Data techniques

US 10,521,230 B2
Filed: 06/07/2018
Issued: 12/31/2019
Est. Priority Date: 12/17/2015
Status: Active Grant

First Claim

Patent Images

1. A method of performing metadata tag processing in a security policy enforcement system, comprising:

at an input/output (IO) metadata processor having a cache configured to store one or more rules of a direct memory access (DMA) policy, receiving, from a first untrusted fabric, a direct memory access (DMA) request directed to an address of a trusted second fabric;

generating an unvalidated request based on the DMA request and at least one of the one or more rules;

obtaining DMA data requested by the unvalidated request at the address of the trusted fabric and obtaining metadata tags corresponding to the DMA data, wherein the DMA data comprises one or more metadata tags indicating a state of the untrusted fabric;

querying the cache to identify at least one rule indicating that a device from which the DMA request is received from the untrusted fabric is allowed to access one or more memory ranges, including the address of the trusted fabric, based on the metadata tags obtained;

wherein when no rules from the cache are identified as matching obtained metadata tags, executing rule miss handling by performing at least one of the following;

(i) rejecting the DMA request and (ii) redirecting the DMA request to an address separate from the trusted fabric; and

when the at least one rule is found in the cache matching the obtained metadata tags, allowing the DMA request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of and system for performing metadata tag compression in security policy enforcement system may comprise conveying a set of data elements, each with an associated metadata tag, from a first processor subsystem to a second processor subsystem. The first processor subsystem may be configured to process conventional tasks, the second processor configured to apply one or more policy decisions to the data element. The conveying may further comprise sending the set of data elements along with an index element that identifies one or more metadata tags, and sending one or more of the metadata tags identified by the index element.

184 Citations

25 Claims

1. A method of performing metadata tag processing in a security policy enforcement system, comprising:
- at an input/output (IO) metadata processor having a cache configured to store one or more rules of a direct memory access (DMA) policy, receiving, from a first untrusted fabric, a direct memory access (DMA) request directed to an address of a trusted second fabric;
  
  generating an unvalidated request based on the DMA request and at least one of the one or more rules;
  
  obtaining DMA data requested by the unvalidated request at the address of the trusted fabric and obtaining metadata tags corresponding to the DMA data, wherein the DMA data comprises one or more metadata tags indicating a state of the untrusted fabric;
  
  querying the cache to identify at least one rule indicating that a device from which the DMA request is received from the untrusted fabric is allowed to access one or more memory ranges, including the address of the trusted fabric, based on the metadata tags obtained;
  
  wherein when no rules from the cache are identified as matching obtained metadata tags, executing rule miss handling by performing at least one of the following;
  
  (i) rejecting the DMA request and (ii) redirecting the DMA request to an address separate from the trusted fabric; and
  
  when the at least one rule is found in the cache matching the obtained metadata tags, allowing the DMA request.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9)
- - 3. The method of claim 1, further comprising:
    - when the DMA request is allowed, allowing reading of the address of the trusted fabric; and
      
      when the DMA request is allowed and the DMA request is a write request, allowing write back to the address of the trusted fabric.
  - 4. The method of claim 3, wherein allowing reading of the address and allowing write back is performed over an output channel between the IO metadata processor and the untrusted fabric.
  - 5. The method of claim 1, wherein the at least one rule based on the metadata tags indicates a set of addresses.
  - 6. The method of claim 1, further comprising storing device state information in an untrusted fabric device register file.
  - 7. The method of claim 1 wherein obtaining the DMA data is over an initial channel from the trusted fabric to the IO metadata processor, the channel being private with respect to the untrusted fabric.
  - 8. The method of claim 1, wherein the untrusted fabric is at least one of a network device, ethernet DMA device, universal asynchronous receiver/transmitter (UART), and serial communication device.
  - 9. The method of claim 1, wherein executing rule cache miss handling further includes sending, from the IO metadata processor, an interrupt to a processor connected with the IO metadata processor.

2. A system for performing metadata tag processing in a security policy enforcement system, comprising:
- an input/output (IO) cache; and
  
  an input/output (IO) metadata processor having a cache configured to store one or more rules of a direct memory access (DMA) policy, the IO metadata processor configured to;
  
  receive, from a first untrusted fabric, a direct memory access (DMA) request directed to an address of a trusted second fabric;
  
  generate an unvalidated request based on the DMA request and at least one of the one or more rules;
  
  obtain DMA data requested by the unvalidated request at the address of the trusted fabric and obtain metadata tags corresponding to the DMA data, wherein the DMA data comprises one or more metadata tags indicating a state of the untrusted fabric;
  
  querying the cache of the metadata processor to identify at least one rule indicating that a device from which the DMA request is received from the untrusted fabric is allowed to access one or more memory ranges, including the address of the trusted fabric, based on the metadata tags obtained;
  
  wherein when no rules from the cache are identified as matching obtained metadata tags, executing rule miss handling by performing at least one of the following;
  
  (i) rejecting the DMA request and (ii) redirecting the DMA request to an address separate from the trusted fabric; and
  
  when the at least one rule is found in the cache of the metadata processor matching the obtained metadata tags, allowing the DMA request.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 2, wherein the IO metadata processor is further configured to:
    - when the DMA request is allowed, allow reading of the address of the trusted fabric; and
      
      when the DMA request is allowed and the DMA request is a write request, allow write back to the address of the trusted fabric.
  - 11. The system of claim 10, wherein allowing reading of the address and allowing write back is performed over an output channel between the IO metadata processor and the untrusted fabric.
  - 12. The system of claim 2, wherein the at least one rule based on the metadata tags indicates a set of addresses.
  - 13. The system of claim 2, wherein the IO metadata processor is further configured to store device state information in an untrusted fabric device register file.
  - 14. The system of claim 2, wherein the IO metadata processor is configured to obtain the DMA data over an initial channel from the trusted fabric to the IO metadata processor, the channel being private with respect to the untrusted fabric.
  - 15. The system of claim 2, wherein the untrusted fabric is at least one of a network device, Ethernet DMA device, universal asynchronous receiver/transmitter (UART), and serial communication device.
  - 16. The system of claim 2, wherein execution of rule cache miss handling further includes conveyance, from the IO metadata processor, of an interrupt to a processor connected with the IO metadata processor.

17. A method comprising acts of:
- receiving, from a device connected to an untrusted fabric of an untrusted domain, a direct memory access (DMA) request to access data at a memory address of a memory connected to a trusted fabric of a trusted domain, wherein the memory address has a corresponding metadata tag;
  
  obtaining one or more metadata tags associated with the DMA request, the one or more metadata tags comprising the metadata tag corresponding to the memory address and a metadata tag indicating a state of the device from which the DMA request is received;
  
  using the one or more metadata tags associated with the DMA request to query a rule cache storing one or more rules of a DMA policy for a rule indicating that the device connected to the untrusted fabric is allowed to access one or more memory ranges including the memory address of the memory connected to the trusted fabric;
  
  wherein when the one or more metadata tags do not match any rule in the rule cache, triggering an interrupt to be serviced by a processor; and
  
  when the rule is found in the rule cache matching the one or more metadata tags associated with the DMA request, allowing the DMA request granting the device connected to the untrusted fabric access to the memory address.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25)
- - 18. The method of claim 17, further comprising an act of:
    - in response to allowing the DMA request, inserting a rule into the rule cache, based at least in part on the one or more metadata tags associated with the DMA request.
  - 19. The method of claim 18, wherein:
    - the one or more metadata tags associated with the DMA request comprise one or more input metadata tags;
      
      the processor returns one or more output metadata tags; and
      
      the rule inserted into the rule cache is further based on the one or more output metadata tags.
  - 20. The method of claim 17, wherein:
    - the one or more metadata tags associated with the DMA request comprise one or more input metadata tags;
      
      andthe method further comprises an act of;
      
      determining, based at least in part on the matched rule, one or more output metadata tags.
  - 21. The method of claim 19, wherein:
    - the metadata tag corresponding to the memory address comprises a metadata tag associated with the memory address before the DMA request is serviced; and
      
      the one or more output metadata tags comprise at least one metadata tag selected from a group consisting of;
      
      a metadata tag indicating a state of the device after the DMA request is serviced; and
      
      a metadata tag to be associated with the memory address after the DMA request is serviced.
  - 22. The method of claim 17, wherein the matched rule from the rule cache indicates that the device from which the request is received is allowed to access one or more selected memory ranges.
  - 23. The method of claim 22, wherein:
    - the memory address is in the one or more selected memory ranges;
      
      the one or more metadata tags associated with the DMA request further comprise a metadata tag associated with the device from which the request is received; and
      
      the metadata tag associated with the device and the metadata tag corresponding to the memory address match the rule indicating that the device is allowed to access the one or more selected memory ranges.
  - 24. The method of claim 17, wherein the act of obtaining one or more metadata tags associated with the DMA request comprises acts of:
    - identifying, from a device register file, an entry corresponding to the device from which the DMA request is received; and
      
      obtaining, based at least in part on the identified entry, the metadata tag selected from a group.
  - 25. The method of claim 17, wherein the DMA request comprises at least one request selected from a group consisting of:
    - a request to load data from the memory address; and
      
      a request to store data to the memory address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Charles Stark Draper Laboratory Incorporated
Original Assignee
Charles Stark Draper Laboratory Incorporated
Inventors
DeHon, Andre'
Primary Examiner(s)
Lynch, Sharon S

Application Number

US16/002,987
Publication Number

US 20180341490A1
Time in Patent Office

572 Days
Field of Search
US Class Current
CPC Class Codes

G06F 12/0875   with dedicated cache, e.g. ...

G06F 12/1408   by using cryptography for d...

G06F 12/1458   by checking the subject acc...

G06F 15/78   comprising a single central...

G06F 16/23   Updating

G06F 21/52   during program execution, e...

G06F 21/6218   to a system of files or obj...

G06F 2212/1052   Security improvement

G06F 2212/402   Encrypted data

G06F 2212/452   Instruction code

G06F 9/30072   to perform conditional oper...

G06F 9/30098   Register arrangements

G06F 9/30101   Special purpose registers

G06F 9/3867   using instruction pipelines

Data techniques

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

184 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Data techniques

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

184 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links