A data processing system comprises in general hardware components such as one or more processors, volatile memories RAM (Random Access Memory), cache memories, non volatile writable memories (flash, disks, etc.) and non-volatile read-only memories ROM (Read Only Memory). The data processing system operates in most of the cases under control of an operating system by executing program instructions by using one or more software resources or applications. The applications may be stored in a non-volatile memory and loaded into a volatile memory during execution when required. During execution of an application, the data required by the application or data which is produced by the application may be stored in the non-volatile memory or volatile memory or transferred from one memory to another.
With the advent of multiple connectivity options for data processing systems, including wireless connectivity, and with the huge growth in the use of mobile data processing systems, the need to protect these systems from malicious attacks has become increasingly important. Malicious attacks can be aimed at interfering with system booting, modifying the operating system, intercepting and/or modifying data produced by or utilized by some application.
In fact, it has now become a necessary requirement to protect data processing systems against fraudulent manipulations and attacks on their integrity. Such malicious attacks may come in the form of software designed to take over a data processing system's operating system or otherwise interfere with the normal processing sequence of the data processing system without the user's knowledge or approval. Such software is generally known as malware. The presence of malware in a data processing system is generally difficult to remedy and can lead to complete system failure or even to irreparable damage to the system.
Computer viruses, worms, Trojan horses, spyware etc. are all different types of malware. The different types of malware can attack the processing system in various ways such as by intercepting data which was meant for another application or by monitoring key strokes in order to steal passwords or other information which is meant to be kept secret, modifying or otherwise altering data or corrupting files, modifying a program in order to cause it to crash or to execute some function which was not originally intended by the user.
Systems to combat against malware attacks exist and generally use a memory management unit, which is configurable by the system's processor or secure processors provided with access control modules. Because of the increasing complexity of the processors, the additional security functions which would be required in order to minimize the possibility of such malware attacks would lead to a significant cost increase in terms of the extra on-chip real estate necessary to implement such functions and would lead to computing overhead and therefore compromise the speed of operation. Therefore, it would be desirable to have a cost-efficient and size-efficient solution providing secure management of data or applications loading or unloading into or out of memories in a data processing system.
Some solutions exist such as, for example, the one disclosed in document U.S. Pat. No. 5,825,878, where an integrated secured memory management unit is used by a microprocessor for transferring encrypted data and instructions from an external memory. The security is carried out by a direct memory access controller integrated on the same chip as the microprocessor. The instructions and the commands are thus difficult to access for a malicious third party from inside the microprocessor where the data are in clear form. However, no means is available for guaranteeing that the data stored in the integrated memory are accessible only by the authorized processor operating in a particular mode. Therefore, it is still possible for a malicious third party to replace the content of the memory by an illegal content.
The document US2003/037220A1 discloses a memory management unit using a data addressing method by segments in which the stored data comprise a segment descriptor making the address mapping easier by eliminating a separated loader, but without solving problems related to security.
In the context of trusted computing platforms, it is important to ensure not only the authenticity of program instructions being executed by a target processor but also data which are used by the program instructions to execute particular actions. Solutions to the problem of the program instructions have been presented so far in the literature (refer to the publication “Caches and Merkle Trees for Efficient Memory Authentication”; Blaise Gassend, Dwaine Clarke, Marten van Dijk, Srinivas Devadas, Ed Suh). This approach suggests digitally signing and storing a list of page integrity figures (hashes) externally. A signed root hash is also stored externally but loaded to a memory management unit of the secure processor. In fact hash trees and caches are used to efficiently verify memory content. One drawback of the solution proposed in this publication is real applicability to data, because data is not static like program instructions could be, but it may vary during the execution of the program instructions. This publication does not discuss with appropriate details how the problem of preventing replay attacks is solved in a generic way, i.e. independently of the chosen integrity-providing primitive.
Therefore it would be desirable to extend the existing solutions in a way to include a new data protection mechanism consisting of verifying freshness of new data and supporting multi-thread with a same level of protection. Such a multi-thread mechanism allows concurrent application software creating their private protected data storage.