Multilevel security port methods, apparatuses, and computer program products
Abstract
A multilevel port system on a computer operating under a multilevel operating system permits contemporaneously opening a plurality of sockets having the same port number while meeting the requirements of an appropriate security policy, thus allowing third-party applications to run as if they were unimpeded by the security policy, and methods thereby. The computer system has an operating system adhering to an access control security mechanism. Such systems include government systems wherein a hierarchy of security classification levels is defined (e.g., top secret, secret, classified, unclassified), and commercial systems. Sensitivity labels pursuant to an access control security mechanism include at least hierarchical security classifications, and may include non-hierarchical categories or compartments which represent distinct areas of information in a system. A port is characterized by a port number and a sensitivity label, thus permitting opening a plurality of ports having identical port numbers and unique sensitivity labels.
10 Claims
1. A computer program product comprising:
a computer useable medium having a computer readable program code mechanism embodied therein for generating a plurality of ports, said ports being associated with a common port number, each of said ports having a selected sensitivity label, said port number and said sensitivity label defining a selected port identifier for at least one of said ports, permitting multiple, simultaneous access to the port, said computer code mechanism comprising:
- first computer readable code mechanism for constructing a communications packet comprising a protocol header in turn comprising at least source machine identification, source port number, and destination port identifier region, said destination port identifier region including a destination port number and sensitivity label subregion; and
- second computer readable code mechanism for permitting reception of communications packets for establishing receiver ports.
2. A first program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine to establish a multilevel port for enabling multiple, simultaneous access of a resource in a multilevel trusted system, said first program storage device comprising:
- first computer readable code devices configured to receive a communications packet from a source machine running an application instantiated in a first process, said packet comprising at least a first destination port number and a first sensitivity label;
- second computer readable code devices configured to examine said packet for identifying said port number and said sensitivity label, said port number and said sensitivity label together providing a port identifier;
- third computer readable code devices configured to compare said port identifier to port identifiers associated with pre-existing open ports; and
- fourth computer readable code devices configured to open a port having the same port number as pre-existing open ports when said sensitivity label of said port identifier is unique as compared to sensitivity labels of pre-existing open ports, said opening permitting contemporaneous processes associated with a plurality of ports having the same port number, and a unique sensitivity label.
5. A computer having a multi-level trusted operating system, comprising:
a computer useable medium having a computer readable program code mechanism embodied therein for generating a plurality of ports, said ports being associated with a common port number, each of said ports having a unique sensitivity label, the combination of said port number and said sensitivity label defining a unique port identifier for each of said ports, said plurality of ports permitting multiple, simultaneous access of said common port number, said computer readable code mechanism in said multi-level trusted system.
7. A multilevel port for permitting simultaneous access by a plurality of processes, each process having a different sensitivity label, the multilevel port defined by a common port number and a plurality of selected, unique sensitivity labels to permit two-way simultaneous communication between said port and ones of the plurality of processes having the same sensitivity labels as ones of said plurality of unique sensitivity labels.
8. A method for enabling simultaneous access of a port by a plurality of processes in a multilevel trusted system, comprising the steps of:
- intercepting a first communications packet in a second computer system, said communications packet generated by the kernel of a first computer system, said communications packet comprising a destination port number and a first sensitivity label;
- examining the communications packet to extract and identify said port number and said sensitivity label, said port number and said sensitivity label combination defining a port identifier;
- comparing said port identifier to the port numbers and sensitivity labels of pre-existing open ports;
- establishing a port in the event no pre-existing open port has the same port identifier as defined in said communication packet;
- establishing another port when one of the pre-existing ports has the same port number and a different sensitivity label as defined in said communication packet, said another port and said one of the pre-existing ports being simultaneously accessible by said plurality of processes; and
- passing the data portion of said communication packet to an applications process in said second computer system, said applications process having a port number and sensitivity label equivalent to said port identifier.
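The abstract and claim 8 describe a receive path in which the port table is keyed by the pair (port number, sensitivity label) rather than by port number alone: a packet's header carries a destination port number plus a label subregion, the receiver extracts both, looks them up against open ports, and delivers the payload only to the port whose identifier matches exactly. The following Python model is an added illustration written for this page, not code from the patent or any trusted operating system; the wire layout (IPv4 source, source port, destination port, one-byte classification level, two-byte compartment bitmask), the level numbering and the compartment names are all constructed assumptions. It shows two sockets open on the same port number under different labels, each receiving only the traffic labelled for it, a packet with no matching identifier being dropped, and a second open of an already-open identifier being refused.

```python
import struct
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Hierarchical classification levels. The ordering and numeric encoding are
# assumptions for this example; the patent only names the levels.
LEVELS = {0: "unclassified", 1: "classified", 2: "secret", 3: "top secret"}

# Non-hierarchical compartments, encoded as bits in a constructed bitmask.
COMPARTMENT_BITS = {"alpha": 0x1, "bravo": 0x2, "charlie": 0x4}

# Constructed header layout (network byte order): src IPv4, src port,
# dst port, dst label level, dst label compartment mask. Not the patent's format.
HEADER = struct.Struct("!4sHHBH")


@dataclass(frozen=True)
class SensitivityLabel:
    level: int
    compartments: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class PortIdentifier:
    """A port is identified by the pair (port number, sensitivity label)."""
    port_number: int
    label: SensitivityLabel


def encode_label(label: SensitivityLabel) -> Tuple[int, int]:
    if label.level not in LEVELS:
        raise ValueError(f"unknown classification level {label.level}")
    mask = 0
    for name in label.compartments:
        mask |= COMPARTMENT_BITS[name]  # KeyError on an unknown compartment
    return label.level, mask


def decode_label(level: int, mask: int) -> SensitivityLabel:
    if level not in LEVELS:
        raise ValueError(f"unknown classification level {level}")
    names = frozenset(n for n, bit in COMPARTMENT_BITS.items() if mask & bit)
    return SensitivityLabel(level, names)


def build_packet(src_ip: str, src_port: int, dst_port: int,
                 label: SensitivityLabel, payload: bytes) -> bytes:
    """Sender side: protocol header with the destination port identifier region."""
    level, mask = encode_label(label)
    src_raw = bytes(int(octet) for octet in src_ip.split("."))
    return HEADER.pack(src_raw, src_port, dst_port, level, mask) + payload


def parse_packet(data: bytes) -> Tuple[str, int, PortIdentifier, bytes]:
    """Receiver side: extract source, destination port identifier and payload."""
    if len(data) < HEADER.size:
        raise ValueError("packet shorter than header")
    src_raw, src_port, dst_port, level, mask = HEADER.unpack_from(data)
    src_ip = ".".join(str(b) for b in src_raw)
    ident = PortIdentifier(dst_port, decode_label(level, mask))
    return src_ip, src_port, ident, data[HEADER.size:]


class MultilevelPortTable:
    """Open ports keyed by full port identifier, so one port number may be open
    several times as long as each instance carries a distinct sensitivity label."""

    def __init__(self) -> None:
        self._ports: Dict[PortIdentifier, List[Tuple[str, int, bytes]]] = {}

    def open_port(self, port_number: int, label: SensitivityLabel) -> PortIdentifier:
        ident = PortIdentifier(port_number, label)
        if ident in self._ports:
            # Same number AND same label: this identifier is already in use.
            raise ValueError(f"port identifier already open: {ident}")
        self._ports[ident] = []
        return ident

    def receive(self, data: bytes) -> Optional[PortIdentifier]:
        """Deliver the payload to the port whose identifier matches exactly,
        or drop the packet (return None) when no such port is open."""
        src_ip, src_port, ident, payload = parse_packet(data)
        queue = self._ports.get(ident)
        if queue is None:
            return None
        queue.append((src_ip, src_port, payload))
        return ident

    def queued(self, ident: PortIdentifier) -> List[bytes]:
        return [payload for _, _, payload in self._ports[ident]]


def duplicate_open_rejected() -> bool:
    table = MultilevelPortTable()
    table.open_port(22, SensitivityLabel(1))
    try:
        table.open_port(22, SensitivityLabel(1))
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Two sockets on port 8080 with different labels; constructed traffic."""
    table = MultilevelPortTable()
    low = table.open_port(8080, SensitivityLabel(0))
    high = table.open_port(8080, SensitivityLabel(2, frozenset({"alpha"})))
    pkt_low = build_packet("10.0.0.5", 40000, 8080, SensitivityLabel(0), b"hello-low")
    pkt_high = build_packet("10.0.0.6", 40001, 8080,
                            SensitivityLabel(2, frozenset({"alpha"})), b"hello-high")
    pkt_none = build_packet("10.0.0.7", 40002, 8080, SensitivityLabel(3), b"no-listener")
    return {
        "low_delivered_to_low": table.receive(pkt_low) == low,
        "high_delivered_to_high": table.receive(pkt_high) == high,
        "unmatched": table.receive(pkt_none),
        "low_queue": table.queued(low),
        "high_queue": table.queued(high),
    }


if __name__ == "__main__":
    print(demo())
    print("duplicate open rejected:", duplicate_open_rejected())
```

The design point to notice is that matching is on the whole identifier: the table never falls back to "any port with this number", so a packet whose label matches no open port is dropped rather than handed to a process at a different level, and the uniqueness check on open prevents two listeners from sharing one (number, label) pair.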
Specification