The present disclosure relates to security in processing devices.
Processing systems can include operating system programs that allow utilities and application programs to be written for a common computing environment, even when executed on different processing platforms. Operating systems also provide for multitasking that allows the simultaneous execution of multiple applications and utilities, etc. Examples of such operating systems include Microsoft Windows, Mac OS, Linux and Solaris. The flexibility of these operating systems provides several drawbacks. For instance, authors of malicious code such as viruses, worms, Trojan horses and other harmful code have taken advantage of the open nature of operating systems such as Microsoft windows.
Processing systems typically include memory registers for facilitating the communication of data between devices of the systems. Memory registers are one point of vulnerability for malicious code. In addition, improper access to memory registers during the processing video applications can provide an authorized access to media content in an unprotected format.
The processing system 100 includes a plurality of clients such as embedded processors, hardware interfaces, etc. One of these processors executes an operating system having a plurality of operating system processes, wherein each of the plurality of operating system processes is designated as a corresponding one of a plurality of virtual clients. A memory module includes a plurality of memory blocks. A memory arbitration module receives a request to access a selected one of the plurality of memory blocks from at least one of the plurality of actual or virtual clients and determines whether or not to grant or deny the request, based on whether the selected memory block is designated for trusted or untrusted access and based on whether the actual or virtual client is trusted or untrusted.
The processing system 100 also includes a register space for storing a plurality of register data in a plurality of registers and secure access data corresponding to the register space. A register arbitration module receives a request to access a selected one of the plurality of registers from at least one of the plurality of actual or virtual clients and determines whether or not to grant or deny the request, based on whether the selected register is designated for trusted or untrusted access and based on whether the actual or virtual client is trusted or untrusted.
In this fashion, the memory and register arbitration modules can help prevent unauthorized access to the register space and the memory blocks to prevent tampering and/or unauthorized copying. Processing system 100 will be described in greater detail in conjunction with
In operation, the video processing system 100 can perform one or more video processing functions implemented via one or more routines running on processing module 130 or one or more dedicated video processing engines included as one or more embedded processors 132, 134 . . . of processing module 130.
In one example, interface module 120 receives a video signal 110 and outputs a processed video signal 112 based on an encoding of the video signal 110, a decoding of the video signal 110 and/or a transcoding of the video signal 110. While referred to as video signals, video signal 110 and processed video signal 112 can each include an associated audio component. As used herein, transcoding can include transrating, transcrypting, and/or transcaling the video signal 110 to generate processed video signal 112 in addition to transcoding the video signal 110 from one encoded video format into another encoded video format (MPEG1,2,4 to H.264, etc.) to form processed video signal 112. Transcoding can further include transcoding the audio portion of video signal 110 to a different sample rate, encoding standard or other digital format, stereo to mono, etc.
Interface module 120 can receive video signal 110 via a wireless receiver via a WLAN, Bluetooth connection, infrared connection, wireless telephony receiver or other wireless data connection, or a wired modem or other network adaptors that uses a wired receiver or other device to receive the decrypted signal from a LAN, the Internet, cable network, telephone network or other network or from another device. Interface module 120 can also receive video signal 110 in accordance with an Ethernet protocol, a memory card protocol, USB protocol, Firewire (IEEE 1394) protocol, SCSI protocol, PCMCIA protocol, or other protocol either standard or proprietary.
Video signal 110 and processed video signal 112 can each be analog or digital video signals in any of a number of video formats with or without an associated audio component. Such analog video signal can include formats such as National Television Systems Committee (NTSC), Phase Alternating Line (PAL) or Sequentiel Couleur Avec Memoire (SECAM). Such digital video formats can include formats such as H.264, MPEG-4 Part 10 Advanced Video Coding (AVC) or other digital format such as a Moving Picture Experts Group (MPEG) format (such as MPEG1, MPEG2 or MPEG4), Quicktime format, Real Media format, Windows Media Video (WMV), Audio Video Interleave (AVI), high definition media interface (HDMI) or another compressed or uncompressed digital video format, either standard or proprietary.
Video signal 110 and/or processed video signal 112 can be generated in association with a set-top box, television receiver, personal computer, cable television receiver, satellite broadcast receiver, broadband modem, 3G transceiver, a broadcast satellite system, internet protocol (IP) TV system, the Internet, a digital video disc player, a digital video recorder, a video conferencing system, a video security system, a video camera or other video device. In an embodiment of the present disclosure, the video signals 110 and or 112 can include a broadcast video signal, such as a television signal, high definition television signal, enhanced high definition television signal or other broadcast video signal that has been transmitted over a wireless medium, either directly or through one or more satellites or other relay stations or through a cable network, optical network or other transmission network. In addition, the video signal 110 and/or processed video signal 112 can be locally generated via a video camera, generated from a stored video file, played back from a recording medium such as a magnetic tape, magnetic disk or optical disk, and can include a streaming video signal that is transmitted over a public or private network such as a local area network, wide area network, metropolitan area network or the Internet.
Memory module 140 includes a general memory space 142 that is segregated into a plurality of memory blocks. A first subset of the plurality of memory blocks are designated for trusted access and a second subset of the plurality of memory blocks are designated for untrusted access. The memory module also includes a register space 144 that includes a plurality of registers. A first subset of the plurality of registers are designated for trusted access and a second subset of the plurality of registers are designated for untrusted access.
The memory module 140 also stores, in one or more of the memory blocks of the general memory space 142 for example, an operating system such as a Linux, Mac OS, MS Windows, Solaris or other operating system and one or more applications to be executed by processing system 100. When executed, the operating system includes a plurality of processes that are treated as virtual clients for purposes of determining which registers and which memory blocks can be accessed by each process. A “process” is an instance of a program running in a computer. Multiple processes can be executed simultaneously in most operating systems. In UNIX, Linux and some other operating systems, a process is started whenever a program is initiated (either by a user entering a shell command or by another program). Like a task, a process is a running program with which a particular set of data is associated so that the process can be kept track of. An application that is being shared by multiple users will generally have one process at some stage of execution for each user. A process can spawn a subprocess, which is a called a child process (and the initiating process is sometimes referred to as its parent). A child process can be a replica of the parent process and shares some of its resources, but cannot exist if the parent is terminated. Processes can exchange information or otherwise synchronize their operation through several methods of inter-process communication.
In addition, the memory module 140 stores secure access data 146 that is used by register arbitration module 150 to arbitrate requests for accessing the register space and by the memory arbitration module 155 to arbitrate requests for accessing the memory blocks. While not specifically shown, the memory module 140 can store program files and other data files, system data, buffers, drivers, utilities and other system programs, and other data. Memory module 140 may be a single memory device or a plurality of memory devices. Such a memory device can include a hard disk drive or other disk drive, read-only memory, random access memory, volatile memory, non-volatile memory, static memory, dynamic memory, flash memory, cache memory, and/or any device that stores digital information.
The processing module 130 can be implemented using one or more embedded processors 132, 134 . . . that operate as a secure system/ main CPU. Each of the processors can be implemented as one or more physical processors, virtual hardware blocks, interface devices or any other device that is capable of issuing a request to access one or more memory blocks and/or registers. Other ones of the embedded processors 132, 134 operate as other clients to perform other functions of the processing system 100. Interface module 120 includes one or more interfaces to other devices that are either included or coupled to a device that hosts processing system 100. These interfaces 122, 124, etc., can include a personal computer interface (PCI), personal computer memory card international association (PCMCIA) interface, universal serial bus (USB) interface an Ethernet interface, Firewire (IEEE 1394) interface, small computer system interface (SCSI), a device test interface such as a joint test action group (JTAG) interface, or other interface, either standard or proprietary. While not specifically shown, the interface module 120 can include other serial or parallel interfaces to other devices or modules of processing system 100.
The interfaces 122, 124 . . . and the embedded processors 132, 134 . . . can each be considered actual (non-virtual) clients that may request access to the general memory space 142 and the register space 144. Each of the actual clients may also request access to the general memory space 142 and the register space 144. These clients can be designated as either trusted or untrusted. Some clients, for example clients that are more susceptible to tampering by a hacker or other unauthorized user, can be designated as untrusted, while other more secure clients can be designated as trusted.
Similarly, virtual clients corresponding to the various processes of the operating system can also be designated as either trusted or untrusted. Some processes, for example processes that are more susceptible to tampering by a hacker or other unauthorized user, can be designated as untrusted, while other more secure processes can be designated as trusted.
Trusted clients and virtual clients are allowed to access trusted and untrusted registers and memory blocks. Untrusted clients and virtual clients are allowed to access only untrusted registers and memory blocks. In this fashion, unsecure clients and processes can be denied access to secure registers and portions of memory to avoid tampering with or loss of secure information, while other processes can safely access this information.
As introduced in conjunction with
In an embodiment, the memory arbitration module 155 provides a central hardware mechanism responsible for arbitrating memory access requests, such as read and write requests from all clients (virtual or actual) and enumerating the address of the targeted memory block. All clients and virtual clients can be arbitrated equally using a balanced arbitration scheme. In an embodiment of the present disclosure, the addressable units of each of the memory are not uniquely identified for purposes of security. A request to access any one of the addressable units of a memory block is treated similarly as a request for any or all of the remaining units of that memory block.
In an example of operation, the memory arbitration module 155 receives a request to access a memory block of general memory space 142 that includes an address of one or more of the addressable memory units of that memory block. The memory arbitration module 155 determines the particular memory block that corresponds to the request based on the address or addresses. The memory arbitration module 155 evaluates the secure access data 146 to determine if the client making the request is trusted. If so, the read or write operation is allowed to be completed unhindered. If however the client is untrusted, the targeted address is decoded to determine the particular memory block to be accessed. If the targeted address is to a memory block designated only for trusted access, the operation is discarded. For example, read commands can be returned with NULL data. Write commands can be discarded. If however the secure access data 146 indicates that the targeted address is a memory block designated for untrusted access, the operation is allowed to be completed unhindered.
In addition, to the access restrictions above, memory arbitration module 155 operates to designate, such as on a per actual or virtual client basis, regions of memory that may be classed as executable. In regions classed as executable for a given virtual or actual client, every instruction fetch outside of the permitted region(s) results in an interrupt event or other mechanism by the secure system/main CPU. In addition to generating an interrupt or other security in the event of instruction read requests outside of executable regions, write requests to the executable regions may be conditionally discarded. These executable regions are a unique set, which may or may not be mutually exclusive of trusted/untrusted designation. However, trusted and untrusted designations are mutually exclusive by definition.
With these controls, the memory arbitration module 155 can segment and designate blocks of memory into segments of code which are executable only by specific virtual or actual clients and further to define which memory clients are permitted to otherwise access/alter these memory blocks. For example, these controls can be used to define code spaces where specific clients (i.e. CPU's or O/S processes) are permitted to execute from and to only permit trusted clients or processes to alter the code space.
The memory scrubbing module 165 operates as a Secure Boot Controller (SBC) CPU which is responsible for securely booting the system (i.e. decrypting and signing code which runs in the processing system 100). After boot up, this processor may be tasked to perform a background scrubbing of code spaces such as general memory spaces 142 and secure access data 146. The memory scrubbing module 165 can, for example, run SHA-256 signature checks on these code spaces. In this way if a hacker somehow alters the code which a processor is intended to execute then the SBC processor can detect the attack and take action to prevent the hacker from executing their code—for example by resetting the secure system/main processor.
The obfuscation module 170 performs a hardware obfuscation function to alter every read and write command to all of the memory modules 140 or external memory devices of the memory module 140. The hardware obfuscation function can implement an address obfuscation and/or code obfuscation based on a random key. The obfuscation module 170 can generate and/or use a new random key every time the processing system 100 is reset. This technique is used to prevent hackers from altering the code space of memory module 140 or to protect other data.
The processing system 100 also includes a register space 144 for storing a plurality of register data in a plurality of registers and secure access data corresponding to the register space. A register arbitration module 150 receives a request to access a selected one of the plurality of registers from at least one of the plurality of virtual or actual clients and determines whether or not to grant or deny the request, based on whether the selected register is designated for trusted or untrusted access and based on whether the virtual or actual client is trusted or untrusted.
In an embodiment of the present disclosure, register arbitration module 150 can be implemented via a state machine, digital logic circuitry or other hardware to enhance the security of processing system 100. However, in alternative embodiments, software or firmware can be used in the implementation of register arbitration module 150. It should be noted that register arbitration module 150 can be implemented as a standalone device or as part of the memory arbitration module 155, a memory manager or other module.
In an embodiment, the register arbitration module 150 provides a central hardware mechanism responsible for arbitrating register access requests, such as register read and register write requests from all clients and enumerating the address of the targeted register space. All clients and virtual clients may be arbitrated equally using a balanced arbitration scheme. In an embodiment of the present disclosure, the addressable units of each of the registers are not uniquely identified for purposes of security. A request to access any one of the addressable units of a register is treated similarly as a request for any or all of the remaining units of that register.
In an example of operation, the register arbitration module 150 receives a request to access a register of register space 144 that includes an address of one or more of the addressable memory units of that register. The register arbitration module 150 determines the particular register that corresponds to the request based on the address or addresses. The register arbitration module 150 evaluates the secure access data 146 to determine if the client making the request is trusted. If so, the read or write operation is allowed to be completed unhindered. If however the client is untrusted, the targeted address is decoded to determine the register to be accessed. If the targeted address is to a register designated only for trusted access, the operation is discarded. For example, read commands can be returned with NULL data. Write commands can be discarded. If however the secure access data 146 indicates that the targeted address is a register designated for untrusted access, the operation is allowed to be completed unhindered.
Further details regarding the operation of processing system 100 including optional functions and features and optional formats of general memory space 142, register space 144, secure access data 146 are presented in conjunction with the example discussed in association with
As previously discussed, the registers of register space 144 can be segmented into banks for trusted and untrusted access. The register banks are defined by register setting as either Trusted or Untrusted. The restriction may be applied to any register client within the SOC and can be enforced in hardware via the register arbitration module 150 (i.e. every register read/write (R/W) must be to a permitted bank of registers). In this example, trusted actual and virtual clients may R/W any bank of registers. Untrusted virtual and actual clients attempts to R/W to trusted Banks of registers are denied. The secure access data 146 can be stored in one or more registers designated as trusted.
In an embodiment, the registers banks are segmented into 1K banks. Individual register clients may be designated as trusted or untrusted, either globally or on a register by register basis. The trusted or untrusted status of a virtual or actual client can be designated by a sticky status bit or other mechanism for this designation to persist—e.g. once a client is defined as untrusted, this designation may not be changed until the chip is reset.
The registers which set the trusted or untrusted state of register banks may themselves be restricted to trusted clients—e.g. after being configured only a trusted client may change the settings for which register banks are trusted. In one example of operation, the register arbitration module 150 only permits trusted clients to access specific register banks which are allocated in functional groups. For example the registers which control the Ethernet interface may be made accessible to just the client which operates the TCP stack. This provides for a high degree of granularity when allocating specific R/W functions to specific virtual and/or actual clients.
While register status designations were described above as being implemented as sticky or persistent, other security mechanisms are possible. The status indicators for the register space can reside “in” the register space itself, and therefore be protected by the same Trusted/Untrusted mechanisms as other spaces. Hence, Trusted clients may change the access rights for Trusted and Untrusted clients dynamically if desired. Untrusted clients would (in general) be prevented from accessing the register that contains these status indicators. The register that contains these indicators may further be optionally “locked” by means of sticky register bit(s).
In an embodiment, the regions are defined by register setting (Low and High Watermark) which define the trusted and untrusted regions of memory. The restriction may be applied to any actual or virtual client with the SOC and is enforced by the memory arbitration module 155 (i.e. every memory read/write must be to a permitted region). In particular, Trusted Clients may R/W any region of the memory space 142. Untrusted Clients may only R/W to the untrusted region of memory space 142.
In one mode of operation, the Hi/Lo Watermark is set by registers of the register space 144 with a granularity of 1 megabyte. After the Hi/Lo watermarks are set, these designations can be protected by a sticky bit which disables any change to the Hi/Lo watermark until a reset of the chip, by storing the Hi/Lo addresses in secure register space or by other security mechanisms.. In this way the memory partitioning may be set on power up by a trusted software and never changed thereafter until the processing system 100 is reset or changes are can be made by only trusted clients.
While the foregoing discussion has referred to Hi/Lo watermarks, it should be noted that this terminology generally refers to the high and low bounds of particular memory blocks, or more generally to the limits or ranges of addresses in memory for one or more particular memory blocks, memory partitions or memory segments that can be delineated by these memory addresses. More generally, each memory block or other segment or memory partition can be designated by its own top and bottom address. Considering n+1 memory blocks (0, 1, . . . n), the addresses of the Hi and Lo bounds can be represented by:
For example, individual processes running within an operating system such as Linux and the operating system itself can be secured using the register arbitration module 150 and memory arbitration module 155. A hardware signal exported from one or more processors that execute Linux processes can indicate the trusted/untrusted status of each process. This signal will be used by the register arbitration module 150 and memory arbitration module 155 to restrict memory/register access and to perform sandboxing similar to the restrictions applied to actual memory/register clients on a per Linux process basis.
In an embodiment, trusted/untrusted designations assigned to each client and virtual client can be set for each separate register or register bank and for each separate memory block. In particular, client filter data 147 can include M bits of data that represent the designation of each client device for each register and R bits of data that represent the designation of each client device for each memory block.
The transmission path 122 can include a wireless path that operates in accordance with a wireless local area network protocol such as an 802.11 protocol, a WIMAX protocol, a Bluetooth protocol, etc. Further, the transmission path can include a wired path that operates in accordance with a wired protocol such as a USB protocol, high-definition multimedia interface (HDMI) protocol an Ethernet protocol or other protocol.
While video encoding system 200 is shown as a separate device, it can further be incorporated into device 11. While these particular devices are illustrated, video storage system 179 can include a hard drive, flash memory device, computer, DVD burner, or any other device that is capable of generating, storing, decoding and/or displaying a video signal in accordance with the methods and systems described in conjunction with the features and functions of the present disclosure as described herein.
It is noted that terminologies as may be used herein such as bit stream, stream, signal sequence, etc. (or their equivalents) have been used interchangeably to describe digital information whose content corresponds to any of a number of desired types (e.g., data, video, speech, audio, etc. any of which may generally be referred to as ‘data’).
As may also be used herein, the term(s) “configured to”, “operably coupled to”, “coupled to”, and/or “coupling” includes direct coupling between items and/or indirect coupling between items via an intervening item (e.g., an item includes, but is not limited to, a component, an element, a circuit, and/or a module) where, for an example of indirect coupling, the intervening item does not modify the information of a signal but may adjust its current level, voltage level, and/or power level. As may further be used herein, inferred coupling (i.e., where one element is coupled to another element by inference) includes direct and indirect coupling between two items in the same manner as “coupled to”. As may even further be used herein, the term “configured to”, “operable to”, “coupled to”, or “operably coupled to” indicates that an item includes one or more of power connections, input(s), output(s), etc., to perform, when activated, one or more its corresponding functions and may further include inferred coupling to one or more other items. As may still further be used herein, the term “associated with”, includes direct and/or indirect coupling of separate items and/or one item being embedded within another item.
As may also be used herein, the terms “processing module”, “processing circuit”, “processor”, and/or “processing unit” may be a single processing device or a plurality of processing devices. Such a processing device may be a microprocessor, micro-controller, digital signal processor, microcomputer, central processing unit, field programmable gate array, programmable logic device, state machine, logic circuitry, analog circuitry, digital circuitry, and/or any device that manipulates signals (analog and/or digital) based on hard coding of the circuitry and/or operational instructions. The processing module, module, processing circuit, and/or processing unit may be, or further include, memory and/or an integrated memory element, which may be a single memory device, a plurality of memory devices, and/or embedded circuitry of another processing module, module, processing circuit, and/or processing unit. Such a memory device may be a read-only memory, random access memory, volatile memory, non-volatile memory, static memory, dynamic memory, flash memory, cache memory, and/or any device that stores digital information. Note that if the processing module, module, processing circuit, and/or processing unit includes more than one processing device, the processing devices may be centrally located (e.g., directly coupled together via a wired and/or wireless bus structure) or may be distributedly located (e.g., cloud computing via indirect coupling via a local area network and/or a wide area network). Further note that if the processing module, module, processing circuit, and/or processing unit implements one or more of its functions via a state machine, analog circuitry, digital circuitry, and/or logic circuitry, the memory and/or memory element storing the corresponding operational instructions may be embedded within, or external to, the circuitry comprising the state machine, analog circuitry, digital circuitry, and/or logic circuitry. Still further note that, the memory element may store, and the processing module, module, processing circuit, and/or processing unit executes, hard coded and/or operational instructions corresponding to at least some of the steps and/or functions illustrated in one or more of the Figures. Such a memory device or memory element can be included in an article of manufacture.
One or more embodiments have been described above with the aid of method steps illustrating the performance of specified functions and relationships thereof. The boundaries and sequence of these functional building blocks and method steps have been arbitrarily defined herein for convenience of description. Alternate boundaries and sequences can be defined so long as the specified functions and relationships are appropriately performed. Any such alternate boundaries or sequences are thus within the scope and spirit of the claims. Further, the boundaries of these functional building blocks have been arbitrarily defined for convenience of description. Alternate boundaries could be defined as long as the certain significant functions are appropriately performed. Similarly, flow diagram blocks may also have been arbitrarily defined herein to illustrate certain significant functionality.
To the extent used, the flow diagram block boundaries and sequence could have been defined otherwise and still perform the certain significant functionality. Such alternate definitions of both functional building blocks and flow diagram blocks and sequences are thus within the scope and spirit of the claims. One of average skill in the art will also recognize that the functional building blocks, and other illustrative blocks, modules and components herein, can be implemented as illustrated or by discrete components, application specific integrated circuits, processors executing appropriate software and the like or any combination thereof.
In addition, a flow diagram may include a “start” and/or “continue” indication. The “start” and “continue” indications reflect that the steps presented can optionally be incorporated in or otherwise used in conjunction with other routines. In this context, “start” indicates the beginning of the first step presented and may be preceded by other activities not specifically shown. Further, the “continue” indication reflects that the steps presented may be performed multiple times and/or may be succeeded by other activities not specifically shown. Further, while a flow diagram indicates a particular ordering of steps, other orderings are likewise possible provided that the principles of causality are maintained.
The one or more embodiments are used herein to illustrate one or more aspects, one or more features, one or more concepts, and/or one or more examples. A physical embodiment of an apparatus, an article of manufacture, a machine, and/or of a process may include one or more of the aspects, features, concepts, examples, etc. described with reference to one or more of the embodiments discussed herein. Further, from figure to figure, the embodiments may incorporate the same or similarly named functions, steps, modules, etc. that may use the same or different reference numbers and, as such, the functions, steps, modules, etc. may be the same or similar functions, steps, modules, etc. or different ones.
Unless specifically stated to the contra, signals to, from, and/or between elements in a figure of any of the figures presented herein may be analog or digital, continuous time or discrete time, and single-ended or differential. For instance, if a signal path is shown as a single-ended path, it also represents a differential signal path. Similarly, if a signal path is shown as a differential path, it also represents a single-ended signal path. While one or more particular architectures are described herein, other architectures can likewise be implemented that use one or more data buses not expressly shown, direct connectivity between elements, and/or indirect coupling between other elements as recognized by one of average skill in the art.
The term “module” is used in the description of one or more of the embodiments. A module implements one or more functions via a device such as a processor or other processing device or other hardware that may include or operate in association with a memory that stores operational instructions. A module may operate independently and/or in conjunction with software and/or firmware. As also used herein, a module may contain one or more sub-modules, each of which may be one or more modules.
While particular combinations of various functions and features of the one or more embodiments have been expressly described herein, other combinations of these features and functions are likewise possible. The present disclosure is not limited by the particular examples disclosed herein and expressly incorporates these other combinations.
The present application claims priority under 35 U.S.C 119(e) to the provisionally filed application entitled, “MEMORY PROTECTION SYSTEM AND PROCESS”, having application Ser. No. 61/893,116, filed on Oct. 18, 2013, the contents of which are incorporated herein by reference for any and all purposes.
Number | Date | Country | |
---|---|---|---|
61893116 | Oct 2013 | US |