Environmental security controls to prevent unauthorized access to files, programs, and objects

US 10,650,156 B2
Filed: 04/26/2017
Issued: 05/12/2020
Est. Priority Date: 04/26/2017
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, from an application executing on a system, a request to access a data file;

receiving data describing the request, wherein the data describing the request includes data from a runtime stack;

determining, from the data from the runtime stack, (i) a most recent user application in the runtime stack, and (ii) first program statement number, wherein the first program statement number identifies a first machine-level code statement in compiled source code of the most recent user application, wherein the first machine-level code statement is currently being executed;

identifying, in a protected memory block, a first rule that corresponds to the data file, wherein the first rule defines permission to access the data file, and wherein the first rule specifies (i) a first authorized user application and (ii) a first authorized program statement number of the most recent user application, wherein the first authorized program statement number specifies a machine-level code statement in compiled source code of the first authorized user application;

upon determining that the first program statement number from the runtime stack does not match the first authorized program statement number specified in the first rule, restricting access to the data file by the application; and

upon restricting access to the data file, updating an access log to include an entry specifying (i) the most recent user application, (ii) the first program statement number, and (iii) an indication that access was restricted.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and computer program products to perform an operation comprising receiving, from an application executing on a system, a request to access a data file, receiving data describing the request, wherein the data describing the request includes data from a runtime stack of the application, wherein the data from the runtime stack includes a program statement number, identifying, in a protected memory block, a first rule for accessing the data file, wherein the first rule specifies a program statement number permitted to access the data file, and upon determining that the program statement number from the runtime stack does not match the program statement number specified in the first rule, restricting access to the data file by the application.

89 Citations

View as Search Results

20 Claims

1. A method, comprising:
- receiving, from an application executing on a system, a request to access a data file;
  
  receiving data describing the request, wherein the data describing the request includes data from a runtime stack;
  
  determining, from the data from the runtime stack, (i) a most recent user application in the runtime stack, and (ii) first program statement number, wherein the first program statement number identifies a first machine-level code statement in compiled source code of the most recent user application, wherein the first machine-level code statement is currently being executed;
  
  identifying, in a protected memory block, a first rule that corresponds to the data file, wherein the first rule defines permission to access the data file, and wherein the first rule specifies (i) a first authorized user application and (ii) a first authorized program statement number of the most recent user application, wherein the first authorized program statement number specifies a machine-level code statement in compiled source code of the first authorized user application;
  
  upon determining that the first program statement number from the runtime stack does not match the first authorized program statement number specified in the first rule, restricting access to the data file by the application; and
  
  upon restricting access to the data file, updating an access log to include an entry specifying (i) the most recent user application, (ii) the first program statement number, and (iii) an indication that access was restricted.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the data from the runtime stack further includes an indication of:
    - (i) a user executing the application, (ii) a most recent program in the runtime stack, wherein the most recent program is more recent than the most recent user application, (iii) a second program statement number of the most recent program in the runtime stack, and (iv) a system object call.
  - 3. The method of claim 2, wherein a second rule specifies a user account permitted to execute the application, wherein a third rule specifies a permitted most recent program in the runtime stack, wherein a fourth rule specifies a statement number of the most recent program in the runtime stack permitted to access the data file, wherein a fifth rule specifies a permitted system object call, wherein the access to the data file is further restricted upon determining that the collected data does not satisfy at least one of the second, third, fourth, and fifth rules.
  - 4. The method of claim 1, further comprising prior to receiving the request:
    - installing an operating system on the system; and
      
      during installation of the operating system;
      
      receiving login credentials and a biometric identifier of a trusted user; and
      
      storing an indication of the login credentials and the biometric identifier in the protected memory block.
  - 5. The method of claim 4, further comprising subsequent to storing the indication of the login credentials and the biometric identifier in the protected memory block:
    - receiving, from the trusted user, the login credentials and the biometric identifier;
      
      authenticating the trusted user based on the login credentials and the biometric identifier;
      
      generating a graphical user interface (GUI) for defining access rules;
      
      receiving, by the graphical user interface, at least one parameter of the first rule, wherein the at least one parameter includes the first authorized program statement number of the machine-level code statement in the first authorized user application; and
      
      storing the at least one parameter of the first rule in the protected memory block.
  - 6. The method of claim 1, further comprising:
    - receiving, from the application, a second request to access a second data file;
      
      receiving data describing the second request, wherein the data describing the second request includes data from the runtime stack of the application, wherein the data from the runtime stack includes a second program statement number associated with the second request; and
      
      upon determining that the second program statement number from the runtime stack matches the first program statement number specified in the first rule, permitting access to the data file by the application.
  - 7. The method of claim 1, wherein the access to the data file is restricted by at least one of:
    - (i) an operating system, and (ii) a microcode of the system.

8. A computer program product, comprising:
- a computer-readable storage medium having computer readable program code embodied therewith, the computer readable program code executable by a processor to perform an operation comprising;
  
  receiving, from an application executing on a system, a request to access a data file;
  
  receiving data describing the request, wherein the data describing the request includes data from a runtime stack;
  
  determining, from the data from the runtime stack, (i) a most recent user application in the runtime stack, and (ii) first program statement number, wherein the first program statement number identifies a first machine-level code statement in compiled source code of the most recent user application, wherein the first machine-level code statement is currently being executed;
  
  identifying, in a protected memory block, a first rule that corresponds to the data file, wherein the first rule defines permission to access the data file, and wherein the first rule specifies (i) a first authorized user application and (ii) a first authorized program statement number of the most recent user application, wherein the first authorized program statement number specifies a machine-level code statement in compiled source code of the first authorized user application;
  
  upon determining that the first program statement number from the runtime stack does not match the first authorized program statement number specified in the first rule, restricting access to the data file by the application; and
  
  upon restricting access to the data file, updating an access log to include an entry specifying (i) the most recent user application, (ii) the first program statement number, and (iii) an indication that access was restricted.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer program product of claim 8, wherein the data from the runtime stack further includes an indication of:
    - (i) a user executing the application, (ii) a most recent program in the runtime stack, wherein the most recent program is more recent than the most recent user application, (iii) a second program statement number of the most recent program in the runtime stack, and (iv) a system object call.
  - 10. The computer program product of claim 9, wherein a second rule specifies a user account permitted to execute the application, wherein a third rule specifies a permitted most recent program in the runtime stack, wherein a fourth rule specifies a statement number of the most recent program in the runtime stack permitted to access the data file, wherein a fifth rule specifies a permitted system object call, wherein the access to the data file is further restricted upon determining that the collected data does not satisfy at least one of the second, third, fourth, and fifth rules.
  - 11. The computer program product of claim 8, the operation further comprising prior to receiving the request:
    - installing an operating system on the system; and
      
      during installation of the operating system;
      
      receiving login credentials and a biometric identifier of a trusted user; and
      
      storing an indication of the login credentials and the biometric identifier in the protected memory block.
  - 12. The computer program product of claim 11, the operation further comprising subsequent to storing the indication of the login credentials and the biometric identifier in the protected memory block:
    - receiving, from the trusted user, the login credentials and the biometric identifier;
      
      authenticating the trusted user based on the login credentials and the biometric identifier;
      
      generating a graphical user interface (GUI) for defining access rules;
      
      receiving, by the graphical user interface, at least one parameter of the first rule, wherein the at least one parameter includes the first authorized program statement number of the machine-level code statement in the first authorized user application; and
      
      storing the at least one parameter of the first rule in the protected memory block.
  - 13. The computer program product of claim 8, the operation further comprising:
    - receiving, from the application, a second request to access a second data file;
      
      receiving data describing the second request, wherein the data describing the second request includes data from the runtime stack of the application, wherein the data from the runtime stack includes a second program statement number associated with the second request; and
      
      upon determining that the second program statement number from the runtime stack matches the first program statement number specified in the first rule, permitting access to the data file by the application.
  - 14. The computer program product of claim 8, wherein the access to the data file is restricted by at least one of:
    - (i) an operating system, and (ii) a microcode of the system.

15. A system, comprising:
- a processor; and
  
  a memory storing one or more instructions which, when executed by the processor, performs an operation comprising;
  
  receiving, from an application executing on a system, a request to access a data file;
  
  receiving data describing the request, wherein the data describing the request includes data from a runtime stack;
  
  determining, from the data from the runtime stack, (i) a most recent user application in the runtime stack, and (ii) first program statement number, wherein the first program statement number identifies a first machine-level code statement in compiled source code of the most recent user application, wherein the first machine-level code statement is currently being executed;
  
  identifying, in a protected memory block, a first rule that corresponds to the data file, wherein the first rule defines permission to access the data file, and wherein the first rule specifies (i) a first authorized user application and (ii) a first authorized program statement number of the most recent user application, wherein the first authorized program statement number specifies a machine-level code statement in compiled source code of the first authorized user application;
  
  upon determining that the first program statement number from the runtime stack does not match the first authorized program statement number specified in the first rule, restricting access to the data file by the application; and
  
  upon restricting access to the data file, updating an access log to include an entry specifying (i) the most recent user application, (ii) the first program statement number, and (iii) an indication that access was restricted.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the data from the runtime stack further includes an indication of:
    - (i) a user executing the application, (ii) a most recent program in the runtime stack, wherein the most recent program is more recent than the most recent user application, (iii) a second program statement number of the most recent program in the runtime stack, and (iv) a system object call.
  - 17. The system of claim 16, wherein a second rule specifies a user account permitted to execute the application, wherein a third rule specifies a permitted most recent program in the runtime stack, wherein a fourth rule specifies a statement number of the most recent program in the runtime stack permitted to access the data file, wherein a fifth rule specifies a permitted system object call, wherein the access to the data file is further restricted upon determining that the collected data does not satisfy at least one of the second, third, fourth, and fifth rules.
  - 18. The system of claim 15, the operation further comprising prior to receiving the request:
    - installing an operating system on the system; and
      
      during installation of the operating system;
      
      receiving login credentials and a biometric identifier of a trusted user; and
      
      storing an indication of the login credentials and the biometric identifier in the protected memory block.
  - 19. The system of claim 18, the operation further comprising subsequent to storing the indication of the login credentials and the biometric identifier in the protected memory block:
    - receiving, from the trusted user, the login credentials and the biometric identifier;
      
      authenticating the trusted user based on the login credentials and the biometric identifier;
      
      generating a graphical user interface (GUI) for defining access rules;
      
      receiving, by the graphical user interface, at least one parameter of the first rule, wherein the at least one parameter includes the first authorized program statement number of the machine-level code statement in the first authorized user application; and
      
      storing the at least one parameter of the first rule in the protected memory block.
  - 20. The system of claim 15, wherein the access to the data file is restricted by at least one of:
    - (i) an operating system, and (ii) a microcode of the system, the operation further comprising;
      
      receiving, from the application, a second request to access a second data file;
      
      receiving data describing the second request, wherein the data describing the second request includes data from the runtime stack of the application, wherein the data from the runtime stack includes a second program statement number associated with the second request; and
      
      upon determining that the second program statement number from the runtime stack matches the first program statement number specified in the first rule, permitting access to the data file by the application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Anderson, Mark J., Forstie, Scott, Uehling, Jeffrey M.
Primary Examiner(s)
Potratz, Daniel B
Assistant Examiner(s)
Straub, D'Arcy Winston

Application Number

US15/498,115
Publication Number

US 20180314845A1
Time in Patent Office

1,112 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 8/61   Installation

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

Environmental security controls to prevent unauthorized access to files, programs, and objects

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

89 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Environmental security controls to prevent unauthorized access to files, programs, and objects

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

89 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links