points by nickpsecurity 6 years ago

re 1&2. Ok, that's what I was thinking. Thanks for the refresher.

re protection model. Nah, it was MULTICS from a Saltzer and Schroeder paper. They're among the pioneers of INFOSEC in high-assurance security which I'm often talking about here. They describe their reasoning about that here [1]. It, segments, and an IOMMU were in SCOMP, the first system certified to high security. Early promoter Roger Schell got an ex-Burroughs guy that Intel hired to add the rings and segments to their chips so high-assurance security kernels could use them. The one he backed and got certified, GEMSOS, did leverage about every security feature on Intel CPUs. STOP used all the rings. GEMSOS had a hybrid scheme. BAE was selling STOP with Aesec still selling GEMSOS. Threw in a link on security kernels [2] if you want to check that out. Today's state of the art moved on to secure hardware/software architectures using a mix of formal verification and language-level security on top of other QA activities. The competition used type enforcement [3] and capability security [4].

[1] https://www.multicians.org/protection.html https://www.multicians.org/exec-env.html

[2] http://www.cse.psu.edu/~trj1/cse443-s12/docs/ch6.pdf

[3] https://cryptosmith.com/mls/lock/

[4] https://web.archive.org/web/20160304223007/https://www.cis.u...

monocasa 6 years ago

The four rings and their purpose were copied from VAX and VMS. It was specifically added by Intel trying to convince DEC to port VMS.

The GE-645 had 16 protection rings in hardware IIRC, and was designed so that unprivileged software would see essentially an unlimited number of rings. It's a very different model in practice (and way better IMO).

IMO we're probably going to have to migrate back to a hardware model to describe the memory regions to hardware to protect against the cache based Spectre variants the same way we protect against Meltdown.

  • nickpsecurity 6 years ago

    "The GE-645 "

    That was part of the MULTICS project.

    "The four rings and their purpose was copied from VAX and VMS. It was specifically added by Intel trying to convince DEC to port VMS."

    Oh yeah, I forgot VMS had rings. Cutler did VMS and Windows NT. So, that would make sense. It might have been segments the Burroughs guy sold them on. Anyway, I just found a nice link with more details about VMS vs Windows needs for rings for anyone curious.

    https://superuser.com/questions/1063420/why-do-x86-cpus-only...

    Still curious, though, since they were doing all their security pushing subversively back then since hardly anyone cared about it. Found the [long, long] interview below:

    https://conservancy.umn.edu/bitstream/handle/11299/133439/oh...

    Here's what he said:

    "I took a Digital Equipment Corporation PDP-11/45. I picked the 11/45 because it had hardware segmentation, and the other DEC equipment didn’t; and used the 11/45 to build a security kernel; a guy named Lee Schiller built a first demonstration security kernel. The first running security kernel was on the DEC PDP-11/45, which was a legitimate security kernel, and was tamperproof, small and verifiable, and non-by-passable, and had three protection rings in the hardware. They didn’t know it, but they did. And so that was close enough to allow us to build that security kernel." (my emphasis)

    He talks like it was an accident of the design. Later, he says they weren't trying to sell security to the government like IBM was, were surprised they were doing security kernels on it, and otherwise kept pushing it as a minicomputer. Really strange. I don't know much about why the PDP-11/45 and VAX were designed the way they are, which VAXes had rings first, or why. My traceability stops there on them for now. Here's what I was remembering about Schell and Intel x86:

    "During that time I also consulted with Intel on the x86 architecture. Ted Glaser had been with them as a significant consultant during development, since he was an architect at Burroughs, and then it was naturally he would be an architect and consultant. And he had recommended that I consult with him on some of the security issues, which I did, and had some of what I think the architect for the x86 called small but significant impacts on the x86 architecture—a reasonable characterization—so that it would support a high assurance security. And it did. I mean, the architecture; what they had originally did have flaws, and problems, and those we believe were wrung out so that the x86 architecture was one that could support that. And so the papers you saw then later with GEMSOS from Gemini Computers and such, you know, leveraged that. But the x86 was just evolving at that time and since I knew enough about what it was, and there was enough published, my research results at the postgraduate school looked forward to that. We took a z2000 microprocessor and actually laid out how we could add hardware, much as we did with the SCOMP in order to add segmentation and protection rings to a commodity microprocessor, knowing that Intel was actually going to build those into its chips."

    His wording makes it seem like they added it because Glaser asked him what they were doing for security. He then started developing and commissioning software for it before the features were released to market. I'll also note that, being an acquisitions guy, he often sold things in ways that had little to do with security. The reason was virtually no buyers or sellers cared about security at the time. IBM (NSA partner) and Burroughs/Unisys were two of few exceptions. NSA mostly did COMSEC, looking down on "COMPUSEC." It's possible he and Glaser added them for security but sold them on compatibility with some OS or other non-security benefits. Pure speculation: no data yet to reconcile the different stories. There's the citation, though.