AUTOMATED MECHANISM TO ANALYZE ELEVATED AUTHORITY USAGE AND CAPABILITY
First Claim
1. A computer-implemented method for securing file access, the computer-implemented method comprising, by operation of one or more computer processors:
monitoring a set of file access requests to a file from an application to obtain permission and identity information related to the monitored requests, wherein monitoring the set of file access requests includes obtaining a runtime stack from the application based on a predefined call selected from a system object call and a microcode call;
determining a set of user privileges available to a user, wherein the set of user privileges is available to the application when the user causes execution of the application;
determining a set of elevated privileges available to the application when the set of user privileges is insufficient;
determining, based on environment information in the runtime stack, whether the set of elevated privileges is different from the set of user privileges;
storing, in a data file, the permission and identity information, information related to the sets of elevated and user privileges, and an indication of whether the set of elevated privileges is greater in scope than the set of user privileges; and
upon determining that the set of user privileges rather than the set of elevated privileges is used to access the file, automatically adjusting the set of user privileges, including removing at least one user privilege from the set of user privileges, whereafter the set of elevated privileges is used to access the file.
2 Assignments
0 Petitions
Abstract
Systems, methods, and computer program products to perform an operation comprising monitoring a set of file access requests to a file from an application to obtain permission and identity information related to the monitored requests, wherein the monitoring includes obtaining a runtime stack from the application, determining, based on environment information in the runtime stack, whether a first set of privileges available to the application are greater than a second set of privileges available to the user of the application, storing the permission and identity information and an indication of whether the first set of privileges is greater than the second set of privileges in a data file, and adjusting the privileges for the user based on the determination.
65 Citations
25 Claims
1. A computer-implemented method for securing file access, the computer-implemented method comprising, by operation of one or more computer processors:
monitoring a set of file access requests to a file from an application to obtain permission and identity information related to the monitored requests, wherein monitoring the set of file access requests includes obtaining a runtime stack from the application based on a predefined call selected from a system object call and a microcode call;
determining a set of user privileges available to a user, wherein the set of user privileges is available to the application when the user causes execution of the application;
determining a set of elevated privileges available to the application when the set of user privileges is insufficient;
determining, based on environment information in the runtime stack, whether the set of elevated privileges is different from the set of user privileges;
storing, in a data file, the permission and identity information, information related to the sets of elevated and user privileges, and an indication of whether the set of elevated privileges is greater in scope than the set of user privileges; and
upon determining that the set of user privileges rather than the set of elevated privileges is used to access the file, automatically adjusting the set of user privileges, including removing at least one user privilege from the set of user privileges, whereafter the set of elevated privileges is used to access the file.
Dependent claims: 2, 3, 4, 5, 21, 22, 23, 24, 25
6-7. (canceled)
8. A system for securing file access, the system comprising:
one or more computer processors;
a memory containing a program which, when executed by the one or more computer processors, performs an operation comprising:
monitoring a set of file access requests to a file from an application to obtain permission and identity information related to the monitored requests, wherein monitoring the set of file access requests includes obtaining a runtime stack from the application based on a predefined call selected from a system object call and a microcode call;
determining a set of user privileges available to a user, wherein the set of user privileges is available to the application when the user causes execution of the application;
determining a set of elevated privileges available to the application when the set of user privileges is insufficient;
determining, based on environment information in the runtime stack, whether the set of elevated privileges is different from the set of user privileges;
storing, in a data file, the permission and identity information, information related to the sets of elevated and user privileges, and an indication of whether the set of elevated privileges is greater in scope than the set of user privileges; and
upon determining that the set of user privileges rather than the set of elevated privileges is used to access the file, automatically adjusting the set of user privileges, including removing at least one user privilege from the set of user privileges, whereafter the set of elevated privileges is used to access the file.
Dependent claims: 9, 10, 11, 12
13-14. (canceled)
15. A computer program product for securing file access, the computer program product comprising:
a computer readable storage medium having computer-readable program code embodied therewith, the computer-readable program code executable by one or more computer processors to perform an operation comprising:
monitoring a set of file access requests to a file from an application to obtain permission and identity information related to the monitored requests, wherein monitoring the set of file access requests includes obtaining a runtime stack from the application based on a predefined call selected from a system object call and a microcode call;
determining a set of user privileges available to a user, wherein the set of user privileges is available to the application when the user causes execution of the application;
determining a set of elevated privileges available to the application when the set of user privileges is insufficient;
determining, based on environment information in the runtime stack, whether the set of elevated privileges is different from the set of user privileges;
storing, in a data file, the permission and identity information, information related to the sets of elevated and user privileges, and an indication of whether the set of elevated privileges is greater in scope than the set of user privileges; and
upon determining that the set of user privileges rather than the set of elevated privileges is used to access the file, automatically adjusting the set of user privileges, including removing at least one user privilege from the set of user privileges, whereafter the set of elevated privileges is used to access the file.
Dependent claims: 16, 17, 18, 19
20. (canceled)
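The mechanism recited in the abstract and in independent claims 1, 8 and 15 (monitor file accesses, compare the user's own privilege set with the elevated set the application can use, record the comparison in a data file, and narrow the user set so that later access goes through the elevated set) is illustrated by the following added Python example. It is not the patent's code and assumes nothing about the patentee's implementation: the event schema, the privilege names, the sample events, and the `required` field that stands in for the environment information the claimed stack capture would yield are all constructed here.

```python
"""Added example (not the patent's own code): a minimal analyzer of
elevated-authority usage. Schema, privilege names and events are constructed."""
import json
import os
import tempfile
from dataclasses import dataclass, replace
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class AccessEvent:
    """One monitored file access request, as a privilege monitor might
    reconstruct it from the application's runtime stack (constructed schema)."""
    user: str
    application: str
    path: str
    operation: str
    required: frozenset        # privileges the operation needs (stands in for stack environment info)
    user_privs: frozenset      # privileges the user carried into the application
    elevated_privs: frozenset  # privileges the application may use when user_privs fall short


def classify(ev: AccessEvent) -> Dict:
    """Build the record the method stores: identity and permission information,
    both privilege sets, whether the elevated set differs from / exceeds the user
    set, and which set actually satisfied the request."""
    if ev.required <= ev.user_privs:
        used = "user"
    elif ev.required <= ev.elevated_privs:
        used = "elevated"
    else:
        used = "denied"
    return {
        "user": ev.user, "application": ev.application,
        "path": ev.path, "operation": ev.operation,
        "required": sorted(ev.required),
        "user_privs": sorted(ev.user_privs),
        "elevated_privs": sorted(ev.elevated_privs),
        "elevated_differs": ev.elevated_privs != ev.user_privs,
        "elevated_broader": ev.elevated_privs > ev.user_privs,  # proper superset
        "used": used,
    }


def store_records(records: Iterable[Dict], path: Optional[str] = None) -> Tuple[str, int]:
    """Append records to a JSON-lines data file (a temp file if no path is given)."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "privilege-usage.jsonl")
    count = 0
    with open(path, "a", encoding="utf-8") as fh:
        for rec in records:
            fh.write(json.dumps(rec, sort_keys=True) + "\n")
            count += 1
    return path, count


def read_records(path: str) -> List[Dict]:
    with open(path, encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


def adjust_user_privileges(records: Iterable[Dict]) -> Dict[Tuple[str, str], frozenset]:
    """Least-privilege adjustment in the sense of the claim: where a file was
    reached with the user's own privileges although a distinct elevated set also
    covers the need, remove those privileges from the user set so that later
    access runs under the application's elevated (scoped) authority instead."""
    adjusted: Dict[Tuple[str, str], set] = {}
    for r in records:
        key = (r["user"], r["application"])
        user = adjusted.setdefault(key, set(r["user_privs"]))
        if (r["used"] == "user" and r["elevated_differs"]
                and set(r["required"]) <= set(r["elevated_privs"])):
            user -= set(r["required"])
    return {k: frozenset(v) for k, v in adjusted.items()}


def replay(events: Iterable[AccessEvent], adjusted: Dict[Tuple[str, str], frozenset]) -> List[Dict]:
    """Re-classify the same events under the adjusted user privilege sets."""
    return [classify(replace(ev, user_privs=adjusted.get((ev.user, ev.application), ev.user_privs)))
            for ev in events]


# Constructed sample events: alice's payroll program can adopt an extra "audit"
# privilege; bob's viewer has no elevated set distinct from his own.
SAMPLE_EVENTS = [
    AccessEvent("alice", "payroll", "/data/payroll.db", "write", frozenset({"write"}),
                frozenset({"read", "write"}), frozenset({"read", "write", "audit"})),
    AccessEvent("alice", "payroll", "/data/audit.log", "append", frozenset({"audit"}),
                frozenset({"read", "write"}), frozenset({"read", "write", "audit"})),
    AccessEvent("bob", "viewer", "/data/payroll.db", "read", frozenset({"read"}),
                frozenset({"read"}), frozenset({"read"})),
]

if __name__ == "__main__":
    before = [classify(e) for e in SAMPLE_EVENTS]
    path, n = store_records(before)
    adjusted = adjust_user_privileges(before)
    for b, a in zip(before, replay(SAMPLE_EVENTS, adjusted)):
        print(f"{b['user']:6} {b['path']:18} used={b['used']:8} -> {a['used']}")
    print(f"{n} records written to {path}")
```

In a real monitor the `required` set and the active privilege context come from the captured runtime stack (the claim's system object or microcode call hook), not from a field on the event; the example treats them as given so the comparison, the stored record and the adjustment step can be checked in isolation. Note that the adjustment only strips a user privilege when the elevated set still covers the access, otherwise narrowing the user set would turn a working access into a denial.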
Specification