Page protection in multithreaded systems

With reference to a classical address translation scheme supporting the notion of a paged virtual address space, and a program execution environment in which programs are allowed to have multiple concurrent threads of execution, we present a low-cost addition to the usual hardware inside the memory management unit aimed at supporting page protection at the thread level. The resulting protection system makes it possible to define several distinct protection domains within the boundaries of the same virtual space. Different threads of the same process can have different domains, and the access rights of a given thread can change dynamically as a consequence of actions of amplification and reduction of access privileges, so that at any given time the running thread is given the smallest set of access rights that is necessary for that thread at that time to carry out its job. Rather than protecting applications from software attacks of malicious code, our protection environment is aimed at limiting the consequences of programming errors, for instance, when an otherwise secure program is extended by the addition of unverified foreign code, e.g. a plugin that is prone to corrupt and even crash the main process, or a device driver executed in the same virtual space as the operating system kernel. We do not force the user to adhere to a specific protection model. Instead, our protection system features a set of hardware/software mechanisms that makes it possible to implement different protection paradigms at little effort.