In recent years it has become increasingly important to provide a secure environment for executing software programs within computer systems. Malicious software programs have increased in sophistication to a point where software-based security solutions, by themselves, frequently fail to provide adequate protection against such malicious programs. For example, buffer overflow attacks, where values stored in memory (e.g., a return address) are selectively replaced by exceeding the boundaries of a data buffer, demonstrate just how sophisticated these malicious programs have become.
Many computers achieve a degree of protection against these malicious programs by segregating the hardware of a system, as well as the software executing on the hardware, into secure and non-secure levels of operation. Hardware is designated as secure, non-secure, or mixed-mode hardware (capable of either secure or non-secure levels of operation). Similarly, software is designated as either secure or non-secure software, and is stored and/or operated within hardware with a matching security designation or level. Thus, for example, secure software is stored in secure memory, and executed on a processor operating at a secure level. Although resources of a given security designation may access resources of an equal or lower designation, a resource is generally prohibited from accessing resources of a higher security designation.
This type of combined hardware and software segregation provides protection by restricting the manner in which secure and non-secure resources interact, and by designing at least some of these restrictions into the system hardware. Thus, for example, a non-secure program, executing on a processor operating at a non-secure level, is prohibited from accessing a secure resource, such as a value stored within secure memory. A violation of such a restriction may cause the system hardware to generate a trap or exception. The system may be configured to initiate a number of actions in response to the trap or exception. Such actions may include, for example, special software processing of the violation, a system reset, or a system shutdown.
Other security issues may remain in segregated systems, however. For example, although a non-secure resource cannot access a secure resource, a non-secure resource can potentially interfere with the calls to and returns from routines that occur while a system is transitioning between secure and non-secure levels of operation. In systems that only monitor violations across security boundaries, such interference with calls and returns may go undetected and unprevented, since the interference may not violate a security boundary or any other security constraint within the system.