Virtual Control Storage - Security Measures in VM/370

architecture of a virtual machine system has speciJic advantages over that of conventional operating systems because virtual machines are well separated from one another and from the control program. This structure requires that a protected, multiuser resource manager be placed in a distinct virtual machine because the protection domain and scheduling unit are one erztity, the virtual machine. But cooperation between distinct virtual machines necessarily entails scheduling overhead and often delay. ~ This paper describes an experimental extension to VMl370 ' whereby a distinct execution and data domain (Virtual Control Storage) is made available to virtual machines that require access to a resource manager, without requiring a change in the scheduling unit. Thus scheduling overhead and delays are avoided when transition is made between user program and resource manager. A mechanism is described for exchanging data between execution domains by means of address-space mapping. For the purposes of this paper, the security of a computing system relates to its ability to perform according to design objectives and administrative policies, regardless of the use to which it is subjected, particularly in the face of conscious attempts to sub-vert its protection mechanisms. Examples of design objectives and administrative policies are the ability to allow access to data only on presentation of a password by the user or through the mediation of some system (or user) program, charging of each user according to a function of his central processor and his main and auxiliary storage usage, and scheduling the usage of system resources according to a " fair share " algorithm (or perhaps some other). The system's protection mechanisms are the components that enforce the objectives and policies. If those mechanisms are subverted, the objectives and policies are not met, and the system is said to be not secure. It is generally acknowledged that no commercially significant system can be confidently termed secure by this definition.lV6 Copyright 1979 by International Business Machines Corporation. Copying is permitted without payment of royalty provided that (1) each reproduction is done without alteration and (2) the Journd reference and IBM copyright notice are included on the first page. The title and abstract may be used without further permission in computer-based and other information-service systems. Permission to republish other excerpts should be obtained from the Editor. AWANASIO Figure 1 Typical configuration of virtual machines controlled by one VMM. VM1 VMM 1 In this paper, improving the security (or …