Computer system security method and apparatus for creating and using program authorization information data structures
Abstract
Method and apparatus are disclosed including a system monitor which limits the ability of a program about to be executed to the use of predefined resources (e.g., data files, disk writing capabilities, etc.). The system monitor processes a data structure including a set of authorities defining that which a program is permitted to do and/or that which the program is precluded from doing. The set of authorities and/or restrictions assigned to a program to be executed are referred to as "program authorization information" (or "PAI"). Once defined, the program authorization information is thereafter associated with at least one program to be executed to thereby delineate the resources and functions that the program is allowed to utilize and/or is not allowed to utilize. The PAI associated with a particular program may be assigned by a computer system owner/user or by someone whom the computer system owner/user implicitly trusts. The PAI permits an associated program to access what has been authorized and nothing else. The program may be regarded as being placed in a program capability limiting "safety box". This "safety box" is thereafter associated with the program such that when the system monitor runs the program, the PAI for that program is likewise loaded and monitored. When the program is to perform a function or access a resource, the associated PAI is monitored to confirm that the operation is within the defined program limits. The program is prevented from doing anything outside the authorized limits.
77 Claims
1. In a computer system including processing means for executing a plurality of programs and memory means coupled to said processing means for storing data and for storing at least one program, said computer system having a plurality of computer resources and being capable of performing a wide range of information processing related functions under program control, a method for protecting a computer user from operations typically performable by a program while it is executing on behalf of a user, comprising the steps of:

establishing a program authorizing information data structure for storing a plurality of authorization entries each indicating at least one of those computer resources and information processing related functions which may be used by an associated program;

storing said program authorizing information data structure; and

associating the program authorizing information data structure with at least one program to be executed by said computer system to thereby protect the computer user from operations that might be performed by said at least one program, whereby the program authorizing information is available to be monitored when its associated program is executed.

Dependent claims 2 to 41 depend from claim 1.

42. In a computer system having means for executing a plurality of programs and a memory means coupled to said means for executing, for storing data and program instructions, said computer system being capable of performing a wide range of information processing related operations under program control, a method for executing programs by said means for executing for a computer user comprising the steps of:

identifying a program to be executed;

determining whether a program authorizing information data structure has been associated with the program, wherein said program authorizing information qualifies the ability of the program from performing information processing related operations which are available to said computer user;

examining said program authorizing information data structure if one has been associated with said program;

determining from an examination of said program authorization information whether the associated program is allowed to perform an attempted information processing related operation; and

suppressing performance of said operation if said program authorizing information data structure indicates that said program is not allowed to perform an attempted operation.

Dependent claims 43 to 77 depend from claim 42.
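The abstract describes the PAI as a set of authorization entries (what a program may do, and what it is precluded from doing) that a system monitor loads alongside the program and consults on every attempted operation, and claim 42 lays out the monitor's procedure: identify the program, determine whether a PAI is associated, examine it, decide, and suppress the operation if it is not allowed. The following is an added example in Python, written for this page and not code from the patent: a small reference-monitor model in which a PAI is a list of allow and deny entries keyed by operation and resource pattern, deny entries take precedence, and anything not explicitly authorized is refused (the "safety box" of the abstract). The `Op`, `Entry`, `PAI` and `SystemMonitor` names, the glob-style resource patterns, the use of a SHA-256 digest of the program image as the association key, and the fail-closed handling of programs that have no PAI are all assumptions of this example; the claims do not specify any of them.

```python
from dataclasses import dataclass, field
from enum import Enum, auto
from fnmatch import fnmatchcase
import hashlib
from typing import Callable, Dict, List, Tuple


class Op(Enum):
    """Information-processing operations the monitor mediates (a hypothetical subset)."""
    READ = auto()
    WRITE = auto()
    DELETE = auto()
    EXEC = auto()
    NET_CONNECT = auto()


@dataclass(frozen=True)
class Entry:
    """One authorization entry: an operation on a resource pattern (glob syntax, an assumption)."""
    op: Op
    resource: str  # e.g. "/home/alice/docs/*" or "tcp:*:443"

    def matches(self, op: Op, resource: str) -> bool:
        return self.op is op and fnmatchcase(resource, self.resource)


@dataclass
class PAI:
    """Program authorization information: what the program may do, plus explicit refusals.

    Deny entries win over allow entries, and anything not allowed is refused,
    so the program can use what has been authorized and nothing else."""
    allow: List[Entry] = field(default_factory=list)
    deny: List[Entry] = field(default_factory=list)

    def permits(self, op: Op, resource: str) -> bool:
        if any(e.matches(op, resource) for e in self.deny):
            return False
        return any(e.matches(op, resource) for e in self.allow)


class Denied(Exception):
    """Raised when the monitor suppresses an operation outside the program's PAI."""


class SystemMonitor:
    """Associates a PAI with a program and checks each attempted operation against it.

    PAIs are keyed by the SHA-256 of the program image (an assumption of this example),
    so a modified copy of a program does not inherit the original's authorizations.
    Programs with no associated PAI are refused by default (also an assumption)."""

    def __init__(self, refuse_unassociated: bool = True):
        self._pai: Dict[str, PAI] = {}
        self.refuse_unassociated = refuse_unassociated
        self.audit: List[Tuple[str, Op, str, bool]] = []

    @staticmethod
    def program_id(image: bytes) -> str:
        return hashlib.sha256(image).hexdigest()

    def associate(self, image: bytes, pai: PAI) -> str:
        pid = self.program_id(image)
        self._pai[pid] = pai
        return pid

    def check(self, image: bytes, op: Op, resource: str) -> bool:
        """Steps of claim 42: identify the program, look for its PAI, examine it, decide."""
        pid = self.program_id(image)
        pai = self._pai.get(pid)
        allowed = (not self.refuse_unassociated) if pai is None else pai.permits(op, resource)
        self.audit.append((pid[:12], op, resource, allowed))
        return allowed

    def perform(self, image: bytes, op: Op, resource: str, action: Callable[[], object]):
        """Run `action` only if the PAI allows it; otherwise suppress it by raising Denied."""
        if not self.check(image, op, resource):
            raise Denied(f"{op.name} on {resource} is outside the program's PAI")
        return action()


def demo() -> Tuple[List[bool], List[bool]]:
    """Constructed scenario: an editor confined to one directory and port 443."""
    monitor = SystemMonitor()
    editor = b"\x7fELF... constructed stand-in for an editor program image"
    pai = PAI(
        allow=[Entry(Op.READ, "/home/alice/docs/*"),
               Entry(Op.WRITE, "/home/alice/docs/*"),
               Entry(Op.NET_CONNECT, "tcp:*:443")],
        deny=[Entry(Op.WRITE, "/home/alice/docs/.git/*")],
    )
    monitor.associate(editor, pai)
    attempts = [
        (Op.READ, "/home/alice/docs/report.txt"),
        (Op.WRITE, "/home/alice/docs/report.txt"),
        (Op.WRITE, "/home/alice/docs/.git/config"),  # allowed by glob, but explicit deny wins
        (Op.DELETE, "/home/alice/docs/report.txt"),  # never authorized
        (Op.WRITE, "/etc/passwd"),                    # outside the safety box
        (Op.NET_CONNECT, "tcp:example.com:443"),
        (Op.NET_CONNECT, "tcp:example.com:25"),
    ]
    results = [monitor.check(editor, op, r) for op, r in attempts]
    # A tampered copy hashes differently, has no PAI of its own, and is refused outright.
    tampered = editor + b"\x90"
    tampered_results = [monitor.check(tampered, op, r) for op, r in attempts]
    return results, tampered_results


if __name__ == "__main__":
    print(demo())
```

Two points a practitioner would check before relying on such a monitor: the PAI must not be writable by the program it confines (here it lives only inside the monitor), and the check must sit on every path by which the program can reach a resource, since an operation that bypasses `perform` is never examined at all.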
Specification