The sharing of resources, including hardware, software, and data held in a database, among the users of a large data processing system offers great efficiencies. However, an undesired characteristic of such resource sharing is that important data may be destroyed, or secret or confidential data may be compromised. Further, some processing environments must handle data of multiple security levels, which requires screening access to sensitive data by matching the user's clearance level against the security level of the data.
Generally, data processor security systems control the flow of information by using a combination of hardware and software protection mechanisms. The role of hardware and software protection mechanisms is two-fold. First, they enforce the access controls, governing the resources of the data processing system thereby implementing the security policy of the installation having the computer. This security policy may be based on the concept of data classification levels. Second, they control a user's ability to perform certain functions known as trusted processes. These processes perform critical system administrative duties and should only be run under controlled conditions.
A commonly known conventional data processor security system is one in which the identity or password of the user is confirmed through appropriate operations at a terminal before a process requested by the user is initiated or before access to the requested data is permitted.
Another commonly known conventional data processor security system, similar to the one described above, is one in which a mutual data transfer is performed between a host computer and a terminal to identify the terminal or user before the requested process is initiated. This conventional system requires that identification data be stored beforehand in memories or switch circuits of the host computer and of the terminals connected to it, and that identification data be exchanged between the host computer and a terminal when the terminal issues a request for data access. When the exchanged identification data are found to match, communication is allowed to be established between the host computer and the terminal.
The above described conventional systems, which use identification data to identify either the user or a terminal connected to a host computer, suffer from various disadvantages. For example, access to data in the computer by a user presenting a valid identification is not limited in any way: the user gains access to all of the data and devices in the computer without discrimination. Further, such a system does not fully provide both hardware and software protection mechanisms to perform the two-fold function described above.
A further conventional data processor security system makes use of a privilege ring architecture to implement the two-fold function described above. Trusted processes and the most sensitive data are assigned to the ring of highest privilege, while less sensitive data and less trusted processes are assigned to rings of lower privilege. This conventional data processor security system, however, complicates security, since a single hardware mechanism enforces both the access control and the trusted process control of the two-fold function described above.
Further, the above described conventional data processor security system provides a large number of avenues to obtain access to data in the most privileged computer state. For example, to provide access to a trusted process in the ring of highest privilege, access to all sensitive data in the ring of highest privilege must also be provided. Likewise, to provide access to sensitive data in the highest ring of privilege, access to all trusted processes in the highest ring of privilege must also be provided. Also, in the conventional data processor security system described above, a single security breach often results in a complete compromise of the system.
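To make the conflation argument concrete, the following added Python model (not from the patent) contrasts a single ring check, which gates both data and trusted processes with one privilege number, against separate clearance and trusted-process checks. The subjects, objects, ring numbers and classification levels are constructed for illustration.

```python
"""Constructed model of the privilege-ring weakness discussed above.

Ring model: one ring number decides both data access and trusted-process
execution, so admitting a subject to the highest ring grants everything in it.
Separated model: a clearance level governs data by classification level, and
an explicit grant governs each trusted process, so the two can be given apart.
"""
from dataclasses import dataclass

RING_KERNEL, RING_USER = 0, 3          # lower number = higher privilege (assumption)


@dataclass(frozen=True)
class Subject:
    name: str
    ring: int                          # ring model: this one attribute does both jobs
    clearance: int = 0                 # separated model: 0 = unclassified .. 3 = most sensitive
    trusted_procs: frozenset = frozenset()  # separated model: processes explicitly granted


# Constructed objects: data carries (ring, classification); trusted processes carry a ring.
DATA = {"payroll": (RING_KERNEL, 3), "memo": (RING_USER, 0)}
TRUSTED = {"backup": RING_KERNEL, "set_clock": RING_KERNEL}


def ring_can_read(s: Subject, obj: str) -> bool:
    return s.ring <= DATA[obj][0]


def ring_can_run(s: Subject, proc: str) -> bool:
    return s.ring <= TRUSTED[proc]


def sep_can_read(s: Subject, obj: str) -> bool:
    return s.clearance >= DATA[obj][1]


def sep_can_run(s: Subject, proc: str) -> bool:
    return proc in s.trusted_procs


def exposure(can_read, can_run, s: Subject) -> dict:
    """Everything a subject can reach under a given pair of check functions."""
    return {"data": sorted(o for o in DATA if can_read(s, o)),
            "procs": sorted(p for p in TRUSTED if can_run(s, p))}


# An operator who only needs to run the backup trusted process: the ring model
# must place them in the highest ring, which also exposes all highest-ring data.
operator_ring = Subject("operator", ring=RING_KERNEL)
operator_sep = Subject("operator", ring=RING_USER, trusted_procs=frozenset({"backup"}))

# An analyst who only needs the payroll data: the ring model also hands them
# every trusted process in the highest ring.
analyst_ring = Subject("analyst", ring=RING_KERNEL)
analyst_sep = Subject("analyst", ring=RING_USER, clearance=3)
```

Comparing `exposure(ring_can_read, ring_can_run, operator_ring)` with `exposure(sep_can_read, sep_can_run, operator_sep)` shows the single-mechanism model granting both the data and every trusted process, while the separated model grants only the backup process.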