A Hardware Architecture for Implementing Protection Rings

Michael D. Schroeder\* and Jerome H. Saltzer\*

August 2, 1971

#### ABSTRACT

Protection of computations and information is an important aspect of a computer utility. In a system that uses segmentation as a memory addressing scheme, protection can be achieved in part by associating concentric rings of decreasing access capability with a computation. This paper describes processor mechanisms for implementing these rings of protection in hardware. The mechanisms allow cross-ring calls and subsequent returns to occur without "traps". Automatic hardware validation of references across ring boundaries is also performed. Thus, a call by a user procedure to a protected subsystem (including the supervisor) is no more complex than a call to a companion user procedure. The complexity of passing and referencing arguments is the same in both cases as well.

> PREPRINT This paper will be presented at the 3rd ACM Symposium on Operating Systems Principles, to be held in Palo Alto, California, October 18-20, 1971.

<sup>\*</sup> Massachusetts Institute of Technology, Department of Electrical Engineering and Project MAC, Cambridge, Massachusetts. Work reported herein was supported in part by Project MAC, an M.I.T. research program sponsored by the Advanced Research Project Agency, Department of Defense, under Office of Naval Research Contract N00014-70-A-0362-0001.

# Introduction

The topic of this paper is the control of access to stored information in a computer utility. The paper describes a set of processor access control mechanisms that were devised as part of the second iteration of the hardware base for the Multics system. These mechanisms provide a hardware implementation of protection "rings" which limit the access capability of an executing program.

Multics is a general-purpose, multiple-user, interactive computer system developed at Project MAC of M.I.T. in a joint effort with the Cambridge Information Systems Laboratory of Honeywell Information Systems Inc. and, until 1969, the Bell Telephone Laboratories. It was built and is being run as an experiment in designing, implementing, operating, and evaluating a prototype computer utility. (See the bibliography in [1] for a complete list of publications on Multics.)

Multics is currently implemented on a Honeywell 645 computer system. The 645 represents a first attempt to define a suitable hardware base for a computer utility. While containing special logic to support a segmented virtual memory, the 645 processors [2] provide only a limited set of access control mechanisms, forcing software intervention to implement protection rings. In 1967 Graham [3] proposed a way of supporting protection rings in hardware that would have required less software intervention; mechanisms similar to those he proposed appear in the Hitachi 5020 [4]. In the course of Multics development a second

iteration of the design of the hardware base has been undertaken and the resulting new hardware system is being built using the technology of the Honeywell 6000 series computer systems. The new processor includes an improved set of access control mechanisms, described here, that implement rings almost completely in hardware. These mechanisms developed from a scheme described in [5]. Although specifically designed for Multics, the mechanisms are applicable to any computer system which uses segmentation as a memory addressing scheme.

This paper begins by establishing the general need to control access to stored information in a computer utility and by presenting several criteria for comparing different sets of access control mechanisms. Relevant aspects of the organization of segmented memories are then sketched, and the processor mechanisms for implementing protection rings are described. The paper concludes by considering how rings can be used and evaluating the impact of a hardware implementation of rings on software system design.

# <u>Access Control in a Computer Utility</u>

Protection of computations and information is an important aspect of a computer utility which arises because a computer utility serves multiple users with different goals and who are responsible to different authorities. Such a diverse group will use the same system only if it is possible for them to achieve independence from one another. On the other hand, a great potential benefit of a computer utility is its ability to allow

users to easily communicate, cooperate, and build upon one another's work. The role of protection in a computer utility is to control user interaction -- guaranteeing total user separation when desired, allowing unrestricted user cooperation when desired, and providing as many intermediate degrees of control as will be useful.

While there are many manifestations of protection in a computer utility, most may be related to controlling access to stored information. Because stored information represents both data and executable procedure, control of access to stored information serves to regulate information processing as well.

Four criteria can be applied to a set of access control mechanisms to judge its usefulness in a computer utility: functional capability, economy, simplicity, and programming generality. The first means that a set of access control mechanisms should have the functional capability to meet an interesting set of user protection needs in a natural way. The ability to meet interesting protection needs must be a quality of the basic mechanisms, while the ability to do so in a natural way An obvious goal in is a quality of their user interface. designing new protection mechanisms is to maximize functional capability.

The second criterion, economy, means that the cost of specifying and enforcing a particular kind of access constraint with a set of mechanisms should be so low that it is not an important consideration in determining the type of access control

4 👘

to be used in a particular application. In addition, cost should be proportional to the functional capability actually used. The existence of access control mechanisms with sophisticated capabilities should cost no extra to those with unsophisticated Cost includes the subsystem complexity needs. and user inconvenience that result from use of the access control mechanisms, as well as any associated extra storage space and execution time.

Simplicity is the third criterion. While it is true that simplicity often leads to economy, something more is at stake here. For a set of access control mechanisms to be accepted and used there must be a high degree of confidence that there exists no way to circumvent it. The best way to achieve confidence in the protection is to keep the mechanisms simple so that they may be completely understood. With respect to access control mechanisms, lack of simplicity often implies lack of security.

The fourth criterion, programming generality, is often neglected. It means that individual procedures may be easily combined into larger units without understanding or altering their internal organizations. Programming generality allows sharing to be effective in encouraging users to build upon one another's work. An implication of programming generality of relevance to access control mechanisms is that it be possible to change the protection environment of procedures and collections of procedures without altering their internal structure. The specific protection environment of a procedure should not be

reflected in its object code so that it may operate in different protection environments without recompilation.

It clearly is difficult to design access control mechanisms that satisfy all four of these criteria simultaneously. Increases in functional capability come at the expense of economy, simplicity, and programming generality. The challenge designing a set of access control mechanisms is to maximize in functional capability within the constraints of the other three criteria. In the following sections a set of hardware access control mechanisms that was devised in the course of Multics development is described. These mechanisms appear to provide a significant improvement in the simultaneous satisfaction of the four criteria as compared with the mechanisms in the initial Multics implementation.

# The Segmented Virtual Memory Environment

The processor access control mechanisms described here the ability of an executing program to reference regulate information in a segmented virtual memory. As а basis for understanding these access control mechanisms this section briefly reviews the structure of a segmented virtual memory. (See [6-8] for detailed descriptions of several segmented virtual memories.)

A machine language program for a segmented environment does not reference memory by absolute address. Rather, its memory consists of independent segments identified by number. Each segment is a variable length array of words. A two-part address

 $(\underline{s}, \underline{w})$  identifies word  $\underline{w}$  of the segment numbered  $\underline{s}$ .

The collection of segments in the virtual memory is defined by a descriptor segment. It contains an array of segment descriptor words (SDW's), each of which can describe a single segment in the virtual memory. The number of a segment is just the index of the corresponding SDW in the descriptor segment. Among other things, an SDW contains the absolute address of the beginning of the corresponding segment in memory. The absolute address of the beginning of the descriptor segment is contained in the descriptor base register (DBR) of a processor. Each processor contains logic for automatically translating two-part addresses into the corresponding absolute addresses. Address translation, done with an indexed retrieval of the appropriate SDW from the descriptor segment, occurs each time a word in the virtual memory is referenced, i.e. each time an instruction, indirect word, or instruction operand reference is made by an executing program.

Storage for segments is usually allocated with a paging scheme in scattered fixed-length blocks. If used, paging is taken into account by the address translation logic as well as segmentation, but is totally transparent to an executing machine language program. Paging, if appropriately implemented, need not affect access control; it will be ignored in the remainder of this paper.

Changing the absolute address in the DBR of a processor will cause the address translation logic to interpret two-part

addresses relative to a different descriptor segment. This facility can be used to provide each user of the system with a separate virtual memory. A single segment may be part of several virtual memories at the same time, allowing straightforward sharing of segments among users.

For clarity, the following sections describe control of access in terms of the Multics implementation, although, as mentioned before, the techniques described are equally applicable to any system using segmentation.

## Controlling Access in a Virtual Memory

A process with a new virtual memory is created for each user when he logs in to Multics, and the name of the user is associated with the process. The process is the active agent of the user, and is his only means of referencing and manipulating information stored on-line.

On-line storage in Multics is organized as a collection of segments of information. A process can reference a segment of on-line storage only if the segment is first added to the virtual memory of the process. Adding a segment to a virtual memory is an operation performed by supervisor programs. This operation provides the initial opportunity for controlling access to information stored on-line. The name of the user associated with a process must match some entry on the access control list of a segment before the supervisor will add that segment to the virtual memory of the process.

Once a segment is included in the virtual memory, however,

finer control on access is required. (If a process could, say, write in any segment to which it had access, little sharing of information among users would occur.) If this finer control is to be effective against arbitrary machine language programs constructed by users, it must be implemented as hardware access validation on each reference. The structure of the virtual memory makes it natural to record these finer constraints in the SDW associated with each segment. Since the processor must retrieve the SDW for a segment each time that segment is referenced by two-part address anyway, there is little time cost added to validate the intended access against constraints recorded there. With this structure it is also possible to change the allowed access to a segment by changing the finer constraints recorded in the SDW, and to expect the change to be immediately effective.

With the Honeywell 645, flags which enable a segment to be read, written, and executed appear in each SDW. The value for each flag comes from the access control list entry which matched the name of the user associated with the process. An attempt by a process to change the contents of a word of a segment, for example, would be allowed by the processor only if the write flag were <u>on</u> in the SDW for the segment. This mechanism provides individual control on the ability of each user's process to read, write, and execute the words in each segment stored on-line. It also makes a segment the smallest unit of information that can be separately protected.

With the access control mechanisms described so far, a11 executed as part of some process have the same programs capability to access information. However, there seems to be an intrinsic need in many computations for the access capability of a process to vary as the execution point passes through the various programs that direct the computation. The most obvious examples of this need are explicit invocations of supervisor programs during the course of a computation. The execution point may pass from a user program to a supervisor program to initiate an input/output operation or change the access control list of a file, and then pass back to the user program. Presumably the executing supervisor program can access information in some way that the user program cannot. In a system that allows and encourages sharing of information among users, other examples appear. For instance, user A may wish to allow user B to access a sensitive data segment, but only through a special program, provided by A, that audits references to the segment. During the course of a computation in a process of user B, access to the sensitive data segment should be allowed only when the execution point is in the special program provided by A.

The word "domain" is frequently associated with a set of access capabilities. The examples above point to an intrinsic need for multiple domains to be associated with a process and for the domain in which the process is executing to occasionally change as the execution point passes from one program to another. A descriptor segment with read, write, and execute flags in the

SDW's defines a single domain. Additional mechanisms are required to allow multiple domains to be associated with a single Multics process.

A very general set of access control mechanisms would place no restriction on the number of domains which could be associated with a process, and would force no restrictive relationships to exist among the sets of access capabilities included in the Unfortunately, devising such a set of access control domains. mechanisms that also meet the criteria of economy, simplicity, and programming generality is a difficult research problem. (See [9-14] for several approaches that have been explored.) l n Multics the strategy was adopted of limiting the number of domains which may be associated with a process, and of forcing relationships to exist among the sets of access certain capabilities included in the domains. The result is protection rings. The extent to which this strategy results in a useful set of access control mechanisms will be discussed later.

The characterization of rings as a restricted implementation of domains is the result of hindsight. When developed, rings were viewed as a natural generalization of the supervisor/user modes that provided protection in many computers. This path of development was chosen because it solved the most pressing problems of access control involved in the prototype computer utility and, because of the inherent simplicity of the idea, it was a path that the Multics designers felt confident they could successfully complete. Even today rings appear to provide an

effective trade-off among the criteria mentioned above.

# Protection Rings

Associated with each Multics process are eight domains called protection rings. The protection rings are named by the integers 0 through 7. The access capabilities included in ring m are constrained to be a subset of those in ring <u>n</u> whenever  $\underline{m} > \underline{n}$ . Put another way, the sets of access capabilities represented by the various rings of a process form a collection of nested subsets, with ring 0 the largest set and ring 7 the smallest set in the collection. Thus, a process has the greatest access ability when executing in ring 0, and the least access ability when executing in ring 7. The total ordering of the sets of access capabilities defined by the consecutively numbered rings of a process is the property that allows a straightforward implementation of rings in hardware.

As described earlier, the permission flags of each segment in the virtual memory of a process simply indicate that the segment can or can not be read, written, or executed by the process. With the addition of rings, the flags must be extended to indicate which rings include each access capability. Because of the nested subset property of rings, the capability, say, to write a particular segment, if allowed at all, is included in all rings numbered less than or equal to some value  $\underline{w}$ . The range öf rings over which this write permission applies is called the write bracket of the segment for the process. Read and execute brackets for each segment can be established in the same way. Α

process is permitted to read, write, or execute a segment in its virtual memory only if the ring of execution of the process is within the proper bracket.

A partial hardware implementation of rings places numbers indicating the top of each bracket of a segment in the SDW of the segment, along with the read, write, and execute flags. If a then the number specifies the extent of flag is on the corresponding bracket. Turning a flag <u>off</u> indicates that the corresponding access capability is not included in any ring of the process. For example, a data segment might have its execute flag turned off or a procedure segment might have its write flag turned <u>off</u>. A register is added to the processor to record the current ring of execution of the process. The processor can then validate each reference to a segment by making the obvious comparisons when the SDW for the segment is retrieved for address translation.

Figure 1 illustrates the flags and brackets that might be associated with a writeable data segment for some process. The segment can be written into when the process is executing in ring 0, read from when the process is executing in any of rings 0 through 4, and cannot be executed from any ring.

The association of multiple domains of protection with a process generates the need for a new kind of access capability -the capability to change the domain of execution of a process. Since changing the domain of execution has the potential to make additional access capabilities available to a process, it is an



Figure 1: Example access indicators for a writable data segment



Figure 2: Example access indicators for a pure procedure segment



Figure 3: Example access indicators for a procedure segment showing coincidence of bottom of execute bracket and top of potential write bracket.

operation that must be carefully controlled. An understanding of the sort of control required can be gained by reviewing the purpose of domains (and rings in particular). A domain provides the means to protect procedure and data segments from other procedures that are part of the same computation. Using domains it should be possible to make certain access capabilities available to a process only when particular programs are being executed. Restricting the start of execution in a particular domain to certain program locations, called gates, provides this ability, for it gives the program sections that begin at those locations complete control over the use made of the access capabilities included in the domain. Thus, changing the domain of execution must be restricted to occur only as the result of transfering control to one of these gate locations of another domain.

With a completely general implementation of domains, each domain could provide protection against the procedures executing in all other domains of a process. The corresponding property of rings is that the protection provided by a given ring of a process is effective against procedures executing in higher numbered rings. Switching the ring of execution to a lower number may make additional access capabilities available to a process, while switching the ring to a higher number can only reduce the available access capabilities. Thus, the downward ring switching capability must be coupled to a transfer of control to a gate into the lower numbered ring. Gates are

specified by associating a (possibly empty) list of gate locations with each segment in the virtual memory of a process. If the execution point of the process is transferred to a segment while the ring of execution is above the top of the execute bracket for the segment, then the transfer must be directed to one of the gate locations in the segment. If the transfer is to a gate, then the ring of execution of the process will switch down to the top of the execute bracket of the segment as the transfer occurs. If the transfer is not directed to one of the gate locations, then the transfer is not allowed.

To provide control of this downward ring switching capability which is consistent with the subset property of rings, a gate extension to the execute bracket of a segment is defined. The gate extension specifies the consecutively numbered rings above the execute bracket of the segment that include the "transfer to a gate and change ring" capability for the segment.

The gate list and the gate extension to the execute bracket can both be specified with additional fields in the SDW for each segment. Certain restrictions on the form of the gate list, to be described later, allow its specification in a fixed-length field.

In contrast to downward ring changes, switching the ring of execution to a higher numbered ring can only decrease the available access capabilities of a process. Thus, an upward ring switch is an unrestricted operation that can be performed by any executing procedure. (Care must be taken, however, to insure

that the instruction to be executed immediately following an upward ring switch will come from a segment that is executable in the new, higher numbered ring.) For programming convenience the upward ring switch may be coupled to a special transfer instruction.

A specific example will help clarify the meaning of the execute bracket, the gate extension, and the gate list of a segment. Figure 2 illustrates the way the access capabilities to a pure procedure segment (one which does not modify itself when executed) might be distributed to the various rings of some process. When the process is executing in any of rings 0 through 4, any words of this segment may be executed as machine instructions. When the process is executing in rings 5 or 6, only transfers of the execution point to words 0 or 1 of the segment will be allowed. These transfers will result in the ring of execution switching down to 4. From ring 7 no attempt to execute in the segment will be allowed. The segment may be read from any ring in which it will execute.

The abstract description of rings is now one step from completion. The last step comes from the observation that for each procedure segment in the virtual memory of each process there is a lowest numbered ring in which that procedure is <u>intended</u> to execute. Further, that ring is not always zero. For example, user procedures are not intended to execute in ring 0, the ring of a process containing the most access capabilities. Allowing a non-zero bottom on the execute bracket would provide

the means to prevent the accidental transfer to and execution of a procedure in a ring numbered lower than intended. Violating the nested subset property with respect to execute access capability by allowing a non-zero bottom on the execute bracket of a segment turns out to make rings no more difficult to implement, and is thus desireable in view of the protection against errors it provides.

The non-zero bottom on the execute bracket of a segment can be provided without adding another field to the SDW. The method is to use the field which specifies the top of the write bracket to specify the bottom of the execute bracket as well. The double use of this field does not appear to remove any interesting functional capability from the access control mechanisms. In fact, it eliminates an unwanted degree of freedom in access specification, thereby removing the potential to make certain types of errors. There are two cases to consider in support of this contention. For a segment with a write bracket but ňo execute bracket, or vice versa, nothing is lost by double use of For a segment with both a write bracket and an the field. execute bracket the double use of the SDW field constrains these brackets to overlap by exactly one ring. Overlap by more than one ring is not interesting because executing a procedure in a ring lower than the highest ring from which it can be written invalidates the protection provided by the lower ring. The forced single ring overlap guarantees that writable procedures execute in only one ring. Finally, there is no obvious wi11

As redefined, then, the execute bracket of a segment for a process can be any consecutively numbered group of rings, and need not begin with ring 0. If the segment also has a write bracket, then the bottom of the execute bracket must coincide with the top of the write bracket. When the ring of execution is below the execute bracket the process cannot execute words of the as machine instructions, although the process can use segment the unrestricted upward ring switch capability to execute the segment in a higher ring that is within the execute bracket. For many procedure segments the execute bracket includes exactly one ring -- the ring in which the procedure segment is intended to Procedure segments with wider execute brackets usually execute. contain commonly used library subroutines that are certified as acceptable for execution in any of the rings from which they may be called.

Figure 3 illustrates the relationship of the execute bracket and the potential write bracket for a typical pure procedure segment in the virtual memory of some process. This segment is executable in ring 4 and contains gates into ring 4 for rings 5 and 6. It may be read from rings 0 through 4. If the procedure were also writable then the write flag would be <u>on</u>, and execution and modification could occur in ring 4.

The gate list and the numbers specifying the read, write, and execute brackets, and gate extension for a segment all come

from the access control list entry which permitted the process to include the segment in its virtual memory, as did the values for the read, write, and execute flags.

## Call and Return

In the case of general domains, a change in the domain of execution of a process occurs when the executing procedure transfers control to a gate of another domain. In the context of most programming languages an interprocedure transfer represents a subroutine call, a return following a call, or a non-local Linguistically, all three operations produce a change goto. in the environment of the execution point; this change affects the binding of variable names to virtual storage locations. The call operation has the additional function of transmitting arguments and recording a return point. Producing the correct change in the environment (as well as transmitting arguments and recording a return point in the case of a cally generally requires the cooperation of both the procedure initiating the operation and the procedure receiving control. If a call, return, or goto changes the domain of execution because it happens to be directed to a gate location of another domain, then the situation becomes more complicated, for neither procedure can depend upon the other to cooperate. An important simplification introduced bу restricting domains to a ring structure is that a procedure may assume the cooperation of procedures in lower numbered rings.

When procedures are shared among different processes and different domains, the addressing environment is usually defined

via a processor register, for it is not convenient to embed addresses within the procedures themselves. In Multics, pure procedures are used with a per process call stack, and the stack pointer register provides the required environment definition. The call stack of a process is implemented with a separate segment for each ring being used. The stack segment for procedures executing in ring <u>n</u> has read and write brackets that end at ring <u>n</u>. Thus, stack areas for these procedures are not accessible to procedures executing in any ring <u>m</u> > <u>n</u>. Part of the function of the call, return, and goto operations is to properly update the stack pointer register.

The most common ways of changing the ring of execution of a process are a call to a gate of a lower numbered ring and the subsequent upward return. A downward call represents the invocation of a user-provided protected subsystem or a supervisor procedure. Because the Honeywell 645 was designed around the supervisor/user usual protection method, the Multics implementation for this machine simulates rings by "trapping" to special ring-changing software when downward calls and upward returns are performed. The hardware mechanisms detailed in the next section eliminate the need to "trap" in these cases. Using these improved hardware access control mechanisms, downward calls and upward returns occur without the intervention of special software and are performed by the same object code sequences that perform calls and returns that do not change the ring of execution.

It is the nested subset property of rings that makes a straightforward hardware implementation of downward calls and upward returns possible. Because of this property the called procedure automatically has all access capabilities required to reference any arguments that the calling procedure can legitimately specify and to return to the calling procedure in the ring from which it called. Furthermore, it is reasonable to trust the called procedure to properly restore the stack pointer on return since it has access capabilities which allow it to cause the calling procedure to malfunction in many other ways anyway. However, three problems remain. First, the called procedure must be able to calculate the correct new stack pointer. Second, the called procedure must have a way of validating references to arguments so that it cannot be tricked into reading or writing an argument that the caller could not also read or write. Finally, the called procedure must have a way of knowing for certain the ring in which the calling procedure was executing so that the called procedure cannot be tricked into returning control to a ring not as high as that of the calling procedure.

The key to solving the first problem, creation of a new stack pointer, is a rule relating the segment number of the stack segment for a ring to the ring number. Using this rule, the processor automatically calculates the segment number of the proper stack segment for the called procedure's ring of execution. By convention, word zero of each Multics stack

segment points to the beginning of the next available stack area. Thus, the stack segment number alone provides the called procedure with enough information from which to construct its own stack pointer. Because the processor provides the stack segment number, no procedure executing in a higher numbered ring, e.g. the calling procedure, can affect the value of the stack pointer for the called procedure.

The second problem, validation of argument references, is solved by providing processor mechanisms which allow a procedure to assume the more restricted access capabilities of any higher numbered ring when convenient. Using these mechanisms the called procedure can validate access when referencing arguments as though execution were occurring in the (higher numbered) ring of the calling procedure. Thus, the called procedure, even though it is executing in a ring with more access capabilities than the ring of the calling procedure, can prevent itself from reading or writing any argument that the calling procedure could not also read or write.

The final problem, knowing the ring of the caller, is solved by having the processor leave in a program accessible register the number of the ring in which execution was occuring before the downward call was made. The subsequent return is made to that ring. Thus, the calling procedure has no opportunity to lower the number of the ring to which the return is made.

The next two sections describe in more detail how downward calls, argument referencing and validation, and upward returns

are implemented. Before proceeding to that description, however, there is another possibility to consider: an upward call and the subsequent downward return.

An upward call occurs when a procedure executing in ring <u>n</u> calls an entry point in another procedure segment whose execute bracket <u>bottom</u> is <u>m</u> > <u>n</u>. When the call occurs the ring of execution will change to <u>m</u>. The subsequent return is downward, resetting the ring of execution to <u>n</u>. This case exhibits two unpleasant characteristics of a general cross-domain call and return that were not present in the case of the downward call and upward return.

first is that the calling procedure may specify `The arguments that cannot be referenced from the ring of the called procedure. (In the case of the downward call, the nested subset property of rings guaranteed that this could not happen.) There are at least three possible solutions to this problem. One is to require that the calling procedure specify only arguments that are accessible in the higher numbered ring of the called procedure. This compromises programming generality by forcing the calling procedure to take special precautions in the case of an upward call. Another possible solution is to dynamically include in the ring of the called procedure the capabilities to reference the arguments. Because a segment is the smallest unit of information for which access can be individually controlled, this forces segments which contain arguments to contain no other be protected differently, again information that should

compromising programming generality, unless segments are inexpensive enough that, as a matter of course, every data item is placed in its own segment. It may also be expensive to dynamicallv include and remove the argument referencing capabilities from the called ring. The third possible solution is copying arguments into segments that are accessible in the called ring, and then copying them back to their original locations on return. This solution restricts the possibility of sharing arguments with parallel processes. None of the three solutions lend themselves well to a straightforward hardware implementation.

The second unpleasant characteristic is that a gate must be provided for the downward return. (In the case of the upward return the nested subset property of rings made a return gate unnecessary.) The return gate must be created at the time of the upward call and must be destroyed when the subsequent return occurs. If recursive calls into a ring are allowed, then this gate must behave as though it were stored in a push-down stack, so that only the gate at the top of the stack can be used. The gates specified in SDW's seem poorly suited to this sort of dynamic behavior. Processor mechanisms to provide dynamic, stacked return gates are not obvious at this time.

Because of these two problems, the hardware implementation of rings described in the next section does not automatically perform upward calls and downward returns. When an attempt to perform an upward call or downward return is detected by the

hardware it "traps" to a supervisor procedure that executes in ring 0 and which performs the necessary addressing and protection environment adjustments.

#### The Hardware Implementation of Rings

In this section the ideas presented in the previous sections are gathered into a description of a design for processor hardware to implement rings. The description only touches upon those aspects of the processor organization that are relevant to access control. The segmented addressing hardware described earlier serves as the foundation of the ring implementation mechanisms.

Figure 4 presents a schematic description of segment descriptor words, instruction words, indirect words, and processor registers that are relevant to the discussion which follows. The descriptor base register (DBR) contains the absolute address and length of the descriptor segment.

Segment descriptor words (SDW's) are the entries in the descriptor segment. If the validity bit (SDW.V) is <u>on</u> then the SDW contains the absolute address and length of some segment in the virtual memory of the process. The access indicator portion of an SDW specifies the brackets, flags, and gate locations for the segment. The three 3-bit ring numbers (SDW.R1, SDW.R2, and SDW.R3) delimit the read, write, and execute brackets and the gate extension. The write bracket is rings 0 through SDW.R1; the execute bracket SDW.R1 through SDW.R2; and the gate extension SDW.R2+1 through SDW.R3. Rather than providing a fourth number

| Descriptor base register                   |               |           | •    |        |       |   |                      |
|--------------------------------------------|---------------|-----------|------|--------|-------|---|----------------------|
| DBR                                        | ADDRESS       | LENGTH    |      |        |       |   |                      |
|                                            |               |           |      |        |       |   |                      |
| Segment descriptor word (stored in memory) |               |           |      |        |       |   |                      |
| SDW                                        | ADDRESS       | LENGTH    | R1 R | 2 R3   | RW    | E | GATE V               |
|                                            | L <del></del> |           |      |        |       |   |                      |
| Instruction point <u>er register</u>       |               |           |      |        |       |   |                      |
| IPR                                        | RING          | SEGNO     |      | WO     | RDNO  |   |                      |
|                                            |               |           |      |        |       |   |                      |
| Instruction word                           | (stored in    | memory)   |      |        |       |   |                      |
| INST                                       | PRNUM         | OFFSET    |      | PCODE  |       |   | I                    |
|                                            |               |           |      |        |       |   |                      |
| Program accessibl                          | e pointer 1   | registers |      |        |       |   |                      |
| PRO                                        |               |           |      |        |       |   | (argument pointer)   |
| PR1                                        |               |           |      |        |       |   |                      |
| PR2                                        |               |           |      |        |       |   |                      |
| PR3                                        |               |           |      |        |       |   |                      |
| PR4                                        |               |           |      |        |       |   |                      |
| PR5                                        |               |           |      |        |       |   |                      |
| PR6                                        |               |           |      |        |       |   | (stack pointer)      |
| PR7                                        |               | ·····     |      |        |       |   | (stack base pointer) |
|                                            | RING          | SEGNO     |      | WORDNO |       |   |                      |
|                                            |               |           |      |        |       |   |                      |
| Indirect word (st                          | ored in men   | nory)     |      |        |       |   |                      |
| IND                                        | RING          | SEGNO     |      | W      | ORDNO |   | I                    |
|                                            |               |           |      |        |       |   |                      |
|                                            |               |           |      |        |       |   |                      |
| Temporary pointer                          | register      |           |      |        |       |   |                      |
| TPR                                        | RING          | SEGNO     | · .  |        | ORDN  | 0 |                      |
|                                            |               |           |      |        |       |   |                      |

.

Figure 4: Schematic description of segment descriptor words, instruction words, indirect words, and relevant processor registers

to specify the top of the read bracket, SDW.R2 is reused for this purpose. Forcing the top of the read and execute brackets to coincide in this manner does not seem to preclude any important cases, and saves one ring number in the SDW. Supervisor code for constructing SDW's guarantees that SDW.R1  $\leq$  SDW.R2  $\leq$  SDW.R3 is true. The single-bit read, write, and execute flags (SDW.R, SDW.W, and SDW.E) also appear. Finally, the list of gate locations of a segment is compressed to a single fixed-length field (SDW.GATE) by requiring all gate locations to be gathered together beginning at location 0 of a segment. Thus, SDW.GATE need only contain the number of gate locations present.

The instruction pointer register (IPR) specifies the current ring of execution and the two-part address of the next instruction to be executed. The general format of an instruction word in memory (INST) is also shown for later reference.

There are eight program accessible pointer registers (PRO through PR7). All can contain a two-part address and a ring number. Because most procedure segments in Multics are pure and segment numbers cannot be known at the time a procedure segment is compiled, machine instructions specify two-part operand addresses by giving an offset (in INST.OFFSET) relative to one of the PR's (specified by INST.PRNUM) or IPR. The ring number in a pointer register (PRn.RING) is used to specify a validation level for the address, and is part of the mechanism that allows an executing procedure to assume the access capabilities of a higher numbered ring for referencing arguments. The processor is

designed so that it is never possible for any PRn.RING to contain a number that is less that the ring of execution found in IPR.RING.

Indirect addressing may be specified in an instruction by setting the indirect flag (INST.I). Indirect words (IND) contain the same information as PR's, and may also indicate further indirection with an indirect flag (IND.I).

The final item in Figure 4 is the temporary pointer register (TPR). The TPR is an internal processor register that is not program accessible. It is used to form the two-part address of each virtual memory reference made. The ring number (TPR.RING) provides the value with respect to which permission to reference the virtual memory location is validated.

There are two aspects to the implementation of rings in The first is access checking logic, integrated with hardware. the segmented addressing hardware, that validates each virtual reference. The second is special instructions memory for changing the ring of execution. The best way to describe the first aspect is to walk through the processor instruction cycle, paying particular attention to the places where operations related to access validation occur. The second aspect will be discussed when the description of the instruction cycle reaches the point where the instruction is actually performed.

The first phase of the instruction cycle, retrieving the next instruction to be executed, is described in Figure 5. (Refer to Figure 4 for the abbreviations used in the flow charts



Figure 5: Retrieval of next instruction to be executed

<sup>\*</sup> This check for segment presence must occur each time an SDW is retrieved. To avoid cluttering the flow charts, it is left out of Figures 6-10.

of Figures 5 through 10.) The two-part address of the next instruction along with the ring of execution are loaded into TPR from IPR. At the point during address translation that the SDW becomes available, the ring of execution (now in TPR.RING) is matched against the execute bracket of the segment containing the instruction and the execute flag is checked. If the segment may be executed from the current ring of execution the instruction fetch is completed. Otherwise, the access violation derails the instruction cycle into the fault mechanism of the processor. The action of a fault is discussed later in this section.

The next phase of the instruction cycle, calculating the effective address of the instruction's operand, is described in Figure 6. This phase occurs only if the instruction has an operand in memory. The effective address is the final two-part address of the operand (after all address modifications and indirections have taken place) together with an effective ring number. The effective ring number is used to validate the actual reference to the operand. The effective address is formed in TPR which, as a result of the preceding instruction retrieval phase, begins the effective address calculation containing the two-part address of the instruction being executed and the current ring of execution.

The formation of the segment number and word number portions of the effective address in TPR.SEGNO and TPR.WORDNO is very straightforward and is described by Figure 6. The calculation of the ring number portion of the effective address in TPR.RING and





the access validation performed before retrieving indirect words, also shown in Figure 6, need further comment.

The effective ring portion of the effective address provides a procedure with the means of voluntarily assuming the access capabilities of a higher numbered ring when making an instruction operand reference. The effective ring number also is used to the highest numbered ring from which an executing record procedure possibly could have influenced the effective address calculation. One opportunity for the value of TPR.RING to change during effective address calculation occurs if the instruction contains an address that is an offset relative to some PRn. In this case TPR.RING is updated with the larger of its current value and the ring number in the specified pointer register (PRn.RING). Thus, if PRn.RING contains a value that is greater than the current ring of execution, validation of the operand reference will be as though execution were occuring in this higher numbered ring.

The remaining opportunities to change the value of TPR.RING occur in conjunction with the processing of indirect words involved in the effective address calculation. Each time an indirect word is retrieved TPR.RING is updated with the larger of its current value, the ring number in the indirect word (IND.RING), and the top of the write bracket for the segment containing the indirect word (SDW.R1). The ring number in the indirect word has the same purpose as the ring number in a pointer register -- forcing validation of the operand reference

relative to some higher numbered ring. Including in the calculation the top of the write bracket of the segment containing the indirect word, however, has another purpose. The top of the write bracket represents the highest numbered ring from which an executing procedure could alter the contents of the indirect word and thereby influence the result of the effective address calculation. Taking into account SDW.R1 when updating TPR.RING guarantees that the operand reference will be validated with respect to the highest numbered ring which could have influenced the effective address.

The capability to read an indirect word during effective address formation must be validated before the indirect word is retrieved. Validation is with respect to the value in TPR.RING at the time the indirect word is encountered.

At the conclusion of the effective address calculation described in Figure 6, TPR contains the effective address of the instruction operand, including the effective ring number with respect to which the reference to the operand will be validated. The next phase of the instruction cycle is to perform the instruction. For the purpose of access validation, the possible instructions may be broken into three groups according to the type of reference made to the operand. Figure 7 shows the access validation for the straightforward cases of instructions which read their operands and instructions which write their operands. The third group, instructions which do not reference their operands, is illustrated in Figure 8. One set in this group is







Figure 8: Access validation for instructions which do not reference their operand

the "Effective Address to Pointer Register"-type (EAP-type) instructions which load the RING, SEGNO, and WORDNO fields of PRn with the corresponding fields of TPR. The operand is not referenced so no access validation is required. Instructions of this type are important for they are the only way to load PR's.

The remaining instructions illustrated in Figure 8 are transfer To provide some protection against instructions. changing the ring of execution by accident, a11 transfer instructions except two, CALL and RETURN, are constrained from doing so. Since a transfer instruction does not reference its operand, but just loads the address of its operand into the instruction counter, no access validation is really required. However, an advance check on whether reloading IPR from TPR will result in a fault on the next instruction cycle is very useful from the standpoint of debugging, for it catches the access violation while it is still possible to identify the instruction which made the illegal transfer. Figure 8 describes the advance check for transfer instructions other than CALL and RETURN.

The two instructions that remain to be considered are the instructions which can change the ring of execution: CALL and RETURN. They are intended to be used to implement the same-named linguistic operations.\* CALL will automatically switch the ring of execution to a lower number and RETURN to a higher number if the occasion requires it. When used to perform an upward call or

<sup>\*</sup> RETURN may also be used to implement the non-local goto operation.

a downward return the instructions cause faults which allow software intervention to complete the operations.

9 describes the access validation and performance of Figure points the CALL instruction. Several require further explanation. The first concerns gates. From Figure 9 it is apparent that a CALL must be directed at a gate location even when the called procedure will execute in the same ring as the calling procedure. The rationale for this use of the gate list of a segment is that it can provide protection against accidental calls to locations that are not entry points, even when the call comes from within the same ring. Thus, SDW.GATE for a procedure segment usually specifies the number of externally defined entry points in the procedure segment. These become gates for higher numbered rings in the sense described in the previous sections only if the top of the gate extension of the segment is above the top of the execute bracket, i.e. only if SDW.R3 > SDW.R2 for the segment. The price paid for this error detection ability is that if any externally defined entry point in a procedure segment is a gate for a higher numbered ring, then all are. From within the execute bracket of a procedure segment the gate restriction can be by-passed by using a normal transfer instruction rather than a CALL to pass control to the segment.

The only exception to having the CALL instruction respect the gate list of the operand segment occurs if the operand is in the same segment as the instruction. Allowing a CALL instruction to ignore the gate list of the segment containing the instruction





permits it to be used to implement calls to internal procedures.

The access validation for the CALL instruction is made relative to the ring number computed as part of the effective as a result of PR-relative addressing and address. Since, indirection, the effective ring value can be higher than the current ring of execution (IPR.RING), what would appear to be a call within the same ring or to a lower ring with respect to TPR.RING can in fact be an upward call with respect to IPR.RING. Because in normal circumstances this situation represents an error, the decision is made to generate an access violation when it occurs, even if the current ring of execution is within the execute bracket of the called procedure segment.

The new ring of execution is calculated in TPR.RING. Following this calculation, CALL generates in PR7, a register chosen by system convention, a pointer to word 0 of the stack segment for the new ring of execution. The segment number of the appropriate stack segment is the new ring number.\* In addition, PR7.WORDNO is set to 0 and PR7.RING is set to the new ring of

<sup>\*</sup> Two subtle features may be included at this point by changing the way the new stack segment number is derived. If the CALL instruction does not change the ring of execution then the new stack segment number is taken directly from the current stack pointer register (PR6, by convention), allowing the use of non-standard stack segments for procedures executing in the same ring. If the CALL instruction does change the ring of execution then the new stack segment number is calculated by adding the new ring number to an additional DBR field that consecutively numbered segments that are the eight specifies the standard stack segments of the process. The use of the additional DBR field allows more flexibility in stack segment assignment, facilitating the preservation of stack history following an error and the implementation of forked stacks.

execution.

Finally, the transfer of control is achieved by reloading IPR.RING, IPR.SEGNO, and IPR.WORDNO from the corresponding fields of TPR.

The RETURN instruction is described by Figure 10. The access validation is the same as for other transfer instructions. The ring to which the return is made is specified by the effective ring portion of the effective address generated by the RETURN instruction. In the case that the return is upward, the ring number fields in all pointer registers are replaced with the larger of their current values and the new ring of execution. replacement, together with the fact that PR's can only be This loaded with EAP-type instructions, guarantees that PRn.RING can never contain a value that is less than IPR.RING, a fact which proves very useful when passing arguments on a downward call and which makes it easy to perform an upward return to the proper ring. (See the next section for details.)

This almost completes the description of the processor hardware for implementing rings. One of the final items to consider is the action of a fault or interrupt. Access violations generate faults, as do a variety of other conditions, e.g. missing page, missing segment, or processor timer runout. An interrupt is the recognition by the processor of an external signal. A fault or interrupt causes an unconditional transfer of control to a pre-specified location and the change of the number of the ring of execution to zero. A special instruction allows



Figure 10: Access validation and performance of RETURN instruction

the state of the processor at the time of the fault or interrupt to be restored later if appropriate, continuing the faulted or interrupted instruction. The program that executes in ring 0 which gains control in the event of a fault or interrupt is part of the supervisor.

The final point concerns privileged instructions. Certain instructions, if executable by all procedure segments, could invalidate the protection provided by the ring mechanisms. Among these are the instructions to load the DBR, I/O instructions, and the instruction to restore the processor state after a fault or interrupt. Any instruction designated as privileged will be performed only if the process is executing in ring 0. This convention restricts their use to supervisor procedures.

## <u>Call and Return Revisited</u>

The intended use of the hardware mechanisms just described is illustrated by considering again two key aspects of the linguistic meaning of the operations call and return.

The first aspect to be reconsidered is the way arguments are passed and referenced. A procedure making a call constructs an array of indirect words containing the addresses of the various arguments to be passed with the call. Each indirect word is generated by forming the address of the corresponding argument in some pointer register using an EAP-type instruction and then storing the contents of that pointer register as the indirect word. To inform the called procedure of the location of this argument list, the calling procedure loads a specific pointer

# register, designated by software convention to be PRO, with the address of the beginning of the argument list. An instruction of the called procedure can reference the nth argument as its operand by using an indirect address. The location of the indirect word is specified in the instruction as PRO offset by <u>n</u>. If this operand reference constitutes an upward cross-ring

argument reference then the proper validation is automatic, for PRO.RING, as set by the calling procedure, must contain a number that is greater than or equal to the number of the ring in which the calling procedure was executing when the call was made. Thus, validation of all argument references by the called procedure will be with respect to an effective ring that is at least as high as the ring of the caller.

The ring number in the argument pointer register, then, allows the called procedure to automatically assume the fewer access capabilities of the calling procedure in the case of an upward cross-ring argument reference via PRO and the argument Not all argument references, however, will be via PRO and list. the argument list. For example, if an argument is an array, then the corresponding argument list indirect word will address the first element. The called procedure may find it convenient to load, say, PR1 with the actual two-part address of the beginning of that array argument so that array indexing can be more easily If PR1 is loaded with an EAP-type instruction accomplished. whose operand address is specified via PRO and the argument list, then the proper effective ring number will automatically be put

M0126

in PR1.RING, and subsequent references to the argument via PR1 will also be validated with respect to an effective ring that is at least as high as the ring of the caller. If PR1 is then stored as an indirect word, this effective ring is put into the RING field of the indirect word. In fact, as long as the called procedure does not make an explicit effort to lower the effective ring associated with an argument address, e.g. by zeroing the field of an indirect word, then all manipulations of the RING argument address are safe, and all argument references will be validated with respect to an effective ring that is at least as high as the ring of the caller.

One further comment needs to be made about argument passing referencing with respect to downward calls. The scheme just and described naturally extends to a sequence of downward calls. For example, assume that procedure A executing in ring 4 calls procedure B to execute in ring 1 which then calls procedure C to execute in ring 0. Assume further that an argument passed from A to B is passed on from B to C. When C references this argument, the reference will automatically be validated with respect to ring 4, not ring 1 as might be expected. The reason follows from the way in which B constructs the argument list for C. Using the normal pattern of forming an argument address in some PRn with an EAP-type instruction and then storing that PR as an argument list indirect word, an indirect word for an argument to C will have 4 its RING field if the corresponding argument happens to have in been originally provided by A. Thus, when C references this

argument, an effective ring number of 4 will be used to validate the reference. B could force validation of references to this argument by C to be relative to ring 1 simply by resetting the ring field of the corresponding argument list indirect word to 1.

second aspect to be reconsidered with respect to call The and return is the way that the stack pointer register (PR6) is manipulated and the return address is recorded. Before a procedure calls another, the return address is recorded as an indirect word in a standard location of the stack area of the calling procedure. When the call occurs, PR6 remains pointing to the stack area of the calling procedure. Only after the called procedure has located its new stack area (using the address in PR7 provided by the CALL instruction) and the contents of PR6 are saved in that new stack area, is PR6 reset to address the stack area of the called procedure. When it comes time to return, the called procedure restores PR6 with the saved pointer value. PR6 is then used to address the indirect word containing the return point that is the operand of the actual RETURN instruction. Because PR6.RING as restored was initially set by the calling procedure, it must contain the number of the ring in which the calling procedure was executing (or some higher value). Thus, the RETURN instruction is guaranteed to generate an effective ring number no lower than the ring of the calling procedure, and will return control to the ring of the caller or some higher numbered ring.

# <u>Use of Rings</u>

Some insight into the functional capabilities of rings can be gained by considering briefly the way the basic mechanisms described in the previous sections are used in Multics.

The ring protection scheme allows a layered supervisor to be included in the virtual memory of each process. In Multics, the lowest level supervisor procedures, such as those implementing the primitive operations of access control, input/output, memorv multiplexing, and processor multiplexing, execute in ring 0. The remaining supervisor procedures execute in ring 1. Examples of ring 1 supervisor procedures are those performing accounting, input/output stream management, and file system search direction. (Deciding how many layers to use and which procedures should execute in each layer is an interesting engineering design problem.) Supervisor data segments have read and write brackets that end at ring 0 or ring 1, depending on which layer of the supervisor needs to access each.

Implicit invocation of certain ring 0 supervisor procedures occurs as a result of a fault or an interrupt. Explicit invocation of selected ring 0 and ring 1 supervisor procedures by procedures executing in rings 2 through 7 of a process is by standard subroutine calls to gates. No other access to supervisor segments by procedures executing in higher numbered rings is allowed.

Because separate access control lists for each segment and separate descriptor segments for each process provide the means

to control separately the use of each segment by each user's process, not all gates into supervisor rings need be available to the processes of all users and not all gates need have the same gate extension associated with them. For example, some gates into ring 0 are accessible to the processes of all users, but only to procedures executing in ring 1. Such gates provide the internal interfaces between the two layers of the supervisor. Some gates into ring 1 are accessible to procedures executing in rings 2 through 7 in the processes of selected users, but not accessible at all from the processes of other users. An example of the latter kind is a gate for registering new users that is available only from the processes of system administrators.

As pointed out by Dijkstra [15], the layered supervisor allowed by the ring protection scheme has several advantages. Constructing the supervisor in enforced layers limits the propagation of errors, thereby making the supervisor easier to modify correctly and increasing the level of confidence that the supervisor functions correctly. For example, changes can be made in ring 1 without having to recertify the correct operation of the procedures in ring 0.

By arranging for most user procedures to execute in ring 4, rings 2 and 3 become available for the protection of subsystems constructed by members of the user community. Subsystems executing in rings 2 and 3 of a process can be protected from procedures executing in ring 4 through 7 in the same way that the supervisor is protected from procedures executing in rings 2

through 7. All comments made about a supervisor implemented in rings 0 and 1 of each process apply to protected subsystems implemented in rings 2 and 3. Different protected subsystems may be operated simultaneously in rings 2 and 3 of different processes and several processes may share the use of the same protected subsystem simultaneously. The ring protection scheme allows the operation of user-constructed protected subsystems without auditing them for inclusion in the supervisor. Examples of protected subsystems that might be provided by various users are a personnel records subsystem, a proprietary compiler, or a subsystem to play "moo" and safely record in a central data base the result of every game of every player for later publication.

With most user procedures executing in ring 4, rings 5, 6, and 7 are available for user self-protection. For example, a user may debug a program by executing it in ring 5 where only procedure and data segments intended to be accessed by the program would be accessible. The ring protection mechanisms would detect many of the possible addressing errors that could be made by the program and would also prevent the untested program from damaging other user segments accessible from ring 4. In the same way ring 5 can be used for the execution of a program borrowed from another user when the program is not trusted.

Supervisor gates are not accessible from rings 6 and 7 of any process in Multics. Thus, procedures executed in these rings have no explicit access to supervisor functions; they may, however, call user-provided gates into rings 4 or 5. Ring 6 of a

process might be used, for example, to provide a suitably isolated environment for student programs being evaluated by a grading program executing in ring 4.

The complete description of a software access control facility based on rings that allows them to be used in the manner just outlined would require another paper. Although a given ring may simultaneously protect different subsystems in different processes, each ring of each process can protect only one subsystem at a time. A useable software access control facility must constrain each user's ability to dynamically set and modify access control specifications so that this sole occupant property can be verified and enforced when necessary.

## <u>Conclusions</u>

The hardware mechanisms derived and described in this paper implement a methodical generalization of the traditional supervisor/user protection scheme that is compatable with a shared virtual memory based on segmentation. This generalization solves three significant kinds of problems of a general purpose system to be used as a computer utility:

- users can create arbitrary, but protected, subsystems for use by others,
- the supervisor can be implemented in layers which are enforced,

- the user can protect himself while debugging his own (or borrowed) programs.

The subset access property of rings of protection does not provide for what may be called "mutually suspicious programs"

operating under the control of a single process. But on the other hand, it is just that subset property which imposes an organization which is easy to understand and thus allows a system or subsystem designer to convince himself that his implementation is complete. Also, it is just the subset property which is the basis for a hardware implementation that is integrated with segmentation mechanisms, requiring very small additional costs in hardware logic and processor speed.

The long-range effect of hardware protection mechanisms which permit calls to protected subsystems that are no more complex than calls to other procedures is bound to be significant. In the interface to the supervisor of most systems there are many examples of facilities whose interface design is biased by the assumption that a call to the supervisor is relatively expensive; the usual result is to place several closely related functions together in the supervisor, even though only one of the group really needs protection. For example, in the Multics typewriter I/O package, only the functions of copying data in and out of shared buffer areas and of executing the privileged instruction to initiate 1/0 channel operations need to be protected. But, since these two functions are deeply tangled with typewriter operation strategy and code conversion, the typewriter I/O control package is currently implemented as a set of procedures all located in the lowest numbered ring of the system, thus increasing the quantity of code which has maximum privilege.

A similar example is found in many file system designs, where complex file search operations are carried out entirely by protected supervisor routines rather than by unprotected library packages, primarily because a complex file search requires many individual file access operations, each of which would require transfer to a protected service routine, which transfer is presumed costly.

initial implementation of Multics was carried out using The software simulated rings of protection. The result was a very conservative use of the rings of protection: originally just two supervisor rings and one user ring were employed, and the two supervisor rings were temporarily collapsed into one (thus exploiting the programming generality objective referred to before) while the ring crossing software mechanisms were tuned Today, although there are many obvious applications waiting, up. are just beginning to be exploited. multiple rings The availability with the new Multics processors of hardware protection which make downward calls and implemented rings of upward returns no more complex than calls and returns in the same ring should significantly increase such exploitation.

# Background and Acknowledgements

The concepts embodied in the mechanisms described here were the result of seven years of maturing of ideas suggested by many workers. The original idea of generalizing the supervisor/user relationship to a multiple ring structure was suggested by R. M. Graham, E. L. Glaser and F. J. Corbato. An initial software

simulation of rings using multiple descriptor segments [1] was worked out by Graham and R. C. Daley, and implemented by members of the Multics system programming team. That implementation makes use of hardware access mode indicators stored in the segment descriptor word of the Honeywell 645 computer. Graham [3], in 1967, proposed a partial hardware implementation of rings of protection which included three ring numbers embedded in segment descriptor words, and a processor ring register, but which still required software intervention on all ring crossings. This hardware scheme, though a related scheme was implemented in the HITAC 5020 time-sharing system [4], was never implemented in Multics, which today (1971) still uses a version of the software simulation. The complete automation of downward calls and upward returns was proposed in a thesis in 1969 [5]; the description in this paper extends that thesis slightly with the addition of rings numbers to indirect words and the processor pointer registers, as suggested by Daley. The CALL and RETURN instructions proposed there have also been simplified.

The hardware implemented call and return, and automatically managed stacks, were at least partly inspired by similar mechanisms which have long been used on computer systems of the Burroughs Corporation [16,17].

In addition to those named above, D. D. Clark, C. T. Clingen, R. J. Feiertag, J. M. Grochow, N. I. Morris, M. A. Padlipsky, M. R. Thompson, V. L. Voydock, and V. A. Vyssotsky contributed significant help in understanding and implementing rings of protection.

# References

[1] <u>Multics Programmer's Manual</u>, M.I.T, Project MAC, 1969.

[2] <u>Model 645 Processor Reference Manual</u>, Cambridge Information Systems Laboratory, Honeywell Information Systems Inc., April, 1971.

[3] Graham, R. M., "Protection in an Information Processing Utility", <u>Communications of the ACM 11</u>, 5 (May, 1968), pp. 365-369.

[4] Motobayashi, S., T. Masuda, and N. Takahashi, "The Hitac 5020 Time-Sharing System", <u>Proceedings ACM 24th National</u> <u>Conference</u> (ACM Publication P-69), 1969, pp. 419-429.

[5] Schroeder, M. D., "Classroom Model of an Information and Computing Service", S.M. Thesis, M.I.T., February, 1969. (An expanded version of this thesis is available as Project MAC Technical Report MAC-TR-80.)

[6] Bensoussan, A., C. T. Clingen, and R. C. Daley, "The Multics Virtual Memory", <u>Second ACM Symposium on Operating Systems</u> <u>Principles</u> (October, 1969), Princeton University, pp. 30-42.

[7] Apfelbaum, H., and G. Oppenheimer, "Design of Virtual Memory Systems", <u>Fifth Annual IEEE Computer Society Conference</u>, Boston, September, 1971.

[8] Arden, B. W., et al, "Program and Addressing Structure in a Time-Sharing Environment", <u>Journal of the ACM 13</u>, 1 (January, 1966), pp. 1-16.

[9] Lampson, B. W., "An Overview of the CAL Time-Sharing System", Computation Center, University of California, Berkeley (September 5, 1969).

[10] Lampson. B. W., "Dynamic Protection Structures", <u>AFIPS</u> <u>Conference Proceedings</u> <u>35</u> (1969 FJCC), pp. 27-38.

[11] Evans, D. C., and J. Y. LeClerc, "Address Mapping and the Control of Access in an Interactive Computer", <u>AFIPS Conference</u> <u>Proceedings</u> <u>30</u> (1967 SJCC), pp. 23-30.

[12] Dennis, J. B., and E. C. VanHorn, "Programming Semantics for Multiprogrammed Computations", <u>Communications</u> of <u>the ACM 9</u>, 3 (March, 1966), pp. 143-155.

[13] Fabry, R. S., "Preliminary Description of a Supervisor for a Computer Organized around Capabilities", <u>Quarterly Progress</u> <u>Report No. 18</u>, Section I-B, Institute of Computer Research, University of Chicago, 1968, pp. 1-97. [14] Vanderbilt, D. H., "Controlled Information Sharing in a Computer Utility", Project MAC Technical Report MAC-TR-67, M.I.T., 1969.

[15] Dijkstra, E. W., "The Structure of the THE Multiprogramming System", <u>Communications</u> of the <u>ACM</u> <u>11</u>, 5 (May, 1968), pp. 341-346.

[16] <u>A Narrative Description of the Burroughs B5500 Master</u> <u>Control Program</u>, Burroughs Corporation, Detroit, October, 1969.

[17] Hauck, E. A., and B. A. Dent, "Burroughs' B6500/B7500 Stack Mechanisms", <u>AFIPS</u> <u>Conference</u> <u>Proceedings</u> <u>32</u> (1968 SJCC), pp. 245-251.