AUTOMATED MECHANISM TO ANALYZE ELEVATED AUTHORITY USAGE AND CAPABILITY

US 20180121665A1
Filed: 10/31/2016
Published: 05/03/2018
Est. Priority Date: 10/31/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for securing file access, the computer-implemented method comprising, by operation of one or more computer processors:

monitoring a set of file access requests to a file from an application to obtain permission and identity information related to the monitored requests, wherein monitoring the set of file access requests includes obtaining a runtime stack from the application based on a predefined call selected from a system object call and a microcode call;

determining a set of user privileges available to a user, wherein the set of user privileges is available to the application when the user causes execution of the application;

determining a set of elevated privileges available to the application when the set of user privileges is insufficient;

determining, based on environment information in the runtime stack, whether the set of elevated privileges is different from the set of user privileges;

storing, in a data file, the permission and identity information, information related to the sets of elevated and user privileges, and an indication of whether the set of elevated privileges is greater in scope than the set of user privileges; and

upon determining that the set of user privileges rather than the set of elevated privileges is used to access the file, automatically adjusting the set of user privileges, including removing at least one user privilege from the set of user privileges, whereafter the set of elevated privileges is used to access the file.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and computer program products to perform an operation comprising monitoring a set of file access requests to a file from an application to obtain permission and identity information related to the monitored requests, wherein the monitoring includes obtaining a runtime stack from the application, determining, based on environment information in the runtime stack, whether a first set of privileges available to the application are greater than a second set of privileges available to a the user of the application, storing the permission and identity information and an indication of whether the first set of privileges is greater than the second set of privileges in a data file, and adjusting the privileges for the user based on the determination.

65 Citations

View as Search Results

25 Claims

1. A computer-implemented method for securing file access, the computer-implemented method comprising, by operation of one or more computer processors:
- monitoring a set of file access requests to a file from an application to obtain permission and identity information related to the monitored requests, wherein monitoring the set of file access requests includes obtaining a runtime stack from the application based on a predefined call selected from a system object call and a microcode call;
  
  determining a set of user privileges available to a user, wherein the set of user privileges is available to the application when the user causes execution of the application;
  
  determining a set of elevated privileges available to the application when the set of user privileges is insufficient;
  
  determining, based on environment information in the runtime stack, whether the set of elevated privileges is different from the set of user privileges;
  
  storing, in a data file, the permission and identity information, information related to the sets of elevated and user privileges, and an indication of whether the set of elevated privileges is greater in scope than the set of user privileges; and
  
  upon determining that the set of user privileges rather than the set of elevated privileges is used to access the file, automatically adjusting the set of user privileges, including removing at least one user privilege from the set of user privileges, whereafter the set of elevated privileges is used to access the file.
- View Dependent Claims (2, 3, 4, 5, 21, 22, 23, 24, 25)
- - 2. The computer-implemented method of claim 1, wherein the determination is based on the authentication environment information recorded on the runtime stack.
  - 3. The computer-implemented method of claim 1, further comprising determining the set of elevated privileges is sufficient to allow the application to access the file for each file access request in the set of file access requests.
  - 4. The computer-implemented method of claim 3, further comprising determining that the set of user privileges is used to access the file, wherein the at least one user privilege is removed from the user based on the determination that the set of user privileges is used to access the file.
  - 5. The computer-implemented method of claim 3, further comprising determining that the set of elevated privileges is not used to access the file, wherein the at least one user privilege is removed from the user based on the determination that the set of elevated privileges is not used to access the file.
  - 21. The computer-implemented method of claim 1, wherein the determination that the set of user privileges rather than the set of elevated privileges is used to access the file is made based on, in respective instances:
    - (i) the set of user privileges being used to access the file and (ii) the set of elevated privileges not being used to access the file;
      
      wherein whether the set of elevated privileges is used is determined based on information in the runtime stack, wherein automatically adjusting the privileges of the user based on the determination comprises adjusting the privileges of the user based on the determination and without having received any request specifying to adjust the privileges of the user;
      
      wherein the computer-implemented method further comprises;
      
      generating an indication that the privileges for the user is automatically adjusted, whereafter the indication is output;
      
      wherein the determination is based on the authentication environment information recorded on the runtime stack;
      
      wherein the computer-implemented method further comprises determining the set of elevated privileges is sufficient to allow the application to access the file for each file access request in the set of file access requests.
  - 22. The computer-implemented method of claim 21, further comprising, in respective instances:
    - (i) determining that the set of user privileges is used to access the file, wherein the at least one user privilege is removed from the user based on the determination that the set of user privileges is used to access the file;
      
      (ii) determining that the set of elevated privileges is not used to access the file, wherein the at least one user privilege is removed from the user based on the determination that the set of elevated privileges is not used to access the file;
      
      wherein the runtime stack information is obtained based on, in respective instances;
      
      (i) the system object call into an operating system kernel and (ii) the microcode call.
  - 23. The computer-implemented method of claim 22, further comprising, prior to determining whether the set of elevated privileges is different from the set of user privileges, performing a first operation to set privileges for the user, the first operation comprising:
    - determining a set of needed privileges needed by the application to access the file based on the stored data file;
      
      automatically selecting privileges to assign to the user, based on the set of needed privileges and the set of elevated privileges;
      
      assigning the automatically selected privileges to the user;
      
      upon determining that the set of elevated privileges is used to access the file, automatically removing all user privileges from the user; and
      
      upon determining (i) the set of elevated privileges is not used to access the file and (ii) the set of elevated privileges includes the set of needed privileges, automatically removing all user privileges from the user;
      
      wherein the automatically selected privileges to assign to the user are derived from, in respective instances, a user authority, a group authority, and an access control list.
  - 24. The computer-implemented method of claim 23, wherein the application comprises a first application, wherein the set of file access requests to the file from the first application is further monitored to obtain a set of call information based on runtime stack information related to calls of the first application requesting access to the file, wherein the runtime stack information includes the environment information;
    - wherein the environment information specifies;
      
      (i) the system object call;
      
      (ii) programs on the runtime stack;
      
      (iii) program statement numbers of calling and called subroutines;
      
      (iv) names of calling and called subroutines;
      
      (v) an order in which applications are called;
      
      (vi) whether each called application invoked any elevated privileges;
      
      (vii) thread and job information pertaining to the first application;
      
      and (viii) a runtime context of the first application;
      
      wherein the computer-implemented method further comprises performing a second operation for auditing file access, the second operation comprising;
      
      storing the set of call information in the data file;
      
      receiving, from a second application different from the first application, a request for access to the file;
      
      obtaining call information from a runtime stack from the second application;
      
      determining the request for access is an abnormal request, based on comparing the call information with the set of call information, wherein the comparing is based on at least the programs on the runtime stack and the program statement numbers of the calls, wherein the determining the request is abnormal comprises determining that the second application has elevated privileges as compared to the first application; and
      
      upon determining that the request for access is an abnormal request, automatically taking a predefined action comprising;
      
      (i) logging information related to the abnormal request and (ii) denying the request for access.
  - 25. The computer-implemented method of claim 24, wherein the operating system kernel is of an operating system having user space, kernel space, and microcode space, the operating system having a plurality of modules including:
    - (i) a file permission check module resident in the kernel space, the file permission check module including an authority collection module configured to determine the sets of elevated, user, and needed privileges;
      
      (ii) an authority adjustment module resident in the kernel space and configured to automatically adjust user privileges for the user; and
      
      (iii) a security module resident in the microcode space and configured to handle the microcode call in order to obtain the runtime stack;
      
      wherein the user space includes a system library and one or more user applications including the application, wherein the user space provides a runtime environment in which the application executes, wherein the runtime information pertains to the runtime environment, wherein the kernel space includes a kernel, a system call interface, and one or more drivers, wherein the kernel includes a file system interface for a file system, wherein the file system stores the file and permissions associated therewith.

6-7. -7. (canceled)

8. A system for securing file access, the system comprising:
- one or more computer processors;
  
  a memory containing a program which, when executed by the one or more computer processors, performs an operation comprising;
  
  monitoring a set of file access requests to a file from an application to obtain permission and identity information related to the monitored requests, wherein monitoring the set of file access requests includes obtaining a runtime stack from the application based on a predefined call selected from a system object call and a microcode call;
  
  determining a set of user privileges available to a user, wherein the set of user privileges is available to the application when the user causes execution of the application;
  
  determining a set of elevated privileges available to the application when the set of user privileges is insufficient;
  
  determining, based on environment information in the runtime stack, whether the set of elevated privileges is different from the set of user privileges;
  
  storing, in a data file, the permission and identity information, information related to the sets of elevated and user privileges, and an indication of whether the set of elevated privileges is greater in scope than the set of user privileges; and
  
  upon determining that the set of user privileges rather than the set of elevated privileges is used to access the file, automatically adjusting the set of user privileges, including removing at least one user privilege from the set of user privileges, whereafter the set of elevated privileges is used to access the file.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The system of claim 8, wherein the determination is based on the authentication environment information recorded on the runtime stack.
  - 10. The system of claim 8, wherein the operation further comprises determining the set of elevated privileges is sufficient to allow the application to access the file for each file access request in the set of file access requests.
  - 11. The system of claim 10, wherein the operation further comprises determining that the set of user privileges is used to access the file, wherein the at least one user privilege is removed from the user based on the determination that the set of user privileges is used to access the file.
  - 12. The system of claim 8, wherein the operation further comprises determining that the set of elevated privileges is not used to access the file, wherein the at least one user privilege is removed from the user based on the determination that the set of elevated privileges is not used to access the file.

13-14. -14. (canceled)

15. A computer program product for securing file access, the computer program product comprising:
- a computer readable storage medium having computer-readable program code embodied therewith, the computer-readable program code executable by one or more computer processors to perform an operation comprising;
  
  monitoring a set of file access requests to a file from an application to obtain permission and identity information related to the monitored requests, wherein monitoring the set of file access requests includes obtaining a runtime stack from the application based on a predefined call selected from a system object call and a microcode call;
  
  determining a set of user privileges available to a user, wherein the set of user privileges is available to the application when the user causes execution of the application;
  
  determining a set of elevated privileges available to the application when the set of user privileges is insufficient;
  
  determining, based on environment information in the runtime stack, whether the set of elevated privileges is different from the set of user privileges;
  
  storing, in a data file, the permission and identity information, information related to the sets of elevated and user privileges, and an indication of whether the set of elevated privileges is greater in scope than the set of user privileges; and
  
  upon determining that the set of user privileges rather than the set of elevated privileges is used to access the file, automatically adjusting the set of user privileges, including removing at least one user privilege from the set of user privileges, whereafter the set of elevated privileges is used to access the file.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The computer program product of claim 15, wherein the determination is based on the authentication environment information recorded on the runtime stack.
  - 17. The computer program product of claim 15, wherein the operation further comprises determining the set of elevated privileges is sufficient to allow the application to access the file for each file access request in the set of file access requests.
  - 18. The computer program product of claim 17, wherein the operation further comprises determining that the set of user privileges is used to access the file, wherein the at least one user privilege is removed from the user based on the determination that the set of user privileges is used to access the file.
  - 19. The computer program product of claim 17, wherein the operation further comprises determining that the set of elevated privileges is not used to access the file, wherein the at least one user privilege is removed from the user based on the determination that the set of elevated privileges is not used to access the file.

20. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
ANDERSON, Mark J., BUDNIK, Carol S., DIETENBERGER, Anna P., FORSTIE, Scott, HASSELBECK, Brian J., MEI, Allen K., STREIFEL, Ellen B., UEHLING, Jeffrey M.

Granted Patent

US 10,346,625 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/6209 to a single file or object,...

AUTOMATED MECHANISM TO ANALYZE ELEVATED AUTHORITY USAGE AND CAPABILITY

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

65 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

AUTOMATED MECHANISM TO ANALYZE ELEVATED AUTHORITY USAGE AND CAPABILITY

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

65 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links