Methods and apparatus providing security for multiple operational states of a computerized device
First Claim
1. A method for controlling security during operation of a computerized device, the method comprising:
- enforcing a first security policy during first operational state of the computerized device, enforcement of the first security policy providing a first level access to resources within the computerized device by processes operating in the computerized device;
detecting a transition operation of the computerized device that occurs during enforcement of the first security policy, the transition operation indicating that operation of the computerized device is transitioning from the first operational state to a second operational state;
in response to detection of the transition operation, enforcing a second security policy corresponding to the second operational state to provide a level of access to the resources within the computerized device that corresponds to the second operational state during operation of the second operational state; and
repeating the steps of detecting a transition operation and enforcing a second security policy corresponding to the second operational state for a plurality of operational states of the computerized device such that as operation of the computer system transitions from operational state to operational state, different security policies corresponding to those operational states are enforced during operation of those states.
1 Assignment
0 Petitions
Accused Products
Abstract
A system controls security during operation of a computerized device by enforcing a first security policy during first operational state of the computerized device. Enforcement of the first security policy provides a first level access to resources within the computerized device by processes operating in the computerized device. The system detects a transition operation of the computerized device that occurs during enforcement of the first security policy indicating that operation of the computerized device is transitioning from the first operational state to a second operational state and in response, enforces a second security policy corresponding to the second operational state to provide a level of access to the resources within the computerized device that corresponds to the second operational state during operation of the second operational state. This can be repeated for many different states including boot time, normal runtime, installation, shutdown, and a compromised state.
-
Citations
27 Claims
-
1. A method for controlling security during operation of a computerized device, the method comprising:
-
enforcing a first security policy during first operational state of the computerized device, enforcement of the first security policy providing a first level access to resources within the computerized device by processes operating in the computerized device;
detecting a transition operation of the computerized device that occurs during enforcement of the first security policy, the transition operation indicating that operation of the computerized device is transitioning from the first operational state to a second operational state;
in response to detection of the transition operation, enforcing a second security policy corresponding to the second operational state to provide a level of access to the resources within the computerized device that corresponds to the second operational state during operation of the second operational state; and
repeating the steps of detecting a transition operation and enforcing a second security policy corresponding to the second operational state for a plurality of operational states of the computerized device such that as operation of the computer system transitions from operational state to operational state, different security policies corresponding to those operational states are enforced during operation of those states. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
-
-
15. A computerized device comprising:
-
a memory storing installation and non-installation security policies;
a processor;
a communications interface coupled to a network;
an interconnection mechanism coupling the memory, the processor and the communications interface;
wherein the memory is encoded with a security agent that controls security during operations of a computerized device, that when executed on the processor, causes the computerized device to perform the operations of;
enforcing a first security policy during first operational state of the computerized device, enforcement of the first security policy providing a first level access to resources within the computerized device by processes operating in the computerized device;
detecting a transition operation of the computerized device that occurs during enforcement of the first security policy, the transition operation indicating that operation of the computerized device is transitioning from the first operational state to a second operational state;
in response to detection of the transition operation, enforcing a second security policy corresponding to the second operational state to provide a level of access to the resources within the computerized device that corresponds to the second operational state during operation of the second operational state; and
repeating the steps of detecting a transition operation and enforcing a second security policy corresponding to the second operational state for a plurality of operational states of the computerized device such that as operation of the computer system transitions from operational state to operational state, different security policies corresponding to those operational states are enforced during operation of those states. - View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
-
-
26. A computer readable medium including computer program logic instruction encoded thereon, that when executed on a processor in a computerized device, causes the computerized device to perform the operations of:
-
enforcing the non-installation security policy during non-installation operation of the computerized device, enforcement of the non-installation security policy providing non-installation level access to resources within the computerized device by processes operating in the computerized device;
detecting an installation operation of the computerized device that occurs during enforcement of the non-installation security policy, the installation operation indicating that at least one installation is to be performed in the computerized device;
in response to detection of the installation operation, enforcing an installation security policy to provide installation level access to the resources within the computerized device during the installation operation; and
in response to an end-installation event, re-enforcing the non-installation security policy.
-
-
27. A computerized device comprising:
-
a memory storing installation and non-installation security policies;
a processor;
a communications interface coupled to a network;
an interconnection mechanism coupling the memory, the processor and the communications interface;
wherein the memory is encoded with a security agent that controls security during installation operations of a computerized device, that when executed on the processor, causes the computerized device to provide means including;
means for enforcing the non-installation security policy during non-installation operation of the computerized device, enforcement of the non-installation security policy providing non-installation level access to resources within the computerized device by processes operating in the computerized device;
means for detecting an installation operation of the computerized device that occurs during enforcement of the non-installation security policy, the installation operation indicating that at least one installation is to be performed in the computerized device;
in response to detection of the installation operation, means for enforcing an installation security policy to provide installation level access to the resources within the computerized device during the installation operation; and
in response to an end-installation event, means for re-enforcing the non-installation security policy.
-
Specification