swskit-documentation/execute-only.memos
+---------------------------+
! ! ! ! ! ! ! !
! d ! i ! g ! i ! t ! a ! l ! i n t e r o f f i c e m e m o r a n d u m
! ! ! ! ! ! ! !
+---------------------------+
To: TOPS-20 Monitor Memo List
CC:
From: Tom Porcher
Dept: LCG Software Engineering
Loc: MR1-2/E37 Ext: 231-6877
Date: 1-Feb-78
PDM: TCP-78-001-00-S
Subject: Execute-Only Files on TOPS-20
This is the latest revised version of my specification for execute-only
files on TOPS-20. Of particular interest to most people is Section 2,
specifically 2.3 and 2.5.
Execute-only files will be implemented in Release 4 of TOPS-20 as
described in this specification.
Specification for:
Execute-Only Files on TOPS-20
1.0 INTRODUCTION
This memo is intended to describe the changes necessary to TOPS-20 to
provide an execute-only file capability on TOPS-20.
2.0 DEFINITION OF EXECUTE-ONLY FILES AND PROCESSES
2.1 Definition
The basic definition of an execute-only file is one that cannot be
copied or read in a normal manner, but can be run as a program.
In order to provide this capability, the following constraints must be
placed on a file to be called an execute-only file:
1. The file must be protected with EXECUTE access allowed but
without READ access allowed.
2. The file cannot be read or written using any of the
file-oriented monitor calls (i.e. SIN, SOUT, BIN, PMAP
referencing a file, etc.). The TOPS-20 file system already
provides this protection through the use of OPENF and access
checks.
3. The file can be mapped into a process (via GET), but only in
its entirety and only into a virgin process.
A process so created will be called an execute-only process.
An execute-only process must be restricted in the following ways:
1. No other process can read anything from an execute-only
process' address space or accumulators.
2. No other process can change any part of an execute-only
process' context in such a way as to cause the execute-only
process to reveal any part of its address space
unintentionally.
Some other related definitions:
1. A "virgin process" is one that has just been created (using
CFORK) but no operations which change its context or map into
the process have been performed on the process.
2. The "context" of the process includes its address space, PC,
AC's, interrupt system, traps, etc.
2.2 Non-definitions
The following attributes sometimes associated with execute-only are not
being implemented. Some of these features are described in detail in
section 4.
1. Hardware concealment of process pages. The KL10 hardware has
the capability to conceal pages within a process from other
parts of the same process. This feature, if used, would
provide the additional feature that non-execute-only programs
could load execute-only programs into their address space, such
as an execute-only Object Time System.
2. Protection from meddling with the operation of a process. The
protection provided is the minimum protection required such
that an execute-only process does not reveal its address space
unintentionally. Additional protection would be required for a
"no-meddle" capability. This capability would be useful for
programs that want to assure the integrity of a database or
programs that possess restricted capabilities.
3. Additional capabilities provided by file attributes. No
additional capabilities will be provided to execute-only
programs. A file attribute could be added which provided
additional capabilities to a process when it was executed.
4. Protection of other processes mapped from an execute-only
process. Thus it is possible to examine pages in a process
which is created by an execute-only process and which has pages
mapped from the execute-only process.
5. Protection of programs from programming errors. If an
execute-only program reveals itself in any way, regardless of
whether it was intentional or a programming error, no
protection will be provided. It is assumed that the programmer
understands that his program will be execute-only and will code
accordingly.
2.3 User Implications
A program will be execute-only for particular users based on its file
protection. If a user tries to RUN a file and can't READ it, but does
have EXECUTE access, a process will be created as usual. The file will
be mapped into this "virgin" process, circumventing the READ protection
on the file. This process will then be an "execute-only" process. This
process cannot be manipulated (examined, written, or mapped in any way).
Some of the characteristics that a TOPS-20 user would see relating to
execute-only files and processes:
1. Users may select a file to be execute only by allowing EXECUTE
but not READ access to the file. This can be done by setting
the protection field for the desired class of users (owner,
group or world) to FP%EX+FP%DIR, or 12 octal. For example, to
make a file execute-only for everybody except the owner of the
file, set the protection to 771212 octal.
The SET FILE PROTECTION command can be used to set the
protection, or the ;P attribute can be applied to the file
specification in the SAVE or CSAVE command.
2. Most programs (.EXE files) can be protected execute-only. Some
examples:
1. Any independent program run by the EXEC.
2. A saved image of a FORTRAN, COBOL, or BASIC program. Note
that it is up to the compilers to produce code which GETs a
certified version of the Object Time System (i.e. NOT from
the user's directory) for the selected language.
Some programs which cannot be execute only:
1. Any Object Time System (OTS).
2. The TOPS-10 Compatibility Package (PA1050).
3. The Record Management System (RMS).
4. Any program to be run by the TOPS-10 UUOs RUN or GETSEG.
5. Any program which needs to be started at any location
except its entry vector (START or REENTER address).
6. Any program with undefined entry points (not 0 or 1 in the
vector).
7. Any program that uses TOPS-10 style "CCL starts" (starting
at the start address plus one).
8. A compiler or linker invoked through the
COMPILE/LOAD/EXECUTE/DEBUG commands (because of CCL start).
3. The EXAMINE, DEPOSIT, MERGE, DDT, SET ENTRY-VECTOR, SET
PAGE-ACCESS, SET ADDRESS-BREAK commands will not work for
execute-only programs.
4. The CONTINUE command will not work after an execute-only
process is halted.
5. The START command cannot be used with a start address argument
for an execute-only process.
6. The INFORMATION (ABOUT) VERSION command will not return the
version of an execute-only program.
7. A program which is execute-only must be written to protect
itself. The program should not map itself out to inferior
processes. The program should not GET and execute programs
into its address space over which it has no control. Generally,
the programmer should take some care to protect the program if it
is to be execute-only.
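As an added example (not from the memo), the following Python decodes a TOPS-20 file protection word the way item 1 above describes it: three 6-bit fields for owner, group and world, where a field of FP%EX+FP%DIR (12 octal) grants EXECUTE without READ and so makes the file execute-only for that class. The values FP%RD = 040 and FP%WR = 020 are not stated in the memo and are assumed here from MONSYM; the function names are this example's own.

```python
# Added example, not from the memo: decode and build TOPS-20 file protection
# words. FP%EX = 010 and FP%DIR = 002 follow the memo (FP%EX+FP%DIR = 12 octal);
# FP%RD = 040, FP%WR = 020 and FP%APP = 004 are assumed from MONSYM.

FP_RD = 0o40    # read
FP_WR = 0o20    # write
FP_EX = 0o10    # execute
FP_APP = 0o04   # append
FP_DIR = 0o02   # list in directory

CLASSES = ("owner", "group", "world")   # high field to low field

def split_protection(word):
    """Split an 18-bit protection word into its (owner, group, world) 6-bit fields."""
    if not 0 <= word <= 0o777777:
        raise ValueError("protection word must fit in 18 bits")
    return tuple((word >> shift) & 0o77 for shift in (12, 6, 0))

def access_kind(field):
    """Classify one field as RUN would see it: READ allowed means the file is an
    ordinary readable program, EXECUTE without READ means execute-only, and
    neither means the class cannot run it at all."""
    if field & FP_RD:
        return "readable"
    if field & FP_EX:
        return "execute-only"
    return "no-execute"

def classify(word):
    """Map each class to the kind of access the protection word gives it."""
    return dict(zip(CLASSES, map(access_kind, split_protection(word))))

def make_execute_only(word, *classes):
    """Return word with the named classes set to FP%EX+FP%DIR (12 octal), the
    field value the memo prescribes for an execute-only file."""
    for cls in classes:
        shift = 12 - 6 * CLASSES.index(cls)
        word = (word & ~(0o77 << shift)) | ((FP_EX | FP_DIR) << shift)
    return word

if __name__ == "__main__":
    # The memo's own example: 771212 octal is readable by the owner only.
    print(oct(make_execute_only(0o777777, "group", "world")), classify(0o771212))
```

The memo's value 771212 octal splits into 77 (owner), 12 (group) and 12 (world), so `classify` reports the owner as "readable" and group and world as "execute-only"; the same word is what `make_execute_only` produces from the full-access word 777777 with group and world selected.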
2.4 Technical Implications
There are some general implications of this definition:
1. The JSYSes which allow access to other process' address space
must be restricted for execute-only processes. This prevents
direct copying of the execute-only file from the address space.
2. The JSYSes which change a process' context must be restricted
for execute-only processes. This prevents a malicious process
from changing the context of an execute-only process in such a
way as to reveal itself. An obvious example of this is mapping
a routine into the execute-only process which then writes the
entire address space out to a file. Less obvious is causing
the execute-only process to start at a random address which
(unintentionally) does the same thing.
3. An execute-only process can be started only at its entry
vector. This prevents starting the program at unpredictable
locations.
4. A process which is created by an execute-only process with the
same address space (using CFORK) must also become execute-only.
This prevents another process from copying the file through the
address space of the process created by the execute-only
process. This allows an execute-only process to create lower
processes which map its address space.
5. A GET of an execute-only file will work only to a virgin
process. This prevents the context of the process from
starting out on the wrong foot; i.e. with code already in
memory to dump the address space to a file or with pages from
the process already mapped to another process.
6. GET will work only on the entire execute-only file. This is to
prevent the malicious user from starting only part of a program
which may have the effect of revealing itself.
7. GET must be able to get an execute-only file without READ
access. READ access is required to read or map the file into
the process' address space; thus GET must circumvent the
existing file access checking.
8. GET must have special access to PMAP into an execute-only
process. In order to prevent access to a process which is
currently GETting an execute-only file, the process must be
marked as execute-only. However, the process executing the GET
must be allowed access to the execute-only process so as to use
PMAP from the file into the execute-only process.
9. Monitor-executed GETs of PA1050 and RMS for execute-only
processes must be restricted to physical SYS:. This prevents a
user version of "PA1050" from being loaded into an execute-only
process, which merely copies the address space out to a file
when a UUO is executed. Likewise with RMS and RMS functions.
2.5 Restrictions And Drawbacks
1. Only entire files may be protected - there is no page-by-page
access control.
2. Only disk-resident files can be considered execute-only.
3. GET will only work on an entire execute-only file.
4. An execute-only process cannot map any part of its address
space into another process, with the exception of creating a
copy with CFORK.
5. PA1050, RMS and any other Object-Time Systems cannot be
execute-only. This is due to the fact that they must be mapped
into a non-virgin address space.
6. The TOPS-10 UUOs RUN and GETSEG will not work on execute-only
files. As above, these UUOs require mapping into non-virgin
address space.
7. PA1050 and RMS must exist on physical (system logical name)
SYS: for execute-only programs. These versions should be
certified to protect the process' address space into which they
will be mapped and to which they will have access.
8. A user cannot use his own version of PA1050 and RMS with an
execute-only program.
9. Having WHEEL capability enabled will allow READ access; thus
execute-only processes will not be created by WHEELs and will
not be protected from other processes within that job. It is
assumed that a WHEEL process is responsible for its actions.
To perform a GET and create an execute-only process, the
program should disable WHEEL and re-enable it after the GET, if
required.
10. The version of an execute-only process cannot be read since it
is in the entry vector. Thus INFORMATION (ABOUT) VERSION will
not return the program version if the program is execute-only.
11. TOPS-10 style "CCL starts" (starting at the normal start
address plus one) will not work. This affects any compilers
and linkers which are currently invoked by the
COMPILE/LOAD/EXECUTE/DEBUG commands.
12. The SET NO UUO-SIMULATION command cannot be used when
execute-only programs are to be run. This is because SET NO
UUO-SIMULATION changes the Compatibility Package entry vector.
13. The version of an execute-only program cannot be read, since it
is stored only in the program's address space.
14. Inferiors of an execute-only process which have pages mapped
from their superior will not be protected. Thus the programmer
must take care that the program does not reveal itself through
its inferiors.
15. There will be no JSYS to explicitly indicate that a given
process is an execute-only process. Note that RFACS will
always fail for an execute-only process and can be used to get
this information, if someone actually can find a use for it.
3.0 IMPLEMENTATION
3.1 Control Structure
Three additional bits of process status will control the manipulation of
execute-only processes. These bits will be in the SYSFK area in the
job's Job Storage Block (JSB). This part of the JSB is indexed by
job-relative fork number (JRFN), one word per process in the job. The
new bits are defined as follows:
1. SFVGN - This is a "virgin" process. This bit is set by CFORK
when a new process is created without any mapping and without
starting the process. SFVGN is cleared whenever any
context-changing JSYS addressing the process is executed. Note
that all JSYSes and JSYS functions which are illegal for
execute-only processes will clear this bit.
2. SFEXO - This is an execute-only process. This bit is set when
either a GET of an execute-only file occurs to this process or
CFORK creates a process which maps an execute-only process.
SFEXO is cleared only by CFORK when creating a new process.
3. SFGXO - This process is doing an execute-only GET. This bit is
set in the process executing a GET of an execute-only file
during the GET process so that PMAP will allow the file to be
mapped into the execute-only process.
3.2 General Subroutines
3.2.1 CHKNXS - Check If Not Execute-only Or SELF - Routine CHKNXS will
be added to the general process-testing routines in the process module.
This routine will return if the process specified in T1 is either SELF
or not an execute-only process. Otherwise, an illegal instruction trap
will occur, returning the error mnemonic FRKHX8 - "Illegal to manipulate
an execute-only process".
If the specified process is not execute-only, it will be declared
non-virgin by clearing the virgin process bit SFVGN.
The process structure must be locked when this call is made.
Call:
T1/ Job-relative fork number to be tested
CALL CHKNXS
Returns:
+1: Always
3.3 Not-so-general Subroutines
3.3.1 SETEXO - Make Process Execute-only - This routine in FORK will
cause the selected process to become execute-only. If the process is
not virgin, then this will not succeed.
This routine is needed by GET and CFORK.
Call:
T1/ Job-relative fork number to become execute-only
CALL SETEXO
Returns:
+1: Process is not virgin and cannot be made execute-only
+2: Process is now execute-only
3.3.2 SETGXO/CLRGXO - Enable/Disable Execute-only GET Status - These
routines set and clear the execute-only GET bit (SFGXO) in the current
process. These routines are called by GET to allow it to map into an
execute-only process.
Call:
CALL SETGXO/CLRGXO
Returns:
+1: Always
3.3.3 SREADF - Set READ Access And Restricted-access - This routine in
IO will set the READ access bit (READF) and the restricted-access bit
(FRKF) in the status word for the selected JFN. Also, the previous
state of the FRKF flag will be returned.
This routine will only be called from GET. This routine is required to
allow GET to use BIN, SIN, PMAP, etc. to a file opened only for execute
access.
Call:
T1/ JFN
CALL SREADF
Returns:
+1: Always
T2/ Previous state of FRKF in LH,
process for FRKF in RH
3.3.4 CREADF - Clear READ Access And Restricted Access - This routine
un-does what SREADF did.
Call:
T1/ JFN
T2/ Previous state of FRKF in LH,
process for FRKF in RH
CALL CREADF
Returns:
+1: Always
3.4 New Error Mnemonics
3.4.1 FRKHX8 - Illegal to manipulate an execute-only process
3.5 JSYS Changes
3.5.1 Restricted JSYSes - The following JSYSes or JSYS functions which
either change a process' context or allow access to a process' address
space will be restricted for execute-only processes. For each of these
JSYSes or functions, a call to routine CHKNXS will be added. If the
process is execute-only and not SELF, then an illegal instruction trap
will occur for the executing process. The error mnemonic FRKHX8 -
"Illegal to manipulate an execute-only process" will be returned.
The JSYSes marked with an asterisk ("*") require special considerations
and are described in detail below.
1. CFORK - *
2. SFORK
3. SPACS
4. PMAP - *
5. RFACS
6. SFACS
7. SFRKV - vector locations other than 0 or 1
8. SIR
9. EIR
10. DIR
11. AIC
12. IIC
13. DIC
14. SIRCM
15. STIW
16. GET - *
17. SAVE
18. SSAVE
19. SEVEC
20. SCVEC
21. SDVEC
22. ADBRK - functions .ABSET, .ABCLR
23. TFORK - functions .TFSET, .TFRAL, .TFRTP, .TFUUO, .TFSJU,
.TFRUU
24. UTFRK
25. SETER
26. CRJOB - *
3.5.2 Special Case Restrictions -
3.5.2.1 CFORK -
CFORK creates a virgin process if CR%ST (start process) and CR%MAP (give
process same map as creating process) are not set. Note that loading
parameters in the ACs using CR%ACS does not make this a non-virgin
process. Setting CR%ST and either CR%ACS or CR%MAP would allow the
process to execute code and therefore makes the process non-virgin.
Setting CR%ST without CR%MAP or CR%ACS seems rather useless.
CFORK creates an execute-only process if bit CR%MAP is set and the
creating process is an execute-only process. This is the only way
(besides GET) to create an execute-only process.
3.5.2.2 PMAP -
It is illegal to specify an execute-only process as either the source or
the destination in a PMAP call unless it is SELF.
If the executing process is doing a GET of an execute-only file (SFGXO
set), then the process may map pages into any execute-only process.
3.5.2.3 GET -
A GET call which addresses an execute-only process is illegal unless the
process is SELF.
If the JFN specified in the GET call refers to a file for which the user
only has execute access, then the process specified must be a virgin
process. GET must overcome two protection features to GET an
execute-only file:
1. Reading the file without READ access (and not allowing others
access at the same time).
2. Mapping pages from the file into an execute-only process.
In order to allow the GET to succeed, the following steps are performed:
1. Perform OPENF on the file for READ and EXECUTE (as always).
2. If the OPENF succeeds, then proceed as usual (at step 13) since
the file is not execute-only access.
3. If the OPENF for READ and EXECUTE fails and either the
specified process is not virgin or GT%ADR (address limits) was
specified, return the error from the OPENF.
4. Perform OPENF for only EXECUTE access.
5. If this OPENF fails, return the error from the OPENF.
6. Lock the process structure.
7. Set the execute-only bit (SFEXO) in the destination process by
calling SETEXO. If the destination process is not virgin, the
execute-only bit will not be set and:
1. Unlock the process structure.
2. Close the file (but don't release the JFN).
3. Restart at step 1, returning the OPENF error this time.
8. Unlock the process structure.
9. Remember that this will be an execute-only GET.
10. Disable interrupts within this process (NOINT). This is to
protect the use of READ access to the file and the use of the
execute-only GET bit (SFGXO).
11. Set READ access and restricted-access in the JFN status for the
selected JFN by calling SREADF.
12. Set the execute-only GET bit (SFGXO) in the executing process
by calling SETGXO.
13. Perform the normal operations required to GET the file into the
process.
14. If any errors occur, proceed as below but return error.
15. If this was an execute-only GET:
1. Clear the READ access and restricted-access in the JFN
status by calling CREADF.
2. Clear the execute-only GET bit (SFGXO) in the executing
process by calling CLRGXO.
3. Enable process interrupts (OKINT).
16. Close the file (if possible) using CLOSF. Note that if pages
are mapped from the file, it will not be closed, but will be
left open with only EXECUTE access.
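To make the control structure of 3.1 and the GET sequence of 3.5.2.3 concrete, here is an added Python model (not from the memo and not TOPS-20 monitor code) of the SFVGN/SFEXO/SFGXO bits together with the checks the memo attaches to CHKNXS, SETEXO, CFORK, PMAP and GET. JFNs, OPENF, the process lock and the real calling conventions are simplified away, and the class and function names are the model's own; the point it shows is why each rule is needed: once an execute-only file has been GOT into a virgin fork the creating process is locked out of that fork, a fork that has already been mapped into is refused the file, and a CR%MAP child of an execute-only fork is execute-only itself.

```python
# Added example, not from the memo or from the TOPS-20 monitor source: a Python
# model of the process status bits SFVGN/SFEXO/SFGXO (3.1) and of the checks the
# memo attaches to CHKNXS, SETEXO, CFORK, PMAP and GET. JFNs, OPENF and the real
# calling conventions are simplified; class and function names are the model's own.

class FRKHX8(Exception):
    """Illegal to manipulate an execute-only process."""

class OpenError(Exception):
    """Stands in for the OPENF error returned when READ access is refused."""

class ExeFile:
    def __init__(self, readable, image):
        self.readable = readable   # False: caller has EXECUTE but not READ access
        self.image = image         # page number -> contents

class Process:
    def __init__(self, jrfn):
        self.jrfn = jrfn
        self.sfvgn = True    # virgin: fresh from CFORK, nothing mapped or changed
        self.sfexo = False   # execute-only
        self.sfgxo = False   # an execute-only GET is in progress in this process
        self.pages = {}      # address space

class Monitor:
    def __init__(self):
        self.procs = [Process(0)]   # CRJOB's top-level fork is always virgin (3.5.2.4)

    def cfork(self, creator, cr_map=False, cr_st=False):
        """CFORK: CR%MAP shares the creator's map (non-virgin, execute-only if the
        creator is); CR%ST starts the process, which also makes it non-virgin."""
        child = Process(len(self.procs))
        if cr_map:
            child.pages, child.sfvgn, child.sfexo = creator.pages, False, creator.sfexo
        if cr_st:
            child.sfvgn = False
        self.procs.append(child)
        return child

    def chknxs(self, caller, target):
        """CHKNXS: return if target is SELF or not execute-only, else trap FRKHX8;
        a target that is not execute-only is declared non-virgin (3.2.1)."""
        if target is not caller and target.sfexo:
            raise FRKHX8(f"fork {target.jrfn}")
        if not target.sfexo:
            target.sfvgn = False

    def setexo(self, target):
        """SETEXO: False (+1 return) if the target is not virgin, else mark it."""
        if not target.sfvgn:
            return False
        target.sfexo = True
        return True

    def pmap(self, caller, target, page, content):
        """PMAP: the usual CHKNXS check, waived while the caller holds SFGXO (3.5.2.2)."""
        if not caller.sfgxo:
            self.chknxs(caller, target)
        target.pages[page] = content

    def get(self, caller, f, target):
        """GET, in the order of the steps in 3.5.2.3."""
        if target is not caller and target.sfexo:
            raise FRKHX8(f"fork {target.jrfn}")
        exo_get = False
        if not f.readable:                                   # OPENF for READ failed
            if not target.sfvgn or not self.setexo(target):  # steps 3 and 7
                raise OpenError("READ access refused")
            exo_get, caller.sfgxo = True, True               # steps 9 and 12 (SETGXO)
        try:
            for page, content in f.image.items():            # step 13
                self.pmap(caller, target, page, content)
        finally:
            if exo_get:
                caller.sfgxo = False                         # step 15 (CLRGXO)
        target.sfvgn = False                                 # GET changes the context
        return target

def demo():
    """Returns (exec_locked_out, dirty_fork_refused, cr_map_child_is_exo)."""
    m = Monitor()
    exec_ = m.procs[0]                                       # the command processor
    prog = ExeFile(readable=False, image={0: "entry vector", 1: "code"})
    fork = m.cfork(exec_)                                    # virgin fork for RUN
    m.get(exec_, prog, fork)
    try:
        m.chknxs(exec_, fork)                                # what RFACS, SFORK, ... do first
        locked_out = False
    except FRKHX8:
        locked_out = True
    dirty = m.cfork(exec_)
    m.pmap(exec_, dirty, 5, "routine that would write the address space out")
    try:
        m.get(exec_, prog, dirty)                            # not virgin: refused at step 3
        refused = False
    except OpenError:
        refused = True
    child = m.cfork(fork, cr_map=True)
    return locked_out, refused, child.sfexo
```

`demo()` returns `(True, True, True)`. Note that the SFGXO waiver in `pmap` is scoped to the executing process and cleared in a `finally`, which is the model's rendering of steps 10 through 15: the READ access and the GET bit exist only for the duration of the GET, so an error part-way through cannot leave the fork reachable.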
3.5.2.4 CRJOB -
When CRJOB creates a new job, it also creates the top-level process.
CRJOB will always create a virgin process. Thus, an execute-only
program can be RUN as the top-level fork.
3.5.3 JSYSes Not Affected -
3.5.3.1 Context-changing JSYSes - The following JSYSes affect the
context of a process. However, their effect cannot cause a process to
reveal its address space.
1. SPLFK
2. EPCAP
3. CLZFF
4. SCTTY
5. SPJFN
6. HFORK
7. KFORK
8. RFORK
9. FFORK
10. PRARG
Note that all the file JSYSes can also change the context of an
execute-only process!
3.5.3.2 Other JSYSes - The following JSYSes reference other processes
but neither reveal the process' address space nor change the context of
the process.
1. GETER
2. ERSTR
3. RUNTM
4. GTRPI
5. GTRPW
6. RIR
7. SKPIR
8. RCM
9. RWM
10. RIRCM
11. RTIW
12. RPCAP
13. WFORK
14. RFSTS
15. RFRKH
16. GFRKS
17. RMAP
18. RPACS
19. GEVEC
20. GCVEC
21. GDVEC
22. RTFRK
3.5.3.3 Privileged JSYSes - The following JSYSes reference processes but
are privileged. These JSYSes will not be restricted for execute-only
processes:
1. SPRIW
2. MSFRK
3.6 Other Monitor Changes
3.6.1 Monitor-executed GETs Of PA1050 And RMS -
The monitor must assure that only a certified copy of PA1050 or RMS is
loaded for execute-only processes. This certified copy is assumed to
exist on physical (system logical name) SYS:. When an execute-only
process requests PA1050 or RMS, the monitor will set GJ%PHY for the
GTJFN of SYS:xxx.EXE.
3.6.2 Use Of Restricted-access JFNs -
Currently, the restricted-access JFN bit (GJ%ACC) in the GTJFN call only
restricts the JFN from inferiors of the owning process. The routine
CHKJFN would have to be modified to restrict the JFN to a single
process. The JFN could only be accessed after the process was KFORKed
or RESET.
This change is required for the execute-only GET code.
3.7 EXEC Changes
Some changes are required to the TOPS-20 Command Processor (EXEC).
3.7.1 Illegal Instruction Processing - Currently the EXEC prints the
offending instruction if an illegal instruction trap should occur. The
EXEC should not print the instruction if it can't access the process
(because it is execute-only).
3.7.2 EXAMINE/DEPOSIT Commands - These commands should neatly print the
error string if the process access JSYSes should trap because the
selected process is execute-only.
3.7.3 TOPS-10 Compatible START/REENTER/DDT Commands - These commands
cannot call PA1050 if the process is execute-only, as they currently do.
3.7.4 RDMAIL - The EXEC's interface to RDMAIL implies that RDMAIL
cannot be execute-only.
3.7.5 INFORMATION (ABOUT) VERSION Command - The version of an
execute-only process cannot be read. The EXEC should just not print it
if the process is execute-only.
3.7.6 SET ADDRESS-BREAK, ENTRY-VECTOR, PAGE-ACCESS - These commands
should be neat about the error string also.
4.0 RELATED FEATURES
Below are descriptions of some features related to execute-only not
planned for implementation but available for comment.
4.1 Hardware Page Concealment
4.1.1 Definition -
Page concealment is a feature of the KI10 and KL10 hardware allowing
part of an address space to be concealed from the rest of the address
space. Pages marked as concealed can only be transferred into at
locations containing a PORTAL (JRST 1,) instruction.
Page concealment would have to be used in conjunction with the
execute-only implementation described above, since it seems useless to
protect a part of an address space from the rest of it without also
protecting it from other processes via the JSYSes.
The following additional features would be gained from this:
1. It would be possible to GET an execute-only file into a
non-virgin address space, marking it as concealed. This would
be the case of a non-execute-only program using an execute-only
OTS.
2. The TOPS-10 UUO's GETSEG and RUN would work on execute-only
programs.
The following restrictions would apply:
1. No execute-only program can GET another execute-only program
into its address space. This restriction affects execute-only
programs desiring to use execute-only OTSes.
2. Only one execute-only segment can exist PER JOB. This is
because any process running concealed can map any other process
running concealed through indirect map pointers. To eliminate
this restriction would require significant changes to the way
KL paging works in the hardware.
3. This type of concealment would only be available on the
processors that support it; i.e. the KI10 and KL10. The KS10
does not support page concealment.
4.1.2 Possible Implementation -
Implementation would include the following:
1. All pages created (by whatever means) will be marked as Public.
2. GET of an execute-only program would set the Concealed bit in
each page that was loaded from the file.
3. SFORK and SFRKV would enter in Public mode so as to require
concealed pages to have PORTALs.
4.2 Meddle Protection
4.2.1 Definition -
Basically, meddle protection implies that a program so protected would
always be able to run to completion in an orderly fashion. Programs
which would need this type of protection would be, for example, a
database manager which wants to keep its database consistent.
This implies that the only way a meddle-proof fork could be killed is by
the fork halting under its own control (or by panic channel interrupts
not enabled for).
4.2.2 Possible Implementation -
Part of the burden must be placed on the user program to be intelligent
enough to handle all existing traps. Also the user must protect his
program as execute-only if the user also wants that protection.
Some of the changes required would be:
1. A new file attribute would indicate meddle-proof-ness.
2. A method of setting the meddle-proof attribute would be
required.
3. GET would check the meddle-proof status when it loads the file,
and set a per-process status bit accordingly.
4. All JSYSes which affect the interrupt system would become
restricted. These include SIR, EIR, DIR, AIC, IIC, DIC, STIW,
SIRCM.
5. All JSYSes which freeze a process must be restricted. These
include ADBRK, TFORK, UTFRK, FFORK, RFORK.
6. JSYSes which change capabilities must be restricted. These
include EPCAP.
7. JSYSes which change the fork structure must be restricted.
These include SPLFK.
8. JSYSes which stop or reset a fork must be restricted. These
include KFORK, HFORK, RESET. These JSYSes would be legal only
if the meddle-proof fork was halted. Possibly these should
cause an interrupt in the meddle-proof fork.
9. The EXEC must be changed to do something more reasonable with
the new errors from these JSYSes.
4.3 Process Capabilities From Files
4.3.1 Definition - This feature would allow a file to give a particular
process more capabilities than it normally would have. This would be
useful, for example, for an operator to run a DUMPER which had full file
access capability, which the operator would not have.
4.3.2 Possible Implementation -
As with meddle-proof-ness above, the user program must take some
responsibility for protection of the additional capabilities granted.
This includes using the execute-only and meddle-proof features described
above.
Some of the changes that would be required would be:
1. Add a file attribute called Additional Capabilities.
2. Add a method of setting this attribute. Only a user with the
requested capabilities could give them to any particular file.
Thus a user with insufficient capabilities could not copy the
file without decreasing the capabilities it provides.
3. GET would OR the existing capabilities of the process with the
Additional Capabilities that a file provides for the process.
This would only occur for virgin processes.
[End of EXONLY.MEM]
+---------------------------+
! ! ! ! ! ! ! !
! d ! i ! g ! i ! t ! a ! l ! i n t e r o f f i c e m e m o r a n d u m
! ! ! ! ! ! ! !
+---------------------------+
To: TOPS-20 Meeting Attendees
CC:
From: Tom Porcher
Dept: LCG Software Engineering
Loc: MR1-2/E37 Ext: 231-6877
Date: 17-Jan-78
PDM: TCP-78-002-00-S
Subject: Restricted Access and Execute-Only
1.0 INTRODUCTION
This memo is an addendum to the specification "Execute-Only Files on
TOPS-20", written by me and dated 13-Jan-77. If you haven't read that
spec, I suggest that you do before you read this.
I mentioned the capability of restricting a JFN to a particular process,
needed in order to perform a GET of an execute-only file. I intended to
use the control exercised by GTJFN with GJ%ACC, and not OPENF with
OF%RTD as the spec said.
The documentation for these functions and related JSYSes is very
unclear. I would like to point out where the documentation is unclear
and what additional functionality is required to support execute-only
files on TOPS-20.
1.1 Existing Related Functions
Just to clarify what exists and its relation to what is needed for
execute-only, let's see how things work now.
1.1.1 GTJFN With GJ%ACC - Setting GJ%ACC in the GTJFN call restricts
the JFN from use by any of the inferiors of the process performing the
GTJFN. This will be called "restricted JFN access". Note that
superiors still have access to the JFN and another process can always
access the same file by using a different JFN. Also, GTSTS (get file
status) always works regardless of whether a JFN is restricted or not.
This function is well documented in the TOPS-20 Monitor Calls manual
under GTJFN.
1.1.2 OPENF With OF%RTD - This restricts the file which is opened to
the JFN which it is currently opened on. Thus, no other process can
open another JFN on the file in question. This will be called
"restricted file access". However, another process can use the same JFN
to access the file (unless it is restricted using GJ%ACC above).
This function is not clearly documented. It in fact mentions "process"
where OF%RTD is not related to any process.
1.1.3 CLZFF With CZ%UNR - Setting CZ%UNR (unrestrict JFNs) in the CLZFF
(close process' files) call removes only the JFN access restrictions
implied by setting GJ%ACC. This call may be executed by any superior
process to the process which got the JFN with GTJFN and set GJ%ACC.
This function is documented very poorly. It is not clear whether this
function removes what GJ%ACC did or what OF%RTD did, or both.
1.1.4 GTSTS (GS%FRK Bit) - This bit means that this is a restricted
access JFN, i.e. GJ%ACC was set in the GTJFN call for the JFN whose
status was requested.
The documentation of this bit is wrong, or at least very dubious: "If
the file is open, it is open for restricted access". This implies
restricted file access, provided by OF%RTD in OPENF.
1.1.5 STSTS (GS%FRK Bit) - Setting this bit in the STSTS call has no
effect. Clearing this bit in the STSTS call will clear restricted JFN
access, provided by GJ%ACC in the GTJFN call. This, like all the other
file JSYSes, requires the executing process to be superior to the
process who set GJ%ACC if it is a restricted access JFN.
The documentation of the GS%FRK bit is, as with GTSTS, wrong. Also the
documentation does not indicate that you can only clear (and not set)
any of the bits which you can modify (GS%ERR, GS%HLT, GS%FRK).
1.2 Functions Required By Execute-only
The GET code for an execute-only file has to have the execute-only file
open for READ. However, it is mandatory that no other processes have
access to this JFN while the file is open for READ, since they would be
able to steal the execute-only program.
Thus, restricted JFN access is required, but the restrictions must be
stronger than those currently provided by GTJFN (GJ%ACC). The JFN must
be restricted for use only by the process performing the GET. Note that
the following additional capabilities would be required for execute-only
GET:
1. JFN usage restricted to a single process (no superiors).
2. JFN usage restricted to the process performing the OPENF or GET
(not the one performing the GTJFN).
This could be implemented by either:
1. modifying the way restricted JFN access works now or
2. adding a new OPENF function or
3. adding a monitor-internal restriction mechanism to be used only
by GET.
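The gap described in 1.1 and 1.2 can be shown with a small added Python model (not from the memo and not TOPS-20 monitor code) of the two existing mechanisms, restricted JFN access (GTJFN with GJ%ACC) and restricted file access (OPENF with OF%RTD), beside the single-process restriction that execute-only GET needs. The process tree, the JFN table and the `single_process` flag are the model's own simplifications; the flag stands for whichever of the three implementation options above is chosen and does not exist in the TOPS-20 the memo describes.

```python
# Added example, not part of the memo: a model of restricted JFN access (GJ%ACC),
# restricted file access (OF%RTD) and the single-process JFN restriction that
# section 1.2 says execute-only GET requires. All names are the model's own.

class Process:
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent

    def is_superior_of(self, other):
        p = other.parent
        while p is not None:
            if p is self:
                return True
            p = p.parent
        return False

class File:
    def __init__(self, name):
        self.name = name
        self.open_jfns = []   # JFNs the file is currently open on
        self.rtd = False      # OF%RTD: no other JFN may be opened on the file

class Jfn:
    def __init__(self, number, file, holder, gj_acc):
        self.number, self.file = number, file
        self.acc_owner = holder if gj_acc else None   # GJ%ACC bars the holder's inferiors
        self.opener = None                            # process that performed OPENF
        self.single = False                           # proposed: usable by the opener only

class JfnTable:
    def __init__(self):
        self.jfns = []

    def gtjfn(self, proc, file, gj_acc=False):
        """GTJFN: hand out a JFN; GJ%ACC gives it restricted JFN access."""
        j = Jfn(len(self.jfns) + 1, file, proc, gj_acc)
        self.jfns.append(j)
        return j

    def openf(self, proc, jfn, of_rtd=False, single_process=False):
        """OPENF: fails if the file is already open on another JFN with OF%RTD
        (restricted file access). single_process is the stronger restriction
        of 1.2: the JFN becomes usable only by the process doing this OPENF."""
        f = jfn.file
        if f.rtd and any(o is not jfn for o in f.open_jfns):
            raise PermissionError(f"{f.name} is open with restricted file access")
        f.rtd = f.rtd or of_rtd
        f.open_jfns.append(jfn)
        jfn.opener = proc
        jfn.single = single_process

    def can_use(self, proc, jfn):
        """May proc perform file operations (SIN, PMAP, ...) through this JFN?"""
        if jfn.single:
            return proc is jfn.opener
        if jfn.acc_owner is not None and jfn.acc_owner.is_superior_of(proc):
            return False     # GJ%ACC: inferiors of the holder are barred ...
        return True          # ... but superiors and unrelated processes are not

def demo(single_process):
    """The scenario of 1.2: 'getter' has the execute-only file open for READ.
    Returns (inferior_can_use, superior_can_use, other_jfn_can_open)."""
    top = Process("EXEC")
    getter = Process("getter", parent=top)
    inferior = Process("inferior", parent=getter)
    stranger = Process("stranger", parent=top)
    t = JfnTable()
    prog = File("PROG.EXE")
    j = t.gtjfn(getter, prog, gj_acc=True)
    t.openf(getter, j, of_rtd=True, single_process=single_process)
    j2 = t.gtjfn(stranger, prog)       # a second JFN on the file is always obtainable
    try:
        t.openf(stranger, j2)
        other_can_open = True
    except PermissionError:
        other_can_open = False
    return t.can_use(inferior, j), t.can_use(top, j), other_can_open
```

With the existing mechanisms (`demo(False)`) the inferior is barred and no second JFN can be opened, but the superior EXEC can still use the READ-open JFN, which is exactly the exposure the memo warns about; with the single-process restriction (`demo(True)`) only the process performing the OPENF can use it.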
1.3 Functions Required By Meddle-proof-ness
In order to implement meddle-proof-ness (which is not yet planned), a
facility to restrict JFN usage to a single process is required. Note
that this is similar to the requirements of GET above, but does not
require the OPENFing process to be the owning process.
[End of RSTEXO.MEM]