This invention relates to data processing systems and more specifically to an architecture to prevent compromise (i.e., unauthorized dissemination) of data in a multi-level secure environment.
The efficiencies attendant to sharing hardware resources and the communication requirements of large systems dictate the need to handle data of multiple security levels within the same data processing system. Department of Defense Directive Number 5200.28, Dec. 18, 1972, provides an overall statement of Defense Department policy regarding security of data within data processing systems. Section VI provides the minimum requirements. The normal method of preventing compromise of data in an environment containing multiple security levels is to produce a computer containing CPU(s) that are separated into one or more executive or control states and one or more task or worker states. Execution in a task state prohibits the use of certain computer instructions and bounds memory access to previously defined limits in terms of types of access (i.e., read, write, instruction execution, etc.) and areas of access (i.e., which addressable locations). Many CPUs have been designed which can prohibit compromise of data from one task state computer program to another. The applications software or computer programs that perform most of the data processing system functions are executed in task states.
Control software is needed, however, to perform those housekeeping and administrative chores associated with resource sharing and with enforcement of task state limitations. This control software is normally called an executive program. The executive program, by virtue of executing in one or more executive states, can execute those instructions not permitted in the task state and is not precluded, by hardware, from accessing any data within the CPU's memory. These capabilities are required by the executive program to enable it to perform its functions, but they also give the executive program the capability to compromise secure data. Therefore, such systems normally require the executive program to maintain a security level and degree of protection at least equal to that of the highest security level and of the highest degree of protection of any data in the system. Furthermore, unauthorized modification of the executive program alone can cause compromise of the entire data base of the system.
The present invention provides an alternative architecture that separates the data protection functions from the other executive functions and embeds those data protection functions into hardware. The result is a data processing system whose data base cannot be compromised unless both software and hardware are modified (i.e., in an unauthorized way).
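The contrast between the two architectures can be modelled in a few lines. The following is an added illustration, not a description of the patent's actual hardware: it models a task-state bounds check that the executive state bypasses (the conventional design) beside a security-level comparison that is performed by hardware on every access regardless of CPU state (the separated, hardware-embedded protection function). The memory map, the four-level scale and the clearance values are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum, auto
from typing import Optional


class Access(Enum):
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()


class State(Enum):
    TASK = auto()
    EXECUTIVE = auto()


@dataclass(frozen=True)
class Region:
    """An addressable area with a security level and the access types a task state may use."""
    lo: int
    hi: int               # inclusive upper bound
    level: int            # constructed scale: 0 = lowest ... 3 = highest security level
    allowed: frozenset    # set of Access permitted to task-state programs


# Constructed memory map: a low-level working area and a high-level data area.
MEMORY_MAP = [
    Region(0x0000, 0x0FFF, level=0, allowed=frozenset({Access.READ, Access.WRITE, Access.EXECUTE})),
    Region(0x1000, 0x1FFF, level=3, allowed=frozenset({Access.READ})),
]


def region_for(addr: int) -> Optional[Region]:
    """Return the region containing addr, or None if the address is outside every defined area."""
    return next((r for r in MEMORY_MAP if r.lo <= addr <= r.hi), None)


def conventional_check(state: State, clearance: int, addr: int, access: Access) -> bool:
    """Conventional design: limits apply only in task state; hardware does not restrict the executive."""
    if state is State.EXECUTIVE:
        return True
    r = region_for(addr)
    return r is not None and access in r.allowed and r.level <= clearance


def hardware_protected_check(state: State, clearance: int, addr: int, access: Access) -> bool:
    """Separated design: the level comparison is done by hardware on every access, in either state."""
    r = region_for(addr)
    if r is None or r.level > clearance:      # hardware data-protection check, not bypassed by executive state
        return False
    if state is State.EXECUTIVE:
        return True                           # executive keeps its exemption from task-state instruction/area limits
    return access in r.allowed


def executive_read_outcomes(clearance: int, addr: int):
    """(conventional, hardware-protected) result of an executive-state read on behalf of a task at `clearance`."""
    return (conventional_check(State.EXECUTIVE, clearance, addr, Access.READ),
            hardware_protected_check(State.EXECUTIVE, clearance, addr, Access.READ))
```

A modified executive servicing a level-0 task can read the level-3 area in the conventional model but not in the hardware-protected one, which is the property the text describes: compromise now requires modifying the hardware check as well as the software.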