GB1585960A - Information flow security mechanisms for data processing systems - Google Patents


Info

Publication number
GB1585960A
Authority
GB
United Kingdom
Legal status
Expired
Application number
GB3191676A
Current Assignee
Plessey Co Ltd
Original Assignee
Plessey Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00 Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14 Protection against unauthorised use of memory or access to memory
    • G06F12/1458 Protection against unauthorised use of memory or access to memory by checking the subject access rights
    • G06F12/1483 Protection against unauthorised use of memory or access to memory by checking the subject access rights using an access-table, e.g. matrix or list


Description

(54) INFORMATION FLOW SECURITY MECHANISMS FOR DATA PROCESSING SYSTEMS
(71) We, THE PLESSEY COMPANY LIMITED, a British Company, of Vicarage Lane, Ilford, Essex IG1 4AQ, do hereby declare the invention, for which we pray that a patent may be granted to us, and the method by which it is to be performed, to be particularly described in and by the following statement:
The present invention relates to digital data processing systems and is particularly concerned with the provision of an information flow security mechanism for use in such systems.
The security mechanisms of most computer systems make little or no attempt to guarantee secure information flow. By that it is meant that steps are not taken to prohibit unauthorised flow of information from one process to another. For example, in a government or military system, security requires that processes are not allowed to transfer data from files of higher security classification to files (or users) of lower security rating. Not only should a user be prevented from directly reading a file whose security classification exceeds his own, but he must be inhibited from indirectly accessing such information by, say, interacting with other users who have the authority to access that information. Such security measures are equally applicable to non-government classified computer installations dealing with, for example, personal documentation files.
The access control mechanisms of the prior art are designed to control immediate access to objects without taking into account the information flow paths which may be available by using a collection of access rights in manners differing from those in which they were intended to be used.
Contemporary access control mechanisms, such as those involving so-called "capability" addressing techniques as defined in B.P. Specification Serial Nos. 1,332,797 and 1,410,631, are very successful in ensuring that information is constrained within the bounds of a protected "domain" in a multi-task system. The term "domain" is used to indicate a protected procedure or enter subroutine structure and forms the data structure upon which processes are performed. Embodied in such a capability addressing system is the concept of a "no privileged" mode of user. Because of this principle even the operating system is constrained to work within the capability addressing mechanisms.
It is necessary, however, to include a copy capability instruction (STORE CAPABILITY) in the repertoire of the processors. Such an instruction permits a requestor of a capability (be it data or capability type) firstly to obtain the access right from a "domain creating" macro-instruction and secondly to pass on the necessary access right to other system users (domains or processes). Accordingly, be it by design or error, it is possible for an object to be invaded by obtaining the capability of access to the object through the STORE CAPABILITY instruction. In systems organised according to the capability addressing structure, objects include storage segments (storing, for example, data files, working-data areas, read-only tables, process dump stacks, capability pointer tables, program code and enter resources of complex structures) together with peripheral equipment access register sets. The term "resource" is used to collectively summarise all these alternative forms of capability structures.
It is an aim of the present invention to provide, for use in a digital data processing system, an information flow security mechanism which ensures that unauthorised invasion of the resources allocated to a domain is prevented.
According to the invention there is provided a data processing system for handling, in a time-sharing manner, a number of processes, which system includes a memory and at least one processing device co-operating with the memory to execute a process, wherein the said memory provides storage for a table of system resources and each process is provided with a list of resources to which it is to be permitted access, and each entry in the table of system resources includes a security class tag, and each data processing device includes a plurality of registers for use in accessing a system resource and each such register includes a security tag, and the processing device further includes (i) first means arranged in operation to set the security tag of a register when it is loaded with data, (ii) second means arranged in operation to compare the security tag of a register with the security tag of the system resource to be accessed when the contents of the said register are used in a write access operation and (iii) third means arranged in operation to inhibit the resource write access operation when the security tag of the said register is lower than that of the said resource to be accessed, and in which, for use during the performance of register load operations involving system resources, the processor includes means arranged in operation to set the security tag of the register to be loaded to the highest security code indicated by the current setting of the register's security tag, the security code of the resource from which the register is to be loaded and the security code of the address register involved in the loading of the register.
The invention should be more readily understood from the following description of one embodiment of the invention, which should be read in conjunction with the accompanying drawings. Of the drawings, Fig. 1 shows a block diagram of a central processing unit suitable for use in one embodiment of the invention, whereas Figs. 2 to 5 show in diagrammatic form various CPU/store operational sequences involving the security tag arrangements according to the invention.
Before embarking upon the description of the techniques involved in the operation of the security tag system of the invention opportunity will be taken to summarise the facilities provided by a data processing system which incorporates resource protection using so-called capability addressing techniques.
Fig. 1 shows a central processor unit (CPU) which is a 24 bit parallel, microprogram controlled, general purpose machine. It can be used to form part of a modular system which is capable of expansion from a single processor/store configuration to a multi-processor/multi-store configuration of the type disclosed in U.S. Specification Serial No. 3,787,818. The system is process based with the provision for re-entrant and recursive (nested) procedures. The "store" protection features restrict processor accesses so that any attempted violation immediately suspends operations and prevents corruption of information within the memory or peripheral.
The protection system employs capabilities to prevent a processor from (i) modifying program code, (ii) altering tables of constants, (iii) executing data as instructions or (iv) reading instructions as data.
Each capability comprises the "store" address bounds of the resource together with an access type code. Programs and subroutines (processes) are allocated only the capabilities they require for their task.
Each object can only be accessed by a process which owns a capability for that object and which uses a mode of access which is allowed by the access code of the capability. Because processes are given just the required number of capabilities to access those objects (or resources) which they validly require, there is no need for a concept of "normal versus executive mode" to exist in a system using capabilities. Rather, such a system embodies the strategy of an indefinite grading from the smallest limited resource to those which have widespread control.
Reference was made above to the system under consideration being process based.
A process is defined as being the application of a block of program code to an external event (as defined by input data). It is, therefore, possible for the same block of re-entrant program code to be simultaneously executed by two different processes as completely separate transactions.
A system using capabilities is ideally suited for implementation in a multiprocessor system of the type shown in B.P. Specification 1,394,431. In such a system each processor module has its own bus SB over which "store" addressing techniques allow the processor to access all store modules and all peripheral equipment control register sets. Accordingly the peripheral equipment control register sets look like small blocks of store and they are accessed in exactly the same way as a memory segment. Hereafter reference to "store blocks" should be construed as reference to either memory held segments or peripheral register sets.
Process Dump Stack
Associated with every process is a block referred to as the Process Dump Stack. The stack is used to preserve the various Capability and data values associated with the process for interrupt purposes. It also stores the parameters for the nesting of subroutines within a process using a push-down file area. Each process uses a separate Dump Stack. This results in a system whereby any number of processes may be in existence, some active and the rest suspended.
Scope of a Capability
It is essential to protect independent objects from unauthorised access by any process. This is accomplished by only issuing each process with a Capability for the objects which it needs to access. The size of a directly addressable object covered by a Capability can be any number of words between one and 65536 words.
Processors can only access objects for which they have "loaded" capabilities. Any attempt to violate the constraints imposed by Capabilities causes a Fault Interrupt.
Each object is defined both in size and location and the address values currently in use are held in hardware Capability Registers. Each and every memory access is then checked for correctness of operation.
Capability Registers
Capability protection is enforced by hardware. Each capability is held in a double length Capability Register, one of which must be referenced by any instruction requiring access to memory.
Capabilities for immediate use by the program being run at any instant are held in Capability Register Stacks in the processor. The remaining capabilities available to the program are held in capability blocks in store, which have been allocated to the process executing that program.
Each capability register comprises two words. The first word holds the Base Address, and the second word holds the Limit Address and the Access Type. Since the base value takes part in store address construction, each capability register can be regarded as a store relocation base register. The blocks of storage defined by the base and limit values are the only valid objects which the process can access.
The Base Address is a 24 bit binary value. Conventionally the top 8 bits of the Base define the store Module in which the block is held. The bottom 16 bits define the offset within the Module at which the block starts. The Limit Address consists of 16 bits and defines the offset at which the block ends within the module.
General Purpose Capability Registers
Capability values may be loaded into eight general purpose Capability Registers, referred to as C(0) to C(7).
Capability Register C(7) defines the Capability for the current program block. Any instruction which loads a new Capability into C(7) causes a transfer of control to the block defined by the loaded Capability.
Every time an instruction is read the "type" of C(7) is checked to be a program type. Capability Register C(6) is conventionally used to hold the root Capability Block of the program in execution.
Special Purpose Capability Registers
There are five special purpose Capability Registers, which are used by the Processor microprogram and the Operating System to access control information.
(a) Capability Register C(D) contains Base/Limit Addresses and Access code for the process Dump Stack of the active process.
(b) Capability Register C(I) defines a single store location which contains the Interval Timer value. It measures the absolute time elapsed. When it reaches zero, a normal Interrupt is generated.
(c) Capability Register C(C) defines a block of store containing the System Capability Table.
(d) Capability Register C(N) defines a single store location containing a Capability to the Normal Interrupt process.
(e) Capability Register C(S) defines a four word block of memory which is used by the processor when dealing with Fault Interrupts.
The reloading of any of the above registers is permitted to programs which have the Capability addressing "Internal Mode".
Address Construction
When addressing a word within a block of store a Capability Register is used. The address construction takes the base value and adds an offset from the instruction (and a modifier) to give the absolute store address. The resulting address is then checked to see that it lies within the Base and Limit Addresses, and if not a fault interrupt occurs. If it does, then the type of access being performed is checked against the Access Type, which specifies the kinds of operation which can be performed on the store block.
Access Type
The Capability Access Type is an eight bit linear code. If the two most significant bits are set to one (indicating an in-form capability) then the remaining six bits have the following significance. Read Data and Write Data, if set, permit transfers between the store block and Data Registers, while Read Capability and Write Capability permit load and store operations between the store block and Capability Registers.
Execute Data specifies a program block, and Enter Capability specifies a subroutine.
The enter type can only be accessed by entering it as a protected procedure; the calling procedure cannot obtain access to the objects of the procedure without transferring control to it. In all cases an attempt by the processor to perform an access which is not permitted will drive it into a fault interrupt.
Checking Mechanisms
When the operations constructed as above are presented to the bus interface, they are checked within the processor by hardware comparators. There are, therefore, independent autonomous hardware checks on the in-range validity of the constructed address and on each access which the processor is about to perform. Therefore single failures in the Processor Unit cannot cause access to areas of store other than those defined by the currently loaded capability registers. This is the first fundamental requirement for the guaranteed preservation of a logical program and data base.
It follows from the above that the only way in which a program could gain access to prohibited storage areas is if the base or limit values loaded into a capability register from store were incorrect. To protect against this eventuality, the hardware checks these values when they are fetched against a redundancy code. Hence, if a storage module itself fails in such a way as to give incorrect address values, the probability that the values fetched will correspond to the check code is negligible. This ensures that they cannot be corrupted either before or during the loading operation itself. Since the integrity of the capabilities themselves is maintained against possible hardware failure, the entire integrity of store data access is thereby guaranteed.
Capability Manipulation
At no stage in the use of the capability addressing mechanism is the program aware of the physical address values being used by the hardware in any program sequence. All addressing is performed by the program in relative values, with respect to a particular capability. The hardware "maps" the current physical base and limit address values at execution time.
This operation is performed by the capability manipulation instructions, which convert capability pointers into physical base, limit and access codes, which are transferred to the machine capability registers from the System Capability Table.
The System Capability Table
The System Capability Table (SCT) holds a record of all the store blocks.
There is one entry in the System Capability Table for each block of allocated store. It is from here that the Capability Registers within each processor are loaded as required with the base and limit addresses. Each processor contains a special purpose Capability Register which always defines the System Capability Table.
The format of an entry in the System Capability Table includes: the base address (24 bits), the limit address (15 bits) and a sumcheck word (24 bits) which provides a method for the hardware to validate the Base/Limit values.
Capability Pointers
When a process wishes to load a capability into one of its capability registers it indicates which of the entries in the SCT is required by means of an "In-form" Capability Pointer. Each process is allocated blocks of memory which contain Capability Pointers. Each of these contains the Access type and an Offset value which selects a Base/Limit entry. Note that separate processes may access a common store area, but each may be given a different access right.
The use of Capability Pointers offers a number of advantages not the least of which is the simplification of dynamic storage allocation. For example to relocate a block within store, the base and limit values covering that block must be changed. This may be accomplished by changing the contents of the entry in the System Capability Table. The Capability Pointers remain unchanged.
The inherent features of the capability mechanism help to simplify the kind of problems that arise in the design of modular programming systems. This greatly assists in the preparation and maintenance of software modules, since the linkages between them are a function of the hardware at run time.
An "Out-form" Capability Pointer indicates unallocated or indirectly accessible resources. A Trap Interrupt is caused whenever a process attempts an access with an Out-form Capability.
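The address construction, range check, access-type check and Out-form trap described above, as an added example for this page (it is not the patent's own logic or Plessey hardware): a Python model of a capability register, an instruction fetch through C(7), and the "anding" of two access codes into a reduced-access code that the description mentions near its end. The bit positions of the six access bits, the inclusive limit, and the function names are assumptions of the example.

```python
"""Model of capability-register address construction and checking (added example)."""
from dataclasses import dataclass

# Bit positions chosen for this example; the description names the two in-form
# bits and the six access bits but does not give their layout.
IN_FORM = 0b11000000                                  # two most significant bits set
READ_DATA, WRITE_DATA = 0b00000001, 0b00000010
READ_CAP, WRITE_CAP = 0b00000100, 0b00001000
EXECUTE_DATA, ENTER_CAP = 0b00010000, 0b00100000
PERM_MASK = 0b00111111                                # the six access bits


class FaultInterrupt(Exception):
    """Where the hardware would raise a Fault Interrupt."""


class TrapInterrupt(Exception):
    """Where an Out-form capability is used and a Trap Interrupt results."""


@dataclass(frozen=True)
class Capability:
    base: int    # 24 bits: top 8 = store module, bottom 16 = offset of block start
    limit: int   # 16 bits: offset at which the block ends (treated as inclusive)
    access: int  # eight-bit access type code

    @property
    def module(self):
        return self.base >> 16

    @property
    def start(self):
        return self.base & 0xFFFF

    def in_form(self):
        return self.access & IN_FORM == IN_FORM


def construct_address(cap, offset, modifier=0, access_kind=READ_DATA):
    """Base + offset (+ modifier), range-checked against base/limit and then
    checked against the access type; returns the absolute store address."""
    if not cap.in_form():
        raise TrapInterrupt("access through an Out-form capability")
    address = cap.base + offset + modifier
    # The block lives in one module: the module bits must be unchanged and the
    # low 16 bits must lie between the base offset and the limit.
    if (address >> 16) != cap.module or not (cap.start <= (address & 0xFFFF) <= cap.limit):
        raise FaultInterrupt(f"address {address:#08x} outside base/limit")
    if cap.access & access_kind != access_kind:
        raise FaultInterrupt(f"access type {access_kind:#04x} not permitted")
    return address


def fetch_instruction(c7, offset):
    """Instruction fetch: the C(7) capability must be of program (Execute Data) type."""
    return construct_address(c7, offset, access_kind=EXECUTE_DATA)


def reduce_access(code_a, code_b):
    """'And' two access codes to derive a reduced capability for a secondary user.
    The check reads 'more restrictive than either' as: the result stays in-form
    and grants no right absent from either original. The explicit subset test is
    an independent check of the AND, in the spirit of the autonomous hardware
    checks the description relies on."""
    result = code_a & code_b
    if result & IN_FORM != IN_FORM:
        raise FaultInterrupt("anded code is not in-form")
    perms = result & PERM_MASK
    if perms & ~(code_a & PERM_MASK) or perms & ~(code_b & PERM_MASK):
        raise FaultInterrupt("anded code is less restrictive than an original")
    return result


def outcome(fn, *args, **kwargs):
    """Run a check and report 'ok', 'fault' or 'trap' (handy for tests)."""
    try:
        fn(*args, **kwargs)
        return "ok"
    except FaultInterrupt:
        return "fault"
    except TrapInterrupt:
        return "trap"
```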
Capability Manipulation Instructions
Unlike a transparent paging scheme, it must be realised that Capabilities represent logical items. It is therefore possible to manipulate the objects identified explicitly by instruction. Indeed, given the segregation of Data from Capabilities, it is possible to permit any programmer the ability to use any of the five capability instructions.
Between them the capability manipulation instructions provide secure facilities for loading any of the base limit registers, passing or copying capability pointers to other capability blocks, testing the access codes and offset value of any capability, calling and returning from a protected procedure through the enter block and swapping the process in execution with a ready to run process by exchanging dump stacks.
Capability Networks
A Capability Pointer Block contains a number of Capability Pointers. These Pointers can point to a number of different types of block. These blocks will be data blocks, code blocks and further capability pointer blocks. In this way complex but ordered data structures can be set up. Each process contains at least one Capability Block, from which other blocks for that process may be accessed directly or via other Capability blocks.
At all stages two independent but crucial requirements are checked, firstly the right of a program to access a particular logical address space is checked, and secondly the physical address values used by the hardware are checked.
Protected Procedures
As a direct result of the aspects of the enter capability mechanism, highly critical procedures, which may execute such essential system facilities as the allocation of dynamic storage, are called as subroutines.
No privileged mode of hardware operation is required at any level, only the ownership of the capabilities appropriate for operation. A procedure can be structured such that it enhances the capability mechanism.
Consider the case of a generalised resource.
A Generalised Resource
A resource supplies some want or deficiency. Each resource is specified in type, limited in access, and unique. The simplest form of resource is a block of memory, of data or capability type, with one or more of the accesses permitted.
A general resource is created from objects more complex than one single block of memory; its type is more varied than simple data or capability type, and access controls require more subtle arrangements.
With capabilities, resources are addressed by unique enter capabilities which are called in order to access the facility provided.
Access to a Resource
Each access code can be implemented as a called program block secured by its referencing capability.
All access code capabilities are indirectly attached to the enter block. Therefore access codes must be addressed indirectly through the single execute capability of the enter block, called the fan-out code, which first checks accessed parameters. Because only the execute block is visible to the caller, faulty call parameters will be detected either by capability checks or software tests.
Reduced Access
Since the fan-out code checks call parameters against legal limitations, it is possible to reduce the access to a resource.
The result is analogous to the simple store block case where a shared block can be addressed by capabilities with differing access rights. When the access to a resource is reduced, a new enter capability addressing a block with limited access codes is created for secondary users.
The creator of the original resource may retain or destroy the full access capability.
Only a resource without reduced access (the original object) can be explicitly released; this is ensured by making the release function one of the access codes, present only for the original resource.
Conclusions
Capabilities therefore provide the means for creating explicit and coherent data structures, each module of which is independently secured by hardware at execution time. The structures are dynamically relocatable, and all code can be re-entrant, so that only one shared copy of any program or common data need exist. Protected procedures and protected subsystems of arbitrary complexity can be created.
These mechanisms are all built upon the firm foundation of capability hardware which validates information paths between the machine and its memory.
From the above it can be seen that access to a resource is only possible through a capability, and extensive checks are performed to guarantee the integrity of the capability loaded into the capability registers. However, because of the total lack of privileged mode working, any user can use the capability manipulating instructions, particularly the "store capability" instruction.
Accordingly, to prevent unauthorised copying of capability pointer tables, each register in the central processing unit (CPU) is provided with a security tag code.
For example a two bit code may be used giving 4 security levels: (00) Top Secret, (01) Secret, (10) Confidential and (11) General.
Each system resource, it will be recalled, is provided with an entry in the system capability table, and included in the "blank" access code area of an entry is a security tag code indicative of the security classification of the related resource (segment). When a capability register is loaded its security tag is conditioned to a state dictated by the capability entry security tag code (BT). Thereafter any attempt to perform a "store register" operation, to store the register contents in a defined segment, must satisfy the condition that the register tag is not lower than the defined segment tag (the write being inhibited when the register tag is lower than that of the segment, as stated above). Hence if a high security classified capability is compromised at any stage the above condition test will fail. Such a test is included in all "store write" instruction sequences and a failure of the test may be used to cause an indication bit (security violation) to be set and entry into a fault interrupt handling process to be performed. Typically each process dump stack may include a count which is decremented for each security violation before fault handler entry proper is effected.
The above security tag arrangement covers direct copying of capability information; however it cannot cover so-called indirect copying situations. Indirect copying arises when the information is manipulated or implied by way of the machine indicators and transferred to the instruction address register. For example, if it is required to copy a word which is in a block having a security tag which is higher than the destination block, then the word could be read and the machine indicators used to indicate the state of each bit using an iterative process, and the stored result of the indicators can be used to reproduce the original data. Also a word could be read and subjected to a known arithmetic or logical operation and the result then stored for deciphering at a later date. To overcome these difficulties tag registers are associated with the instruction address register (AT) and the indicator registers (IT).
Any instruction which sets the indicators includes an arrangement to set the indicator register security tag (IT) to a new value which is the greater of the security tag of the register under test or the previous value of the indicator register security tag value.
By such a mechanism the indicator register contents cannot be stored in a store block having a lower security tag. Further the condition jump instruction could be used to define protected word content and accordingly the micro-sequence is modified so that the new value of the security tag of the instruction address register is set to the greater of its current value or the value of the indicator register security tag.
All register load operations are now constrained by the routine of setting the security tag value (RT) of the register to be loaded in accordance with the following algorithms:
store mode operations: RT := RT (OR) BT (OR) AT
register mode operations: RT := RT (OR) AT
where BT = the security tag code of the store block being accessed to load the register and AT = the security tag code of the instruction address register.
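The tag rules of this and the preceding paragraphs (load propagation, the store check, the IT and AT tags) as an added example for this page: a Python model that is not the patent's microprogram and makes no claim about the Plessey CPU. It ranks the four levels so that a larger number is a higher classification (so "highest" is max() and the claim's "register tag lower than the resource tag" becomes "register classified higher than the destination block", the no-write-down of Fig. 3); it does not model the dump-stack saving of tags on a process change, call or return, and the register-mode rule is read as combining the destination tag, the source tag and AT.

```python
"""Model of register security tags, IT and AT (added example, not from the patent)."""
from dataclasses import dataclass

# Classification ranks chosen for this example; the patent lists two-bit codes
# with Top Secret = 00, but here a larger rank is a higher classification.
GENERAL, CONFIDENTIAL, SECRET, TOP_SECRET = 0, 1, 2, 3


class SecurityViolation(Exception):
    """Where the hardware would set the security-violation indicator bit."""


@dataclass
class Block:
    """A store segment; its tag BT comes from its System Capability Table entry."""
    name: str
    tag: int
    words: list


@dataclass
class Register:
    value: int = 0
    tag: int = GENERAL  # RT


class TaggedCPU:
    def __init__(self):
        self.regs = [Register() for _ in range(8)]
        self.at = GENERAL    # AT: tag of the instruction address register
        self.it = GENERAL    # IT: tag of the machine indicators
        self.zero = False    # the one indicator kept by this model
        self.violations = 0  # the per-process violation count the text mentions

    # store-mode load: RT := RT (OR) BT (OR) AT, i.e. the highest of the three
    def load(self, r, block, offset):
        reg = self.regs[r]
        reg.value = block.words[offset]
        reg.tag = max(reg.tag, block.tag, self.at)

    # register-mode operation (copy, arithmetic, logic): the result carries
    # the highest tag of the destination, the operand and AT
    def alu(self, dst, src, fn):
        d, s = self.regs[dst], self.regs[src]
        d.value = fn(s.value)
        d.tag = max(d.tag, s.tag, self.at)

    def load_immediate(self, r, value):
        reg = self.regs[r]
        reg.value = value
        reg.tag = max(reg.tag, self.at)

    # store write: inhibited when the register holds data classified higher
    # than the destination block (no write-down); counts the violation
    def store(self, r, block, offset):
        reg = self.regs[r]
        if reg.tag > block.tag:
            self.violations += 1
            raise SecurityViolation(f"R{r} tag {reg.tag} > {block.name} tag {block.tag}")
        block.words[offset] = reg.value

    # any instruction that sets the indicators: IT := greater of RT under test and IT
    def test_zero(self, r):
        self.zero = self.regs[r].value == 0
        self.it = max(self.it, self.regs[r].tag)

    # conditional jump: AT := greater of AT and IT, since the branch outcome
    # now encodes protected data
    def jump_if_zero(self):
        self.at = max(self.at, self.it)
        return self.zero


def direct_copy(cpu, src, dst):
    """Copy word 0 of src into word 0 of dst; True if the store went through."""
    cpu.load(0, src, 0)
    try:
        cpu.store(0, dst, 0)
        return True
    except SecurityViolation:
        return False


def indirect_copy(cpu, src, dst):
    """The bit-by-bit route the description warns about: test each bit of a
    protected word via the indicators, branch on it, and store a constant 0 or 1
    into the lower-classified block. Returns how many bits were written before
    the tag mechanism stopped it."""
    cpu.load(0, src, 0)                                 # R0 <- protected word
    written = 0
    for bit in range(8):
        cpu.alu(1, 0, lambda v, b=bit: (v >> b) & 1)    # R1 inherits R0's tag
        cpu.test_zero(1)                                # IT rises to R0's tag
        taken = cpu.jump_if_zero()                      # AT rises to IT
        cpu.load_immediate(2, 0 if taken else 1)        # R2 is tagged with AT
        try:
            cpu.store(2, dst, bit)
        except SecurityViolation:
            return written
        written += 1
    return written
```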
Figs. 2 to 5 show in diagrammatic form various CPU/store operational sequences involving the security tag arrangements.
Fig. 2 shows a "load register" instruction sequence in which register R(X) in the CPU is loaded with the DATA stored in the RESOURCE (storage segment) in the store STS defined by capability C(X). The store input register SDIREG receives the resource address (B + a) formed using the MILL of Fig. 1 by adding the Base Address value from capability register C(X) and the offset value "a" from the instruction word in the instruction register IR. The resource address is sent to the store STS over the store bus SB and this is indicated as (1) in Fig. 2. The DATA read from the store is passed over the store bus SB to register R(X), as indicated by path (2) in Fig. 2, and the security tag RT of register R(X) is set by the tag code conditioning logic TCC in accordance with the current state of the register's tag code, the state of the tag code of the capability register defining the resource or the tag code of the instruction address register SCR. The tag code conditioning logic TCC is incorporated as part of the micro-program PROG of the processor CPU.
The above operation has caused the data in register R(X) to be tagged with a security code which was defined by either the security code of the RESOURCE or the security code of the program accessing the data. At some subsequent time the contents of register R(X) may be written into a resource store block, and Fig. 3 shows the way in which the security tag code prevents the data from being copied into a resource which has a lower classification than the resource from which the DATA was originally copied.
In Fig. 3 the "store DATA" instruction in the instruction register IR causes a location in the RESOURCE defined by capability register C(X) to be accessed (path (1)) and before the data in register R(X) is passed over pa Fig. 3 are again provided by micro-program unit PROG, although the comparator COMP of Fig. 1b is used to compare the security tags RTX and BTX. The control gate GRC equates to gate G14 in Fig. 1b and one of the primary indicators will be caused to indicate a security bit violation.
The processor is arranged to respond to the interrupt condition, evidenced by the setting of SB, as mentioned previously by entering into an interrupt handling process.
Figs. 4 and 5 show the operations involved during the loading and storing of capabilities respectively. The sequence of operations is defined by the numbers 1 to 5 in Fig. 4 and it will be seen that the capability register to be loaded, CR(X), has its security tag BTX conditioned by the code stored in the SYSTEM CAPABILITY TABLE entry x. At the same time a copy of the security code is held in the PROCESS DUMP STACK location corresponding to the capability register to be loaded.
Each time an access is made to stored information the rules of Fig. 3 will be obeyed, the comparison in this case involving capability register tags.
At some subsequent date the capability loaded into the capability register CR(X) of Fig. 4 will be used to access the resource.
Again the numbered paths 1 to 4 indicate the operations performed and the comparator COMP is used in this case to control gate GRC to prevent the passage of the capability pointer from the PROCESS DUMP STACK to the receiving PROCESS CAPABILITY POINTER BLOCK if the security tag code of this POINTER BLOCK is lower than that of the PROCESS DUMP STACK. Again the interrupt bit SB is set in the Fault Indicators and entry into the interrupt handler is made.
The security tags must of course be preserved during a change-process sequence and during entry to (call) and exit from (return) subroutines. When a change-process occurs all the values of RT (i.e. all working and capability register security tags), AT and IT (the indicators security tag) are swapped and the old tags are saved in the dump stack of the old process. The BT tag will of course be renewed by the load capability register operation. During the call micro-sequence all the security tags are preserved as they stand and the AT tag is also saved in the push-down file of the process's dump stack. When the return micro-sequence is performed all the RT tags and the IT tag are preserved and the AT tag is restored to the saved value in the push-down file of the dump stack.
The above description has shown the application of a two bit security code tag arrangement for use in a capability structured data processing device. Obviously the security code could be expanded, thereby giving more levels of classification. Alternatively the access code of each capability may be modified to include a "copyright" bit which when set preserves the copyright of the data block to the process having that resource right. Other processes may be given the same capability but without the copyright bit being set. Such procedures are achieved by allowing, under certain circumstances, the "anding" of access codes with a check to see that the anded code is more restrictive than either of the original access codes. Finally it has been indicated that a security violation sets an indicator bit and causes an automatic entry into a fault handling process.
However this could be exploited to invade security classified information and accordingly the system may be conditioned to carry on in a normal manner, simply having prevented the potential invading access from occurring. In such circumstances it may be necessary to have the ability to disable the security tag mechanism while system acceptance tests are being performed.
Finally the use of a security tag code for each system resource provides a readily usable mechanism for preventing a user printing out unauthorised information simply because the terminal he would use would not carry the required security tag classification.
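As an added example (not part of the patent), the following Python model implements the tagging rules of the description above: a load sets the register tag to the highest of the tags involved, a store is inhibited when the destination resource is lower-classified than the register's tag, and a counter in the style of claim 5 raises a fault interrupt after a limit is reached. The names Register, Resource and Processor, the 0..3 tag values and the limit of 3 are assumptions.

```python
"""Added example, not the patent's own code: a model of the register and
resource security-tag rules (taint on load, no write to a lower-classified
resource, a violation counter as in claim 5).  Tags are a constructed
two-bit code 0..3, where 0 is the lowest classification."""
from dataclasses import dataclass, field

VIOLATION_LIMIT = 3  # constructed "predetermined value" for the counter


@dataclass
class Register:
    value: int = 0
    tag: int = 0  # RT for a working register, BT for a capability register


@dataclass
class Resource:
    name: str
    tag: int                    # security class tag of the resource
    cells: list = field(default_factory=lambda: [0])


class Processor:
    def __init__(self):
        self.sb = False       # security-bit fault indicator (claim 4)
        self.violations = 0   # counter kept in the process dump stack (claim 5)

    def load(self, reg, resource, addr_reg, index=0):
        """Register load from a resource: the tag becomes the highest of the
        register's current tag, the resource's tag and the tag of the
        capability (address) register used to reach the resource."""
        reg.value = resource.cells[index]
        reg.tag = max(reg.tag, resource.tag, addr_reg.tag)
        return reg.tag

    def move(self, dst, src):
        """Register-to-register load (claim 2): tag = highest of both."""
        dst.value = src.value
        dst.tag = max(dst.tag, src.tag)
        return dst.tag

    def store(self, reg, resource, index=0):
        """Store to a resource (Fig. 3): gate GRC blocks the write when the
        destination's classification is lower than the register's tag.
        Returns True if the write happened, False if it was inhibited."""
        if resource.tag < reg.tag:
            self.sb = True
            self.violations += 1
            if self.violations >= VIOLATION_LIMIT:
                raise RuntimeError("fault interrupt: too many violations")
            return False
        resource.cells[index] = reg.value
        return True
```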
Claims (6)

WHAT WE CLAIM IS:-
1. A data processing system for handling, in a time-sharing manner, a number of processes, which system includes a memory and at least one processing device co-operating with the memory to execute a process wherein the said memory provides storage for a table of system resources and each process is provided with a list of resources to which it is to be permitted access and each entry in the table of system resources includes a security class tag and each data processing device includes a plurality of registers for use in accessing a system resource and each such register includes a security tag and the processing device further includes (i) first means arranged in operation to set the security tag of a register when it is loaded with data, (ii) second means arranged in operation to compare the security tag of a register with the security tag of the system resource to be accessed when the contents of the said register are to be used in a write access operation and (iii) third means arranged in operation to inhibit the resource write access operation when the security tag of the said register is lower than that of the said resource to be accessed and in which for use during the performance of register load operations involving system resources the processor includes means arranged in operation to set the security tag of the register to be loaded to the highest security code indicated by the current setting of the register's security tag, the security code of the resource from which the register is to be loaded and the security code of the address register involved in the loading of the register.
2. A data processing system according to claim 1 wherein for use during the performance of a register load operation involving passage of data from one register to another within the processing device it includes means arranged in operation to set the security tag of the register to be loaded to the highest security code indicated by the current setting of the register's security tag and the security code of the address register involved in the loading of the register.
3. A data processing system according to claim 1 wherein the security tag setting of a register is saved in a process dump stack when a change process operation occurs.
4. A data processing system according to claim 1 wherein a security isolation indication bit is set each time said third means inhibits the resource access.
5. A data processing system according to claim 4 in which a process dump stack includes a counting means which records the number of security violations which occur and the data processing device includes means arranged in operation to cause a fault interrupt when said counter means reaches a predetermined value.
6. A data processing system substantially as described herein with reference to the accompanying drawings.
GB3191676A 1976-07-30 1976-07-30 Information flow security mechanisms for data processing systems Expired GB1585960A (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
GB3191676A GB1585960A (en) 1976-07-30 1976-07-30 Information flow security mechanisms for data processing systems
SG49283A SG49283G (en) 1976-07-30 1983-08-10 Information flow security mechanisms for data processing systems
HK31683A HK31683A (en) 1976-07-30 1983-08-25 Information flow security mechanisms for data processing systems
MY351/84A MY8400351A (en) 1976-07-30 1984-12-30 Imformation flow security mechanisms for data processing systems

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
GB3191676A GB1585960A (en) 1976-07-30 1976-07-30 Information flow security mechanisms for data processing systems

Publications (1)

Publication Number Publication Date
GB1585960A true GB1585960A (en) 1981-03-11

Family

ID=10330306

Family Applications (1)

Application Number Title Priority Date Filing Date
GB3191676A Expired GB1585960A (en) 1976-07-30 1976-07-30 Information flow security mechanisms for data processing systems

Country Status (4)

Country Link
GB (1) GB1585960A (en)
HK (1) HK31683A (en)
MY (1) MY8400351A (en)
SG (1) SG49283G (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0040703A1 (en) * 1980-05-23 1981-12-02 International Business Machines Corporation Enhancements in system/370 type of data processing apparatus
GB2127994A (en) * 1982-09-29 1984-04-18 Apple Computer Memory management unit for digital computer
EP0327707A2 (en) * 1988-02-10 1989-08-16 International Business Machines Corporation Nonhierarchical program authorization mechanism
US4926316A (en) * 1982-09-29 1990-05-15 Apple Computer, Inc. Memory management unit with overlapping control for accessing main memory of a digital computer
GB2230881A (en) * 1989-04-28 1990-10-31 Christopher William Cowsley Data storage protection
GB2274524A (en) * 1993-01-25 1994-07-27 Newbourne Limited Data security in a network file server.

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0040703A1 (en) * 1980-05-23 1981-12-02 International Business Machines Corporation Enhancements in system/370 type of data processing apparatus
GB2127994A (en) * 1982-09-29 1984-04-18 Apple Computer Memory management unit for digital computer
US4926316A (en) * 1982-09-29 1990-05-15 Apple Computer, Inc. Memory management unit with overlapping control for accessing main memory of a digital computer
EP0327707A2 (en) * 1988-02-10 1989-08-16 International Business Machines Corporation Nonhierarchical program authorization mechanism
EP0327707A3 (en) * 1988-02-10 1991-03-13 International Business Machines Corporation Nonhierarchical program authorization mechanism
GB2230881A (en) * 1989-04-28 1990-10-31 Christopher William Cowsley Data storage protection
GB2274524A (en) * 1993-01-25 1994-07-27 Newbourne Limited Data security in a network file server.

Also Published As

Publication number Publication date
MY8400351A (en) 1984-12-31
HK31683A (en) 1983-09-02
SG49283G (en) 1985-03-08

Similar Documents

Publication Publication Date Title
KR860000838B1 (en) Improved memory proterction system using capability registers
US4486831A (en) Multi-programming data processing system process suspension
CA1313424C (en) Nonhierarchical program authorization mechanism
US5280614A (en) Apparatus and method for controlling access to data using domains
CA1205564A (en) Program counter stacking method and apparatus for nested subroutines and interrupts
US4926476A (en) Method and apparatus for secure execution of untrusted software
US6854039B1 (en) Memory management system and method providing increased memory access security
US6823433B1 (en) Memory management system and method for providing physical address based memory access security
US4979098A (en) Multiple address space token designation, protection controls, designation translation and lookaside
CN1307535C (en) Trusted client utilizing security kernel under secure execution mode
US4945480A (en) Data domain switching on program address space switching and return
US8051301B2 (en) Memory management system and method providing linear address based memory access security
US4866599A (en) Call instruction, return instruction and trap procedure for ring crossing architecture
CN101201885A (en) Tamper protection of software agents operating in a vt environment methods and apparatuses
GB2499277A (en) Checking write access to shared resources in a multithreaded processor
US4383297A (en) Data processing system including internal register addressing arrangements
JPS6017135B2 (en) data processing equipment
WO2003050688A2 (en) System and method for handling device accesses to a memory providing increased memory access security
US4703417A (en) Call instruction for ring crossing architecture
KR100791815B1 (en) Privilege promotion based on check of previous privilege level
GB1585960A (en) Information flow security mechanisms for data processing systems
CA1308202C (en) Access register translation means for address generating mechanism for multiple virtual spaces
JP2001519940A (en) Microcomputer
EP0285309A2 (en) Memory protection apparatus for use in an electronic calculator
JPH05241965A (en) Memory managing device

Legal Events

Date Code Title Description
PS Patent sealed
732 Registration of transactions, instruments or events in the register (sect. 32/1977)
PCNP Patent ceased through non-payment of renewal fee