Security model for common multiplexed transactional logs
First Claim
1. A computer-implemented method for facilitating security for one or more log files in a multiplexed physical log that is commonly shared among log clients and implemented using stable storage, the method comprising the steps of:
- establishing a protected subsystem in which file system operations are exclusively delegated to a machine-wide principal that accesses container files in an underlying secure file system used to back the commonly shared multiplexed physical log so that operations on the container files are segregated from operations on the one or more log files, a cryptographically-secure signature being associated with each of the one or more log files and each of the container files, the cryptographically-secure signature being arranged to protect log file metadata, the log file metadata including a container list;
- implementing a set of rules applicable to the container files in the secure file system, the rules including a first rule specifying that the container files are created, opened and owned by the machine-wide principal that is provided with exclusive read/write and control access to the container files, a second rule specifying that a principal in an administrative group owns the container files but has no permission to delete the container files, or access data within the container files, a third rule specifying that a principal that owns a real log file has permission to read and delete container files underlying the real log file;
- providing, to log clients, a user-mode interface and a kernel-mode interface to the protected subsystem, the interfaces being arranged for enabling the log clients to make I/O requests in one or more virtual log streams to the one or more log files in the commonly shared multiplexed physical log through the principal;
- reserving an individual marshalling area for each of the virtual log streams, each of the individual marshalling areas having a unique address space in volatile memory and being configured to buffer log records written by a log client to a virtual log stream prior to being flushed to the commonly shared multiplexed physical log and to buffer log records read by a log client from the virtual log stream, the protected subsystem including a common log file system (CLFS) driver intercepting the I/O requests from the log clients to the underlying secure file system, the CLFS driver having associated therewith user-mode application programming interfaces (APIs) and kernel-mode APIs that provide the marshalling areas to the log clients;
- maintaining security semantics on a per-virtual log stream basis so that each virtual log stream is abstracted to a respective log client to appear as being stored in a dedicated log; and
- consolidating the I/O requests in the virtual log streams through the interface to the commonly shared multiplexed physical log in the underlying secure file system.
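To make the three container-file rules and the signature-protected container list concrete, the following Python model is an added example, not code from the patent or from the CLFS implementation; the principal name MachinePrincipal, the group name Administrators, the use of HMAC-SHA256 as the cryptographically-secure signature, and the sample log are assumptions.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Assumed names for the two special principals named in the claim.
MACHINE_PRINCIPAL = "MachinePrincipal"
ADMIN_GROUP = "Administrators"

@dataclass
class Principal:
    name: str
    groups: frozenset = frozenset()

@dataclass
class PhysicalLog:
    """A real (multiplexed physical) log and its signature-protected metadata."""
    owner: str            # principal owning the real log file (rule 3)
    containers: list      # container list, part of the protected metadata
    key: bytes            # constructed key held only by the protected subsystem
    sig: bytes = b""

    def _mac(self) -> bytes:
        # HMAC-SHA256 stands in for the claim's cryptographically-secure signature.
        data = json.dumps(self.containers, sort_keys=True).encode()
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def sign(self) -> None:
        self.sig = self._mac()

    def verify(self) -> bool:
        return hmac.compare_digest(self._mac(), self.sig)

def container_access(p: Principal, op: str, log: PhysicalLog) -> bool:
    """Decide whether principal `p` may perform `op` on a container file of `log`.

    `op` is one of 'read', 'write', 'control', 'delete'. The branches encode
    the three rules of claim 1; anything not explicitly granted is denied.
    """
    if p.name == MACHINE_PRINCIPAL:
        return op in ("read", "write", "control")   # rule 1: exclusive r/w and control
    if p.name == log.owner:
        return op in ("read", "delete")             # rule 3: owner of the real log file
    if ADMIN_GROUP in p.groups:
        return False    # rule 2: owns the file but may neither delete it nor read its data
    return False        # any other log client goes through the principal, never directly
```

Editing the container list without the subsystem's key invalidates the signature, which is the property the claim relies on to keep one virtual log's metadata safe from another client.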
Abstract
A security model is provided in a transactional logging infrastructure that is arranged as a protected subsystem built on an underlying secure file system. Files in the underlying file system used by virtual log streams are protected from direct user writes, and are written to only through the protected subsystem, which is brokered by a machine-wide principal, so that virtual log files sharing the same multiplexed physical log are kept secure from each other. Log file handles and user- and kernel-mode objects are exposed to log clients through interfaces using consistent security semantics for both dedicated and virtual logs. Log clients are agnostic of the underlying secure file system and can only manipulate file system containers—abstract objects that implement the physical log and are used to virtualize the file system by normalizing input/output operations—by using the interfaces brokered by the principal in the protected subsystem.
45 Citations
11 Claims
Specification