PROCESS CONTROL SOFTWARE SECURITY ARCHITECTURE BASED ON LEAST PRIVILEGES

US 20160026813A1
Filed: 07/25/2014
Published: 01/28/2016
Est. Priority Date: 07/25/2014
Status: Active Grant

First Claim

Patent Images

1. A computer device including;

a processor; and

an operating system that executes on the processor according to configuration data to implement service processes, wherein the configuration data causes each of the service processes to be assigned to one of a plurality of custom service accounts that each have a preset set of operating system privileges associated therewith, wherein the preset set of operating system privileges for each the plurality of custom service accounts is defined based on the privileges needed by the services that are assigned to the custom service account, and wherein, custom service accounts do not have interactive logon privileges.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A process control system software security architecture, that is more effective at preventing zero-day or other types of malware attacks, implements the use of “least privileges” when executing the applications and services run within a computer device. The least privileges based architecture separates “service” processes from desktop applications that run on behalf of a logged-on user by partitioning the global namespace of the software system into service namespaces and logged-on user namespaces, and by strictly controlling communications between the applications and services in these different namespaces using interprocess communications. Moreover, the security architecture uses custom accounts to assure that each service process has the least set of privileges that are needed for implementing its function regardless of the privileges associated with the calling application or user.

Citations

70 Claims

1. A computer device including;
- a processor; and
  
  an operating system that executes on the processor according to configuration data to implement service processes, wherein the configuration data causes each of the service processes to be assigned to one of a plurality of custom service accounts that each have a preset set of operating system privileges associated therewith, wherein the preset set of operating system privileges for each the plurality of custom service accounts is defined based on the privileges needed by the services that are assigned to the custom service account, and wherein, custom service accounts do not have interactive logon privileges.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The computer device of claim 1, wherein the computer device further includes one or more communications ports and a local memory storage unit, and wherein each of the service processes that is capable of communicating with a communications port does not have privilege to write to the local memory storage unit.
  - 3. The computer device of claim 2, wherein the computer device further includes an external media port, and wherein one or more of the service processes that is capable of communicating with a communications port does not have privilege to communicate with a removable storage unit via the external media port.
  - 4. The computer device of claim 2, wherein the computer device further includes an external media port, and wherein one or more of the service processes that is capable of communicating with the communications port does not have privilege to communicate directly with a further service process that has privilege to communicate with a removable storage unit via the external media port.
  - 5. The computer device of claim 4, wherein the computer device further includes an external media port and a local memory storage unit, and wherein one of the service processes that is capable of communicating with a removable storage unit via the external media port does not have privilege to write to the local memory storage unit.
  - 6. The computer device of claim 5, wherein the computer device further includes a communications port, and wherein one or more of the service processes that is capable of communicating with a removable storage unit via the external media port does not have privilege to communicate directly with a further service process that has privilege to communicate via the communications port.
  - 7. The computer device of claim 1, further including a desktop environment, and wherein the operating system executes to enforce a service namespace that is separate from a desktop namespace and operates to execute the service processes in the service namespace and one or more desktop applications in the desktop namespace.
  - 8. The computer device of claim 7, wherein the operating system enforces a requirement that processes running in the desktop namespace must communicate with processes running in the service namespace via interprocess communications.
  - 9. The computer device of claim 7, wherein the operating system executes on the processor according to configuration data to implement configuration data to implement desktop processes, wherein the configuration data causes each of the desktop processes to be assigned to one of a plurality of user accounts that each have a preset set of operating system privileges associated therewith, wherein the preset set of operating system privileges for each the plurality of user accounts includes interactive logon privileges
  - 10. The computer device of claim 9, wherein the set of operating system privileges assigned to standard user accounts does not include elevated or administrative operating system privileges.
  - 11. The computer device of claim 9, wherein the set of operating system privileges assigned to desktop applications when they are started are restricted to standard user privileges even if the user account under which the desktop application is started has elevated operating system privileges, and wherein processes started by processes running in the desktop namespace inherit the privileges of the starting process.
  - 12. The computer device of claim 9, wherein the operating system enforces a rule that processes running in the desktop namespace cannot be elevated in operating system privileges without explicit authorization of an authenticated user whose account has the elevated privileges.
  - 13. The computer device of claim 7, wherein the operating system enforces a requirement that all processes running in the service namespace must communicate with other processes running in the service namespace via interprocess communications.
  - 14. The computer device of claim 7, wherein the computer device further includes a local memory storage unit that stores service files or service folders, and wherein the operating system enforces a rule that prevents processes running in the desktop namespace from writing to service files or service folders stored in the local memory storage unit.
  - 15. The computer device of claim 7, further including a desktop in the desktop namespace including a user interface, and wherein the operating system enforces a rule that prevents any of the service processes from directly accessing that desktop.
  - 16. The computer device of claim 7, wherein messages originating at desktop applications include user identity information that identifies a user of a desktop application, and wherein the user identity information follows messages through multiple processes to their final destination, including through a service process that accesses the communications port to send the message via a communications link.
  - 17. The computer device of claim 16, wherein the user identity information does not control the operating system privileges and/or access permissions associated with one or more processes used to forward the message to a message recipient, and wherein the user identity information does control access permissions to process control objects.

18. A computer device comprising:
- a processor;
  
  a communications port;
  
  a local memory storage unit; and
  
  an operating system that executes on the processor according to configuration data to implement service processes including a service process that is capable of communicating with the communications port, wherein the service process that is capable of communicating with the communications port does not have the privilege to write to the local memory storage unit.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 19. The computer device of claim 18, wherein the local memory storage unit stores service process files or service process folders.
  - 20. The computer device of claim 19, wherein the local memory storage unit further stores desktop applications files.
  - 21. The computer device of claim 18, wherein the computer device further includes an external media port, and wherein the one of the service processes that is capable of communicating with the communications port does not have privileges to communicate with a removable storage unit via the external media port.
  - 22. The computer device of claim 18, wherein the computer device further includes an external media port, and wherein the one of the service processes that is capable of communicating with the communications port does not have privileges to communicate directly with a further service process that has privileges to communicate with a removable storage unit via the external media port.
  - 23. The computer device of claim 22, wherein the further service process that is capable of communicating with a removable storage unit via the external media port does not have privileges to write to the local memory storage unit.
  - 24. The computer device of claim 18, further including a desktop environment, and wherein the operating system executes to enforce a service namespace that is separate from a desktop namespace and operates to execute the service processes in the service namespace and one or more desktop applications in the desktop namespace.
  - 25. The computer device of claim 24, wherein the operating system enforces a requirement that processes running in the desktop namespace must communicate with processes running in the service namespace via interprocess communications.
  - 26. The computer device of claim 25, wherein desktop applications are assigned a set of operating system privileges that is set separately from a set of operating system privileges associated with a user account that starts the desktop application and wherein the set of operating system privileges to which the desktop applications are assigned do not include administrator operating system privileges.
  - 27. The computer device of claim 25, wherein the operating system enforces a rule that the desktop applications cannot be elevated in operating system privileges.
  - 28. The computer device of claim 25, wherein the operating system enforces a rule that prevents the desktop applications from writing to service files or service folders stored in a local memory storage unit.
  - 29. The computer device of claim 24, wherein a message originating at a desktop application includes user identity information that identifies a user of the desktop application, and wherein the user identity information follows the message through the service process that accesses the communications network port to send the message via a communications network.
  - 30. The computer device of claim 18, further including a desktop including a user interface, and wherein the operating system enforces a rule that prevents any of the service processes from directly accessing the desktop.

31. A computer device including;
- a processor;
  
  an external media port;
  
  a local memory storage unit; and
  
  an operating system that executes on the processor according to configuration data to implement service processes including a service process that is capable of communicating with a removable memory device via external media port, wherein the service process that is capable of communicating with a removable memory device via the external media port does not have the privilege to write to the local memory storage unit.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39)
- - 32. The computer device of claim 31, wherein the local memory storage unit stores service process files or service process folders.
  - 33. The computer device of claim 32, wherein the local memory storage unit further stores desktop applications files.
  - 34. The computer device of claim 31, wherein the computer device further includes a communications port, and wherein the one of the service processes that is capable of communicating with a removable memory via the external media port does not have privileges to communicate directly with a further service process that has privileges to communicate via the communications port.
  - 35. The computer device of claim 31, further including a desktop environment, and wherein the operating system executes to enforce a service namespace that is separate from a desktop namespace and operates to execute the service processes in the service namespace and one or more desktop applications in the desktop namespace.
  - 36. The computer device of claim 35, wherein the operating system enforces a requirement that processes running in the desktop namespace must communicate with processes running in the service namespace via interprocess communications.
  - 37. The computer device of claim 36, wherein desktop applications are assigned a set of operating system privileges that is set separately from a set of operating system privileges associated with a user account that starts the desktop application and wherein the set of operating system privileges to which the desktop applications are assigned do not include administrator operating system privileges.
  - 38. The computer device of claim 37, wherein the operating system enforces a rule that the desktop applications cannot be elevated in operating system privileges.
  - 39. The computer device of claim 31, further including a desktop including a user interface, and wherein the operating system enforces a rule that prevents any of the service processes from directly accessing the desktop.

40. A computer device including;
- a processor;
  
  an external media port;
  
  a communications port; and
  
  an operating system that executes on the processor according to configuration data to implement service processes including a service process that is capable of communicating with a removable memory device via external media port, wherein the service process that is capable of communicating with a removable memory device via the external media port does not have the privilege to access the communications port.
- View Dependent Claims (41, 42, 43, 44)
- - 41. The computer device of claim 40, wherein the service process that is capable of communicating with a removable memory device via the external media port does not have the privilege to directly access another service that is capable of accessing the communications port.
  - 42. The computer device of claim 40, further including a desktop environment, and wherein the operating system executes to enforce a service namespace that is separate from a desktop namespace and operates to execute the service processes in the service namespace and one or more desktop applications in the desktop namespace.
  - 43. The computer device of claim 42, wherein the operating system enforces a requirement that processes running in the desktop namespace must communicate with processes running in the service namespace via interprocess communications.
  - 44. The computer device of claim 40, wherein the operating system enforces a requirement that services must communicate with other services via interprocess communications.

45. A computer device including;
- a processor; and
  
  an operating system that executes on the processor according to configuration data to implement service processes and one or more desktop processes;
  
  wherein the operating system executes to enforce a service namespace that is separate from a desktop namespace and operates to execute the service processes in a service namespace and the one or more desktop applications in a desktop namespace that is separate from the service namespace, and wherein all processes implemented in the service namespace must communicate with processes in the desktop namespace via interprocess communications.
- View Dependent Claims (46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57)
- - 46. The computer device of claim 45, wherein the one or more desktop applications are assigned a set of operating system privileges that is set separately from a set of operating system privileges associated with a user account that starts the desktop application.
  - 47. The computer device of claim 45, wherein the one or more desktop applications are assigned the same set of operating system privileges which are not dependent on the operating system privileges associated with a user account that starts the desktop application.
  - 48. The computer device of claim 47, wherein the set of operating system privileges to which the desktop applications are assigned do not include administrator operating system privileges.
  - 49. The computer device of claim 48, wherein the set of operating system privileges to which the desktop applications are assigned are operating system privileges associated with a general user.
  - 50. The computer device of claim 47, wherein the operating system enforces a rule that desktop applications cannot be elevated in operating system privileges.
  - 51. The computer device of claim 45, wherein the computer device includes a local memory storage unit and wherein the operating system enforces a rule that prevents desktop applications from writing to service files or service folders stored in the local memory storage unit.
  - 52. The computer device of claim 45, further including a desktop including a user interface, and wherein the operating system enforces a rule that prevents any of the service processes from accessing the desktop.
  - 53. The computer device of claim 45, wherein messages originating at desktop applications include user identity information that identifies a user of a desktop application, and wherein the user identity information follows messages through multiple processes associated with sending the messages.
  - 54. The computer device of claim 53, wherein the user identity information does not control the operating system privileges associated with one or more processes used to forward the message to a message recipient.
  - 55. The computer device of claim 45, wherein the computer device further includes a communications port and a local memory storage unit, and wherein one of the service processes that is capable of communicating with the communication port does not have privilege to write to the local memory storage unit.
  - 56. The computer device of claim 45, wherein the computer device further includes an external media port, and wherein the one of the service processes that is capable of communicating with the communications port does not have privilege to communicate with a removable storage unit via the external media port.
  - 57. The computer device of claim 45, wherein the computer device further includes a communications port, a local memory storage unit, and an external media port, and wherein one of the service processes that is capable of communicating with the communication network port does not have privilege to write to the local memory storage unit or to communicate with a removable storage unit via the external media port, wherein one of the service processes that is capable of communicating with a removable storage unit via the external media port does not have privilege to write to the local memory storage unit and does not have privilege to communicate with the communications port, and wherein the one of the service processes that is capable of communicating with the communications port does not have privilege to directly communicate with the one of the service processes that is capable of communicating with a removable storage unit via the external media port.

58. A computer device including;
- a processor; and
  
  an operating system that executes on the processor according to configuration data to implement service processes and one or more desktop processes;
  
  wherein the operating system enforces operating system privileges for the service processes based on custom service accounts to which each service process is assigned regardless of the process that calls the service process, wherein the operating system enforces operating system privileges for each of the one or more desktop applications using a standard set of operating system privileges defined for the desktop applications to be used for the desktop applications regardless of which of a set of user accounts calls the desktop application, and wherein a sending desktop application sends a message to a recipient processes such that the message includes a user identity that identifies a user of the desktop application, wherein the user identity flows with the message as the message is processed by each of a number of different service processes as the message is relayed from the sending desktop application to the receiving process.
- View Dependent Claims (59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70)
- - 59. The computer device of claim 58, wherein the user identity information follows messages through multiple processes to their final destination, including through a service process that accesses the communications port to send the message via a communications link.
  - 60. The computer device of claim 59, wherein the user identity information does not control the operating system privileges and/or access permissions associated with one or more processes used to forward the message to a message recipient.
  - 61. The computer device of claim 60, wherein the user identity information controls access permissions to process control objects in a process control network.
  - 62. The computer device of claim 58, wherein the standard set of operating system privileges defined for the desktop applications do not include administrator operating system privileges.
  - 63. The computer device of claim 62, wherein the operating system enforces a rule that desktop applications cannot be elevated in operating system privileges.
  - 64. The computer device of claim 58, wherein the computer device includes a local memory storage unit and wherein the operating system enforces a rule that prevents desktop applications from writing to service files or service folders stored in the local memory storage unit.
  - 65. The computer device of claim 58, further including a desktop including a user interface, and wherein the operating system enforces a rule that prevents any of the service processes from accessing the desktop.
  - 66. The computer device of claim 58, wherein the user identity information does not affect the operating system privileges associated with one or more processes used to forward the message to the receiving process.
  - 67. The computer device of claim 58, wherein the computer device further includes a communications port and a local memory storage unit, and wherein one of the service processes that is capable of communicating with the communication port does not have privilege to write to the local memory storage unit.
  - 68. The computer device of claim 58, wherein the computer device further includes an external media port, and wherein the one of the service processes that is capable of communicating with the communications port does not have privilege to communicate with a removable storage unit via the external media port.
  - 69. The computer device of claim 58, wherein the computer device further includes a communications port, a local memory storage unit, and an external media port, and wherein one of the service processes that is capable of communicating with the communication port does not have privilege to write to the local memory storage unit, wherein one of the service processes that is capable of communicating with a removable storage unit via the external media port does not have privilege to write to the local memory storage unit, and wherein the one of the service processes that is capable of communicating with the communications port does not have privilege to directly communicate with the one of the service processes that is capable of communicating with a removable storage unit via the external media port.
  - 70. The computer device of claim 58, wherein the operating system executes to enforce a service namespace that is separate from a desktop namespace and operates to execute the service processes in a service namespace and the one or more desktop applications in a desktop namespace that is separate from the service namespace, and wherein all processes implemented in the service namespace must communicate with processes in the desktop namespace via interprocess communications.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fisher-Rosemount Systems Incorporated (Emerson Electric Company)
Original Assignee
Fisher-Rosemount Systems Incorporated (Emerson Electric Company)
Inventors
Neitzel, Lee Allen, Ussing, Dan Halver

Granted Patent

US 11,275,861 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/604 Tools and structures for ma...

G06F 21/6218 to a system of files or obj...

PROCESS CONTROL SOFTWARE SECURITY ARCHITECTURE BASED ON LEAST PRIVILEGES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

70 Claims

Specification

Solutions

Use Cases

Quick Links

PROCESS CONTROL SOFTWARE SECURITY ARCHITECTURE BASED ON LEAST PRIVILEGES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

70 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links