1. Field of the Invention
The present invention relates to computer architecture and, more particularly, to techniques for controlling access to resources in a computer system.
2. Related Art
Computers include a variety of resources, including memory (e.g., ROM and RAM), processor registers, and input/output devices. In early computer architectures, any program executing on a computer could access any resource without limitation. For example, any program, whether it be an operating system, device driver, or application program, could read and write values to any memory location. Although such computer architectures had the advantage of being relatively simple to design and implement, they had the disadvantage that a poorly-designed or malicious program could cause the computer to malfunction by modifying a resource in an inappropriate way. For example, an application program could inadvertently or maliciously modify data relied upon by the operating system and thereby cause the operating system to malfunction or crash. As another example, a first application program could overwrite data in use by a second application program, thereby causing the second application program to malfunction or crash.
One technique that has been employed to address this problem is to provide each software program executing on a computer with a particular set of resource access rights (also referred to as “privileges”). A particular application program may, for example, have the right to access a particular subset of main memory and a particular set of I/O devices. Another application program may have the right to access a different subset of main memory and a different set of I/O devices. The operating system typically has the right to access all resources.
A resource access control mechanism, which may be implemented in hardware and/or software, is provided for enforcing these access rights. When a particular program requests that a particular operation be performed on a particular resource, the access control mechanism determines whether the program has the right to perform the requested operation on the specified resource. If the program does have such a right, the access control mechanism allows the requested operation to proceed. Otherwise, the access control mechanism denies the request and typically generates a fault.
In a particular computer system, there may be a large number of resources and a large variety of access rights that can be associated with each resource (such as the right to read from the resource, write to the resource, and execute instructions stored in the resource). Instead of allowing each program to be assigned an individually-configurable set of access rights, most systems define a set of “privilege levels,” each of which is associated with a particular set of access rights. Each program is then assigned one of the predefined privilege levels, thereby granting to the program the set of access rights associated with the assigned privilege level.
Consider a simple example of a computer system which has two privilege levels: (1) a most-privileged level (sometimes referred to as the “kernel privilege level”); and (2) a less-privileged level (sometimes referred to as the “application program privilege level”). Programs executing at the kernel privilege level may have the right to perform all operations on all resources, while programs executing at the application program privilege level typically have the right to execute only instructions within a certain subset of the processor's instruction set and to access only a subset of the computer's memory. In such a system, the operating system typically is assigned the kernel privilege level, while application programs typically are assigned the application program privilege level. The use of privilege levels makes it possible to assign and identify the access rights granted to a particular program by reference to the program's privilege level, without the need to assign and identify individual access rights on a program-by-program basis. The use of privilege levels is described in more detail in the commonly-owned patent application entitled “Method and System for Privilege-Level-Access to Memory Within a Computer,” Pub. No. U.S. 2003/0084256 A1, published on May 1, 2003, hereby incorporated by reference.
There may be any number of privilege levels in a computer system. Typically, privilege levels are numbered sequentially beginning with zero. Consider, for example, a system in which there are four privilege levels, numbered from zero through three. Privilege level zero typically is the most-privileged level. The operating system typically has privilege level zero. Intermediate privilege levels (such as privilege levels 1 and 2) may be granted to device drivers and other software programs which require a relatively high degree of access to a subset of the computer's resources. The least-privileged level (e.g., privilege level 3) typically is assigned to application programs.
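The following is an added illustration, not part of the patent text, of the access control decision described above: rights are attached to a privilege level rather than to each program, level 0 is most privileged, and a request that is not covered by the rights of the requesting program's level is denied with a fault. The rights table layout, the resource names and the sample policies are constructed for the example; the text describes the policy, not any particular encoding. A monotonicity check is included because a level table in which a less privileged level holds a right that a more privileged level lacks is not a hierarchy at all.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Access rights on a resource, as bit flags. */
#define RIGHT_READ  (1u << 0)
#define RIGHT_WRITE (1u << 1)
#define RIGHT_EXEC  (1u << 2)
#define RIGHT_ALL   (RIGHT_READ | RIGHT_WRITE | RIGHT_EXEC)

/* Four privilege levels numbered 0..3 as in the text; 0 is most privileged. */
#define NUM_LEVELS 4
#define PL_KERNEL  0
#define PL_DRIVER  1
#define PL_APP     3

/* A resource and the rights each privilege level holds on it.
 * The table layout is an assumption for this example: the text attaches
 * rights to a level rather than to a program, but prescribes no encoding. */
struct resource {
    const char *name;
    unsigned rights[NUM_LEVELS];   /* rights[pl] = rights granted at level pl */
};

enum access_result { ACCESS_OK = 0, ACCESS_FAULT = 1 };

/* The access-control decision of the text: look up the rights attached to the
 * requesting program's current privilege level (cpl) and allow the operation
 * only if every requested right is present; otherwise signal a fault.
 * Malformed requests (unknown level, empty or unknown rights) fail closed. */
enum access_result check_access(unsigned cpl, const struct resource *r, unsigned op)
{
    if (cpl >= NUM_LEVELS || op == 0 || (op & ~RIGHT_ALL) != 0)
        return ACCESS_FAULT;
    return ((r->rights[cpl] & op) == op) ? ACCESS_OK : ACCESS_FAULT;
}

/* A privileged instruction is executable only at or above a required level.
 * "At or above" means numerically less than or equal, since 0 is most privileged. */
bool may_execute_instruction(unsigned cpl, unsigned required_level)
{
    return cpl <= required_level;
}

/* Sanity check a policy table: a less privileged level must never hold a right
 * that the next more privileged level lacks; otherwise the level ordering is
 * not a hierarchy and a program could gain access by running less privileged. */
bool policy_is_monotone(const struct resource *r)
{
    for (unsigned pl = 1; pl < NUM_LEVELS; pl++)
        if ((r->rights[pl] & ~r->rights[pl - 1]) != 0)
            return false;
    return true;
}

/* Constructed sample resources (not taken from the text). */
const struct resource kernel_data = {
    "kernel data structures", { RIGHT_ALL, 0, 0, 0 } };
const struct resource device_regs = {
    "NIC control registers", { RIGHT_ALL, RIGHT_READ | RIGHT_WRITE, 0, 0 } };
const struct resource app_heap = {
    "application heap",
    { RIGHT_ALL, RIGHT_ALL, RIGHT_READ | RIGHT_WRITE, RIGHT_READ | RIGHT_WRITE } };
const struct resource broken_policy = {
    "misconfigured page", { RIGHT_READ, RIGHT_READ, RIGHT_READ | RIGHT_WRITE, RIGHT_READ } };

int main(void)
{
    printf("app writes kernel data: %s\n",
           check_access(PL_APP, &kernel_data, RIGHT_WRITE) == ACCESS_OK ? "ok" : "fault");
    printf("driver writes NIC regs: %s\n",
           check_access(PL_DRIVER, &device_regs, RIGHT_WRITE) == ACCESS_OK ? "ok" : "fault");
    printf("app executes its heap:  %s\n",
           check_access(PL_APP, &app_heap, RIGHT_EXEC) == ACCESS_OK ? "ok" : "fault");
    printf("broken policy %s monotone\n", policy_is_monotone(&broken_policy) ? "is" : "is NOT");
    return 0;
}
```

The point the example makes beyond the text is that the level number alone decides the outcome: the same write to kernel data is allowed at level 0 and faults at level 3, with no per-program configuration consulted, and a policy table that violates the level ordering is detectable before it is installed.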
Computer systems which implement resource access control, such as through the use of privilege levels, thereby prevent programs from accessing resources in ways which might cause the system to malfunction. As computer architectures continue to evolve, however, the techniques described above may be insufficient to provide the necessary kind and degree of resource access control for all resources in a computer system. What is needed, therefore, are improved techniques for controlling access to resources in a computer system.