Method for implementing polyinstantiated access control in computer operating systems
First Claim
1. In an operating system on a computing system wherein requests are in the form of encapsulated information, a method for controlling access to actions and objects within the computing system, said computing system providing facilities for the instantiation of said objects and performance of said actions, said method comprising:
configuring selected domains on said computing system as configured domains, each one of said configured domains comprising a higher-order multidimensional domain space, for segregating system operational functionality according to defined operational boundaries, said operational boundaries defined by mapping attributes of the requests into individual domains;
providing a master daemon, said master daemon selecting said configured domains by utilizing said attributes of the requests; and
causing said master daemon to respond to selected ones of said requests to perform at least one of the following actions on said computing system:
instantiating on said operating system at least one subordinate daemon;
instantiating on said operating system at least one subordinate process;
instantiating on said operating system at least one subordinate thread;
performing at least one other defined action;
wherein said subordinate daemons, said subordinate processes, said subordinate threads, and said other defined actions are constrained to operate within one of said configured domains at least as restrictive as the configured domain of said master daemon.
Abstract
A master daemon (a dedicated program component) is provided for a computer operating system which utilizes selected criteria to perform actions in one or more domains, as defined. The master daemon provides application program interfaces (APIs or facilities) and monitors all requests (for which the master daemon is configured) directed to the associated computing base including the operating system. All requests are in the form of encapsulated information as defined. In general, the master daemon, in response to such requests, performs the actions, each constrained to operate exclusively in a single domain. Selected criteria that may be contained in encapsulated information may define a higher-order multidimensional domain space for segregating system operational functionality according to configured boundaries. Multiple instances of actions may exist simultaneously in the same domain in the associated computing base, with the master daemon performing the actions for each request as required in each selected domain. According to a specific embodiment, as prompted by limitations in a purportedly multilevel secure operating system normally directly responsive to autonomous daemons, security is improved through an augmentation applied to the operating system in the form of a master daemon and operative according to a method for controlling access to domains. More specifically, a domain may be configured using constructs of security labels and other criteria.
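The abstract describes the core mechanism in prose: a master daemon maps attributes of an incoming request into a configured domain, spawns (or reuses) a subordinate daemon bound to that domain, and refuses anything that would land in a domain less restrictive than its own, while several instances of the same service can coexist in different domains (polyinstantiation). The following Python simulation is an added example written for this page; it is not code from the patent. It assumes a domain is a pair of a multilevel-security label (sensitivity level plus compartment set, with the usual lattice dominance rule) and a service name, and all service names, levels and compartments in it are constructed sample values.

```python
"""Simulation of a master daemon that polyinstantiates subordinate daemons per
security domain.  Added example; labels, compartments and service names are
constructed for illustration and are not taken from the patent."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    """MLS-style security label: a sensitivity level and a set of compartments."""
    level: int
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True when self is at least as restrictive as other (lattice dominance)."""
        return self.level >= other.level and self.compartments >= other.compartments


@dataclass(frozen=True)
class Domain:
    """One point in the (assumed) two-dimensional domain space: label x service."""
    label: Label
    service: str


@dataclass
class Subordinate:
    """A subordinate daemon instantiated by the master and confined to one domain."""
    service: str
    domain: Domain
    pid: int


class MasterDaemon:
    def __init__(self, own_label: Label, configured):
        self.label = own_label            # the master's own configured domain label
        self.configured = set(configured) # domains the administrator has configured
        self.instances = {}               # domain -> Subordinate (one per domain)
        self.audit = []                   # decisions, for inspection by a defender
        self._next_pid = 1000             # simulated process ids

    def _select_domain(self, request: dict):
        """Map the request's attributes into a configured domain, or None."""
        label = Label(request["level"], frozenset(request.get("compartments", ())))
        domain = Domain(label, request["service"])
        return domain if domain in self.configured else None

    def handle(self, request: dict):
        """Respond to one encapsulated request: deny, reuse, or spawn a subordinate."""
        domain = self._select_domain(request)
        if domain is None:
            self.audit.append(("deny", "unconfigured domain", request))
            return None
        # The subordinate must run in a domain at least as restrictive as the master's.
        if not domain.label.dominates(self.label):
            self.audit.append(("deny", "less restrictive than master", request))
            return None
        if domain in self.instances:
            self.audit.append(("reuse", domain))
            return self.instances[domain]
        sub = Subordinate(request["service"], domain, self._next_pid)
        self._next_pid += 1
        self.instances[domain] = sub
        self.audit.append(("spawn", domain))
        return sub


def demo():
    """Drive the master with constructed requests and return what happened."""
    unclass = Label(0)
    secret = Label(2, frozenset({"crypto"}))
    top = Label(3, frozenset({"crypto"}))
    master = MasterDaemon(Label(1), configured=[
        Domain(unclass, "ftpd"), Domain(secret, "ftpd"), Domain(top, "ftpd")])
    a = master.handle({"service": "ftpd", "level": 2, "compartments": ["crypto"]})
    b = master.handle({"service": "ftpd", "level": 3, "compartments": ["crypto"]})
    c = master.handle({"service": "ftpd", "level": 2, "compartments": ["crypto"]})
    d = master.handle({"service": "ftpd", "level": 0})   # below the master's label
    e = master.handle({"service": "sshd", "level": 2})   # no such configured domain
    return master, a, b, c, d, e


if __name__ == "__main__":
    m, *_ = demo()
    for entry in m.audit:
        print(entry)
```

Running `demo()` leaves two `ftpd` subordinates alive at once, one per domain, which is the polyinstantiation the abstract describes; the repeated request for the secret/crypto domain is served by the existing instance rather than a new one, and the two denials are recorded in the audit list, which is where a defender would look to see which requests tried to reach a domain that was never configured or that the master is not permitted to serve.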
12 Claims
5. In an operating system on a computing system connected to a network of computing systems wherein requests are in the form of encapsulated information, a method for controlling access to actions and objects within any of the computing systems, said computing systems providing facilities for the remote instantiation of said objects and performance of said actions, said method comprising:
configuring selected domains on at least one of said computing systems as configured domains, each one of said configured domains comprising a higher-order multidimensional domain space for segregating system operational functionality according to defined operational boundaries, said operational boundaries defined by mapping attributes of the requests into individual operating domains;
providing a master daemon, said master daemon selecting said configured domains by utilizing said attributes of the requests; and
causing said master daemon to respond to selected ones of said requests to perform at least one of the following actions on at least one of said computing systems:
instantiating at least one daemon;
instantiating at least one subordinate daemon;
instantiating at least one process;
instantiating at least one subordinate process;
instantiating at least one subordinate thread;
performing at least one other defined action;
wherein said daemons, said subordinate daemons, said processes, said subordinate processes, said subordinate threads, and said other defined actions are constrained to operate within one of said configured domains at least as restrictive as the configured domain of said master daemon.