Trailing-Edge - PDP-10 Archives - ks10_8080_microcode - v5-2.not
			4.2 VS. 5.2...
			--------------

	At the end of April 79 Mark Tighe (DDC) sent a memo to Gary
Clearwater (FS) detailing some possible security risks embedded in
the 8080 Microcode.  These consisted of the following problems:

  (1) One can dial up on the Klinik line and just hit a character and
	the repeat button.  The KS-10 will respond with a ?NA as fast
	as it can.  This will cause all output to the CTY to stop, and
	since TOPS-20 cannot now do anything with the CTY the system
	may crash.  What the 8080 should do is hang up the line so that
	this is not possible and the person on the remote line would
	have to dial up again.
      This was fixed by causing the 8080 to hang up the line after the
	?NA.  The place in the code where this got fixed was at line
	number 2201, label MODE0:.  Instead of just returning to the
	caller via RET, this section (after it prints ?NA) goes to
	KILL.KLINIK to actually hang up the line.  It now does a JMP
	KILL.KLINIK.  In addition, another fix would have cured the
	problem anyway: simultaneous output to both CTY and KLINIK is
	now allowed without KLINIK output delaying CTY output until it
	is done.  Before, the KLINIK had a higher priority than the CTY
	for output.  Now the KLINIK still has a higher priority, but if
	both want output the time is shared equally between CTY and
	KLINIK, so for that situation they are of equal priority.

  (2) One can dial up the KS-10 and, as a User Mode KLINIK user, lock
	the CTY out from output.  This is described in the previous
	paragraph and is fixed as follows:  In 'KS10 to 8080 Character
	Service' the last thing done was a JMP TTOCOM, which writes the
	data into one of the reserved words (word 31..35) so that TOPS-20
	can do whatever it wants with it.  Then the 8080 went back to
	the null job and picked up another character, and since the
	KLINIK had the highest priority, took it from there.  So the CTY
	never got serviced.  The correction in the code was to change
	the JMP TTOCOM to CALL TTOCOM to output the character, then
	return to the calling point and do a DI.  Control then just
	passes through the following code, which happens to be the CTY
	character handling code.  The DI is there to turn off interrupts
	while the CTY character (if there is one) is being handled, so
	that output alternates between a KLINIK character and a CTY
	character.  The JMP TTOCOM code used the TTOCOM code's return
	to get back; with CALL TTOCOM the same return gets back to the
	calling point, and the return in the CTY code is then used as
	the final return.  The CALL TTOCOM, DI code is located at line
	number 2073 at label NULKL:.
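	To make items (1) and (2) concrete, here is a small model in C
	of the null-job output loop, written for this note and not taken
	from the 8080 microcode.  The queue shapes, the 20-pass budget,
	the 10-character CTY message and the 1000-character KLINIK
	listing are constructed for the example; only the priority
	behaviour (4.2 always going back to the null job after a KLINIK
	character, 5.2 falling through into the CTY code, and 5.2
	hanging up the line after a ?NA) follows the text above.

```c
/* Added model (not the 8080 microcode) of the null-job output loop from
 * items (1) and (2).  Queue shapes and scenario sizes are constructed. */
#include <stdbool.h>
#include <stdio.h>

struct line {
    int pending;    /* characters waiting to be written to this line */
    int sent;       /* characters actually written */
};

struct console {
    struct line cty, klinik;
    bool klinik_carrier;   /* modem carrier up on the KLINIK line */
    bool v52;              /* false: 4.2 behaviour, true: 5.2 behaviour */
};

/* One pass of the null job: pick up at most one character per line.
 * 4.2 ends KLINIK service with JMP TTOCOM, so control goes straight back
 * to the null job and the CTY code is skipped whenever KLINIK had a
 * character.  5.2 uses CALL TTOCOM, DI and falls through into the CTY
 * handler, so the two lines alternate. */
static void null_job_pass(struct console *c)
{
    if (c->klinik_carrier && c->klinik.pending > 0) {
        c->klinik.pending--;
        c->klinik.sent++;
        if (!c->v52)
            return;            /* JMP TTOCOM: CTY never reached this pass */
    }
    if (c->cty.pending > 0) {  /* CTY character handling code */
        c->cty.pending--;
        c->cty.sent++;
    }
}

/* Item (1): a keystroke from a caller who is not logged in is answered
 * with ?NA.  In 4.2 the line stays up, so a held-down key queues ?NA
 * forever; in 5.2 MODE0: does JMP KILL.KLINIK after the ?NA. */
static void remote_keystroke(struct console *c)
{
    if (!c->klinik_carrier)
        return;                /* line already hung up, nothing to answer */
    c->klinik.pending += 3;    /* "?NA" queued for the remote line */
    if (c->v52) {              /* KILL.KLINIK: hang up, drop queued output */
        c->klinik_carrier = false;
        c->klinik.pending = 0;
    }
}

/* Scenario for item (1): auto-repeat on the dial-up line while the CTY has
 * a 10-character message to print.  Returns CTY characters out after 20
 * passes: 0 under 4.2 (starved), 10 under 5.2 (line hung up, CTY drains). */
int cty_chars_sent_under_na_flood(bool v52)
{
    struct console c = { .cty = { .pending = 10 },
                         .klinik_carrier = true, .v52 = v52 };
    for (int i = 0; i < 20; i++) {
        remote_keystroke(&c);  /* key still held down */
        null_job_pass(&c);
    }
    return c.cty.sent;
}

/* Scenario for item (2): a logged-in KLINIK user with a long listing while
 * the CTY wants 10 characters.  4.2 serves KLINIK every pass and the CTY
 * gets nothing; 5.2 alternates, so both lines make progress. */
int cty_chars_sent_under_klinik_output(bool v52)
{
    struct console c = { .cty = { .pending = 10 },
                         .klinik = { .pending = 1000 },
                         .klinik_carrier = true, .v52 = v52 };
    for (int i = 0; i < 20; i++)
        null_job_pass(&c);
    return c.cty.sent;
}

int main(void)
{
    printf("?NA flood:      4.2 CTY out=%d, 5.2 CTY out=%d\n",
           cty_chars_sent_under_na_flood(false),
           cty_chars_sent_under_na_flood(true));
    printf("KLINIK listing: 4.2 CTY out=%d, 5.2 CTY out=%d\n",
           cty_chars_sent_under_klinik_output(false),
           cty_chars_sent_under_klinik_output(true));
    return 0;
}
```

	Under the 4.2 rule the CTY count stays at zero in both scenarios
	as long as the KLINIK queue never empties; under the 5.2 rule the
	KLINIK line still gets served first in every pass, but the CTY
	gets one character per pass as well, which is the "equal
	priority when both want output" behaviour described above.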

  (3) If someone had dialed in on KLINIK (KL 1) and given the password
	and so forth in Protect Mode, someone else could call in after
	and fiddle with the system without being asked for a password.
	This occurred because various places did not cause the 8080 to
	reexamine the mode it was in when carrier went away or someone
	on KLINIK just hung up.  To fix this, the following sections of
	code were modified:

	Line 979 was CNZ HANGUP (in the Null job)
	Line 2061 was CALL HANGUP (in the 8080/KS10 character service
	  code where 8080 realizes that the KLINIK comm word  has a 2
	  which indicates 'hangup')
	These lines changed  to CNZ KILL.KLINIK and CALL KILL.KLINIK.
	  KILL.KLINIK is located directly before HANGUP:  and says to
	  clear KLINIK status word via CLRB KLNKSW.  This  will cause
	  a reexamination of the status of the 8080 and KLINIK. Hence
	  a password will be requested in the future.

  (4) DTR would be lost if the KS10 was running stand alone (i.e. at the
	KS10> prompt), the KLINIK line was active, and carrier went away
	for some reason.  Since DTR was gone, no one trying to call up
	the KS10 on the KLINIK would succeed.  This problem was fixed by
	adding two lines of code to the routine at label KLNKLT:.  This
	routine reexamines the switches and makes sure that DTR does
	not go away - it does LDA STATE followed by OUT DTR.

  (5) The TT command does not cause a proper mode change.  If someone
	at the CTY resets the password (which hangs up the KLINIK line
	also) and then says TT, someone can call back and not get
	challenged for a password.  This is because TT automatically
	put KLINIK into mode 2 (assuming that a password had already
	been given and was correct) rather than putting it into mode 2
	only if a password had been given and into mode 1 if not.  This
	was fixed by adding a little code to the TT command to check
	whether the current mode is 0 or 1 (no password given yet) and
	not putting it into mode 2 unless already in mode 2 or 3.  The
	code is as follows:
		LDA	CSLMODE	;Get current mode
		SUI	.MODE2	;Is it less than mode 2?
		JP	SETM2	;No (mode 2 or 3): go set mode 2
		CLRB	KLNKSW	;Yes (mode 0 or 1): clear KLINIK status to
				;  force reexamination of switches..
		RET		;Return

	(Note - in this note when originally written - JP was JM)
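	To make the two mode-handling problems concrete, here is a small
	model in C of the behaviour in items (3) and (5), written for
	this note and not taken from the 8080 microcode.  Only what the
	text above states is kept: modes 0 and 1 mean no password given
	yet, modes 2 and 3 mean a password was accepted, clearing KLNKSW
	forces the mode to be reexamined, and TT in 5.2 only goes to
	SETM2 when already in mode 2 or 3.  The event names (dial_in,
	hangup, tt_command and so on) and the rule that a reexamined
	line with carrier up lands in mode 1 are assumptions of the
	model.

```c
/* Added model (not the 8080 microcode) of KLINIK mode handling from
 * items (3) and (5).  Event names and the mode-1 landing rule are assumed. */
#include <stdbool.h>
#include <stdio.h>

enum mode { MODE0 = 0, MODE1 = 1, MODE2 = 2, MODE3 = 3 };

struct klinik {
    enum mode cslmode;  /* CSLMODE: current mode */
    bool klnksw;        /* KLNKSW: status established for this call */
    bool carrier;       /* modem carrier on the dial-up line */
    bool v52;           /* false: 4.2 behaviour, true: 5.2 behaviour */
};

/* Reexamination after KLNKSW was cleared: with carrier the caller starts
 * over in mode 1 and must give the password; without carrier the line is
 * idle and no status is established (assumed mapping). */
static void reexamine(struct klinik *k)
{
    if (k->carrier) { k->cslmode = MODE1; k->klnksw = true; }
    else            { k->cslmode = MODE0; k->klnksw = false; }
}

static void dial_in(struct klinik *k)
{
    k->carrier = true;
    if (!k->klnksw)            /* no status yet: establish one */
        reexamine(k);
    /* else a status left over from an earlier call is simply reused */
}

static void give_password(struct klinik *k, bool correct)
{
    if (k->cslmode < MODE2 && correct)
        k->cslmode = MODE2;    /* Protect Mode */
}

/* Carrier lost or remote user hung up.  4.2 went to HANGUP only; 5.2 goes
 * through KILL.KLINIK (CLRB KLNKSW) first, item (3). */
static void hangup(struct klinik *k)
{
    k->carrier = false;
    if (k->v52) {
        k->klnksw = false;     /* KILL.KLINIK */
        reexamine(k);
    }
}

/* CTY operator resets the password; the note says this hangs up the line. */
static void cty_reset_password(struct klinik *k)
{
    k->carrier = false;
    k->klnksw = false;
    reexamine(k);
}

/* The TT command.  4.2 went straight to SETM2; 5.2 runs the LDA/SUI/JP
 * check from item (5) and only sets mode 2 when already in mode 2 or 3. */
static void tt_command(struct klinik *k)
{
    if (k->v52 && k->cslmode < MODE2) {  /* SUI .MODE2 went negative */
        k->klnksw = false;               /* CLRB KLNKSW */
        reexamine(k);
        return;                          /* RET */
    }
    k->cslmode = MODE2;                  /* SETM2 */
    k->klnksw = true;
}

/* True when the current caller still has to give the password. */
static bool password_required(const struct klinik *k)
{
    return k->carrier && k->cslmode < MODE2;
}

/* Item (3): caller A logs in and hangs up; is caller B challenged? */
bool second_caller_challenged(bool v52)
{
    struct klinik k = { .v52 = v52 };
    dial_in(&k);
    give_password(&k, true);
    hangup(&k);
    dial_in(&k);
    return password_required(&k);
}

/* Item (5): operator resets the password, types TT; is the next caller
 * challenged? */
bool caller_after_tt_challenged(bool v52)
{
    struct klinik k = { .v52 = v52 };
    cty_reset_password(&k);
    tt_command(&k);
    dial_in(&k);
    return password_required(&k);
}

/* TT for a caller already in mode 2 must keep mode 2 (the JP path). */
bool tt_keeps_logged_in_caller(bool v52)
{
    struct klinik k = { .v52 = v52 };
    dial_in(&k);
    give_password(&k, true);
    tt_command(&k);
    return !password_required(&k);
}

int main(void)
{
    printf("item 3: 4.2 challenged=%d, 5.2 challenged=%d\n",
           second_caller_challenged(false), second_caller_challenged(true));
    printf("item 5: 4.2 challenged=%d, 5.2 challenged=%d\n",
           caller_after_tt_challenged(false), caller_after_tt_challenged(true));
    return 0;
}
```

	The JM/JP point in the note shows up here as the direction of the
	comparison in tt_command: with JM the branch to SETM2 would be
	taken for modes 0 and 1 and the CLRB KLNKSW path for modes 2 and
	3, which both reintroduces the item (5) hole and logs out a
	caller who was legitimately in mode 2.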
 

	The above constitutes the changes made to obtain 5.2 from 4.2,
plus an extra one (the last bit of code).  There is another problem
which has come up due to the above fixes: giving a c-z on the CTY will
cause someone on the KLINIK line to have to type in the password again,
since the KLINIK status word gets cleared and the 8080 will not let the
KLINIK user back on without it.