Program-based authorization
First Claim
1. A method, comprising:
- intercepting a file system action attempt, which is associated with an action by a process relating to a file in a computer system;
- determining a program file that attempts the file system action, wherein the determining comprises:
  - identifying a process context of the process; and
  - associating the process context with the program file, the associating comprising:
    - placing hooks in a process creation code path and a process termination code path;
    - creating an entry in a data structure when the process starts executing a code represented by the program file, wherein the entry is deleted when the process stops executing the code, wherein the entry includes associations between the process context and a file handle of the program file; and
    - determining the program file associated with the process context from the entry in the data structure;
- allowing the action to proceed if it is authorized by an authorization policy; and
- blocking the action when it is not authorized by the authorization policy and when the computer system is operating in a first mode, wherein the computer system includes a second mode that is configured to allow the action when it is not authorized according to the authorization policy.
Abstract
Techniques which allow definition and enforcement of program-based action authorization policies. On a computer, an action or execution attempt is intercepted in real-time. The subject process, the program file of the subject process, the attempted action and the object of the attempted action are determined. An authorization policy considering the program file indicates whether the attempted action is authorized or not. In a tracking mode, the attempted action and its authorization are logged and the attempted action is allowed to proceed. In an enforcement mode, unauthorized attempts are blocked and logged, thereby enforcing the authorization policy.
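The mechanism in the abstract, as an added user-space model that is not code from the patent or from any product: creation and termination hooks maintain the process-context-to-program-file table, an intercepted file system action is attributed to its program file through that table and checked against a program-based policy, and the tracking and enforcement modes differ only in whether an unauthorized attempt is blocked. All process ids, file paths and policy rules are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    TRACKING = "tracking"        # log the decision, always let the action proceed
    ENFORCEMENT = "enforcement"  # log the decision, block unauthorized actions


@dataclass
class Monitor:
    # policy: program file -> set of (action, object file) it is authorized for
    policy: dict
    mode: Mode = Mode.TRACKING
    # the claimed data structure: process context (pid) -> program file handle
    table: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def on_process_create(self, pid: int, program_file: str) -> None:
        """Hook in the process creation code path: add the table entry."""
        self.table[pid] = program_file

    def on_process_exit(self, pid: int) -> None:
        """Hook in the process termination code path: delete the table entry."""
        self.table.pop(pid, None)

    def intercept(self, pid: int, action: str, target: str) -> bool:
        """Interception point for a file system action attempt.
        Returns True if the action may proceed, False if it is blocked."""
        program = self.table.get(pid)  # determine the program file from the context
        # a process with no table entry has no program file and is never authorized
        authorized = (action, target) in self.policy.get(program, set())
        proceed = authorized or self.mode is Mode.TRACKING
        self.log.append((pid, program, action, target, authorized, proceed))
        return proceed


def demo(mode: Mode) -> list:
    """Constructed scenario: an editor may write one file, a dropper may not."""
    policy = {"/usr/bin/editor": {("write", "/home/u/notes.txt")}}
    m = Monitor(policy, mode)
    m.on_process_create(101, "/usr/bin/editor")
    m.on_process_create(102, "/tmp/dropper")
    r1 = m.intercept(101, "write", "/home/u/notes.txt")  # authorized
    r2 = m.intercept(102, "write", "/home/u/notes.txt")  # not authorized
    m.on_process_exit(101)
    r3 = m.intercept(101, "write", "/home/u/notes.txt")  # stale pid, entry deleted
    return [r1, r2, r3]
```

In tracking mode every attempt proceeds but the log still records which ones the policy would have rejected, which is what makes that mode usable for building the policy before switching to enforcement.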
20 Claims
1. A method, comprising the steps set out under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. Logic encoded in non-transitory tangible media that includes code for execution and when executed by a processor is operable to perform operations comprising:
- intercepting a file system action attempt, which is associated with an action by a process relating to a file in a computer system;
- determining a program file that attempts the file system action, wherein the determining comprises:
  - identifying a process context of the process; and
  - associating the process context with the program file, the associating comprising:
    - placing hooks in a process creation code path and a process termination code path;
    - creating an entry in a data structure when the process starts executing a code represented by the program file, wherein the entry is deleted when the process stops executing the code, wherein the entry includes associations between the process context and a file handle of the program file; and
    - determining the program file associated with the process context from the entry in the data structure;
- allowing the action to proceed if it is authorized by an authorization policy; and
- blocking the action when it is not authorized by the authorization policy and when the computer system is operating in a first mode, wherein the computer system includes a second mode that is configured to allow the action when it is not authorized according to the authorization policy.
Dependent claims: 10, 11, 12, 13, 14
15. A computer system, comprising:
- a processor; and
- a memory, wherein the computer system is configured for:
  - intercepting a file system action attempt, which is associated with an action by a process relating to a file in a computer system;
  - determining a program file that attempts the file system action, wherein the determining comprises:
    - identifying a process context of the process; and
    - associating the process context with the program file, the associating comprising:
      - placing hooks in a process creation code path and a process termination code path;
      - creating an entry in a data structure when the process starts executing a code represented by the program file, wherein the entry is deleted when the process stops executing the code, wherein the entry includes associations between the process context and a file handle of the program file; and
      - determining the program file associated with the process context from the entry in the data structure;
  - allowing the action to proceed if it is authorized by an authorization policy; and
  - blocking the action when it is not authorized by the authorization policy and when the computer system is operating in a first mode, wherein the computer system includes a second mode that is configured to allow the action when it is not authorized according to the authorization policy.
Dependent claims: 16, 17, 18, 19, 20
Specification