Policies for secure software execution
First Claim
1. A computer-implemented method, comprising:
receiving a request to access a software file that includes executable code, the request including a type of access desired by a user for the software file;
performing a user-credential based access check to determine normal security privileges and access rights of the user for the software file;
thereafter, performing a file-classification based access check to determine whether the user's normal security privileges and access rights should be modified to include a subset of the user's normal security privileges and access rights for the software file, comprising:
obtaining a file classification corresponding to the software file for which the access request was received;
searching a rule set for the received file classification, the rule set providing security rules for a variety of software files which may have executable code, and the security rules being based on file classifications corresponding to the variety of software files; and
locating a rule in the rule set which matches the received file classification, the rule having a security level associated therewith;
associating the security level with the software file; and
controlling execution of the executable code of the software file based on the security level associated with the software file.
Abstract
A system and method that automatically, transparently and securely controls software execution by identifying and classifying software, and locating a rule and associated security level for executing executable software. The security level may disallow the software's execution, restrict the execution to some extent, or allow unrestricted execution. To restrict software, a restricted access token may be computed that reduces software's access to resources, and/or removes privileges, relative to a user's normal access token. The rules that control execution for a given machine or user may be maintained in a restriction policy, e.g., locally maintained and/or in a group policy object distributable over a network. Software may be identified/classified by a hash of its content, by a digital signature, by its file system or network path, and/or by its URL zone. For software having multiple classifications, a precedence mechanism is provided to establish the applicable rule/security level.
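The abstract and claim 1 describe a two-stage decision: the ordinary credential-based access check runs first, then a classification-based lookup in a rule set chooses a security level that can only narrow the user's normal privileges. The following Python model is an added example, not code from the patent or from any product implementing it; it shows the four classification kinds the abstract names (content hash, signer, path, URL zone), a rule set with one level per rule, a precedence step for files that carry several classifications, and the derivation of a restricted token as a strict subset of the normal one. The precedence order (hash, then signer, then path, then zone), the longest-path and most-restrictive tie-breakers, the group and privilege names, the POSIX-style paths and the sample policy are all assumptions made for the example; the page specifies none of them.

```python
import hashlib
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

class SecurityLevel(IntEnum):
    DISALLOWED = 0    # execution refused outright
    RESTRICTED = 1    # runs with a reduced-privilege token
    UNRESTRICTED = 2  # runs with the user's normal token

HASH, SIGNER, PATH, ZONE = "hash", "signer", "path", "zone"
# Assumed precedence (not stated on the page): the more specific classification wins.
PRECEDENCE = {HASH: 0, SIGNER: 1, PATH: 2, ZONE: 3}

@dataclass(frozen=True)
class Rule:
    kind: str
    match: str            # hex digest, signer name, path prefix, or zone name
    level: SecurityLevel

@dataclass
class SoftwareFile:
    path: str
    content: bytes
    zone: str = "LocalMachine"
    signer: Optional[str] = None

@dataclass
class Token:
    user: str
    groups: frozenset
    privileges: frozenset

def classify(f: SoftwareFile):
    """Every classification the file carries: content hash, path, URL zone and (if signed) signer."""
    classes = [(HASH, hashlib.sha256(f.content).hexdigest()), (PATH, f.path), (ZONE, f.zone)]
    if f.signer:
        classes.append((SIGNER, f.signer))
    return classes

def rule_matches(rule: Rule, kind: str, value: str) -> bool:
    if rule.kind != kind:
        return False
    if kind == PATH:  # a path rule covers the file itself and everything below the directory
        prefix = rule.match.rstrip("/")
        return value == prefix or value.startswith(prefix + "/")
    return rule.match.lower() == value.lower()

def find_rule(rules, f: SoftwareFile) -> Optional[Rule]:
    """Locate the applicable rule when several classifications match (assumed precedence)."""
    candidates = []
    for kind, value in classify(f):
        for r in rules:
            if rule_matches(r, kind, value):
                # key: kind precedence, then longer (more specific) path, then stricter level
                specificity = -len(r.match) if kind == PATH else 0
                candidates.append((PRECEDENCE[kind], specificity, int(r.level), r))
    if not candidates:
        return None
    return min(candidates, key=lambda c: c[:3])[3]

def user_credential_check(token: Token, acl: dict, access: str) -> bool:
    """Stage 1: the normal DACL-style check. Some principal of the user must grant the access."""
    principals = {token.user} | set(token.groups)
    return any(access in acl.get(p, set()) for p in principals)

def restricted_token(token: Token, level: SecurityLevel) -> Optional[Token]:
    """Token the code runs with; for RESTRICTED it is a strict subset of the normal token."""
    if level == SecurityLevel.DISALLOWED:
        return None
    if level == SecurityLevel.UNRESTRICTED:
        return token
    # Assumed restriction: drop all privileges and the powerful groups (group names are illustrative)
    return Token(token.user, token.groups - {"Administrators", "Power Users"}, frozenset())

def authorize_execution(token: Token, f: SoftwareFile, acl: dict, rules,
                        access: str = "execute",
                        default: SecurityLevel = SecurityLevel.UNRESTRICTED):
    """Stage 1 (credentials) then stage 2 (classification); returns (outcome, effective token)."""
    if not user_credential_check(token, acl, access):
        return "denied_by_acl", None
    rule = find_rule(rules, f)
    level = rule.level if rule else default   # no matching rule: policy default applies
    return level.name, restricted_token(token, level)

# Constructed sample policy, ACL and user; none of these values come from the page.
TRUSTED_UPDATER = b"MZ hypothetical updater bytes"
POLICY = [
    Rule(ZONE, "Internet", SecurityLevel.DISALLOWED),
    Rule(PATH, "/opt/tools", SecurityLevel.RESTRICTED),
    Rule(PATH, "/opt/tools/approved", SecurityLevel.UNRESTRICTED),
    Rule(SIGNER, "Example Corp Code Signing", SecurityLevel.UNRESTRICTED),
    Rule(HASH, hashlib.sha256(TRUSTED_UPDATER).hexdigest(), SecurityLevel.UNRESTRICTED),
]
ACL = {"Users": {"read", "execute"}, "Administrators": {"read", "write", "execute"}}
ALICE = Token("alice", frozenset({"Users", "Administrators"}), frozenset({"SeDebugPrivilege"}))

if __name__ == "__main__":
    for sample in (SoftwareFile("/opt/tools/scan", b"scanner"),
                   SoftwareFile("/opt/tools/approved/build", b"build tool"),
                   SoftwareFile("/home/alice/dl/setup", b"installer", zone="Internet"),
                   SoftwareFile("/home/alice/dl/upd", TRUSTED_UPDATER, zone="Internet")):
        outcome, tok = authorize_execution(ALICE, sample, ACL, POLICY)
        print(f"{sample.path:30} {outcome:13} {tok.groups if tok else '-'}")
```

Two properties worth checking in the sample run: the hash rule for the updater overrides the zone rule that would otherwise disallow everything from the Internet zone, and the RESTRICTED token never gains anything the normal token lacked, which is the "subset of the user's normal security privileges" requirement in the claim.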
74 Claims
1. A computer-implemented method, comprising:
receiving a request to access a software file that includes executable code, the request including a type of access desired by a user for the software file; performing a user-credential based access check to determine normal security privileges and access rights of the user for the software file; thereafter, performing a file-classification based access check to determine whether the user's normal security privileges and access rights should be modified to include a subset of the user's normal security privileges and access rights for the software file, comprising: obtaining a file classification corresponding to the software file for which the access request was received; searching a rule set for the received file classification, the rule set providing security rules for a variety of software files which may have executable code, and the security rules being based on file classifications corresponding to the variety of software files; and locating a rule in the rule set which matches the received file classification, the rule having a security level associated therewith; associating the security level with the software file; and controlling execution of the executable code of the software file based on the security level associated with the software file.
Dependent claims: 2 through 39.

40. Computer storage media having computer-executable instructions stored thereon that when executed by a computing system perform a method comprising:
receiving a request to access a software file that includes executable code, the request including a type of access desired by a user for the software file; performing a user-credential based access check to determine normal security privileges and access rights of the user for the software file; thereafter, performing a file-classification based access check to determine whether the user's normal security privileges and access rights should be modified to include a subset of the user's normal security privileges and access rights for the software file, comprising: obtaining a file classification corresponding to the software file for which the access request was received; searching a rule set for the received file classification, the rule set providing security rules for a variety of software files which may have executable code, and the security rules being based on file classifications corresponding to the variety of software files; and locating a rule in the rule set which matches the received file classification, the rule having a security level associated therewith; associating the security level with the software file; and controlling execution of the executable code of the software file based on the security level associated with the software file.

41. A computer-implemented method, comprising:
providing a plurality of rules for executable software files, each rule having a security level associated therewith; receiving a request to access a particular software file that includes code; performing a user-credential based access check to determine normal security privileges and access rights of the user for the particular software file; thereafter, performing a file-classification based access check to determine whether the user's normal security privileges and access rights should be modified to include a subset of the user's normal security privileges and access rights for the particular software file, comprising: searching a rule set for an applicable rule to apply to the software file, the rule set providing security rules for a variety of software files which may have executable code, and the security rules being based on file classifications corresponding to the variety of software files; determining which rule applies to the particular software file based on a file classification of that software file; and associating the particular software file with execution information corresponding to the security level to control the software file's runtime capabilities.
Dependent claims: 42 through 52.

53. Computer storage media having computer-executable instructions stored thereon that when executed by a computing system, perform a method comprising:
providing a plurality of rules for executable software files, each rule having a security level associated therewith; receiving a request to access a particular software file that includes executable code; performing a user-credential based access check to determine normal security privileges and access rights of the user for the software file; thereafter, performing a file-classification based access check to determine whether the user's normal security privileges and access rights should be modified to include a subset of the user's normal security privileges and access rights for the software file, comprising: searching a rule set for an applicable rule to apply to the software file, the rule set providing security rules for a variety of software files which may have executable code, and the security rules being based on file classifications corresponding to the variety of software files; determining which rule applies to the particular software file based on a file classification of that software file; and associating the particular software file with execution information corresponding to the security level to control the software file's runtime capabilities.

54. A computer system having a processor that executes a security mechanism, the computer system comprising:
means for implementing a set of at least one function, each function of the set being configured to receive a request relating to executing a software file, the software file being associated with software classification information, the software classification information being indicative of at least some executable code within the software file; means for establishing a policy container having a plurality of rules therein, the plurality of rules applying to a variety of software files which may have executable code and being based on a file classification corresponding to the variety of software files, each rule being associated with a security level; and means for implementing an enforcement mechanism configured for communication with each function of the set of functions, the implemented enforcement mechanism being further configured to: perform a user-credential based access check to determine normal security privileges and access rights of the user for the software file; obtain software classification information associated with the software file from a function of the set; after performing the user-credential based access check, consult the policy container to locate a rule based on the software classification; and associate security information with the software file, the security information based on the security level associated with the rule.
Dependent claims: 55 through 74.
Specification