EXECUTABLE IDENTITY BASED FILE ACCESS

US 20120310983A1
Filed: 02/11/2010
Published: 12/06/2012
Est. Priority Date: 02/11/2010
Status: Abandoned Application

First Claim

Patent Images

1. A method (110) of allowing an executable to access a data file comprising:

initiating (114) a file access request from the executable (12) to the data file (24);

accessing (126) an executable identity based access control list (26) to determine (126) whether the executable (12) is allowed to access the data file (24);

allowing (132) the executable (12) to access the data file (24) if the executable (12) is allowed to access the data file (24); and

prohibiting (124) the executable (12) from accessing the data file (24) if the executable (12) is not allowed to access the data file (24).

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In examples of the present invention, an executable seeks to access a data file. An executable identity based access control list is accessed to determine whether the executable should be allowed to access the data tile.

48 Citations

View as Search Results

15 Claims

1. A method (110) of allowing an executable to access a data file comprising:
- initiating (114) a file access request from the executable (12) to the data file (24);
  
  accessing (126) an executable identity based access control list (26) to determine (126) whether the executable (12) is allowed to access the data file (24);
  
  allowing (132) the executable (12) to access the data file (24) if the executable (12) is allowed to access the data file (24); and
  
  prohibiting (124) the executable (12) from accessing the data file (24) if the executable (12) is not allowed to access the data file (24).
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method (110) of claim 1 wherein accessing (126) the executable identity based access control list (26) includes verifying executable integrity (128, 130) by comparing (130) a computed executable identity to an executable identity formed by decrypting (128) a stored executable signature with a public key stored in a certificate store (28).
  - 3. The method (110) of claim 2 wherein the executable identity based control list (26) is stored in policy metadata (70) associated with the data file (24), with the executable identity based access control list (26) storing an executable identities (76, 78) that identify the executable (12).
  - 4. The method (110) of claim 3 wherein a stored policy signature (72) is associated with the executable identity based access control list (26), and executable identity based access policies are validated by comparing (122) the stored policy signature (72) decrypted (122) with a public key stored in the certificate store (28) with results of a hash function applied (120) to the executable identity based access control list (26).
  - 5. The method of claim 2 and further comprising:
    - creating (80) the stored executable signature (68) for the executable (12); and
      
      defining (94) executable identity based tile access policies for the data file (24) by storing the executable identity (66) in the executable identity based access control list (26).

6. Readable media (44) having computer executable program segments stored thereon, the computer executable program segments including:
- a policy enforcement manager (20) for determining whether an executable (12) is allowed to access a data file (24) by accessing an executable identity based access control list (26); and
  
  a file system module (18) for servicing a file access request from the executable (12) to the data. file (24), wherein the file system module (18) communicates with the policy enforcement manager (20) to determine whether the executable (12) is allowed to access the data file (24), and services the file access request if access is allowed, and denies the file access request if access is prohibited.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The readable media (44) of claim 6 wherein the policy enforcement manager (20) verifies integrity of the executable (12) by comparing a stored executable signature (68) decrypted by a public key from a certificate store (28) to a computed executable identity formed by applying a hash function to the executable (12).
  - 8. The readable media (44) of claim 7 and further comprising:
    - a signature tool (14) that calculates the stored executable signature (68) by applying the hash function to form an executable identity (66), and encrypting the execution identity (66) with a private key associated with a certificate in a certificate store (28).
  - 9. The readable media (44) of claim 7 wherein the executable identity based access control list (26) is stored in policy metadata (70) associated with the data file (24), with the executable identity based access control list (26) storing an executable identity (76, 78) that identifies the executable (12), and wherein the policy metadata (70) also includes a stored policy signature (72), and executable identity based file access policies are validated by comparing the stored policy signature (72) decrypted with a public key from the certificate store (28) with a result of applying a hash function to the executable identity based access control list (26).
  - 10. The readable media of claim 9 and further comprising:
    - an access policy tool (18) for defining executable identity based file access policies for the data file (24) by storing the executable identity (66) in the executable identity based access control list (26),

11. A computing environment (10, 30) comprising:
- a CPU (34);
  
  persistent media (22) coupled to the CPU (34), the persistent media (22) including a data file (24) and an executable identity based access control list (26);
  
  memory (38) coupled to the CPU (34), wherein an executable (12), a file system module (18) and a policy enforcement manager (20) are executed by the CPU (34) from the memory (38), and wherein the executable (12) initiates an I/O request to the file system module (18) to access the data file (24), the file system module (18) cooperates with the policy enforcement manger (20) to access the executable identity based access control list (26) to determine whether the executable (12) is allowed to access the data file (24), and the file system module (18) allows the executable (12) to access the data file (24) if the executable (12) is allowed to access the data file (24), and prohibits the executable (12) from accessing the data file (24) if the executable (12) is not allowed to access the data file (24).
- View Dependent Claims (12, 13, 14, 15)
- - 12. The computing environment (10, 30) of claim 11 wherein the persistent media (22) includes a certificate store (28), and integrity of the executable (12) is verified by comparing a computed executable identity to an executable identity formed by decrypting a stored executable signature (68) with a public key stored in the certificate store (28).
  - 13. The computing environment (10, 30) of claim 12 wherein the executable identity based access control list (26) is stored in policy metadata (70) associated with the data. file (24), with the executable identity based access control list (26) storing an executable identity (76, 78) that identifies the executable (12).
  - 14. The computing environment (10, 30) of claim 13 wherein a stored policy signature (72) is associated with the executable identity based access control list (26), and executable identity based access policies are validated by comparing the stored policy signature (72) decrypted with a public key stored in the certificate store (28) with results of a hash function applied to the executable identity based access control list (26).
  - 15. The computing environment (10, 30) of claim 12 wherein a signature tool (14) and an access policy tool (16) are also executed by the CPU (34) from the memory (38), with the signature tool (14) creating the stored executable signature (68) for the executable (12), and the access policy tool (16) defining executable identity based file access policies for the data file (24) by storing the executable identity (66) in the executable identity based access control list (26).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Mittal, Hemant, Raman, Shankar

Application Number

US13/577,174
Publication Number

US 20120310983A1
Time in Patent Office

Days
Field of Search
US Class Current

707/785
CPC Class Codes

G06F 21/44   Program or device authentic...

G06F 21/6209   to a single file or object,...

G06F 2221/2141   Access rights, e.g. capabil...

EXECUTABLE IDENTITY BASED FILE ACCESS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

48 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

EXECUTABLE IDENTITY BASED FILE ACCESS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

48 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links