Method and system for providing restricted access to a storage medium

DC CAFC

US 7,536,524 B2
Filed: 07/07/2006
Issued: 05/19/2009
Est. Priority Date: 07/31/1998
Status: Expired due to Term

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A method for applying an operation access privilege to a storage medium, comprising:

associating an access privilege with at least a portion of the storage medium;

intercepting an attempted operation on said at least a portion of the storage medium, wherein said intercepting occurs regardless of an identity of a user attempting the attempted operation;

comparing the attempted operation to the access privilege; and

allowing, or denying the attempted operation based on comparing the attempted operation to the access privilege.

View all claims

2 Assignments

Timeline View

Assignment View

Litigations

2 Petitions

Accused Products

Abstract

A method of restricting file access is disclosed wherein a set of file write access commands are determined from data stored within a storage medium. The set of file write access commands are for the entire storage medium. Any matching file write access command provided to the file system for that storage medium results in an error message. Other file write access commands are, however, passed onto a device driver for the storage medium and are implemented. In this way commands such as file delete and file overwrite can be disabled for an entire storage medium.

Citations

32 Claims

1. A method for applying an operation access privilege to a storage medium, comprising:
- associating an access privilege with at least a portion of the storage medium;
  
  intercepting an attempted operation on said at least a portion of the storage medium, wherein said intercepting occurs regardless of an identity of a user attempting the attempted operation;
  
  comparing the attempted operation to the access privilege; and
  
  allowing, or denying the attempted operation based on comparing the attempted operation to the access privilege.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 2. The method according to claim 1, further comprising enforcing at least one policy.
  - 3. The method according to claim 2, further comprising managing an operation in regards to said at least one policy.
  - 4. The method according to claim 3, wherein said operation comprises at least one of:
    - creating a sub-directory, renaming a sub-directory, moving a sub-directory out, moving a sub-directory in, deleting-a subdirectory, creating a file, moving a file in, moving a file out, renaming a file, deleting a file, changing file attributes, changing file permissions, reading a file, writing a file, executing a file, appending a file, changing file permissions, overwriting a file, or browsing a directory.
  - 5. The method according to claim 2, wherein said at least one policy regards a new logical file, said policy comprising at least one of:
    - creating the new logical file with at least one associated access privilege for an operation enabled;
      
      ordisabling at least one enabled associated access privilege upon at least one of a close operation on said new logical file or an occurrence of an event.
  - 6. The method according to claim 2, wherein said enforcing comprises storing said at least one policy with at least one of:
    - an alternate data stream, an extended attribute, or a private data.
  - 7. The method according to claim 2, wherein said enforcing comprises at least one of:
    - including or excluding application of said at least one policy to said at least a portion of the storage medium based on an attribute of data.
  - 8. The method according to claim 7, wherein said attribute of data comprises at least one of:
    - a type comprising at least one of a MP3 file, an audio file, a multi-media file, a video file, a text file, or an image file;
      
      a data path;
      
      a data mask;
      
      a unique file identifier;
      
      ora logical data path.
  - 9. The method according to claim 2, wherein the policy comprises a retention policy comprising:
    - applying a restricted state to the portion of the storage medium;
      
      preventing modification of the restricted state portion of the storage medium; and
      
      associating a time of expiration with the restricted state portion of the storage medium.
  - 10. The method according to claim 9, wherein said applying a restricted state comprises at least one of:
    - triggering initiation of said applying;
      
      triggering initiation of said applying upon a occurrence of an event or a state of a data attribute;
      
      triggering initiation of said applying on a user command;
      
      triggering initiation of said applying on a file when it is first created;
      
      triggering initiation of said applying on a file when it is first opened and closed;
      
      triggering initiation of said applying on a file when a read-only attribute is set;
      
      setting a restricted state flag associated with a file;
      
      orsetting a read-only attribute associated with a file.
  - 11. The method according to claim 9, wherein preventing modification of the restricted state portion of the storage medium comprises at least one of:
    - preventing renaming, preventing moving, preventing overwriting, preventing overwriting zero length, preventing deleting, preventing at least one form of modification, preventing at least one form of modification of user data, preventing all forms of modification, preventing all forms of modification of user data, or allowing modification of non-user data, of the restricted state portion of the storage medium in the restricted state.
  - 12. The method according to claim 9, wherein the retention policy comprises:
    - determining the restricted state portion of the storage medium is in an unexpired restricted state when the associated time of expiration is associated with at least one of;
      
      a fixed point in time in the future, an indefinite time of expiration, or an infinite time of expiration; and
      
      preventing modification of the unexpired restricted state portion of the storage medium.
  - 13. The method according to claim 9, wherein the retention policy comprises:
    - determining the restricted state portion of the storage medium is in an expired restricted state when the associated time of expiration is associated with a fixed time of expiration in the past;
      
      preventing modification of the expired restricted state portion of the storage medium; and
      
      allowing deletion of the expired restricted state portion of the storage medium.
  - 14. The method according to claim 9, wherein said associating a time of expiration comprises at least one of:
    - assigning said time of expiration by at least one of a user or an external application;
      
      assigning a fixed point in time for said time of expiration;
      
      assigning a fixed point in time for said time of expiration, wherein the fixed point in time is offset by a period of time;
      
      assigning a fixed point in time in the past for said time of expiration;
      
      assigning a fixed point in time in the future for said time of expiration;
      
      assigning an indefinite time of expiration;
      
      assigning an infinite time of expiration;
      
      preventing assigning a fixed point in time associated with a point in time before an existing associated fixed point in time; and
      
      preventing assigning a fixed point in time if the time of expiration is associated with an infinite time of expiration.
  - 15. The method according to claim 9 wherein said retention policy comprises at least one of:
    - deriving said time of expiration from a last access date and time of the portion of the storage medium wherein the retention policy comprises at least one of;
      
      associating an infinite time of expiration with said last access date and time equaling zero;
      
      associating an indefinite time of expiration with said last access date and time equaling said last modification time;
      
      associating said time of expiration with said last access date and time;
      
      orassociating said time of expiration with an offset of said last access date and time;
      
      orproviding said time of expiration from an independent time of the portion of the storage medium wherein the retention policy comprises at least one of;
      
      associating an infinite time of expiration with said independent time equaling 0xFFFFFFFFFFFFF or a maximum supported value;
      
      associating an indefinite time of expiration with said independent time equaling 00;
      
      00;
      
      00 Thursday. Jan, 1, 1970 or 0x0000000000000;
      
      associating said time of expiration with said independent time;
      
      orassociating said time of expiration with an offset of said independent time.
  - 16. The method according to claim 9, wherein said retention policy further comprises providing for holding a restricted state, wherein said holding comprises at least one of:
    - suspending expiration of the restricted state portion of the storage medium;
      
      suspending an unexpired restricted state portion of the storage medium from entering an expired restricted state;
      
      suspending the clearing of a read only attribute of the restricted state portion of the storage medium by setting a temporary attribute of the restricted state portion of the storage medium;
      
      orsuspending deletion of an expired restricted state portion of the storage medium.
  - 17. The method according to claim 9, wherein the retention policy further comprises a secure time routine, the routine comprising at least one of:
    - using a secure clock;
      
      maintaining a system clock comprising using a secure clock;
      
      verifying operation of a secure clock or authenticating a secure clock;
      
      denying at least one attempted operations if a secure clock can not be at least one of;
      
      verified or authenticated;
      
      orrunning a secure clock independent of a server.
  - 18. The method according to claim 1, wherein the allowing or denying said attempted operation further comprises identifying an attribute of data associated with said attempted operation.
  - 19. The method according to claim 1, further comprising creating at least one hash key to validate authenticity of said portion of the storage medium.
  - 20. The method according to claim 19, wherein said creating comprises creating said at least one hash key for all portions of the storage medium.
  - 21. The method according to claim 19, further comprising validating said at least one hash key in regards to said attempted operation.
  - 22. The method according to claim 1, further comprising at least one of:
    - encrypting or decrypting user data.
  - 23. The method according to claim 22, wherein said encrypting or decrypting is independent of a user or an application.
  - 24. The method according to claim 1, further comprising forcing a secure erasure for a delete operation on said at least a portion of the storage medium, wherein secure erasure comprises overwriting the contents of said at least a portion of the storage medium.
  - 25. The method according to claim 1, further comprising obfuscating user data by storing said user data in at least one of:
    - an alternate data stream or an alternate location.
  - 26. The method according to claim 1, further comprising preventing at least one of deinstallation or deletion of at least one of said intercepting, said comparing, or said allowing.
  - 27. The method according to claim 1, wherein said intercepting occurs at a file system layer.
  - 28. The method according to claim 1, further comprising prior to said step of intercepting an attempted operation, associating an application with said at least a portion of the storage medium and determining the application is permitted to attempt operations on said at least a portion of the storage medium.

29. A computer program product for applying an operation access privilege to a storage medium, the computer program product including program logic, which when executed on a computer performs a method, the method comprising:
- associating an access privilege with at least a portion of the storage medium;
  
  intercepting an attempted operation on said at least a portion of the storage medium, wherein said intercepting occurs regardless of an identity of a user attempting the attempted operation;
  
  comparing the attempted operation to the access privilege;
  
  allowing, or denying the attempted operation based on comparing the attempted operation to the access privilege; and
  
  enforcing at least one retention policy comprising;
  
  applying a restricted state to said at least a portion of the storage medium;
  
  preventing modification of the restricted state portion of the storage medium; and
  
  associating a time of expiration with the restricted state portion of the storage medium.
- View Dependent Claims (30, 31)
- - 30. The computer program product of claim 29, wherein the retention policy comprises:
    - determining the restricted state portion of the storage medium is in an unexpired restricted state when the associated time of expiration is associated with at least one of;
      
      a fixed point in time in the future, an indefinite time of expiration, or an infinite time of expiration; and
      
      preventing modification of the unexpired restricted state portion of the storage medium.
  - 31. The computer program product of claim 29, wherein the retention policy comprises:
    - determining the restricted state portion of the storage medium is in an expired restricted state when the associated time of expiration is associated with a fixed time of expiration in the past;
      
      preventing modification of the expired restricted state portion of the storage medium; and
      
      allowing deletion of the expired restricted state portion of the storage medium.

32. A system for applying an operation access privilege to a storage medium, comprising:
- means for associating an access privilege with at least a portion of the storage medium;
  
  means for intercepting an attempted operation on said at least a portion of the storage medium, wherein said intercepting occurs regardless of an identity of a user attempting the attempted operation;
  
  means for comparing the attempted operation to the access privilege;
  
  means for allowing, or denying the attempted operation based on comparing the attempted operation to the access privilege; and
  
  means for enforcing at least one retention policy comprising applying a restricted state to said at least a portion of the storage medium and preventing modification of the restricted state portion of the storage medium.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
KOM Software Inc.
Original Assignee
KOM Networks, Inc.
Inventors
Lulu, Yasser, Walker, Tony, Yaqun, Fu, Gossage, Jonathan, Shaath, Kamel
Primary Examiner(s)
Nguyen, Hiep T

Application Number

US11/482,115
Publication Number

US 20070094471A1
Time in Patent Office

1,047 Days
Field of Search

711/163
US Class Current

711/163
CPC Class Codes

G06F 12/1466   Key-lock mechanism

G06F 21/6227   where protection concerns t...

G06F 2221/2141   Access rights, e.g. capabil...

Method and system for providing restricted access to a storage medium

First Claim

2 Assignments

Litigations

2 Petitions

Accused Products

Abstract

Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for providing restricted access to a storage medium

First Claim

2 Assignments

Subscription Required

Subscription Required

Litigations

2 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links