PDP-10 Archives (Trailing-Edge): ks10_8080_microcode/v5-2.not
4.2 VS. 5.2...
--------------
At the end of April 79 Mark Tighe (DDC) sent a memo to Gary
Clearwater (FS) detailing some possible security risks embedded in
the 8080 Microcode. These consisted of the following problems:
(1) One can dial up on the KLINIK line and just hit a character and
the repeat button. The KS-10 will respond with a ?NA as fast
as it can. This will cause all output to the CTY to stop, and
since TOPS-20 can then do nothing with the CTY the system
may crash. What the 8080 should do is hang up the line so that
this is not possible and the person on the remote line would
have to dial up again.
This was fixed by causing the 8080 to hang up the line after the
?NA. The place in the code where this was fixed is at line
number 2201, label MODE0:. Instead of just returning to the caller
via RET, this section (after it prints ?NA) goes to KILL.KLINIK
to actually hang up the line. It now does a JMP KILL.KLINIK.
In addition, another fix would have cured the problem anyway.
This was to allow simultaneous output to both the CTY and KLINIK
without letting KLINIK output delay CTY output until it is done.
Before, KLINIK had a higher priority than the CTY for output.
Now, KLINIK still has the higher priority, but if both want
output the time is shared equally between the CTY and KLINIK, so
for that situation they are of equal priority.
(2) One can dial up the KS-10 and, as a User Mode KLINIK, lock the
CTY out of output. This is described in the previous paragraph
and is fixed as follows: In 'KS10 to 8080 Character Service'
the last thing done was a JMP TTOCOM, which writes the data
into one of the reserved words (words 31..35) so that TOPS-20
can do whatever it wants with it. Then the 8080 went back to
the null job and picked up another character, and since KLINIK
had the highest priority, took it from there. So the CTY never
got serviced. The correction in the code was to change the
JMP TTOCOM to CALL TTOCOM to output the character, then to
return to the calling point and do a DI. Control then just passes
through the following code, which happens to be the CTY
character handling code. The DI is there to turn off interrupts
while the CTY character (if there is one) is being handled,
so that output alternates between a KLINIK character and a
CTY character. The JMP TTOCOM code used the return in TTOCOM to
get back. Doing the CALL TTOCOM uses that same return to get
back to the calling point; the return in the CTY code is then
used as the final return. The CALL TTOCOM, DI code is located
at line number 2073 at label NULKL:.
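The starvation described in items (1) and (2), and the effect of the alternating fix, can be seen in the following model. It is an added illustration, not code from the 8080 microcode: the ConsoleOutput class, the policy names 'strict' and 'alternate', and the sample ?NA flood are assumptions made here.

```python
"""Model of how the 8080 arbitrates console output between the KLINIK line
and the CTY, before (4.2) and after (5.2) the change described in items (1)
and (2).  Added illustration, not the DEC microcode: the ConsoleOutput
class, its policy names and the sample traffic are assumptions."""
from collections import deque


class ConsoleOutput:
    """One step() is one pass through the null job's character service.

    strict    (4.2): KLINIK has higher priority, so it is serviced whenever it
                     has a character; the CTY only gets a turn when KLINIK is
                     idle.  A remote caller who never stops sending (a held
                     repeat key producing an endless stream of ?NA replies)
                     therefore starves the CTY.
    alternate (5.2): after the KLINIK character is output (CALL TTOCOM instead
                     of JMP TTOCOM) control falls into the CTY handler, so each
                     pass services one KLINIK character and one CTY character.
    """

    def __init__(self, policy):
        assert policy in ("strict", "alternate")
        self.policy = policy
        self.klinik = deque()       # characters waiting for the KLINIK line
        self.cty = deque()          # characters waiting for the CTY
        self.sent = []              # (port, char) in output order

    def queue_klinik(self, text):
        self.klinik.extend(text)

    def queue_cty(self, text):
        self.cty.extend(text)

    def step(self):
        if self.policy == "strict":
            if self.klinik:
                self.sent.append(("KLINIK", self.klinik.popleft()))
            elif self.cty:
                self.sent.append(("CTY", self.cty.popleft()))
            return
        if self.klinik:
            self.sent.append(("KLINIK", self.klinik.popleft()))
        if self.cty:
            self.sent.append(("CTY", self.cty.popleft()))

    def cty_output(self):
        return "".join(c for port, c in self.sent if port == "CTY")


def cty_output_under_flood(policy, passes=10):
    """Constructed scenario: the remote line floods ?NA replies while TOPS-20
    has a message for the CTY.  Returns what reached the CTY after `passes`
    passes through the null job."""
    con = ConsoleOutput(policy)
    con.queue_klinik("?NA\r\n" * 100)            # far more than `passes`
    con.queue_cty("%TOPS-20 needs the CTY\r\n")  # constructed message
    for _ in range(passes):
        con.step()
    return con.cty_output()


if __name__ == "__main__":
    print(repr(cty_output_under_flood("strict")))     # ''
    print(repr(cty_output_under_flood("alternate")))  # '%TOPS-20 n'
```

Under the strict policy the CTY message never starts to appear as long as the remote line keeps sending; under the alternating policy it drains one character per pass regardless of how much the KLINIK side has queued, which is the property the 5.2 change buys.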
(3) If someone had dialed in on KLINIK (KL 1) and given the password
and so forth in Protect Mode, someone else could call in afterwards
and fiddle with the system without being asked for a password.
This occurred because various places did not cause the 8080
to reexamine the mode it was in when carrier went
away or someone on KLINIK just hung up. To fix this, the following
sections of code were modified:
Line 979 was CNZ HANGUP (in the null job)
Line 2061 was CALL HANGUP (in the 8080/KS10 character service
code, where the 8080 realizes that the KLINIK comm word contains a 2,
which indicates 'hangup')
These lines were changed to CNZ KILL.KLINIK and CALL KILL.KLINIK
respectively. KILL.KLINIK is located directly before HANGUP: and
clears the KLINIK status word via CLRB KLNKSW. This causes
a reexamination of the status of the 8080 and KLINIK. Hence
a password will be requested in the future.
(4) DTR would be lost if the KS10 was running stand-alone (i.e. at the
KS10> prompt), the KLINIK line was active, and carrier went away
for some reason. Since DTR was gone, no one trying to call up
the KS10 on KLINIK would succeed. This problem was fixed
by adding two lines of code to the routine at label KLNKLT:.
This routine reexamines the switches and makes sure that DTR
does not go away: it does LDA STATE followed by OUT DTR.
(5) TT command does not cause a proper mode change. If someone at
the CTY resets the password (which hangs up the KLINIK line as well)
and then says TT, someone can call back and not be challenged for a
password. This is because TT automatically put KLINIK into
mode 2 (assumes that a password has already been given and
it was correct) rather than putting it into mode 2 only if
a password has been given and into mode 1 if not.
This was fixed by adding a little code to the TT command
to check whether the current mode is 0 or 1 (no password
given yet) and not putting it into mode 2 unless already in
mode 2 or 3. The code is as follows:

        LDA     CSLMODE         ;Get current mode
        SUI     .MODE2          ;Is it less than mode 2?
        JP      SETM2           ;If not (already mode 2 or 3) go set mode 2
        CLRB    KLNKSW          ;If so (mode 0 or 1) clear KLINIK status to
                                ; force reexamination of switches
        RET                     ;Return

(Note - in this note when originally written - JP was JM)
The above constitutes the changes made to obtain 5.2 from 4.2,
plus an extra one (the last bit of code). There is another problem
which has come up due to the above fixes: giving a c-z (control-Z)
on the CTY will cause someone on the KLINIK line to have to type in the
password again, since the KLINIK status word got cleared and the 8080 will
not let the KLINIK user back on without it.
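The password-state handling behind items (3) and (5), and the c-z side effect just mentioned, as an added model that is not the 8080 microcode: the Klinik class, its event methods and the PASSWORD value are assumptions made here. The mode meanings are taken from this note (0 and 1 mean no password given yet, 2 and 3 mean the password was accepted), and KLNKSW is modelled as the status word whose clearing forces the 8080 to reexamine its switches.

```python
"""Model of the KLINIK password state behind fixes (3) and (5) above, and of
the c-z side effect noted at the end.  Added illustration, not the DEC 8080
microcode: the Klinik class, its event methods and PASSWORD are assumptions.
Mode meanings are taken from the note: 0 and 1 = no password given yet,
2 and 3 = password accepted.  KLNKSW is the status word; when it is 0 the
8080 reexamines its switches and derives the mode afresh."""

PASSWORD = "secret"        # constructed; the real password is not in the note


class Klinik:
    def __init__(self, version):
        assert version in ("4.2", "5.2")
        self.version = version
        self.mode = 0
        self.klnksw = 0
        self.carrier = False
        self._reexamine()       # power-up: switches examined, no password yet

    def _reexamine(self):
        """Effect of a cleared KLNKSW: the mode is rederived from the
        switches, so the next KLINIK user is challenged for the password."""
        if self.klnksw == 0:
            self.mode = 1
            self.klnksw = 1

    def call_in(self):
        """A remote caller gets carrier.  Returns True if they are already
        past the password check, i.e. no challenge is issued."""
        self.carrier = True
        self._reexamine()
        return self.mode >= 2

    def give_password(self, pw):
        if self.mode < 2 and pw == PASSWORD:
            self.mode = 2
        return self.mode >= 2

    def hangup(self):
        """Remote hung up or carrier dropped.  4.2 ran HANGUP, which only
        drops the line; 5.2 runs KILL.KLINIK, which clears KLNKSW first."""
        self.carrier = False
        if self.version == "5.2":
            self.klnksw = 0

    def reset_password_from_cty(self):
        """CTY password reset; the note says it hangs up the line as well."""
        self.mode = 0
        self.hangup()

    def tt_command(self):
        """CTY TT command.  4.2 forced mode 2.  5.2 keeps mode 2 only if the
        mode is already 2 or 3; otherwise it clears KLNKSW (the LDA/SUI/JP
        sequence quoted in item (5))."""
        if self.version == "4.2" or self.mode >= 2:
            self.mode = 2
        else:
            self.klnksw = 0

    def cty_control_z(self):
        """c-z on the CTY.  In 5.2 this clears KLNKSW, so a logged-in KLINIK
        user loses their authenticated state (the side effect the note
        reports).  That 4.2 left it alone is an assumption drawn from the
        note saying the problem came 'due to the above fixes'."""
        if self.version == "5.2":
            self.klnksw = 0

    def klinik_user_still_in(self):
        self._reexamine()
        return self.carrier and self.mode >= 2


# Scenarios: each returns True if the named behaviour is observed.

def second_caller_skips_password(version):
    """Item (3): authenticated user hangs up, a new caller dials in."""
    k = Klinik(version)
    k.call_in()
    k.give_password(PASSWORD)
    k.hangup()
    return k.call_in()


def tt_after_reset_skips_password(version):
    """Item (5): CTY resets the password, types TT, someone calls back."""
    k = Klinik(version)
    k.reset_password_from_cty()
    k.tt_command()
    return k.call_in()


def control_z_logs_out_klinik_user(version):
    """Closing paragraph: c-z on the CTY while a KLINIK user is logged in."""
    k = Klinik(version)
    k.call_in()
    k.give_password(PASSWORD)
    k.cty_control_z()
    return not k.klinik_user_still_in()


if __name__ == "__main__":
    for v in ("4.2", "5.2"):
        print(v, second_caller_skips_password(v),
              tt_after_reset_skips_password(v),
              control_z_logs_out_klinik_user(v))
```

The model makes the trade-off visible: every path that drops carrier or resets the password now funnels through a single "clear KLNKSW" step, which is what closes (3) and (5), and the same step is why an unrelated CTY action (c-z) can knock an authenticated remote user back to the password prompt.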