Automated mechanism to analyze elevated authority usage and capability

US 10,346,625 B2
Filed: 10/31/2016
Issued: 07/09/2019
Est. Priority Date: 10/31/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for an operating system kernel to secure file access by automatically identifying and removing non-essential privileges to files, the computer-implemented method comprising, by operation of one or more computer processors:

monitoring, by the operating system kernel, a set of file access requests to a file from a first application to obtain permission, identity, and call information related to the monitored requests, wherein monitoring the set of file access requests includes obtaining a runtime stack from the first application based on a predefined call selected from a system object call and a microcode call, wherein the runtime stack has associated environment information specifying;

(i) the system object call;

(ii) programs on the runtime stack;

(iii) program statement numbers of calling and called subroutines;

(iv) names of calling and called subroutines;

(v) an order in which applications are called;

(vi) whether each called application invoked any owner privileges;

(vii) thread and job information pertaining to the first application; and

(viii) a runtime context of the first application;

determining a set of user privileges available to a user, wherein the set of user privileges is available to the first application when the user causes execution of the first application, the first application having an owner other than the user;

determining a set of owner privileges of the owner and available to the user only for conditional use as a fallback when the set of user privileges is insufficient for accessing the file when executing the first application, wherein the fallback is greater, lesser, or equal in scope relative to the set of user privileges;

upon determining, by the operating system kernel, that the fallback is not used to access the file because the set of user privileges is sufficient to access the file and that the fallback is also sufficient to access the file, causing the fallback to be used in subsequently accessing the file, by automatically removing, from the set of user privileges, at least one existing user privilege to the file as being non-essential;

wherein the operating system kernel is configured such that;

upon a determination that the fallback is not used to access the file because the set of user privileges is sufficient to access the file and that the fallback is actually insufficient to access the file, at least one existing user privilege to the file is preserved in the set of user privileges, as being essential; and

upon a determination that the fallback is used to access the file because the set of user privileges is insufficient to access the file, one or more existing user privileges to the file are removed altogether from the set of user privileges, as being non-essential;

storing the call information as first call information in the data file;

receiving, from a second application different from the first application, a request for access to the file;

obtaining second call information from a runtime stack from the second application;

determining the request for access is an abnormal request, based on comparing the first and second call information, wherein the comparing is based on at least the programs on the runtime stack and the program statement numbers of the calls, wherein the determining the request is abnormal comprises determining that the second application has owner privileges that are elevated relative to the set of owner privileges of the first application; and

upon determining that the request for access is an abnormal request, automatically taking a predefined action comprising;

(i) logging information related to the abnormal request and (ii) denying the request for access.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and computer program products to perform an operation comprising monitoring a set of file access requests to a file from an application to obtain permission and identity information related to the monitored requests, wherein the monitoring includes obtaining a runtime stack from the application, determining, based on environment information in the runtime stack, whether a first set of privileges available to the application are greater than a second set of privileges available to a the user of the application, storing the permission and identity information and an indication of whether the first set of privileges is greater than the second set of privileges in a data file, and adjusting the privileges for the user based on the determination.

Citations

20 Claims

1. A computer-implemented method for an operating system kernel to secure file access by automatically identifying and removing non-essential privileges to files, the computer-implemented method comprising, by operation of one or more computer processors:
- monitoring, by the operating system kernel, a set of file access requests to a file from a first application to obtain permission, identity, and call information related to the monitored requests, wherein monitoring the set of file access requests includes obtaining a runtime stack from the first application based on a predefined call selected from a system object call and a microcode call, wherein the runtime stack has associated environment information specifying;
  
  (i) the system object call;
  
  (ii) programs on the runtime stack;
  
  (iii) program statement numbers of calling and called subroutines;
  
  (iv) names of calling and called subroutines;
  
  (v) an order in which applications are called;
  
  (vi) whether each called application invoked any owner privileges;
  
  (vii) thread and job information pertaining to the first application; and
  
  (viii) a runtime context of the first application;
  
  determining a set of user privileges available to a user, wherein the set of user privileges is available to the first application when the user causes execution of the first application, the first application having an owner other than the user;
  
  determining a set of owner privileges of the owner and available to the user only for conditional use as a fallback when the set of user privileges is insufficient for accessing the file when executing the first application, wherein the fallback is greater, lesser, or equal in scope relative to the set of user privileges;
  
  upon determining, by the operating system kernel, that the fallback is not used to access the file because the set of user privileges is sufficient to access the file and that the fallback is also sufficient to access the file, causing the fallback to be used in subsequently accessing the file, by automatically removing, from the set of user privileges, at least one existing user privilege to the file as being non-essential;
  
  wherein the operating system kernel is configured such that;
  
  upon a determination that the fallback is not used to access the file because the set of user privileges is sufficient to access the file and that the fallback is actually insufficient to access the file, at least one existing user privilege to the file is preserved in the set of user privileges, as being essential; and
  
  upon a determination that the fallback is used to access the file because the set of user privileges is insufficient to access the file, one or more existing user privileges to the file are removed altogether from the set of user privileges, as being non-essential;
  
  storing the call information as first call information in the data file;
  
  receiving, from a second application different from the first application, a request for access to the file;
  
  obtaining second call information from a runtime stack from the second application;
  
  determining the request for access is an abnormal request, based on comparing the first and second call information, wherein the comparing is based on at least the programs on the runtime stack and the program statement numbers of the calls, wherein the determining the request is abnormal comprises determining that the second application has owner privileges that are elevated relative to the set of owner privileges of the first application; and
  
  upon determining that the request for access is an abnormal request, automatically taking a predefined action comprising;
  
  (i) logging information related to the abnormal request and (ii) denying the request for access.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-implemented method of claim 1, wherein the determination is based on authentication environment information recorded on the runtime stack.
  - 3. The computer-implemented method of claim 1, further comprising determining the set of owner privileges is sufficient to allow the first application to access the file for each file access request in the set of file access requests.
  - 4. The computer-implemented method of claim 1, further comprising:
    - determining, based on the environment information in the runtime stack, when the set of owner privileges is different from the set of user privileges;
      
      storing, in a data file, the permission and identity information, information related to the sets of owner and user privileges, and an indication of when the set of owner privileges is greater in scope than the set of user privileges;
      
      wherein the determination that the fallback is not used because the set of user privileges is used is made based on, in respective instances;
      
      (i) the set of user privileges being used and (ii) the set of owner privileges not being used;
      
      wherein whether the set of owner privileges is used is determined based on information in the runtime stack, wherein the at least one existing user privilege is removed without having received any request specifying to remove the at least one existing user privilege;
      
      wherein the computer-implemented method further comprises;
      
      generating an indication that the at least one existing user privilege is automatically removed, whereafter the indication is output.
  - 5. The computer-implemented method of claim 4, wherein the determination that the fallback is not used is based on authentication environment information recorded on the runtime stack, wherein the computer-implemented method further comprises determining that the fallback is sufficient to permit the first application to access the file for each file access request in the set of file access requests, wherein the computer-implemented still further comprises, in respective instances:
    - (i) determining, based on the set of user privileges being used, that the fallback is not used to access the file because the set of user privileges is sufficient to access the file, wherein the at least one existing user privilege is removed from the user based on the determination and as being a non-essential privilege sufficient to access the file;
      
      (ii) determining, based on the set of owner privileges being used, that the fallback is used to access the file because the set of user privileges is insufficient to access the file, wherein the one or more existing user privileges are removed altogether from the user based on the determination and as being one or more non-essential privileges insufficient to access the file;
      
      wherein the runtime stack information is obtained based on, in respective instances;
      
      (i) the system object call into the operating system kernel and (ii) the microcode call.
  - 6. The computer-implemented method of claim 5, further comprising, prior to determining whether the set of owner privileges is different from the set of user privileges, performing an operation to set privileges for the user, the operation comprising:
    - determining a set of needed privileges needed by the first application to access the file based on the stored data file;
      
      automatically selecting privileges to assign to the user, based on the set of needed privileges and the set of owner privileges;
      
      assigning the automatically selected privileges to the user as existing privileges of the user;
      
      upon determining, based on the set of owner privileges being used, that the fallback used to access the file because the set of user privileges is insufficient to access the file, automatically removing all existing user privileges from the user as being non-essential; and
      
      upon determining (i), based on the set of owner privileges being used, that the fallback is not used to access the file the file because the set of user privileges is sufficient to access the file and (ii) the fallback includes the set of needed privileges, automatically removing all existing user privileges from the user as being non-essential;
      
      wherein the automatically selected privileges to assign to the user are derived from, in respective instances, a user authority, a group authority, and an access control list.
  - 7. The computer-implemented method of claim 6, wherein the operating system kernel is of an operating system having user space, kernel space, and microcode space, the operating system having a plurality of modules including:
    - (i) a file permission check module resident in the kernel space, the file permission check module including an authority collection module configured to determine the sets of elevated, user, and needed privileges;
      
      (ii) an authority adjustment module resident in the kernel space and configured to automatically adjust user privileges for the user; and
      
      (iii) a security module resident in the microcode space and configured to handle the microcode call in order to obtain the runtime stack;
      
      wherein the user space includes a system library and one or more user applications including the first application, wherein the user space provides a runtime environment in which the first application executes, wherein the runtime information pertains to the runtime environment, wherein the kernel space includes a kernel, a system call interface, and one or more drivers, wherein the kernel includes a file system interface for a file system, wherein the file system stores the file and permissions associated therewith.
  - 8. The computer-implemented method of claim 1, further comprising:
    - determining, based on environment information in the runtime stack, whether the set of owner privileges is different from the set of user privileges.
  - 9. The computer-implemented method of claim 1, further comprising:
    - storing, in the data file;
      
      the permission, identity, and call information;
      
      information related to the sets of owner and user privileges; and
      
      an indication of whether the set of owner privileges is greater in scope than the set of user privileges.

10. A system to secure file access by automatically identifying and removing non-essential privileges to files, the system comprising:
- one or more computer processors;
  
  a memory containing a program comprising an operating system kernel which, when executed by the one or more computer processors, performs an operation comprising;
  
  monitoring, by the operating system kernel, a set of file access requests to a file from a first application to obtain permission, identity, and call information related to the monitored requests, wherein monitoring the set of file access requests includes obtaining a runtime stack from the first application based on a predefined call selected from a system object call and a microcode call, wherein the runtime stack has associated environment information specifying;
  
  (i) the system object call;
  
  (ii) programs on the runtime stack;
  
  (iii) program statement numbers of calling and called subroutines;
  
  (iv) names of calling and called subroutines;
  
  (v) an order in which applications are called;
  
  (vi) whether each called application invoked any owner privileges;
  
  (vii) thread and job information pertaining to the first application; and
  
  (viii) a runtime context of the first application;
  
  determining a set of user privileges available to a user, wherein the set of user privileges is available to the first application when the user causes execution of the first application, the first application having an owner other than the user;
  
  determining a set of owner privileges of the owner and available to the user only for conditional use as a fallback when the set of user privileges is insufficient for accessing the file when executing the first application, wherein the fallback is greater, lesser, or equal in scope relative to the set of user privileges; and
  
  upon determining, by the operating system kernel, that the fallback is not used to access the file because the set of user privileges is sufficient to access the file and that the fallback is also sufficient to access the file, causing the fallback to be used in subsequently accessing the file, by automatically removing, from the set of user privileges, at least one existing user privilege to the file as being non-essential;
  
  wherein the operating system kernel is configured such that;
  
  upon a determination that the fallback is not used to access the file because the set of user privileges is sufficient to access the file and that the fallback is actually insufficient to access the file, at least one existing user privilege to the file is preserved in the set of user privileges, as being essential; and
  
  upon a determination that the fallback is used to access the file because the set of user privileges is insufficient to access the file, one or more existing users privilege to the file are removed altogether from the set of user privileges, as being non-essential;
  
  storing the call information as first call information in the data file;
  
  receiving, from a second application different from the first application, a request for access to the file;
  
  obtaining second call information from a runtime stack from the second application;
  
  determining the request for access is an abnormal request, based on comparing the first and second call information, wherein the comparing is based on at least the programs on the runtime stack and the program statement numbers of the calls, wherein the determining the request is abnormal comprises determining that the second application has owner privileges that are elevated relative to the set of owner privileges of the first application; and
  
  upon determining that the request for access is an abnormal request, automatically taking a predefined action comprising;
  
  (i) logging information related to the abnormal request and (ii) denying the request for access.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The system of claim 10, wherein the determination is based on authentication environment information recorded on the runtime stack.
  - 12. The system of claim 10, wherein the operation further comprises determining the set of owner privileges is sufficient to allow the first application to access the file for each file access request in the set of file access requests.
  - 13. The system of claim 10, wherein the operation further comprises:
    - determining, based on environment information in the runtime stack, whether the set of owner privileges is different from the set of user privileges.
  - 14. The system of claim 10, wherein the operation further comprises:
    - storing, in the data file;
      
      the permission, identity, and call information;
      
      information related to the sets of owner and user privileges; and
      
      an indication of whether the set of owner privileges is greater in scope than the set of user privileges.

15. A computer program product for securing file access by automatically identifying and removing non-essential privileges to files, the computer program product comprising:
- a computer readable storage medium having embodied therewith computer-readable program code of an operating system kernel, the computer-readable program code executable by one or more computer processors to perform an operation comprising;
  
  monitoring, by the operating system kernel, a set of file access requests to a file from a first application to obtain permission, identity, and call information related to the monitored requests, wherein monitoring the set of file access requests includes obtaining a runtime stack from the first application based on a predefined call selected from a system object call and a microcode call, wherein the runtime stack has associated environment information specifying;
  
  (i) the system object call;
  
  (ii) programs on the runtime stack;
  
  (iii) program statement numbers of calling and called subroutines;
  
  (iv) names of calling and called subroutines;
  
  (v) an order in which applications are called;
  
  (vi) whether each called application invoked any owner privileges;
  
  (vii) thread and job information pertaining to the first application; and
  
  (viii) a runtime context of the first application;
  
  determining a set of user privileges available to a user, wherein the set of user privileges is available to the first application when the user causes execution of the first application, the first application having an owner other than the user;
  
  determining a set of owner privileges of the owner and available to the user only for conditional use as a fallback when the set of user privileges is insufficient for accessing the file when executing the first application, wherein the fallback is greater, lesser, or equal in scope relative to the set of user privileges; and
  
  upon determining, by the operating system kernel, that the fallback is not used to access the file because the set of user privileges is sufficient to access the file and that the fallback is also sufficient to access the file, causing the fallback to be used in subsequently accessing the file, by automatically removing, from the set of user privileges, at least one existing user privilege to the file as being non-essential;
  
  wherein the operating system kernel is configured such that;
  
  upon a determination that the fallback is not used to access the file because the set of user privileges is sufficient to access the file and that the fallback is actually insufficient to access the file, at least one existing user privilege to the file is preserved in the set of user privileges, as being essential; and
  
  upon a determination that the fallback is used to access the file because the set of user privileges is insufficient to access the file, one or more existing user privileges to the file are removed altogether from the set of user privileges, as being non-essential;
  
  storing the call information as first call information in the data file;
  
  receiving, from a second application different from the first application, a request for access to the file;
  
  obtaining second call information from a runtime stack from the second application;
  
  determining the request for access is an abnormal request, based on comparing the first and second call information, wherein the comparing is based on at least the programs on the runtime stack and the program statement numbers of the calls, wherein the determining the request is abnormal comprises determining that the second application has owner privileges that are elevated relative to the set of owner privileges of the first application; and
  
  upon determining that the request for access is an abnormal request, automatically taking a predefined action comprising;
  
  (i) logging information related to the abnormal request and (ii) denying the request for access.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer program product of claim 15, wherein the determination is based on authentication environment information recorded on the runtime stack.
  - 17. The computer program product of claim 15, wherein the operation further comprises determining the set of owner privileges is sufficient to allow the first application to access the file for each file access request in the set of file access requests.
  - 18. The computer program product of claim 15, wherein the operation further comprises:
    - determining, based on environment information in the runtime stack, whether the set of owner privileges is different from the set of user privileges.
  - 19. The computer program product of claim 15, wherein the operation further comprises:
    - storing, in the data file;
      
      the permission, identity, and call information;
      
      information related to the sets of owner and user privileges; and
      
      an indication of whether the set of owner privileges is greater in scope than the set of user privileges.
  - 20. The computer program product of claim 15, wherein the operation further comprises:
    - storing, in the data file, and an indication of whether the set of owner privileges is greater in scope than the set of user privileges.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Anderson, Mark J., Budnik, Carol S., Dietenberger, Anna P., Forstie, Scott, Hasselbeck, Brian J., Mei, Allen K., Streifel, Ellen B., Uehling, Jeffrey M.
Primary Examiner(s)
Shaw, Yin Chen
Assistant Examiner(s)
Cruz-Franqui, Richard W

Application Number

US15/339,675
Publication Number

US 20180121665A1
Time in Patent Office

981 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/6209 to a single file or object,...

Automated mechanism to analyze elevated authority usage and capability

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Automated mechanism to analyze elevated authority usage and capability

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links