Associating security information with information objects
First Claim
1. A method, in a data processing system, for authorizing information flows between devices of the data processing system, the method comprising:
- receiving a request for authorization of an information flow involving an information object from a first device to a second device;
retrieving contents of the information object from the first device;
generating a hash key based on the contents of the information object;
performing a lookup operation in a hash table based on the hash key to identify a labelset associated with the information object;
determining if an entry in the hash table at an index corresponding to the hash key identifies a labelset for the information object;
storing a labelset, identifying a sensitivity of the information object, in the entry at the index corresponding to the hash key for the information object if a labelset for the information object is not identified in the entry in the hash table;
performing at least one set theory operation on the labelset associated with the information object, a labelset associated with the first device, and a labelset associated with the second device; and
authorizing the information flow based on the at least one set theory operation.
0 Assignments
0 Petitions
Accused Products
Abstract
A hash key is generated based on an information object and a lookup operation is performed in a hash table based on the hash key. A determination is made whether an entry in the hash table at an index corresponding to the hash key identifies a labelset for the information object. A labelset, identifying a sensitivity of the information object, is stored in the entry at the index corresponding to the hash key for the information object if a labelset for the information object is not identified in the entry in the hash table. Information flows involving the information object are authorized based on a lookup of the labelset associated with the information object in the hash table. The hash table may be a multidimensional hash table.
43 Citations
25 Claims
-
1. A method, in a data processing system, for authorizing information flows between devices of the data processing system, the method comprising:
-
receiving a request for authorization of an information flow involving an information object from a first device to a second device; retrieving contents of the information object from the first device; generating a hash key based on the contents of the information object; performing a lookup operation in a hash table based on the hash key to identify a labelset associated with the information object; determining if an entry in the hash table at an index corresponding to the hash key identifies a labelset for the information object; storing a labelset, identifying a sensitivity of the information object, in the entry at the index corresponding to the hash key for the information object if a labelset for the information object is not identified in the entry in the hash table; performing at least one set theory operation on the labelset associated with the information object, a labelset associated with the first device, and a labelset associated with the second device; and authorizing the information flow based on the at least one set theory operation. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. A non-transitory computer program product comprising a computer readable storage medium including a computer readable program, wherein the computer readable program, when executed on a computing device, causes the computing device to:
-
receive a request for authorization of an information flow involving an information object from a first device to a second device; retrieve contents of the information object from the first device; generate a hash key based on the contents of the information object; perform a lookup operation in a hash table based on the hash key to identify a labelset associated with the information object; determine if an entry in the hash table at an index corresponding to the hash key identifies a labelset for the information object; store a labelset, identifying a sensitivity of the information object, in the entry at the index corresponding to the hash key for the information object if a labelset for the information object is not identified in the entry in the hash table; perform at least one set theory operation on the labelset associated with the information object, a labelset associated with the first device, and a labelset associated with the second device; and authorize the information flow based on the at least one set theory operation. - View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
-
-
19. An apparatus for authorizing information flows between devices of the data processing system, the method comprising:
-
an information flow mediator; and a labelset storage device coupled to the information flow mediator, wherein the information flow mediator; receives a request for authorization of an information flow involving the information object from a first device to a second device, retrieves contents of the information object from the first device, generates a hash key based on the contents of the information object, performs a lookup operation in a hash table stored in the labelset storage device based on the hash key to identify a labelset associated with the information object, determines if an entry in the hash table at an index corresponding to the hash key identifies a labelset for the information object, stores a labelset, identifying a sensitivity of the information object, in the entry at the index corresponding to the hash key for the information object if a labelset for the information object is not identified in the entry in the hash table, performs at least one set theory operation on the labelset associated with the information object, a labelset associated with the first device, and a labelset associated with the second device, and authorizes the information flow based on the at least one set theory operation. - View Dependent Claims (20, 21, 22)
-
-
23. A data processing system for authorizing information flows between devices, comprising:
-
a first computing device in a first partition of the data processing system, wherein the first computing device has a source element for communicating information to a target element; a second computing device in a second partition of the data processing system, wherein the second computing device has the target element; and a reference monitor, coupled to the first computing device and the second computing device, that monitors information flows between the first partition and the second partition, wherein the reference monitor; receives a request for authorization of an information flow involving the information object from a first device to a second device, retrieves contents of the information object from the first device, generates a hash key based on the contents of the information object, performs a lookup operation in a hash table based on the hash key to identify a labelset associated with the information object, determines if an entry in the hash table at an index corresponding to the hash key identifies a labelset for the information object, stores a labelset, identifying a sensitivity of the information object, in the entry at the index corresponding to the hash key for the information object if a labelset for the information object is not identified in the entry in the hash table, performs at least one set theory ration on the labelset associated with the information object, a labelset associated with the first device, and a labelset associated with the second device, and authorizes the information flow based on the at least one set theory operation. - View Dependent Claims (24)
-
-
25. A computing device, comprising:
-
a processor; and a memory, wherein the memory contains instructions which, when executed by the processor, cause the processor to; receive a request for authorization of an information flow involving the information object from a first device to a second device; retrieve contents of the information object from the first device; generate a hash key based on the contents of the information object; perform a lookup operation in a hash table based on the hash key to identify a labelset associated with the information object; determine if an entry in the hash table at an index corresponding to the hash key identifies a labelset for the information object; store a labelset, identifying a sensitivity of the information object, in the entry at the index corresponding to the hash key for the information object if a labelset for the information object is not identified in the entry in the hash table; perform at least one set theory operation on the labelset associated with the information object, a labelset associated with the first device, and a labelset associated with the second device; and authorize the information flow based on the at least one set theory operation.
-
Specification