1. Field of the Invention
The present invention relates to the field of electronic data/information processing. More specifically, the present invention relates to methods and apparatuses for protectively operating data/information processing devices.
2. Background Information
The term xe2x80x9cdata/information processing devicesxe2x80x9d as used herein is intended to include all microprocessor based devices and/or systems, operated under the control of an operating system. Examples of these devices/systems include but are not limited to general as well as special purpose computing devices/systems, regardless of form factors, palm sized, laptops, desktops, rack mounted, and the like. Examples of special purpose computing devices include but are not limited to set-top boxes, wireless communication devices, and the like. The term xe2x80x9coperating systemxe2x80x9d as used herein is intended to include all software provided to manage and facilitate application usage of hardware resources, however minimal the control and resource scope may be. Typical resource management functions of an xe2x80x9coperating systemxe2x80x9d include task scheduling, memory management and the like. The term xe2x80x9ctaskxe2x80x9d as used herein is intended to include its common meaning of an executing instance of a program (a collection of programming instructions).
Ever since the early days of computing, computer systems have provided privilege protection to protect the system from being brought down by failures of non-essential programs, such as application programs. The IBM 360 systems provided a supervisor mode and a user mode to segregate privileged system programs and unprivileged user programs. The Multics (Multiplexed Information and Computing Service) developed by Massachusetts Institute of Technology, in cooperation with others, employed a 64 ring approach, combining access node and a triple of ring numbers (r1, r2, r3). In U.S. Pat. No. 4,177,510, issued to Appell et al., a hardware facilitated 4 ring approach is disclosed. Today, the Intel Architecture processors are known to provide a 4 ring hardware facilitated protection through the employment of memory segment descriptors and current task privilege level (CPL). However, partly because most of the other microprocessors remain having a two mode protection approach, the Windows(copyright) operating system, used in most Intel Architecture compatible processors, merely employ two of the four ring protection provided by the hardware. The virtual memory manager and various virtual device drivers (Vxc3x97D) are executed in ring 0, while all other programs, including kernel system services and so forth are executed out of ring 3.
The two levels of protection were reasonably adequate in the days when few programs are executed on most computer systems. Moreover, most of the computer systems operate by themselves, with few interactions from the outside world.
Advances in microprocessor, telecommunication and networking technology have dramatically expanded the applications of computing devices, and changed their operating environment. Today, most data/information processing systems are connected to private and/or public networks, such as the Internet, executing programs that are dynamically downloaded from a number of sources. Some sources are trustworthy, and their programs tend to be well behaved, but others are not.
Accordingly, a need exists to improve the protection of data/information processing systems.
In a data/information processing system, a nested privilege protection is employed to protect the system when executing instructions. A first privilege protection having at least two privilege levels is enforced. Additionally, a second privilege protection having at least two sub-privilege levels is further enforced for at least one privilege level of the first privilege protection to further differentiate the privileges otherwise afforded.
In one embodiment, core system services, programming language runtime support and application programs are afforded the same privilege level of the first privilege protection, and the different types of programs are afforded different sub-privilege levels of the second privilege protection to differentiate the privileges afforded by the first privilege protection. In one embodiment, the differential sub-privilege level protection is further extended to application programs of different sources, such as trusted and untrusted.
In one embodiment, the first privilege protection is hardware facilitated, while the second privilege protection is software facilitated.