Policy-driven kernel-based security implementation

US 20030105951A1
Filed: 12/05/2001
Published: 06/05/2003
Est. Priority Date: 12/05/2001
Status: Active Grant

First Claim

Patent Images

1. A method of improving security processing in a computing network, comprising steps of:

providing security processing in an operating system kernel;

providing an application program which makes use of the operating system kernel during execution;

providing security policy information;

executing the application program; and

selectably securing at least one communication of the executing application program using the provided security processing in the operating system kernel, under conditions specified by the security policy information.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Improvements in security processing are disclosed which enable security processing to be transparent to the application. Security processing (such as Secure Sockets Layer, or “SSL”, or Transport Layer Security, or “TLS”) is performed in (or controlled by) the stack. A decision to enable security processing on a connection can be based on configuration data or security policy, and can also be controlled using explicit enablement directives. Directives may also be provided for allowing applications to communicate with the security processing in the stack for other purposes. Functions within the protocol stack that need access to clear text can now be supported without loss of security processing capability. No modifications to application code, or in some cases only minor modifications (such as inclusion of code to invoke directives), are required to provide this security processing. Improved offloading of security processing is also disclosed, which provides processing efficiencies over prior art offloading techniques.

45 Citations

View as Search Results

18 Claims

1. A method of improving security processing in a computing network, comprising steps of:
- providing security processing in an operating system kernel;
  
  providing an application program which makes use of the operating system kernel during execution;
  
  providing security policy information;
  
  executing the application program; and
  
  selectably securing at least one communication of the executing application program using the provided security processing in the operating system kernel, under conditions specified by the security policy information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method according to claim 1, wherein the security policy information is stored in a security repository.
  - 3. The method according to claim 2, wherein the security policy information is usable for more than one executing application program.
  - 4. The method according to claim 1, wherein the conditions include network addresses.
  - 5. The method according to claim 4, wherein the network addresses specify one or more of server addresses and destination addresses.
  - 6. The method according to claim 4, wherein the network addresses include ranges of source addresses and/or ranges of destination addresses.
  - 7. The method according to claim 1, wherein the conditions include one or more port numbers and/or one or more port number ranges.
  - 8. The method according to claim 1, wherein the conditions include one or more job names.
  - 9. The method according to claim 1, wherein the conditions include one or more client identifiers.
  - 10. The method according to claim 1, further comprising the step of checking the security policy information when the executing application program establishes a connection, and wherein the selectably securing step communicates on that connection according to a result of the checking step.
  - 11. The method according to claim 1, whereby communications from the executing application program may be secured even though the provided application program has no code for security processing.
  - 12. The method according to claim 1, wherein the provided application program includes invocation of one or more security directives, and further comprising the step of executing, during execution of the provided application program, one or more of the invoked security directives.
  - 13. The method according to claim 1, wherein, when a result of evaluating the security policy information so indicates, the selectably securing step thereby secures only some sockets of a port.
  - 14. The method according to claim 1, wherein the provided security processing operates in a Transmission Control Protocol layer of the operating system kernel.
  - 15. The method according to claim 1, wherein the provided security processing implements Secure Sockets Layer.
  - 16. The method according to claim 1, wherein the provided security processing implements Transaction Layer Security.

17. A system for improving security processing in a computing network, comprising:
- means for performing security processing in an operating system kernel;
  
  security policy information specifying one or more conditions under which the means for performing security processing is to be activated;
  
  means for executing an application program which makes use of the operating system kernel during execution; and
  
  means for selectably securing, according to the conditions specified by the security policy information, at least one communication of the executing application program using the means for performing security processing.

18. A computer program product for improving security processing in a computing network, the computer program product embodied on one or more computer-readable media and comprising:
- computer-readable program code means for performing security processing in an operating system kernel;
  
  computer-readable program code means for accessing security policy information, the security policy information specifying one or more conditions under which the computer-readable program code means for performing security processing is to be activated;
  
  computer-readable program code means for executing an application program which makes use of the operating system kernel during execution; and
  
  computer-readable program code means for selectably securing, according to the conditions specified by the security policy information, at least one communication of the executing application program using the computer-readable program code means for performing security processing.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
International Business Machines Corporation
Inventors
Brabson, Roy F., Overby, Linwood Hugh Jr.

Granted Patent

US 7,246,233 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/151
CPC Class Codes

H04L 63/04   for providing a confidentia...

H04L 63/08   for authentication of entit...

H04L 63/166   at the transport layer

Policy-driven kernel-based security implementation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

45 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Policy-driven kernel-based security implementation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

45 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links