Method and apparatus for implementing process-based security in a computer system
Abstract
A method is disclosed for providing process-based security in a special purpose computer system, comprising the steps of: configuring the special purpose computer with an operating system and at least one application for operation as a computer appliance; associating a resource access table with the at least one application, addressable by the at least one application, containing statements corresponding to predetermined requests for access to at least one specified resource during running of the at least one application wherein the resource access table statements include information defining an execution path for the at least one application; interpreting the resource access table statements upon a request for the specified resource by the at least one application, wherein at least one of the statements in the resource access table provides for performing a security check prior to granting access to the specified resource; and causing the execution of the at least one application, upon granting access to the requested resource, including the use of the requested resource according to the execution path statements in the resource access table.
25 Claims
1. A method of providing security to a resource of a computer, comprising:
receiving a request from a process having a requesting process path to access the resource of the computer, wherein the requesting process path does not identify the resource;
accessing data stored in a memory area in response to the received request, the data comprising a resource access table having an ordered list of entries specifying process paths using one or more meta symbols, and specifying access rights to resources available to requesting processes having matching paths;
determining, based on the requesting process path and the resource access table, a level of access to the resource for the requesting process by searching the list of entries in order to find a first entry in the resource access table matching the requesting process path, wherein the determining comprises;
evaluating a process path specified by an entry in the resource allocation table by using the one or more meta symbols, wherein the one or more meta symbols represent one or more of the following;
substituting an identification of a user of the requesting process for one or more meta symbols in the evaluated path, ignoring one or more parts of the requesting process path when determining if the requesting process path matches the evaluated path, and specifying a directory, resource name, and/or filename extension in the evaluated path to which the requesting process path is to be matched; and
determining if the requesting process path matches the evaluated process path; and
providing, to the process, access rights to the resource specified by the matching first entry.
10. A system for providing security to a resource of a computer, comprising:
a memory area for storing data, the data comprising a resource access table having an ordered list of entries specifying process paths using one or more meta symbols and specifying access rights to resources available to requesting processes having matching paths;
an interface module for receiving a request from a process having a requesting process path to access the resource of the computer, wherein the requesting process path does not identify the resource;
an assessment module for determining, based on the requesting process path and the resource access table, a level of access to the resource for the process by searching the list of entries in order to find a first entry matching the requesting process path, the assessment module adapted to evaluate a process path specified by an entry in the resource allocation table by using the one or more meta symbols, and to determine if the requesting process path matches the evaluated process path, wherein the one or more meta symbols represent one or more of the following;
substituting an identification of a user of the requesting process for one or more meta symbols in the evaluated path, ignoring one or more parts of the requesting process path when determining if the requesting process path matches the evaluated path, and specifying a directory, resource name, and/or filename extension in the evaluated path to which the requesting process path is to be matched; and
a security module for providing, to the process, access rights to the resource specified by the first matching entry.
18. A computer program product having a computer-readable storage medium having embodied thereon program code for providing security to a resource of a computer, the program code comprising:
an interface module for receiving a request from a process having a requesting process path to access the resource of the computer, wherein the requesting process path does not identify the resource;
an assessment module for determining, based on the requesting process path and data stored in a memory area, a level of access to the resource for the process, the stored data comprising a resource access table having an ordered list of entries specifying process paths and specifying access rights to resources available to processes having matching paths, the assessment module adapted to evaluate a process path specified by an entry in the resource allocation table by using one or more meta symbols, and to determine if the requesting process path matches the evaluated process path, wherein the one or more meta symbols represent one or more of the following;
substituting an identification of a user of the requesting process for one or more meta symbols in the evaluated path, ignoring one or more parts of the requesting process path when determining if the requesting process path matches the evaluated path, and specifying a directory, resource name, and/or filename extension in the evaluated path to which the requesting process path is to be matched; and
a security module for providing, to the process, access rights to the resource specified by the matching first entry.
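An added example, not taken from the patent, of the ordered first-match lookup that claims 1, 10 and 18 recite: entries are evaluated in order against the requesting process path, and the first match alone decides the rights. The meta-symbol notation (`%u`, `*`, `**`), the no-access default and the sample table are assumptions made for illustration.

```python
import posixpath
import re

# Assumed meta-symbol notation (the claims describe behaviours, not syntax):
#   %u -> user id of the requesting process
#   ** -> ignore any number of path components
#   *  -> ignore any characters within one component (name or extension)
def evaluate_entry(pattern, user):
    """Turn one entry's process path into a regex for the given user."""
    parts = []
    for tok in re.split(r"(%u|\*\*|\*)", pattern):
        if tok == "%u":
            parts.append(re.escape(user))
        elif tok == "**":
            parts.append(".*")
        elif tok == "*":
            parts.append("[^/]*")
        else:
            parts.append(re.escape(tok))
    return re.compile("".join(parts))

def access_rights(table, process_path, user, resource):
    """Rights on `resource` taken from the first entry matching the process path."""
    # Lexical normalisation only; symlinks are not resolved here.
    path = posixpath.normpath(process_path)
    for pattern, grants in table:  # ordered search: the first match decides
        if evaluate_entry(pattern, user).fullmatch(path):
            # Assumption: a resource the entry does not list gets no rights.
            return grants.get(resource, frozenset())
    return frozenset()  # assumption: no matching entry means no access

RW, RO = frozenset({"read", "write"}), frozenset({"read"})
# Constructed table; every path and right below is illustrative.
TABLE = [
    ("/opt/appliance/bin/logd",    {"/var/log/app.log": RW}),
    ("/home/%u/bin/*.sh",          {"/var/log/app.log": RO}),
    ("/opt/appliance/**",          {"/etc/appliance.conf": RO}),
    ("/opt/appliance/bin/updater", {"/etc/appliance.conf": RW}),  # shadowed by the entry above
]

if __name__ == "__main__":
    for proc, user, res in [
        ("/opt/appliance/bin/logd", "svc", "/var/log/app.log"),
        ("/home/alice/bin/rotate.sh", "alice", "/var/log/app.log"),
        ("/home/alice/bin/rotate.sh", "bob", "/var/log/app.log"),
        ("/opt/appliance/bin/updater", "svc", "/etc/appliance.conf"),
    ]:
        print(proc, user, res, sorted(access_rights(TABLE, proc, user, res)))
```

Because the search stops at the first matching entry, the broad `/opt/appliance/**` entry shadows the later `updater` entry, so anyone reviewing such a table has to read it in order.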
Specification