Associating Security Information with Information Objects

US 20080229412A1
Filed: 05/30/2008
Published: 09/18/2008
Est. Priority Date: 12/15/2005
Status: Active Grant

First Claim

Patent Images

1. A method, in a data processing system, for authorizing information flows between devices of the data processing system, the method comprising:

generating a hash key based on an information object;

performing a lookup operation in a hash table based on the hash key;

determining if an entry in the hash table at an index corresponding to the hash key identifies a labelset for the information object;

storing a labelset, identifying a sensitivity of the information object, in the entry at the index corresponding to the hash key for the information object if a labelset for the information object is not identified in the entry in the hash table; and

authorizing information flows involving the information object based on a lookup of the labelset associated with the information object in the hash table.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A hash key is generated based on an information object and a lookup operation is performed in a hash table based on the hash key. A determination is made whether an entry in the hash table at an index corresponding to the hash key identifies a labelset for the information object. A labelset, identifying a sensitivity of the information object, is stored in the entry at the index corresponding to the hash key for the information object if a labelset for the information object is not identified in the entry in the hash table. Information flows involving the information object are authorized based on a lookup of the labelset associated with the information object in the hash table. The hash table may be a multidimensional hash table.

Citations

38 Claims

1. A method, in a data processing system, for authorizing information flows between devices of the data processing system, the method comprising:
- generating a hash key based on an information object;
  
  performing a lookup operation in a hash table based on the hash key;
  
  determining if an entry in the hash table at an index corresponding to the hash key identifies a labelset for the information object;
  
  storing a labelset, identifying a sensitivity of the information object, in the entry at the index corresponding to the hash key for the information object if a labelset for the information object is not identified in the entry in the hash table; and
  
  authorizing information flows involving the information object based on a lookup of the labelset associated with the information object in the hash table.
- View Dependent Claims (2, 5, 6, 7, 8, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the hash table is a multidimensional hash table and the hash key comprises a plurality of hash keys generated by a plurality of hash functions, at least one hash function and hash key for each dimension of the multidimensional hash table.
  - 5. The method of claim 1, wherein the hash table is stored in a trusted computing base which is separate from a source of the information object.
  - 6. The method of claim 1, wherein authorizing information flows involving the information object based on a lookup of the labelset associated with the information object in the hash table comprises:
    - receiving a request for authorization of an information flow involving the information object from a first device to a second device;
      
      retrieving contents of the information object from a source of the information object;
      
      generating a hash key based on the contents of the information object;
      
      performing a lookup operation in the hash table based on the hash key to identify a labelset associated with the information object; and
      
      performing one or more authorization operation based on the labelset associated with the information object.
  - 7. The method of claim 6, wherein performing one or more authorization operation comprises comparing the labelset associated with the information object and a labelset of a source of the information object with a labelset associated with a target of the information flow.
  - 8. The method of claim 7, wherein comparing the labelset associated with the information object and the labelset of the source with a labelset associated with a target of the information flow comprises performing at least one set theory operation on the labelsets.
  - 10. The method of claim 1, wherein storing a labelset, identifying a sensitivity of the information object, in the entry at the index corresponding to the hash key for the information object comprises storing a labelset associated with a source of the information object in the entry in association with the information object.
  - 11. The method of claim 1, wherein the labelset comprises a labellist element providing one or more labels of the labelset.
  - 12. The method of claim 11, wherein the labels in the labellist are composed of a policy type and a value, wherein the policy type identifies a security policy to be applied to the labelset and the value identifies a value to be used in evaluating the security policy identified by the policy type.
  - 13. The method of claim 11, wherein each labelset further comprises a version element indicating a version of the labelset and a count element indicating a number of labels included in the labelset.

3. (canceled)

4. (canceled)

9. (canceled)

14. A computer program product comprising a computer usable medium including a computer readable program, wherein the computer readable program, when executed on a computing device, causes the computing device to:
- generate a hash key based on an information object;
  
  perform a lookup operation in a hash table based on the hash key;
  
  determine if an entry in the hash table at an index corresponding to the hash key identifies a labelset for the information object;
  
  store a labelset, identifying a sensitivity of the information object, in the entry at the index corresponding to the hash key for the information object if a labelset for the information object is not identified in the entry in the hash table; and
  
  authorize information flows involving the information object based on a lookup of the labelset associated with the information object in the hash table.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The computer program product of claim 14, wherein the hash table is stored in a trusted computing base which is separate from a source of the information object.
  - 19. The computer program product of claim 14, wherein the computer readable program causes the computing device to authorize information flows involving the information object based on a lookup of the labelset associated with the information object in the hash table by:
    - receiving a request for authorization of an information flow involving the information object from a first device to a second device;
      
      retrieving contents of the information object from a source of the information object;
      
      generating a hash key based on the contents of the information object;
      
      performing a lookup operation in the hash table based on the hash key to identify a labelset associated with the information object; and
      
      performing one or more authorization operation based on the labelset associated with the information object.
  - 20. The computer program product of claim 19, wherein the computer readable program causes the computing device to perform one or more authorization operation by comparing the labelset associated with the information object and a labelset of a source of the information object with a labelset associated with a target of the information flow.
  - 21. The computer program product of claim 20, wherein the computer readable program causes the computing device to compare the labelset associated with the information object and the labelset of the source with a labelset associated with a target of the information flow by performing at least one set theory operation on the labelsets.
  - 22. The computer program product of claim 21, wherein the at least one set theory operation is performed by at least one security policy module identified in the labelset associated with the information object and the labelset associated with the target of the information flow, and wherein results generated by each of the at least one security policy module are combined to generate a single result indicating whether the information flow is authorized.
  - 23. The computer program product of claim 14, wherein the computer readable program causes the computing device to store a labelset in the entry at the index corresponding to the hash key for the information object by storing a labelset associated with a source of the information object in the entry in association with the information object.

15. (canceled)

16. (canceled)

17. (canceled)

24. (canceled)

25. (canceled)

26. (canceled)

27. An apparatus for authorizing information flows between devices of the data processing system, the method comprising:
- an information flow mediator; and
  
  a labelset storage device coupled to the information flow mediator, wherein the information flow mediator;
  
  generates a hash key based on an information object,performs a lookup operation in a hash table stored in the labelset storage device based on the hash key,determines if an entry in the hash table at an index corresponding to the hash key identifies a labelset for the information object,stores a labelset, identifying a sensitivity of the information object, in the entry at the index corresponding to the hash key for the information object if a labelset for the information object is not identified in the entry in the hash table, andauthorizes information flows involving the information object based on a lookup of the labelset associated with the information object in the hash table.
- View Dependent Claims (28, 31, 32, 33, 34)
- - 28. The apparatus of claim 27, wherein the hash table is a multidimensional hash table and the hash key comprises a plurality of hash keys generated by a plurality of hash functions, at least one hash function and hash key for each dimension of the multidimensional hash table.
  - 31. The apparatus of claim 27, wherein the information flow mediator authorizes information flows involving the information object based on a lookup of the labelset associated with the information object in the hash table by:
    - receiving a request for authorization of an information flow involving the information object from a first device to a second device;
      
      retrieving contents of the information object from a source of the information object;
      
      generating a hash key based on the contents of the information object;
      
      performing a lookup operation in the hash table based on the hash key to identify a labelset associated with the information object; and
      
      performing one or more authorization operation based on the labelset associated with the information object.
  - 32. The apparatus of claim 31, wherein the information flow mediator performs one or more authorization operation by comparing the labelset associated with the information object and a labelset of a source of the information object with a tabelset associated with a target of the information flow.
  - 33. The apparatus of claim 32, wherein the information flow mediator compares the labelset associated with the information object and the labelset of the source with a labelset associated with a target of the information flow by performing at least one set theory operation on the labelsets.
  - 34. The apparatus of claim 33, wherein the at least one set theory operation is performed by at least one security policy module identified in the labelset associated with the information object and the labelset associated with the target of the information flow, and wherein results generated by each of the at least one security policy module are combined to generate a single result indicating whether the information flow is authorized.

29. (canceled)

30. (canceled)

35. (canceled)

36. A data processing system for authorizing information flows between devices, comprising:
- first computing device in a first partition of the data processing system, wherein the first computing device has a source element for communicating information to a target element;
  
  a second computing device in a second partition of the data processing system, wherein the second computing device has the target element; and
  
  a reference monitor, coupled to the first computing device and the second computing device, that monitors information flows between the first partition and the second partition, wherein the reference monitor;
  
  generates a hash key based on an information object,performs a lookup operation in a hash table based on the hash key,determines if an entry in the hash table at an index corresponding to the hash key identifies a labelset for the information object,stores a labelset, identifying a sensitivity of the information object, in the entry at the index corresponding to the hash key for the information object if a labelset for the information object is not identified in the entry in the hash table, andauthorizes information flows involving the information object based on a lookup of the labelset associated with the information object in the hash table.

37. (canceled)

38. A computing device, comprising:
- a processor; and
  
  a memory, wherein the memory contains instructions which, when executed by the processor, cause the processor to;
  
  generate a hash key based on an information object;
  
  perform a lookup operation in a hash table based on the hash key;
  
  determine if an entry in the hash table at an index corresponding to the hash key identifies a labelset for the information object;
  
  store a labelset, identifying a sensitivity of the information object, in the entry at the index corresponding to the hash key for the information object if a labelset for the information object is not identified in the entry in the hash table; and
  
  authorize information flows involving the information object based on a lookup of the labelset associated with the information object in the hash table.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Arroyo, Diana J., Muppidi, Sridhar R., Williams, Ronald B., Simon, Kimberly D., Blakley, George R., Jamesk, Damir A.

Granted Patent

US 7,975,295 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/21
CPC Class Codes

G06F 21/6218 to a system of files or obj...

Associating Security Information with Information Objects

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Associating Security Information with Information Objects

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links