The present invention pertains to computer security and more particularly to an arrangement for guaranteeing that untrusted software handles data in a secure fashion.
In today's society computers have become the storage place for virtually all data. For businesses, data stored within a computer may be categorized by type, e.g. "financial data", "technical data", "business plan data", etc. In addition, this data may be classified according to its sensitivity to disclosure, e.g. "public", "proprietary", "highly confidential", etc. Further, computers may contain sensitive government data or software which is classified according to its type and sensitivity.
Such data and software must be protected against read or write access by human users and programs which do not have the appropriate authorization. Such authorization may grant the right to read or write only certain types and sensitivities of data. Enforcing these constraints may be accomplished in two fashions: (1) by testing programs thoroughly to ensure that they do not read or write data or programs which they are not permitted to access, and (2) by imposing constraints on the software's ability to read or write certain areas of computer memory. Programs which have passed extensive security testing and analysis are called computer security (COMPUSEC) "trusted" programs. Developing and testing COMPUSEC trusted software is very expensive; this development and testing may increase the cost of such software by an order of magnitude. The alternative to this extensive testing and analysis is to impose read and write constraints on the software. Such constraints are typically enforced by a combination of memory management hardware and COMPUSEC trusted software within the operating system. In many cases the functions that the software must perform cannot be accomplished within these constraints, so there is no choice but to develop expensive trusted software. The essence of this invention is to provide memory management hardware that greatly reduces the constraints that must be imposed on the software, thereby allowing the needed software function to be accomplished without requiring the development of trusted software.
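As an added illustration that is not part of the patent, the following C model simulates the hardware-enforced read and write constraints described above: each memory region carries a data type and a sensitivity label, and a program's authorization records, per type, the highest sensitivity it may read and the highest it may write. The region layout, the label values and the "payroll" authorization are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed labels: data type and sensitivity, as in the categories above. */
enum data_type   { FINANCIAL, TECHNICAL, BUSINESS_PLAN, NUM_TYPES };
enum sensitivity { PUBLIC, PROPRIETARY, HIGHLY_CONFIDENTIAL, NUM_LEVELS };

struct region {
    uint32_t base, limit;        /* address range [base, limit) */
    enum data_type type;
    enum sensitivity level;
};

/* Per type: highest sensitivity the program may read / write, -1 = no access. */
struct authorization {
    int max_read[NUM_TYPES];
    int max_write[NUM_TYPES];
};

/* Constructed memory map: three labelled regions. */
static const struct region regions[] = {
    { 0x1000, 0x2000, FINANCIAL,     PROPRIETARY },
    { 0x2000, 0x3000, TECHNICAL,     PUBLIC },
    { 0x3000, 0x4000, BUSINESS_PLAN, HIGHLY_CONFIDENTIAL },
};

/* The check the memory management hardware would apply on every access:
 * permitted only if the address lies in a labelled region whose sensitivity
 * is within the program's authorization for that type and access mode. */
bool check_access(const struct authorization *auth, uint32_t addr, bool is_write)
{
    for (size_t i = 0; i < sizeof regions / sizeof regions[0]; i++) {
        const struct region *r = &regions[i];
        if (addr < r->base || addr >= r->limit)
            continue;
        int max = is_write ? auth->max_write[r->type] : auth->max_read[r->type];
        return (int)r->level <= max;    /* -1 denies every access to the type */
    }
    return false;                       /* unmapped address: refused */
}

/* Constructed authorization: a payroll tool may read and write financial data
 * up to PROPRIETARY, read public technical data, and touch no business plans. */
const struct authorization payroll_auth = {
    .max_read  = { PROPRIETARY, PUBLIC, -1 },
    .max_write = { PROPRIETARY, -1,     -1 },
};

int main(void)
{
    printf("write financial:    %d\n", check_access(&payroll_auth, 0x1800, true));
    printf("write technical:    %d\n", check_access(&payroll_auth, 0x2800, true));
    printf("read business plan: %d\n", check_access(&payroll_auth, 0x3800, false));
    return 0;
}
```

An access outside the program's authorization, such as the write to technical data or any read of the business plan, is refused without the program itself having been trusted to behave.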
Since software today is shared by a large number of users, viruses (programs which damage other programs or data) have proliferated. These viruses read and write information outside the normal bounds of their intended operation. In order to preserve the integrity of data and programs, it is essential that the great body of software that is untrusted be constrained to perform read and write operations in a secure manner.
Accordingly, it is an object of the present invention to provide an apparatus and method for secure execution of untrusted software, obviating the need to develop COMPUSEC trusted software.