1. Field of the Invention
The present invention relates generally to systems and methods for implementing multi-level protection of memory domains, and more particularly to implementing N levels of memory domain protection on hardware that only supports two levels of memory domain protection.
2. Discussion of Background Art
Memory domain protections are a necessary part of any computer architecture. Traditionally, computer architectures have illustrated protection of memory domains with a set of concentric circles, i.e. memory domain rings, centered around an operating system. The operating system controls access to a computer's peripheral devices, internal memory, and processing unit. The operating system controls the most trusted memory domain within a computer.
Moving from the operating system outward, each memory domain ring represents a memory domain which is less trusted than the memory domain which it encloses. Finally, at the outer periphery of the memory domain rings is a memory domain containing user code. User code consists of any number of application programs that a user typically interacts with directly via a keyboard or some other input device. User code represents the least trusted memory domain within the computer.
Typically, a large portion of the operating system is written to protect the computer from blindly executing programming instructions contained in the less trusted memory domains. These protections, however, not only increase the size of the operating system code but also severely slow down the computer's operation regardless of the level of trust from which the programming instructions originated.
The memory domain ring concept recognizes the fact that some code is more trusted and thus need not be subject to rigorous operational checks by the operating system. As a result, computer architectures implemented with memory domain rings may operate faster since more trusted code is spared protective computer checks before the computer is commanded to perform various operations.
The current memory domain ring concept, however, does not support cases where co-dependent applications are equally trusted, and thus the operating system would still perform its rigorous checks whenever the co-dependent applications communicate with each other, even though such checks would be unnecessary.
Additionally, only hardware implementations of the memory domain concept exist. Thus, to achieve three levels of memory domain protection, the computer's hardware must be set up specifically for three levels of protection. And, to achieve ten levels of memory domain protection, the computer's hardware must be set up specifically for ten levels of protection. Due to the expense and complexity of implementing such specific multi-level protection in hardware, only the most expensive or specialized of computers support more than two levels of protection. The two levels support a most trusted memory domain for the operating system and a less trusted memory domain for user application programs.
Today, with the increasing complexity of computer system operation and the tendency toward developing specialized software that is much more trusted than a typical user application, there is a need for a computer supporting multiple levels of memory domain protection without increasing the computer's hardware complexity.
More specifically, what is needed is a better system and method for implementing N levels of memory domain protection.
The present invention is a system and method for multi-level memory domain protection. The present invention enables three levels of memory domain protection to be achieved on computer hardware that supports only two levels of protection. These three levels are created by first defining a domain process, including an operating system, domain code and data, and user code and data. Next, a user process having the operating system, a reserved portion, and the user code and data is defined. While the operating system is protected from the domain code and data by the normal two-level hardware protections, the reserved portion is a software construct which is created to protect the domain code from the user code. By defining a reserved portion within the user process, a third level of protection is created on hardware that supports only two levels of memory domain protection. The three memory domain levels are an operating system level, a domain level, and a user level. The operating system executes a context switch between the user process and the domain process at the request of either the user code or the domain code. These requests are executed by the operating system code using a handshake procedure. Any number of levels of memory domain protection may be implemented simply by creating additional domain processes and performing additional context switches.
Within the system of the present invention, a user process executes user code that accesses user data and executes user-to-domain control transfer instructions. A domain process executes domain code that accesses domain data or user data and executes domain-to-user control transfer instructions or domain-to-user data access instructions. The user code or the domain code that contains either the control transfer instructions or the data access instructions is called the calling-code. The user code or the domain code that the control transfer instructions or the data access instructions are transferring control to or accessing data from is called the target. The user-to-domain control transfer instructions and the domain-to-user control transfer instructions are maintained in call gates.
Call gates implement the mechanism for transferring control from one protection level to another in the multiple level memory domain protections architecture. A user call gate implements a control transfer from the user level to the domain level. A domain call gate initiates a control transfer from the domain level to the user level. Data transfers, required by data access instructions, do not require call gates.
A user call gate and a domain call gate are respectively added to the user code and the domain code. A call gate may call the operating system via a system call to effect a level change. The operating system causes the level change by performing a context switch. A user-to-domain call gate will cause a context switch between a user process and a domain process. A domain-to-user call gate will cause a context switch between a domain process and a user process.
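The scheme described above, as an added illustrative model that is not part of the patent: two hardware levels (supervisor and user), a user process whose domain region is left unmapped as the "reserved portion", and call gates that trap to the operating system, which validates the request and performs the context switch. The class and gate names are assumptions chosen for the illustration.

```python
# Added model, not the patent's own implementation.
OS, DOMAIN, USER = "os", "domain", "user"

class Process:
    """Address space as the process sees it: region -> hardware level,
    or None for the reserved portion, which is simply not mapped."""
    def __init__(self, name, mapping):
        self.name, self.mapping = name, mapping

# The hardware knows only two levels: supervisor (OS) and user (everything else).
# The domain process maps domain and user data; the user process leaves the
# domain region unmapped, so user code cannot reach domain code or data.
DOMAIN_PROCESS = Process("domain", {OS: "supervisor", DOMAIN: "user", USER: "user"})
USER_PROCESS   = Process("user",   {OS: "supervisor", DOMAIN: None,   USER: "user"})

class Machine:
    def __init__(self):
        self.current = USER_PROCESS
        # Call gates registered with the OS: gate -> (calling process, target process).
        self.gates = {"user_gate":   (USER_PROCESS, DOMAIN_PROCESS),
                      "domain_gate": (DOMAIN_PROCESS, USER_PROCESS)}

    def access(self, region, mode="user"):
        """Ordinary two-level hardware check plus the software-created third level."""
        hw_level = self.current.mapping[region]
        if hw_level is None:
            return "fault: reserved portion"      # third level, created in software
        if hw_level == "supervisor" and mode != "supervisor":
            return "fault: protection"            # second level, enforced by hardware
        return "ok"

    def call_gate(self, gate):
        """System call: the OS checks the gate is valid for the caller, then switches."""
        src, dst = self.gates[gate]
        if self.current is not src:
            return "fault: gate not valid from " + self.current.name
        self.current = dst                         # context switch performed by the OS
        return "switched to " + dst.name

def demo():
    """User code probes each region, crosses to the domain, probes again, returns."""
    m = Machine()
    return [m.access(USER), m.access(DOMAIN), m.access(OS),
            m.call_gate("domain_gate"), m.call_gate("user_gate"),
            m.access(DOMAIN), m.access(USER), m.access(OS),
            m.call_gate("user_gate"), m.call_gate("domain_gate")]
```

Adding a fourth level is a matter of defining another process and another gate pair, as the summary states.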
The circuit of the present invention is particularly advantageous over the prior art because it enables any number of memory domain protection levels to be implemented on hardware that only supports two levels of memory domain protection.
These and other aspects of the invention will be recognized by those skilled in the art upon review of the detailed description, drawings, and claims set forth below.