NL2028534B1 - Processor for secure data processing - Google Patents


Info

Publication number
NL2028534B1
Authority
NL
Netherlands
Prior art keywords
data unit
processor
tag
data
label
Application number
NL2028534A
Other languages
Dutch (nl)
Inventor
Woutersen Sijmen
Hofman Jonathan
Van Rijnsoever Xavier
Original Assignee
Technolution B V


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine

Abstract

A processor for secure data processing, wherein the processor is configured for loading, from one or more memories operably connectable to the processor, at least one data unit of a plurality of data units and at least one data unit label associated with said at least one data unit, each data unit label being settable according to a plurality of settable data unit labels; retrieving a processing reference label among processing reference labels, each processing reference label being settable corresponding to the plurality of settable data unit labels; comparing each of the at least one data unit label to the processing reference label; and, on the basis of said comparison, exclusively executing a processor operation with the at least one data unit when the at least one associated respective data unit label corresponds to the processing reference label. Figure 1

Description

Processor for secure data processing

Field of Invention

The field of the invention relates to a processor for secure data processing, a processor system and a method. Particular embodiments relate to secure data processing between domains comprising at least a first domain and a second domain.
Background

Protecting crucial infrastructure and data from the increasing threat of digital destructive forces and from the unwanted actions of unauthorized users is becoming more and more problematic. Both software-based and hardware-based security mechanisms are available for protecting data. Software-based security solutions encrypt the data to protect it from theft. However, a malicious program or a hacker could corrupt the data in order to make it unrecoverable, thus making the data unusable. Hardware-based security mechanisms prevent read and write access to data, hence offering very strong protection against tampering and unauthorized access. Process isolation is a combination of such hardware and software mechanisms and is designed to protect each process from other processes on an operating system. It does so by preventing a first process from writing to a second process. Process isolation is typically implemented with a virtual address space, where the first process's address space is different from the second process's address space.
Security is enforced by disallowing inter-process memory access, in contrast with less secure architectures such as DOS in which any process can write to any memory during any other process. Process isolation is highly dependent on software that controls the isolation hardware at runtime. Process isolation is also situated at a high level. Process isolation is susceptible to code injection, return oriented programming, data oriented programming and compiler failures which all pose substantial risk to data security.
Summary

The object of embodiments of the present invention is to improve security for processing of data at a low level.
According to a first aspect of the present invention there is provided a processor for secure data processing, wherein the processor is configured for loading, from one or more memories operably connectable to the processor, at least one data unit of a plurality of data units and at least one data unit label associated with said at least one data unit, wherein each data unit label is settable according to a plurality of settable data unit labels. The processor is further configured for retrieving a processing reference label among processing reference labels, each processing reference label being settable corresponding to the plurality of settable data unit labels, and for comparing each of the at least one data unit label to the processing reference label. The processor is configured to exclusively execute, on the basis of said comparison, a processor operation with the at least one data unit when the at least one associated respective data unit label corresponds to the processing reference label.
By comparing each data unit label to a processing reference label, and only executing the processor operation on a positive comparison, finely grained secure processing of data is achieved. More in particular, data is preferably isolated at the level of a processor word. In other words, the data unit may be a word. In general, the data unit may be a fixed-sized piece of data handled as a unit by the processor, for example by the instruction set and/or the hardware of the processor. The comparison at processor word level, e.g. comparing binary bits, is relatively simple and fast. In this way a simple, yet effective check of the data unit label before execution is obtained. The processor provides isolation of information (data) with a different security access or usage level, e.g. within a secure computer system, on a fine grained (e.g. processor word based) scale. The different security or usage levels may be seen as different security domains in which the data resides. Beneficially, information (data) does not cross the isolation (i.e. security domain) boundary in either direction unless explicitly intended. In addition, such an execution prevents malicious code from causing unintentional data leakages. Also, a specific dependency on software which would isolate an entire process at runtime is avoided.
Although the invention could, in principle, be implemented at least partially on a software basis, it is preferred that, for processors according to the invention, "configured to" indicates that the electronic circuitry of the processor is configured to perform the various steps/functionalities, such as the loading, retrieving, comparing and exclusively executing. In other words, the indicated effects are hardware enforced, adding increased security.
In a preferred embodiment, the processor comprises one of the one or more memories comprising a plurality of data memory locations for storing the at least one data unit, and wherein each of the plurality of data memory locations has an associated respective label memory location for storing the associated respective data unit label. The data memory locations and the label memory locations are, in other words, internal processor memory. Such an embodiment allows the operating efficiency of the processor to be increased. This advantage is based on the insight that memories external to the processor are typically slower. Also, external memory is located relatively far away, which increases the time it takes for electrical signals to travel back and forth between the external memory and the processor. Data units may, in such a case, take several processor cycles to arrive from the external memory. Having internal processor memory allows operations on the data units and data unit labels to be performed more quickly.
Preferably, the label memory locations are inaccessible to a processing unit (e.g. an arithmetic logic unit, ALU) of the processor, but only accessible to the label control unit described further below. More preferred is that the label memory locations alternatively or additionally reside on a physically separated memory module. These options reduce the attack surface for hardware attacks like ‘row hammer’ significantly.
Preferably, the processor is configured to inhibit write access from program logic to the label memory locations at runtime. Most preferred is that the processor is configured to allow write access from program logic to the label memory locations only during an initialisation (or boot) phase or mode.
In a preferred embodiment, the loading comprises reading the at least one data unit and the associated respective data unit label from the one or more memories operably connected to the processor. The loading further comprises storing the read at least one data unit and the associated respective data unit label in at least one of the plurality of data memory locations and in at least one of the label memory locations, respectively. Put differently, loading propagates the data units and the associated data unit labels from one memory to another memory. This ensures data integrity.
In a preferred embodiment, the executing further comprises exclusively executing an instruction defined in the at least one data unit, stored in at least one of the plurality of memory locations, when the associated respective data unit label corresponds to the processing reference label. Preferably, when the instruction defined by the at least one data unit describes a processor operation requiring a plurality of data units, the instruction is exclusively executed when each of the associated and respective data unit labels corresponds to the processing reference label. In this way, only instructions that use the data units are subject to the comparison of the data unit label to the processing reference label. Because only the operation on the data units is enforced, a typical instruction pipeline, such as fetching or decoding, is substantially not inhibited by the comparison. This increases the performance of the processor and allows the complexity of the processor data and control paths to be reduced while maintaining secure processing of data. Additionally, because each data unit label is compared to the processing reference label and must correspond therewith, security of the data processing is further improved.
In a preferred embodiment, the executing further comprises storing a result of the executed processor operation as at least one data unit and at least one associated respective data unit label in the one or more data memory locations and the associated label memory locations, respectively. In this way the data unit labels are further propagated, even after performing an operation such as a bitwise operation. This further ensures data integrity.
In a preferred embodiment, the at least one respective data unit label associated with the at least one data unit storing the result of the executed processor operation is set to the retrieved processing reference label. In this way, it is ensured that the data is written to the correct domain, even further ensuring that data is processed in the selected label, e.g. data of a selected domain.
In view of the above, the label propagates from the one or more memories through the processor and back to the one or more memories. In this way, the labels can be maintained in the processor in its memory (register file) and pipeline.
The processor is preferably configured such that the label of a register in the processor register file changes on a register load (e.g. register read from memory) to be the same as its originating memory and, on a register store (i.e. register write to memory), the label of a memory location changes to be the same label as the register the write originates from. Effectively, this means that the label (and, optionally also the sublabels and flags described below) travel with the data and the two cannot be separated.
In a preferred embodiment, the processor is further configured to load the stored at least one data unit and the at least one associated respective data unit label to one or more memories operably connectable to the processor. By loading the data unit and associated respective data unit label to a memory operably connectable to the processor, i.e. an external memory, the processor can securely process data and provide said securely processed data to instruments, machines or applications interfacing with the processor.
In a preferred embodiment the processor comprises a label control unit configured for storing the processing reference label. The label control unit allows to further isolate the processor reference label from potential outside attacks.
In a preferred embodiment the processor is further configured for secure data processing between domains comprising at least a first domain and a second domain, wherein the plurality of settable data unit labels comprise a first data unit label associated with the first domain and a second data unit label associated with the second domain. The processor is further configured to receive the at least one data unit from one of the domains; and store the received at least one data unit and at least one associated respective data unit label on the one or more memories, wherein the at least one associated respective data unit label is associated with the domain from which the at least one data unit is received, wherein the processing reference label is set to a processing reference label corresponding to the data unit label associated with a domain of which data is to be processed, wherein preferably the processor operation comprises an instruction for cross domain data transfer with the at least one data unit.
By associating the first and second domain with a respective first and second data unit label a secure domain isolation can be achieved. Based on the above, it will be apparent that each data unit is associated with a data unit label. In the context of data processing between domains, a data unit from a first domain is associated with a data unit label corresponding to the first data unit label of the first domain. For example, the first domain can be a first administrative building having a respective internal network. When data is transferred from the first domain, i.e. from the first administrative building, to a second domain, which can, for example, be a second administrative building having a respective internal network, said data will only be transferred to the second domain when the corresponding instruction for cross domain data transfer corresponds to the reference label of the second domain. In other words, data units can only be transferred from the first domain to the second domain if the data unit label associated with the data unit corresponds to data unit label of the second domain. If the first and second data unit label is the same, the corresponding data unit will be securely transferred.
In a preferred embodiment, the reference labels comprise a first reference sublabel and a second reference sublabel which are mutually associated for each processing reference label. In other words, the processing reference label is further settable to a first reference sublabel and a second reference sublabel which are mutually associated for each of the plurality of settable data unit labels. The processor is preferably configured to only allow a conversion of a data unit label different from the current processing label when the processing reference label comprises the first reference sublabel. The second reference sublabel may indicate a normal mode wherein the processor operation is exclusively executed only with data units having respective associated data unit labels that correspond to the retrieved processing reference label. Preferably, the processor is configured to update the processing reference label to the first reference sublabel associated with the retrieved processing reference label. The processor is preferably further configured to exclusively convert, when the processing reference label comprises the first reference sublabel, the data unit label associated with the stored at least one data unit to another data unit label corresponding to the retrieved processing reference label and to subsequently update the processing reference label from the first reference sublabel to the second reference sublabel.
Note that the first reference sublabel and the second reference sublabel are mutually associated. The first and second reference sublabels indicate a control flow and are correlated to the processing reference label. The first and second reference sublabel are subsidiary to the processing reference label. When the processing reference label comprises the first reference sublabel, the processor exclusively converts data unit labels. Note that other instructions are excluded from being performed when the processing reference label comprises the first reference sublabel. In other words, the processor runs in a first operating mode in which it is limited to exclusively converting data unit labels to the second reference sublabel mutually associated with the current processing reference label.
In a preferred embodiment the reference labels further comprise a third reference sublabel mutually associated with the first and second reference sublabel for each reference label, wherein the processor is further configured for updating the processing reference label to the third processing reference sublabel. Additionally the exclusively converting comprises exclusively storing, when the processing reference label comprises the third reference sublabel, the result of the executed processing operation as at least one data unit with at least one associated data unit label corresponding to a reference label associated with the intended domain of the cross domain data transfer independent of the current processing reference label. Moreover, the exclusively converting comprises exclusively converting, when the processing reference label comprises the first reference sublabel, the data unit label associated with the fetched at least one data unit to the current processing reference label. This further ensures that the control flow of the processor during cross domain data transfer is maintained. In other words, in a preferred embodiment, the processing reference label may be further settable to a third reference sublabel mutually associated with the first and second reference sublabel for each of the plurality of settable data unit labels, wherein the processor is further configured to update the processing reference label to the third processing reference sublabel; and to exclusively store, when the processing reference label comprises the third reference sublabel, the at least one respective data unit label associated with the result of the executed processing operation as a reference label associated with an intended domain of the cross domain data transfer independent of the current processing reference label.
Preferably, the processor is configured to only update the processing reference label to the third processing reference sublabel from the second processing reference sublabel. In this way, the control flow from the first, to the second, and then to the third processing reference sublabel is ensured.
In a preferred embodiment, the domains comprise a third domain, wherein the plurality of settable data unit labels comprise a third data unit label associated with the third domain.
In a preferred embodiment, the processor is further configured to perform the operation for cross domain data transfer in a data transfer domain associated with a respective reference label. In this way, the data flow is always through a further domain, and not directly from the first to the second domain, further securing the data processing and domain separation.
In a preferred embodiment, the processor is further configured to perform the exclusively converting only when the processing reference label corresponds to the third domain. In this way, the data flow is always through a further domain, and not directly from the first to the second domain, further securing the data processing and domain separation. Beneficially, if the first domain concerns unencrypted data and the second domain encrypted data, the third domain is used to execute an encrypt function in. Then all intermediate results of the encrypt function are accessible by neither the first nor the second domain. This encrypt function needs data from the first domain and needs to store the final result in the second domain. The use of the first, second and third reference sublabels ensures the flow of data firstly from the first to the third domain (conversion of read data units to the third domain when the processing reference label comprises the first reference sublabel associated with the third domain), and then from the third to the second domain (conversion of data unit labels of data units to be written to the second domain only when the processing reference label comprises the third reference sublabel associated with the third domain). A similar data flow would then occur when data needs to go from the second to the first domain, while then a decrypt function would be used in the third domain.
An encryption key for encryption and unencryption is optionally stored as one or more data units having a separate data unit label, e.g. a distinct domain. The processor is preferably configured such that only the encrypt and unencrypt functions have access to data having this separate data unit label for the encryption key.
In a preferred embodiment, the processor is further configured to perform the exclusively storing only when the processing reference label corresponds to the third domain. In this way, the data flow, including the writing of the processing operation result, is always through a further domain, and not directly from the first to the second domain, further securing the data processing and domain separation.
In a preferred embodiment, the processor is further configured to subsequently update the processor reference label to the reference label associated with the data transfer domain.
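The following word-level simulation is an added example and not the patent's own implementation. It models the mechanism described in the summary above: every data unit carries a label, the label travels with the data on register loads and stores, ALU operations execute only when every operand's label corresponds to the processing reference label, and the first, second and third reference sublabels gate the flow of data from a first domain through the data transfer domain into a second domain. The label values, the register count, the 32-bit word size and the toy "encrypt" function are constructed assumptions.

```python
# Word-level simulation of label checking and propagation. Constructed example,
# not the patent's implementation; labels, register count and word size are assumptions.
from dataclasses import dataclass
from enum import Enum

DOMAIN_A, DOMAIN_B, TRANSFER, KEY = 1, 2, 3, 4   # constructed data unit labels
MASK = 0xFFFF_FFFF                               # assumed 32-bit processor word


class Sublabel(Enum):
    CONVERT_IN = 1   # first sublabel: loaded words are relabelled to the reference label
    NORMAL = 2       # second sublabel: every operand label must equal the reference label
    CONVERT_OUT = 3  # third sublabel: the stored result is labelled for the target domain


class LabelViolation(Exception):
    pass  # raised where the hardware would refuse the operation


@dataclass
class Word:
    value: int
    label: int  # travels with the value; the two are never separated


class LabelControlUnit:
    def __init__(self, reference):
        self.reference, self.sublabel = reference, Sublabel.NORMAL

    def enter_domain(self, reference):
        # Entering the data transfer domain starts in the first sublabel; any other
        # domain only ever runs in normal mode.
        self.reference = reference
        self.sublabel = Sublabel.CONVERT_IN if reference == TRANSFER else Sublabel.NORMAL

    def advance(self):
        # Conversions only in the transfer domain, and only first -> second -> third.
        nxt = {Sublabel.CONVERT_IN: Sublabel.NORMAL, Sublabel.NORMAL: Sublabel.CONVERT_OUT}
        if self.reference != TRANSFER or self.sublabel not in nxt:
            raise LabelViolation("sublabel transition refused")
        self.sublabel = nxt[self.sublabel]


class Processor:
    def __init__(self, memory, reference):
        self.mem = memory  # each entry models a data memory location plus its label location
        self.regs = [Word(0, reference) for _ in range(8)]
        self.lcu = LabelControlUnit(reference)

    def load(self, rd, addr):
        w = self.mem[addr]
        # First sublabel converts the fetched word; otherwise the register inherits the memory label.
        label = self.lcu.reference if self.lcu.sublabel is Sublabel.CONVERT_IN else w.label
        self.regs[rd] = Word(w.value, label)

    def alu(self, rd, rs1, rs2, op):
        if self.lcu.sublabel is not Sublabel.NORMAL:
            raise LabelViolation("ALU operations only execute in the normal sublabel")
        for r in (rs1, rs2):  # each operand label must correspond to the reference label
            if self.regs[r].label != self.lcu.reference:
                raise LabelViolation(f"r{r} carries label {self.regs[r].label}")
        self.regs[rd] = Word(op(self.regs[rs1].value, self.regs[rs2].value) & MASK, self.lcu.reference)

    def store(self, rs, addr, target=None):
        w = self.regs[rs]
        if self.lcu.sublabel is Sublabel.CONVERT_OUT:
            self.mem[addr] = Word(w.value, target)  # third sublabel: label of the intended domain
            return
        if w.label != self.lcu.reference:
            raise LabelViolation(f"r{rs} carries label {w.label}")
        self.mem[addr] = Word(w.value, w.label)  # memory location takes the register's label


def build_memory():
    """Constructed sample memory image."""
    mem = [Word(0, DOMAIN_A) for _ in range(16)]
    mem[0] = Word(0xDEADBEEF, DOMAIN_A)  # plaintext owned by domain A
    mem[4] = Word(0x0F0F0F0F, KEY)       # key kept under its own label
    mem[8] = Word(0, DOMAIN_B)           # destination owned by domain B
    return mem


def encrypt_across_domains(mem, src, key, dst):
    """A -> transfer domain -> B; no intermediate result carries A's or B's label."""
    cpu = Processor(mem, DOMAIN_A)
    cpu.lcu.enter_domain(TRANSFER)        # first sublabel
    cpu.load(1, src)                      # A-labelled word converted to TRANSFER
    cpu.load(2, key)                      # KEY-labelled word converted to TRANSFER
    cpu.lcu.advance()                     # second sublabel: normal processing
    cpu.alu(3, 1, 2, lambda a, b: a ^ b)  # toy "encrypt"; r3 is TRANSFER-labelled
    cpu.lcu.advance()                     # third sublabel
    cpu.store(3, dst, target=DOMAIN_B)    # result written with domain B's label
    return cpu.mem[dst]


def foreign_operand_is_refused(mem, addr):
    """Running as domain A, a B-labelled word can be loaded but not operated on."""
    cpu = Processor(mem, DOMAIN_A)
    cpu.load(1, addr)  # r1 now carries DOMAIN_B because the label followed the data
    try:
        cpu.alu(2, 1, 1, lambda a, b: a + b)
    except LabelViolation:
        return True
    return False
```

`encrypt_across_domains(build_memory(), 0, 4, 8)` returns the destination word labelled `DOMAIN_B`, while the source and key words keep their own labels; `foreign_operand_is_refused(build_memory(), 8)` shows that, outside the transfer domain, a load merely propagates the foreign label into the register and the first ALU use of that register is refused.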
In a preferred embodiment, the processor is further configured to exclusively set, in an initialization mode, a code indicator, such as a code bit, associated with a selected memory address of an associated selected memory location to indicate that the data contained by the selected unit of memory is code for execution in a runtime mode; and set, in the runtime mode, when the at least one data unit is loaded to a memory location identified by a memory address, the code indicator associated with said memory address to indicate that the data unit contained by the memory location is not code. In this way, the security is further improved, as code injection becomes at least more difficult, if not impossible, so that malicious data to be processed, e.g. from one of the domains that is untrusted, can not be executed but only processed as data. If a memory location having code/instructions to be executed by the processor is overwritten, then preferably the processor enters a mode wherein data processing is halted until a reset is performed. Alternatively, the processor may force a reset such that the original code stored as firmware is reloaded.
In a preferred embodiment, the processor is further configured to exclusively set, in an initialization mode, a callable indicator, such as a callable bit, associated with a selected memory address of an associated selected memory location to indicate that the data contained by the selected unit of memory indicates a callable memory address to be used in a runtime mode; and set, in the runtime mode, when the at least one data unit is loaded to a memory location identified by a memory address, a callable indicator associated with said memory address to indicate that the data unit contained by the associated memory location does not indicate a callable memory address. Also this embodiment improves the security of the device, since only predefined (selected) memory locations store callable data. If the data of that memory location is overwritten at runtime, the callable indicator is set to indicate that the data is not callable, and the processor is unable to call to that data.
In a preferred embodiment, in the initialization mode, the callable indicator is exclusively set for memory locations having a memory address referring to a compile time known constant or to a return address generated by a jump-and-link instruction.
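As an added example, not part of the patent, the three preceding embodiments (code indicator, callable indicator, and the halt on an overwritten code location) can be simulated with a memory whose locations carry the two indicators. Indicators are settable only while the initialization mode lasts; every runtime store clears them, so whatever is written at runtime is treated as plain data, a fetch from such a location is refused, and an indirect call through an overwritten pointer location is refused. The memory layout, the instruction words and the "halt until reset" reaction are constructed assumptions.

```python
# Simulation of the code and callable indicators. Constructed example, not the
# patent's implementation; layout, instruction words and the halt reaction are assumptions.
from dataclasses import dataclass


class IntegrityFault(Exception):
    pass


@dataclass
class MemLoc:
    value: int
    code: bool = False       # code indicator: settable only in the initialization mode
    callable_: bool = False  # callable indicator: settable only in the initialization mode


class IndicatorMemory:
    def __init__(self, words):
        self.mem = [MemLoc(v) for v in words]
        self.init_mode = True  # boot phase: indicators may be set
        self.halted = False

    def mark_code(self, addr):
        if not self.init_mode:
            raise IntegrityFault("code indicator is only settable during initialization")
        self.mem[addr].code = True

    def mark_callable(self, addr):
        if not self.init_mode:
            raise IntegrityFault("callable indicator is only settable during initialization")
        self.mem[addr].callable_ = True

    def leave_init(self):
        self.init_mode = False  # runtime mode from here on

    def store(self, addr, value):
        # A runtime store always clears both indicators: whatever was written is data.
        loc = self.mem[addr]
        if not self.init_mode and loc.code:
            self.halted = True  # a code location was overwritten: halt until reset (assumption)
        loc.value, loc.code, loc.callable_ = value, False, False

    def fetch(self, pc):
        # Only words marked as code during initialization may be executed.
        if self.halted or not self.mem[pc].code:
            raise IntegrityFault(f"word at {pc} is not executable code")
        return self.mem[pc].value

    def call_through(self, addr):
        # Indirect call: the target address must come from a location marked callable.
        loc = self.mem[addr]
        if self.halted or not loc.callable_:
            raise IntegrityFault(f"word at {addr} is not a callable address")
        return self.fetch(loc.value)


def build_image():
    """Constructed image: three instruction words, a function pointer, a data buffer."""
    img = IndicatorMemory([0x11, 0x22, 0x33, 0, 0, 0, 0, 0])
    for a in (0, 1, 2):
        img.mark_code(a)
    img.store(6, 2)  # initialization: location 6 holds a compile-time known address (code at 2)
    img.mark_callable(6)
    img.leave_init()
    return img


def injected_code_is_refused():
    """Data written at runtime is never executed, whatever it looks like."""
    img = build_image()
    img.store(4, 0x44)  # untrusted input lands in the data buffer
    try:
        img.fetch(4)
    except IntegrityFault:
        return True
    return False


def overwritten_pointer_is_refused():
    """Overwriting the function pointer at runtime clears its callable indicator."""
    img = build_image()
    reached = img.call_through(6)  # intact pointer: reaches the code word at 2
    img.store(6, 4)                # runtime overwrite, now pointing at the data buffer
    try:
        img.call_through(6)
    except IntegrityFault:
        return reached == 0x33
    return False


def code_overwrite_halts():
    """Writing over a code word halts the processor until reset."""
    img = build_image()
    img.store(1, 0x99)
    return img.halted
```

Note that `store` clears the indicators unconditionally, so the code indicator of an overwritten code word is cleared even though the processor halts; after a reset the firmware image and its indicators would be re-established in a new initialization phase.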
According to a further aspect, there is provided a processor system comprising a processor according to any one of the embodiments described above and/or below, the processor system comprising a plurality of controllers configured to access at least a part of the one or more memories, wherein the processing system is configured such that each of the plurality of controllers is associated with a selected single data unit label of the plurality of settable data unit labels and is allowed access only to data units of the plurality of data units having an associated data unit label that is the same as the selected single data unit label. According to an embodiment, the plurality of controllers comprise at least one of a direct memory access, DMA, controller and a network interface controller. Preferably, the processor is configured to have a load-store architecture, such as a reduced instruction set computer (RISC) architecture, e.g. a RISC-V architecture. In this way, processor operations are divided into operations for memory access (load and store between memory and registers), and ALU operations, which only occur between registers. Beneficially, this provides an especially effective way of propagating the data unit labels from the memory to the registers and vice versa, while the ALU operations are performed only for data units having the associated data unit labels corresponding to the current processing reference label.
According to a further aspect, there is provided a method in a processor for secure data processing, wherein the processor is configured to be operably connectable to one or more memories, the method comprising loading, from the one or more memories operably connectable to the processor, at least one data unit of a plurality of data units and at least one data unit label associated with said at least one data unit, each data unit label being settable according to a plurality of settable data unit labels; retrieving a processing reference label among processing reference labels, each processing reference label being settable corresponding to the plurality of settable data unit labels; comparing each of the at least one data unit label to the processing reference label; and on the basis of said comparison, exclusively executing a processor operation (500) with the at least one data unit when the at least one associated respective data unit label corresponds to the processing reference label. Preferably, in the method the processor is a processor according to any one of the embodiments described above and/or below.
It will be appreciated that any feature and/or advantage thereof of the various aspects apply to corresponding features of other aspects and vice versa.

Brief description of the figures

The accompanying drawings are used to illustrate presently preferred non-limiting exemplary embodiments of devices of the present invention. The above and other advantages of the features and objects of the present invention will become more apparent and the present invention will be better understood from the following detailed description when read in conjunction with the accompanying drawings, in which: Figure 1 schematically illustrates an embodiment of a processor according to an embodiment; Figure 2 schematically illustrates a processor architecture according to a preferred embodiment of the processor shown in Figure 1; Figure 3 schematically illustrates a cross domain data transfer according to a preferred embodiment; Figure 4 schematically illustrates a flowchart of an embodiment of transferring data between domains using an intermediate domain.
Description of embodiments

The description and drawings merely illustrate the principles of the present invention. It will thus be appreciated that those skilled in the art will be able to devise various arrangements that, although not explicitly described or shown herein, embody the principles of the present invention and are included within its scope. Furthermore, all examples recited herein are principally intended expressly to be only for pedagogical purposes to aid the reader in understanding the principles of the present invention and the concepts contributed by the inventor(s) to furthering the art, and are to be construed as being without limitation to such specifically recited examples and conditions. Moreover, all statements herein reciting principles, aspects, and embodiments of the present invention, as well as specific examples thereof, are intended to encompass equivalents thereof.
It should be appreciated by those skilled in the art that any block diagrams herein represent conceptual views of illustrative circuitry embodying the principles of the present invention.
It should be noted that the above-mentioned embodiments illustrate rather than limit the present invention and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In claims enumerating several means, several of these means can be embodied by one and the same item of hardware. The usage of the words "first", "second", "third", etc. does not necessarily indicate any ordering or priority. These words are to be interpreted as names used for convenience.
In the present invention, expressions such as “comprise”, “include”, “have”, “may comprise”, “may include”, or “may have” indicate existence of corresponding features but do not exclude existence of additional features.
Whilst the principles of the present invention have been set out above in connection with specific embodiments, it is to be understood that this description is merely made by way of example and not as a limitation of the scope of protection which is determined by the appended claims.
In the drawings the same or analogous element is assigned the same reference numeral.
Fetching may, in the context of this application, be defined as obtaining an instruction from a memory. Loading may, in the context of this application, be defined as moving a data unit from a first memory to a second memory. Loading of a data unit may also be performed with respect to a single memory, i.e. a data unit may be moved from said single memory and back again to the same memory. Storing may, in the context of this application, be defined as the retaining of data in a memory, either temporarily or permanently.
Figure 1 schematically illustrates a processor 100 for secure data processing. The processor 100 may be interchangeably expressed as a central processing unit, central processor or microprocessor. A processor as mentioned throughout this patent disclosure may also be more generally referred to as electronic circuitry. Those skilled in the art will appreciate that the principles of the above-mentioned embodiments may be applied to a plurality of processor designs. The processor 100 may for example be a general-purpose processor which is typically used to perform basic arithmetic, logic, controlling, and input/output operations specified by instructions in a program. The processor 100 may also be designed according to a plurality of architectures such as Complex Instruction Set Computer, CISC, Reduced Instruction Set Computer, RISC, Application Specific Integrated Circuit, ASIC, Superscalar, Digital Signal Processing, DSP. The processor is distinguished from external components such as a main memory and I/O circuitry.
Secure data processing may be defined as the protection of data such as confidential information from unwanted actions of unauthorized instances and/or users, such as cyberattacks or data breaches. A cyberattack is for example any attempt to expose, alter, disable, destroy, steal or gain unauthorized access to or make unauthorized use of said data. A data breach is for example a security violation in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.
According to the embodiment of figure 1 the processor 100 is configured for loading 1100 at least one data unit 200 and at least one data unit label 300 from a memory 110. The data unit 200 is a natural unit of information used by the processor.
In other words, the data unit is a fixed-size piece of data which is handled as a single unit by the processor 100 and/or by the instruction set or hardware of the processor 100. The data unit 200 may for example comprise name information, payment information, schedule information, etc.
It will be appreciated by those skilled in the art that the size of the data unit 200 depends on the processor architecture and design.
The data unit 200 may for example be an 8 bit, a 32 bit, a 64 bit, etc. piece of data.
In the field of computer architecture, the data unit 200 is also commonly referred to as a word.
The at least one data unit label 300 is associated with the at least one data unit 200. The data unit 200 and the data unit label 300 are, in other words, correlated.
The data unit label 300 is settable according to a plurality of settable data unit labels.
While the data unit label is settable according to a plurality of settable data unit labels, the data unit label 300 preferably can only be set to one data unit label at a time.
The plurality of settable data unit labels 300 are preferably associated with an origin or security level of the data unit 200. The data unit label 300 may, for example, represent that the data unit 200 originates from a trusted network or an untrusted network.
The plurality of settable data unit labels, according to this exemplary embodiment may thus comprise a trusted data unit label and an untrusted data unit label.
The data unit label 300 may furthermore also represent a required security clearance level.
For example, the data unit label 300 may represent that only a user with the highest level of access clearance may use the data unit 200. According to yet a further example, the data unit label 300 may represent a security level.
The security level may be a safety-critical level or a non-safety critical level.
The data unit label may also represent different safety integrity levels, SIL, such as SIL1, SIL2, SIL3, etc.
SIL is a measurement of the performance required for a safety instrumented function, SIF, for example in mixed-criticality systems.
The skilled person appreciates that a plurality of settable data unit labels 300 may be associated with the data unit 200 depending on the application of the processor.
For example, a first data unit label may define that the data unit 200 originates from a trusted network and a second data unit label may define that said data unit 200 is representative for SIL3, or, in other words, that the data unit 200 is used for high-risk applications.
The data unit labels thus provide meta-information regarding, for example, domain separation and/or control flow integrity.
The processor 100 is further configured for retrieving 1200 a processing reference label 400 among processing reference labels.
According to a preferred embodiment, the processing reference label is settable during initialisation of the processor 100. Once the processing reference label has been set, the processor can only change said processing reference label 400 on the basis of a specific instruction, as will be elaborated here below.
Each of the processing reference labels 400 is settable corresponding to the plurality of settable data unit labels 300. The processing reference label 400 is thus preferably associated with an origin or security level of an application of the processor.
The processing reference label 400 may, for example, represent that only a user with the highest level of access clearance is allowed. According to yet a further example, the processing reference label 400 may represent a safety-critical level or a non-safety critical level and/or different safety integrity levels, SIL, such as SIL1, SIL2, SIL3, etc. For example, the processing reference label may indicate that the processor is used for SIL3 applications, or, in other words, that only data used for high-risk applications will be processed, as will be explained here below.
The processor 100 further compares 1300 each at least one data unit label 300 to the processing reference label 400 and exclusively executes 1400 a processor operation 500 with the data unit 200 when the associated respective data unit label 300 corresponds to the processing reference label 400, based on the comparison 1300. By comparing each respectively associated data unit label 300 to the processing reference label 400 and only then executing 1400 the processor operation 500 with the data unit 200, an improved level of assurance with respect to data security, isolation and prevention of information leakage, or, in other words, secure data processing, is provided. Those skilled in the art will appreciate that the enforcement occurs exclusively at the hardware level of the processor 100, without a specific dependency on software which, for example, controls data isolation hardware at runtime, as is the case with an operating system. This solution is thus orthogonal to known isolation concepts like process isolation and processor supervisor mode. In the event that the comparison 1300 is negative, i.e. when the associated respective data unit label 300 does not match the processing reference label 400, no execution is performed.
Loading 1100, retrieving 1200, comparing 1300 and executing 1400 are each instructions which form a portion of an instruction cycle of the processor 100. According to a preferred embodiment only the executing of instructions is enforced as will be elaborated here below. Figure 1 illustrates that the instruction cycle is performed sequentially, wherein each instruction is processed before the next instruction is started. Those skilled in the art will appreciate that the instructions may also be performed concurrently and/or in parallel through an instruction pipeline. In this way, the throughput of the processor can be increased.
Figure 2 illustrates a processor microarchitecture according to a preferred embodiment. The processor microarchitecture is illustrated as a Harvard architecture. It is noted that said Harvard architecture is used as exemplary computer architecture and that other architectures for storage and signal pathways, such as a von Neumann architecture are also possible. The exemplary embodiment of figure 2 illustrates that the processor 100 is operably connected to an instruction memory 111 and a memory 112. The processor 100 may comprise a separate bus for instructions and a separate bus for data such that the processor 100 may access instructions and read/write data units at the same time. It will be clear that the processor 100 may alternatively be operably connectable to a memory simultaneously comprising instructions and data units, for example in a processor having a von Neumann architecture.
Figure 2 illustrates that the processor 100 is operably connectable to multiple memories 111, 112, 113, 114. The multiple memories 111, 112, 113, 114 are operably connected via a plurality of data paths. A data path for data units 201, 202, 203, 204 is distinct from a data path for data unit labels 301, 302, 303, 304. In this way, isolation of said data units and data unit labels is further improved in a hardware enforced way. This further improves the secure data processing of the data units.
Preferably, the processor 100 comprises a memory 113 comprising a plurality of data memory locations r0, r1, r2, r3, ..., r31 for storing the at least one data unit 200. Those skilled in the art will appreciate that the processor 100 may comprise more than one memory. The processor may comprise, for example, a memory data register, MDR. The plurality of data memory locations r0, r1, r2, r3, ..., r31 may form a register 113. It is noted that for explanatory purposes two registers 113, 113' are shown. However, those skilled in the art will appreciate that a single register may be provided.
Figure 2 illustrates the plurality of data memory locations r0, r1, r2, r3, ..., r31 as a register 113 comprising, in particular, thirty-two data memory locations r0, r1, r2, r3, ..., r31. Each memory location has a memory size which may be configured to store any number of bits, for example 8 bits, 32 bits or 64 bits. According to a further example, the MDR may also be configured to break down the memory size into smaller memory sizes, for example a 64-bit memory size may be broken down into eight 8-bit memory sizes.
Moreover, each of the plurality of data memory locations r0, r1, r2, r3, ..., r31 of the memory 113 has an associated respective label memory location l0, l1, l2, l3, ..., l31 for storing the associated respective data unit label 301, 302, 303, 304. Similarly to the data memory locations, the associated label memory locations l0, l1, l2, l3, ..., l31 configured for storing the data unit labels 301, 302, 303, 304 may be embodied as a data unit label register 114. The plurality of memory locations r0, r1, r2, r3, ..., r31 for storing the data units 201, 202, 203, 204 and the associated respective label memory locations l0, l1, l2, l3, ..., l31 for storing the associated respective data unit labels 301, 302, 303, 304 are preferably comprised in a register file. It is noted that the data memory locations r0, r1, r2, r3, ..., r31 and label memory locations l0, l1, l2, l3, ..., l31 are strictly separated in hardware. In other words, the memory locations r0, r1, r2, r3, ..., r31 are not accessible from the label memory locations l0, l1, l2, l3, ..., l31 and vice versa. While said data memory locations r0, r1, r2, r3, ..., r31 and label memory locations l0, l1, l2, l3, ..., l31 are isolated in hardware, they are still mutually associated. For example, each respective data memory location r0, r1, r2, r3, ..., r31 and label memory location l0, l1, l2, l3, ..., l31 may have the same address in order to retain the correlation between each data unit 201, 202, 203, 204 and its associated data unit label 301, 302, 303, 304.
According to a preferred embodiment the processor 100 is further configured to read 1110 the data units 201, 202, 203, 204 and the associated respective data unit labels 301, 302, 303, 304 from the memory 111. Additionally, the processor 100 is configured to store 1120 the read data units 201, 202, 203, 204 and the associated respective data unit labels 301, 302, 303, 304 in the memory locations r0, r1, r2, r3, ..., r31 and in at least one of the label memory locations l0, l1, l2, l3, ..., l31, respectively.
In this way the processor copies the data comprised in the data unit and the respective associated data unit label to the corresponding memory locations.
Reading 1110 and loading 1120 the data units 201, 202, 203, 204 and the associated respective data unit labels 301, 302, 303, 304 from the memory 111 is alternatively expressed as a register load.
The register load propagates the data unit labels 301, 302, 303, 304 from the memory 111 to the label memory locations l0, l1, l2, l3, ..., l31. More in particular, the data contained in the data unit label is propagated in an unmodifiable way during the register load.
By propagating the data unit labels in an unmodifiable way, data integrity is assured.
It is noted that all data unit labels, including potentially errant data unit labels are propagated.
For example, in the case that data unit 203 is associated with the respective data unit label 303 and the data unit label 303 does not correspond to the processing reference label, the processor will not perform a processor operation 500 using said data unit 203. The processor 100 is configured to exclusively execute 1410 a processor operation with the at least one data unit 200 when the associated respective data unit label 300 corresponds to the processing reference label 400. The processor is for this reason configured to compare 1300 each data unit label to the processing reference label 400. Based on the comparison 1300 being positive, the processor may execute 1410 the function defined in the at least one data unit 201. According to a preferred embodiment of the processor 100, the executing of a processor operation further comprises exclusively executing an instruction defined in the at least one data unit when the associated respective data unit label 301, 302, 303, 304 corresponds to the processing reference label 400. Executing an instruction is, according to the present application, defined as performing arithmetic or bitwise operations using the data unit 201. In the event that the instruction requires a plurality of data units, for example data units 201, 202, 204, each of the associated data unit labels 301, 302, 304 will be compared to the processing reference label 400. Put differently, the instruction may require a plurality of operands which are comprised in a plurality of data units.
Only when all of the data unit labels 301, 302, 304 of the operands correspond to the processing reference label 400 will the instruction be executed.
Contrarily, when the instruction requires for example the arithmetic operation of data units 201, 202, 203, 204, and the associated data unit label 303 of data unit 203 does not correspond to the processing reference label 400, the respective instruction will not be allowed to be performed.
Executing the instruction is thus clearly distinguishable from read and write operations. Also, fetching is distinguishable from executing an instruction. By exclusively executing 1410 the instructions when the data unit label corresponds to the processing reference label 400, a security policy is enforced on the use of the operands contained in the data units rather than on register loads and stores, or on store operations in general. Because the register load and store signal paths are typically the longest paths in the design of a processor, enforcing the policy only on execution, i.e. exclusively executing the instructions when the associated respective data unit label corresponds to the processing reference label 400, allows the clock frequency of the processor to be improved. This improves processor performance while increasing the assurance of secure data. In summary, load, store, and fetch operations may always be performed irrespective of the comparison 1300, but instructions using operands comprised in the data units are enforced. In this way, the processing of the data is more secure and the required trust in, for example, the compiler is reduced. Also, when the compiler produces errors, for example in the context of an x86 architecture, secure data processing is still ensured because data security is enforced on use of the data unit without a specific dependency on software.
The processor 100 may further comprise an arithmetic logic unit, ALU, 120. The ALU is configured to perform the arithmetic and bitwise operations on the data units. Also a label control unit may be provided. The label control unit is configured for storing the processing reference label. The label control unit is configured such that only a data path for the data unit labels interconnects the data unit label register 114 or the memory 112 to the label control unit, and thus not to the ALU. The label control unit may also be configured to compare the processing reference label to each data unit label.
Further, a result of the executed processing operation may be stored as at least one data unit 200 and an associated respective data unit label 300 in the one or more memories 113, 114, 113', 114'. The data unit label of the result corresponds to each of the data unit labels used in the instruction. In other words, the data unit labels propagate through the processor after performing instructions thereon. The result may be stored in the memory 114' being a register. The result may also be directly stored in the memory 112.
Figure 3 schematically illustrates a processor configured for secure data processing of and between multiple domains. Said domains comprise a first domain D1 and a second domain D2. It will be clear that more than two domains may be comprised. For example, an optional third domain D3 is illustrated. Said third domain D3 can be a data transfer domain, as will be elaborated here below. The steps for performing secure data processing between domains will also be elaborated with regards to figure 4 below. The first and second domain D1 and D2 are associated with a respective first data unit label and a second data unit label. It will be apparent that said first and second data unit label is settable from a plurality of data unit labels as has been elaborated with regards to figure 1. The processor 100 initially receives 1100 a data unit 200 and an associated respective data unit label 300 from the first domain D1. Said data unit 200 may also be a packet. The packet comprises a plurality of data units. The data unit label 300 of the data unit 200 is associated or, in other words, correlated, to the first domain D1. More in particular, the data unit label is associated with the domain from which the data unit is received. In the exemplary embodiment of figure 3, the data unit label 300 of the data unit 200 is associated with the first data unit label of domain D1. The data unit 200 and the associated respective data unit label are stored 1120 on a memory (not shown in figure 3) of the processor 100.
The data unit 200 may comprise an instruction to transfer said packet received from the first domain D1 to the second domain D2, i.e. an instruction for cross domain transfer. As has been elaborated with regards to figures 1 and 2, the processor 100 is allowed to fetch instructions and load and store data units irrespective of the corresponding data unit labels. The processor will further retrieve the processing reference label (not illustrated) among reference labels corresponding to the data unit labels. The processing reference label is set to a reference label associated with the domain of which data is to be processed. In the exemplary case, the processing reference label is associated with the first data unit label of domain D1.
When the data unit label 300 corresponds to the processing reference label of the processor, the processor will execute the instruction for cross domain transfer with the at least one data unit to domain D2.
According to the exemplary case, it will be clear that a potentially malicious packet received by the processor will be stored; however, the instructions comprised in the malicious packet will not be executed because the data unit label of said packet does not correspond to the processing reference label. This is based on the insight that a hacker has no knowledge of the processing reference label and no physical access to said processing reference label.
In order to further prevent data leakage between domains, said domains D1 and D2 may have a respective first and second data unit label different from each other. A secure conversion of said data unit labels while continuously preventing data leakages is thus required. Said conversion will be explained with regards to figure 4.
Figure 4 illustrates the converting of data unit labels for cross domain transfer according to a preferred embodiment. Figure 4 illustrates three domains D1, D2 and D3. Domain D3 here is a data transfer domain distinct from domains D1 and D2. Further details with regards to domain D3 will be elaborated here below. Figure 4 illustrates in particular that the processing reference label 400 for each domain comprises a first reference sublabel 400A, a second reference sublabel 400B and a third reference sublabel 400C. Said reference sublabels are mutually associated with regards to the processing reference label. For example, in analogy with a color, the second reference sublabel 400B may be a normal color red. The first reference sublabel 400A and the third reference sublabel 400C are, according to said analogy, a tint of the color red. The first reference sublabel may, for example, be light red and the third reference sublabel may, for example, be dark red. The first 400A and third 400C reference sublabels are thus subsidiary to the second reference sublabel 400B.
When the data unit 200 is to be transferred to the second domain, the processor 100 updates 1510 the processing reference label 400 to the first reference sublabel 400A of data transfer domain D3. According to the exemplary colour analogy, the second reference sublabel 400B of the third domain D3 is normally tinted blue. The first reference sublabel 400A would be light blue and the third reference sublabel 400C would be dark blue.
Following the updating 1510 of the processing reference label 400 to the first reference sublabel 400A corresponding to the third domain, the processor 100 exclusively converts 1520 the data unit label associated with the stored at least one data unit 200 to the data unit label associated with the current processing reference label, i.e. corresponding to the reference label of domain D3. Calls to other functions, except for converting the data unit labels and updating the processing reference label to the second reference sublabel, are not allowed while the processing reference label comprises the first reference sublabel. The processor 100 thus operates in a first processing mode, which can be seen as a conversion mode wherein registers are converted from any label to the current processing reference label. In other words, the operations of the processor in the first processing mode are limited. At the same time, the input data units are guaranteed to have the specified label corresponding to the intended domain, in this example the third domain D3.
After converting the data unit label associated with the stored data unit, the processor updates 1525 the processing reference label 400 to the second reference sublabel 400B associated with the current processing reference label corresponding to the third domain. In this way, the data unit label of the data unit 200 is effectively converted from being associated with the first domain D1 to the third domain D3. Domain D3 is distinct from both domain D1 and domain D2. It will be clear that the data unit 200, presently associated with a data unit label of the third domain D3, cannot be leaked to either of the domains D1 and D2, since the data unit labels associated with those domains are not the same as the current processing reference label corresponding to the third domain D3. Additionally, since the data unit label associated with the data units to be processed has been updated 1525 to correspond to the second reference sublabel 400B corresponding to domain D3 and the processing reference label 400 is also associated with the second reference sublabel 400B corresponding to domain D3, the processor is no longer limited to exclusively converting data unit labels. In other words, instructions performed in the third domain D3 can be performed similarly to instructions in either of the domains D1 and D2. The processor 100 thus operates in a second processing mode, wherein the input data units are processed 1528. In this way domain D3 supplies a further security layer which is unreachable from an unwanted source. Therefore, the use of a third domain D3 is advantageous because said third domain D3 can, for example, be used to encrypt or decrypt the data comprised in the data unit.
It will be clear to those skilled in the art that the above steps for converting data unit labels from one label to another label may be performed irrespective of the domain from which the data is received or of the domain for which the data is intended. While the above exemplary embodiment illustrates a conversion between the first and third domain, it will be clear that said steps for converting the data unit labels may also be used more generically to directly convert data unit labels from the first domain to the second domain, for example.
Additionally, it is an option that the data unit labels of the data units can also be set to the first, second and third sublabels. This may in particular be effective for the data units of the instruction memory, comprising data specifically intended to be executed when the processor is in the processor mode corresponding to the first and third reference sublabels. This may be used to separate, and thus to limit, which functions can be called for the current processing reference sublabel.
For cross domain data transfer from the third domain D3 to the second domain D2 the processor 100 is configured to update 1530 the processing reference label 400 to the third reference sublabel mutually associated with the current processing reference label, e.g. the third reference sublabel 400C of the third domain D3. Following the updating of the processing reference label 400 to the third reference sublabel 400C corresponding to the third domain, the processor 100 exclusively converts 1540 the data unit label associated with the stored at least one data unit 200 to the data unit label associated with the domain intended for the cross domain data transfer, i.e. domain D2 in this example. Similarly to the above, the processor 100 thus operates in the first processing mode, in which calls to other instructions or functions thereof are strictly limited. At the same time, the resulting processed data is guaranteed to have the specified label corresponding to the intended domain, in this example the second domain D2.
Based on the above it will be clear that a processor operating with a processing reference label corresponding to a first or second reference sublabel of a domain is limited in its functions. Further, a processor operating with a processing reference label corresponding to a first or second reference sublabel guarantees that the data units are labelled with a specific data unit label, i.e. the data unit label of the intended domain of the cross domain data transfer.
To further improve the security of the data transfer, the workflow order in which the processing reference label is updated is fixed. A workflow of updating the processing reference labels and, by extension, converting the data unit labels is thus enforced. This is achieved by only allowing the processing reference label to be updated from the first reference sublabel to the second reference sublabel. Subsequently, the processing reference label is updated from the second reference sublabel to the third reference sublabel. Such a sequential workflow ensures control flow integrity in the processor. It is noted that the update between the first, second and third reference sublabel is enforced between mutually associated reference sublabels. In other words, the reference sublabels associated with the third domain may be updated from one to another.

Further features and advantages of the described embodiments are as follows. The security domains, and therefore their isolation, may be determined at compile time by the developer. The security domains may be enforced in hardware at runtime without a dependency on software that controls the isolation hardware at runtime (like an OS). As a result, the evaluation of the separation can concentrate only on the correctness of (specific elements of) the application binary and the separation hardware. For the generation of the application binary, the source code can be annotated with additional attributes that provide the information to generate the needed meta information regarding the domain separation and control flow requirements.
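The use-time check of figures 1 and 2 (load and store always allowed, an instruction executed only when every operand label equals the processing reference label, the result labelled with the reference label) and the sublabel workflow of figure 4, modelled together in Python as an added example that is not the patent's or Technolution's code. Assumptions of the model: the sublabels are named A, B and C for 400A, 400B and 400C; data units are 32 bits; a domain is entered at its A sublabel from the B or C sublabel of another domain (the text fixes only the A to B to C order); the register file is two parallel lists standing in for r0..r31 and l0..l31.

```python
from dataclasses import dataclass
import operator

WORD_MASK = 0xFFFF_FFFF  # 32-bit data units here; the size is architecture dependent


@dataclass(frozen=True)
class Label:
    """Domain plus sublabel; A/B/C stand in for reference sublabels 400A/400B/400C."""
    domain: str
    sub: str = "B"  # A: conversion on entry, B: normal processing, C: conversion on exit


class LabelMismatch(Exception):
    """An operand's label differs from the processing reference label."""


class WorkflowViolation(Exception):
    """Operation not allowed in the current sublabel, or out-of-order sublabel update."""


ALU_OPS = {"add": operator.add, "sub": operator.sub, "and": operator.and_, "xor": operator.xor}


class TaggedProcessor:
    def __init__(self, ref, nregs=32):
        # Data locations r0..r31 and label locations l0..l31 are kept apart; the
        # shared index keeps each word correlated with its label (assumed layout).
        self.data = [0] * nregs
        self.labels = [None] * nregs
        self.ref = ref  # processing reference label, held by the label control unit

    # Register load and store are never subject to the label comparison.
    def load(self, reg, value, label):
        self.data[reg] = value & WORD_MASK
        self.labels[reg] = label  # propagated unmodified, even when it is "wrong"

    def store(self, reg):
        return self.data[reg], self.labels[reg]

    # The policy is enforced on use of the operands, not on load, store or fetch.
    def execute(self, op, dst, *srcs):
        if self.ref.sub != "B":
            raise WorkflowViolation(f"no ALU operation in sublabel {self.ref.sub}")
        for s in srcs:
            if self.labels[s] != self.ref:
                raise LabelMismatch(f"r{s} is {self.labels[s]}, reference is {self.ref}")
        result = ALU_OPS[op](*(self.data[s] for s in srcs)) & WORD_MASK
        self.data[dst] = result
        self.labels[dst] = self.ref  # the result inherits the reference label
        return result

    def enter(self, domain):
        """Assumption: another domain is entered at its A sublabel from B or C."""
        if self.ref.sub == "A" or domain == self.ref.domain:
            raise WorkflowViolation(f"cannot enter {domain} from {self.ref}")
        self.ref = Label(domain, "A")

    def advance(self):
        """Fixed order within one domain: A -> B -> C, never backwards or past C."""
        nxt = {"A": "B", "B": "C"}.get(self.ref.sub)
        if nxt is None:
            raise WorkflowViolation("C is the last sublabel; enter another domain")
        self.ref = Label(self.ref.domain, nxt)

    def convert(self, reg, target_domain=None):
        """Relabel one register: in A to the current domain, in C to the target domain."""
        if self.ref.sub == "A":
            self.labels[reg] = Label(self.ref.domain)
        elif self.ref.sub == "C" and target_domain is not None:
            self.labels[reg] = Label(target_domain)
        else:
            raise WorkflowViolation("conversion only in sublabel A, or C with a target")


def demo():
    """Constructed scenario: two D1 words and one D2-labelled word, then a result
    moved from D1 to D2 through the data transfer domain D3."""
    out, cpu = {}, TaggedProcessor(Label("D1"))
    cpu.load(1, 0x10, Label("D1"))
    cpu.load(2, 0x05, Label("D1"))
    cpu.load(3, 0x01, Label("D2"))  # foreign label: the register load still succeeds
    out["sum"] = cpu.execute("add", 4, 1, 2)  # both operands D1: executed, r4 gets D1
    out["sum_label"] = cpu.labels[4]
    try:
        cpu.execute("add", 5, 1, 3)  # r3 carries D2: refused on use
        out["refused"] = False
    except LabelMismatch:
        out["refused"] = True
    cpu.enter("D3")  # reference is now (D3, A): conversion only
    try:
        cpu.execute("add", 5, 4, 4)
        out["alu_in_a"] = True
    except WorkflowViolation:
        out["alu_in_a"] = False
    cpu.convert(4)  # r4 relabelled (D3, B)
    cpu.advance()  # (D3, B): normal processing inside the transfer domain
    out["d3_result"] = cpu.execute("add", 4, 4, 4)  # e.g. an encrypt/transform step
    cpu.advance()  # (D3, C): relabel for the intended domain
    cpu.convert(4, "D2")
    out["final"] = cpu.store(4)  # (0x2A, Label("D2", "B")) leaves for D2
    return out
```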
The disclosure comprises the following embodiments.
1. A processor (100) for secure data processing, wherein the processor (100) is configured to be operably connectable to one or more memories (110), wherein the processor (100) is configured to: — load (1100), from the one or more memories (110) operably connectable to the processor (100), at least one data unit (200) of a plurality of data units and at least one data unit label (300) associated with said at least one data unit, each data unit label (300) being settable according to a plurality of settable data unit labels; — retrieve (1200) a processing reference label (400) among processing reference labels, each processing reference label being settable corresponding to the plurality of settable data unit labels; — compare (1300) each of the at least one data unit label to the processing reference label; and — on the basis of said comparison, exclusively execute (1400) a processor operation (500) with the at least one data unit when the at least one associated respective data unit label corresponds to the processing reference label.
2. The processor (100) according to embodiment 1, wherein the processor (100) comprises one of the one or more memories comprising a plurality of data memory locations (r0, r1, r2, r3, ..., r31) for storing the at least one data unit (200), and wherein each of the plurality of data memory locations (r0, r1, r2, r3, ..., r31) has an associated respective label memory location (l0, l1, l2, l3, ..., l31) for storing the associated respective data unit label (300).
3. The processor according to the previous embodiment, wherein the loading (1100) comprises: — reading (1110) the at least one data unit and the associated respective data unit label from the one or more memories (110; 111, 112) operably connected to the processor (100); — storing (1120) the read at least one data unit and the associated respective data unit label in at least one of the plurality of data memory locations (r0, r1, r2, r3, ..., r31) and in at least one of the label memory locations (l0, l1, l2, l3, ..., l31), respectively.
4. The processor (100) according to the previous embodiment, wherein the executing further comprises: — exclusively executing (1400) an instruction defined in the at least one data unit, stored in at least one of the plurality of memory locations, when the associated respective data unit label (300; 301, 302, 303, 304) corresponds to the processing reference label (400).
5. The processor (100) according to the previous embodiment, wherein, when the instruction defined by the at least one data unit describes a processor operation requiring a plurality of data units, the instruction is exclusively executed when each of the associated and respective data unit labels correspond to the processing reference label.
6. The processor (100) according to any one of the previous embodiments, wherein the executing further comprises storing (1420) a result of the executed processor operation as at least one data unit and at least one associated respective data unit label in the one or more data memory locations and the associated label memory locations, respectively.
7. The processor (100) according to embodiment 6, wherein the at least one respective data unit label associated with the at least one data unit storing the result of the executed processor operation is set to the retrieved processing reference label.
8. The processor (100) according to any one of the previous embodiments and embodiment 3, being further configured to load (1120) the at least one data unit and the at least one associated respective data unit label to one or more memories (110; 112) operably connectable to the processor.
9. The processor (100) according to any one of the previous embodiments, further comprising a label control unit configured for storing the processing reference label.
10. The processor (100) according to any one of the previous embodiments, wherein the processor is further configured for secure data processing between domains comprising at least a first domain (D1) and a second domain (D2), wherein the plurality of settable data unit labels comprises a first data unit label associated with the first domain and a second data unit label associated with the second domain, wherein the processor is further configured to: — receive (1100) the at least one data unit from one of the domains; and — store (1120) the received at least one data unit and the at least one associated respective data unit label on the one or more memories, wherein the at least one associated respective data unit label is associated with the domain from which the at least one data unit is received, wherein the processing reference label is set to a processing reference label corresponding to the data unit label associated with the domain whose data is to be processed, wherein the processor operation (500) comprises an instruction for cross domain data transfer with the at least one data unit.
11. The processor according to any one of the previous embodiments, wherein the processing reference label is further settable to a first reference sublabel and a second reference sublabel which are mutually associated for each of the plurality of settable data unit labels.
12. The processor according to the previous embodiment and embodiment 10, wherein the processor is configured to: — update (1510) the processing reference label to the first reference sublabel associated with the retrieved processing reference label; — exclusively convert, when the processing reference label comprises the first reference sublabel, the data unit label associated with the stored at least one data unit to another data unit label corresponding to the retrieved processing reference label (400); and — subsequently update (1520) the processing reference label from the first reference sublabel to the second reference sublabel (302B).
13. The processor according to embodiment 11 or 12 and embodiment 6, wherein the processing reference label is further settable to a third reference sublabel mutually associated with the first and second reference sublabel for each of the plurality of settable data unit labels, wherein the processor is further configured to: update (1530) the processing reference label to the third processing reference sublabel; and exclusively store, when the processing reference label comprises the third reference sublabel, the at least one respective data unit label associated with the result of the executed processing operation as a reference label associated with an intended domain of the cross domain data transfer independent of the current processing reference label.
14. The processor according to any one of embodiments 10-13, wherein the domains comprise a third domain, wherein the plurality of settable data unit labels comprise a third data unit label associated with the third domain.
15. The processor according to embodiment 14 and at least embodiment 12, wherein the processor is further configured to perform the exclusively converting only when the processing reference label corresponds to the third domain.
16. The processor according to any one of embodiment 14 and 15 and at least embodiment 13, wherein the processor is further configured to perform the exclusively storing only when the processing reference label corresponds to the third domain.
17. The processor according to any one of the previous embodiments, further configured to — exclusively set, in an initialization mode, a code indicator associated with a selected memory address of an associated selected memory location to indicate that the data contained by the selected unit of memory is code for execution in a runtime mode; and — set, in the runtime mode, when the at least one data unit (200) is loaded to a memory location identified by a memory address, the code indicator associated with said memory address to indicate that the data unit contained by the memory location is not code.
18. The processor according to any one of the previous embodiments, further configured to — exclusively set, in an initialization mode, a callable indicator associated with a selected memory address of an associated selected memory location to indicate that the data contained by the selected unit of memory indicates a callable memory address to be used in a runtime mode; and — set, in the runtime mode, when the at least one data unit is loaded to a memory location identified by a memory address, a callable indicator associated with said memory address to indicate that the data unit contained by the associated memory location does not indicate a callable memory address.
19. The processor according to the previous embodiment, wherein, in the initialization mode, the callable indicator is exclusively set for memory locations having a memory address referring to a compile time known constant or to a return address generated by a jump-and-link instruction.
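The code indicator and callable indicator of embodiments 17 to 19, as an added behavioural model in Python; this is illustration written for this page, not the patent's or Technolution's own design. The mode names, method names, the toy instruction encoding (a string per word), the addresses and the call-table scenario are assumptions. Only the compile-time-constant case of embodiment 19 is modelled; the return address produced by a jump-and-link instruction is named in a comment but not modelled. The point shown is that a word written to memory in runtime mode can be neither fetched as code nor used as an indirect jump target, and that the indicators cannot be set once initialization is over:

```python
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    INIT = 1     # initialization mode: indicators may be set
    RUNTIME = 2  # runtime mode: a load into memory only ever clears them


class IndicatorViolation(Exception):
    """Fetching a word not marked as code, or jumping through a word not marked callable."""


@dataclass
class IndicatorMemory:
    mode: Mode = Mode.INIT
    words: dict = field(default_factory=dict)        # address -> data unit
    is_code: dict = field(default_factory=dict)      # address -> code indicator (embodiment 17)
    is_callable: dict = field(default_factory=dict)  # address -> callable indicator (embodiment 18)

    def place_code(self, addr, word):
        """Initialization only: mark the word at addr as code that may execute at runtime."""
        if self.mode is not Mode.INIT:
            raise IndicatorViolation("the code indicator can only be set in initialization mode")
        self.words[addr] = word
        self.is_code[addr] = True
        self.is_callable[addr] = False

    def place_callable(self, addr, target):
        """Initialization only: mark the word at addr as a callable address. Embodiment 19
        limits this to compile-time known constants (such as the call-table entry modelled
        here) or return addresses produced by jump-and-link (not modelled)."""
        if self.mode is not Mode.INIT:
            raise IndicatorViolation("the callable indicator can only be set in initialization mode")
        self.words[addr] = target
        self.is_callable[addr] = True
        self.is_code[addr] = False

    def store(self, addr, word):
        """Runtime load of a data unit into memory: both indicators are cleared, so whatever
        arrives at runtime is plain data, never code and never a jump target."""
        self.words[addr] = word
        self.is_code[addr] = False
        self.is_callable[addr] = False

    def fetch(self, addr):
        """Instruction fetch succeeds only where the code indicator is set."""
        if not self.is_code.get(addr, False):
            raise IndicatorViolation(f"{addr:#x} is not marked as code")
        return self.words[addr]

    def indirect_target(self, addr):
        """An indirect call or return takes its target from memory; that word must be callable."""
        if not self.is_callable.get(addr, False):
            raise IndicatorViolation(f"{addr:#x} does not hold a callable address")
        return self.words[addr]


def refused(action):
    """True if action() is blocked by an indicator check."""
    try:
        action()
    except IndicatorViolation:
        return True
    return False


def demo():
    """Constructed scenario: a call table set up at initialization, then runtime behaviour."""
    mem = IndicatorMemory()
    mem.place_code(0x100, "ret")       # a function body (toy instruction encoding)
    mem.place_callable(0x800, 0x100)   # call-table entry: a compile-time known constant
    mem.mode = Mode.RUNTIME
    via_table = mem.fetch(mem.indirect_target(0x800))  # indirect call through the table works
    mem.store(0x800, 0x100)            # the same value, but written at runtime
    table_refused = refused(lambda: mem.indirect_target(0x800))
    mem.store(0x200, "ret")            # a well-formed instruction written at runtime
    fetch_refused = refused(lambda: mem.fetch(0x200))
    set_refused = refused(lambda: mem.place_code(0x300, "ret"))  # no setting outside init
    return via_table, table_refused, fetch_refused, set_refused
```

`demo()` returns `("ret", True, True, True)`: the call through the initialization-time table succeeds, while the runtime rewrite of the same table slot, the runtime-written instruction and the attempt to set an indicator in runtime mode are all refused. In a real core the two indicators would be stored beside the word, like the label locations of embodiment 2, and checked by the fetch and branch units rather than by method calls.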
20. The processor (100) according to any one of the preceding embodiments, wherein the data unit is a fixed-sized piece of data handled as a unit by the processor.
21. Processor system comprising a processor according to any one of embodiments 1-20, the processor system comprising a plurality of controllers configured to access at least a part of the one or more memories, wherein the processor system is configured such that each of the plurality of controllers is associated with a selected single data unit label of the plurality of settable data unit labels and is allowed access only to data units of the plurality of data units having an associated data unit label that is the same as the selected single data unit label.
22. Processor system according to embodiment 21, wherein the plurality of controllers comprise at least one of a direct memory access, DMA, controller and a network interface controller.
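A behavioural model of embodiments 1 to 16 and 21 to 22 in Python, added here as an illustration; it is not the patent's or Technolution's own design. The domain names D1, D2 and D3 (D3 standing for the third, transfer domain of embodiment 14), the register names, the `Phase` values that stand in for the reference sublabels, the method names and the memory contents are all assumptions. It shows the load, compare and execute sequence, the refusal of an operation whose operands carry different labels, the three-sublabel cross-domain transfer, and a controller that can read only data units carrying the label it is bound to:

```python
from dataclasses import dataclass, field
from enum import Enum


class LabelViolation(Exception):
    """A data unit label does not match what the current reference label permits."""


class Phase(Enum):  # reference sublabels of embodiments 11-13, kept beside the label
    CONVERT = 1  # first sublabel: a loaded data unit may be relabelled
    PROCESS = 2  # second sublabel: ordinary label-checked processing
    STORE = 3    # third sublabel: a result may be stored under the destination's label


@dataclass
class TaggedMemory:
    data: dict = field(default_factory=dict)   # address -> data unit
    label: dict = field(default_factory=dict)  # address -> its label location (embodiment 2)

    def write(self, addr, value, label):
        self.data[addr] = value
        self.label[addr] = label


@dataclass
class TaggedProcessor:
    mem: TaggedMemory
    transfer_domain: str                      # third domain (embodiment 14) allowed to relabel
    ref_label: str = ""                       # processing reference label (400), held by the
    phase: Phase = Phase.PROCESS              # label control unit (embodiment 9) with its sublabel
    regs: dict = field(default_factory=dict)  # r_n -> (value, l_n)

    def load(self, reg, addr):
        """Load 1100: the data unit and its label travel together into r_n / l_n."""
        self.regs[reg] = (self.mem.data[addr], self.mem.label[addr])

    def operand(self, reg):
        """Compare 1300: an operand is usable only if its label equals the reference label."""
        value, label = self.regs[reg]
        if label != self.ref_label:
            raise LabelViolation(f"{reg} is labelled {label!r}, reference is {self.ref_label!r}")
        return value

    def add(self, dst, a, b):
        """Execute 1400 only if all operands match (embodiment 5); result gets the reference label."""
        self.regs[dst] = (self.operand(a) + self.operand(b), self.ref_label)

    def relabel(self, reg):
        """Exclusive convert (embodiments 12, 15): transfer domain and CONVERT phase only."""
        if self.ref_label != self.transfer_domain or self.phase is not Phase.CONVERT:
            raise LabelViolation("relabelling is not permitted in this domain/phase")
        self.regs[reg] = (self.regs[reg][0], self.ref_label)

    def store_as(self, reg, addr, dest_label):
        """Exclusive store (embodiments 13, 16): transfer domain and STORE phase only."""
        if self.ref_label != self.transfer_domain or self.phase is not Phase.STORE:
            raise LabelViolation("storing under another domain's label is not permitted")
        self.mem.write(addr, self.operand(reg), dest_label)  # the result itself must match


@dataclass
class Controller:
    mem: TaggedMemory
    label: str  # the single label this DMA or network controller (embodiments 21-22) is bound to

    def read(self, addr):
        if self.mem.label[addr] != self.label:
            raise LabelViolation(f"controller bound to {self.label!r} may not read {addr:#x}")
        return self.mem.data[addr]


def cross_domain_transfer(mem, src_addr, dst_addr, dst_label):
    """Move one data unit into dst_label's domain via the assumed transfer domain D3."""
    cpu = TaggedProcessor(mem, transfer_domain="D3")
    cpu.ref_label, cpu.phase = "D3", Phase.CONVERT   # update 1510: first sublabel
    cpu.load("r1", src_addr)                         # r1 still carries the source label
    cpu.relabel("r1")                                # r1 now carries D3 and may be processed
    cpu.ref_label, cpu.phase = "D3", Phase.PROCESS   # update 1520: second sublabel
    cpu.operand("r1")                                # checked processing of the unit goes here
    cpu.ref_label, cpu.phase = "D3", Phase.STORE     # update 1530: third sublabel
    cpu.store_as("r1", dst_addr, dst_label)          # written under dst_label, not under D3
    return mem.data[dst_addr], mem.label[dst_addr]


def demo():
    mem = TaggedMemory()  # constructed contents: one D1 unit and one D2 unit
    mem.write(0x10, 5, "D1")
    mem.write(0x20, 7, "D2")
    cpu = TaggedProcessor(mem, transfer_domain="D3", ref_label="D1")
    cpu.load("r1", 0x10)
    cpu.load("r2", 0x20)
    try:
        cpu.add("r3", "r1", "r2")
        mixed = "allowed"
    except LabelViolation:
        mixed = "refused"  # the D2-labelled operand fails compare 1300 under a D1 reference
    value, label = cross_domain_transfer(mem, 0x10, 0x30, "D2")
    return mixed, value, label, Controller(mem, "D2").read(0x30)
```

`demo()` returns `("refused", 5, "D2", 5)`: the add over a D1 and a D2 operand is refused, the transfer through D3 lands the unit at 0x30 under the D2 label, and a D2-bound controller can then read it. The design choice worth noting is that `relabel` and `store_as` are the only two places where a label changes, and both are gated on the transfer domain plus the right sublabel, so every other domain only ever produces data carrying its own reference label.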
23. Method in a processor (100) for secure data processing, wherein the processor (100) is configured to be operably connectable to one or more memories (110), the method comprising: — loading (1100), from the one or more memories (110) operably connectable to the processor (100), at least one data unit (200) of a plurality of data units and at least one data unit label (300) associated with said at least one data unit, each data unit label (300) being settable according to a plurality of settable data unit labels; — retrieving (1200) a processing reference label (400) among processing reference labels, each processing reference label being settable corresponding to the plurality of settable data unit labels; — comparing (1300) each of the at least one data unit label to the processing reference label; and — on the basis of said comparison, exclusively executing (1400) a processor operation (500) with the at least one data unit when the at least one associated respective data unit label corresponds to the processing reference label.
24. Method according to embodiment 23, wherein the processor is a processor according to any one of embodiments 1-20.

Based on the above description, those skilled in the art will understand that the invention can be carried out in various ways and on the basis of different principles. In addition, the invention is not limited to the above-described embodiments. The above-described embodiments as well as the figures are merely illustrative and serve only to enhance the understanding of the invention. The invention, therefore, is not to be limited to the embodiments described herein, but is defined in the claims.

Claims (24)

1. A processor (100) for secure data processing, the processor (100) being configured to be operably connectable to one or more memories (110), the processor (100) being configured for: - loading (1100), from the one or more memories (110) operably connectable to the processor (100), at least one data unit (200) of a plurality of data units and at least one data unit label (300) associated with the at least one data unit, each data unit label (300) being settable according to a plurality of settable data unit labels; - retrieving (1200) a processing reference label (400) from a plurality of processing reference labels, each processing reference label being settable corresponding to a plurality of processing reference labels; - comparing (1300) each of the at least one data unit label with the processing reference label; and - on the basis of the comparison, exclusively executing (1400) a processor operation (500) with the at least one data unit when the at least one associated respective data unit label corresponds to the processing reference label.
2. The processor (100) according to claim 1, wherein the processor (100) comprises one of the one or more memories, comprising a plurality of data memory locations (r0, r1, r2, r3, ..., r31) for storing the at least one data unit (200), and wherein each of the plurality of data memory locations (r0, r1, r2, r3, ..., r31) has a respectively associated label memory location (l0, l1, l2, l3, ..., l31) for storing the associated respective data unit label (300).
3. The processor according to the preceding claim, wherein the loading (1100) comprises: - reading (1110) the at least one data unit and the associated respective data unit label from the one or more memories (110; 111, 112) operably connected to the processor (100); - storing (1120) the read at least one data unit and the associated respective data unit label in at least one of the plurality of data memory locations (r0, r1, r2, r3, ..., r31) and in at least one of the label memory locations (l0, l1, l2, l3, ..., l31), respectively.
4. The processor (100) according to the preceding claim, wherein the executing further comprises: - exclusively executing (1400) an instruction defined in the at least one data unit stored in at least one of the plurality of memory locations when the associated respective data unit label (300; 301, 302, 303, 304) corresponds to the processing reference label (400).
5. The processor (100) according to the preceding claim, wherein, when the instruction defined by the at least one data unit describes a processor operation requiring a plurality of data units, the instruction is exclusively executed when each of the associated respective data unit labels corresponds to the processing reference label.
6. The processor (100) according to any one of the preceding claims, wherein the executing further comprises storing (1420) a result of the executed processor operation as at least one data unit and at least one associated respective data unit label in the one or more data memory locations and the associated label memory locations, respectively.
7. The processor (100) according to claim 6, wherein the at least one respective data unit label associated with the at least one data unit holding the result of the executed processor operation is set to the retrieved processing reference label.
8. The processor (100) according to any one of the preceding claims and claim 3, further configured for loading (1120) the at least one data unit and the at least one associated respective data unit label to one or more memories (110; 112) operably connectable to the processor.
9. The processor (100) according to any one of the preceding claims, further comprising a label control unit configured for storing the processing reference label.
10. The processor (100) according to any one of the preceding claims, wherein the processor is further configured for secure data processing between domains comprising at least a first domain (D1) and a second domain (D2), wherein the plurality of settable data unit labels comprises a first data unit label associated with the first domain and a second data unit label associated with the second domain, wherein the processor is further configured for: - receiving (1100) the at least one data unit from one of the domains; and - storing (1120) the received at least one data unit and the at least one associated respective data unit label on the one or more memories, wherein the at least one associated respective data unit label is associated with the domain from which the at least one data unit was received, wherein the processing reference label is set as a processing reference label corresponding to the data unit label associated with a domain whose data is to be processed, wherein the processor operation (500) comprises an instruction for cross-domain data transfer with the at least one data unit.
11. The processor according to any one of the preceding claims, wherein the processing reference label is further settable as a first reference sublabel and a second reference sublabel which are jointly associated for each of the plurality of settable data unit labels.
12. The processor according to the preceding claim and claim 10, wherein the processor is configured for: - updating (1510) the processing reference label to the first reference sublabel associated with the retrieved processing reference label; - exclusively converting, when the processing reference label comprises the first reference sublabel, the data unit label associated with the stored at least one data unit to another data unit label corresponding to the retrieved processing reference label (400); and - subsequently updating (1520) the processing reference label from the first reference sublabel to the second reference sublabel (302B).
13. The processor according to claim 11 or 12 and claim 6, wherein the processing reference label is further settable as a third reference sublabel jointly associated with the first and second reference sublabel for each of the plurality of settable data unit labels, wherein the processor is further configured for: - updating (1530) the processing reference label to the third processing reference sublabel; and - exclusively storing, when the processing reference label comprises the third reference sublabel, the at least one respective data unit label associated with the result of the executed processor operation as a reference label associated with the intended domain of the cross-domain data transfer, independent of the current processing reference label.
14. The processor according to any one of claims 10-13, wherein the domains comprise a third domain, wherein the plurality of settable data unit labels comprises a third data unit label associated with the third domain.
15. The processor according to claim 14 and at least claim 12, wherein the processor is further configured to perform the exclusive converting only when the processing reference label corresponds to the third domain.
16. The processor according to any one of claims 14 and 15 and at least claim 13, wherein the processor is further configured to perform the selective storing only when the processing reference label corresponds to the third domain.
17. The processor according to any one of the preceding claims, further configured for: - exclusively setting, in an initialization mode, a code indicator associated with a selected memory address of an associated selected memory location to indicate that the data contained in the selected memory unit is code for execution in a runtime mode; and - setting, in the runtime mode, when the at least one data unit (200) is loaded to a memory location identified by a memory address, the code indicator associated with that memory address to indicate that the data unit contained in the selected memory unit is not code.
18. The processor according to any one of the preceding claims, further configured for: - exclusively setting, in an initialization mode, a callable indicator associated with a selected memory address of an associated selected memory location to indicate that the data contained in the selected memory unit indicates a callable memory address intended to be used in a runtime mode; and - setting, in the runtime mode, when the at least one data unit (200) is loaded to a memory location identified by a memory address, the callable indicator associated with that memory address to indicate that the data unit contained in the selected memory unit is not a callable memory address.
19. The processor according to the preceding claim, wherein, in the initialization mode, the callable indicator is exclusively set for memory locations having a memory address referring to a compile-time known constant or to a return address generated by a jump-and-link instruction.
20. The processor (100) according to any one of the preceding claims, wherein the data unit is a piece of data that has a fixed size and is handled as a unit by the processor.
21. A processor system comprising a processor according to any one of claims 1-20, wherein the processor system comprises a plurality of controllers configured to access at least a part of the one or more memories, wherein the processor system is configured such that each of the plurality of controllers is associated with a selected single data unit label of the plurality of settable data unit labels and has access only to data units of the plurality of data units having an associated data unit label that is the same as the selected single data unit label.
22. The processor system according to claim 21, wherein the plurality of controllers comprises at least one direct memory access, DMA, controller and a network interface controller.
23. A method in a processor (100) for secure data processing, the processor (100) being configured to be operably connectable to one or more memories (110), the method comprising: - loading (1100), from the one or more memories (110) operably connectable to the processor (100), at least one data unit (200) of a plurality of data units and at least one data unit label (300) associated with the at least one data unit, each data unit label (300) being settable according to a plurality of settable data unit labels; - retrieving (1200) a processing reference label (400) from a plurality of processing reference labels, each processing reference label being settable corresponding to a plurality of processing reference labels; - comparing (1300) each of the at least one data unit label with the processing reference label; and - on the basis of the comparison, exclusively executing (1400) a processor operation (500) with the at least one data unit when the at least one associated respective data unit label corresponds to the processing reference label.
24. The method according to claim 23, wherein the processor is a processor according to any one of claims 1-20.

Priority Applications (1)

Application Number Priority Date Filing Date Title
NL2028534A NL2028534B1 (en) 2021-06-24 2021-06-24 Processor for secure data processing

Publications (1)

Publication Number Publication Date
NL2028534B1 true NL2028534B1 (en) 2023-01-02

Family

ID=77711392

Country Status (1)

Country Link
NL (1) NL2028534B1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150248357A1 (en) * 2014-02-28 2015-09-03 Advanced Micro Devices, Inc. Cryptographic protection of information in a processing system
US20150356294A1 (en) * 2014-06-09 2015-12-10 Lehigh University Methods for enforcing control flow of a computer program
US20190042799A1 (en) * 2018-06-29 2019-02-07 Intel Corporation Memory tagging for side-channel defense, memory safety, and sandboxing
US20200159888A1 (en) * 2018-11-15 2020-05-21 The Research Foundation For The State University Of New York Secure processor for detecting and preventing exploits of software vulnerability
