The invention relates to a method of memory addressing as well as a corresponding data-processing apparatus, computer program, data carrier, and data structure.
In the context of security technology and information governance, information security means the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. Information security of data-processing apparatuses is termed cybersecurity, computer security, or IT security. State-of-the-art cybersecurity encompasses control of physical or network access to data-processing apparatuses as well as protection from disruption or misdirection of the services they provide, data manipulation, and code injection.
As an example of the latter class of attacks,
This property is reflected in the processor's instruction set architecture (ISA), which is predominantly embodied in its instruction decoder (12). While
Said hardware and basic OS functionality (11, 12, 13) constitute the foundation for any software adapted to the data-processing apparatus (10), such software typically comprising multiple layers (14) of middleware that culminate in the actual application (15). Where the software is faulty in any of said layers, an attacker—in what is known as a cyber-attack (17)—may leverage this vulnerability and cause the data-processing apparatus (10) to crash. Even more severely, to seize control of the apparatus (10), an exploit of the vulnerability could enable the attacker to maliciously bypass (18) all lower software layers of the technology stack in order to directly access the instruction decoder (12), thereby usurping unrestricted power over all resources offered by the insecure “bare-metal” hardware system (11, 12). To this end, once having breached the designated flow of control, the attacker may redirect it to machine instructions of his choosing that have been injected into or selected from memory by a technique referred to as return-oriented programming (ROP). Once such “malware” is fed to the instruction decoder (12), the data-processing apparatus (10) may exhibit unintended or unanticipated behavior, and may even become completely controlled by the attacker.
Conventional approaches to detecting or preventing code injections include marking memory areas as non-executable. Another countermeasure particularly suited for buffer overflow attacks is known in the art as “stack canaries”. Return address overwrites such as seen during exploitation of stack buffer overflows may further be mitigated by so-called shadow stacks. These and other techniques are employed by the artisan to maintain control-flow integrity (CFI), that is, to prevent malware attacks from redirecting or hijacking the flow of execution of a program.
The invention as claimed is hereinafter disclosed in such a way that the technical problem with which it deals can be appreciated and the solution can be understood.
The problem to be solved is to seek an alternative to known concepts which provides the same or similar effects or is more secure.
To elucidate the nature of the solution, reference is made to the characterizing portion of the independent claims.
The invention gives rise to efficient data processing, efficient data storage, and enhanced security.
Referring to
Where the data-processing apparatus (10) takes the form of a concurrent system, this approach allows for a virtual memory layout (30) as exemplified in
Vertically, the grid of the present example comprises eight rows, each row being uniquely associated with a memory segment. For any among the tasks (31, 32, 33, 34), one such segment remains hidden to and inaccessible for the software itself, and contains a stack exclusively dedicated to subroutine return addresses and controlled by hardware. Especially in a stack machine, that task (31, 32, 33, 34) may also entail a segment (r) containing a working stack that stores subroutine contexts, call, return, and local variables, and intermediate computational results. A segment (d) containing an ancillary data stack is optional. Finally, the task (31, 32, 33, 34) could possess any number of heap (h), file (f), write-only channel output (o), or read-only channel input (i) segments as needed.
A mandatory code (c) segment, hidden and inaccessible by the software itself, serves as read-only input to the instruction decoder (12), otherwise being protected from reading and writing. This feature may be considered an implementation of the Harvard computer architecture as it imposes distinct code and data address spaces, rendering the memory layout (30) invulnerable to code injection.
Attention is now directed to
Once generated, the local virtual address (45) is augmented, such as through concatenation, by an identifier (43) of the task (31, 32, 33, 34) and an identifier (44) of the memory segment (s, r, d, h, f, o, i, c), both identifiers being essentially hardware-controlled (42), identifier (43) by the scheduler, and identifier (44) by the safe pointer operator (41). Based on this composite augmented virtual address—hyperaddress—(46), the pointer may finally be dereferenced via the memory management unit (MMU) and its data accessed safely and securely. By design, each task (31, 32, 33, 34) thus benefits from its own data privacy sphere as well as full memory access integrity and control flow integrity and hence resides in what in the art is known as a “trust zone” that is maintained by a per-task virtual processing scheme (as opposed to known coarser—and more vulnerable—two-virtual-processor schemes).
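The segment layout and hyperaddress composition described above can be modelled in a few lines of C. This is an added sketch, not part of the patent text: the field widths (16-bit task identifier, 3-bit segment identifier, 32-bit local address), all function names, the reading of (s) as the hidden return-address stack, and read/write access for the r, d, h and f segments are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Segment kinds named in the text; s is assumed to be the hidden return stack. */
typedef enum { SEG_S, SEG_R, SEG_D, SEG_H, SEG_F, SEG_O, SEG_I, SEG_C } seg_t;

/* Kind of access: software load/store, instruction-decoder fetch,
 * or the hardware-controlled call/return stack operation. */
typedef enum { ACC_READ, ACC_WRITE, ACC_FETCH, ACC_RETSTACK } access_t;

/* Assumed field widths (the text does not specify them). */
enum { LOCAL_BITS = 32, SEG_BITS = 3 };

/* Concatenate task id | segment id | local virtual address. */
uint64_t make_hyperaddress(uint16_t task, seg_t seg, uint32_t local)
{
    return ((uint64_t)task << (SEG_BITS + LOCAL_BITS)) |
           ((uint64_t)seg << LOCAL_BITS) | (uint64_t)local;
}

uint16_t hyper_task(uint64_t h) { return (uint16_t)(h >> (SEG_BITS + LOCAL_BITS)); }
seg_t hyper_seg(uint64_t h) { return (seg_t)((h >> LOCAL_BITS) & ((1u << SEG_BITS) - 1)); }

/* Per-segment access policy following the segment descriptions in the text. */
bool access_allowed(seg_t seg, access_t acc)
{
    switch (seg) {
    case SEG_S: return acc == ACC_RETSTACK;  /* hidden from software */
    case SEG_C: return acc == ACC_FETCH;     /* decoder input only */
    case SEG_O: return acc == ACC_WRITE;     /* write-only channel output */
    case SEG_I: return acc == ACC_READ;      /* read-only channel input */
    case SEG_R: case SEG_D: case SEG_H: case SEG_F:
        return acc == ACC_READ || acc == ACC_WRITE;  /* assumed read/write */
    }
    return false;
}

/* Software supplies only `local`. The task id comes from the scheduler and the
 * segment id from the safe pointer operator, so no local value can select
 * another task's memory or a different segment. */
bool translate(uint16_t sched_task, seg_t ptr_seg, uint32_t local,
               access_t acc, uint64_t *hyper_out)
{
    if (!access_allowed(ptr_seg, acc))
        return false;
    *hyper_out = make_hyperaddress(sched_task, ptr_seg, local);
    return true;
}
```

Because the local address occupies a fixed-width field below the hardware-supplied identifiers, even an all-ones local value leaves the task and segment fields untouched, and a software write aimed at the code segment is refused before any address is formed.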
In a preferred embodiment explained regarding
The eminent benefit of the type word (52) is best gathered from
Since type information is henceforth contained in a segment (r) containing data space as opposed to a segment (c) containing code space, CPU execution may be guided by type, reducing the required instruction set to a minimum. The resulting ability to use universal standard code for all—even vector or otherwise special—data types confers extreme flexibility to the data-processing apparatus (10). In programming languages and type theory, such provision of a single interface to entities of different types is known as polymorphism.
In the draft at hand, bit 9 of the type word (52) marks the—contained or referencing—data as being either of an elementary or composite, further structured type. In the former case, the type word (52) may also provide guidance on aspects like the following:
The invention may be applied, inter alia, throughout the semiconductor industry.
This application is a continuation of U.S. patent application Ser. No. 16/079,667, filed on Aug. 24, 2018, hereby incorporated by reference, which is a national stage entry of Patent Cooperation Treaty Application No. PCT/EP2017/054535, filed on Feb. 27, 2017, which is a continuation of Patent Cooperation Treaty Application No. PCT/EP2016/000344, filed on Feb. 27, 2016 and a continuation of PCT/EP2016/000345, filed on Feb. 27, 2016.
Number | Date | Country |
---|---|---|
20200387459 A1 | Dec 2020 | US |

Relation | Number | Date | Country |
---|---|---|---|
Parent | 16079667 | | US |
Child | 16998169 | | US |
Parent | PCT/EP2016/000345 | Feb 2016 | US |
Child | 16079667 | | US |
Parent | PCT/EP2016/000344 | Feb 2016 | US |
Child | PCT/EP2016/000345 | | US |