Associating security information with information objects

US 7,975,295 B2
Filed: 05/30/2008
Issued: 07/05/2011
Est. Priority Date: 12/15/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A method, in a data processing system, for authorizing information flows between devices of the data processing system, the method comprising:

receiving a request for authorization of an information flow involving an information object from a first device to a second device;

retrieving contents of the information object from the first device;

generating a hash key based on the contents of the information object;

performing a lookup operation in a hash table based on the hash key to identify a labelset associated with the information object;

determining if an entry in the hash table at an index corresponding to the hash key identifies a labelset for the information object;

storing a labelset, identifying a sensitivity of the information object, in the entry at the index corresponding to the hash key for the information object if a labelset for the information object is not identified in the entry in the hash table;

performing at least one set theory operation on the labelset associated with the information object, a labelset associated with the first device, and a labelset associated with the second device; and

authorizing the information flow based on the at least one set theory operation.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A hash key is generated based on an information object and a lookup operation is performed in a hash table based on the hash key. A determination is made whether an entry in the hash table at an index corresponding to the hash key identifies a labelset for the information object. A labelset, identifying a sensitivity of the information object, is stored in the entry at the index corresponding to the hash key for the information object if a labelset for the information object is not identified in the entry in the hash table. Information flows involving the information object are authorized based on a lookup of the labelset associated with the information object in the hash table. The hash table may be a multidimensional hash table.

43 Citations

View as Search Results

25 Claims

1. A method, in a data processing system, for authorizing information flows between devices of the data processing system, the method comprising:
- receiving a request for authorization of an information flow involving an information object from a first device to a second device;
  
  retrieving contents of the information object from the first device;
  
  generating a hash key based on the contents of the information object;
  
  performing a lookup operation in a hash table based on the hash key to identify a labelset associated with the information object;
  
  determining if an entry in the hash table at an index corresponding to the hash key identifies a labelset for the information object;
  
  storing a labelset, identifying a sensitivity of the information object, in the entry at the index corresponding to the hash key for the information object if a labelset for the information object is not identified in the entry in the hash table;
  
  performing at least one set theory operation on the labelset associated with the information object, a labelset associated with the first device, and a labelset associated with the second device; and
  
  authorizing the information flow based on the at least one set theory operation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the hash table is a multidimensional hash table and the hash key comprises a plurality of hash keys generated by a plurality of hash functions, at least one hash function and hash key for each dimension of the multidimensional hash table.
  - 3. The method of claim 1, wherein the hash table is stored in a trusted computing base which is separate from a source of the information object.
  - 4. The method of claim 1, wherein storing a labelset, identifying a sensitivity of the information object, in the entry at the index corresponding to the hash key for the information object comprises storing a labelset associated with a source of the information object in the entry in association with the information object.
  - 5. The method of claim 1, wherein the labelset comprises a labellist element providing one or more labels of the labelset.
  - 6. The method of claim 5, wherein the labels in the labellist are composed of a policy type and a value, wherein the policy type identifies a security policy to be applied to the labelset and the value identifies a value to be used in evaluating the security policy identified by the policy type.
  - 7. The method of claim 5, wherein each labelset further comprises a version element indicating a version of the labelset and a count element indicating a number of labels included in the labelset.
  - 8. The method of claim 1, wherein the hash key is generated using at least one hash function on content of the information object.
  - 9. The method of claim 1, wherein the information object is a computer file.

10. A non-transitory computer program product comprising a computer readable storage medium including a computer readable program, wherein the computer readable program, when executed on a computing device, causes the computing device to:
- receive a request for authorization of an information flow involving an information object from a first device to a second device;
  
  retrieve contents of the information object from the first device;
  
  generate a hash key based on the contents of the information object;
  
  perform a lookup operation in a hash table based on the hash key to identify a labelset associated with the information object;
  
  determine if an entry in the hash table at an index corresponding to the hash key identifies a labelset for the information object;
  
  store a labelset, identifying a sensitivity of the information object, in the entry at the index corresponding to the hash key for the information object if a labelset for the information object is not identified in the entry in the hash table;
  
  perform at least one set theory operation on the labelset associated with the information object, a labelset associated with the first device, and a labelset associated with the second device; and
  
  authorize the information flow based on the at least one set theory operation.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The computer program product of claim 10, wherein the hash table is stored in a trusted computing base which is separate from a source of the information object.
  - 12. The computer program product of claim 10, wherein the computer readable program causes the computing device to store a labelset in the entry at the index corresponding to the hash key for the information object by storing a labelset associated with a source of the information object in the entry in association with the information object.
  - 13. The computer program product of claim 10, wherein the hash table is a multidimensional hash table and the hash key comprises a plurality of hash keys generated by a plurality of hash functions, at least one hash function and hash key for each dimension of the multidimensional hash table.
  - 14. The computer program product of claim 10, wherein the hash key is generated using at least one hash function on content of the information object.
  - 15. The computer program product of claim 10, wherein the information object is a computer file.
  - 16. The computer program product of claim 10, wherein the labelset comprises a labellist element providing one or more labels of the labelset.
  - 17. The computer program product of claim 10, wherein the labels in the labellist are composed of a policy type and a value, wherein the policy type identifies a security policy to be applied to the labelset and the value identifies a value to be used in evaluating the security policy identified by the policy type.
  - 18. The computer program product of claim 10, wherein each labelset further comprises a version element indicating a version of the labelset and a count element indicating a number of labels included in the labelset.

19. An apparatus for authorizing information flows between devices of the data processing system, the method comprising:
- an information flow mediator; and
  
  a labelset storage device coupled to the information flow mediator, wherein the information flow mediator;
  
  receives a request for authorization of an information flow involving the information object from a first device to a second device,retrieves contents of the information object from the first device,generates a hash key based on the contents of the information object,performs a lookup operation in a hash table stored in the labelset storage device based on the hash key to identify a labelset associated with the information object,determines if an entry in the hash table at an index corresponding to the hash key identifies a labelset for the information object,stores a labelset, identifying a sensitivity of the information object, in the entry at the index corresponding to the hash key for the information object if a labelset for the information object is not identified in the entry in the hash table,performs at least one set theory operation on the labelset associated with the information object, a labelset associated with the first device, and a labelset associated with the second device, andauthorizes the information flow based on the at least one set theory operation.
- View Dependent Claims (20, 21, 22)
- - 20. The apparatus of claim 19, wherein the hash table is a multidimensional hash table and the hash key comprises a plurality of hash keys generated by a plurality of hash functions, at least one hash function and hash key for each dimension of the multidimensional hash table.
  - 21. The apparatus of claim 19, wherein the hash table is stored in a trusted computing base which is separate from a source of the information object.
  - 22. The apparatus of claim 19, wherein the information flow mediator stores a labelset in the entry at the index corresponding to the hash key for the information object by storing a labelset associated with a source of the information object in the entry in association with the information object.

23. A data processing system for authorizing information flows between devices, comprising:
- a first computing device in a first partition of the data processing system, wherein the first computing device has a source element for communicating information to a target element;
  
  a second computing device in a second partition of the data processing system, wherein the second computing device has the target element; and
  
  a reference monitor, coupled to the first computing device and the second computing device, that monitors information flows between the first partition and the second partition, wherein the reference monitor;
  
  receives a request for authorization of an information flow involving the information object from a first device to a second device,retrieves contents of the information object from the first device,generates a hash key based on the contents of the information object,performs a lookup operation in a hash table based on the hash key to identify a labelset associated with the information object,determines if an entry in the hash table at an index corresponding to the hash key identifies a labelset for the information object,stores a labelset, identifying a sensitivity of the information object, in the entry at the index corresponding to the hash key for the information object if a labelset for the information object is not identified in the entry in the hash table,performs at least one set theory ration on the labelset associated with the information object, a labelset associated with the first device, and a labelset associated with the second device, andauthorizes the information flow based on the at least one set theory operation.
- View Dependent Claims (24)
- - 24. The data processing system of claim 23, wherein the reference monitor comprises:
    - a communication manager having a listener for listening for information flow requests from elements of the data processing system;
      
      an information flow mediator coupled to the communication manager for determining whether an information flow is to be authorized or denied;
      
      a security data structure storage device coupled to the information flow mediator that stores security information for elements of the data processing system; and
      
      a security policy framework coupled to the information flow mediator for applying one or more security policies to security information for elements of the data processing system.

25. A computing device, comprising:
- a processor; and
  
  a memory, wherein the memory contains instructions which, when executed by the processor, cause the processor to;
  
  receive a request for authorization of an information flow involving the information object from a first device to a second device;
  
  retrieve contents of the information object from the first device;
  
  generate a hash key based on the contents of the information object;
  
  perform a lookup operation in a hash table based on the hash key to identify a labelset associated with the information object;
  
  determine if an entry in the hash table at an index corresponding to the hash key identifies a labelset for the information object;
  
  store a labelset, identifying a sensitivity of the information object, in the entry at the index corresponding to the hash key for the information object if a labelset for the information object is not identified in the entry in the hash table;
  
  perform at least one set theory operation on the labelset associated with the information object, a labelset associated with the first device, and a labelset associated with the second device; and
  
  authorize the information flow based on the at least one set theory operation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Blakley, George R. III, Simon, Kimberly D., Arroyo, Diana J., Muppidi, Sridhar R., Jamsek, Damir A., Williams, Ronald B.
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
YALEW, FIKREMARIAM A

Application Number

US12/130,027
Publication Number

US 20080229412A1
Time in Patent Office

1,131 Days
Field of Search

None
US Class Current

726/21
CPC Class Codes

G06F 21/6218 to a system of files or obj...

Associating security information with information objects

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

43 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Associating security information with information objects

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

43 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links