Secure gateway communication systems and methods

US 10,361,998 B2
Filed: 08/30/2017
Issued: 07/23/2019
Est. Priority Date: 06/30/2015
Status: Active Grant

First Claim

Patent Images

1. A security system comprising:

a microkernel configured to provide a gateway for communication between a first entity and a second entity, wherein the first entity and second entity are configured to initiate actions subject to monitoring, and wherein the microkernel is further configured to intercept an action along the gateway between the first entity and the second entity;

computing hardware, including at least one processor, a data store, and input/output facilities interfaced with the at least one processor, the data store including a security subsystem executable by the at least one processor, that, when executed, causes the computing hardware to implement;

a security server engine configured to check whether the action is permissible by computing a verdict based on a plurality of policies, wherein the security server is unable to apply the verdict, and wherein each of the plurality of policies are defined by a conjunction of at least a first predefined access mechanism and a second predefined access mechanism;

a first gateway associated with the first entity and configured to apply a first verdict to the first entity; and

a second gateway associated with the second entity and configured to apply a second verdict to the second entity,wherein the first gateway and the second gateway are configured according to a system-level configuration applicable to both the first entity and the second entity, and a reflection configuration specific to the one of the first entity or the second entity, wherein the reflection configuration maps a plurality of entity actions to a security policy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer security architecture applies selected rules from among a set of rules defining one or more security policies to a given set of security context parameters to produce security verdicts, each representing whether a certain action requested by a subject entity is permissible. Each security policy is associated with a corresponding communication interface. A plurality of gateway engines are each associated with at least one of the subject entities and dedicated to interfacing with the security server. Each of the gateway engines carries out monitoring of requested actions by the associated subject entity and, for each requested action, identifies a security context. A security policy is determined for the requested action based on a corresponding security context, and a security verdict is obtained via a communication interface corresponding to the applicable security policy.

25 Citations

19 Claims

1. A security system comprising:
- a microkernel configured to provide a gateway for communication between a first entity and a second entity, wherein the first entity and second entity are configured to initiate actions subject to monitoring, and wherein the microkernel is further configured to intercept an action along the gateway between the first entity and the second entity;
  
  computing hardware, including at least one processor, a data store, and input/output facilities interfaced with the at least one processor, the data store including a security subsystem executable by the at least one processor, that, when executed, causes the computing hardware to implement;
  
  a security server engine configured to check whether the action is permissible by computing a verdict based on a plurality of policies, wherein the security server is unable to apply the verdict, and wherein each of the plurality of policies are defined by a conjunction of at least a first predefined access mechanism and a second predefined access mechanism;
  
  a first gateway associated with the first entity and configured to apply a first verdict to the first entity; and
  
  a second gateway associated with the second entity and configured to apply a second verdict to the second entity,wherein the first gateway and the second gateway are configured according to a system-level configuration applicable to both the first entity and the second entity, and a reflection configuration specific to the one of the first entity or the second entity, wherein the reflection configuration maps a plurality of entity actions to a security policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The security system of claim 1, wherein the first entity initiates the action and wherein the action is identifiable by a unique security identifier (SID) hidden from the first entity.
  - 3. The security system of claim 2, wherein at least the SID, the action, and an action property are considered by the security server engine in computing the verdict.
  - 4. The security system of claim 3, wherein the first gateway communicates at least the SID, the action, and the action property to the security server engine.
  - 5. The security system of claim 1, wherein each of the first predefined access mechanism and the second predefined access mechanism are described in a configuration language accessible by the security server engine to implement one of the pre-defined policies without recompilation of the security server engine.
  - 6. The security system of claim 1, wherein the reflection configuration is applied according to at least one of:
    - a start of the first entity or the second entity,a communication of a message between the first entity and the second entity, ora request by first entity or the second entity to use a security interface of the first entity or the second entity.
  - 7. The security system of claim 1, wherein the reflection configuration of the first gateway comprises rules of the application of one of the plurality of policies to the first entity.
  - 8. The security system of claim 7, wherein the first gateway is further configured to store a reference to one of the plurality of policies related to the first entity and call the one of the plurality of policies to validate an action of the first entity.
  - 9. The security system of claim 1, wherein the microkernel is configured to create the first gateway and the second gateway.

10. A security server comprising:
- computing hardware, including at least one processor, a data store, and input/output facilities interfaced with the at least one processor, the data store containing an operating system and a plurality of subject entities executable by the at least one processor;
  
  the data store further comprising a security subsystem executable by the at least one processor, that, when executed, causes the computing hardware to implement;
  
  a plurality of security policies, wherein each of the plurality of security policies comprises a set of rules that operate on parameters related to an action requested by a subject entity to produce a security verdict, and wherein each of the plurality of security policies are defined by a conjunction of at least a first predefined access mechanism and a second predefined access mechanism,a plurality of communication interfaces, wherein each of the plurality of communication interfaces is associated with one of the plurality of security policies, and wherein each of the plurality of communication interfaces is configured to receive a request from a specific requesting gateway and return the security verdict to the requesting gateway; and
  
  wherein the security server operates outside of functional logic of the plurality of subject entities and is unable to apply the security verdict, and wherein the requesting gateway is configured according to a system-level configuration applicable a plurality of gateways, and a reflection configuration specific to the requesting gateway, wherein the reflection configuration maps a plurality of entity actions to a security policy.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The security server of claim 10, wherein each of the plurality of security policies corresponds to at least one of a type enforcement (TE), a role-based access control (RBAC), or a multi-level security (MLS).
  - 12. The security server of claim 11, wherein one of the plurality of security policies uses a combination of TE, RBAC, and MLS, and the security verdict is a conjunction of TE, RBAC, and MLS.
  - 13. The security server of claim 10, wherein each of the first predefined access mechanism and the second predefined access mechanism are described in a configuration language accessible by the security subsystem to implement one of the plurality of security policies without recompilation of the security subsystem.
  - 14. The security server of claim 10, wherein each of the plurality of communication interfaces is further configured to receive the parameters related to an action from the requesting gateway.

15. A security gateway comprising:
- computing hardware, including at least one processor, a data store, and input/output facilities interfaced with the at least one processor, the data store containing an operating system and a first entity and a second entity executable by the at least one processor;
  
  the data store further comprising a security subsystem executable by the at least one processor, that, when executed, causes the computing hardware to implement;
  
  a first gateway engine associated with the first entity and comprising a verdicts cache configured to store previously-rendered security verdicts corresponding to the first gateway engine, wherein the first gateway engine is configured to;
  
  provide a channel for the first entity to communicate an event with the second entity or the operating system,determine a particular communication method of the event,determine a security policy corresponding to the particular communication method,identify a security context of the first entity and the second entity or the operating system,determine if a security verdict corresponding to the event exists in the verdicts cache, andif the security verdict exists in the verdicts cache, return the security verdict, and if the security verdict does not exist in the verdicts cache, request a security verdict from the security server based on the security context, wherein the first gateway engine is unable to produce the security verdict;
  
  wherein the first gateway is configured according to a system-level configuration applicable to both the first entity and the second entity, and a reflection configuration specific to the first entity, wherein the reflection configuration maps a plurality of entity actions to a security policy.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The security gateway of claim 15, wherein the first gateway engine comprises a plurality of rule names, wherein the rules are stored on the security server.
  - 17. The security gateway of claim 16, wherein the first verdicts cache comprises different security verdicts than the second verdicts cache.
  - 18. The security gateway of claim 15, wherein determining if the security verdict corresponding to the event exists in the verdicts cache uses:
    - a first entity identifier and a second entity identifier,an event identifier, anda value of method arguments used to compute the security verdict.
  - 19. The security gateway of claim 15, wherein the data store causes the computing hardware further to implement:
    - a second gateway engine associated with the second entity and comprising a second verdicts cache configured to store previously-rendered security verdicts corresponding to the second gateway engine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lab A.O. Kaspersky
Original Assignee
Lab A.O. Kaspersky
Inventors
Doukhvalov, Andrey P., Dyakin, Pavel V., Kulagin, Dmitry A., Lungu, Sergey B., Moiseev, Stanislav V.
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Pan, Peiliang

Application Number

US15/691,155
Publication Number

US 20180006999A1
Time in Patent Office

692 Days
Field of Search

726 17, 726 22, 713164
US Class Current
CPC Class Codes

G06F 21/6281   at program execution time, ...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/0209   Architectural arrangements,...

H04L 63/1408   by monitoring network traff...

H04L 63/20   for managing network securi...

Secure gateway communication systems and methods

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

25 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Secure gateway communication systems and methods

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links