In both civil and military arenas, providing secure computer transactions is an ever-increasing concern. Since an operating system (OS) controls the allocation and usage of computer hardware resources (e.g., memory, central processing unit, peripheral devices, and disk space), such a system plays a pivotal role in controlling both internal and external security threats. For example, an OS may have the ability to prevent unauthorized use of computer hardware resources. Conversely, if an OS does not prevent or limit the damage of an unauthorized access, the entire computer/network system may be compromised.
A current approach known as Multiple Independent Levels of Security (MILS) architecture has been implemented within operating systems to address the problem of operating system security. The MILS architecture utilizes a layered approach which ensures that programs and data in one partition are inaccessible to any other partition. The separation assurance is made by using a Memory Management Unit (MMU) of a microprocessor to allow any program running in User Mode to access only memory regions assigned to a particular partition. In this manner, data from distinct security classifications, e.g., Secret versus Top Secret, may be kept separate as if they resided in physically distinct processing units.
The MILS architecture is limited by the currently available system configurations with which the architecture is associated. For instance, when data is passed to and from I/O devices, the data must pass through the processor's interface device (e.g., memory and I/O bus controller), leaving the data highly vulnerable to intentional or accidental movement to, or monitoring from, illicit locations. For example, when data is placed onto a standard, multi-drop I/O bus, such as PCI® or PCI-X® (registered trademarks of PCI-SIG, the Peripheral Component Interconnect Special Interest Group), any device on the bus may read the data. As such, the currently available interface devices expose data to the I/O buses and to leakage into or out of memory regions belonging to another partition, thus breaking down any guarantee of separation for the MILS environment.
Therefore, it would be desirable to provide a device and method that extends MILS partitioning to the I/O devices.
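The separation gap described above can be seen in a small model, added here as an illustration and not taken from the original text: the MMU check stops one partition from reading another's memory, yet a transfer placed on a multi-drop bus is latched by every attached device. The partition layout, device table and function names are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: two partitions own disjoint halves of a 64-byte memory. */
enum { SECRET, TOP_SECRET, NPART, NDEV = 3, MEM = 64 };
struct region { size_t base, len; };
static const struct region part_region[NPART] = { {0, 32}, {32, 32} };
static uint8_t memory[MEM];

/* MMU check: a user-mode access must lie wholly inside the caller's region. */
int mmu_allows(int part, size_t addr, size_t len) {
    if (part < 0 || part >= NPART) return 0;
    const struct region *r = &part_region[part];
    return addr >= r->base && len <= r->len && addr - r->base <= r->len - len;
}

/* CPU read mediated by the MMU: 0 on success, -1 on a partition fault. */
int cpu_read(int part, size_t addr, uint8_t *out, size_t len) {
    if (!mmu_allows(part, addr, len)) return -1;
    memcpy(out, memory + addr, len);
    return 0;
}

/* Multi-drop bus: every attached device latches every transfer it sees. */
struct device { int owner_part; uint8_t seen[MEM]; size_t seen_len; };
static struct device bus[NDEV] = { {SECRET}, {TOP_SECRET}, {SECRET} };

/* Send a partition's own data to device `target`. Returns how many devices of
 * another partition also observed it, or -1 if the MMU refused the read. */
int bus_write(int part, size_t addr, size_t len, int target) {
    uint8_t buf[MEM];
    if (cpu_read(part, addr, buf, len) != 0) return -1;
    int leaked = 0;
    for (int d = 0; d < NDEV; d++) {      /* the bus carries no partition tag */
        memcpy(bus[d].seen, buf, len);
        bus[d].seen_len = len;
        if (d != target && bus[d].owner_part != part) leaked++;
    }
    return leaked;
}
int main(void) {
    uint8_t tmp[8];
    memset(memory + 32, 0xA5, 32);        /* constructed Top Secret data */
    printf("MMU result for Secret reading Top Secret: %d\n", cpu_read(SECRET, 32, tmp, 8));
    printf("foreign devices that saw the write: %d\n", bus_write(TOP_SECRET, 32, 8, 1));
    return 0;
}
```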