System for secure file access

US 10,404,708 B2
Filed: 06/02/2016
Issued: 09/03/2019
Est. Priority Date: 06/03/2015
Status: Active Grant

First Claim

Patent Images

1. A system for managing access to a plurality of files on a storage module in communication with a computing device, the system comprising:

an access manager stored in a memory of the computing device;

a processor operative to execute the access manager, wherein the access manager is operative to receive a file access call by an operating system on the computing device;

at least one standard file stored on the storage module, wherein each standard file is one of the plurality of files stored on the storage module and each standard file includes metadata and file data;

at least one file container stored on the storage module, wherein each file container is one of the plurality of files stored on the storage module and each file container includes metadata, file data, and a signature and wherein the signature is appended to the file data; and

a file attribute database including access rights to the file data in each of the at least one file containers, wherein the access rights are defined as a function of at least one attribute of the respective file container, wherein;

when the file access call attempts to access one of the at least file containers, the access manager reads the signature from the respective file container,the access manager determines whether access to the file data for the respective file container is authorized as a function of the signature and of the access rights stored in the file attribute database,the access manager returns only the file data as file data via the file access call when access to the file data for the respective file container is authorized, andthe access manager returns the signature and the file data as file data via the file access call when access to the file data for the respective file container is not authorized.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A virtual local file system for managing file access, such as read, write and execute, of files on local media is disclosed. An access manager, executable by the host operating system, is stored on each host device. The access manager interacts with the local file system to control file access permissions and how processes of the host operating system execute, view or modify files accessible to the local file system. The access manager may also dynamically control file access to files on the host operating system using a file attributes repository, which may be stored locally or remotely from the host device. Exemplary attributes for defining permission to access a file include but not are limited to, specific users, a time of day, a number of copies of a file, an allowed process, an IP address range, and a MAC address.

Citations

16 Claims

1. A system for managing access to a plurality of files on a storage module in communication with a computing device, the system comprising:
- an access manager stored in a memory of the computing device;
  
  a processor operative to execute the access manager, wherein the access manager is operative to receive a file access call by an operating system on the computing device;
  
  at least one standard file stored on the storage module, wherein each standard file is one of the plurality of files stored on the storage module and each standard file includes metadata and file data;
  
  at least one file container stored on the storage module, wherein each file container is one of the plurality of files stored on the storage module and each file container includes metadata, file data, and a signature and wherein the signature is appended to the file data; and
  
  a file attribute database including access rights to the file data in each of the at least one file containers, wherein the access rights are defined as a function of at least one attribute of the respective file container, wherein;
  
  when the file access call attempts to access one of the at least file containers, the access manager reads the signature from the respective file container,the access manager determines whether access to the file data for the respective file container is authorized as a function of the signature and of the access rights stored in the file attribute database,the access manager returns only the file data as file data via the file access call when access to the file data for the respective file container is authorized, andthe access manager returns the signature and the file data as file data via the file access call when access to the file data for the respective file container is not authorized.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the access manager is operative to return a file handle for the respective standard file when the file access call attempts to access one of the at least one standard files.
  - 3. The system of claim 1, wherein the computing device is a first computing device and the file attribute database is stored on a second computing device remote from the first computing device.
  - 4. The system of claim 3, wherein the first computing device is connected to the second computing device via a network, and the file attribute database can be read and updated by the access manager running on the first computing device.
  - 5. The system of claim 1, wherein at least a portion of the file attribute database is stored on the storage module.
  - 6. The system of claim 1, wherein a file permission associated with the at least one attribute for the at least one file container in the file attribute database is dynamically modified by the access manager.
  - 7. The system of claim 1 further comprising an authorized list identifying a plurality of applications that are allowed to access the file data stored in each file container, wherein the access manager is further operative to:
    - receive a file access request from a calling application to access one of the at least one standard file and the at least one file container,determine whether the calling application is present in the authorized list,pass a file handle to the calling application corresponding to one of the at least one standard file and the at least one file container identified in the file access request when the calling application is not in the authorized list, andread the signature from the file container and check the file attribute database when the calling application is present in the authorized list.

8. A method of managing access to file data by a computing device in communication with a storage medium on which the file data is stored, the method comprising the steps of:
- receiving a file access request with an access manager on the computing device from an application executing on the computing device, wherein;
  
  the file access request is a request to access file data from one of a file container and a standard file,the file container and the standard file are both stored on the storage medium,the standard file includes file data, andthe file container includes file data and a signature appended to the file data;
  
  identifying whether the signature is appended to the file data for each file access request with the access manager;
  
  when the signature is appended to the file data reading the signature from the file container;
  
  checking at least one file attribute for the file container to authorize access to the file data in the file container as a function of the signature;
  
  passing only the file data from the file container as file data to the application via the access manager when the at least one file attribute indicates the access request is authorized; and
  
  passing the signature and the file data from the file container as file data to the application via the access manager when the at least one file attribute indicates the access request is not authorized.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method of claim 8, wherein after receiving the request to access the file container, the method further comprises the steps of:
    - determining whether the application is present in an authorized list, wherein the authorized list identifies a plurality of applications that are allowed to access the file data stored in the file container;
      
      when the application is not in the authorized list, passing a file handle to the calling application corresponding to one of the file container and the standard file identified in the file access request, andwhen the application is in the authorized list, executing the steps of identifying whether the signature is appended to the file data, checking the at least one file attribute, and passing the file data to the application.
  - 10. The method of claim 8 wherein the step of checking the at least one file attribute for the file container to authorize access to the file container as a function of the signature further comprises the steps of:
    - identifying the at least one file attribute in a file attribute database, wherein the at least one file attribute is associated with the signature; and
      
      reading the at least one file attribute and a file permission associated with the at least one file attribute from the file attribute database.
  - 11. The method of claim 10 wherein:
    - the computing device is a first computing device,the file attribute database is located on a second computing device remote from the first computing device, andthe first computing device is in communication with the second computing device via a network.
  - 12. The method of claim 10 wherein at least a portion of the file attribute database is stored on the storage medium.
  - 13. The method of claim 10 further comprising the step of updating the at least one file attribute with the access manager after passing the file data to the application.

14. A system for managing access to a storage module in communication with a computing device, wherein the storage module includes at least one file container and at least one standard file, the system comprising:
- an access manager stored in a memory of the computing device;
  
  a file system operative to manage file storage on the storage module; and
  
  a processor operative to execute an operating system and the access manager, wherein the operating system is configured to;
  
  receive an operating system function call from an application operating on the computing device to access a file, wherein;
  
  the file in the operating system function call is one of the at least one file container and the at least one standard file,the at least one file container includes metadata, file data, and a signature appended to the file data, andthe standard file includes metadata and file data, andgenerate a file access request to the file system responsive to the operating system function call;
  
  wherein the access manager is configured to;
  
  receive each file access request to the file system generated by the operating system,read the file data from the file identified by the operating system function call,identify whether the file is one of the at least one file container and the at least one standard file as a function of whether the signature is present in the file, andread at least one file attribute corresponding to a file permission for the file from a file attribute database when the file is the at least one file container; and
  
  wherein;
  
  the operating system function call is one of a first function call and a second function call,the first function call is a read request,the second function call is a write request,when the operating system function call is the first function call and the file data is stored inside the file container, the access manager is further configured to;
  
  verify that the file permission corresponding to the at least one file attribute permits a read,when a read is permitted, return only the file data as file data via the read request, andwhen a read is not permitted, return the signature and the file data as file data via the read request.
- View Dependent Claims (15, 16)
- - 15. The system of claim 14 wherein when the operating system function call is the second function call and when the file data is stored inside the file container the access manager is further configured to:
    - verify that the file permission corresponding to the at least one file attribute permits a write,when a write is permitted, update the at least one file attribute in the file attribute database, write the signature to the file container, and write the file data to the file container, andwhen a write is not permitted, prohibit writing to the file data by the application operating on the computing device.
  - 16. The system of claim 14, wherein at least a portion of the file attribute database is stored on the storage module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Crowdstrike, Inc. (CrowdStrike Holdings Incorporated)
Original Assignee
Secure Circle, LLC (CrowdStrike Holdings Incorporated)
Inventors
Capone, Jeffrey
Primary Examiner(s)
Owyang, Michelle N

Application Number

US15/171,134
Publication Number

US 20160359859A1
Time in Patent Office

1,188 Days
Field of Search

707705-788
US Class Current
CPC Class Codes

G06F 16/176   Support for shared access t...

G06F 21/60   Protecting data

G06F 21/6218   to a system of files or obj...

H04L 63/101   Access control lists [ACL]

System for secure file access

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

System for secure file access

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links