This invention relates in general to the field of data security in a computer, and in particular to memory tag use as a lock for data in a digital computer.
A data security problem exists in a digital computer shared by more than one user, or in a computer which contains data with different security classifications. In most computer systems, portions of the internal memory area of the computer are used for different purposes at different times. A memory area may be assigned to one user process for a period of time, and then later reassigned to another user process. Unless some special security precautions are exercised, the data remaining in a memory area from a previous use is readable by a new user of the memory area. Allowing residual data to be read by the new user is a problem because this provides a means for a user or process to circumvent the system's security policy. A user could view another user's data, or a user without a security clearance could view top secret data.
In computer security terminology, the user processes are referred to as "subjects" and the data areas that they access are "objects". An object is "reused" when it is assigned to a new subject. A secure operating system enforces security by permitting subjects to access some objects, but not other objects.
As user processes run, they often request additional temporary memory space for arrays, stacks, queues, heaps, trees, and input/output (I/O) buffers. Most operating systems maintain a pool of memory space to satisfy these requests. The operating system maps a portion of this memory pool into the requesting process's logical address space and then grants the process read/write access. When the process is finished with the space, it is returned to the operating system's pool. Later, this same memory space may be assigned to another process to satisfy its memory request. If data from the previous user remains in the memory space, the new user can read this left-over data. This is a security problem if new users should not have access to the previous user's data.
A conventional method for dealing with the secure object reuse problem in computer memory is for the operating system to overwrite every word in the memory area before it is assigned to the new user. This may, however, impose a considerable performance penalty. There will be no performance penalty if the operating system has been asked to fill the entire reused memory space with data intended to be accessible to the new user process. But if the memory area is to be empty or only partially filled with data, the operating system must still blank out all areas that will be accessible to the new user. The write operations to accomplish the blanking are additional performance overhead to provide secure object reuse.
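The pool reuse described above, the overwrite remedy, and the tag-as-lock idea named at the start of this text can be tried side by side in a small model. The following C program is an added illustration, not the patent's own apparatus or circuitry: the pool size, block size, subject ids, the secret value and all function names are constructed for the example. Each memory word carries an owner tag that is stamped on write and checked on read, so a subject that is handed a reused block cannot read words left behind by a different subject, and no blanking writes are needed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: a pool of two 8-word blocks. Every word carries an owner
 * tag (the id of the subject that last wrote it; TAG_FREE means "not written
 * since last blanked"). Sizes, names and values are made up for illustration;
 * this is not the patent's design. */
#define POOL_WORDS  16
#define BLOCK_WORDS 8
#define NUM_BLOCKS  (POOL_WORDS / BLOCK_WORDS)
#define TAG_FREE    0

typedef uint8_t subject_t;

static uint32_t  pool_data[POOL_WORDS];
static subject_t pool_tag[POOL_WORDS];
static subject_t block_owner[NUM_BLOCKS];   /* subject currently holding each block */
static unsigned  blanking_writes;           /* writes spent on zero-on-reuse */

static void pool_reset(void) {
    memset(pool_data, 0, sizeof pool_data);
    memset(pool_tag, TAG_FREE, sizeof pool_tag);
    memset(block_owner, TAG_FREE, sizeof block_owner);
    blanking_writes = 0;
}

/* Hand the first free block to subject s. With zero_on_reuse set, apply the
 * conventional remedy: overwrite every word (and clear its tag) first. */
static int pool_alloc(subject_t s, bool zero_on_reuse) {
    for (int b = 0; b < NUM_BLOCKS; b++) {
        if (block_owner[b] != TAG_FREE) continue;
        if (zero_on_reuse) {
            for (int i = 0; i < BLOCK_WORDS; i++) {
                pool_data[b * BLOCK_WORDS + i] = 0;
                pool_tag[b * BLOCK_WORDS + i] = TAG_FREE;
                blanking_writes++;
            }
        }
        block_owner[b] = s;
        return b;
    }
    return -1;
}

static void pool_free(int b) { block_owner[b] = TAG_FREE; }

/* A write stores the value and stamps the word with the writer's tag. */
static void tagged_write(subject_t s, int addr, uint32_t v) {
    pool_data[addr] = v;
    pool_tag[addr]  = s;
}

/* Tag-checked read: allowed only if the word is unwritten or was written by the
 * same subject. A mismatch is a residual-data access and is refused; in
 * hardware this is the point where an access violation would be signalled. */
static bool tagged_read(subject_t s, int addr, uint32_t *out) {
    if (pool_tag[addr] != TAG_FREE && pool_tag[addr] != s) return false;
    *out = pool_data[addr];
    return true;
}

/* Unchecked read: what a plain memory subsystem returns. */
static uint32_t raw_read(int addr) { return pool_data[addr]; }

enum mode { MODE_RAW, MODE_ZERO_ON_REUSE, MODE_TAG_LOCK };

/* Object-reuse scenario: subject 1 writes a secret into a block and frees it;
 * subject 2 is then given the same block and reads its first word.
 * Returns true if subject 2 obtains subject 1's secret. */
static bool secret_leaks(enum mode m) {
    const uint32_t secret = 0x5EC7E7;   /* constructed value */
    pool_reset();
    int b = pool_alloc(1, false);
    tagged_write(1, b * BLOCK_WORDS, secret);
    pool_free(b);
    int b2 = pool_alloc(2, m == MODE_ZERO_ON_REUSE);   /* same block comes back */
    uint32_t v = 0;
    if (m == MODE_TAG_LOCK)
        return tagged_read(2, b2 * BLOCK_WORDS, &v) && v == secret;
    v = raw_read(b2 * BLOCK_WORDS);
    return v == secret;
}

/* Overhead of the scenario: the extra writes the overwrite method spends. */
static unsigned blanking_cost(enum mode m) {
    secret_leaks(m);
    return blanking_writes;
}

/* The lock must not get in the owner's own way. */
static bool owner_reads_own_data(void) {
    pool_reset();
    int b = pool_alloc(2, false);
    tagged_write(2, b * BLOCK_WORDS + 3, 42);
    uint32_t v = 0;
    return tagged_read(2, b * BLOCK_WORDS + 3, &v) && v == 42;
}

int main(void) {
    printf("raw:           leaks=%d blanking writes=%u\n", secret_leaks(MODE_RAW), blanking_cost(MODE_RAW));
    printf("zero-on-reuse: leaks=%d blanking writes=%u\n", secret_leaks(MODE_ZERO_ON_REUSE), blanking_cost(MODE_ZERO_ON_REUSE));
    printf("tag-lock:      leaks=%d blanking writes=%u\n", secret_leaks(MODE_TAG_LOCK), blanking_cost(MODE_TAG_LOCK));
    return 0;
}
```

Running the three modes shows the point of the text: with no precaution the second subject reads the first subject's word back; zero-on-reuse prevents that at the price of one write per word in the block; the tag check prevents it with no blanking writes at all, while the block's new owner can still read what it wrote itself. The model performs the tag check in software only to make the behaviour observable; the text's point is that such a check belongs in hardware so it holds even when the operating system is not running.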
If a user process must be prevented from accessing certain areas of memory, the operating system needs some special hardware support that is active even when the operating system is not running. This specialized hardware is referred to as a "memory management unit" (MMU). Its purpose is to check every memory access made by the currently running process against a set of constraints previously established by the operating system. If a memory access transgresses the constraints, the MMU terminates the access by signaling an interrupt to the central processing unit.
The MMU generally provides "address translation", i.e., it translates the memory address furnished by the user process into another address that is actually presented to the memory subsystem. The MMU presents numerous drawbacks, however. The MMU is a relatively complicated piece of hardware that increases system cost and may reduce performance. The monetary and performance costs of an MMU may not be justified in a small computer system. MMUs are not even available for some low-end microprocessors and microcontrollers. Most importantly, most MMUs do not provide fine enough access control to prevent one user from accessing data written into the shared data structure by another user. Often the operating system software must provide this finer level, leading to performance degradation.
Thus, what is needed is a method and apparatus which provides the access constraints necessary to guarantee secure object reuse without the need for an MMU in the system, and without requiring operating system intervention.