Search

US-12619712-B2 - Secure computer architecture using state machines

US12619712B2US 12619712 B2US12619712 B2US 12619712B2US-12619712-B2

Abstract

A computing architecture using at least one state machine to apply security rules to an execution pipeline of a computing device (e.g., microprocessor) and generate error notifications (e.g., hardware exceptions) when content within the execution pipeline impacts computer security.

Inventors

  • Patrick W. Jungwirth

Assignees

  • U.S. Army DEVCOM Army Research Laboratory

Dates

Publication Date
20260505
Application Date
20220218

Claims (20)

  1. 1 . A computing device comprising: an execution pipeline comprising at least one information flow; wherein the at least one information flow is tagged with at least one tag field which may include one or more subfields to track and monitor information flows, wherein security rules are encoded in said at least one tag field, a register and memory architecture with at least one level tag field which may include one or more subfields and at least one tag field to track and monitor instruction and memory operations in real-time, at least one state machine-based operating system adapted to read tag fields and apply security rules to content of the at least one information flow in real time, an execution pipeline virtualized by the at least one information flow, at least one state machine-based operating system kernel and at least one tag field which may include one or more subfields, and a real-time, hardware level exception mechanism to block any illegal operation before the operation modifies any system state.
  2. 2 . The computing device of claim 1 wherein the at least one state machine is located at security level 0.
  3. 3 . The computing device of claim 1 wherein the at least one state machine performs at least one, or any combination, of the following functions: an instruction execution monitor (IEM), a memory page monitor (MPM), a control flow monitor (CFM), a data flow monitor (DFM), an exception monitor (EM), a stack monitor (SM), or an interrupt monitor (IM).
  4. 4 . The computing device of claim 1 wherein the computing device is a microprocessor.
  5. 5 . The computing device of claim 1 wherein a violation of a security rule causes a hardware exception.
  6. 6 . The computing device of claim 1 wherein the at least one state machine is formed in hardware.
  7. 7 . The computing device of claim 1 wherein the at least one information flow comprises at least one of: an instruction flow, a control flow, a memory access flow, a data flow or any combination thereof.
  8. 8 . The computing device of claim 1 wherein, upon the occurrence of a rule violation, a mediation action will be taken by the computing device.
  9. 9 . The computing device of claim 8 wherein the mediation action taken depends upon a severity level of the rule violation.
  10. 10 . A method of providing security for a computing device, where the computing device comprises a completely virtualized execution pipeline having at least one information flow having content, at least one tag field to track and monitor system security state, a register and memory tag field architecture to track and monitor instruction execution in real time, an operating system to monitor instruction execution in real-time and apply at least one tag field and at least one security rule to the content of the at least one information flow and at least one hardware level state machine operating system kernel adapted to monitor the execution pipeline, the method comprising: Applying and using the state machine to the content of the at least one information flow; generating a real-time rule violation notification upon the content violating a security rule, and blocking any action that would cause an illegal change in the system state in-real time.
  11. 11 . The method of claim 10 wherein the at least one state machine is located at security level 0.
  12. 12 . The method of claim 10 further comprising performing at least one, or any combination, of the following functions: an instruction execution monitor (IEM), a memory page monitor (MPM), a control flow monitor (CFM), a data flow monitor (DFM), an exception monitor (EM), a stack monitor (SM), or an interrupt monitor (IM).
  13. 13 . The method of claim 10 wherein a violation of a security rule causes a hardware exception.
  14. 14 . The method of claim 10 wherein the at least one state machine is formed in hardware.
  15. 15 . The method of claim 10 wherein the at least one information flow comprises at least one of: an instruction flow, a control flow, a memory access flow, a data flow or any combination thereof.
  16. 16 . The method of claim 10 further comprising, upon the occurrence of a rule violation, taking a mediation action.
  17. 17 . The method of claim 16 wherein the mediation action taken depends upon a severity level of the rule violation.
  18. 18 . A microprocessor comprising: an execution pipeline comprising at least one information flow including at least one of an instruction flow, a control flow, a memory access flow, a data flow or any combination thereof; at least one hardware state machine located at security level 0 and adapted to apply security rules to content of the at least one information flow, and, upon an occurrence of a security rule violation, generating a hardware exception in real-time, wherein hardware exceptions can range from a single exception to a plurality of exceptions, wherein detecting a single exception allows a second attempt at executing a portion of code where an error occurred, and wherein detecting a plurality of exceptions halts execution of the code where errors occurred.
  19. 19 . The computing device of claim 18 wherein the at least one hardware state machine performs at least one, or any combination, of the following functions: an instruction execution monitor (IEM), a memory page monitor (MPM), a control flow monitor (CFM), a data flow monitor (DFM), an exception monitor (EM), a stack monitor (SM), or an interrupt monitor (IM) that provide virtualization of the execution pipeline.
  20. 20 . The computing device of claim 18 wherein, in respond to the hardware exception, a mediation action will be taken by the microprocessor and the mediation action taken depends upon a severity level of the rule violation.

Description

RELATED APPLICATION This application claims benefit to U.S. Provisional Patent Application Ser. No. 63/152,083 filed 22 Feb. 2021 entitled “Aberdeen Architecture High Assurance, Hardware State Machine Microprocessor,” which is hereby incorporated herein in its entirety. GOVERNMENT INTEREST The invention described herein may be manufactured, used and licensed by or for the U.S. Government. BACKGROUND Field Embodiments of the present invention generally relate to computing devices and, more specifically, to secure computer architectures using state machines. Description of the Related Art In a traditional computer, an operating system manages computer system resources. Current microprocessors execute or run instructions without any verification or authentication. The computer treats all instructions in the same manner, i.e., there is no difference between safe instructions, coding errors, and malicious instructions. The principle of complete mediation is a computer security principle that has not been fulfilled in current microprocessors. Complete mediation requires verification of access rights and authority for every operation before the operation is executed (completed). Current microprocessors mix objects with different security attributes into the same class ignoring computer separation and isolation principles. Current microprocessor do not use information flow principles for computer security. Current microprocessors do not utilize a hardware-software co-design approach to take full advantage of separation and isolation security principles. Information leakage is a common problem for current computing environments. Within a microprocessor, there are many information flows, including: instruction flow, memory access flow, control flow, and data flow. Malicious software may attack any of these information flows and unscrupulously leak information. Therefore, there is a need in the art for improved computing architecture for microprocessors to enhance security and mitigate information leakage. SUMMARY Embodiments of the present invention generally comprise a computing architecture that uses at least one state machine to monitor information flow within a computing device and enforce information flow integrity policies based upon content and properties of the information. BRIEF DESCRIPTION OF THE DRAWINGS So that the manner in which the above recited features of the present invention can be understood in detail, a more particular description of the invention, briefly summarized above, may be had by reference to embodiments, some of which are illustrated in the appended drawings. It is to be noted, however, that the appended drawings illustrate only typical embodiments of this invention and are therefore not to be considered limiting of its scope, for the invention may admit to other equally effective embodiments. FIG. 1 depicts block diagram of a computer having a computer architecture using state machines in accordance with at least one embodiment of the invention; FIG. 2 depicts a high-level flow diagram of a method of operation of the computer in accordance with at least one embodiment of the invention; FIG. 3 depicts a block diagram of RISC execution pipeline coupled with state machines in accordance with at least one embodiment of the invention; FIG. 4 is a state diagram of an exemplary embodiment of an instruction execution state machine; FIG. 5 is a state diagram of an exemplary embodiment of a stack monitoring state machine; FIG. 6 illustrates one embodiment of sequential instruction class control flow links; FIG. 7 illustrates one embodiment of jump class instruction control flow links; FIG. 8 illustrates one embodiment of conditional branch class instruction control flow links; FIG. 9 illustrates an embodiment of control flow links, single entry and exit points, and code blocks; FIG. 10 shows an exemplar flow chart for control flow verification; FIG. 11 presents an example architecture showing program instruction memory, register file, and data memory; FIG. 12 presents an example instruction showing memory access information flow and data information flow; FIG. 13 presents a flow chart showing data flow integrity validation; FIG. 14 presents an example data flow integrity tracking; FIG. 15 presents an example information flow diagram for a load from memory instruction; FIG. 16 shows an example line of code illustrating security tag fields before and after execution in accordance with at least one embodiment of the invention; and FIGS. 17A, 17B, and 17C show an example program running on a microprocessor operating in accordance with one or more embodiments of the invention. DETAILED DESCRIPTION Embodiments of the present invention comprise a computing architecture using at least one state machine to apply security rules to an execution pipeline of a computing device (e.g., microprocessor) and generate error notifications (e.g., hardware exceptions) when content within the execution pipeline impacts