System for secure file access
First Claim
1. A system for managing access to a plurality of files on a storage module in communication with a computing device, the system comprising:
- an access manager stored in a memory of the computing device;
a processor operative to execute the access manager, wherein the access manager is operative to receive a file access call by an operating system on the computing device;
at least one standard file stored on the storage module, wherein each standard file is one of the plurality of files stored on the storage module and each standard file includes metadata and file data;
at least one file container stored on the storage module, wherein each file container is one of the plurality of files stored on the storage module and each file container includes metadata, file data, and a signature and wherein the signature is appended to the file data; and
a file attribute database including access rights to the file data in each of the at least one file containers, wherein the access rights are defined as a function of at least one attribute of the respective file container, wherein;
when the file access call attempts to access one of the at least file containers, the access manager reads the signature from the respective file container,the access manager determines whether access to the file data for the respective file container is authorized as a function of the signature and of the access rights stored in the file attribute database,the access manager returns only the file data as file data via the file access call when access to the file data for the respective file container is authorized, andthe access manager returns the signature and the file data as file data via the file access call when access to the file data for the respective file container is not authorized.
4 Assignments
0 Petitions
Accused Products
Abstract
A virtual local file system for managing file access, such as read, write and execute, of files on local media is disclosed. An access manager, executable by the host operating system, is stored on each host device. The access manager interacts with the local file system to control file access permissions and how processes of the host operating system execute, view or modify files accessible to the local file system. The access manager may also dynamically control file access to files on the host operating system using a file attributes repository, which may be stored locally or remotely from the host device. Exemplary attributes for defining permission to access a file include but not are limited to, specific users, a time of day, a number of copies of a file, an allowed process, an IP address range, and a MAC address.
-
Citations
16 Claims
-
1. A system for managing access to a plurality of files on a storage module in communication with a computing device, the system comprising:
-
an access manager stored in a memory of the computing device; a processor operative to execute the access manager, wherein the access manager is operative to receive a file access call by an operating system on the computing device; at least one standard file stored on the storage module, wherein each standard file is one of the plurality of files stored on the storage module and each standard file includes metadata and file data; at least one file container stored on the storage module, wherein each file container is one of the plurality of files stored on the storage module and each file container includes metadata, file data, and a signature and wherein the signature is appended to the file data; and a file attribute database including access rights to the file data in each of the at least one file containers, wherein the access rights are defined as a function of at least one attribute of the respective file container, wherein; when the file access call attempts to access one of the at least file containers, the access manager reads the signature from the respective file container, the access manager determines whether access to the file data for the respective file container is authorized as a function of the signature and of the access rights stored in the file attribute database, the access manager returns only the file data as file data via the file access call when access to the file data for the respective file container is authorized, and the access manager returns the signature and the file data as file data via the file access call when access to the file data for the respective file container is not authorized. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. A method of managing access to file data by a computing device in communication with a storage medium on which the file data is stored, the method comprising the steps of:
-
receiving a file access request with an access manager on the computing device from an application executing on the computing device, wherein; the file access request is a request to access file data from one of a file container and a standard file, the file container and the standard file are both stored on the storage medium, the standard file includes file data, and the file container includes file data and a signature appended to the file data; identifying whether the signature is appended to the file data for each file access request with the access manager; when the signature is appended to the file data reading the signature from the file container; checking at least one file attribute for the file container to authorize access to the file data in the file container as a function of the signature; passing only the file data from the file container as file data to the application via the access manager when the at least one file attribute indicates the access request is authorized; and passing the signature and the file data from the file container as file data to the application via the access manager when the at least one file attribute indicates the access request is not authorized. - View Dependent Claims (9, 10, 11, 12, 13)
-
-
14. A system for managing access to a storage module in communication with a computing device, wherein the storage module includes at least one file container and at least one standard file, the system comprising:
-
an access manager stored in a memory of the computing device; a file system operative to manage file storage on the storage module; and a processor operative to execute an operating system and the access manager, wherein the operating system is configured to; receive an operating system function call from an application operating on the computing device to access a file, wherein; the file in the operating system function call is one of the at least one file container and the at least one standard file, the at least one file container includes metadata, file data, and a signature appended to the file data, and the standard file includes metadata and file data, and generate a file access request to the file system responsive to the operating system function call; wherein the access manager is configured to; receive each file access request to the file system generated by the operating system, read the file data from the file identified by the operating system function call, identify whether the file is one of the at least one file container and the at least one standard file as a function of whether the signature is present in the file, and read at least one file attribute corresponding to a file permission for the file from a file attribute database when the file is the at least one file container; and
wherein;the operating system function call is one of a first function call and a second function call, the first function call is a read request, the second function call is a write request, when the operating system function call is the first function call and the file data is stored inside the file container, the access manager is further configured to; verify that the file permission corresponding to the at least one file attribute permits a read, when a read is permitted, return only the file data as file data via the read request, and when a read is not permitted, return the signature and the file data as file data via the read request. - View Dependent Claims (15, 16)
-
Specification