1. Field of the Invention
This invention relates generally to computer systems operations, and, more particularly, to a method and apparatus for performing a physical address-based security scheme to provide secure input/output (I/O) access.
2. Description of the Related Art
Computers or computing systems are important elements in many of today's industrial and home applications. Many systems, such as manufacturing systems, power systems, product distribution systems, document systems, etc., are powered by computer systems that utilize processors. These processors perform a variety of tests and execute a plurality of software programs that interact with each other. Many times input/output devices permit manipulation of operations of processors and software programs. A standard level of security is desirable during operation of the processor such that certain software structures (e.g., software objects, subroutines, standalone programs, etc.) can be controlled and given priority over other software structures. Many times, access to certain software structures and certain processor functions are restricted in order to prevent unauthorized or inadvertent access or operation by processors. Current computer architectures include a scheme for utilizing virtual memory that uses several system-defined tables that are resident in the physical memory within a computer system. The entry within these system tables is generally pre-defined and includes reserved sections that restrict access to certain software structures.
Computing systems have evolved from single task devices to multitask devices. A computing system employs an operating system to execute the many tasks and manage their resource utilization. Typically, when a user invokes a process (e.g., opens an application program such as a word processor), the operating system dedicates certain computing resources (e.g., portions of memory) for use by the task. Many computing resources, however, cannot or are not dedicated in this manner. Printer drivers, for example, are frequently used by multiple tasks. Operating systems therefore also usually define access rights and protocols for tasks relative to such shared resources. Thus, by virtue of the operating system's efforts, computing systems can simultaneously execute multiple tasks in an efficient manner.
One important aspect in such a computing environment is “security.” Computing systems that multitask employ security and protection services to protect their operating system from user processes, and to protect the processes from each other. Without protection, a rogue program could unintentionally destroy the program code or data in the memory space belonging to the operating system or to another process. Note that, at least in this context, security does not imply thwarting intentional malicious acts, although it contemplates protecting against these as well.
Many processors, such as x86 processors, provide a plurality of security levels, such as privilege levels. Turning now to FIG. 1, one example of the representation of a plurality of security levels is illustrated. The inverse pyramid styled structure in FIG. 1 illustrates four levels of security (privilege) level 0, level 1, level 2, and level 3 through level n. The operating system is afforded a base privilege level such as level 0. The privilege afforded by the security level 0 allows a particular software structure to obtain access provided by subsequent security levels such as levels 1-3. If a software structure is allowed only a privilege of security level 2, that particular software structure only has access and control over operations that are afforded by privilege levels 2 and 3. In many cases, popular operating systems, such as Microsoft Windows®, do not utilize the full capabilities of the plurality of privilege levels. Some software operating systems only use two privilege levels, such as level 0 and level 3.
A user application program may execute at security level 3 while the operating system services and all drivers operate at security level 0. This can open the computer system to a variety of security risks. This is particularly true since most drivers have access to all of the computer resources because they are operating at the most privileged level, security level 0. Therefore, an unauthorized access to a driver that controls an I/O device in the computer system, such as a modem device, can cause unauthorized operation of the I/O device resulting in system destruction or misuse. Furthermore, unauthorized access to system I/O devices can cause loss of valuable data and software programs.
The present invention is directed to overcoming, or at least reducing the effects of, one or more of the problems set forth above.