Method and apparatus for implementing process-based security in a computer system

US 7,249,379 B2
Filed: 02/01/2002
Issued: 07/24/2007
Est. Priority Date: 02/01/2002
Status: Active Grant

First Claim

Patent Images

1. A method of providing security to a resource of a computer, comprising:

receiving a request from a process having a requesting process path to access the resource of the computer, wherein the requesting process path does not identify the resource;

accessing data stored in a memory area in response to the received request, the data comprising a resource access table having an ordered list of entries specifying process paths using one or more meta symbols, and specifying access rights to resources available to requesting processes having matching paths;

determining, based on the requesting process path and the resource access table, a level of access to the resource for the requesting process by searching the list of entries in order to find a first entry in the resource access table matching the requesting process path, wherein the determining comprises;

evaluating a process path specified by an entry in the resource allocation table by using the one or more meta symbols, wherein the one or more meta symbols represent one or more of the following;

substituting an identification of a user of the requesting process for one or more meta symbols in the evaluated path, ignoring one or more parts of the requesting process path when determining if the requesting process path matches the evaluated path, and specifying a directory, resource name, and/or filename extension in the evaluated path to which the requesting process path is to be matched; and

determining if the requesting process path matches the evaluated process path; and

providing, to the process, access rights to the resource specified by the matching first entry.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is disclosed for providing process-based security in a special purpose computer system, comprising the steps of: configuring the special purpose computer with an operating system and at least one application for operation as a computer appliance; associating a resource access table with the at least one application, addressable by the at least one application, containing statements corresponding to predetermined requests for access to at least a one specified resource during running of the at least one application wherein the resource access table statements include information defining an execution path for the at least one application; interpreting the resource access table statements upon a request for the specified resource by the at least one application, wherein at least one of the statements in the resource access table provides for performing a security check prior to granting access to the specified resource; and causing the execution of the at least one application, upon granting access to the requested resource, including the use of the requested resource according to the execution path statements in the resource access table.

76 Citations

View as Search Results

25 Claims

1. A method of providing security to a resource of a computer, comprising:
- receiving a request from a process having a requesting process path to access the resource of the computer, wherein the requesting process path does not identify the resource;
  
  accessing data stored in a memory area in response to the received request, the data comprising a resource access table having an ordered list of entries specifying process paths using one or more meta symbols, and specifying access rights to resources available to requesting processes having matching paths;
  
  determining, based on the requesting process path and the resource access table, a level of access to the resource for the requesting process by searching the list of entries in order to find a first entry in the resource access table matching the requesting process path, wherein the determining comprises;
  
  evaluating a process path specified by an entry in the resource allocation table by using the one or more meta symbols, wherein the one or more meta symbols represent one or more of the following;
  
  substituting an identification of a user of the requesting process for one or more meta symbols in the evaluated path, ignoring one or more parts of the requesting process path when determining if the requesting process path matches the evaluated path, and specifying a directory, resource name, and/or filename extension in the evaluated path to which the requesting process path is to be matched; and
  
  determining if the requesting process path matches the evaluated process path; and
  
  providing, to the process, access rights to the resource specified by the matching first entry.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the requesting process path is an execution path.
  - 3. The method of claim 1, wherein a single resource access table is stored in the memory area for each process.
  - 4. The method of claim 1, wherein evaluating the process path comprises:
    - expanding the one or more meta symbols.
  - 5. The method of claim 1, wherein the data stored in the memory area includes a plurality of resource access tables, each of the plurality of resource access tables corresponding to a particular process and specifying one or more dynamic paths associated with the particular process, each of the one or more dynamic paths corresponding to a particular resource that is accessible by the particular process.
  - 6. The method of claim 5, wherein accessing the data stored in the memory area comprises:
    - accessing a resource access table corresponding to the process that requests access to the resource.
  - 7. The method of claim 6, wherein determining the level of access to the resource comprises:
    - searching the accessed resource access table for a dynamic path that corresponds to the resource to which the process requests access.
  - 8. The method of claim 1, wherein the resource of the computer is access to functionality provided by a second process executing on the computer.
  - 9. The method of claim 1, further comprising:
    - binding the specified access rights to the process at the time the process is initiated.

10. A system for providing security to a resource of a computer, comprising:
- a memory area for storing data, the data comprising a resource access table having an ordered list of entries specifying process paths using one or more meta symbols and specifying access rights to resources available to requesting processes having matching paths;
  
  an interface module for receiving a request from a process having a requesting process path to access the resource of the computer, wherein the requesting process path does not identify the resource;
  
  an assessment module for determining, based on the requesting process path and the resource access table, a level of access to the resource for the process by searching the list of entries in order to find a first entry matching the requesting process path, the assessment module adapted to evaluate a process path specified by an entry in the resource allocation table by using the one or more meta symbols, and to determine if the requesting process path matches the evaluated process path, wherein the one or more meta symbols represent one or more of the following;
  
  substituting an identification of a user of the requesting process for one or more meta symbols in the evaluated path, ignoring one or more parts of the requesting process path when determining if the requesting process path matches the evaluated path, and specifying a directory, resource name, and/or filename extension in the evaluated path to which the requesting process path is to be matched; and
  
  a security module for providing, to the process, access rights to the resource specified by the first matching entry.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The system of claim 10, wherein the first process path is an execution path.
  - 12. The system of claim 10, wherein a single resource access table is stored in the memory area for each requesting process.
  - 13. The system of claim 10, wherein the assessment module is adapted to evaluate the process path by expanding the one or more meta symbols.
  - 14. The system of claim 10, wherein the data stored in the memory area includes a plurality of resource access tables, each of the plurality of resource access tables corresponding to a particular process and specifying one or more dynamic paths associated with the particular process, each of the one or more dynamic paths corresponding to a particular resource that is accessible by the particular process.
  - 15. The system of claim 14, wherein the assessment module is adapted to:
    - access a resource access table corresponding to the process that requests access to the resource; and
      
      search the accessed resource access table for a dynamic path that corresponds to the resource to which the process requests access.
  - 16. The system of claim 10, wherein the resource of the computer is access to functionality provided by a second process executing on the computer.
  - 17. The system of claim 10, wherein the security module is adapted to bind the specified access rights to the process at the time the process is initiated.

18. A computer program product having a computer-readable storage medium having embodied thereon program code for providing security to a resource of a computer, the program code comprising:
- an interface module for receiving a request from a process having a requesting process path to access the resource of the computer, wherein the requesting process path does not identify the resource;
  
  an assessment module for determining, based on the requesting process path and data stored in a memory area, a level of access to the resource for the process, the stored data comprising a resource access table having an ordered list of entries specifying process paths and specifying access rights to resources available to processes-having matching paths, the assessment module adapted to evaluate a process path specified by an entry in the resource allocation table by using one or more meta symbols, and to determine if the requesting process path matches the evaluated process path, wherein the one or more meta symbols represent one or more of the following;
  
  substituting an identification of a user of the requesting process for one or more meta symbols in the evaluated path, ignoring one or more parts of the requesting process path when determining if the requesting process path matches the evaluated path, and specifying a directory, resource name, and/or filename extension in the evaluated path to which the requesting process path is to be matched; and
  
  a security module for providing, to the process, access rights to the resource specified by the matching first entry.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25)
- - 19. The computer program product of claim 18, wherein the requesting process path is an execution path.
  - 20. The computer program product of claim 18, wherein a single resource access table is stored in the memory area for each process.
  - 21. The computer program product of claim 18, wherein the assessment module is adapted to evaluate the process path by expanding the one or more meta symbols.
  - 22. The computer program product of claim 18, wherein the data stored in the memory area includes a plurality of resource access tables, each of the plurality of resource access tables corresponding to a particular process and specifying one or more dynamic paths associated with the particular process, each of the one or more dynamic paths corresponding to a particular resource that is accessible by the particular process.
  - 23. The computer program product of claim 22, wherein the assessment module is adapted to:
    - access a resource access table corresponding to the process that requests access to the resource; and
      
      search the accessed resource access table for a dynamic path that corresponds to the resource to which the process requests access.
  - 24. The computer program product of claim 18, wherein the resource of the computer is access to functionality provided by a second process executing on the computer.
  - 25. The computer program product of claim 18, wherein the security module is adapted to bind the specified access rights to the process at the time the process is initiated.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAGEFirst, Inc.
Original Assignee
Systems Advisory Group Enterprises Incorporated
Inventors
Larsen, Vincent Alan
Primary Examiner(s)
Sheikh; Ayaz
Assistant Examiner(s)
Chen; Shin-Hon

Application Number

US10/061,701
Publication Number

US 20030154397A1
Time in Patent Office

1,999 Days
Field of Search

713/193, 713/202, 713164-167, 709/229, 709/223, 726 16- 20, 726/27, 726/22
US Class Current

726/22
CPC Class Codes

G06F 21/6218 to a system of files or obj...

G06F 2221/2141 Access rights, e.g. capabil...

Method and apparatus for implementing process-based security in a computer system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

76 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for implementing process-based security in a computer system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

76 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links