Environmental security controls to prevent unauthorized access to files, programs, and objects
First Claim
1. A method, comprising:
receiving, from an application executing on a system, a request to access a data file;
receiving data describing the request, wherein the data describing the request includes data from a runtime stack;
determining, from the data from the runtime stack, (i) a most recent user application in the runtime stack, and (ii) first program statement number, wherein the first program statement number identifies a first machine-level code statement in compiled source code of the most recent user application, wherein the first machine-level code statement is currently being executed;
identifying, in a protected memory block, a first rule that corresponds to the data file, wherein the first rule defines permission to access the data file, and wherein the first rule specifies (i) a first authorized user application and (ii) a first authorized program statement number of the most recent user application, wherein the first authorized program statement number specifies a machine-level code statement in compiled source code of the first authorized user application;
upon determining that the first program statement number from the runtime stack does not match the first authorized program statement number specified in the first rule, restricting access to the data file by the application; and
upon restricting access to the data file, updating an access log to include an entry specifying (i) the most recent user application, (ii) the first program statement number, and (iii) an indication that access was restricted.
Abstract
Systems, methods, and computer program products to perform an operation comprising receiving, from an application executing on a system, a request to access a data file, receiving data describing the request, wherein the data describing the request includes data from a runtime stack of the application, wherein the data from the runtime stack includes a program statement number, identifying, in a protected memory block, a first rule for accessing the data file, wherein the first rule specifies a program statement number permitted to access the data file, and upon determining that the program statement number from the runtime stack does not match the program statement number specified in the first rule, restricting access to the data file by the application.
89 Citations
20 Claims
1. A method, comprising: (independent claim 1, reproduced in full above under First Claim). Dependent claims: 2, 3, 4, 5, 6, 7.
8. A computer program product, comprising:
a computer-readable storage medium having computer readable program code embodied therewith, the computer readable program code executable by a processor to perform an operation comprising: receiving, from an application executing on a system, a request to access a data file; receiving data describing the request, wherein the data describing the request includes data from a runtime stack; determining, from the data from the runtime stack, (i) a most recent user application in the runtime stack, and (ii) a first program statement number, wherein the first program statement number identifies a first machine-level code statement in compiled source code of the most recent user application, wherein the first machine-level code statement is currently being executed; identifying, in a protected memory block, a first rule that corresponds to the data file, wherein the first rule defines permission to access the data file, and wherein the first rule specifies (i) a first authorized user application and (ii) a first authorized program statement number of the most recent user application, wherein the first authorized program statement number specifies a machine-level code statement in compiled source code of the first authorized user application; upon determining that the first program statement number from the runtime stack does not match the first authorized program statement number specified in the first rule, restricting access to the data file by the application; and upon restricting access to the data file, updating an access log to include an entry specifying (i) the most recent user application, (ii) the first program statement number, and (iii) an indication that access was restricted. Dependent claims: 9, 10, 11, 12, 13, 14.
15. A system, comprising:
a processor; and a memory storing one or more instructions which, when executed by the processor, perform an operation comprising: receiving, from an application executing on a system, a request to access a data file; receiving data describing the request, wherein the data describing the request includes data from a runtime stack; determining, from the data from the runtime stack, (i) a most recent user application in the runtime stack, and (ii) a first program statement number, wherein the first program statement number identifies a first machine-level code statement in compiled source code of the most recent user application, wherein the first machine-level code statement is currently being executed; identifying, in a protected memory block, a first rule that corresponds to the data file, wherein the first rule defines permission to access the data file, and wherein the first rule specifies (i) a first authorized user application and (ii) a first authorized program statement number of the most recent user application, wherein the first authorized program statement number specifies a machine-level code statement in compiled source code of the first authorized user application; upon determining that the first program statement number from the runtime stack does not match the first authorized program statement number specified in the first rule, restricting access to the data file by the application; and upon restricting access to the data file, updating an access log to include an entry specifying (i) the most recent user application, (ii) the first program statement number, and (iii) an indication that access was restricted. Dependent claims: 16, 17, 18, 19, 20.
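The access check that the abstract and claims 1, 8 and 15 describe, as an added Python illustration that is not code from the patent: a constructed runtime stack is walked to the most recent user-application frame, that frame's statement number is compared with the rule stored for the file, and a restriction is written to the access log on mismatch. The class and field names, the `PAYROLL` sample program, and treating a missing rule or a stack with no user frame as restricted are assumptions made here.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Frame:
    application: str           # program whose compiled code this stack frame belongs to
    statement_number: int      # machine-level statement currently executing in that frame
    is_user_application: bool  # False for operating-system / runtime-library frames

@dataclass(frozen=True)
class AccessRule:              # one entry of the protected memory block
    data_file: str
    authorized_application: str
    authorized_statement_number: int

@dataclass(frozen=True)
class LogEntry:                # access-log record written when access is restricted
    application: str
    statement_number: int
    restricted: bool

class FileAccessGuard:
    def __init__(self, rules: List[AccessRule]) -> None:
        self.rules = {r.data_file: r for r in rules}  # stands in for the protected memory block
        self.access_log: List[LogEntry] = []

    @staticmethod
    def most_recent_user_frame(stack: List[Frame]) -> Optional[Frame]:
        # stack[0] is the top of the runtime stack; skip system frames to reach the user application
        return next((f for f in stack if f.is_user_application), None)

    def request_access(self, data_file: str, stack: List[Frame]) -> bool:
        frame = self.most_recent_user_frame(stack)
        rule = self.rules.get(data_file)
        # Assumption (not stated in the claims): no user frame, or no rule for the file, means restricted.
        app = frame.application if frame else "<no user application>"
        stmt = frame.statement_number if frame else -1
        permitted = (rule is not None and frame is not None
                     and app == rule.authorized_application
                     and stmt == rule.authorized_statement_number)
        if not permitted:
            self.access_log.append(LogEntry(app, stmt, restricted=True))
        return permitted

def demo() -> Tuple[bool, bool, List[LogEntry]]:
    # Constructed sample: PAYROLL may open payroll.dat only from its statement 1200.
    guard = FileAccessGuard([AccessRule("payroll.dat", "PAYROLL", 1200)])
    good = [Frame("IO_RUNTIME", 17, False), Frame("PAYROLL", 1200, True)]
    # Same program, but the request originates at statement 3410; the frame at 1200 is deeper, so it is ignored.
    bad = [Frame("IO_RUNTIME", 17, False), Frame("PAYROLL", 3410, True), Frame("PAYROLL", 1200, True)]
    return (guard.request_access("payroll.dat", good),
            guard.request_access("payroll.dat", bad), guard.access_log)
```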
Specification