METHOD OF SECURE MEMORY ADDRESSING

Abstract

Problem

The problem to be solved is to seek an alternative to known addressing methods which provides the same or similar effects or is more secure.

Solution

The problem is solved by a method (40) of addressing memory in a data-processing apparatus (10) comprising, when a central processing unit (11), while performing a task (31, 32, 33, 34) of the apparatus (10), executes an instruction involving a pointer (57) into a segment (r, d, h, f, o, i, c) of the memory: decoding the instruction by means of an instruction decoder (12), generating an address (45) within the memory by means of a safe pointer operator (41) operating on the pointer (57), augmenting the address (45) by an identifier (43) of the task (31, 32, 33, 34) and an identifier (44) of the segment (r, d, h, f, o, i, c), said identifiers (43, 44) being hardware-controlled (42), and, based on the augmented address (45), dereferencing the pointer (57) via a memory management unit (13).

Claims

1. A method (40) of addressing memory in a data-processing apparatus (10) comprising: when a central processing unit (11), while performing a task (31, 32, 33, 34) of the apparatus (10), executes an instruction involving a pointer (57) to or a direct memory address located in a segment (r, d, h, f, o, i, c) of the memory or in unsegmented memory: decoding the instruction by means of an instruction decoder (12), generating an address (45) within the memory of said task by means of a safe pointer operator (41) operating on the pointer (57) or using a direct memory address (45), augmenting the address (45) by an identifier (43) of the task (31, 32, 33, 34) or an identifier (44) of the segment (r, d, h, f, o, i, c), or both identifiers (43, 44), said identifier or identifiers being hardware-controlled (42); and translating the augmented address (46) by a memory management unit (MMU) to a corresponding physical address.

2. The method (40) of claim 1 wherein the apparatus (10) maintains a working stack (r), and the central processing unit (11), when executing the instruction involving a pointer, extracts the pointer (57) from a pointer word (50) on said working stack (r), the pointer word (50) further comprising type information (56) to be processed by the hardware and/or an operating system (11, 12, 13) of the apparatus (10).

3. The method (40) of claim 2 comprising: upon dereferencing the pointer (57) for data load to the stack, loading onto the stack a binary data word (61) referenced by the pointer (57); and complementing the data word (61) with a type word (52), the type word (52) being copied from the pointer (57) and henceforth indicating to the hardware and/or operating system (11, 12, 13) the type of the data word (61).

4. The method (40) of claim 3 wherein the data word (61) is referenced by means of a handle (53) referring to a page within one of the segments (r, d, h, f, o, i, c) or within unsegmented memory and an index (54) referring, within the page, to a data record holding the data word (61).

5. The method (40) of claim 2 wherein a type word (52) comprising the tvyc information (56) indicates whether the data word (61) contains data by value or contains a pointer (57) referencing either data by value or a further pointer or contains a descriptor belonging to a pointer and whether that either contained or referencing data is of an elementary or composite type.

6. The method (40) of claim 5 wherein, if the type word (52) indicates that the type is an elementary data word, the type word (52) also indicates any or all of the following: a width of the data expressed in a unit of information such as bits, whether the data constitutes a vector of multiple data points preferably to be processed with a single instruction of the central processing unit (11), whether the data is of a standard ornullableinterval type, whether the data is of a numeric type, such as a floating-point or either unsigned or signed integer number, or is user-defined or otherwise special, such as a character, index of a pointer, function pointer, semaphore or inter-task communication channel, whether the data has been loaded into the stack from a buffer or cache memory or such a load is pending, whether the data has been added to or changed on the stack since last its last load from buffer or cache memory.

7. The method (40) of claim 5 wherein, if the type word (52) indicates that the data word (61) contains the further pointer (57), the pointer word (50) further comprises information for safeguarding memory accesses from hazards such as dangling pointers or for organizing inter-task channel communications.

8. The method (40) of claim 5 wherein, if the type word (52) further indicates that the type is a descriptor belonging to a pointer, the data word (61) contains a descriptor (55) which describes any or all of the following: the pointer arithmetic in terms of being either linear (array pointer) or cyclic (ring buffer pointer), a stride, preferably expressed as a multiple of the increment, a base address and a size of the range allowed for access by the pointer (57).

9. A data-processing apparatus (10) having: memory, a central processing unit (11), an instruction decoder (12), a low-level operating system (LLOS) layer comprising at least task, process, and memory management facilities and implemented in software, in hardware, or in a mixture of both (13), and means adapted to execute the steps of the method (40) of claim 1.

10. The data-processing apparatus (10) of claim 9 wherein the instruction decoder (12) and the LLOS layer (13) are arranged such that the instruction decoder (12) entirely isolates the LLOS layer (13) from any direct software access.

11. The data-processing apparatus (10) of claim 10 wherein the software comprises: multiple layers (14); and an application (15) based upon the layers (14).

12. A computer readable medium having instructions stored thereon, wherein when executed by a processor, the instructions execute the steps of the method (40) of claim 1.

13. (canceled)

14. A computer-implemented data structure (30) for use in the method (40) of claim 1, the structure (30) having a virtually at least two-dimensional grid layout of columns and rows of memory pages, the grid being arranged such that the memory pages are manageable, particularly isolable, by the memory management unit (13), each among the columns being uniquely associated with one among several tasks (31, 32, 33, 34) of the apparatus (10) and each among the rows being uniquely associated with one among several segments (r, d, h, f, o, I, c) of the memory such as a preferably hardware-controlled return stack (s), working stack (r), data stack (d), heap (h), file (f), channel output (o), channel input (i), or code (c) segment.

15. The data structure (30) of claim 14 wherein, for each task (31, 32, 33, 34) among the tasks (31, 32, 33, 34), the column associated with that task (31, 32, 33, 34) comprises multiple levels, each being associated with an execution thread of the respective task (31, 32, 33, 34).

Description

BRIEF DESCRIPTION OF DRAWINGS

[0011] FIG. 1 shows a data-processing apparatus in accordance with the prior art.

[0012] FIG. 2 shows a data-processing apparatus as per the invention.

[0013] FIG. 3 shows a data structure used in the apparatus.

[0014] FIG. 4 shows a method of addressing memory in the apparatus.

[0015] FIG. 5 shows pointer and descriptor words used in the method.

[0016] FIG. 6 shows a data word used in the method.

[0017] FIG. 7 shows a type word used in the method.

DESCRIPTION OF EMBODIMENTS

[0018] Referring to FIG. 2, the invention mitigates the impact of a cyber-attack (17) by introduction of what may be considered a cybersecure ISA. By virtually swapping, in terms of their levels within the technology stack, the instruction decoder (12) for the task, process, and memory management layer, this layer (13) and the instruction decoder (12) are arranged such that the latter isolates the former from direct access by potentially malicious software, all while leaving the higher parts of the technology stack intact. In a preferred embodiment, recognizing the indispensability of task separation for the design of a fully secure apparatus (10), the scheduler is even at least partly implemented in hardware and said partbeing in charge of all process switching activities of the schedulerdirectly wired to the memory management unit (MMU).

[0019] Where the data-processing apparatus (10) takes the form of a concurrent system, this approach allows for a virtual memory layout (30) as exemplified in FIG. 3. The structure (30) shown is laid out in a two-dimensional grid of at least four columns of virtual memory pages, each column being uniquely associated with one among the tasks (31, 32, 33, 34). In an alternative embodiment that extends upon this concept, any column associated with a multi-threaded task would split into multiple columns, each being associated with an execution thread of the respective task (31, 32, 33, 34) and effectively rendering the grid three-dimensional. When hereinafter reference is made to a task (31, 32, 33, 34), such a task may be understood to comprise any number of threads, the generalizations necessary for multi-threaded task processing being regarded as obvious and part of the scope of the invention.

[0020] Vertically, the grid of the present example comprises eight rows, each row being uniquely associated with a memory segment. For any among the tasks (31, 32, 33, 34), one such segment remains hidden to and inaccessible for the software itself, and contains a stack (s) exclusively dedicated to subroutine return addresses and controlled by hardware. Especially in a stack machine, that task (31, 32, 33, 34) may also entail a working stack (r) that stores subroutine contexts, call, return, and local variables, and intermediate computational results. An ancillary data stack (d) is optional. Finally, the task (31, 32, 33, 34) could possess any number of heap (h), file (f), write-only channel output (o), or read-only channel input (i) segments as needed.

[0021] A mandatory code (c) segment, hidden to and inaccessible for the software itself, serves as read-only input to the instruction decoder (12), otherwise being protected from reading and writing. This feature may be considered an implementation of the Harvard computer architecture as it imposes distinct code and data address spaces, rendering the memory layout (30) invulnerable to code injection.

[0022] Attention is now directed to FIG. 4, which highlights the address resolution per the proposed ISA. When the central processing unit (11), while performing one of the tasks (31, 32, 33, 34), executes an instruction involving a pointer into one of the memory segments (r, d, h, f, o, i, c), it decodes the instruction by means of the instruction decoder (12), as would in and of itself be expected in a conventional system. Characteristically of this embodiment however, the instruction decoder (12) now generates an address within virtual memory by means of a safe pointer, dereference, or indirection operator (41) that is preferably implemented in hardware. The ISA defines a pointer instruction subset specifically dedicated to this purpose.

[0023] Once generated, the virtual address (45) is augmented, such as through concatenation, by an identifier (43) of the task (31, 32, 33, 34) and an identifier (44) of the memory segment (r, d, h, f, o, i, c), both identifiers being essentially hardware-controlled (42), identifier (43) by the scheduler, and identifier (44) by the safe pointer operator (41). Based on this augmented virtual address (46), the pointer may finally be dereferenced via the memory management unit (MMU) and its data accessed safely and securely. By design, each task (31, 32, 33, 34) thus benefits from its own data privacy sphere as well as full memory access integrity and control flow integrity and hence resides in what in the art is known as a trust zone that is maintained by a per-task virtual processing scheme (as opposed to known coarserand more vulnerabletwo-virtual-processor schemes).

[0024] In a preferred embodiment explained regarding FIG. 5, the apparatus (10) takes the form of a stack machine, wherein pointers are always kept on a protected working stack (r) and never in unprotected memory or file (d, h, f, o, i). In this scenario, the central processing unit (11), when executing the instruction, extracts the pointer (57) from a typed pointer word (50) on the working stack (r), the typed pointer word (50) comprising information (56) regarding the pointer typeto be evaluated by the safe pointer operator (41)and protection statusto be checked by the instruction decoder (12)and further information necessary for the low-level operating system layer (13) e.g. to safeguard memory accesses from hazards like dangling pointers or to organize inter-task channel communications. The pointer (57) in turn comprises a second type word (52) indicating the type of the data it references (either data by value or a further pointer) as well as a handle (53) referring to a virtual page within the destination segment (r, d, h, f, o, i, c) and an index (54) referring, within said page, to the memory location of that data record which holds the binary data word referenced by the pointer (57). Of these components, only the index (54) information can be loaded into or retrieved from the pointer (57) by software. This capability proves useful for structures that contain pointer values, as may be used in C or similar programming languages.

[0025] The eminent benefit of the type word (52) is best gathered from FIG. 6 where that word is employed to assemble what could be called a typed data word (60): Upon dereferencing the pointer (57) by loading the raw, that is type-less, data word (61)via the memory management unitfrom RAM or any other memory location onto the stack, the result is complemented with the type word (52), which can simply be copied from the pointer (57) that referenced it. The binary data loaded to the stack is now complete with information on how to handle and interpret it. Hence, metaphorically speaking, the pointer (57) knows the data type it references.

[0026] Since type information is henceforth contained in data space (r) as opposed to code space (c), CPU execution may be guided by type, reducing the required instruction set to a minimum. The resulting ability to use universal standard code for alleven vector or otherwise specialdata types confers extreme flexibility to the data processing apparatus (10). In programming languages and type theory, such provision of a single interface to entities of different types is known as polymorphism.

[0027] FIG. 7 demonstrates how even a compact 12-bit type word (52) may convey an abundance of type information. For instance, in the draft depicted, bits 10 and 11 of the type word (52) indicate whether the ensuing data word (61) contains binary data by value or a pointer (57) to either data or some other pointer. This type information is respected by all instructions of the data processing apparatus (10) which in a preferred embodiment are designed to either target data words (data instructions) or pointer words (pointer instructions) or on none of both and which, when applied to the wrong type of word, raise an exception. By this device, numerical data held on the stack (r) is protected from being mistaken as a pointer and pointers are protected from being overwritten or tampered with by operations not specifically designed for this purpose within the instruction set architecture (ISA), the operating system task (OS) being an exception of this generic safety-of-operation rule. Where that pointer (57) represents a range of addresses within memory rather than a fixed address, bits 10 and 11 would also designate whether the pointer (57) have read/write or read only or write only permissions, the latter two options offering hardware support for e.g. ring buffers for inter-task channel communication via hardware-coupledand hence functionally safewrite and read pointer pairs. A subsequent descriptor word (58) on the stack may arithmetically describe the address range itself in terms of certain structural propertiese.g., linear as in an array or cyclic as in a ring buffer, specify an incremental stride to be used when advancing the pointer (57) throughout the range, the size of the range, or its base address (55). Herein, stride and size should preferably be expressed as multiples of the width of the respective data, that is, the size of the record holding them. Note that these parameters, when considered in their entirety, implicitly define the boundaries of the represented address range. Based on this knowledge, the hardware may practically guarantee functional safety of all pointer accesses including protection from unauthorized reading or overwriting. In the context of abstract data types, the outlined concept would commonly be referred to as a smart pointer.

[0028] In the draft at hand, bit 9 of the type word (52) marks thecontained or referencingdata as being either of an elementary or composite, further structured type. In the former case, the type word (52) may also provide guidance on aspects like the following: [0029] the width of the data expressed in a unit of raw information such as bits (bits 6, 7, 8), [0030] whether the data constitutes a vector unit or sub-unit of multiple data points (bit 5) preferably to be processed with a parallel single SIMD instruction of the central processing unit (11), [0031] whether the data type is standard or apreferably nullableinterval type (bit 4), [0032] whether the data is a floating-point or an unsigned or signed integer number or otherwise specialsuch as a character, index of a pointer, function pointer, semaphore or inter-task communication channel(bits 2, 3), [0033] whether the data has been loaded from a buffer or cache memory into the stackand hence is validor such load is pending (lazy loading bit 1), and [0034] whether the data has been newly added to or changed on the stack since last loaded from buffer or cache memoryand hence is out-of-sync with said buffer or cache memory (dirty bit 0).

INDUSTRIAL APPLICABILITY

[0035] The invention may be applied, inter alia, throughout the semiconductor industry.