Computer security has become an intensely studied and vital field of research in academic, governmental, and commercial computing organizations. While manufacturers and users of computing systems have, for many years, attempted to provide fully secure computer systems with controlled access to stored data, processing resources, and other computational resources within the computer systems, fully secure computer systems currently remain elusive. The need for security has been heightened by public awareness of Internet-related fraud, several high visibility banking-related crimes, and, more recently, the threat of malicious viruses and terrorist-directed cyber assaults.
A fully secure computer needs to be designed on the basis of a comprehensive identification of the myriad different potential vulnerabilities and threats to secure operation of the secure computer system. In general, a fully secure computer system needs to maintain tight security over certain internal resources and isolate and closely monitor external inputs and outputs to insure that external entities, such as external devices, remote computers, and users, cannot access and/or corrupt the internal resources, including portions of system memory within a modern computer system. As computers have evolved to include greater numbers of more complex and capable components, the number of different potential vulnerabilities has greatly increased. Design of fully secure computers is thus a dynamically evolving task that continues to grow in complexity with the evolution of computer hardware. The transfer of data into, and out from, computer systems, for example, involves a set of components that have evolved in ways that increase the potential for unauthorized access of system resources.
FIGS. 1A-D illustrate an initial approach employed within computer systems to transfer data back and forth between internal memory and mass storage devices and communications devices. FIGS. 1A-D employ the same illustration conventions as FIGS. 2A-D and 4A-B, to be discussed below. These illustration conventions are described with respect to FIG. 1A, but will not be repeated in the interest of brevity. FIG. 1A shows important components within a computer system that are involved in input and output (“I/O”) data transfers. In FIG. 1A, a central processing unit (“CPU”) 102, at least one level of cache memory 104, and main memory 106 are interconnected by a system bus 108. In FIG. 1A, an exemplary I/O device, disk drive 110, is controlled by a disk-drive controller 112. The disk-drive controller 112 is connected to an I/O bus 114, to which many additional I/O controllers, not shown in FIG. 1A, may be connected. A bus bridge device 116 interconnects the system bus 108 with the I/O bus 114. Bus bridge devices were initially devised in order to buffer timing and protocol differences between different types of buses, such as the high-speed, synchronous system bus 108 and the lower-speed, asynchronous I/O bus 114.
FIGS. 1B-D illustrate a READ operation initiated by the CPU to READ a block of data from the disk drive to system memory. The CPU 102 initiates the READ operation by controlling signal lines of the system bus 108 to direct a READ operation command to the disk-drive controller 112 via the system bus 108, bus bridge 116, and I/O bus 114. A microprocessor 118 within the I/O controller 112 receives the READ request and, in turn, when the requested data is not resident within a memory cache within the I/O controller, directs a disk READ request to the disk drive 110 and receives the requested data. Next, as shown in FIG. 1C, the I/O controller 112 transmits the requested data, read from the disk drive, back through the I/O bus 114, bus bridge 116, and system bus 108 to the CPU 102. Finally, as shown in FIG. 1D, the CPU writes the received data to one or both of the cache memory 104 and main memory 106. Of course, many additional details are involved in I/O-data transfers, including data buffering within I/O controllers and system memory, detailed device/control program interfaces, and other such details.
In early computers, the operation illustrated in FIGS. 1B-D was carried out for each word of data moved from the I/O controller 112 to memory 106. I/O data transfer was quickly identified as a bottleneck with respect to system performance, because the CPU devoted a large portion of available CPU cycles to I/O data transfers, and the latency for all types of tasks increased with the decrease in available CPU cycles. However, from the standpoint of security, the initial I/O data transfer method, illustrated in FIGS. 1B-D, afforded to a system designer the opportunity for highly secure I/O data transfer. In such systems, the CPU is directly involved in the transfer of each word, or unit, of data, and initiates all I/O data transfers. Moreover, only the CPU initiates READ and WRITE operations directed to system memory and the CPU generally allocates a portion of memory 120 to be used as an I/O data buffer. With appropriate operating system implementation, I/O data transfers can be restricted to read from, and write to, only the portion of system memory 120 allocated as an I/O buffer region.
The performance bottleneck caused by direct CPU intervention in each word-sized I/O data transfer motivated system designers to introduce I/O controllers into systems to manage I/O data transfer, offloading much of the processing overhead of I/O data transfers from the CPU to the system controller. FIGS. 2A-D illustrate a direct-memory access (“DMA”) method for facilitating and controlling I/O data transfer. Comparing FIG. 2A to FIG. 1A, it can be seen that a new processing element 202 is introduced into I/O controller 112. The new processing element 202 is referred to as a DMA engine. In many systems, DMA engines may be included in various other system components, including system controllers. In many systems, multiple DMA engines are employed. Regardless of how many DMA engines are present, and where the DMA engines are located, DMA engines allow for direct, DMA-mediated I/O data transfers by external devices, such as I/O controllers, to main memory 106.
A READ operation carried out using DMA-mediated I/O data transfer is illustrated in FIGS. 2B-D. First, as shown in FIG. 2B, the CPU 102 initiates the READ operation by controlling signal lines of the system bus 108 to send a READ message to the disk-drive controller 112, as in the previous method shown in FIG. 1B. Note, however, that in some systems, the CPU must also, in a separate step, initialize the system controller 116 with system-bus/I/O-bus translations in order to carry out the subsequent READ operation. Next, in FIG. 2C, the disk-drive controller 112 interacts directly with the DMA engine 202 to prepare for the READ operation. Finally, as shown in FIG. 2D, the disk-drive controller 112 repeatedly accesses the disk-drive 110 to fetch successive blocks of stored data and transfers the data, under control of the DMA engine 202, to main memory 106. Following completion of the READ operation, the disk-drive controller may return a READ completion acknowledgment, via an interrupt, to the CPU 102.
DMA-mediated I/O data transfer offloads an enormous amount of processing from the CPU, and even low-end, modern computers generally employ a number of cascaded DMA engines in order to preserve sufficient CPU processing cycles for modern system needs. However, unlike in the original I/O data transfer method, illustrated in FIGS. 1A-D, the processor no longer has direct control over each access to main memory. Instead, an I/O controller may initiate READ or WRITE operation, via the DMA engine, directed to main memory. This direct access by a processing element external to the CPU may constitute a significant potential security vulnerability, because memory protections mechanisms are commonly built into the processor, including privilege levels and attributes associated with memory regions. For this reason, designers, manufacturers, and users of computer systems, and, particularly designers of secure computer systems, have recognized the need for a method and system that allows offloading I/O-data-transfer processing from one or more CPUs of a computer system, but that does not expose portions of memory containing confidential information to processing elements external to the CPU.