Method for implementing polyinstantiated access control in computer operating systems

US 6,865,739 B1
Filed: 06/06/2000
Issued: 03/08/2005
Est. Priority Date: 06/06/2000
Status: Expired due to Fees

First Claim

Patent Images

1. In an operating system on a computing system wherein requests are in the form of encapsulated information, a method for controlling access to actions and objects within the computing system, said computing system providing facilities for the instantiation of said objects and performance of said actions, said method comprising:

configuring selected domains on said computing system as configured domains, each one of said configured domains comprising a higher-order multidimensional domain space, for segregating system operational functionality according to defined operational boundaries, said operational boundaries defined by mapping attributes of the requests into individual domains;

providing a master daemon, said master daemon selecting said configured domains by utilizing said attributes of the requests; and

causing said master daemon to respond to selected ones of said requests to perform at least one of the following actions on said computing system;

instantiating on said operating system at least one subordinate daemon;

instantiating on said operating system at least one subordinate process;

instantiating on said operating system at least one subordinate thread;

performing at least one other defined action;

wherein said subordinate daemons, said subordinate processes, said subordinate threads, and said other defined actions are constrained to operate within one of said configured domains at least as restrictive as the configured domain of said master daemon.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A master daemon (a dedicated program component) is provided for a computer operating system which utilizes selected criteria to perform actions in one or more domains, as defined. The master daemon provides application program interfaces (APIs or facilities) and monitors all requests (for which the master daemon is configured) directed to the associated computing base including the operating system. All requests are in the form of encapsulated information as defined. In general, the master daemon, in response to such requests, performs the actions, each constrained to operate exclusively in a single domain. Selected criteria that may be contained in encapsulated information may define a higher-order multidimensional domain space for segregating system operational functionality according to configured boundaries. Multiple instances of actions may exist simultaneously in the same domain in the associated computing base, with the master daemon performing the actions for each request as required in each selected domain. According to a specific embodiment, as prompted by limitations in a purportedly multilevel secure operating system normally directly responsive to autonomous daemons, security is improved through an augmentation applied to the operating system in the form of a master daemon and operative according to a method for controlling access to domains. More specifically, a domain may be configured using constructs of security labels and other criteria.

18 Citations

View as Search Results

12 Claims

1. In an operating system on a computing system wherein requests are in the form of encapsulated information, a method for controlling access to actions and objects within the computing system, said computing system providing facilities for the instantiation of said objects and performance of said actions, said method comprising:
- configuring selected domains on said computing system as configured domains, each one of said configured domains comprising a higher-order multidimensional domain space, for segregating system operational functionality according to defined operational boundaries, said operational boundaries defined by mapping attributes of the requests into individual domains;
  
  providing a master daemon, said master daemon selecting said configured domains by utilizing said attributes of the requests; and
  
  causing said master daemon to respond to selected ones of said requests to perform at least one of the following actions on said computing system;
  
  instantiating on said operating system at least one subordinate daemon;
  
  instantiating on said operating system at least one subordinate process;
  
  instantiating on said operating system at least one subordinate thread;
  
  performing at least one other defined action;
  
  wherein said subordinate daemons, said subordinate processes, said subordinate threads, and said other defined actions are constrained to operate within one of said configured domains at least as restrictive as the configured domain of said master daemon.
- View Dependent Claims (2, 3, 4)
- - 2. The method according to claim 1, wherein said master daemon is further operative to:
    - control functionality of all said instantiated subordinate daemons, subordinate processes, subordinate threads and said defined actions on said operating system in said computer system.
  - 3. In an operating system on a computing system according to claim 1, wherein said master daemon is further operative to:
    - interface with said computing system to maintain centralized and coordinated unconditional access to auditing subsystems of said operating system.
  - 4. The method according to claims 1-3 wherein said selected domains are further defined by at least one of a security label, a set of security labels, a lattice of security labels, a group of security labels, a range of security labels, a combination of collections of security labels, and other defined constructs.

5. In an operating system on a computing system connected to a network of computing systems wherein requests are in the form of encapsulated information, a method for controlling access to actions and objects within any of the computing systems, said computing systems providing facilities for the remote instantiation of said objects and performance of said actions, said method comprising:
- configuring selected domains on at least one of said computing systems as configured domains, each one of said configured domains comprising a higher-order multidimensional domain space for segregating system operational functionality according to defined operational boundaries, said operational boundaries defined by mapping attributes of the requests into individual operating domains;
  
  providing a master daemon, said master daemon selecting said configured domains by utilizing said attributes of the requests; and
  
  causing said master daemon to respond to selected ones of said requests to perform at least one of the following actions on at least one of said computing systems;
  
  instantiating at least one daemon;
  
  instantiating at least one subordinate daemon;
  
  instantiating at least one process;
  
  instantiating at least one subordinate process;
  
  instantiating at least one subordinate thread;
  
  performing at least one other defined action;
  
  wherein said daemons, said subordinate daemons, said processes, said subordinate processes, said subordinate threads, and said other defined actions are constrained to operate within one of said configured domains at least as restrictive as the configured domain of said master daemon.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12)
- - 6. The method according to claim 5 wherein at least one of said computing systems is local to said master daemon.
  - 7. The method according to claim 6 wherein at least one of said computing systems is on said network and is remote from said master daemon.
  - 8. The method according to claim 5 wherein at least one of said computing systems is on said network and is remote from said master daemon.
  - 9. The method according to claim 8 further including the step of:
    - causing said master daemon to respond to selected ones of said requests to perform a defined action on said remote computing system.
  - 10. The method according to claim 9, wherein said master daemon is further operative to:
    - control functionality of all said instantiated daemons, subordinate daemons, processes, subordinate processes, subordinate threads and said defined actions on selected ones of said operating systems on computer systems connected to said network.
  - 11. In an operating system on a computing system connected to a network of computing systems according to claim 10, wherein said master daemon is further operative to:
    - interface with said local computing system and said remote computing systems to maintain centralized and coordinated unconditional access to auditing subsystems of said computing systems connected to said network of computing systems.
  - 12. The method according to claims 5-11 wherein said selected domains are further defined by at least one of a security label, a set of security labels, a lattice of security labels, a group of security labels, a range of security labels, a combination of collections of security labels, and other defined constructs.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Polysecure Systems Incorporated
Original Assignee
Polysecure Systems Incorporated
Inventors
Bourgeois, Fred J. III
Primary Examiner(s)
An, Meng-Al T.
Assistant Examiner(s)
ZHEN, LI B

Application Number

US09/588,801
Time in Patent Office

1,736 Days
Field of Search

718/101, 713/200, 709/225, 709/222
US Class Current

718/101
CPC Class Codes

G06F 21/52 during program execution, e...

G06F 9/468 Specific access rights for ...

Method for implementing polyinstantiated access control in computer operating systems

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

18 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Method for implementing polyinstantiated access control in computer operating systems

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links