Bubble-protected system for automatic decryption of file data on a per-use basis and automatic re-encryption
Abstract
A machine system includes bubble protection for protecting the information of certain classes of files from unauthorized access by way of unauthorized classes of programs at unauthorized periods of time. The machine system additionally may have On-The-Fly (OTF) mechanisms for automatic decryption of confidential file data on a per-use basis and automatic later elimination of the decrypted data by scorching and/or re-encrypting. The system can operate within a multi-threaded environment. The machine system additionally may have a digital signature mechanism for protecting file data from unauthorized tampering. The machine system additionally may have a volume-encryption mechanism for protecting plaintext versions of file data from exposure in events of power outages.
42 Claims
1. A machine system for protecting information from unauthorized access by way of unauthorized programs, said machine system comprising:
(a) data-providing means for providing data of an identified one of two or more digital data files, where each of said files is identifiable by a file name;
(b) an interceptable access mechanism through which data of an identified file of the data-providing means is accessed by identifiable, requesting programs;
(c) bubble-control means coupled to intercept data access attempts made through said interceptable access mechanism by said identifiable, requesting programs,
(c.1) wherein the bubble-control means includes deny/approve means, which if active, is provided for testing all the intercepted data access attempts and responsively denying or approving data access to the data of a pre-classified subset of said files based on one or both of the identity of one or more access-attempting programs and the time of the access attempt, wherein at least one pre-classified subset of said files has plural files, wherein the deny/approve means further includes;
list searching means for searching one or more bubble lists, where the bubble lists define a deny or approve decision based on the satisfaction of one or more pre-defined first conditions by the identities of one or more programs that caused the data access attempt and the satisfaction of one or more pre-defined second conditions by the identity of the requested data file, wherein the bubble lists include one or more linked trunk_lists, wherein each linked trunk_list has one or more target-query blocks and an end-of-trunk_list marker, wherein each target-query block includes a file-name definition and each target-query block is associated with a corresponding one or more causation-query blocks that each defines a respective query for a cause of the attempted access to the data of a requested data file, wherein each target-query block points to a corresponding causation-query branch list, wherein each causation-query branch list has one or more causation-query blocks and an end-of-branch list marker, wherein each causation-query block has a program-name definition and wherein the list searching means comprises;
causation-query branch list following means for searching along one or more of the linked causation-query branch lists for a causation-query block having a program-name definition satisfied by the identities of the one or more programs that caused the data access attempt, and wherein the list searching means comprises;
linked-trunk_list following means for searching along one or more of the linked trunk_lists for a target-query block having a file-name definition satisfied by the identity of the requested data file.
Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 30, 31, 32, 33)
12. For use in a machine system having a data-providing means that provides data of an identified one of plural digital data files, where each of said files is identifiable by a file name, a machine-implemented method for protecting the information of said files from unauthorized access by way of unauthorized ones of identifiable programs, said method comprising the steps of:
(a) intercepting data access attempts made by access requesting programs for data in an identified one of said files;
(b) first testing each intercepted data access attempt for satisfaction of a first predefined, classifying condition that classifies one or both of the identity of one or more of the access requesting programs and the time of the access request;
(c) second testing each intercepted data access attempt for satisfaction of a second predefined, classifying condition that classifies the identity of the requested file, wherein at least one said second predefined, classifying condition classifies the identities of plural ones of the digital data files, wherein the second testing further comprises searching one or more bubble lists, where the bubble lists define a deny or approve decision based on the satisfaction of one or more pre-defined first conditions by the identities of one or more programs that caused the data access attempt and the satisfaction of one or more pre-defined second conditions by the identity of the requested file, wherein the bubble lists include one or more linked trunk_lists, wherein each linked trunk_list has one or more target-query blocks and an end-of-trunk_list marker, wherein each target-query block includes a file-name definition and each target-query block is associated with a corresponding one or more causation-query blocks that each defines a respective query for a cause of the attempted access to the data of a requested file, wherein each target-query block points to a corresponding causation-query branch list, wherein each causation-query branch list has one or more causation-query blocks and an end-of-branch list marker, wherein each causation-query block has a program-name definition and wherein the second testing further comprises; searching along one or more of the linked causation-query branch lists for a causation-query block having a program-name definition satisfied by the identities of the one or more programs that caused the data access attempt, and wherein the second testing further comprises searching along one or more of the linked trunk_lists for a target-query block having a file-name definition satisfied by the identity of the requested file; and
(d) in response to said first and second testing steps, denying or approving access to the data of the requested file.
Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
24. An instruction conveying apparatus for operatively instructing a predefined, instructable machine to carry out bubble protection actions, said bubble protection actions comprising:
(a) intercepting a data access request caused by one or more causation-sourcing events for access to targeted data having a unique identity;
(b) first testing the identity of the targeted data for satisfaction of a predefined target classifying condition, wherein at least one predefined target classifying condition covers plural ones of said targeted data that have corresponding, unique identities, wherein the first testing further comprises searching one or more bubble lists, where the bubble lists define a deny or approve decision based on the satisfaction of one or more pre-defined first conditions by the identities of one or more programs that caused the data access attempt and the satisfaction of one or more pre-defined second conditions by the identity of the requested file, wherein the bubble lists include one or more linked trunk_lists, wherein each linked trunk_list has one or more target-query blocks and an end-of-trunk_list marker, wherein each target-query block includes a file-name definition and each target-query block is associated with a corresponding one or more causation-query blocks that each defines a respective query for a cause of the attempted access to the data of a requested file, wherein each target-query block points to a corresponding causation-query branch list, wherein each causation-query branch list has one or more causation-query blocks and an end-of-branch list marker, wherein each causation-query block has a program-name definition, and wherein the first testing further comprises searching along one or more of the linked trunk_lists for a target-query block having a file-name definition satisfied by the identity of the requested file;
(c) second testing at least one of the identity of the one or more causation sourcing events or the locations of the one or more causation-sourcing events or the timing of the corresponding data access request for satisfaction of a predefined causation classifying condition, wherein the second testing further comprises; searching along one or more of the linked causation-query branch lists for a causation-query block having a program-name definition satisfied by the identities of the one or more programs that caused the data access attempt; and
(d) in response to said first and second testings, approving or denying the intercepted data access request.
Dependent Claims (25, 26, 27, 28, 29)
34. A machine system for protecting in-file information from unauthorized access through unauthorized entities making access-opening attempts at potentially unauthorized times and/or from potentially unauthorized locations, said machine system comprising:
(a) data-providing means for providing data of an identified one of plural digital data files, where each of said files is identifiable by a unique file pathname;
(b) system memory into which executable code can be stored;
(c) an interceptable, data-access providing mechanism through which data of identified files of the data-providing means can be opened for access by data-requesting programs;
(c) bubble-control means coupled to intercept file-opening attempts made through said interceptable access mechanism by said data-requesting programs,
(c.1) wherein the bubble-control means includes deny/approve means, which if active, is provided at least partially within said system memory and is used for testing all the intercepted file-opening attempts and responsively denying or approving opening of access to the data of a predefined one or more classes of said files based on membership of the identified files in one predefined classes of files and further based on one or more of;
(c.1a) the identity of one or more programs that are directly or indirectly responsible for the making of the access-attempt;
(c.1b) the origination time of the access attempt;
(c.1c) the respective geographic execution locations of one or more programs which are directly or indirectly causing the making of the access-attempt;
(c.1d) the respective serial numbers of one or more machines executing one or more of the programs which are directly or indirectly causing the making of the access-attempt; and
(c.1e) the respective names of one or more machines executing one or more of the programs which are directly or indirectly causing the making of the access-attempt;
wherein at least one said predefined classes of files has plural members, wherein the deny/approve means further includes;
list searching means for searching one or more bubble lists, where the bubble lists define a deny or approve decision based on the satisfaction of one or more pre-defined first conditions by the identities of one or more programs that caused the data access attempt and the satisfaction of one or more pre-defined second conditions by the identity of the requested data file, wherein the bubble lists include one or more linked trunk_lists, wherein each linked trunk_list has one or more target-query blocks and an end-of-trunk_list marker, wherein each target-query block includes a file-name definition and each target-query block is associated with a corresponding one or more causation-query blocks that each defines a respective query for a cause of the attempted access to the data of a requested data file, wherein each target-query block points to a corresponding causation-query branch list, wherein each causation-query branch list has one or more causation-query blocks and an end-of-branch list marker, wherein each causation-query block has a program-name definition and wherein the list searching means comprises;
causation-query branch list following means for searching along one or more of the linked causation-query branch lists for a causation-query block having a program-name definition satisfied by the identities of the one or more programs that caused the data access attempt, and wherein the list searching means comprises;
linked-trunk_list following means for searching along one or more of the linked trunk_lists for a target-query block having a file-name definition satisfied by the identity of the requested data file.
Dependent Claims (35, 36, 37, 38, 39, 40, 41, 42)
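The bubble-list search recited in independent claims 1, 12, 24 and 34 (a trunk list of target-query blocks, each pointing to a branch list of causation-query blocks) can be illustrated in C. This is an added example, not code from the patent. The type and function names, the trailing-`*` matching rule, the hour window, the sentinel-terminated arrays standing in for the linked lists, and the rule that every program in the causation chain must be approved are all assumptions.

```c
#include <stddef.h>
#include <string.h>

typedef enum { DENY = 0, APPROVE = 1 } decision_t;

/* Causation-query block: program-name definition plus an allowed hour window. */
typedef struct {
    const char *program;      /* NULL = end-of-branch-list marker */
    int hour_from, hour_to;   /* allowed when hour_from <= hour < hour_to */
} causation_block;

/* Target-query block: file-name definition pointing at its branch list. */
typedef struct {
    const char *file;         /* NULL = end-of-trunk_list marker */
    const causation_block *branch;
} target_block;

/* Definition ending in '*' matches by prefix, else exactly (names assumed canonical). */
static int name_matches(const char *def, const char *name) {
    size_t n = strlen(def);
    if (n > 0 && def[n - 1] == '*') return strncmp(def, name, n - 1) == 0;
    return strcmp(def, name) == 0;
}

/* Follow one branch list: is this program allowed at this hour? */
static int branch_allows(const causation_block *b, const char *prog, int hour) {
    for (; b->program != NULL; b++)
        if (name_matches(b->program, prog) && hour >= b->hour_from && hour < b->hour_to)
            return 1;
    return 0;
}

/* Follow the trunk list; chain[] names every program that caused the attempt. */
decision_t bubble_check(const target_block *trunk, const char *file,
                        const char *const *chain, size_t nchain, int hour) {
    for (const target_block *t = trunk; t->file != NULL; t++) {
        if (!name_matches(t->file, file)) continue;
        if (nchain == 0) return DENY;            /* unknown cause: fail closed */
        for (size_t i = 0; i < nchain; i++)
            if (!branch_allows(t->branch, chain[i], hour)) return DENY;
        return APPROVE;                          /* first matching target decides */
    }
    return APPROVE;                              /* file is outside every bubble */
}

/* Constructed sample policy: one bubble around /data/payroll/. */
static const causation_block payroll_branch[] = {
    {"/usr/bin/payroll", 8, 18}, {"/bin/sh", 0, 24}, {NULL, 0, 0}};
static const target_block sample_trunk[] = {
    {"/data/payroll/*", payroll_branch}, {NULL, NULL}};
```

Because the file-name definition is compared as a string prefix, the check is only as strong as the canonicalization done before it: a path that reaches the protected file through `..` or a link would fall outside the bubble and be approved.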
Specification