Security model for common multiplexed transactional logs

US 20080208924A1
Filed: 02/28/2007
Published: 08/28/2008
Est. Priority Date: 02/28/2007
Status: Active Grant

First Claim

Patent Images

1. A method for implementing security for one or more log files in a multiplexed physical log environment, the method comprising the steps of:

establishing a protected subsystem in which file system operations are exclusively delegated to a principal that accesses container files in an underlying secure file system used to back the multiplexed physical log so that operations on the container files are segregated from operations on the one or more log files;

providing, to log clients, an interface to the protected subsystem, the interface being arranged for enabling the log clients to make I/O requests to the one or more log files through the principal; and

directing the I/O requests on the interface to the underlying secure file system.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security model is provided in a transactional logging infrastructure that is arranged as a protected subsystem built on an underlying secure file system. Files in the underlying file system used by virtual log streams are protected from direct user writes, and are written-to only through the protected subsystem that is brokered by a machine-wide principal so that virtual log files sharing the same multiplexed physical log are kept secure from each other. Log file handles and user- and kernel-mode objects are exposed to log clients through interfaces using consistent security semantics for both dedicated and virtual logs. Log clients are agnostic of the underlying secure file system and can only manipulate file system containers—abstract objects that implement the physical log and used to virtualize the file system by normalizing input/output operations—by using the interfaces brokered by the principal in the protected subsystem.

Citations

20 Claims

1. A method for implementing security for one or more log files in a multiplexed physical log environment, the method comprising the steps of:
- establishing a protected subsystem in which file system operations are exclusively delegated to a principal that accesses container files in an underlying secure file system used to back the multiplexed physical log so that operations on the container files are segregated from operations on the one or more log files;
  
  providing, to log clients, an interface to the protected subsystem, the interface being arranged for enabling the log clients to make I/O requests to the one or more log files through the principal; and
  
  directing the I/O requests on the interface to the underlying secure file system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 in which the principal is one of machine-wide principal, common log file system-principal, system-principal or security-principal.
  - 3. The method of claim 1 in which the interface includes one of kernel-mode interface or user-mode interface.
  - 4. The method of claim 1 in which a cryptographically-secure signature is associated with each of the one or more log files and each of the container files, the cryptographically-secure signature being arranged to protect log file metadata, the log file metadata including a container list.
  - 5. The method of claim 1 in which a security descriptor is associated with each of the one or more log files and each of the container files.
  - 6. The method of claim 4 in which the cryptographically-secure signature associated with each of the one or more log files is stored in a base log file.
  - 7. The method of claim 6 including a further step of validating log file integrity by confirming that the cryptographically-secure signature stored in the base log file is identical to the cryptographically-secure signature associated with each of the container files.
  - 8. The method of claim 5 which the security descriptor associated with each of the one or more log files is stored in a base log file and including a further step of validating log file integrity by confirming that the stored security descriptor is identical to the security descriptor associated with each of the container files.
  - 9. The method of claim 6 including a further step of atomically updating a cryptographically-secure signature for each of the container files.
  - 10. The method of claim 9 including a further step of rolling back the cryptographically-secure signature to an original value in each of the container files upon occurrence of a failure.
  - 11. The method of claim 1 including a further step of providing a user-mode API set to enable log file import and export functionality.

12. A computer-readable medium containing instructions which, when executed by one or more processors disposed in an electronic device, implements a rule set for governing security for log files in a multiplexed log environment operating over a secure file system, the rule set comprising:
- a first rule specifying that a creator of a log file is a sole owner of the log file, entitled to full access to the log file, and enabled with an ability to grant or deny permissions for the log file;
  
  a second rule specifying that a principal may override the first rule, the principal selected from one of machine-wide-principal, system-principal, principal in an administrative group, or a principal having backup or restore privileges; and
  
  a third rule specifying that a log client which is not an owner of a log file shall be granted child creation permissions on a real log file in order to create a virtual log file.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The computer-readable medium of claim 12 in which the rule set further comprises a fourth rule specifying that default security for a real log file is inherited from the secure file system.
  - 14. The computer-readable medium of claim 13 in which the rule set further comprises a fifth rule specifying that default security for a virtual log file is inherited from the real log file
  - 15. The computer-readable medium of claim 14 in which the rule set further comprises a sixth rule specifying that null security for a log file enables full access to the log file by any log client.
  - 16. The computer-readable medium of claim 15 in which the rule set further comprises a seventh rule specifying that no part of metadata or log client data in a secure log file shall be stored on a non-secure file system.
  - 17. The computer-readable medium of claim 16 in which the rule set further comprises an eighth rule specifying that a log file with null security can be created on either a secure file system or a non-secure file system.

18. A computer-readable medium containing instructions which, when executed by one or more processors disposed in an electronic device, implements a rule set governing security for container files used to back a physical log in a multiplexed log environment operating over a secure file system, the rule set comprising:
- a first rule specifying that the container files are created, opened and owned by a machine-wide principal that is provided with exclusive read/write and control access to the container files;
  
  a second rule specifying that a principal in an administrative group owns the container files but has no permission to delete the container files, or access data within the container files; and
  
  a third rule specifying that a principal that owns a real log file has permission to read and delete container files underlying the real log file.
- View Dependent Claims (19, 20)
- - 19. The computer-readable medium of claim 18 in which the rule set further comprises a fourth rule specifying that the first, second, and third rules are always applicable irrespective as to whether or not security is specified on the real log file.
  - 20. The computer-readable medium of claim 19 in which the rule set further comprises a fifth rule specifying that container files may be backed up or restored by a principal having backup or restoration privileges.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Tipton, William R., Vacheri, Zoheb, Groff, Dana, Bradshaw, Dexter P.

Granted Patent

US 8,321,667 B2
Time in Patent Office

Days
Field of Search
US Class Current

707/202
CPC Class Codes

G06F 21/6218 to a system of files or obj...

G06F 9/455 Emulation; Interpretation; ...

Security model for common multiplexed transactional logs

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Security model for common multiplexed transactional logs

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links