Hierarchical security mechanism for dynamically assigning security levels to object programs
Abstract
A computer system organization which allows a program to specify a predetermined security level for other programs which it invokes, while at the same time being subject to security restraints placed on it either by a higher priority level invoking program or by the operating system. A plurality of security levels organized as a hierarchy, which may be established both by problem programmers and by the operating system, is then controlled by the operating system. A program cannot change its previously assigned level; only a higher level invoking program can make such an alteration. A new program's security level indicator must be validated, and then a protection code or `mask` of a predetermined size related to the security level must be validated. The system utilizes a plurality of special purpose bits in every data word, which bits contain the protection field. Level indicators for the particular program determine the use of the protection field. A series of linking registers, or a `Link Stack`, having appropriate logic circuitry connected thereto, is utilized for keeping track of the security level of all programs in a hierarchical sequence currently running on the system. The stack allows proper branching back to an originating program and prevents violation of security rules. The hardware additionally provides a mechanism for automatically checking each and every memory access, whether read or write, to assure that a correct protection field is present in each of the memory data words which is to be accessed or stored into.
23 Claims
1. An electronic computing system having a hierarchical security mechanism incorporated therein, said system including a memory for storing both instructions and data, an instruction execution unit for extracting series of instructions from the memory and executing same, and a processing unit for performing the data operations required by said instructions, said hierarchical security mechanism being dynamically actuable by application programs and including
means actuable by an application programmer for assigning a hierarchical protection level for each program instruction sequence included in an overall running program, wherein successive hierarchical protection levels have successively reduced privilege to access storage locations in said memory,
means for assigning a unique protection field to each such instruction sequence,
means for storing the particular protection field assigned to each instruction sequence in every storage location in said memory to which it is intended that access by said instruction sequence is to be permitted, and
means actuable during the running of a program for ascertaining that the protection field of each memory access matches the protection field of the instruction sequence which initiated said access, which comprises means for comparing the protection field of a requesting instruction with the stored protection field of the accessed location in memory and predicating access on a successful comparison, said comparison being a function of the hierarchical protection level of the requesting instruction.
14. In an electronic computing system wherein said system includes a main memory for storing both instructions and data, an instruction execution unit for accessing and executing instructions from said main memory, an arithmetic and logic unit, and input/output devices selectively connectable to said system, wherein said system utilizes a data word format having a width including at least n bits which may be selectively utilized for security control purposes, the improvement which comprises a hierarchical security mechanism for controlling all memory accesses in said system, said mechanism including
means for accessing an assigned predetermined hierarchical protection level and protection field for an instruction sequence currently running on the system, wherein successive hierarchical protection levels have successively reduced privilege to access storage locations in said memory,
means for accessing the protection level and protection field assigned to a called instruction sequence,
means for checking the protection level and protection field of said called instruction sequence to determine if 1) the called protection level is less privileged than the calling protection level and 2) a specified portion of the two protection fields match before the called instruction sequence can proceed, and
means for producing a security violation if either the protection level or the protection field does not match.