Data techniques
First Claim
1. A method of performing metadata tag processing in a security policy enforcement system, comprising:
- at an input/output (IO) metadata processor having a cache configured to store one or more rules of a direct memory access (DMA) policy, receiving, from a first untrusted fabric, a direct memory access (DMA) request directed to an address of a trusted second fabric;
- generating an unvalidated request based on the DMA request and at least one of the one or more rules;
- obtaining DMA data requested by the unvalidated request at the address of the trusted fabric and obtaining metadata tags corresponding to the DMA data, wherein the DMA data comprises one or more metadata tags indicating a state of the untrusted fabric;
- querying the cache to identify at least one rule indicating that a device from which the DMA request is received from the untrusted fabric is allowed to access one or more memory ranges, including the address of the trusted fabric, based on the metadata tags obtained;
- wherein when no rules from the cache are identified as matching obtained metadata tags, executing rule miss handling by performing at least one of the following: (i) rejecting the DMA request and (ii) redirecting the DMA request to an address separate from the trusted fabric; and
- when the at least one rule is found in the cache matching the obtained metadata tags, allowing the DMA request.
Abstract
A method of and system for performing metadata tag compression in a security policy enforcement system may comprise conveying a set of data elements, each with an associated metadata tag, from a first processor subsystem to a second processor subsystem. The first processor subsystem may be configured to process conventional tasks, and the second processor subsystem may be configured to apply one or more policy decisions to the data elements. The conveying may further comprise sending the set of data elements along with an index element that identifies one or more metadata tags, and sending one or more of the metadata tags identified by the index element.
Claims (25 claims; 184 citations)
1. Independent claim; text as given under First Claim above. Dependent claims: 3, 4, 5, 6, 7, 8, 9.
2. A system for performing metadata tag processing in a security policy enforcement system, comprising:
- an input/output (IO) cache; and
- an input/output (IO) metadata processor having a cache configured to store one or more rules of a direct memory access (DMA) policy, the IO metadata processor configured to:
- receive, from a first untrusted fabric, a direct memory access (DMA) request directed to an address of a trusted second fabric;
- generate an unvalidated request based on the DMA request and at least one of the one or more rules;
- obtain DMA data requested by the unvalidated request at the address of the trusted fabric and obtain metadata tags corresponding to the DMA data, wherein the DMA data comprises one or more metadata tags indicating a state of the untrusted fabric;
- querying the cache of the metadata processor to identify at least one rule indicating that a device from which the DMA request is received from the untrusted fabric is allowed to access one or more memory ranges, including the address of the trusted fabric, based on the metadata tags obtained;
- wherein when no rules from the cache are identified as matching obtained metadata tags, executing rule miss handling by performing at least one of the following: (i) rejecting the DMA request and (ii) redirecting the DMA request to an address separate from the trusted fabric; and
- when the at least one rule is found in the cache of the metadata processor matching the obtained metadata tags, allowing the DMA request.
Dependent claims: 10, 11, 12, 13, 14, 15, 16.
17. A method comprising acts of:
- receiving, from a device connected to an untrusted fabric of an untrusted domain, a direct memory access (DMA) request to access data at a memory address of a memory connected to a trusted fabric of a trusted domain, wherein the memory address has a corresponding metadata tag;
- obtaining one or more metadata tags associated with the DMA request, the one or more metadata tags comprising the metadata tag corresponding to the memory address and a metadata tag indicating a state of the device from which the DMA request is received;
- using the one or more metadata tags associated with the DMA request to query a rule cache storing one or more rules of a DMA policy for a rule indicating that the device connected to the untrusted fabric is allowed to access one or more memory ranges including the memory address of the memory connected to the trusted fabric;
- wherein when the one or more metadata tags do not match any rule in the rule cache, triggering an interrupt to be serviced by a processor; and
- when the rule is found in the rule cache matching the one or more metadata tags associated with the DMA request, allowing the DMA request granting the device connected to the untrusted fabric access to the memory address.
Dependent claims: 18, 19, 20, 21, 22, 23, 24, 25.
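The lookup-and-miss-handling path that claims 1, 2 and 17 describe, written out as an added C simulation; this is illustrative code, not the patent's or any vendor's implementation. The device-state and memory tag values, the address layout (DMA buffer window, quarantine region, kernel elsewhere), the eight-slot cache, the sample policy and the choice of reject versus redirect on a miss are all constructed assumptions. Claim 17's interrupt-driven miss handling is represented only by the miss counter; the processor-side slow path that would service it is not modelled.

```c
/* Added example (not from the patent): simulate an IO metadata processor's
 * rule cache for DMA requests. Tag values, address ranges, the quarantine
 * region and the sample policy are constructed for illustration only. */
#include <stdint.h>
#include <stdio.h>

/* Metadata tag for the state of the requesting device on the untrusted fabric. */
typedef enum { DEV_UNTRUSTED = 1, DEV_ATTESTED = 2 } dev_tag_t;
/* Metadata tag attached to memory on the trusted fabric. */
typedef enum { MEM_DMA_BUFFER = 1, MEM_KERNEL = 2, MEM_QUARANTINE = 3 } mem_tag_t;
/* Outcome of processing one DMA request. */
typedef enum { DMA_ALLOW = 0, DMA_REJECT = 1, DMA_REDIRECT = 2 } dma_decision_t;

/* One cached DMA-policy rule: a device in state dev_tag may access memory
 * tagged mem_tag within the address range [lo, hi). */
typedef struct { dev_tag_t dev_tag; mem_tag_t mem_tag; uint64_t lo, hi; } dma_rule_t;

#define RULE_CACHE_SLOTS 8
typedef struct {
    dma_rule_t rules[RULE_CACHE_SLOTS];
    size_t count;
    unsigned hits, misses;   /* a miss is where claim 17's interrupt would be raised */
} rule_cache_t;

typedef struct {
    uint64_t address;        /* requested address on the trusted fabric */
    uint64_t redirect_to;    /* destination when the decision is DMA_REDIRECT */
    dma_decision_t decision;
} dma_result_t;

/* Constructed memory layout. */
#define DMA_BUF_LO      0x1000000ULL
#define DMA_BUF_HI      0x1100000ULL
#define QUARANTINE_BASE 0xF000000ULL

/* Obtain the metadata tag for a trusted-fabric address (constructed tag map). */
static mem_tag_t lookup_mem_tag(uint64_t addr) {
    if (addr >= DMA_BUF_LO && addr < DMA_BUF_HI) return MEM_DMA_BUFFER;
    if (addr >= QUARANTINE_BASE) return MEM_QUARANTINE;
    return MEM_KERNEL;
}

int cache_install(rule_cache_t *c, dma_rule_t r) {
    if (c->count >= RULE_CACHE_SLOTS) return -1;   /* cache full: caller must evict */
    c->rules[c->count++] = r;
    return 0;
}

/* Query the cache for a rule matching device tag, memory tag and address. */
static const dma_rule_t *cache_query(rule_cache_t *c, dev_tag_t d, mem_tag_t m, uint64_t addr) {
    for (size_t i = 0; i < c->count; i++) {
        const dma_rule_t *r = &c->rules[i];
        if (r->dev_tag == d && r->mem_tag == m && addr >= r->lo && addr < r->hi) {
            c->hits++;
            return r;
        }
    }
    c->misses++;
    return NULL;
}

/* Rule-miss handling: reject anything aimed at kernel-tagged memory, otherwise
 * redirect to the quarantine region, keeping the same page offset, so the
 * untrusted device never touches the trusted address it asked for. */
static dma_result_t handle_miss(uint64_t addr, mem_tag_t m, int redirect_allowed) {
    dma_result_t res = { addr, 0, DMA_REJECT };
    if (m != MEM_KERNEL && redirect_allowed) {
        res.decision = DMA_REDIRECT;
        res.redirect_to = QUARANTINE_BASE + (addr & 0xFFFULL);
    }
    return res;
}

/* Claim 1's path: receive the request, obtain tags, query the cache,
 * allow on a hit, run miss handling otherwise. */
dma_result_t process_dma_request(rule_cache_t *c, dev_tag_t dev_state, uint64_t addr, int redirect_allowed) {
    mem_tag_t m = lookup_mem_tag(addr);
    if (cache_query(c, dev_state, m, addr) != NULL) {
        dma_result_t ok = { addr, 0, DMA_ALLOW };
        return ok;
    }
    return handle_miss(addr, m, redirect_allowed);
}

/* Sample policy: only attested devices may DMA into the DMA buffer window. */
rule_cache_t make_sample_cache(void) {
    rule_cache_t c = {0};
    dma_rule_t r = { DEV_ATTESTED, MEM_DMA_BUFFER, DMA_BUF_LO, DMA_BUF_HI };
    cache_install(&c, r);
    return c;
}

/* One request against a fresh sample cache; returns the decision code. */
int sample_decision(dev_tag_t d, uint64_t addr) {
    rule_cache_t c = make_sample_cache();
    return (int)process_dma_request(&c, d, addr, 1).decision;
}

/* Redirect destination for one request against the sample cache (0 if none). */
uint64_t sample_redirect(dev_tag_t d, uint64_t addr) {
    rule_cache_t c = make_sample_cache();
    return process_dma_request(&c, d, addr, 1).redirect_to;
}

int main(void) {
    static const char *names[] = { "ALLOW", "REJECT", "REDIRECT" };
    printf("attested  -> DMA buffer: %s\n", names[sample_decision(DEV_ATTESTED, 0x1000400ULL)]);
    printf("untrusted -> DMA buffer: %s\n", names[sample_decision(DEV_UNTRUSTED, 0x1000400ULL)]);
    printf("attested  -> kernel    : %s\n", names[sample_decision(DEV_ATTESTED, 0x2000000ULL)]);
    return 0;
}
```

The match is on all three of device tag, memory tag and address range, so a device whose state tag changes (for example, loses its attested state) misses the cache even for an address it was previously allowed to reach, and the miss counter is the natural place to hook detection of devices that repeatedly probe outside their policy.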