 93F4 POSH 3R15, R4




0348 97F4 POP R4, aai5
034A 95F2 POPL RR2, fl)R15





0350 A911 INC R1, #2
0352 AB40 DEC R4
0354 0B04 CP R4, #0
0356 0000






0360 E8E5 OD ! END SEND_PREEMPT!
! CHECK NEXT READY LIST
0362 A921 INC R2, #2
0364 E8A8 OD ! END PREEMPT_CHECK!
! UNLOCK APT !
0366 7604 LDA R4, APT. LOCK
0368 0000*




! RESTORE SUCCESS CODE !
LD RO, #SUCCEEDED
FI
I RESTORE STACK !
0372 010F ADD R15, tSIZEOF TEMP
0374 0012
0376 9E08 RET




* CHECKS USER SPECIFIED VALUE *
* AGAINST CURRENT EVENTCOUNT *
* VALUE. IF USER VALUE IS LESS *
* THAN OR EQUAL EVENTCOUNT THEN*
* CONTROL IS RETURNED TO USER. *
* ELSE USER IS BLOCKED UNTIL *
* EVENT OCCURRENCE. *
********************************
* PARAMETERS: *
* R1: HANDLE POINTER *
* R2: INSTANCE (EVENT #) *
* RR4: SPECIFIED VALUE *
********************************
* RETURNS: *
* R0: SUCCESS CODE *
********************************!
ENTRY
! ESTABLISH STACK FRAME FOR
TEMPORARY VARIABLES. !
SUB R15, #SIZEOF TEMP
! SAVE INPUT PARAMETERS !
LD TEMP.HANDLE_PTR(R15) , R1
LD TEMP.EVENT_NR(R15) , R2
LDL TEMP.EVENT_VAL (R15) , RRU
! LOCK APT !
LDA R4, APT. LOCK
CALL K_LOCK
! RETURNS WHEN APT IS LOCKED !







0394 0B00 CP R0, #SUCCEEDED
0396 0002
0398 5E0E IF EQ THEN
039A 0440'
! DETERMINE IF REQUESTED EVENT
HAS OCCURRED !
039C 54F6 LDL RR6, TEMP. EVENTUAL (R15)
039E 0004
















































































IF GT !EVENT HAS NOT OCCURRED!
THEN ! BLOCK PROCESS!




! SAVE RETURN VARIABLES !
LD TEMP.ID_VP (R15) , R1
LD TEMP.CPU_NUM (R15) , R3
LD R8, APT.RUNNING_LIST(R1)
! RESTORE REMAINING ARGUMENTS i
LD R2, TEMP.EVENT_Nfi(R15)
LD R1, TEMP.HANDLE_PTR (R15)
! SAVE EVENT DATA !
LDL RR4, HANDLE_VAL.HIGH (R1)
LDL APT.AP.HANDLE(R8) , RR4
LD R4, HANDLE_VAL.L0W(R1)
LD APT.AP.HANDLE[ 2] (28) , R4
LD APT. AP. INSTANCE (R8) , R2
LDL RR6, TEMP.EVENT_VAL(R15|
LDL APT. AP. VALUE (R8) , RR6
! REMOVE PROCESS FROM READ* LIST !
LD R'J, APT. AP. AFFINITY (R8)
LD R2, APT. READ Y_LIST (R1)
! SEE IF PROCESS IS FIRST
ENTRY IN READY LIST !
CP R2, R8
IF EQ !INSERT NEW READY LIST HEAD!
THEN
LD R3, APT.AP.NEXT_AP (£8)
LD APT.READY_,LIST(B1) , R3






























IF EQ IFOUND ITEM IN LIST!
THEN












LDA R5 r APT.AP.PRI
LDA R6 r APT. AP. STATE
LD R7, #BLOCKED






! GET CURRENT VP ID !
0428 61F1 LD R1, TEMP . ID_VP (R 15)
042A 0008




! SCHEDOLE FIRST READY PROCESS !
CALL TC GETWORK !R1:VP ID
R3:CPU #!
! UNLOCK APT !
0434 7604 LDA R4 , APT. LOCK
0436 0000'
0438 5F00 CALL K_UNLOCK
043A 0000*
! RESTORE SUCCESS CODE !
















* READS SECURITY ACCESS *
* CLASS OF CURRENT PROCESS *
* IN APT. CALLED BY SEG *
* MGR AND EVENT MGR *
****************************
* LOCAL VARIABLES: *
* R1: VP ID *
* R5: PROCESS ID *
****************************
* RETURNS: *
* RR2: PROCESS SAC *
****************************!
ENTRY
0446 7604 LDA R4, APT. LOCK
0448 0000*
044A 5F00 CALL K_LOCK ! R4 :-«APT .LOCK!
044C 0000*




0452 6115 LD R5,APT. RUNNING_LIST(R1)
0454 0002'
0456 5452 LDL RR2, APT . AP . SAC (R5)
0458 0024«
! UNLOCK APT !
045A 7604 LDA R4, APT. LOCK
045C 0000»
045E 5F00 CALL K_UNLOCK
0460 0000*
0462 9E08 RET




* OBTAINS DBR NUMBER FROM APT *
* FOR THE CURRENT PROCESS. *
* CALLED BY SEGMENT MANAGER *
************** ************* ******
* LOCAL VARIABLES: *
* R1: VP ID *
* R5: PROCESS ID *
*********************************
* RETURNS: *
* R1: DBR NUMBER *
***************** **** ****** ******
i
ENTRY
!NOTE: DBR # IS ONLY YALID WHILE PROCESS
IS LOADED. THIS IS NO PROBLEM IN SASS
AS ALL PROCESSES REMAIN LOADED. IN A
MORE GENERAL CASE, THE DBR * COULD ONLY
BE ASSUMED CORRECT WHILE THE APT IS LOCKED!
0464 7604 LDA R4, APT. LOCK
0466 0000'
0468 5F00 CALL K_LOCK !R4: -.APT. LOCK •
046A 0000*




0470 6115 LD R5 , APT. RUNNING LIST(R1)
0472 0002'
0474 6151 LD R1,APT. AP.DBfi(R5)
0476 0C22'
I UNLOCK APT I
0478 7604 LDA R4, APT. LOCK
047A 0000'







DISTRIBUTED MEMORY MANAGER LISTINGS
Z8000ASM 2.02
























H ARRAY ARRA I [3 WORD]










































! mote: next_block is used in the mm_allocate
stub as an~offset pointer into the block
3f allocatable memory. it is initialized




•note: these records are "overlays" or "frames" used













































DEACTIVATE_{!SG BECOED[ DEACT_CODE WORD
D_DBR_NO WOBD
D_MM_HANDLE H_ABBAY
D_FILL ABRAY[ 3 WOBD]]
SABS
SWAP_IN_MSG RECOBD [S_IN_CODE WORD
SI MM HANDLE a AEBAY
SI~DBR NO WOBO










SC~FILL ABBAY[ 15 BYTE]]
SABS

























* INTERFACE BETWEEN S EG MGR *
* (CREATE_SEG PROCEDURE) AND *
* MMGR PROCESS (CREATE_ENTRY *
* PROCEDURE) . ARRANGES~AND *
* PERFORMS IPC. *
*********************************
* REGISTER USE: *
* PARAMETERS *
* R0:SUCCESS_CODE (RET) *
* R1:HPTR (INPUT) *
* R2:ENTRY_NO (INPUT) *
* R3:SIZE (INPUT) *
* RR4:CLASS (INPUT) *
* LOCAL USE *





•USE STACK FOR MESSAGEI
0000 030F SUB R15,#SIZEOF COM MSG
0002 0010
0004 A1FD LD R13,R15 ! -COM_MSGBUF !
!FILL COM_MSGBUF (LOAD MESSAGE) . CREATE MSG
FRAME IS BASED AT ADDRESS ZERO. IT IS
OVERLAID ONTO COM MSGBUF FRAME BY INDEXING
EACH ENTRY (I.E. ADDING TO EACH ENTRY) THE
BASE ADDRESS OF COMJiSGBUF!
CREATE_MSG.CR_CODE (R13) , #CREATE_CODE
R6,R1(#0) ilNDEX TO HM_HANDLE ENTRY!
CREATE_MSG.CE_MM_HANDLE[ J (R13) ,R6
R6,R1 (#2)
CREATE_MSG.CE_MM_HANDLE[ 1 ] (R13) ,R6
R6,R1 (#4)























002C 6FD3 LD CREATE_MSG. CE SIZE(R13),R3
002E OOOA
0030 A1D8 LD R8,R13
0032 5F00 CALL PERFORM_IPC !R8: -.CQM_MSGBUF
!
0034 018C 1
IRETRIEVE SUCCESS_CODE FROM RETORNED MESSAGE!
0036 8D08 CLR RO
0038 60D8 LDB RLO, RET_S(JC_CODE. SUC_CODE (R13)
003A 0000
003C 010F ADD R15,#SIZE0F COM_MSG 'RESTORE STACK STATE!
003E 0010
0040 9E08 RET






































* INTERFACE BETWEEN S EG MGR *
* (DELETE_SEG PROCEDURE) AND *
* MMGR (DELETE_ENTRY PROCEDURE) . *
* ARRANGES AND PERFORMS IPC. *
*********************************
* REGISTER USE: *
* PARAMETERS *
* R0:SUCCESS_CODE(RET) *
* R1:HPTR (INPUT) *
* R2:ENTRY_NO (INPUT) *
* LOCAL USE *

































LD R13,R15 ! -COM_MSGBUF !
IFILL COM_MSGBUF (LOAD MESSAGE). DELETE_MSG FRAME
IS BASED~AT ADDRESS ZERO. IT IS OVERLAID ONTO
COM_MSGBUF FRAME BY INDEXING EACH ENTRY (I.E. ADD-
ING~TO EACH ENTRY) THE BASE ADDRESS OF COM MSGBUF!
LD DELETE_MSG.DE_CODE(fi13) , #DELETE_CODE
LD R6 r R1(#0) IINDEX TO MM_HANDLE ENTRY!
LD DELETE_MSG.DE_MM_HANDLE[ ] (R13) ,R6
LD R6,R1(#2)
LD DELETE_MSG.DE_MM_HANDLE[ 1 J (R13) ,R6
LD R6,R1(#4)
LD DELETE_MSG.DE_MM_HANDLE[ 2] (R13) ,R6
LD DELETE_MSG.DE_ENTRY_NO (S13) ,R2
LD R8,R13
CALL PERFORM_IPC ! R8 : -*COM_MSGBUF
!
!RETRIEVE SUCCESS_CODE FROM RETURNED MESSAGE!
CLR RO
LDB RL0,RET_SUC_CODE.SUC_CODE(R13)






* INTERFACE BETWEEN SEG MGR *
* (MAKE_KNOWN PROCEDURE) AND *
* MMGR (ACTIVATE PROCEDURE) . *
* ARRANGES AND PERFORMS IPC. *
******** *********************** **
* REGISTER USE: *
* PARAMETERS *
* R1:DBR_NO (INPUT) *
* R2:HPTR (INPUT) *
* R3:ENTRY_NO *
* R4:SEGMENT_NO *
* R12:RET_HANDLE PTR *









!USE STACK FOR MESSAGE!
007C 030F SUB R15,»SIZEOF COM_MSG
007E 0010
0080 A1FD LD R13,R15 ! -»COM_MSGBUF I
! SAVE RETURN HANDLE POINTER !
0082 93FC PUSH a)R15, R12
!?ILL COM_MSGBUF (LOAD MESSAGE). ACTIVATEJ1SG FRAME
IS BASED AT ADDRESS ZERO. IT IS OVERLAID~ONTO
COMJ1SGBUF FRAME BY INDEXING EACH ENTRY (I.E. ADD-
ING TO EACH ENTRY) THE BASE ADDRESS OF COM_MSGBUF!
LD ACTIVATE_MSG.ACT_CODS(R13) , *ACTIVATE_CODE
LD ACTIVATE_MSG.A_DBR_NO (R13) ,R1
LD R6,R2(#0)
LD ACTIVATE_MSG.A_MM_HANDLE[ ](R13) ,R6
LD R6,R2(#2)
LD ACTIVATE_MSG.A._MM_HANDLE[ 1 ](R13) ,R6
LD R6,R2(#4)






















OOAA 6EDC LDB ACTI VATE_MSG. A_SEGMENT_NO (B13) , RL4
OOAC OOOB
OOAE A1D8 LD R8,R13
OOBO 5F00 CALL PEFFORM_IPC ! (R8 :-.COM_MSGBUF!
00B2 018C»
! RESTORE RETURN HANDLE POINTER I
00B4 97FC POP R12, o)R15
! UPDATE MM_HANDLE ENTRY !
00B6 54D6 LDL RR6, I_ACTIVATE ARG.R MM HANDLE (R13)
00B8 0002
OOBA 5DC6 LDL MM_HANDLE. ID (R 12) , RR6
OOBC 0000
OOBE 61D6 LD R6,R_ACTIV ATE_ARG. R MM HAN DLE[ 2 ] (R 1 3)
OOCO 0006
00C2 6FC6 LD MM_HANDLE. ENTRY_NO (R12) , R6
00C4 0004
IRETRIEVE OTHER RETURN ARGUMENTS!
00C6 8D08 CLR RO
00C8 60D8 LDB RLO, R_ACTIVATE_ARG.R_SUC_CODE (R13)
OOCA 0000
OOCC 54D2 LDL RR2,R ACTIVATE ARG.R CLASS (R13)
OOCE 0008
OODO 61D4 LD RU ,R_ACTIV AIE_ARG. RESIZE (R 13)
00D2 OOOC
00D4 010F ADD R15,#SIZE0F COM_MSG I RESTORE STACK STATE!
00D6 0010
00D8 9E08 RET




* INTERFACE BETWEEN SEG MGR *
* (TERMINATE PROCEDURE) AND *
* MMGR (DEACTIVATE PROCEDURE) . *
* ARRANGES AND PERFORMS IPC. *
*********************************
* REGISTER USE: *
* PARAMETERS *
* RO: SUCCESS CODE (RET) *
* R1:DBR_NO (INPUT) *
* R2:HPTR(INPUT) *
* LOCAL USE *






!USE STACK FOR MESSAGE!
OODA 030F SUB R15,#SIZEOF COM MSG
OODC 0010
OODE A1FD LD R13,R15 ! -.COM_MSGBUF !
•FILL COM_MSGBUF (LOAD MESSAGE). DEACTIV ATE_MSG FRAME
IS BASED AT ADDRESS ZERO. IT IS OVERLAID ONTO
COM_MSGBUF FRAME BY INDEXING EACH ENTRY (I.E. ADD-





R6,R2(#Q) IINDEX TO MM_HANDLE ENTRY!
DEACTIVATE_MSG.D_MM_HANDLE[0 ] (R13) , R6
R6,R2 (#2)
DEACTIVATE_MSG.D_MM_HANDLE[ 1 ] (R13) ,R6
R6,R2<#4)
DEACTIVATE_MSG.D_MM_HANDLE£2] (R13) , Rb
R8,R13
CALL ?ERFORM_IPC !R8: -.COM_MSGBUF
!
IRETRIEVE SUCCESS_CODE FROM RETURNED MESSAGES
0108 8D08 CLR RO























010E 010F ADD R15,#SIZEOF COM MSG IRESTORE STACK STATE!
01 10 0010
0112 9E08 BET




* INTERFACE BETWEEN SEG MGR (SM *
* SWAP_IN PROCEDURE) AND MMGR *
* (SWAP_IN PROCEDURE)
. ARRANGES *
* AND PERFORMS IPC. *
*********************************
* REGISTER USE: *
* PARAMETERS *
* R0:SUCCESS_CODE(RET) *
* R1 :DBR_NO (INPUT) *
* R2:HPTR(INPUT) *
* R3: ACCESS (INPUT) *
* LOCAL USE *






!USE STACK FOR MESSAGE!
0114 030F SUB R15,#SIZEOF COM MSG
0116 0010
0118 A1FD LD R13,R15 ! -.COM_MSGBUF !
!FILL COM_MSGBUF (LOAD MESSAGE). SWAP_IN_MSG FRAME
IS BASED AT ADDRESS ZERO. IT IS OVERLAID ONTO
COMJiSGBUF FRAME BY INDEXING EACH ENTRY (I.E. ADD-
ING TO EACH ENTRY) THE BASE ADDRESS OF COM_MSGBUF!
01 1A 4DD5 LD S WAP_IN_MSG. S_IN_CODE (R1 3) , #SW AP_IN_CDDE
01 1C 0000
011E 0036
0120 3126 LD R6,R2(#0) 1INDEX TO MM_HANDLE ENTRY!
0122 0000
0124 6FD6 LD SWAP IN MSG. SI MM_HANDLE[ ] (R1 3) ,R6
0126 0002
0128 3126 LD R6,R2(#2)
012A 0002
12C 6FD6 LD S WAP_IN_MSG. SI_MM_HANDLE[ 1 ] (R1 3) ,R6
012E 0004
0130 3126 LD R6,R2(#4)
0132 0004
0134 6FD6 LD S WAP_IN_MSG. SI_MM_HANDLE[ 2 ] (R1 3) ,R6
0136 0006
0138 6FD1 LD S WAP_IN_MSG. SI_DBR_NO (R13) ,R1
013A 0008
013C 6EDB LDB S WAP_IN_MSG. SI_ACCESS_AUTH (R13) ,RL3
013E 000A
0140 A1D8 LD R8,R13
0142 5F0O CALL PERFORM_IPC ! R8 : -.CQMJ1SG BUF!
0144 018C
JRETRIEVE SUCCESS_CODE FROM RETURNED MESSAGE!
0146 8D08 CLR RO


















* INTERFACE BETWEEN SEG MGR (SM *
* SWAP_OUT PROCEDURE) AND MMGR ~*
* (SWAP_OUT PROCEDURE). ARRANGES*
* AND PERFORMS IPC. *
fr**************^*****************
* REGISTER USE: *
* PARAMETERS *
* RO: SUCCESS CODE (RET) *
* R1 :DBR_NO (INPUT) *
* R2:HPTR (INPUT) *
* LOCAL USE *






•USE STACK FOR MESSAGE!
0152 030F SUB R15,#SIZEOF COM_MSG
0154 0010
0156 A1FD LD R13,R15 ! -.COM_MSGBUF I
!FILL COM_MSGBUF (LOAD MESSAGE). SWAP_OUT_MSG FRAME
IS BASED AT ADDRESS ZERO. IT IS 0VERLAID~ONTO
COM_MSGBUF FRAME BY INDEXING EACH ENTRY (I.E. ADD-
ING TO EACH ENTRY) THE BASE ADDRESS OF COM_MSGBUF!
0158 4DD5 LD S WAP_OUT_MSG. S_OUT_CODE (R1 3) , #SWAP_0UT_C3De
015A 0000
015C 0037
015E 3126 LD R6,R2(#0) IINDEX TO MM HANDLE ENTRY!
0160 0000
0162 6FD6 LD SWAP_OUT_MSG.SO_MM_HANDLE[ ] (R 13) , R6
0164 0004
0166 3126 LD R6,R2(#2)
0168 0002
016A 6FD6 LD S WAP_OUT_MSG .SO_MM_HANDLE[ 1 ] (R 13) , R6
016C 0006
016E 3126 LD R6,R2(#4)
0170 0004
0172 6FD6 LD S WAP_OUT_MSG.SO_MM_HANDLE[ 2 ] (R 1 3) , R6
0174 0008
0176 6FD1 LD SWAP OUT_MSG. SO_DBR_NO (R 13) ,R
1
0178 0002
017A A1D8 LD R8,R13
017C 5F00 CALL PERFORM_IPC ! R8 : -»CCM_MSG BUF!
017E 018C
!RETRIEVE SUCCESS_CODE FROM RETURNED MESSAGE!
0180 8D08 CLR RO
182 60D8 LDB RLO, RET_SUC_CODE. SUC_CODE (R13)
0184 0000








* SERVICE ROUTINE TO ARRANGE AND *
* PERFORM IPC WITH THE MEM MGS PROC *
*************************************
* REGISTER USE: *
* PARAMETERS *
* R8: -.COM_MSG (INPUT) *
* LOCAL USE *
* R1,R2: WORK REGS *
* R4: -G_AST_LOCK *




018C 93FD PUSH SR15,R13 ! -.COM_MSGBUF!
018E 5F00 CALL GET_CPU_NO ! RET-R1 :CPU_NO!
0190 0000*
0192 A112 LD R2,R1
0194 6121 LD R1,MM_CPU_TBL(R2) !MM_VP_ID!
0196 0000 1
0198 7604 LDA R4 ,G_AST_LOCK
019A 0000*
019C 5F00 CALL K_LOCK
019E 0000*
01A0 5F00 CALL SIGNAL !R 1 : MM_VP_ID, R8: -.COM_MSGBUF
!
01A2 0000*
01A4 97FD POP R13,o)R15
01A6 A1D8 LD R8,R13 !-«COM_MSGBUF!
01A8 93FD PUSH o)R15,B13
1AA 5F00 CALL WAIT ! R8: -.COMJ1SGBUF!
01AC 0000*
1AE 7604 LDA R4 ,G_AST_LOCK
01B0 0000*
01B2 5F00 CALL K_UNLOCK
01B4 0000*
01B6 97FD POP R13,o)R15
0tB8 9E08 RET




* ALLOCATES BLOCKS OF CPU*
* LOCAL MEMORY. EACH *
* BLOCK CONTAINS 256 *
* BYTES OF MEMORY. *
**************************
* PARAMETERS: *
* R3: # OF BLOCKS *
* RETURNS: *
* R2: STARTING ADDR *
* LOCAL: *
* R4: BLOCK POINTER *
**************************{
ENTRY
! NOTE: THIS PROCEDURE IS ONLY A STUB
OF THE ORIGINALLY DESIGNED MEMORY
ALLOCATING MECHANISM. IT IS USED
BY THE PROCESS MANAGEMENT DEMONSTRATION
TO ALLOCATE CPU LOCAL MEMORY FOR ALL
MEMORY ALLOCATION REQUIREMENTS. IN AN
ACTUAL SASS ENVIRONMENT, THIS WOULD
BE BETTER SERVED TO HAVE SEPARATE
ALLOCATION PROCEDURES FOR KERNEL AND
SUPERVISOR NEEDS. (E.G., KERNE L_ALLOCATE
AND SUPERVISOR_ALLOCATE) . !
I COMPUTE SIZE OF MEMORY REQUESTED !
01BA B331 SLL R3, #BLOCK_SIZE
01BC 0008
! COMPUTE OFFSET OF MEMORY THAT IS
TO BE ALLOCATED !
01BE 6104 LD R4, NEXT BLOCK IOFFSET!
01C0 0F00»
01C2 7642 LDA R2, MEM_POOL(R4) ISTART ADDR!
01C4 0000»
1C6 8134 ADD R4, R3 ! UPDATE OFFSETI
I UPDATE OFFSET IN SECTION OF AVAILABLE
MEMORY TO INDICATE THAT CURRENTLY
REQUESTED MEMORY IS NOH ALLOCATED !
1C8 6F04 LD NEXT_BLOCK, R4 'SAVE OFFSET!
01CA 0F00'
1CC 9E08 RET




* RETURNS CURRENT VALUE OF *
* SEGMENT SEQUENCER AND *
* INCREMENTS SEQUENCER VALUE*
* FOR NEXT TICKET OPERATION *
******** *********************
* PARAMETERS: *
* R1: SEG HANDLE PTR *
* RETURNS: *
* RR4: TICKET VALUE *
* LOCAL VARIABLES: *
* RR6: SEQUENCER VALUE *




! SAVE HANDLE PTR !
01CE 93F1 PUSH o)R15, R1
! LOCK G_AST !
01DO 7604 LDA Ru7 G AST LOCK
01D2 0000*
01D4 5F00 CALL K LOCK
01D6 0000*
! RESTORE HANDLE PTR !
01D8 97F1 POP R1 f 3R15
! GET G_A$T ENTRY t I
01DA 6118 LD R8, MM HANDLE. ENTRY NO(R1)
01 DC 0004
! GET TICKET VALUE !
01DE 5486 LDL RR6, G AST. SEQUENCER (R8)
01E0 0014*
! SET RETURN REGISTER VALUE !
01E2 9464 LDL RR4 r RR6
IADVANCE SEQUENCER FOR NEXT
TICKET OPERATION!
01E4 1606 ADDL RR6, #1
01E6 0000
01E8 0001
• SAVE NEW SEQUENCER VALUE IN G AST
01EA 5D86 LDL G^AST. SEQUENCER (R8) , RR6
01EC 0014*
! UNLOCK G_AST !
! SAVE RETURN VALUES !
01EE 91F4 PUSHL 3R15, RR4
01F0 7604 LDA R4 r G AST_LOCK
01F2 0000*
01F4 5F00 CALL K_UNLOCK
01F6 0000*
! RETRIEVE RETURN VALUES !






* READS CURRENT VALUE OF THE *




* H1: SEG HANDLE PTR *
* R2: INSTANCE (EVENT #) *
*******************************
* RETURNS: *
* RR4: EVENTCOUNT VALUE *
*******************************
* LOCAL VARIABLES: *
* RR6: SEQUENCER VALUE *
* R8: G_AST ENTRY # *
*******************************!
ENTRY
! SAVE INPUT PARAMETERS !
PUSH 3R15, R1
PUSH 8R15, R2
! LOCK G_AST !
LDA R47 G_AST_LOCK
CALL K_LOCK
! RESTORE INPUT PARAMETERS !
POP R2, o>R15
POP R1, SR15
! GET G_AST ENTRY # !
LD R8, MM_HANDLE.2NTRY_N0(R1)
! READ EVENTCOUNT !
! CHECK WHICH EVENT # !
IF R2




0218 5484 LDL RR4, G_AST.E VENT1 (R8)
021A 0018*
021C 2100 LD RO, #SUCCEEDED
021E 0002






022C 5484 LDL RR4, G_AST .E VENT2 (R8)
022E 001C*













0234 5E08 ELSE IINVALID INPUT!
0236 023C
0238 2100 LD R0, #INVALID INSTANCE
023A 005F
FI
! NOTE: NO VALUE IS RETURNED IF
USER SPECIFIED INVALID EVENT #!
• SAVE RETURN VALUES !
023C 91F4 PUSHL 3R15, RR4
! UNLOCK G_AST !
023E 7604 LDA R4 , G_AST_LOCK
0240 0000*
0242 5F00 CALL K_UNLOCK
0244 0000*
! RESTORE RETURN VALUES !
0246 95F4 POPL RR4, SR15
0248 9E08 RET
024A END MM READ EVENTCOUNT
- 305 -
024A MM_ADVANCE PfiOCEDURE
t * ********** ************************
* DETERMINES G_AST OFFSET FROM *
* SEGMENT HANDLE AND INCREMENTS *
* THE INSTANCE (EVENT #) SPECIFIED *
* BY THE CALLER. THIS IN EFFECT *
* ANNOUNCES THE OCCURRENCE OF THE *
* EVENT. THE NEW VALUE OF THE *




* R1: HANDLE POINTER *
* R2: INSTANCE (EVENT #) *
***********************************
* RETURNS: *
* RR2: NEW EVENTCOUNT VALUE *
***********************************!
ENTRY
! SAVE INPUT PARAMETERS !
024A 93F1 PUSH 3R15, R1
024C 93F2 PUSH 3R15, R2
! LOCK G_AST !
024E 7604 LDA R4, G_AST LOCK
0250 0000*
0252 5F00 CALL K_LOCK
0254 0000*
! RESTORE INPUT PARAMETERS !
0256 97F2 POP R2 , a)R15
0258 97F1 POP R1, a)R15
! GET G_AST OFFSET !
025A 6114 LD R4, MM HANDLE. ENTRY_NO (R 1)
025C 0004
! DETERMINE INSTANCE !
IF R2




0266 5442 LDL RR2, G AST. EVENT1 (R4)
0268 0018*
026A 1602 ADDL RR2, #1
026C 0000
026E 0001
! SAVE NEW EVENTCOUNT !
0270 5D42 LDL G AST .EVENT1 (R4) , RR2
0272 0018*
0274 2100 LD RO, #SUCCEEDED
0276 0002







0284 5442 LDL RR2, G_AST.EVENT2(R4)
0286 001C*
0288 1602 ADDL RR2, #1
028A 0000
028C 0001
! SAVE NEW EVENTCOUNT !
028E 5D42 LDL G_AST.EVENT2 (R4) , RR2
0290 00 1C*
0292 2100 LD RO, #SUCCEEDED
0294 0002
0296 5E08 ELSE IINVALID INPOT!
0298 029E»
029A 2100 LD RO, #INVALID_INSTANCE
029C 005F
FI
! NOTE : AN INVALID INSTANCE V
MILL NOT AFFECT EVENT DATA
! UNLOCK G_AST !
029E 7604 LDA R4, G_AST_LOCK
02A0 0000*















ADVANCE_CALL : = 1
AWAIT_CALL ! : = 2
CREATE_SEG_CALL ! ; — 3
delete!seg_call ; = 4
MAKE_KNOWN_CALL ; = 5
READ~CALL : = 6
SM_SWAP_IN_CALL : , = 7
SM SWAP_OUT_CALL j = 8
TERMINATE_CALL J: = 9
TICKET_CALL I = 10
WRITE_CALL : : = 11
WRITELN_CALL = 12
CRLF CALL : = 13
WRITE : = X0FC8 'PRINT CHAR!
WRITELN ; = %0FC0 SPRINT MSG!
CRLF ; : = XOFDU ICAR RET/LINE
MONITOR : = %A902
REGISTER_BLOCK ; , = 32
rRAP_CODE_0?FSET : : = 36




























! SAVE REGISTERS !
SOB R15, #REGISTER_BLOCK
LDM a)R15, R1, #16
! SAVE NSP !
POSH dR15, R2
LDCTL R2, NSP
! RESTORE INPUT REGISTERS !
000C 2DF2 EX R2, 3R15
• SAVE REGISTER 2 !
OOOE 93F2 PUSH o)R15, R2
! GET SYSTEM TRAP CODE !
00 10 31F2 LD R2, R15(#TRAP CODE OFFSET)
0012 0024
! REMOVE SYSTEM CALL IDENTIFIER FROM
SYSTEM TRAP INSTRUCTION !
0014 8C28 CLRB RH2
! NOTE: THIS LEAVES THE USER VISIBLE
EXTENDED INSTRUCTION NUMBER IN R2 !
! DECODE AND EXECUTE EXTENDED INSTRUCTION
IF R2
! NOTE: THE INITIAL VALUE FOR REGISTER 2
WILL BE RESTORED WHEN THE APPROPRIATE
CONDITION IS FOUND I




001E 97F2 POP R2, 3R15
0020 5F00 CALL ADVANCE
0022 0000*






0030 97F2 POP R2 r 3R15
0032 5F00 CALL AWAIT
0034 0000*
































































CASE #DELETE SEG CALL THEN
POP R2, SR15
CALL DELETE_SEG
CASE #MAKE KNOWN CALL THEN
POP R2, 3R15
CALL MAKE_KNOWN
CASE #READ CALL THEN
POP R2 r SR15
CALL READ
CASE #SM SWAP IN CALL THEN
POP R2, 3R15
CALL SM_SWAP_IN
CASE #SM SWAP OUT CALL THEN
POP R2, 5)R15
CALL SH_SWAP_OUT





























































CASE tWRITE CALL THEN
POP R2, 3R15
CALL WRITE
CASE #WRITELN CALL THEN
POP R2, 3R15
CALL WRITELN
SE #CRLF CALL THEN
POP R2, a)R15
CALL CRLF
ELSE ! INVALID KERNEL INVOCATION!
! RETURN TO MONITOR !
! NOTE: THIS RETORN TO MONITOR IS
FOR STUB USE ONLI. AN INVALID
KERNEL INVOCATION WOULD NORMALLY






! SAVE REGISTERS ON KERNEL STACK I
! SAVE R1 !
010C 93F1 PUSH 3R15, R1
! GET ADDRESS OF REGISTER BLOCK i
010E 34F1 LDA R1, R15 (#4)
0110 0004
! SAVE REGISTERS IN REGISTER BLOCK
ON KERNEL STACK. !
0112 1C19 LDH 3R1, R1, #16
01 14 010F
! RESTORE R1 BUT MAINTAIN ADDRESS
OF REGISTER BLOCK !
0116 2DF1 EX R1, 3R15
! SAVE R1 ON STACK !
0118 33F1 LD R15(¥4) , R1
011A 0004
! RESTORE REGISTER BLOCK ADDRESS I
01 1C 97F1 POP R1, o)R15
! SAVE VALID EXIT SP VALUE !
011E 33F1 LD R15 (#30) , R1
0120 001E
! EXIT KERNEL BY MEANS OF HARDWARE
PREEMPT HANDLER !
0122 5E08 JP KERNEL_EXIT
0124 0000*
0126 END GATE_KEEPER_MAIN
END KERNEL GATE KEEPER
- 312 -
Z8000ASM 2.02






AWAIT_CALL ; = 2
CREATE_SEG_CALL ; = 3
DELETE_SEG CALL ; s 4
MAKE_KNOWN_CALL ; = 5
READ~CALL • = 6
SM_SWAP_IN_CALL ; = 7
SM_SWAP~OUT_CALL s 8
TERMINATE_CALL ;; = 9
riCKET_CALL j = 10































* R1:SEGMENT # *
* R2:INSTANCE *
* RR4:SPECIFIED VALUE *
************************
* RETURNS: *

















* R0:SOCCESS CODE *
************************ I
ENTRY






















* R3: ACCESS DESIRED *
************************
* RETURNS: *
* RO:SUCCESS CODE *
* R1:SEGMENT # *















* R0:SUCCESS CODE *










* R1:SEGMENT # *
************************
* RETURNS: *
* RO: SUCCESS CODE *
************************
ENTRY
0018 7F07 SC #SM_SWAP_IN_CALL
001A 9E08 RET
001C END SM_SWAP_IN
00 1C SM_SWAP_OUT PROCEDURE
i ************************
* PARAMETERS: *
* R1:SEGMENT # *
************************
* RETURNS: *
* RO:SUCCESS CODE *
************************ I
ENTRY






* R1:SEGMENT # *
************************
* RETURNS: *
* RO:SUCCESS CODE *
************************
ENTRY










* R0:SUCCESS CODE *
* RR4:TICKET VALUE *
************************ i
ENTRY


























! ******** SYSTEM PARAMETERS ********
NR_CPU ; = 2
NR_VP ; , = NR_CPU*4
NR~AVAIL VP : • = NR~CPU*2
MAX_DBR_NR : = 10
STACK_SEG : = 1
STACK SEG SIZE ; = X100
STACK~BLOCK ; — STACK_SEG_SIZE/2 56
J * * OFFSETS 3:n STACK SEG * * !
STACK_BASE ; , = STACK SEG_SIZ2-%10
STATUS_REG_BLOCK. : = STACK_SEG_SIZE~£10
INTERRUPT FRAME ; . = STACK BASE-4
INTERRUPT_REG ; ; = INTERRUPT^ RAME- 34
N_S_P : . = interruptIreg-2
F_C~W : = STACK_SEG_SIZE-55E
i ****** SYSTEM C()NSTANTS ****** !
ON : ; - SFFFF
OFF ; =
READY : = 1
NIL ; = %FFFF
INVALID ; = SEEEE
K2RNEL_FCW ; = X50G0
AVAILABLE : =
ALLOCATED : = SFF
SC OFFSET ; = 12
TYPE




















NEXT READY VP VP INDEX
MSG_LIST MSG_INDEX
EXT~ID WORD


















RUNNING_LIST ARRAY[ NR_CPU WORD]
READY_LIST ARRAY[ NR~~CPU WORD]
FREE-LIST MSG INDEX
VIRT_INT_VEC ARRAY[1 # ADDRESS]
FILLER_2 WORD
VP ABRAX [ NR_VP, VP TABLE]
MSG_Q ARRAY [NR_VP,~MSG TABLE]
- 318 -
EXT_VP_LIST ARRAY( NR_AVAIL VP WORD]








• NOTE: THESE DECLARATIONS WILL NOT WORK
IN A TRUE MULTIPROCESSOR ENVIRONMENT AS
THEY ARE SUBJECT TO A "CALL." THEY MUST
BE DECLARED AS A SHARED GLOBAL DATABASE
WITH "RACE" PROTECTION (E.G., LOCK). !
0000 NEXT_AVAIL_VP INTEGER






* CREATES KERNEL PROCESSES AND *
* INITIALIZES KERNEL DATABASES.*
* INCLUDES INITIALIZATION OF *
* VIRTUAL PROCESSOR TABLE, *
* EXTERNAL VP LIST, AND MMU *
* IMAGES. ALLOCATES MMU IMAGE *
* AND CREATES KERNEL DOMAIN *
* STACK FOR KERNEL PROCESSES. *
********************************!
ENTRY
! INITIALIZE PRDS AND MMU POINTER !
! NOTE: THE FOLLOWING CONSTANTS ARE
ONLY TO BE INITIALIZED ONCE. THIS
WILL OCCUR DURING SYSTEM INITIALIZATION!
0000 4D05 LD PRDS. PHYS_CPU_ID, #%FFFF
0002 0000*
0004 FFFF
! NOTE: LOGICAL CPU NUMBERS ARE ASSIGNED
IN INCREMENTS OF 2 TO FACILITATE INDEXING
(OFFSETS) INTO LISTS SUBSCRIPTED BY
LOGICAL CPU NUMBER. !













! SPECIFY NUMBER OF VIRTUAL PROCESSORS





! ESTABLISH GATE KEEPER AS SYSTEM CALL
TRAP HANDLER !
! GET BASE OF PROGRAM STATUS AREA !
001E 7D15 LDCTL R1, PSAP
! ADD SYSTEM CALL OFFSET TO PSA BASE ADDR !
0C20 0101 ADD R1, #SC OFFSET
0022 OOOC
! STORE KERNEL FCW IN PSA !
0024 0D15 LD 3R 1 , tKERNEL FCW
0026 5000
! STORE ADDRESS OF GATE KEEPER IN PROGRAM
STATUS AREA AS SYSTEM TRAP HANDLER !






R1 ! NEXT_AVAIL_MMU INDEX i
! INITIALIZE ALL MMU IMAGES AS AVAILABLE !
SET MMU MAP:
DO
0030 4C15 LDB NEXT_AVAIL_MMU(R1)
, #AVAILA3LI0032 0000*
0034 0000
0036 A910 INC R1, #1
! CHECK FOR END OF TABLE !
0038 0B01 CP R1, #MAX_DBR_NR
003A 000A





! CREATE MEMORY MANAGER PROCESS !
0046 2103 LD R3 r #STACK_BLOCK
0048 0001
! ALLOCATE AND INITIALIZE KERNEL
DOMAIN STACK SEGMENT !




004E A121 LD R1, R2
0050 2103 LD R3, #KERNEL_FCH
0052 5000
0054 7604 LDA R4, MM_ENTRY
0056 0000*
0058 6105 LD R5, XFFFF INSP!
005A FFFF
005C 7606 LDA R6, PREEMPT_RET
005E 0000*
0060 93F1 POSH SR15, R1 'SAVE STACK ADDR!
0062 030F SOB R15, #8
0064 0008
0066 1CF9 LDM 3R15, R3, #4
0068 0303
006A A1F0 LD RO, R15
! NOTE: ARGLIST FOR CREATE_STACK INCLUDES
KERNEL FCW, INITIAL IC, NSP, AND INITIAL
RETURN POINT. !
006C 5F0O CALL CREATE_STACK ! (RO: ARGUMENT PTR
006E 0000*





























(RO: DBR #) i
! SEGMENT NO. !
R2, dR15 !GET STACK ADDR!













! SPECIFY NUMBER OF BLOCKS. COUNT STARTS
FROM ZERO. (I.E.,1 BLOCK=0, 2=1, ETC.)!
LD R4, #STACK_BLOCK-1
! SAVE DBR * !
PUSH 0R15, RO
! CREATE MMU ENTRY FOR MM STACK SEGMENT !




R4: SEG LIMITS) !
! RESTORE DBR # !
POP R0 r 3R15
! GET ADDRESS OF MMU IMAGE !
CALL GET_DBR_ADDR ! (RO: DBR #)
RETURNS:
(R1: DBR ADDRESS) !
! PREPARE VP TABLE ENTRIES FOR MM !
R2, #2 ! PRIORITY !
R5, #OFF ! PREEMPT !








! INITIALIZE MM_CPU_TBL IN DISTRIBUTED MEMORY
MANAGER WITH VP ID OF MM PROCESS !
! GET LOGICAL CPU # !
LD R1Q, PRDS.LOG_CPU ID
- 322 -
00A6 6FA9 LD MM_CPU_TBL (R10|
, R9
00A8 OOOO*
! CREATE IDLE PROCESS !
OOAA 2103 LD R3, #STACK_BLOCK
OOAC 0001




00B2 A121 LD R1, R2
00B4 2103 LD R3, #KERNEL_FCW
00B6 5000
00B8 76 04 LDA R4, IDLE_ENTRY
OOBA 0000*
OOBC 2105 LD R5, #XFFFF !NSP!
OOBE FFFF
OOCO 7606 LDA R6, PREEMPT_RET
0C2 0000*
00C4 93F1 POSH 3R15, R1 ISAVE STACK ADDR!
00C6 030F SUB R15, #8
00C8 0008
OOCA 1CF9 LDM 3R15, R3, #4
OOCC 0303
OOCE A1F0 LD RO, R15
! INITIAL IZE IDLE STACK VALUES !





R1: TOP OF STACK
R2-R14: INITIAL
REG. STATES !
R15, #8 'OVERLAP ARGUMENTS!
00D8 5F00
OODA 0000*
! ALLOCATE MMU IMAGE FOR IDLE PROCESS !











! PREPARE IDLE PROCESS MMU ENTRIES !




R2, AR15 !GET STACK ADDR!
R3, #0 ! tfRITE ATTRIBUTE !
34, #STACK_BL0CK-1 ! BLOCK LIMITS !
! SAVE DBR # !
PUSH dR15, RO
! CREATE MMU IMAGE ENTRY !




R4: SEG LIMITS ) !
! RESTORE DBR # !
0OF0 97F0 POP RO, d>R15
! GET MMU ADDRESS !
00F2 5F00 CALL GET_DBR__ADDR ! (RO: DBR #)
00F4 0000*
RETURNS
(R1: DBS ADDRESS) I
! PREPARE VPT ENTRIES FOR IDLE PROCESS !
00F6 2102 LD R2, #0 ! PRIORITY !
00F8 0000
OOFA 2105 LD R5, #OFF ! PREEMPT !
OOFC 0000
OOFE 2106 LD R6, #OFF ! KERNEL PROC !
0100 0000
! CREATE VPT ENTRIES i








! ENTER VP ID OF IDLE PROCESS IN PRDS i
0106 6F09 LD PRDS.IDLE_VP, R9
0108 0006*
! INITIALIZE IDLE VP« S !
010A 2102 LD R2, #1 ! PRIORITY !
010C 0001
010E 2105 LD R5, #ON ! PREEMPT !
0110 FFFF
0112 2106 LD R6, #ON 'NON-KERNEL PROC!
0114 FFFF
0116 6100 LD RO, PRDS.VP_NR
0118 0004*
! INITIALIZE VP VALUES !
DO







R9: VP ID !
011E ABOO DEC RO, #1
0120 0B00 CP RO, #0
0122 0000







! INITILIZE VPT HEADER !
! GET LOGICAL CPU NOMBER !
012E 6102 LD R2, PRDS. LOG_CPU ID
0130 0002*
132 4D05 LD VPT. LOCK, #OFF
0134 0000*
0136 0000
0138 4D25 LD VPT. RUNNING LIST (R2) , #HIL
013A 0002*
013C FFFF
013E 4D25 LD VPT. BEAD? LIST(R2), #NIL
0140 0006*
0142 FFFF
0144 4D08 CLR VPT. FREE LIST !HEAD OF HSG LIST!
0146 000A*
! THREAD VP»S BY PRIORITY AND SET STATES TO READY I
0148 8D28 CLR R2 ISTART WITH VP #1!
THREAD:
DO
014A 610D LD R13, PRDS.LQG_CPU_ID
014C 0002*
014E 76D3 LDA R3, VPT. RE ADY_LIST (R 13)
0150 0006*
0152 7604 LDA R4 , VPT. VP ,NEXT_READY_VP
0154 001C*
0156 7605 LDA R5 , VPT. VP .PRI
0158 0012*








! SAVE OBJ ID !
PUSH o>R15, R2






RESTORE OBJ ID !
POP R2, 3R15




016E 0B02 CP R2, # (NR_VP * (SIZEOF VP^TABLE) )
0170 0100




































































! INITIALIZE VP MESSAGE LIST I
! NOTE: ONLY THE THREAD FOR THE MESSAGE
LIST NEED BE CREATED AS ALL MESSAGES
ARE INITIALLY AVAILABLE FOR USE. THE
INITIAL MESSAGE VALUES HERE CREATED
FOR CLARITY ONLY TO SHOH THAT THE
MESSAGES HAVE NO USABLE INITIAL VALUE!
CLR R1
LST_INIT:
! NOTE: R1 REPRESENTS CURRENT ENTRY IN
MSG_LIST, R2 REPRESENTS CURRENT POSITION
IN MSG_LIST ENTRY, AND R3 REPRESENTS




ADD R3, #SIZEOF MESSAGE
FILL_MSG:
DO
LD VPT.MSG_Q.MSG(R2) , ^INVALID
INC R2, #2
CP R2, R3





















I GET LOGICAL CPU # FOR USE
BY ITC GETiOBK. !
01C2 610D LD R13, PRDS.LOG_CPU ID
01C4 0002*
! BOOTSTRAP COMPLETE !
! START SYSTEM EXECUTION AT PREEMPT ENTRY !
! POINT IN ITC GETWORK PROCEDURE !





* INITIALIZES VPT ENTRIES *
********************************





* R2: PRIORITY *
* R5: PREEMPT FLAG *
* R6: EXTERNAL VP FLAG *
* RETURNS: *
* R9: ASSIGNED VP ID *
* LOCAL VARIABLES: *
* R7: LOGICAL CPU # *
* R8: EXT_VP_LIST OFFSET *
* R9: VPT OFFSET *
*************** ****** ******** * **t
ENTRY
! GET OFFSET IN VPT FOR NEXT ENTRY !
01CA 6109 LD R9, NEXT_AVAIL_VP
01CC 0000'
01CE 6F91 LD VPT. VP. DBR (R9) , R1
01DO 0010*
01D2 6F92 LD VPT. VP. PRI (R9) , R2
01DU 0012*
01D6 6F96 LD VPT. VP. IDLE_FLAG (R9) , R6
01D8 0016*
01DA 6F95 LD VPT. VP. PREEMPT (R9) , S5
01DC 0018*
01DE 6107 LD R7 , PRDS. LOG_CPU ID
01E0 0002*
01 E2 6F97 LD VPT. VP. PHYS_PROCESSOR (R9) , R7
01E4 001A*
01E6 4D95 LD VPT. VP. NEXT_READ3f _VP (E9) , #NIL
01E8 001C*
1EA FFFF
01EC 4D95 LD VPT. VP. MSG_LISI (R9) , #NIL
01EE 001E*
01F0 FFFF
! CHECK EXTERNAL VP FLAG I
01F2 0B06 CP R6, *ON
1F4 FFFF
IF EQ !EXTERNAL VP
!
1F6 5E0E THEN ! VP IS TC VISIBLE !
01F8 0210*
1FA 6108 LD R8, NEXT EXT_VP
01FC 0002'
! INSERT ENTRY IN EXTERNAL VP LIST !
01FE 6F89 LD EXT_VP LIST (R8) , R9
0200 0000*
0202 6F98 LD VPT. VP. EXT ID (R9) , R8
0204 0020*
- 328 -
0206 A981 INC R8, #2
0208 6F08 LD NEXT_EXT_VP, R8
020A 0002«
020C 5E08 ELSE !VP BOUN
020E 0216*




0216 A19A LD R10, R9
0218 010A ADD R10, #SIZEOF VP_TABLE
021A 0020



































* INSERTS OBJECTS INTO A LIST *
* BY ORDER OF PRIORITY AND SETS *
* ITS STATE *
*********************************
* REGISTER USE: *
* PARAMETERS: *
* R2: OBJECT ID *
* R3: HEAD_OF_LIST_PTR ADDR *
* R4: NEXtI0BJJ?TR~ADDR *
* R5: PRIORITY~PTR ADDR *
* R6: STATE_PTR ADDR *
* R7: OBJECT STATE *
* LOCAL VARIABLES: *
* R8: HEAD_OF_LISTJ?TR *
* R9: NEXT~OBJ_PTR~ *
* R10: CURRENT~OBJ PRIORITY *
* R11: NEXT_OBJ PRIORITY *
*«*******************************;
ENTRY
! GET FIRST OBJECT IN LIST !
0000 2138 LD R8, a)R3
0002 0B08 CP R8, #NIL
ooou FFFF
0006 5E0E IF EQ !LIST IS EMPTY! THEN
0008 0018'
! PLACE OBJ AT HEAD OF LIST !
000A 2F32 LD a)R3, R2
OOOC 7449 LDA R9, R4(R2)
000E 0200




! COMPARE OBJ PRI WITH LIST HEAD PRI !
0018 715A LD R10, R5 (R2) i OB J PRI!
001A 0200
001C 715B LD R11, R5 (R8) IHEAD PRI!
001E 0800
0020 8BBA CP R10 r R11
0022 5E02 IF GT !OBJ PRI>HEAD PRI! THEN
0024 0030«
0026 2F32 LD a>R3, R2 !PUT AT FRONT!
0028 7348 LD R4(R2), R8
002A 0200





0030 0B08 CP R8, #NIL
0032 FFFF
0034 5E0E IF EQ !END OF LIST! THEN
0036 003C
0038 5E08 EXIT FROM SEARCH_LIST
003A 0052'
FI
003C 715B LD R11, R5 (R8) !GET NEXT PRI
!
003E 0800
0040 8BBA CP R10, R1
1
0042 5E02 IF GT JCUBRENT PRI>NEXT PRI! THEN
0044 004A»
0046 5E08 EXIT FROM SEARCH LIST
0048 0052'
FI
! GET NEXT OBJ !
004A A189 LD R9, R8
004C 7148 LD R8, R4(R9)
004E 0900
0050 E8EF OD ! END SEARCH_LIST !
! INSERT IN LIST !
0052 7348 LD R4 (R2) , R8
0054 0200




! SET OBJECT* S STATE !
005A 7367 LD R6 (R2) , R7
005C 0200
005E 9E08 RET




* INITIALIZES KERNEL STACK *
* SEGMENT FOB PROCESSES *
****************************m*
* REGISTER OSE: *
* PARAMETERS: *
* RO: ARGUMENT POINTER *
* (INCLUDES:FCW,IC, NSP, AND *
* RETURN POINT. SEE LOCAL *
* VARIABLES BELOW.) *
* R1 : TOP OF STACK *
* R2-R14: INITIAL REGISTER *
* STATES. (NOTE: IN DEMO, NO*
* SPECIFIC INITIAL REGISTER *
* VALUES ARE SET, EXCEPT R13*
* (USER ID) FOR USER PRO- *
* CESSES.) *
****** *************** ***********
* LOCAL VARIABLES *
* (FROM ARGUMENTS STORED ON *
* STACK.) *
* R3: FCW *
* R4 : PROCESS ENTRY POINT (IC) *
* R5: NSP *




o)R15, RO !SAVE ARGUMENT PTR!
RO, R15 !SAVE SP!
R15, R1 (#INTERRUPT_REG)
3R15, R1, #16 IINIIIAL REG. VALUES!
NOTE: ONLY REGISTERS R2-R14 MAY CONTAIN
INITIALIZATION VALUES !
R15, RO IRESTORE SP!
R0 r 3R15 'RESTORE ARGUMENT PTR!
R14, R15 !SAVE CALLER RETURN POINT!
R15, RO !GET ARGUMENT PTR!
R3, 0>R15, #4 !LOAD ARGUMENTS!
S15, R1 (#INTERRUPT_FRAME)
3>R15, R3, #2 !INIT IRET FRAME!
R15, R1 (#N_S_P)
o)R15, R5 !SET NSP!
R15, #2




























! INITIALIZE STATUS REGISTER BLOCK !
#KERNEL_FCH
R15, #2 ISAVE SP 6 FCW!
R14 ! RESTORE RETURN POINT!
0090 2100 LD RO,
0092 5000
0094 1C89 LDM a>R8,
0096 0F01
0098 A1EF LD R15,
009A 9E08 RET




INNER TRAFFIC CONTROLLER LISTINGS
Z8000ASM 2.02





( THIS IS A FD





C. THE PREEMPT I




Y DOES NOT SAVE REGISTERS.
NOTION OF THE GATEKEEPER ).
NPUT PARAMETER TO GETHORK THAT
THAT HILL EVENTUALLY BE ON
ARE. THIS REGISTER MUST BE
S A DBR BY ANY PROCEDURE
ORK.
NTERRUPT ENTRY HANDLER DOES
ATEKEEPER AND MUST PERFORM
MALLY ACCOMPLISHED BY IT
AL ENTRY AND EXIT.
REGS, NSP; UNLOCK VPT, TEST INT)
2. GENERAL:
A. ALL VIOLATIONS OF VIRTUAL MACHINE INSTRUCTIONS
ARE CONSIDERED ERROR CONDITIONS AND HILL RETURN
SYSTEM TO THE MONITOR HITH AN ERROR CODE IN R0
AND THE PC VALUE IN R1
.
3. ITC PROCEDURES CALLING GETHORK PASS DBR
(REGISTER R14) AND LOGICAL CPU NUMBER
(REGISTER R13) AS INPUT PARAMETERS.
(INCLUDES: SIGNAL, HAIT, SHAP_VDBB,
PHYS_PREEMPT_HANDLER, AND IDLE) . !
ERROR CODES ********** !
UNAUTHORIZED LOCK !
MESSAGE LIST EMPTY !
MESSAGE LIST ERROR !
READY LIST EMPTY I
MESSAGE LIST OVERFLOH
SWAP NOT ALLOWED !





M~L EM ::= 1
m'l^ER ::* 2






i ******** SYSTEM PARAMETERS ******** «
NR SDR : = 64 'LONG 'WORDS!
NR~CPU : : = 2
NR~VP J = NR CPU*4
NR~AVAIL_VP ! ; = NR CPU*2
MAX_DBR_NR i : = 10 !PER CPU!
STACK_SEG ; = 1
PRDS_SEG ! =
STACK SEG SIZE , , = 56100



















INVALID : — /6EEEE
MONITOR := XA900



































MSG IlST MSG INDEX
]
EXT_ID WORD








RUNNING_LIST ARRAY[ NR_CPU WORD]
READY_LIST ARRAX[ NR~CPU WORD]
FREE_LIST MSG_INDEX
VIET INT VEC ARR AY[ 1 , ADDRESS]
fill!r_2~ WORD
VP ARRAX [NR_VP, VPJTABLE]
MSG Q ARRAY [ NR VP,"~MSG TABLE]
]




MMU STRUCTURE ARRAX[ MAX DBR NR MMO]
]



























































































! GET STACK BASE !
LD R4, R14 (#STACK_SEG*4)










! * * SAVE SP * * !
LD 3R5, R15
! * * SAVE FCW * * !
LDCTL R3, FCW
LD R4 (#F_C_W) , R3
61D1
0006*
BOOTSTRAP_ENTRY: ! GLOBAL LABEL •
• GET READY_VP LIST !














DO ! UNTIL ELGIBLE READY_VP FOUND !
CP VPT. VP.IDLE_FLAG (R1) ,~#ON
IF EQ ! VP IS IDLE ! THEN
CP VPT.VP.PREEMPT(RI) , #ON
IF EQ ! PREEMPT INTERRUPT IS ON ! THEN
EXIT FROM SELECT VP
- 338 -
FI
002C 5E08 ELSE ! VP NOT IDLE !
002E 0034*
0030 5E08 EXIT FROM SELECT VP
0032 003C
PI
! GET NEXT READY VP i
0034 6113 LD R3, VPT.VP.NEXT READY VP(R1)
0036 001C
0038 A131 LD R1 , R3
003A E8EC OD
! NOTE: THE READY_LIST WILL NEVER BE EMPTY SINCE
the idle vp, which is the lowest pbi vp,
will never be removed from the list.
it will ron only if all other ready vp»s are
idling or if there are no other vp«s on
the ready_list. once scheduled, it
will ron Until receiving a hdwe interrupt, i
! note: r14 is used as dbr here. when mmo
is available this series of save and load
instroctions will be replaced by special i/o
instructions to the mmo. !
! place new_vp in ronning state !
































* INSERTS POINTER TO MESSAGE *
* FROM CORRENT_VP TO SIGNALED_VP*
* IN FIFO MSG_LIST *
*********************************
* REGISTER USE: *
* PARAMETERS: *
* R8(R9):MSG (INPUT) *
* R1: SIGNALED_VP (INPUT) *
* R13: LOGICAL CPU NUMBER *
* LOCAL VARIABLES: *
* R2: CURRENT_VP *
* R3: FIRST_FREE_MSG *
* R4: NEXT_FREE_MSG *
* R5: NEXT_Q MSG *




005C 61D2 LD R2, VPT.RUNNING_LIST(R13)
005E 0002*
j GET FIRST MSG FROM FREE_LIST i
0060 6103 LD R3, VPT.FREE_LIST
0062 000A'
t * * * * DEBUG * * * * •
0064 0303 CP R3, #NIL
0066 FFFF
0068 5E0E IF EQ THEN
006A 0078*
006C 7601 LDA R1, $
006E 006C 1
0070 2100 LD RO, #M_L_0! MESSAGE LIST
0072 0004


















! * * * END DEBUG * * * !
R4, VPT.MSG_Q.NEXT_MSG(R3)
VPT.FREE_LIST, R4




7PT . MSG_Q . SENDER (R3) , R2
- 340 -
! INSERT MSG IN MSG_LIST !
0090 6115 LD R5, VPT. VP. MSG LIST(21)
0092 001E"
0094 0B05 CP R5, #NIL
0096 FFFF
0098 5E0E IF EQ ! MSG LIST IS EMPTY ! THEN
009A 00A4«
! INSERT MSG AT TOP OF LIST !
009C 6F13 LD VPT.VP.MSG LIST(R1), S3
009E 001E"
00A0 5E08 ELSE ! INSERT MSG IN LIST i
00A2 0OBC«
MSG_Q_SEARCH:
DO ! WHILE NOT END OF LIST !
00A4 0B05 CP R5, #NIL
00A6 FFFF
00A8 5E0E IF EQ ! END OF LIST ! THEN
OOAA 00B0 1
OOAC 5E08 EXIT FROM MSG_Q_SEARCH
OOAE 00B8'
FI
! GET NEXT LINK !
OOBO A156 LD R6, R5
00B2 6165 LD R5, VPT. MSG_Q . NEXTJiSG (R6>
00B4 0122*
00B6 E8F6 OD
! INSERT MSG IN LIST I
00B8 6F63 LD VPT. MSG_Q.NEXT._MSG (R6) , R3
OOBA 0122*
FI
OOBC 6F35 LD VPT. MSG_Q. NEXT_MSG (R3) , R5
OOBE 0122«
OOCO 9E08 RET
0OC2 END ENTER MSG LIST
- 341 -
00C2 GET_FIRST_MSG PROCEDURE
i ******************** mm **** *********
* REMOVES MSG FROM MSG_LIST *
* AND PLACES ON FREE LIST. *





* R8(R9): MSG POINTER (INPUT) *
* R13: LOGICAL CPU NUM3ER (INPUT)*
* H1: SENDER VP (RETURNED) *
* LOCAL VARIABLES *
* R2: CURRENT_VP *
* R3: FIRST MSG *
* R4: NEXT_MSG *
* R5: NEXT FREE MSG *
* R6: PRESENT_FREE_MSG *
************************** ****** ***i
ENTRY
00C2 61D2 LD R2, VPT. RUNNING_LIST (R 13)
00C4 0002*
! REMOVE FIRST MSG FROM MSG_LIST !
00C6 6123 LD R3, VPT. VP. MSG LIST(R2)
00C8 001E«
j * m * * DEBUG • * * * !
OOCA 0B03 CP R3, #NIL
OOCC FFFF
OOCE 5E0E IF EQ THEN
00D0 OODE*
00D2 2100 LD RO , #M_L_EM ! MSG LIST EMPTY !
00D4 0001
00D6 7601 LDA R1, $
00D8 00D6»
OODA 5F00 CALL MONITOR
OODC A900
FI
» * * * END DEBUG * * * !
OODE 6134 LD R4, VPT. MSG_Q . NEXT_MSG (R3)
00E0 0122*
00E2 6F24 LD VPT. VP. MSG LIST(22), R4
00E4 001E f
! INSERT MESSAGE IN FREE_LIST i
00E6 6105 LD R5, VPT. FREE_LIST
00E8 000A'
OOEA 0BO5 CP R5, #NIL
OOEC FFFF
OOEE 5E0E IF EQ ! FREE LIST IS EMPTY ! THEN
OOFO 0100*
! INSERT AT TOP OF LIST !
00F2 6F03 LD VPT. FREE LIST, S3
0OF4 OOOA*
- 342 -
00F6 4D35 LD VPT.MSG Q.NEXT MSG (R31 - #NIL
OOFS 0122"
OOFA FFFF




0100 0B05 CP R5, #NIL
0102 FFFF
0104 5E0E IF EQ ! END OF LIST ! THEN
0106 010C«
0108 5E08 EXIT FROM FREE Q SEARCH
010A 0114«
FI
! GET NEXT MSG !
010C A156 LD R6, R5
010E 6165 LD R5, VPT.MSG Q.NEXT MSG (R6)
0110 0122*
112 E8F6 OD
! INSERT IN LIST !
0114 6F63 LD VPT.MSG Q. NEXT_MSG (R6) , R3
0116 0122*
0118 6F35 LD VPT.MSG Q. NEXTJ1SG (R3) , R5
01 1A 0122*
FI
! GET MESSAGE INFORMATION:
(RETURNS R1: SENDING_VP) !
011C 6131 LD R1, VPT. MSG_Q. SENDER (R3)
011E 0120*
0120 763A LDA R10 , VPT. MSG_Q. MSG (R3)
0122 0110«
0124 2107 LD R7,#SIZEOF MESSAGE
0126 0010





! * * INNER TRAFFIC CONTROL ENTRY POINTS * * !
! NOTE: ALL INTERRUPTS MUST BE MASKED WHENEVER
THE VPT IS LOCKED. THIS IS TO PREVENT AN
EMBRACE FROM OCCURRING SHOULD AN INTERRUPT







* CREATES ENTRY IN VIRTUAL INT-*
* ERRUPT VECTOR WITH ADDRESS *




* R1: VIRTUAL INTERRUPT # *
* R2: INTERRUPT HANDLER ADDR *
******************************** I
ENTRY
! COMPUTE OFFSET IN VIRTUAL
INTERRUPT VECTOR !
MULT RRO, #SIZEOF ADDRESS
! SAVE ADDRESS OF VIRTUAL INTERRUPT
HANDLER IN INTERRUPT VECTOR !
LD VPT.VIRT_INT_VEC(R1) , R2
RET









* CALCULATES DBR ADDRESS FROM *
* DBR NUMBER *
********************************
* REGISTER USE: *
* PARAMETERS: *
* RO: DBR # *
* RETURNS: *




! GET BASE ADDRESS OF MMU IMAGE !
R1, MMU_IMAGE
HANDLE (OFFSET) TO MMU BASE













* ALLOCATES NEXT AVAILABLE MMU *
* IMAGE AND CREATES PRDS ENTRY *
********************************
* REGISTER USE: *
* RETURNS: *
* RO: DBR # *
* LOCAL VARIABLES: *
* R1: SEGMENT # *
* R2: PRDS ADDRESS *
* R3: PRDS ATTRIBUTES *
* R4: PRDS LIMITS *
************ *************** ******
ENTRY
! GET NEXT AVAILABLE DBR # !
0012 8D08 CLR RO
0014 8D18 CLR R1
! NOTE: THE FOLLOWING IS A SAFE SEQUENCE
AS NEXT_AVAIL_MMU AND MMU ARE CPU LOCAL!
GET_DBR:
DO
0016 4C11 CPB NEXT_AVAIL HMO (B1) , tAVAILABLE
0018 0A00*
001A 0000
IF EQ !MMU ENTRY IS AVAILABLE!
001C 5E0E THEN
001E 002E«
0020 4C15 LDB NEXT_AVAIL_MMU (R1) , #ALLOCATED
0022 0A00 1
0024 FFFF
0026 5E08 EXIT FROM GET_DBR
0028 004A*







0038 5E0E IF EQ THEN
003A 0048*
003C 2100 LD RO, #M_U iMMU UNAVAILABLE!
003E 0007
0040 7601 LDA R1 , $
0042 0040»
0044 5F00 CALL MONITOR
0046 A900
FI
i * * * END DEBUG * * * !
J
INC R1, #1
ADD RO, #SIZEOF MMU













R1, #PRDS_SEG i SEGMENT NO. •
R2, PRDS I PRDS ADDR !
R3, #1 ! READ AIIR !
R4, #((SIZEOF PRDS)-1)/256
! PRDS LIMITS !
! CREATE PRDS ENTRY IN MMU IMAGE !



















































































S SEGMENT DESCRIPTOR *














, #MMU IMAGE ! MMU BASE ADDRESS !
ADD R10, RO
LD R13 r #SIZEOF SEG_DESC_REG
MULT RR12, R1 J COMPUTE SEG_DESC
ADD R10, R13 !ADD OFFSET TO BASE












ANDB RL4, #% (2) 111 101 1 1 ! EXECUTE MASK
ELSE









* INTRA_KERNEL SYNC/COM PRIMATIVE *
* INVOKED BY KERNEL PROCESSES *
******** ****** ********* ********* * **
* PARAMETERS *
* R8(R9): MSG POINTER (INPUT) *
* R1: SENDING_VP (RETURN) *
* GLOBAL VARIABLES *
* R14: DBR (PARAM TO GETWORK) *
* LOCAL VARIABLES *
* R2: CURRENT_VP (RUNNING) *
* R3: NEXT READY VP *
* R4: LOCK~ADDRESS *
* R13: LOGICAL CPU NUMBER *
*********************************** t
ENTRY
! MASK INTERRUPTS !
0094 7C01 DI VI
! LOCK VPT !
LDA R4, VPT. LOCK
CALL SPIN_LOCK ! (R4 :-.VPT. LOCK) !
NOTE: RETURNS WHEN VPT IS LOCKED BY THIS VP !
GET CPU NUMBER !
CALL GET_CPU_NO ! RETURNS:
R1;CPU #
R2:# VP»S!
00A2 A11D LD R13, R1
LD R2, VPT.RUNNING_LISr (R13)
LD R3, VPT. VP.NEXT_READY_VP(R2)
CP VPT.VP.MSG_LIST(R2) , #NIL
IF EQ ! CURRENT VP« S MSG LIST IS EMPTY ! THEN
! REMOVE CUSRENT_VP FROM READY_LIST I
i * * * * DEBUG * * * * !
CP R3, #NIL
IF EQ THEN
































i * * * END DEBUG * * * !
OOCA 6FD3 LD VPT. HEAD Y_LIST (R 13) , E3
OOCC 0006»
OOCE 4D25 LD VPT . VP . NEXT_BEADY_VP (E2) , #NIL
OODO 001C«
00D2 FFFF
! POT IT IN WAITING STATE !
OOD4 4D25 LD VPT. VP. STATE (H2) , #WAITING
0D6 0014*
00D8 0002
! SET DBB !
OODA 612E LD R14, VPT. VP. DBB(B2)
OODC 0010 1
! SCHEDULE FIBST ELGIBLE HEADY VP !
OODE 93F8 PUSH 3R15,H8
! SAVE LOGICAL CPU # !
OOEO 93FD PUSH 3R15, B13
00E2 5F00 CALL GETWOBK !R13:CPU #
00E4 0000*
B14:DBB!
! RESTORE CPU # !
00E6 97FD POP R13, 3R15
00E8 97F8 POP R8,d)R15
FI
! GET FIRST MSG ON CURRENT VP«S MSG LIST !
OOEA 5F00 CALL GET_FIRST_MSG I COPIES MSG IN MSG ARRAY!
OOEC 00C2»
! R13: LOGICAL CPU t !
•RETURNS B1:SENDER_VP !
! UNLOCK VPT !
OOEE 4D08 CLR VPT. LOCK
OOFO 0000'
I UNMASK VECTORED INTEBBUPTS !
00F2 7C05 EI VI

















































KERNEL SYNC /COM PRIVATIVE *




9) : MSG POINTER (INPUT) *
SIGNALED VP ID (INPUT) *
VARIABLES *
CPU # (PARAM TO GETWORK) *












SPIN_LOCK ! (R4: -.VPT. LOCK) !
!NOTE: RETURNS WHEN VPT IS LOCKED BY THIS VP,
! GET LOGICAL CPU * !









! PLACE MSG IN SIGNALED_VP» S MS3_LIST !
010A 5F00 CALL ENTER_MSG LIST !(R8:MSG POINTER
010C 005C 1 R1:SIGNALED_VP











CP VPT. VP. STATE (R1) , #WAITING






! WAKE IT UP AND MAKE IT READY !
LD R2, R1
LDA R3, VPT.READY_LISI (R13)

































LDA R6, VPT.VP. STATE
LD R7, #READY
! SAVE LOGICAL CPU # !
POSH SR15, R13






! RESTORE LOGICAL CPU * !
POP R13, 3R15
! PUT CURRENT_VP IN READY_STATE I
LD R2, VPT.RUNNING_LIST (R13)
LD VPT.VP. STATE (R2) , #READY
! SET DBR !








! SCHEDULE FIRST ELGIBLE READY VP !
CALL GETHORK !R13:LOGICAL CPU #
R14;DBR !
FI
! UNLOCK VPT !
CLR VPT. LOCK







* SETS PREEMPT INTERRUPT ON*
* TARGET_VP. CALLED BY TC_ *
* ADVANCE. ' *
****************************
* REGISTER USE: *
* PARAMETERS: *
* R1:TARGET_VP ID (INPUT) *
* LOCAL VARIABLES *
* R1: VP_INDEX *
****************************!
ENTRY
! NOTE: DESIGNED AS SAFE SEQUENCE SO VPT NEED
NOT BE LOCKED. !
VP_ID TO VP_INDEX •
R2, EXT_VP_LIST(R1)
TGT_VP PREEMPT FLAG !
VPTTVP. PREEMPT (R2) , #ON
» ** IF TARGET VP NOT LOCAL
( NOT BOUND TO THIS CPU )
[IE, IF «CPU_SEG>>CPU_IDOVPT. VP. PH YS.CPU (R 1 ) ]
THEN SEND HARDWARE PREEMPT INTERRUPT TO



























































































! TURN ON CURRENT VP'S IDLE FLAG I
LD VPT.VP.IDLE_FLAG(R2) , #ON
! SET VP TO READY STATE !
LD VPT. VP. STATE (R2) , #READY
018C 5F00
018E 0000 1
! SCHEDULE FIRST ELIGIBLE READY VP I





! UNLOCK VPT I
CLR VPT. LOCK









* LOADS NEW DBR ON *
* CURRENT VP. CALLED BY *
* TC_GETWORK. *
************** ***********
* REGISTER USE *
* PARAMETERS *
* R1: NEW_DBR (INPUT) *
* GLOBAL VARIABLES *
* R13: LOGICAL CPU # *
* R14: DBR *
* LOCAL VARIABLES *
* R2: CURRENT_VP *
* R4: VPT.LOCK ADDR *
*************************!
ENTRY
! SAVE NEW DBR !
0198 93F1 PUSH o)R15, R1
! MASK INTERRUPTS I
019A 7C01 DI VI
! LOCK VPT !
019C 7604 LDA R4, VPT.LOCK
019E 0000'
01 AO 5F00 CALL SPIN LOCK I (R4: -.VPT. LOCK) !
01A2 0282*
! NOTE: RETURNS WHEN VPT IS LOCKED BY THIS VP.!
! GET CPU # !




01A8 A11D LD R13, R1
! GET CURRENT VP !
01AA 61D2 LD R2, VPT. RUNNING_LIST (R 13)
01AC 0002*
i * * * DEBUG * * * I
01AE 4D21 CP VPT.VP.MSG_LISI (R2) , #NIL
01B0 001E*
01B2 FFFF
01B4 5E06 IF NE i MSG WAITING ! THEN
01B6 01C4'
01B8 2100 LD RO, #S_N_A I SWAP NOT ALLOWED !
01BA 0005
01BC 7601 LDA R1, $ IPCI
01BE 01BC
01C0 5F00 CALL MONITOR
01C2 A900
FI
! * * END DEBUG * * !
» SET DBR i
01C4 612E LD R14, VPT. VP. DBR(R2)
01C6 0010*
! RESTORE NEW DBR I
- 355 -
01C8 97F0 POP RO, o)R15
01CA 5F00 CALL GET_DBR_ADDR ! (RO: DBR #)
01 CC 000A'
RETURNS
(R1: DBR ADDR) !
! LOAD NEW DBR ON CURRENT VP I
01CE 6F21 LD VPT . VP. DBR (R2) , R1
01D0 0010'
! TURN OFF IDLE FLAG \
01D2 4D25 LD VPT . VP.IDLE_FLAG (R2) , #OFF
01DU 0016'
1D6 0000
• SET VP TO READY STATE !
1D8 4D25 LD VPT. VP. STATE (R2) , #READY
01DA 0014*
01 DC 0001
! SCHEDULE FIRST ELGIBLE READY VP !
01DE 5F00 CALL GETWORK !R13:LOGICAL CPU *
01E0 0000*
R1U:DBR i
! UNLOCK VPT !
1E2 4D08 CLR VPT. LOCK
01E4 0000'
! UNMASK VECTORED INTERRUPTS !
01E6 7C05 EI VI
01E8 9E08 RET




* HARDWARE PREEMPT INTERRUPT *
* HANDLER. ALSO TESTS FOR *
* VIRTUAL PREEMPT INTERRUPT *
* FLAG AND INVOKES INTERRUPT *
* HANDLER IF FLAG IS SET. *
* INVOKED UPON EVERY EXIT FROM *
* KERNEL. KERNEL FCW MASKS *
* NVI INTERRUPTS TO PREVENT *
* SIMULTANEOUS PREEMPT INTERR. *
* HANDLING. *
********* ************ ***********
* REGISTER USE *
* LOCAL VARIABLES *
* R1: PREEMPT_INT_FLAG *
* R2: CURRENT_VP *
* GLOBAL VARIABLES *





! * * PREEMPT_HANDLER * * !
! SAVE ALL REGISTERS !
01EA 030F SUB R15, #32
01EC 0020
01EE 1CF9 LDM 0>R15, R1, #16
01F0 010F
! SAVE NORMAL STACK POINTER (NSP) !
01F2 7D67 LDCTL R6, NSP
01F4 93F6 PUSH 3R15, R6
» GET CPU # !




01FA A11D LD R13, R1
! MASK INTERRUPTS !
01FC 7C01 DI VI
! LOCK VPT !
01FE 7604 LDA R4, VPT. LOCK
0200 0000*
0202 5F00 CALL SPIN_LOCK
020U 0282*
IRETURNS WHEN VPT IS LOCKED!
! SET DBR !
0206 61D2 LD R2, VPT. RUNNING.LIST (R1 3)
0208 0002«
020A 612E LD R14, VPT. VP.DBR (R2)
020C 0010*
- 357 -
! PUT CURRENT PROCESS IN READY STATE !
020E 4D25 LD 7PT. VP. STATE (R2) , #READY
0210 0014*
0212 0001




! UNLOCK VPT !
0218 4D08 CLR VPT. LOCK
021A 0000'
! UNMASK VECTORED INTERRUPTS !
021C 7C05 EI VI
KERNEL_EXIT:
i *** (JNMASK VIRTUAL PREEMPTS *** i
! ** NOTE: SAFE SEQUENCE AND DOES NOT REQUIRE
VPT TO BE LOCKED. ** !
! GET CURRENT_VP !
021E 610D LD R13, PRDS.LOG CPU_ID
0220 OAOC 1
0222 61D2 LD R2, VPT. RUNNING LIST(R13)
0224 0002»
! TEST PREEMPT INTERRUPT FLAG !
0226 4D21 CP VPT. VP. PREEMPT (R2) , #ON
0228 0018«
022A FFFF
022C 5E0E IF EQ ! PREEMPT FLAG IS ON ! THEN
022E 0240«
! RESET PREEMPT FLAG !
0230 4D25 LD VPT. VP. PREEMPT (R2) , #OFF
0232 0018*
0234 0000
I SIMULATE VIRTUAL PREEMPT INTERRUPT I
0236 2101 LD R1, #0
0238 0000
023A 6112 LD R2, VPT. VIRT_INT_VEC (R1)
023C 000C
023E 1E28 JP SR2
!NOTE: THIS JUMP TO TRAFFIC_CONTRQL
IS USED ONLY IN THE CASE OF A PREEMPT INTERRUPT,
AND SIMULATES A HARDWARE INTERRUPT. ** !
i *** END VIRTUAL PREEMPT HANDLER *** !
FI
! NOTE: SINCE A HDHE INTERRUPT DOES NOT EXIT
THROUGH THE GATE, THOSE FUNCTIONS PROVIDED
BY A GATE EXIT TO HANDLE PREEMPTS MUST BE
PROVIDED HERE ALSO. !
- 358 -
! RESTORE NSP !
0240 97F6 POP R6 , 3R15
0242 7D6F LDCTL NSP, R6
! RESTORE ALL REGSTERS I
0244 1CF1 LDM R1, 3>R15, #16
0246 010F
0248 010F ADD R15, #32
024A 0020
! EXECUTE HARDWARE INTERRUPT RETURN !
024C 7B00 IRET













































* CALLED BY TRAFFIC CONTROL. *
* RETURNS VP ID. RESULT IS VALID*
* ONLY MHILE~APT IS LOCKED. *
*********************************
* REGISTER USE *
* PARAMETERS *
* R1: EXT_VP_ID (RETURNED) *
* R3: LOG CPU # (RETURNED) *
* LOCAL VARIABLES *




! MASK INTERRUPTS !
DI VI
! LOCK VPT !
LDA R4, VPT. LOCK
CALL SPIN LOCK (R4:-VPI.L0CK) !
! NOTE: RETURNS iHEN VPT IS LOCKED BY THIS VP !
! GET LOGICAL CPU * !







! CONVERT VP_INDEX TO VP_ID !
LD RiT VPT. VP.EXT_ID(R2)
• * * * DEBUG * * * !
CP R1, #NIL
IF EQ ! KERNEL PROC ! THEN




! * * END DEBUG * * !
i UNLOCK VPT !
027A 4D08 CLR VPT. LOCK
027C 0000*
! UNMASK VECTORED INTERRUPTS !
027E 7C05 EI VI
0280 9E08 RET





























































TE: SINCE ONLY ONE PROCESSOR CURRENTLY
IN SYSTEM, LOCK NOT NECESSARY. ** !
* * * DEBUG * * * •
R4, #OFF
IF NE ! NOT UNLOCKED ! THEN




! * * END DEBUG » * I
TEST_LOCK:
! DO WHILE STRUCTURE LOCKED !
TSET 3R4
JR MI, TEST LOCK
! ** NOTE SEE PLZ/ASM MANUAL
FOR RESTRICTIONS ON























:SEG BASE ADDRESS (RET) *
:SEG NR (INPUT) *
: RUNNING VP (LOCAL) *
:DBR_VALUE (LOCAL) *
:VPT.LOCK *

























! SAVE SEGMENT * !
PUSH SR15, R1
! MASK INTERRUPTS !
DI VI
! LOCK VPT !
LDA R4, VPT. LOCK
CALL SPIN LOCK !R4:-«VPT.L0CK!









! UNLOCK VPT !
CLR VPT. LOCK









* FIND CURRENT CPU_NO *
* CALLED BY DIST MMGR *
* AND MM *
*************************
* RETURNS *
* R1: CPU_NO *











02D2 END GET CPU NO
02D2 K_LOCK PROCEDURE
i *************************
* STUB FOR WAIT LOCK *
*************************







02D8 END K LOCK
02D8 K_UNLOCK PROCEDURE
; *************************
* STUB FOR WAIT UNLOCK *
*************************
* R4:-LOCK (INPUT) *
*************************!
ENTRY
02D8 0D48 CLR £R4
02DA 9E08 RET
02DC END K_UNLOCK










NULL SEG ; = -1
NULL^ACCESS : = 4
MAX_SEG_NO ; = 64
max!no_kst_entries : = 54
MAX SEG SIZE ; = 128
KST_SEG_NO ! = 2
NR_OF_KSEGS : = 10
TRUE : = 1
FALSE : =
READ ; = 1
WRITE ; =
I «*** SUCCESS CODES ****
SUCCEEDED j; = 2
MENTOR_SEG_NOT_KNOWN . ; = 22
ACCESS_CLASS_NOT_EQ > = 33
not_compatible : : = 24
SEGMENT TOO LARGE J : = 25
NO_SEG_AVAIL ; = 27
SEGMENT_NOT_KNOWN : = 28
segment!in_core i : = 29
KERNEL SEGMENT j; = 30
INVALID_SEGMENT_NO i ; = 31
NO ACCESS PERMITTED : = 32
LEAF_SEG_EXISTS s ; = 10
NO LEAF EXISTS J ; = 11
ALIAS_DOES_NOT_EXIST j : = 23
NO_CHILD_TO DELETE ; : = 20
G AST FULL j = 12
L_AST_FULL i ; = 13
PROC_CLASS_NOT_GE_SEG_.CLASS :
LOCAL_MEMORY_FULL~ "i : = 16
GLOBAL MEMORY FULL i = 17


















SEG_ARRAY ARRAY [ MAX_SEG_SIZE BYTE]
INTERNAL
SSECTION SM_KST_DCL
! NOTE: THIS SECTION IS AN "OVERLAY"
OR "FRAME" USED TO DEFINE THE
FORMAT OF THE KST. NO STORAGE
IS ASSIGNED BUT RATHER THE KST IS
STORED IN A SEPARATELY OBTAINED
AREA (A SEGMENT SET ASIDE FOR IT) !
$A3S



























































CHECKS VALIDITY OF CREATE
REQUEST AND











R9: KST REC INDEX 1




















ITC GET SEG PTR !R1: KST SEG NOi
!RET:R0:-.KST!
R13,R0 !KST BASE ADDRESS
(IE iKST) !
R1,3R15,#5 IRESTORE NEEDED REGS!





10FFSET TO KST REC!
- 366 -
002E 0010
0030 819D ADD R13,R9 !ADD OFFSET TO KST
BASE ADDRESS!
0032 2106 LD R6 #
0034 FPFF
0036 4ADE CPB RL6,KST.M_SEG_NO (B13)
0038 000E
003A 5E0E IF EQ THEN ! MENTOR SEG NOT KNOWN!
003C 0046*




0046 93FD POSH 2>R15,R13
0048 5F00 CALL PROCESS_CLASS ! RR2: PROC_CLAS
004A 0000*
004C 97FD POP R13,aR15
004E 54D4 LDL RR4, KST. CLASS (R13)
0050 OOOA
0052 93FD PUSH 3R15,R13
0054 5F00 CALL CLASS_EQ !RR2: PROC_CLASS!
0056 0000*
!RR4: MENTOR SEG CLASS!
IB1: (RET) CONDITION_CODE!
0058 97FD POP R13,dRl5
005A A116 LD R6,R1
005C 1CF1 LDM R1,3R15,#5 !RESTORE INPUT RE
005E 0104
0060 0B06 CP R6,#FALSE
0062 0000
0064 5E0E IF EQ THEN
0066 0070 1





0072 9442 LDL RR2,RR4 !CLASS!
0074 54D4 LDL RR4, KST. CLASS (R13)
0076 OOOA




007C 97FD POP R13,a>R15 IRESTORE PTR!
007E 0B01 CP R1,#FALSE
0080 0000
0082 1CF1 LDM R1,a)Rl5,#5
0084 0104
0086 5E0E IF EQ THEN
0088 0092*





0092 76D1 LDA R1,KST.MM HANDLE(R13)
0094 0000
0096 5F00 CALL MM CREATE_ENTRY
0098 0000*






















































































































PUSH dR15,R1 ISAVE NEEDED REGSI
PUSH a)R15,R2
LD R1,#KST_SEG_N0
CALL ITC_GET_SEG_PTR ! R1: KST_SEG_NO
!
LD R13,R0 1-.KST!
POP R2,3R15 JRESTORE INPUT REGS!
POP R1,a)R15
SUB R1,#NR OF_KSEGS 1C0NVERT
HENTOR_SEG_NO TO
KST REC INDEX!












EQ THEN !MENTOR SEGMENT
NOT KNOWN!
RO, #HENTOR_SEG_NOT_KNOWN




! (RETURNS RR2 :PROC_CLASS) !
POP R13,o)R15




0OE4 93FD PUSH SR15,R13
00E6 5P00 CALL CLASS EQ !RR2:PROCESS CLASS!
00E8 OOOO*
!RB4: MENTOR SEG CLASS!
!R1:(RET) CONDIIION_CODE!
OOEA A116 LD R6,R1
OOEC 97FD POP R13,SR15
OOEE 97P2 POP R2,o)R15 !RESTORE NEEDED REGS!
OOFO 97F1 POP R1 f 5)R15
00F2 0B06 CP R6,#FALSE
0OF4 0000
00F6 5E0E IF EQ THEN
00F8 0102*




0102 76D1 LDA R 1 , KST. MM_HANDLE (R1 3)
0104 0000





10A 5F00 CALL CONFINEMENT CHECK
010C 0428*











































































































IED AT POINT OF USAGE
**********************
15, R1 !SAVE INPUT REGS!
15,RR2
,#KST_SEG_NO






LD R5,R1 ICOPY OF MENTOR_SEG_NO!
SUB R5,#NR OFJCSEGS 'CONVERT TO
INDEX!
MULT RR4,#SIZEOF KST_REC ! KST OFFSET
10 SEG REC!
ADD R13,R5 !ADD OFFSET TO -»KST
!
LD R4,#NULL_SEG

































































LD R8,#NULL_SEG "AVAIL SEG INDEX!
LD R9,R0 !-iKST!





CP3 RL2 r KST.ENTRY_NUMBER(R9)






R 1 , R7 ! S EG * !
RL2,KST.ACCESS_MODE (R9)
R10,R1 !SET SEG KNOWN
INDICATOR!








LD R8,R7 !SAVE FIRST
AVAIL SEG INDEX!
ADD R8,#NR_OF_KSEGS














01A6 OBOA CP R10,#NULL SEG
1A8 FFFF
01AA 5E0E IF EQ THEN ISEG KNOWN
INDICATOR NOT SET!
01AC 02C8*
01AE 0B08 CP R8,#NULL SEG
01B0 FFFF
01B2 5E06 IF NE THEN !CASE:SEG UNKNOWN
AND SEG# AVAIL!
01B4 02BC 1
01B6 91F0 PUSHL SR15,RR0 !
--KST AND
MENTOR_SEG NO!
01B8 91F2 PUSHL o)R15,RR2 !ENTRY_NQ~
6ACCESS DESIRED!
01BA 93F8 POSH dR15,R8 'AVAIL SEG
INDEX IN KST!
01BC 93FD PUSH 3R15,R13 iMENTOR SEG REC PTR!
01BE 5F0O CALL GET_DBR NUMBER
! (RET:RL1TdBR~NO) !
01C0 0000*
01C2 A11A LD R10,R1 !DBR_NO!
01C4 97FD POP R13,dR15
01C6 97F8 POP R8,a)Rl5
01C8 95F2 POPL RR2,3R15
01CA 95F0 POPL RR0,dR15
!MUST REARRANGE REGS FOR PASSING AND
RETURN CONSISTENCY OF LOCATION!
01CC A135 000D
047C 5E0E LD R5,R3 ! ACCESS_DESISED!
01CE A123 LD R3 , R2 !ENTRY_NO!
01DO 76D2 LDA R2,KST.MM HANDLE(R13) !HPTR!
01D2 0000
01D4 A116 LD R6,R1 !MENTOfi_SEG_NO
!
01D6 A181 LD R1,R8 !SEGMENT NO (SAVE)!
01D8 A184 LD R4,R8 !SEGMENT_NO
(PASSING ARG) !
01DA A109 LD R9 , RO !-*KST!
01DC 030F SUB R15,#20
01DE 0014
01E0 1CF9 LDM o>R15,R1,#10 !SAVE REGS 1-10!
01E2 0109
01E4 A1A1 LD R1,R10 ! DBR_NO PASSED
IN R1!
01E6 A18B LD R11, R8
01E8 030B SUB R11, #NR_OF_KSEGS
01EA 000A

























































LDM R1,o)R15,#9 IRESTORE REGS 1-9!





ADD R13,R9 IADD -»KST TO OFFSET!
LDL KST. CLASS (R13) ,RR10 1CLASS!












































































LD R1,a)fi15 !SEG #!
LD R2,#NULL_ACCESS
LD RO,
#PROC CLASS NOT GE SEG CLASS
ELSE
PUSH 0>R15,R13





















LDB KST.IN CORE(R13) , #FALSE
LDB KST.M_SEG_NO (R13) r RL6
LDB KST.ENTRY_NUMB£R (R13) ,RL3
- 375 -
02A0 6EDA LDB KST.ACCESS_MODE
(
02A2 0008






2 AC 2101 LD R1,#NULL_SEG
02AE FFFF
02B0 2102 LD R2,#NULL_ACCESS
02B2 0004
FI




02BC 2100 LD RO ,#NO_SEG_AVAIL
02BE 001B
2C0 2101 LD R1 ,#NULL_SEG
02C2 FFFF

























































































LD R3,R1 !COPY OF SEG #!
SUB R3,#NR_OF_KSEGS











































































































































































































LD R7,R1 !COPY OF SEG #1
SUB R7,#NR_OF KSEGS
ICONVERT SEG? TO KST INDEX!
MULT RR6,*SIZEOF KST_REC
JOFFSET TO KST_REC!
PUSH 3R15,R1 !SAVE SEGMENT*!
PUSH 3R15,R7
LD R1 , #KST_SEG_NO















R13,R7 !ADD OFFSET TO KST BASE ADDR!
R6 , #NULL_SEG






















3>R15,R13 !SAVE KST HEC ADDR!









03A4 5F00 CALL CONFINEMENT.CHECK
! (R0:SUCCESS_CODE) !
03A6 0428*
03A8 97FD POP R13,2)R15
03AA 0A08 CPB RLO, tSUCCEEDED
03AC 0202
03AE 5E0E IF EQ THEN
03B0 03B8«

























































































LD R7,R1 ICOPY OF SEG *!
SUB R7,#NR_OF_KSEGS
•CONVERT SEG* TO KST INDEX!
MULT RR6,#SIZEOF KST REC
•OFFSET TO KST_REC!
PUSH £R15,R1 ISAVE SEGMENT*!
PUSH a>R15,R7
LD R1,#KST_SEG_NO




POP R1,0>R15 IRETRIEVE SEGMENT*!







































POSH o)R15,R13 !SAVE KSI EEC ADDR
!
CALL GET_DBR_NOMBER !R 1 : (REI) DBR_NOJ
POP R13,3R15
LDA R2,KST.MM_HANDLE(R13)














0428 END Sa SWAP OOT
- 382 -
0428 CONFINE ME NT_CHECK PROCEDURE
*********************************
SERVICE ROUTINE TO VERIFY
CONFINEMENT IS NOT VIOLATED

















































































































































































TRUE : = 1
FALSE :=0
INTERNAL

















0000 9042 CPL RR2,RR4
0002 5E0E IF EQ THEN
0004 00OE»













RR2 = CLASS1 I
RR4 = CLASS2 !
RETURNED PARAMETER I






























PUSHL 3R15,RR2 !PUSH CLASS1 ON STACK-
-REFER BY ADDR!
LD R13,R15 ! CLASS1 ADDR !
PUSHL dR15,RR4
LD R14,R15 ! CLASS2 ADDR !
LD R7,R14 (#ACCESS CLASS. CAT)
! CAT2 IN R7 !
OR R7,ACCESS_CLASS.CAT(R13)
!CAT1 OR CAT2, R7!
CP R7,ACCESS_CLASS.CAT (R13)
!CAT1=(CAT1 OR CAT2) ?
!
IF EQ THEN
LD R6,ACCESS_CLASS. LEVEL (R13)
ILEVELU
I COMPARE LEVEL1 WITH LEVEL2 !
0030 4BE6 CP R6, ACCESS.CLASS. LEVEL (R14)
0032 0000
0034 5E01 IF GE THEN ILEVEL1 GE LEVEL2!
0036 0040*









0048 2101 LD R1 r #FALSE
004A 0000
FI
004C 95F4 POPL RR4 ,a)Rl5

























































































NO ACT _IN_MEM WORD
NO ACT "dep BYTE
SIZE1 BYTE
PGJTBL^ LOC ADDRESS






















t * * * * MESSAGES * * * * I











0012 12 4B MM_MSG_1










0025 10 4D CREATE MSG


















ARRAY [* BYTE] := •X10HM: DELETE_ENTRY
- 389 -
0047 0C 4D ACTIVATE_MSG







0054 OE 4D DEACTIVATE tiSG








0063 OB 4D SWAP_IN_MSG






006F OC 4D SWAP_O0T_MSG







007C OC 49 ERROR_MSG







0089 02 00 RET_VAL0ES













XOCHM: SWAP OOT 1
XOCINVALID CODE*
2,0, 0,0,0, 16,0, 17, 0,3,0,
1,0,48,0,0 ]
[ 8 WORD ]
- 390 -
SABS
! NO MEMORY ALLOCATED; USED








•NO MEMORY ALLOCATED; USED














































! INITIALIZE G_AST I
CLR G AST LOCK
LD R2, #1




LDL G_AST.UNIQUE_ID(R1) , RR4
INC R2, #1
CP R2, #G_AST_LIMIT
IF GT !END OF G_AST! THEN
EXIT FI
ADD 81, #SIZEOF G_AST_REC
OD
! RESERVE FIRST ENTRY IN
G AST FOR ROOT J
002A 2101 LD R1, #0
002C 0000
002E 1404 LDL RR4, #-1
0030 FFFF
0032 FFFF
0034 5D14 LDL G_AST.UNIQUE_ID (S1) , RR4
0036 0000*




3C 93F1 POSH o)R15, R1 !SAVE CPU #!





! USER/HOST # I
LD R13, #0
! INITIALIZE USERS !
DO











































IF GT !ALL HOSTS INITIALIZED!
THEN EXIT
FI
! CREATE FM PROCESS !
LD RO, 3R15 IRESTORE CPU #!
SOB R15, #SIZEOF ARG_LIST
•SETS ARGUMENT LIST IN STACK!
LD R1 f R15
LD ARG_LIST.CPU_ID(R1), RO
!LOAD INITIAL REGISTER PARAMETERS
FOR FM PROCESS (SIMULATED)
R13 DENOTES USER # !
LDM ARG_LIST.REG(R1) , R2 , #13
LD R2, #FM_ENTRX




LDL ARG_LIST.SAC(R1) , RR2
LD ARG_LIST.PRI (R1) , #2
LD ARG_LIST.USR_STK (R1) , #STK_SIZE
LD ARG_LIST.KER_STK(R1) , #SIK_SIZE
LD R14, R1
PUSH 3R15 r R13
CALL CREATE_PROCESS !R14: ARG PTR!
POP R13, SR15
! CREATE 10 PROCESS !
- 393 -

















!LOAD INITIAL REGISTER PARAMETERS
FOR 10 PROCESS (SIMULArED)
R13 DENOTES USER # !
LDM ARG_LIST.REG (R1) , R2 , #13
LD R2, #IO_ENTRY
LD ARG_LIST.IC(R1) , R2
LD R14, R1
PUSH o)R15, R13
CALL CREATE_PROCESS I R14: ARG PTR!
POP R13, SR15
ADD R15, tSIZEOF ARG_LIST
OD
! REMOVE CPU # FROM STACK !
POP RQ, o)R15
DO !** DO FOREVER **!
OOBA 7608 LDA R8 r MM_MSG_ARRAY
OOBC 009A'
OOBE 5F00 CALL WAIT
00C0 0000*
00C2 6F01 LD SENDER, R1 'SAVE SIGNALING PROC #!
00C4 OOAA'
00C6 2103 LD R3,#50
00C8 0032
OOCA 5F00 CALL MM_PRINT_BLANKS
OOCC 030C
OOCE 2102 LD R2,#MM_MSG_1
OODO 0012'
00D2 5F00 CALL SNDMSG
00D4 0000*
00D6 6101 LD R1, SENDER
00D8 OOAA 1
IF R1






0E6 5F00 CALL SNDMSG
00E8 0000*









OOFA 5F00 CALL SNDMSG
OOFC 0000*
FI
OOFE 5F0O CALL MM_DELAY
0100 02D8»
0102 5F00 CALL SNDCRLF
0104 0000*
106 2103 LD R3,#50
0108 0032
010A 5F00 CALL MM_PRINT_BLANKS
010C 030C









































































































CASE #CREATE ENTRY CODE THEN
CALL CREATE_ENTBY
CASE #DELETE ENTRY CODE THEN
CALL DELETE_ENTRY
CASE #ACTIVATE SEG CODE THEN
CALL ACTIVATE
CASE tDEACTIVATE SEG CODE THEN
CALL DEACTIVATE
CASE #SWAP IN SEG CODE THEN
CALL SWAP_IN


































































DONE 1 ) ** !
R8,MM_MSG_ARRAY
CALL SIGNAL
OD ! ** REPEAT FOREVER ** !
RET
END MM MAIN
019E CREATE ENTRY PROCEDURE
ENTRY
019E 7608 LDA R8,MM_MSG_ARRAY
01A0 009A 1
01A2 0C85 LDB o)R8,#SUCCEEDED
01A4 0202
1A6 2102 LD R2,#CREATE_MSG
01A8 0025 1
01AA 9E08 RET
01 AC END CREATE ENTRY
01 AC DELETE ENTRY PROCEDURE
ENTRY
1 AC 7608 LDA R8,MM_MSG_ARRAY
01AE 009A*
01 BO 0C85 LDB dR8,#SUCCEEDED
01B2 0202
1B4 2102 LD R2,#DELETE_MSG
01B6 0036*
1B8 9E08 RET
01BA END DELETE ENTRY
- 397 -
01BA ACTIVATE PROCEDURE
! R8: ARGUMENT PTR !
ENTRY
01BA 7608 LDA R8, MM_MSG_ARR AY
01BC 009A'
01BE 6182 LD R2 , ACTIVATE_ARG. HANDLE 2 (R8)
I0NIQUE ID!
1C0 0008
01C2 8D38 CLR R3
1C4 608B LDB RL3, ACTIVATE_ARG . ENTRY_NO (R8)
01C6 000A
1C8 030P SOB R15, #SIZEOF RET_VAL
01CA 0010
01CC A1F8 LD R8 r R15
01CE 2100 LD RO, #FALSE
1 DO CCCC
01D2 2101 LD R1 r #0 !G_AST INDEX!
01D4 0000




01DA 5012 CPL RR2 r G_AST. UNIQUE_ID (R 1)
01DC 0000*
01DE 5E0E IF EQ ISEGMENT IS ACTIVE! THEN
01E0 01EA 1
01E2 2100 LD RO, #TROE
01E4 BBBB
01E6 5E08 EXIT FROM SEARCH_G_AST
01E8 01FE 1
FI
01EA A940 INC E4, #1
01EC 0B04 CP RH, #G_AST_LIMIT
01EE 000A
01FO 5E02 IF GT !END OF G AST! THEN
01F2 01F8»
01F4 5E08 EXIT FROM SEARCH G AST
01F6 01FE«
FI
01F8 0101 ADD B1 f #SIZEOF G_AST_REC
01FA 0020
01FC E8EE OD
01FE 0B00 CP RO, #FALSE
0200 CCCC
IF EQ !SEGMENT NOT ACTIVE!
0202 5E0E THEN
0204 0266»
0206 2100 LD RO, #1
0208 0001


















































































CPL RR4, G_AST.UNIQUE_ID (R1)





IF GT !END OF G_AST! THEN
EXIT FROM FIND_FREE_ENTRY
FI
ADD R1, #SIZEOF G_AST_REC
OD
CP RO, #G_AST_LIMIT
IF LE 'FOUND FREE ENTRY!
THEN
LDL G_AST. UNIQ.UE_ID(R1) , RR2
! ZERO ALL EVENT DATA ENTRIES !
LDL RR4, #0
LDL G_AST. SEQUENCER (R1) , RR4
LDL G_AST.EVENT1 (R1) , RR4
LDL G_AST.EVENT2(R1) , RR4
LDB RET_VAL.CODE1 (R8) , #SUCCEEDED
ELSE
LDB RET_VAL.CODE1 (R8) , #G_AST_FULL
FI






























































RET_VAL.ttfl_HANDLE (R8) , RR2
RET_VAL.MM_HANDLE 2 (R8) , R1
RR4, #%30001
LDL RET_VAL. CLASS (R8) , RR4




LDIRB 3R8 f o)R9, R2
LD R2, #ACTIVATE_HSG






029E 7608 LDA R8 ,MM_MSG_ARRAY
02A0 009A*
02A2 0C85 LDB 3R8 , tSOCCEEDED
02A4 0202






02AC 2102 LD R2 , #%FF30
02AE FF30
02B0 3B26 OUT %FFD2, R2
02B2 FFD2
02B4 7608 LDA R8 , MM_HSG_ARRAY
02B6 009A«
02B8 5F00 CALL WAIT !R8:MSG ARRAY!
02BA 0000*
02BC 7608 LDA R8 , MM_MSG_ARRAY
02BE 009A 1
O2C0 0C85 LDB a)R8, #SOCCEEDED
02C2 0202
02C4 2102 LD R2 , #SWAP_IN_MSG
02C6 0063*
02C8 9E08 RET





2CA 7608 LDA R8,MM_MSG_ARRAY
02CC 009A'
02CE 0C85 LDB o)R8,#SUCCEEDED
02D0 0202
02D2 2102 LD R2,#SWAP_0UT_MSG
02D4 006F 1
02D6 9E08 RET
02D8 END SWAP OUT
PROCEDURE
02D8 MM_DELAY PROCEDURE
; ********** ********* ***** **** **«**]






02D8 2102 LD R2,
02DA 000A
02DC 2101 LD R1,
02DE 01F4
DO
02E0 0B02 CP R2
02E2 0000




2EC AB20 DEC R2
02EE 7B1D MREQ R1
02F0 E8F7 OD
02F2 9E08 RET





! PRINTS LINE LENGTH
! SPEC IN R3.
i *********************************
ENTRY
02F4 C82D LDB RLO, #DASH
DO
02F6 0B03 CP R3 r #0
02F8 0000




0302 5F00 CALL SNDCHR
0304 0000*






! PRINTS NUMBER OF
! BLANKS SPEC IN R3.
i *********************************
ENTRY
030C C820 LDB RLO, #SPACE
DO
030E 0B03 CP R3, #0
0310 0000




031A 5F00 CALL SNDCHR
031C 0000*
031E AB30 DEC R3
0320 E8F6 OD
0322 9E08 RET




1. Advanced Micro Computers, AM96/4116 AMZ8000 16-bit
Monoboard Computer, Osers^s Manual, 1980.
2. Coleman, A. R., Secur ity Kernel Design, for a
Microprocessor- Based . Multilevel. Archival Storage
System, MS Thesis, Naval Postgraduate School, December
79797"
3. Denning, D. E., "A Lattice Model of Secure Information
Flow," Communications of the ACM, 7. 19, p 236-242, May
1976.
4. Dijkstra, E. W. , "The Humble Programmer,"
Communications of the ACM, 7. 15, No. 10, p. 859-865,
October 1972."
5. Gary, A. 7. and Moore, E. E. , The Desig.ii and
Implementation of the Memory. Manager for a S ecure
£££k.iia.i Storage System. MS Thesis, Naval Postgraduate
School, June, 1980.
6. Madnicic, S. E. and Donovan, J. J., Operating. Systems.
McGraw Hill, 1974.
7. O^onnell, J. S. and Richardson, L. D. , Distributed
Secure Desgji for a Multi-micro processor Operating
System. MS Thesis, Naval Postgraduate School, June
1980."
8. Organic*, E. J., The Multics System: An Exa mination of
Its Structure, MIT Press, 19 72.
9. Parks, E. J., The Design of a Secure File Storage
System, MS Thesis, Naval Postgraduate School, December
1979*7"
10. Reed, P. D., Processo r Multipl exin g in a Lay ered
QP.§£ating System. MS Thesis, Massachusetts Institute of
Technology, MIT LCS/TR-167, 1979.
11. Reed, P. D. and Kanodia, R. K. , "Sycnhronization Hith
Eventcounts and Seguencers," Co mmunications of the ACM,
7. 22, No. 2, pp. 115-124, February~1979
.
- 404 -
12. Reitz, S. L,
. ,
An Ijnfilementatign of Multiprogramming
and Process Management £or a Security_~Kernii Operating
System, MS Thesis Naval Postgraduate School, June 1980.
13. Riggins, C, "when No Single Language Can Do the Job,
Make it a Language-Family Matter," Electronics Design,
February 15, 1979.
14. Saltzer, J. H., Traffic Control in a Multiplexed
Computer System, Ph.D. Thesis, Massachusetts Institute
of Technology, 1966.
15. Schell, Lt. Col. R. R., "Computer Security: the
Achilles Heel of the Electronic Air Forece?," Air
University, Review. V. 30, No. 2, pp. 16-33, January
1979.
16. Schell, Lt. Col. R. R., "Security Kernels: A
Methodical Design of System Security," USE Technical
Papers (Spring Conference, 1979) pp. 245-25q"7 March"
1979.
17. Schell, R. R. and Cox, L. A., Secure Archival Storage
Sy.st.2a, Part I zz. Design. Naval Postgraduate School,
NPS52-30-002, March 1980.
18. Schroeder, M.D., "A Hardware Architecture for
Implementing Protection Rings," Communications of the
ACM, 7. 15, No. 3, pp. 157-170, March~19727"
19. Strickler, A. R., Im p l em entation of Process Management
12L i Secure Archival Storage System, MS Thesis, Naval
Postgraduate School, March 1981.
20. Wells, J. T. , I mplementation of Segment Mana gement for
a Secure irchival Storage Sytem. MS Thesis, Naval
Postgraduate School, Septemeber 1980.
21. Zilog, Inc., Z8 000 PLZ/ASM Assembly Language
Programming Manual . 03-3055-01, Revision A, April 1979.
22. Zilog, Inc., Z8001 CPU Z8002 CPU, Preliminary. Product
Specif icaion. March 1979.
23. Zilog, Inc., Z8010 MMU Memory Management Unit,








2. Library, Code 0142 2
Naval Postgraduate School
Monterey, California 93940
3. Department Chairman, Code 52 2
Department of Computer Science
Naval Postgraduate School
Monterey, California 93940
4. National Security Agency 5
Attn.: Col. Roger R. Schell
C1
Fort George Meade, Maryland 20755
5. Lyle A. Cox, Jr., Code 52C1 4
Department of Computer Science
Naval Postgraduate School
Monterey, California 93940
6. Joel Trimble, Code 221 1
Office of Naval Research
800 North Quincy
Arlington, Virginia 22217




8. Digital Eguipment Corporation 1






University of Southwestern Louisiana
P.O. Box 44330
Lafayette, Louisiana 70504
10. LCDR 3ary Baker, Code 37
COMRESPATWINGPAC
Code 32
NAS Moffett Field, California 94035
1 1. LCDR John T. Wells
P.O. Box 366
Waynesboro, Mississippi 39367
12. James P. Anderson Co.
Box 4 2
Fort Washington, Pennsylvania 19034
13. I. Larry Avrunin, Code 18
DTNSRDC
Bethesda, Maryland 20084
14. Gerald B. Blanton
242 San Carlos Way
Novato, Calif. 94947
15. Intel Corporation
Attn: Mr. Robert Childs
Mail Code: SC4-490
3065 Bowers Avenue
Santa Clara, California 95051
16. Dr. J. McGraw
U.C. - L.L.L. (1-794)
P.O. BOX 808
Livermore, California 94550
17. M. George Michael














20. David P. Reed 1
MIT Lab for Computer Science
545 Tech Sq
Cambridge, Mass. 02139
21. Capt. Anthony R. Strickler 1
HQ Command,
US Army Signal Center & Ft. Gordon (W0U5AA)
Ft. Gordon, Georgia 30905
22. Lt. W. J. Wasson 1
Naval Electronics Systems Command
Headquarters, PME 124
Washington D. C. 20360
23. S. H. Wilson 1
Code 7590
Naval Research Lab
Washington D. C. 20375
24. Maj. Robert Yingling 1
Box 6227
APO New York, New York 09012
25. LCDR William R. Shockley 40
Code 5 2Sp
Department of Computer Science
Naval Postgraduate School
Monterey, California 93940
26. LCDR Ronald W. Modes 5
Code 52Mf
Department of Computer Science
Naval Postgraduate School
Monterey, California 93940
27. S. L. Perdue 5
Code 5 2





DUDLEY KNOX LIBRARY - ««^"22E?
5 685301071267 2
U199439
•
•
