The present invention relates to data processing systems and more specifically to an architecture to prevent compromise (i.e., unauthorized dissemination) of data in a multi-level secure environment.
The efficiencies attendant to sharing hardware resources and the communication requirements of large systems dictate the need to handle data of multiple security levels within the same data processing system. Department of Defense Directive Number 5200.28, Dec. 18, 1972, provides an overall statement of Defense Department policy regarding security of data within data processing systems. Section VI provides the minimum requirements. The normal method of preventing compromise of data in this environment is to maintain protection under software control. To accomplish this, computers are designed containing CPU(s) that are separated into one or more executive or control states and one or more task or worker states. Execution in a task state prohibits the use of certain computer instructions, bounds memory access to previously defined limits in terms of types of access (i.e., read, write, instruction execution, etc.) and areas of access (i.e., which addressable locations), and prevents any I/O functions. CPUs which can prohibit compromise of data from one task state computer program to another exist according to many designs. The applications software or computer programs that perform most of the data processing system functions are executed in task states.
Control software is needed, however, to perform those housekeeping and administrative chores associated with I/O, resource sharing, and with enforcement of task state limitations. This control software is normally called an executive program. The executive program, by virtue of executing in one or more executive states, can execute those instructions not permitted in the task state and is not precluded, by hardware, from accessing any data within the CPU's memory nor from performing any I/O function. These capabilities are required by the executive program to enable it to perform its functions, but they also provide the capability of the executive program to compromise secure data. Therefore, such systems normally require the executive program to maintain a security level and degree of protection at least equal to that of the highest security level and highest degree of protection of any data in the system. Furthermore, unauthorized modification of the executive program can compromise the entire data base of the system.
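The two-state arrangement described above, modelled as an added illustration that is not part of this patent: a task is confined by hardware to declared memory regions and access types and cannot start I/O, while the executive state is subject to no such bound and can therefore reach every word in memory. The names `Region`, `CPU` and `demonstrate`, and the secret byte at 0x100, are constructed for the example.

```python
from dataclasses import dataclass

READ, WRITE = "read", "write"

@dataclass(frozen=True)
class Region:
    """Memory bounds for one task: [lo, hi) and the access types permitted there."""
    lo: int
    hi: int
    allowed: frozenset

class CPU:
    """Two-state model: task state is bounded by hardware; executive state is not."""
    def __init__(self, size):
        self.memory = [0] * size
        self.state = "executive"
        self.regions = []  # bounds of the task currently executing
    def enter_task(self, regions):
        self.state, self.regions = "task", list(regions)
    def enter_executive(self):
        self.state = "executive"
    def _permitted(self, addr, kind):
        if self.state == "executive":
            return True  # no hardware bound on the executive program
        return any(r.lo <= addr < r.hi and kind in r.allowed for r in self.regions)
    def load(self, addr):
        if not self._permitted(addr, READ):
            raise PermissionError(f"task state: read of {addr:#x} denied")
        return self.memory[addr]
    def start_io(self, addr, length):
        if self.state != "executive":
            raise PermissionError("task state: I/O functions are not permitted")
        return self.memory[addr:addr + length]  # data handed to the I/O processor

def demonstrate():
    """Constructed scenario: a secret byte at 0x100 lies outside task A's bounds."""
    cpu = CPU(0x200)
    cpu.memory[0x100] = 0x53  # placed there by the executive program
    cpu.enter_task([Region(0x000, 0x100, frozenset({READ, WRITE}))])
    out = {"own_region": cpu.load(0x010)}
    for label, attempt in (("foreign_read", lambda: cpu.load(0x100)),
                           ("io", lambda: cpu.start_io(0x100, 1))):
        try:
            attempt()
            out[label] = "allowed"
        except PermissionError:
            out[label] = "denied"
    cpu.enter_executive()
    out["executive_read"] = cpu.load(0x100)  # bypasses every task bound
    return out
```

The last line of `demonstrate` is the point of the background section: whatever the task bounds, the executive state reads the secret unchecked, so the executive program must be trusted at the level of the most sensitive data it could reach.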
The I/O transfers of computers are normally performed by one or more I/O processors (or I/O controllers) which operate asynchronously from the CPU(s). An I/O processor may provide the relatively complex functions of format conversion, arithmetic translations, and event analysis, or it may merely interface external I/O devices to the computer memory. In each situation, the necessary function is the transfer of I/O data. The I/O processor is usually programmable in modern computers of even moderate capacity but functions under control of the CPU, and hence the executive program. The executive program provides the interface between the I/O processor functions and the task programs which actually operate upon the I/O data. As stated earlier, the executive program is in a position to compromise secure data because of its unique controlling capabilities.
The present invention provides an alternative architecture that restricts CPU control of the I/O functions to the extent necessary to preclude compromise of secure data unless both software and hardware are compromised.