Secure kernel transactions

US 20050091502A1
Filed: 10/23/2003
Published: 04/28/2005
Est. Priority Date: 10/23/2003
Status: Active Grant

First Claim

Patent Images

1. A kernel-level transaction system, comprising:

plural kernel objects to implement a transaction having plural operations; and

a security descriptor, applied to at least one of the kernel objects, to identify at least one user, to identify one of the operations of the transaction that may be performed on the kernel object to which the security descriptor is applied, and to identify a right indicating that the identified user is permitted or prohibited to perform the operation.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Kernel objects for implementing a transaction have a security descriptor applied thereto. The kernel objects include, at least, a transaction object, a resource management object, and an enlistment object. The security descriptor, otherwise known as an access control list, identifies at least one user, an operation to be performed on the kernel object to which the security descriptor is applied, and a right indicating that the identified user is permitted or prohibited to perform the operation.

Citations

33 Claims

1. A kernel-level transaction system, comprising:
- plural kernel objects to implement a transaction having plural operations; and
  
  a security descriptor, applied to at least one of the kernel objects, to identify at least one user, to identify one of the operations of the transaction that may be performed on the kernel object to which the security descriptor is applied, and to identify a right indicating that the identified user is permitted or prohibited to perform the operation.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. A system according to claim 1, wherein the plural kernel objects include:
    - a transaction object to represent a transaction;
      
      a resource manager object to represent a resource participating in the transaction; and
      
      an enlistment object to enlist participants in the transaction.
  - 3. A system according to claim 1, wherein the security descriptor comprises at least one access control entry (ACE), which includes a security identifier (SID) and rights corresponding to the SID.
  - 4. A system according to claim 2, wherein the security descriptor is applied to the transaction object, and the operation identified by the security descriptor includes at least one of:
    - set information regarding the transaction object, enlist the transaction object in the transaction, render data updates in connection with the transaction object durable, abort the operation on the transaction object, transmit data from the transaction object to another object, save the current point of the transaction at the transaction object, and transmit data regarding the transaction to another device.
  - 5. A system according to claim 2, wherein the security descriptor is applied to the resource manager object, and the operation identified by the security descriptor includes at least one of:
    - retrieve information regarding the resource manager object, set information regarding the resource manager object, determine the state of a transaction at a moment of transaction failure, enlist the resource manager object in a transaction, register the resource manager object in the transaction, receive notification upon resolution of a transaction at the resource manager object, and set resource data in accordance with the transaction resolution.
  - 6. A system according to claim 2, wherein the security descriptor is applied to the enlistment object, and the operation identified by the security descriptor includes at least one of:
    - get information regarding the enlistment object, set information regarding the enlistment object, determine a state of enlistments at a moment of transaction failure obtain and reference an enlistment key, rollback the transaction and to respond to notifications, and perform operations a superior transaction manager would perform.

7. A method of implementing a kernel-level transaction, comprising:
- attaching a security descriptor to at least one of plural kernel objects utilized in a transaction; and
  
  performing an operation for a transaction on the at least one kernel object in accordance with the rights accorded by the security descriptor attached to the at least one kernel object.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14)
- - 8. A method according to claim 7, wherein the security descriptor includes identification for at least one user, an operation that is able to be performed on the at least one kernel object to which the security descriptor is attached, and a right indicating that the identified user is permitted or prohibited to perform the operation.
  - 9. A method according to claim 8, wherein the at least one kernel object is a transaction object.
  - 10. A method according to claim 8, wherein the at least one kernel object is a resource manager object.
  - 11. A method according to claim 8, wherein the at least one kernel object is an enlistment object.
  - 12. A method according to claim 9, wherein the operation identified by the security descriptor attached to the transaction object includes at least one of:
    - set information regarding the transaction object, enlist the transaction object in the transaction, render data updates in connection with the transaction object durable, abort the operation on the transaction object, transmit data from the transaction object to another object, save the current point of the transaction at the transaction object, and transmit data regarding the transaction to another device.
  - 13. A method according to claim 10, wherein the operation identified by the security descriptor attached to the resource manager object includes at least one of:
    - retrieve information regarding the resource manager object, set information regarding the resource manager object, determine the state of a transaction at a moment of transaction failure, enlist the resource manager object in a transaction, register the resource manager object in the transaction, receive notification upon resolution of a transaction at the resource manager object, and set resource data in accordance with the transaction resolution.
  - 14. A method according to claim 11, wherein the operation identified by the security descriptor includes at least one of:
    - get information regarding the enlistment object, set information regarding the enlistment object, determine a state of enlistments at a moment of transaction failure, obtain and reference an enlistment key, rollback the transaction and to respond to notifications, and perform operations a superior transaction manager would perform.

15. A computer-readable medium having stored thereon an object attached to a kernel object, the object comprising:
- a first data entry identifying at least one user;
  
  a second data entry identifying an operation capable of being performed on the kernel object by the user identified by the first data entry; and
  
  a third data entry indicating a right for the user identified by the first data entry to perform the operation identified by the second data entry.
- View Dependent Claims (16, 17, 18)
- - 16. A computer-readable medium according to claim 15, wherein the kernel object is a transaction object, and the identified operation includes at least one of:
    - set information regarding the transaction object, enlist the transaction object in the transaction, render data updates in connection with the transaction object durable, abort the operation on the transaction object, transmit data from the transaction object to another object, save the current point of the transaction at the transaction object, and transmit data regarding the transaction to another device.
  - 17. A computer-readable medium according to claim 15, wherein the kernel object is a resource manager object, and the identified operation includes at least one of:
    - retrieve information regarding the resource manager object, set information regarding the resource manager object, determine the state of a transaction at a moment of transaction failure, enlist the resource manager object in a transaction, register the resource manager object in the transaction, receive notification upon resolution of a transaction at the resource manager object, and set resource data in accordance with the transaction resolution.
  - 18. A computer-readable medium according to claim 15, wherein the kernel object is an enlistment object, and the identified operation includes at least one of:
    - get information regarding the enlistment object, set information regarding the enlistment object, determine a state of enlistments at a moment of transaction failure, obtain and reference an enlistment key, rollback the transaction and to respond to notifications, and perform operations a superior transaction manager would perform.

19. A transaction method, comprising:
- implementing a transaction among kernel objects; and
  
  securing the transaction utilizing The Microsoft®
  
  Windows®
  
  operating system security model.
- View Dependent Claims (20)
- - 20. A transaction method according to claim 19, wherein The Microsoft®
    - Windows®
      
      operating system security model includes applying a security descriptor to at least one of the kernel objects participating in the transaction, and wherein the security descriptor identifies at least one user, an operation to be performed on the at least one kernel object to which the security descriptor is applied, and a right indicating that the identified user is permitted or prohibited to perform the operation.

21. A method of implementing a transaction, comprising:
- attaching a security descriptor to at least one of plural objects utilized in a transaction; and
  
  performing an operation for a transaction on the at least one object in accordance with the rights accorded by the security descriptor attached to the at least one object.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28)
- - 22. A method according to claim 21, wherein the security descriptor includes identification for at least one user, an operation to be performed on the at least one object to which the security descriptor is attached, and a right indicating that the identified user is permitted or prohibited to perform the operation.
  - 23. A method according to claim 22, wherein the at least one object is a transaction object.
  - 24. A method according to claim 22, wherein the at least one object is a resource manager object.
  - 25. A method according to claim 22, wherein the at least one object is an enlistment object.
  - 26. A method according to claim 23, wherein the operation identified by the security descriptor attached to the transaction object includes at least one of:
    - set information regarding the transaction object, enlist the transaction object in the transaction, render data updates in connection with the transaction object durable, abort the operation on the transaction object, transmit data from the transaction object to another object, save the current point of the transaction at the transaction object, and transmit data regarding the transaction to another device.
  - 27. A method according to claim 24, wherein the operation identified by the security descriptor attached to the resource manager object includes at least one of:
    - retrieve information regarding the resource manager object, set information regarding the resource manager object, determine the state of a transaction at a moment of transaction failure, enlist the resource manager object in a transaction, register the resource manager object in the transaction, receive notification upon resolution of a transaction at the resource manager object, and set resource data in accordance with the transaction resolution.
  - 28. A method according to claim 25, wherein the operation identified by the security descriptor includes at least one of:
    - get information regarding the enlistment object, set information regarding the enlistment object, determine a state of enlistments at a moment of transaction failure, obtain and reference an enlistment key, rollback the transaction and to respond to notifications, and perform operations a superior transaction manager would perform.

29. A kernel-level transaction system, comprising:
- means for implementing a transaction among kernel objects; and
  
  means for securing the transaction by applying a security descriptor to at least one of the kernel objects, wherein the security descriptor identifies at least one user, an operation to be performed on the kernel object to which the security descriptor is applied, and a right indicating that the identified user is permitted or prohibited to perform the operation.
- View Dependent Claims (30, 31, 32, 33)
- - 30. A system according to claim 29, wherein the kernel objects include:
    - a transaction object to represent a transaction;
      
      a resource manager object to represent a resource participating in the transaction; and
      
      an enlistment object to enlist participants in the transaction.
  - 31. A system according to claim 30, wherein the security descriptor is applied to the transaction object, and the operation identified by the security descriptor includes at least one of:
    - set information regarding the transaction object, enlist the transaction object in the transaction, render data updates in connection with the transaction object durable, abort the operation on the transaction object, transmit data from the transaction object to another object, save the current point of the transaction at the transaction object, and transmit data regarding the transaction to another device.
  - 32. A system according to claim 30, wherein the security descriptor is applied to the resource manager object, and the operation identified by the security descriptor includes at least one of:
    - p1 retrieve information regarding the resource manager object, set information regarding the resource manager object, determine the state of a transaction at a moment of transaction failure, enlist the resource manager object in a transaction, register the resource manager object in the transaction, receive notification upon resolution of a transaction at the resource manager object, and set resource data in accordance with the transaction resolution.
  - 33. A system according to claim 30, wherein the security descriptor is applied to the enlistment object, and the operation identified by the security descriptor includes at least one of:
    - get information regarding the enlistment object, set information regarding the enlistment object, and determine a state of enlistments at a moment of transaction failure.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Tipton, William R., Zbikowski, Mark J., Verma, Surendra, Cargille, Jon

Granted Patent

US 7,591,015 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/182
CPC Class Codes

G06F 21/6209   to a single file or object,...

G06F 21/6281   at program execution time, ...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 9/468   Specific access rights for ...

Secure kernel transactions

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Secure kernel transactions

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links