RU2626350C1 - Method of functioning computer device operating system of software and hardware complex - Google Patents

Abstract

FIELD: physics.

SUBSTANCE: sequentially, one by one, initialization of the components of the hypervisor is carried out, which has an 8-level hierarchical structure for executing commands, load of the controlling microkernel operating system on the nodes of the multiprocessor computer system with a parallel multitran architecture, each process-thread of which has two statuses - manager or subordinate, a compiler, a microassembler and an autonomous subsystem of fault tolerance. The proxy module of client requests, guest operating systems is loaded, the lists of requests for resource allocation is received, then the stage of preparing the task for execution is carried out.

EFFECT: increasing the effectiveness of malicious software detection and the level of protection of the computing device operating system.

3 cl, 1 dwg, 5 tbl

Description

The invention relates to computer technology, and in particular to operating systems of multiprocessor electronic computers that are part of hardware and software systems and can be used in such fields of technology as quantum informatics, meteorology, geological exploration, and also when performing tasks associated with intensive irregular memory access to the computing device (DIS-tasks), high-speed processing of signals and images, and work with storages of heterogeneous information of large size measure (RDF - database).

Known multi-threading devices of processors of electronic computers that perform various computing tasks, including, among other things, fault tolerance systems (see, RU, 133952 U1, class G06F 11/07, published. 10.27.2013; US, 2014351565 A1, CL G06F 9/308, published 11/27/2014; US, 9256496 B1, CL G06F 11/00, published 09/02/2016).

The disadvantages of the known technical solutions are the lack of built-in protection of data, commands and threading devices, the lack of support for globally addressable memory and emulation of various types of thread processes (ultralight cores of GPUs, medium cores of RISC microprocessors like MIPS, light cores of vector processors with SIMD support mode).

A known method of organizing a virtual architecture of heterogeneous memory for virtual machines in a multiprocessor computer based on creating an instance of a virtual machine with specific operational characteristics inherent in it, choosing the topology of virtual nodes that regulate the memory load, additionally, the multiprocessor computer contains a computing system and readable computer medium, according to the way of functioning and the set of essential features adopted for the closest analogue (prototype) of the invention (see RU, 2569805 C2, class G06F 1 2/02, published. 11.27.2015).

The disadvantages of the known technical solution are the lack of implemented mechanisms for working through a single address space with a memory capacity of at least several dozen petabytes, the lack of control of context-sensitive transitions when processing requests from users of the operating system (OS) for allocation of resources, the lack of verification procedures and blocking the execution of invalid commands even at the stage of preparing the task, before transmitting the opcode instructions for the execution of the microprocessor hardware cores or control Yeru peripheral equipment, as well as classic FIFO stack with restrictions on the size of the transmitted data of several hundred bytes.

The task to which the claimed invention is directed is to increase the efficiency of detecting malicious software (software) in the components of hypervisors, guest operating systems (OS) of users in real time of a lot of intensive data streams, as well as to increase the fault tolerance of the operating system that controls the operation of the computing device.

The technical result achieved in this case, which consists in increasing the efficiency of detecting malicious software and the level of security of the operating system of the computing device, is ensured by the fact that in the method of operating the operating system of the computing device of the software and hardware complex, according to the invention, the components are initialized sequentially one after the other a hypervisor having an 8-level hierarchical structure of command execution, loading onto the halls of a multiprocessor computing system of a controlling microkernel operating system with a parallel multredited architecture, each process thread of which has two statuses - manager or subordinate, equipped with a compiler, microassembler and autonomous fault tolerance subsystem, loading the proxy module of client requests, forming a set of tables of safe operations and exchanging data with command verification module, loading guest operating systems and receiving lists of requests for allocation resources, then they carry out the stage of preparing the task for execution, during which the command verification module using the semantic query processing pipeline uses marker scanning to check the set of tuples of logical variables of generative tables, namely the Opcode command opcode, Dom_id domain identifier, system attribute S, hierarchy attribute Ord, Context_type memory access tags, user transaction identification for allocating Context_id resources, field labels for monitoring tcu query results with by assessing the admissibility of operations in the form of allowed and forbidden values of the state function, the parameters of the received requests are analyzed using a cycle based on the value of the state assessment function, if the value of the state function is “Yes”, the process is added to the list of allowed for execution, if if the value of the status function is “No”, the process is blocked, a list of prohibited processes is created and an updated database of malicious software is created with an alert m of the security administrator, then, using the attribute of the Ord hierarchy, they determine whether the running process thread is basic with the maximum level of authority, which is assigned the value “0”, or generated, which is assigned the value “1” with the level of authority in the form of an application, information about all processes - streams processed by the operating system are obtained by analyzing the values of user transaction identifiers for allocating Context_id resources, the mechanism for accessing the operating system functions is performed by m model of interaction "client-server", in which the role of the vehicle performs microkernel operating system, control the activity of network applications and incoming / outgoing data packets is carried out on the basis of safe operations tables created module proxies client requests.

In addition, generative tables represent the semantic part of coding chains of client requests that are formed at the stage of task preparation, and the entire set of variables of generative tables is checked before starting each process thread.

In addition, the full dynamic state of running process flows of the operating system is characterized by the following parameters, namely, “Operating state” with the modes “Free”, “Reserved”, “Passive”, “Active”, “Delayed” and “Waiting”, “ Blocking status of the operating state ”and“ Transitional state ”, which goes either to“ Operational state ”or“ Blocking state ”, depending on the presence in the operating system of already issued but still incomplete commands.

Implementation of the proposed method for the operation of the operating system of a computing device in hardware and software systems has the following advantages:

- firstly, in the claimed method of operating the operating system, multi-domain protection is implemented, that is, 4 protection rings are used, while in traditional operating systems, for example, the Unix and Windows NT classes, only 2 protection rings are used;

- secondly, support for eight levels of privileges for executing commands has been introduced, which allows implementing a multi-level ("enhanced") role-based security policy. In addition, each process thread can have two statuses - basic (manager) or child (subordinate);

- thirdly, instead of the classic FIFO stack, a pipeline for processing semantic queries is implemented;

- fourthly, there is no restriction on the size of the transmitted data, since when processing request lists instead of using indirect C / C ++ indirect links, as is done in classical operating systems, transition control is performed using marker commands initialized by the verification module, which allows the operating system to process huge streams of information (blocks several tens of bytes in size);

fifthly, a microprocessor control has been introduced at the level of the hardware virtualization module (S8): before starting each thread process, the whole set of variable generative tables for each launched thread process is checked first instead of the classic signature recognition used in traditional operating systems. If the operation violates the requirements of the security policy, then the opcode of the operation is not transferred to the microprocessor device's hardware cores;

- sixth, emulation of various types of thread processes (ultralight cores of graphic processors, light cores of vector processors with SIMD support, medium cores of RISC microprocessors like MIPS and heavy cores of superscalar microprocessors with x86 architecture) has been implemented;

- seventh, support for all types of hypervisors (XEN, KVM, VMWare ESX, Microsoft Hyper-V, etc.) is implemented;

- eighth, built-in support for globally addressable memory of a few tens of Pbytes (32 Pbytes) in size;

- ninth, for the operation of the operating system of the computing device, a proprietary compiler has been developed that performs static interprocedural analysis to optimize the placement of overflow tests and microassembler manufactured using the domestic element base,

- tenth, for more efficient operation of the operating system of the computing device, transparent control of context-sensitive transitions is developed when executing commands by means of a set of special register fields W - “working state”, B - “state lock of the working state”, T - “sign of the transition process either in working or locked state ”;

- eleventh, the control operating system implements mechanisms for correctly blocking invalid operations at all levels of the command execution hierarchy; a fault tolerance subsystem in the form of “hot” redundancy is built in. Additionally, the use of 4 protection rings allows isolating the most critical operating system code from client applications and the dispatcher of work with equipment;

- in the twelfth, in the operating system of the computing device, it is possible to obtain information about all running processes-threads, which makes the operating system used flexible and transparent for programmers and virus analysts, and therefore there are no states of uncertainty that would not be they are solvable in the entire range of states of process flows; there are also no implicit operations for changing context-dependent transitions that were not formalized and not controlled.

Thus, the differences between the proposed method of functioning of the operating system of a computing device of a hardware-software complex from the functioning of classical operating systems are as follows:

- implemented multi-domain protection;

- introduced support for 8 levels of privileges for command execution. The number of such processes, taking into account the 8 levels of the command execution hierarchy, is 16. The number of protection domains is also 16. Thus, there is a stable connection between the launched process threads and the hardware protection domains;

- Implemented a pipeline for processing semantic queries. The data of client requests and their opcodes of commands are presented as a set of tuples of variable generative tables. Non-procedural languages such as AMBIT and Refal are used to form queries. Work is carried out with a virtual single address space of several Petabytes;

- there are no restrictions on the size of the transmitted data (for example, in processors of the x86 family, the stack size is 256 bytes, the data format is not more than 64347 bytes, and when the specified reserve is exceeded, a denial of service occurs). If, at the stage of preparation of the task, all the fields for writing the generative tables are not initialized (as a result of an attempt to generate a request in the form of an incorrect operation, violation of address segments, buffer overflow of the processed data, etc.), then this request is blocked and is not sent to the hardware device

- Implemented emulation of different types of thread processes. Moreover, all requests to hardware devices (cache controller and DMA devices, network coprocessor, etc.) are presented in the form of semantic queries with an assessment of the admissibility of operations in the form of allowed and forbidden values of the Fi function;

- the operating system has a parallel multi-thread architecture and is a distributed microkernel system with a built-in fault tolerance subsystem;

- two new modules were introduced into the operating system: a proxy module that intercepts calls to the interrupt handler and memory manager and monitors I / O operations when working with device emulators, as well as a verification module that controls the execution of commands at the level of the processor's executive region;

- the operating system has integrated protection for data, commands and threading devices through the implementation of marker scanning, which allows you to create an isolated software and hardware environment for tasks and detect malicious software at all eight levels of the command execution hierarchy.

The claimed invention is illustrated by the image of a flowchart that most fully illustrates the algorithm of functioning of the operating system of a computing device of a hardware-software complex.

The flowchart illustrates the way the operating system of the software and hardware complex functions, which allows you to detect malicious software in the components of the hypervisor, guest operating systems, when as input parameters lists of requests from guest operating systems, users of virtual machines, which are represented by a certain set, are used operations.

In the inventive method of operating the operating system of a computing device of a hardware-software complex, the applicant proposes to decompose the interaction processes in the hypervisor into an 8-level hierarchical structure, where: S1 - application level; S2 - kernel level of the guest operating system; S3 - level of interrupt handlers; S4 - hypervisor memory manager level; S5 is the level of the input-output subsystem of the hypervisor; S6 - hypervisor task scheduler level; S7 - dispatcher working with hypervisor equipment; S8 - executive processor level. At the same time, traditional security features operate at levels S1-S5, which use sets of access control rules that meet the requirements of a security policy.

The proposed method takes into account the features of the functioning of software device emulators that handle system calls of guest operating systems, task scheduler (level S6), equipment manager (level S7) and hardware virtualization module (level S8).

Arrow 1 conventionally shows the initialization of the hypervisor, preparing the loading of the controlling operating system on the nodes of the multiprocessor computing system, loading the command verification module and the proxy client request module.

Arrows 2 and 3 indicate the process of loading guest operating systems and receiving lists of requests for allocation of resources.

Arrow 4 conditionally shows the initialization procedure and checking the set of a tuple of variable generative tables by the command verification module at the stage of preparing the task for execution.

The requirements of the security rules specified in the table form are used to control requests from guest operating systems. The proxy module forms a set of tables of safe operations and communicates with the command verification module (arrow 5).

The search procedure for different classes of malware is a cycle (arrows 6, 7, and 10), in which query lists are analyzed based on the value of the function of evaluating the state of Fi: if Fi = “Yes”, the process is added to the list of allowed, if Fi = “ No ”, a list of prohibited processes is being generated.

The function of assessing the state of Fi (see table 1) is described by a set of parameters

(x1 x2 x3 x4 x5 x6 x7), where: x1 = Opcode; x2 = Dom_id; x3 = s; x4 = Ord; x5 = Context_type; x6 = Context_id; x7 = tcu. The designation “X” means that a logical variable can take the values “1” or “0”.

As a result of the algorithm, a database of malicious software is created (arrow 8), which is periodically updated. Based on the secure operation tables, network application activity is monitored and incoming and outgoing data packets are monitored.

In case of detection of suspicious actions, the security administrator is notified (arrow 9).

When developing the operating system, we used the apparatus of graph theory, algorithm theory, decomposition of hierarchical structures to formalize the processes of information interaction, taking into account the architecture of hypervisors and the features of modern technologies for virtualizing hardware resources.

GNU assembler, Refal and the Total View debugger were used as tools for developing the operating system.

In carrying out experimental studies of the modification capabilities of guest operating systems and the hypervisor, various malicious programs were used: Seven Pandora, Noh, HackerDefender, Storm, Croax, Legend, BluePill, VICE Toolkit, DRM, IceBrute, Rustock, Dragon and others.

The effectiveness of the developed protection system was evaluated based on the use of various protection tools and analysis of the number of successful recognition and errors of malicious software.

Based on the experimental studies carried out by the applicant-author, it was found that the claimed method of functioning of the operating system of a computing device allows to increase the detection efficiency of various classes of malicious software by 87% compared to known analogues.

Most software is machine independent and portable between different hardware architectures.

Machine-dependent aspects of the kernel are separate from the main code. In particular, no part of machine-independent code contains code that is architecture-specific. When it is necessary to perform actions that are architecture dependent, machine-independent code calls a function that depends on the architecture of the machine, which is located in the machine-dependent part of the code (see table 2).

Only a small part of the kernel is responsible for initializing the system. This code is used during the initial boot of the system to enter the operating mode and is responsible for setting up the hardware and software environment of the kernel. Some operating systems (especially those that are limited by the amount of physical memory) perform actions to unload or overlap the program code that performs these functions after it is finished. The kernel does not work repeatedly with the memory used by the source code, because this amount of memory is less than 0.5 percent of the kernel resources used on a typical machine. Also, the initial code is not located only in one place of the kernel - it is dispersed everywhere, and usually appears where it is logically connected with the initialization object.

The term “marker” means a set of specific features represented as a tuple of three parameters (s, Ord, Context_type).

Instead of classical signature recognition, generative tables are used.

The term “generative tables" means an array of data in which each row represents the following expression:

Where:

1 - allows you to identify the user's transaction for the allocation of resources;

2- memory access label;

3 - sign of hierarchy;

4 - a sign of systemicity;

5 - domain identifier.

The core of any operating system is a privileged component of the system that controls access to hardware resources, allocates and frees memory, creates and manages threads, performs in-process thread synchronization and controls I / O.

The operating system uses linked (composite) stacks to reduce the amount of memory used by the thread.

In any operating system, when the kernel code is paired with hardware at the physical level, forbidden states arise - a zero tuple of data that the processor forbids even programs in the zero protection ring to access.

Moreover, switching the context of active tasks in protected mode can only be performed by the processor module, since when shadow copying the data of the executable code, the programmer cannot get direct access to the information.

Identified problems can be resolved using the marker scanning method used in the claimed method of operating the operating system. Parameters are specified as parameters (s, Ord, Context_type). Instead of the classic signature recognition of code, generative tables are used. The Ord parameter is a field that initializes the status of the kernel thread.

The Ord field determines whether the running process thread will be basic or generated (the value of the bit of subordination of code segments).

If the Ord field is assigned the value “0”, then the constructor of the object describes the base (parent) thread, if the value is “1”, then the child (child) threads are launched in the system. Bit s not only identifies special OS descriptors, but also defines the context of the process flows of Windows NT and Unix class operating systems, JX, Cedar, RMox, VINO family of OSs at the processor module level. Each process thread is assigned a Context_id identifier.

If bit s = "0", then the process receives the status System, the marker describes a system object with delegation of the maximum level of authority (the ability to execute privileged processor commands and change the context of function calls), if bit s = "1", then Context_id (process identifier) is assigned the status of Application ("Application").

In addition to encoding the address separation of memory protection rings, the OS of different classes implements a strictly typed interface for interfacing with the hardware core of the processor and controlling the execution context of binary code, taking into account the compilation and assembly profile — using system object markers.

The data array of the tuple {s, Ord} is transferred to the processor execution region by the binary code loader and encapsulated as an extended tuple <s, Ord, Context_type>. The Context_type parameter uniquely determines the local space of the kernel's executive layer (Context_type ≥0) or the address of the upper register of the system memory allocated for critical OS devices (Context_type <0).

The “shadow” register contains “snapshots” of active kernel thread processes. By looking at the values of the Context_id identifiers, you can get information about all processes-threads, which makes the OS flexible and “transparent” for programmers and virus analysts.

A key element of the architecture of modern computing systems is the hypervisor. Having gained control of the hypervisor, the attacker has virtually unlimited possibilities.

When describing the principle of operation of the hypervisor, special attention is paid to such a concept as "protection rings" that implement hardware separation of the system and user levels.

Additional modes (4 privilege levels) appeared due to the development of hardware virtualization technology by Intel and AMD.

IPL mode indicates that most hypervisors have more privileges than the kernel of the operating system, which usually runs in the zero ring of protection.

The hypervisor coordinates the use of available hardware resources by several operating systems in the same way that the operating systems themselves distribute resources between several tasks.

System Management Mode (SMM) is the most preferred execution mode. This code is written to a specially designated area of the System Management Memory, inaccessible to the operating system and application programs.

To service events associated with this mode, a System Management Interrupt is provided, which is independent of the other interrupts and has the highest priority.

None of the vectors of the standard table are used to store the address of the procedure for this interrupt; the address is stored in special processor registers.

The module can operate at the IPL level in host controller mode (SMM is one managing Bare Metal hypervisor at the IPL level), a “nested” controller (nested virtualization host, starting one hypervisor under the control of another, that is, several controlling hypervisors at the IPL level), real-time virtual computing node of a multisocket board (Direct IO computing node, one instance of a hypervisor at level 0 of the protection ring for a group of virtual machines of a computing cluster) or in emulation mode with support for running on a single virtualization server FIR hypervisor copies (VT computing node, multiple hypervisors at 0 protect ring). Thus, taking into account 4 rings of protection, the maximum number of possible privilege levels increases to 8.

Thus, the set of all possible states is a finite and closed set of components of the virtualization environment. Each operating mode uniquely corresponds to a set of variables Dom_id, s.

When changing the context of the query execution (see table 3), switching between different modes occurs, which is reflected in the data tuple of the generative tables in the form of seven variables x1 x2 x3 x4 x5 x6 x7, which set the safety assessment functions of the state of the modern computing system as not contradicting security policy requirements.

F = (Opcode, Dom_id, s, Ord, Context_type, Context_id, tcu) (1), where:

tcu - field for controlling the results of query execution;

Context_id - unique identifier of the request;

The tcu field takes the following values:

X01X10 - suspension of the execution of the parent application with lock for an indefinite period and interception of third-party software control with increasing the priority level of execution to the maximum;

011X01 - waiting for completion with the launch of child threads (attempt to remove the blocking of access to resources and launch malicious software while the regular parent process is in TIME_WAIT mode);

111X10 - forced termination of all "sleeping" processes;

010101 - the resource is occupied by the application - the regular task launch mode - the synchronous mode of access to resources;

010010 - the resource is occupied by the application - the regular task launch mode - asynchronous mode of access to resources;

0X1X10 - regular completion of the active task.

Opcode is either equal to an empty command (NOP) or it contains a sequence of commands (! = NOP), L is the basic set of meta-operations, Opcode ∈L.

Context_id is either equal to zero (the System Idle status is “simple”, there are no active tasks in the list) or not (a new user request for resource allocation has been registered in the system).

The developed approach is based on the fact that the set of labels {m} for “coloring” a transaction multigraph is represented by a tuple of values of variables of formula (1). The ambiguity of transitions between the nodes of the multigraph of transactions is explained by the existence of uncontrolled states of the hypervisor. The predictive identification algorithm for hidden threats to information security can be represented by the following sequence of steps:

Step 1. Build a multigraph of transactions.

Step 2. Present the context of the query as a set of labels {m}.

Step 3. Conduct an analysis of the correctness of the completion of commands in terms of information security requirements.

The requirements of the security policy are formulated in terms that specify the sequence of processing operations and restrictions on their execution (see table 4). Moreover, at each level of the operation model S1-S8, events and results are recorded, including parameters T - time and Res - the result of operations, and the transaction multigraph is “colored” using a set of labels (markers).

The restriction on privilege escalation and transition control when changing the context of operations are set by the values of the logical function for assessing the admissibility of states F.

The internal cycle of the processor at the hardware level is determined by time intervals (T - synchronization periods). When executing one instruction, other requests are blocked for the duration of the kernel task. Multiplexing communication channels with external equipment allows you to create a parallel processing queue (conveyor). At the decoding level, there is a conversion to a sequential selection of bits, then the command execution time (T0-T5) takes a maximum of 3-4 clock cycles, 1 clock cycle to control the execution and 1 clock cycle to supply a gating signal to open access to the processor memory chip.

A total of 7 clock cycles for selecting instructions for processing instructions at each level (S1-S7) of the query hierarchy. Schematically, the mechanism for accessing the functions of the operating system, designed as servers, is as follows. A client, which can be either an application program or another component of the operating system, requests the execution of a function from the corresponding server, sending it a message.

Direct messaging between applications is not possible because their address spaces are isolated from each other.

The microkernel, running in privileged mode, has access to the address spaces of each of these applications and therefore can work as an intermediary. The microkernel first sends a message containing the name and parameters of the called procedure to the desired server, then the server performs the requested operation, after which the kernel returns the results to the client using another message.

Thus, the operation of the micronuclear operating system corresponds to the well-known client-server model, in which the micronucleus plays the role of vehicles. A set of ports is a minimal set of files that tells your system how to correctly compile and install the program, taking into account the expansion of a specific executable environment with support for the environment.

The kit for integration with a solution with industrial hypervisors includes:

- File smw-test.cfg

The fault tolerance subsystem is an autonomous functional structure and has its own control loop (carried out by a system operator or service engineer). All parameters for deploying and configuring the network are saved in the smw-test.cfg configuration file;

- OS-param file. This file contains information about the files that must exist on your system and their checksums, to verify that the files were not damaged during the download, operating system settings - boot mode, memory settings at different interface privilege levels, path to executable image of the operating system (Single Image Distributive). There are 4 sections in the file for configuring modules at the IPL_LEVEL, KERNEL_LEVEL, SUPERVISOR_LEVEL, USER_LEVEL levels, which correspond to Dom_id = 00, Dom_id = 01, Dom_id = 10, Dom_id = 11;

- Bootable OS image (Single Image Distributive) - the server operating system is Unix - a similar system with support for XEN or KVM, VMWare ESXi or Windows Server with support for Hyper-V. Under the control of these hypervisors, guest OSs of user virtual machines are launched;

- OS-files directory. This additional directory (the basic distribution with all folders included in the boot image) contains the most recent patches, the use of which is necessary to update the version of the operating system. Patches are software update modules that contain changes that need to be made to the operating system in order to function correctly and resolve previous errors in the program code;

- OS-plist file. This is a list of all files that will be downloaded. It also instructs the port system to delete certain files during reconfiguration of the operating system. This file is used for security logging and auditing purposes.

The boot program is executed in each core, the thread device executes with a zero physical address. At the same time, the thread device operates in a special privilege mode - IPL_LEVEL. In this mode, physical addressing is used when accessing command memory and data memory.

At this level, only the trusted boot and protection module functions. Then, the virtual infrastructure manager and host operating systems with support for hypervisors (KERNEL_LEVEL, SUPERVISOR_LEVEL levels) are loaded. At the final stage, guest OSs are launched at the USER_LEVEL level.

The system can be divided into several subsystems, each of which manages a certain type of resources (memory, tasks, files, communications).

The subsystem consists of several Managers, each of which provides a higher level of resource abstraction. Higher-level managers use the tools of the lower-level managers of their subsystem, as well as other subsystems. Microkernel distributed architecture is an alternative to the classical way of building an operating system.

The level that allows you to manage the protected mode of the processor, boot and control the system at the processor instruction level is called IPL (Instruction Processor Level, IPL). The set of functions of the micronucleus usually corresponds to the functions of the layer of the basic mechanisms of the regular kernel (KERNEL_LEVEL).

Such operating system functions are difficult, if not impossible, to execute in user space. All other higher-level kernel functions are executed in the form of applications operating in user mode (USER_LEVEL).

Resource managers, which are integral parts of the regular kernel — the file system, virtual memory and process management subsystems, and the security manager — become “peripheral” modules operating in supervisor mode (SUPERVISOR_LEVEL).

The trusted boot and protection module boots with the IPL privilege level and exercises exclusive control over the allocation of server computing resources by viewing data from t_reg. 4 processor protection rings are used: Dom_id = 00, Dom_id = 01, Dom_id = 10, Dom_id = 11. Taking into account the support of hardware virtualization, “gluing together” the Dom_id and s parameters (the lines are written onto the stack in the reverse order) allows you to set the interface level at which the transaction is processed according to the “client-server interaction” scheme.

The full dynamic state of the process-stream is determined by the three signs of its behavior <W, B, T>, where:

- W - Work State, the operating state of TU, can have the values “Free”, “Reserved”, “Passive”, “Active”, “Delayed” and “Waiting”.

- B - Block State, blocking state of the operating state

- Т - Transition State, a sign of a transition process to the specified operating state or a blocking state associated with the presence of currently executing, but still incomplete commands of the process-stream.

Signs of the state of the process flow are displayed in the fields of the same register t_reg. In this case, all possible states of thread processes are explicitly initialized, taking into account the dynamic nature of the process of allocating computing resources (see table 5).

In more detail, process flows are characterized by the following states:

- “Free” - the thread device is not reserved for use by any protection domain.

- “Reserved” for use in a certain protection domain, but this controls the binding of the process flow being prepared for execution to a certain protection domain when initialization has not yet passed (waiting state for generating generative tables).

- “Passive” - the process thread contains a program for execution, however, the reading of the instructions of this process thread is blocked until the activation command for this process thread is received. Such a process thread does not have running, but not yet completed commands. A process thread of a program can be removed from such a process thread by the operating system and then loaded.

- “Active” - the process thread contains the program and is ready to issue commands for execution, however, the instructions for reading are executed in accordance with the operation algorithm of the TCU block of the corresponding multi-process stream kernel, and their acceptance for direct execution in functional devices comes from readiness for data from these teams.

- “Delayed" - the process thread contains the executable program, but is not ready to issue commands for execution until the timer value of this process thread becomes zero. Previously issued commands from this process thread can still be executed. If there are such commands, then the most significant bit in the register is nonzero.

- “Waiting” - the process thread contains the program, but is not ready to issue commands for execution until some event occurs, which is associated with the arrival of a signal in the process thread. Such a process thread may contain running, but not yet completed commands.

- “Suspended” - the process thread contains the program for execution, and is in any of the operating states “Passive”, “Active”, “Delayed” or “Waiting”, but is blocked for issuing commands and performing operations on this process- flow. This is a special static state of a process-thread, when, in privileged mode, you can perform actions with it, and then release its lock at the request of the user (100), or preserve it for an indefinite period of time (110) without removing the lock, or completely destroy it (111) . A process thread in this state does not contain running, but not yet completed commands.

As a result of the patent information search, not a single source of information was found containing the entire set of essential features of the claimed invention, which allows us to conclude that it meets the patentability criteria of “novelty”, “inventive step” and “industrial applicability”.

Claims (3)

1. The method of functioning of the operating system of a computing device of a hardware-software complex, characterized in that the components of a hypervisor having an 8-level hierarchical structure for executing commands are sequentially initialized one after another, loading a micronuclear operating system with a parallel multi-architecture architecture on the nodes of a multiprocessor computing system , each process thread which has two statuses - manager or subordinate, equipped with a compiler, mik an assembler and an autonomous fault tolerance subsystem, loading a proxy client request module, generating a set of safe operations tables and exchanging data with a command verification module, loading guest operating systems and receiving resource allocation request lists, then the stage of preparing the task for execution is performed, during which the verification module commands using the semantic query processing pipeline through marker scanning checks the set of log tuples variables of the generation tables, namely the opcode of the Opcode commands, the Dom_id domain identifier, the S attribute of the system, the Ord hierarchy attribute, the Memory access tag Context_type, the identification of the user’s transaction for allocating Context_id resources, the field label for monitoring the results of the tcu request with an assessment of the admissibility of the operation in the form of allowed and forbidden values of the state function, the parameters of the received requests are analyzed using a cycle based on the value of the state evaluation function, if the value of the function is Yes, the process is added to the list of allowed for execution if the status function value is No, the process is blocked, a list of prohibited processes is created and an updated database of malicious software is generated with a notification to the security administrator, then using attributes of the Ord hierarchy determine whether the running process thread is basic with a maximum level of authority that is assigned a value of "0" or a child that is assigned a value of "1" with the level of authority in the form of an application, information about all the process flows processed by the operating system is obtained by analyzing the values of user transaction identifiers for allocating Context_id resources, the mechanism for accessing the operating system functions is implemented through the client-server interaction model, in which the role of vehicles is played by the microkernel of the operating system, monitoring the activity of network applications and incoming / outgoing data packets is carried out on the basis of safe opera tables s generated proxies module client requests. 2. The method of functioning of the operating system of the computing device of the software and hardware complex according to claim 1, characterized in that the generative tables are the semantic part of the coding of the chains of client requests that are formed at the stage of preparing the task, while the entire set of variables of the generative tables is checked before each process thread. 3. The method of functioning of the operating system of the computing device of the software and hardware complex according to claim 1, characterized in that the full dynamic state of the running processes-threads of the operating system is characterized by the following parameters, namely, "Operating state" with the modes: "Free", "Reserved" , “Passive”, “Active”, “Delayed” and “Pending”, “Operational state lock state” and “Transient state”, which goes either to “Operational state” or “Blocking state” depending on on the availability of the operating system already issued for the execution, but still incomplete teams.

Images