Security model for common multiplexed transactional logs
Abstract
A security model is provided in a transactional logging infrastructure that is arranged as a protected subsystem built on an underlying secure file system. Files in the underlying file system used by virtual log streams are protected from direct user writes, and are written to only through the protected subsystem, which is brokered by a machine-wide principal so that virtual log files sharing the same multiplexed physical log are kept secure from each other. Log file handles and user- and kernel-mode objects are exposed to log clients through interfaces using consistent security semantics for both dedicated and virtual logs. Log clients are agnostic of the underlying secure file system and can only manipulate file system containers (abstract objects that implement the physical log and are used to virtualize the file system by normalizing input/output operations) by using the interfaces brokered by the principal in the protected subsystem.
20 Claims
1. A method for implementing security for one or more log files in a multiplexed physical log environment, the method comprising the steps of:
establishing a protected subsystem in which file system operations are exclusively delegated to a principal that accesses container files in an underlying secure file system used to back the multiplexed physical log so that operations on the container files are segregated from operations on the one or more log files;
providing, to log clients, an interface to the protected subsystem, the interface being arranged for enabling the log clients to make I/O requests to the one or more log files through the principal; and
directing the I/O requests on the interface to the underlying secure file system.
Dependent claims: 2 to 11.
12. A computer-readable medium containing instructions which, when executed by one or more processors disposed in an electronic device, implements a rule set for governing security for log files in a multiplexed log environment operating over a secure file system, the rule set comprising:
a first rule specifying that a creator of a log file is a sole owner of the log file, entitled to full access to the log file, and enabled with an ability to grant or deny permissions for the log file;
a second rule specifying that a principal may override the first rule, the principal selected from one of machine-wide principal, system principal, principal in an administrative group, or a principal having backup or restore privileges; and
a third rule specifying that a log client which is not an owner of a log file shall be granted child creation permissions on a real log file in order to create a virtual log file.
Dependent claims: 13 to 17.
18. A computer-readable medium containing instructions which, when executed by one or more processors disposed in an electronic device, implements a rule set governing security for container files used to back a physical log in a multiplexed log environment operating over a secure file system, the rule set comprising:
a first rule specifying that the container files are created, opened and owned by a machine-wide principal that is provided with exclusive read/write and control access to the container files;
a second rule specifying that a principal in an administrative group owns the container files but has no permission to delete the container files, or access data within the container files; and
a third rule specifying that a principal that owns a real log file has permission to read and delete container files underlying the real log file.
Dependent claims: 19 and 20.
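The following is an added illustration, not code from the patent or from any product implementing it. It models the brokered-access design of the abstract and claim 1 together with the two rule sets of claims 12 and 18 as a small policy engine: log clients issue requests against log files, the broker checks them against the log-file rules, and only the machine-wide principal ever touches the container file that backs the multiplexed physical log. The principal name "machine-wide", the permission names ("read", "write", "control", "delete", "create_child"), the `LogBroker` API and the decision to reduce the administrative group's container "ownership" to control-only access are all assumptions made for the example.

```python
# Added example (not the patent's code): toy model of the brokered log security model.
# Principal names, permission names and the LogBroker API are assumptions.
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable, Optional

MACHINE = "machine-wide"   # assumed name of the brokering machine-wide principal


@dataclass(frozen=True)
class Principal:
    name: str
    admin: bool = False           # member of an administrative group
    backup_restore: bool = False  # holds backup or restore privileges
    system: bool = False          # the system principal

    def may_override(self) -> bool:
        """Claim 12, rule 2: principals allowed to override owner-only access."""
        return self.name == MACHINE or self.system or self.admin or self.backup_restore


@dataclass
class LogFile:
    owner: str                                   # claim 12, rule 1: creator is sole owner
    real_log: Optional[str] = None               # virtual logs: the real log they live in
    container: Optional[str] = None              # real logs: the backing container file
    grants: dict[str, set[str]] = field(default_factory=dict)  # owner-granted permissions
    data: list[str] = field(default_factory=list)


@dataclass
class ContainerFile:
    owner: str                                   # claim 18, rule 1: always MACHINE
    real_log: str
    data: list[str] = field(default_factory=list)


class LogBroker:
    """Protected subsystem: the only path from log clients to container files."""

    def __init__(self) -> None:
        self.logs: dict[str, LogFile] = {}
        self.containers: dict[str, ContainerFile] = {}

    # Log-file rules (claim 12)
    def log_permitted(self, p: Principal, log: str, perm: str) -> bool:
        lf = self.logs[log]
        if lf.owner == p.name or p.may_override():        # rule 1 (owner) / rule 2 (override)
            return True
        return perm in lf.grants.get(p.name, set())       # permissions the owner granted

    def grant(self, owner: Principal, log: str, grantee: str, perm: str) -> None:
        if self.logs[log].owner != owner.name:            # rule 1: only the owner grants
            raise PermissionError(f"{owner.name} does not own {log}")
        self.logs[log].grants.setdefault(grantee, set()).add(perm)

    # Container-file rules (claim 18)
    def container_permitted(self, p: Principal, name: str, op: str) -> bool:
        cf = self.containers[name]
        if p.name == MACHINE:                             # rule 1: exclusive read/write/control
            return op in {"read", "write", "control", "delete"}
        if self.logs[cf.real_log].owner == p.name:        # rule 3: real-log owner reads/deletes
            return op in {"read", "delete"}
        if p.admin:                                       # rule 2: no delete, no data access
            return op == "control"                        # (assumed: ownership-only operations)
        return False

    # Operations exposed on the interface to log clients
    def create_real_log(self, creator: Principal, log: str) -> str:
        cname = f"{log}.container"
        self.containers[cname] = ContainerFile(owner=MACHINE, real_log=log)  # claim 18 rule 1
        self.logs[log] = LogFile(owner=creator.name, container=cname)       # claim 12 rule 1
        return cname

    def create_virtual_log(self, p: Principal, real_log: str, vlog: str) -> None:
        # claim 12, rule 3: a non-owner needs child-creation permission on the real log
        if not self.log_permitted(p, real_log, "create_child"):
            raise PermissionError(f"{p.name} may not create virtual logs in {real_log}")
        self.logs[vlog] = LogFile(owner=p.name, real_log=real_log)

    def append(self, p: Principal, log: str, record: str) -> None:
        """Client I/O request: checked against the log rules, then performed on the
        container by the broker acting as the machine-wide principal."""
        if not self.log_permitted(p, log, "write"):
            raise PermissionError(f"{p.name} may not write {log}")
        lf = self.logs[log]
        cname = lf.container or self.logs[lf.real_log].container
        assert self.container_permitted(Principal(MACHINE), cname, "write")
        self.containers[cname].data.append(f"{log}:{record}")  # multiplexed physical log
        lf.data.append(record)


def attempt(fn: Callable[[], None]) -> bool:
    """Run a brokered request and report whether the rule set allowed it."""
    try:
        fn()
        return True
    except PermissionError:
        return False


def demo() -> dict[str, bool]:
    """Constructed scenario: two tenants share one physical log, plus an admin."""
    b = LogBroker()
    alice, bob, carol = Principal("alice"), Principal("bob"), Principal("carol")
    admin = Principal("ops", admin=True)
    cname = b.create_real_log(alice, "app.log")          # alice: sole owner of the real log
    b.grant(alice, "app.log", "bob", "create_child")     # rule 3 prerequisite for bob
    b.create_virtual_log(bob, "app.log", "app.log/bob")
    return {
        "bob_writes_own_virtual": attempt(lambda: b.append(bob, "app.log/bob", "hello")),
        "alice_writes_bobs_virtual": attempt(lambda: b.append(alice, "app.log/bob", "x")),
        "admin_overrides_and_writes": attempt(lambda: b.append(admin, "app.log", "audit")),
        "carol_creates_virtual": attempt(lambda: b.create_virtual_log(carol, "app.log", "app.log/carol")),
        "bob_writes_container_directly": b.container_permitted(bob, cname, "write"),
        "admin_reads_container": b.container_permitted(admin, cname, "read"),
        "admin_deletes_container": b.container_permitted(admin, cname, "delete"),
        "admin_controls_container": b.container_permitted(admin, cname, "control"),
        "alice_deletes_own_container": b.container_permitted(alice, cname, "delete"),
        "container_holds_both_streams": b.containers[cname].data == ["app.log/bob:hello", "app.log:audit"],
    }
```

The point the scenario makes is the one the abstract makes: bob's virtual log and alice's real log end up interleaved in the same container file, yet neither principal can write the other's stream or the container itself, and the administrative group can manage the container without reading or deleting the data inside it. Every write that reaches the container is performed by the broker under the machine-wide identity, never under the client's.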