Many computing environments process and transmit information having different security classification levels. For example, military computing environments process classified information having security levels such as top secret and secret, as well as unclassified information. Typically, unclassified information is separated from classified information in these computing environments, so that classified information is not improperly passed to an unsecured computing environment. Keeping unclassified information separated from classified information has dictated separate processing environments and interconnection networks, such as separate black processing environments for processing unclassified or encrypted data, and red processing environments for processing unencrypted classified data.
Partitioned processing environments have been developed that enable a single processor to host Multiple Independent Levels of Security (MILS). For example, the AAMP7G processor manufactured by Rockwell Collins of Cedar Rapids, Iowa utilizes a National Security Agency (NSA) certified brickwall Partition Management Unit (PMU) to enforce separation of processes in hardware, while a MILS Real Time Operating System (RTOS) provides process separation by means of a software-implemented partitioning environment, which can operate on Commercial Off-The-Shelf (COTS) processors.
In current MILS systems, the operating system may provide separation assurance (e.g., create distinct partitions) by utilizing the processor's Memory Management Unit (MMU). However, the memory protection provided by such partitioning is only effective for processor-originated actions (e.g., execute, read, write). Thus, the remainder of the MILS system, including all connected Input/Output (I/O) devices, is not controlled by the operating system's partitioning activities. This may be problematic in situations where the I/O devices are high capacity I/O devices and require Direct Memory Access (DMA) to operate. During DMA operations, data may be transferred between main memory and an I/O device via a bus, without passing the data through the processor (i.e., CPU) and therefore without passing through the access checks the MMU applies to processor-originated accesses. Essentially, the I/O device becomes the "bus master" and may place an arbitrary address on the bus, making it possible for the I/O device to read or write anywhere in system memory, including memory belonging to a partition of a different security level. Although some bus controllers may be able to protect some memory regions during DMA operations, they may not necessarily be able to restrict access to a partition's memory when multiple I/O devices on the same bus are utilizing DMA. Further complicating matters is that DMA operations performed during time critical partitions may take away precious processor cycles while the I/O device controls the memory bus.
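The following C model is added here as an illustration of the problem just described; it is not part of the original description and does not represent the AAMP7G, its PMU, or any real MMU or bus controller. It simulates a two-partition system (red and black) in which processor accesses are checked against a page-ownership table, but a bus-mastering device is not, so a DMA transfer programmed by a device serving the black partition copies red's data into black-owned memory where the black CPU can then read it. Alongside it is a hardened DMA path that applies the same page-ownership check to every page a transfer touches, on behalf of the partition the device is bound to, and also refuses a transfer that merely straddles a partition boundary. The memory layout, addresses, partition identifiers and all function names are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (hypothetical): 16 pages of 256 bytes. Pages 0-7 belong
 * to the red (classified) partition, pages 8-15 to the black partition. */
#define PAGE_SIZE 256u
#define NPAGES    16u
#define MEM_SIZE  (PAGE_SIZE * NPAGES)

enum { PART_RED = 1, PART_BLACK = 2 };

static uint8_t mem[MEM_SIZE];
static int     page_owner[NPAGES];

/* A device that programs the DMA engine; bound to the partition it serves. */
struct dma_device { int partition; };

static void setup(void) {
    memset(mem, 0, sizeof mem);
    for (unsigned p = 0; p < NPAGES; p++)
        page_owner[p] = (p < NPAGES / 2) ? PART_RED : PART_BLACK;
}

/* True only if every page of [addr, addr+len) is owned by `partition`. */
static bool owns_range(int partition, uint32_t addr, size_t len) {
    if (len == 0 || addr >= MEM_SIZE || len > MEM_SIZE - addr) return false;
    for (uint32_t p = addr / PAGE_SIZE; p <= (addr + len - 1) / PAGE_SIZE; p++)
        if (page_owner[p] != partition) return false;
    return true;
}

/* MMU path: every processor-originated access is checked against ownership. */
static int cpu_read(int partition, uint32_t addr, uint8_t *out) {
    if (!owns_range(partition, addr, 1)) return -1;   /* access fault */
    *out = mem[addr];
    return 0;
}
static int cpu_write(int partition, uint32_t addr, uint8_t val) {
    if (!owns_range(partition, addr, 1)) return -1;
    mem[addr] = val;
    return 0;
}

/* Unprotected DMA: the device is bus master; the bus controller only checks
 * that the addresses physically exist, not which partition owns them. */
static int dma_copy_unchecked(uint32_t src, uint32_t dst, size_t len) {
    if (len == 0 || len > MEM_SIZE || src > MEM_SIZE - len || dst > MEM_SIZE - len)
        return -1;
    memmove(&mem[dst], &mem[src], len);
    return 0;
}

/* Hardened DMA: the transfer is checked against the same ownership table the
 * MMU uses, for the partition the device is bound to. Any transfer touching a
 * page of another partition, even one that only straddles the boundary, fails. */
static int dma_copy_checked(const struct dma_device *dev,
                            uint32_t src, uint32_t dst, size_t len) {
    if (!owns_range(dev->partition, src, len) || !owns_range(dev->partition, dst, len))
        return -1;
    memmove(&mem[dst], &mem[src], len);
    return 0;
}

/* Scenario 1: red stores a classified byte. The black CPU cannot read it via
 * the MMU, but a device serving black DMAs red's page 0 into black's page 8.
 * Returns the byte black then reads (0x42 means the data leaked). */
int leak_via_unchecked_dma(void) {
    uint8_t v = 0;
    setup();
    cpu_write(PART_RED, 0x010, 0x42);
    if (cpu_read(PART_BLACK, 0x010, &v) == 0) return -1;   /* MMU must refuse */
    if (dma_copy_unchecked(0x000, 0x800, PAGE_SIZE) != 0) return -2;
    if (cpu_read(PART_BLACK, 0x810, &v) != 0) return -3;
    return v;
}

/* Scenario 2: the same transfer through the checked path. Returns 1 if it is
 * refused and black's page is left untouched. */
int blocked_by_checked_dma(void) {
    struct dma_device black_dev = { PART_BLACK };
    uint8_t v = 0xFF;
    setup();
    cpu_write(PART_RED, 0x010, 0x42);
    int rc = dma_copy_checked(&black_dev, 0x000, 0x800, PAGE_SIZE);
    if (cpu_read(PART_BLACK, 0x810, &v) != 0) return 0;
    return rc != 0 && v == 0;
}

/* Scenario 3: a straddling transfer (end of red page 7 into black) is refused,
 * while a transfer wholly within black's pages proceeds. Returns 1 if both hold. */
int checked_dma_respects_boundary(void) {
    struct dma_device black_dev = { PART_BLACK };
    uint8_t v = 0;
    setup();
    if (dma_copy_checked(&black_dev, 0x7F0, 0x900, 32) == 0) return 0;  /* must refuse */
    cpu_write(PART_BLACK, 0x800, 0x99);
    if (dma_copy_checked(&black_dev, 0x800, 0x900, 16) != 0) return 0;  /* must allow */
    if (cpu_read(PART_BLACK, 0x900, &v) != 0) return 0;
    return v == 0x99;
}

int main(void) {
    printf("unchecked DMA: black reads 0x%02x of red's data\n", leak_via_unchecked_dma());
    printf("checked DMA blocks cross-partition copy: %d\n", blocked_by_checked_dma());
    printf("checked DMA respects page boundary: %d\n", checked_dma_respects_boundary());
    return 0;
}
```

The point of the model is that `cpu_read` and `dma_copy_unchecked` consult different things: the CPU path is gated by the ownership table, the DMA path only by the physical size of memory, so the same data the MMU hides from the black partition arrives there untouched once a device moves it. The checked path closes the gap only because it reuses the partition ownership the MMU already enforces, and it checks every page a transfer covers rather than just its first address; a check on the starting address alone would still pass the straddling transfer in scenario 3.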
Thus, it would be desirable to provide a system for providing Multiple Independent Levels of Security (MILS) partitioning which addresses the problems associated with current solutions.