In some circumstances, it is desirable to have an isolated or “curtained” portion of memory, to which access is restricted. For example, a computer may run two operating systems side-by-side, in which one operating system is secure and the other is not. In this case, it is desirable for the secure operating system to have a curtained memory in which it can store secret information that cannot be accessed by the non-secure operating system.
One way to implement curtained memory is through address translation control. Many modern computers use a virtual memory system, in which software running on the computer addresses the memory using virtual addresses, and a memory management unit uses a set of address translation maps to translate the virtual addresses into physical addresses. Typically, each process has its own address translation map, so that the mapping between virtual and physical addresses changes from process to process. It is possible to configure a given process's address translation map such that the process's map does not expose to the process any virtual address for a given block (e.g., page) of physical memory. Thus, by ensuring that only secure processes have virtual addresses for a given block of physical memory, it is possible to implement curtained memory by controlling the contents of the address translation maps.
One problem that arises when such a mechanism is used to implement curtained memory is that, since the address translation maps are stored in memory, every operation that writes the memory could potentially affect the maps, and thus might cause a virtual address for curtained memory to be exposed to a process that should not have access to curtained memory. One way to prevent such a virtual address from being exposed is to check every element of every map each time a write operation on the memory is performed in order to ensure that no page of curtained memory has a virtual address in the map of any process that should not have access to the curtained memory. However, given the frequency of write operations, this technique is inefficient.
In view of the foregoing, there is a need for a mechanism that overcomes the drawbacks of the prior art.