System and method for restricting access to secured data

US 20030033303A1
Filed: 07/19/2002
Published: 02/13/2003
Est. Priority Date: 08/07/2001
Status: Abandoned Application

First Claim

Patent Images

1. A method of restricting access to secured data on a computer system comprising:

intercepting a file system operation seeking access to secured data; and

determining if the intercepted file system operation originated from an application program comprising executable program code stored within the secured data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for restricting the use of secure data on a computer system are provided. An interception program may be added as part of an interface program. The interception program may control access to the content of storage media such as an extension to the file system program of the operating system of the computer system. The secured data may be encrypted, and requested data may be decrypted by the interception program before it is returned. If the intercepted file system access operation is to open the secured data, but does not originate from an application program including executable program code stored within the secured data, the file system access operation may fail. In addition, an error message may be displayed implying that the user does not have sufficient privilege to access the requested data.

73 Citations

View as Search Results

56 Claims

1. A method of restricting access to secured data on a computer system comprising:
- intercepting a file system operation seeking access to secured data; and
  
  determining if the intercepted file system operation originated from an application program comprising executable program code stored within the secured data.

2. A method, comprising:
- providing a set of files identified as secured data;
  
  providing an interception program coupled to an operating system of the computer system, wherein the interception program is configured to control access to a memory medium containing the secured data; and
  
  intercepting file system operations with the interception program.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 3. The method of claim 2, wherein a file system operation comprises an application termination operations.
  - 4. The method of claim 2, wherein the interception program comprises an extension to a file system program of the operating system.
  - 5. The method of claim 2, further comprising:
    - determining if an intercepted file system operation is allowed to access the secured data; and
      
      determining if the operation originates from an application program comprising executable program code stored within the secured data.
  - 6. The method of claim 5, further comprising determining if the file system operation is allowed to read from the secured data.
  - 7. The method of claim 5, further comprising determining if the operation is allowed to open the secured data.
  - 8. The method of claim 5, further comprising inhibiting processing of the file system operation if the operation does not originate from the application program comprising program code stored within the secured data.
  - 9. The method of claim 5, further comprising monitoring processes of the application program for execution and termination.
  - 10. The method of claim 5, further comprising monitoring processes of the application program within the operating system for open executable program code files within the secured data.
  - 11. The method of claim 5, further comprising, if the intercepted file system operation originated from an application program comprising executable program code stored within the secured data:
    - reading from the secured data, decrypting the secured data; and
      
      returning the secured data to the application program.
  - 12. The method of claim 11, wherein decrypting the data comprises using specific values from a digital signature on a secured storage media, and wherein the digital signature is inhibited from being copied whenever the media is copied.
  - 13. The method of claim 11, wherein the secured data comprises an executable file, and wherein the method further comprises marking a current process as authorized such that the current process can further access the secured data.
  - 14. The method of claim 13, wherein, if the file system operation comprises an indication of the termination of authorization of the application program, the method further comprises:
    - unmarking the current process as authorized to deny further access by the process to the secured data.
  - 15. The method of claim 5, wherein, if an intercepted file system operation originated from an application program comprising executable program code stored within the secured data, the method further comprises inhibiting writing to the secured data by the application program.
  - 16. The method of claim 5, wherein, if the file system operation comprises a request to access an executable file, the method further comprises:
    - constructing an open file handle that identifies the executable file; and
      
      returning the open file handle to the application program.
  - 17. The method of claim 5, wherein, if the file system operation includes a request to open secured data that does not include an executable file, the method further comprises:
    - determining if a current process is marked as authorized such that the current process can further access the secured data.
  - 18. The method of claim 17, further comprising inhibiting opening of the secured data if the current process is not marked as authorized.
  - 19. The method of claim 17, wherein, if the current process is marked as authorized, the method further comprises:
    - constructing an open file handle that identifies the secured data; and
      
      returning the open file handle to the application program.

20. A system configured to restrict access to secured data on a computer system, comprising:
- a CPU; and
  
  a system memory coupled to the CPU, wherein the system memory stores one or more computer programs executable by the CPU;
  
  wherein one or more computer programs are executable to;
  
  intercept a file system operation seeking access to secured data; and
  
  determine if the intercepted file system operation originated from an application program comprising executable program code stored within the secured data.

21. A system configured to restrict access to secured data on a computer system, comprising:
- a CPU; and
  
  a system memory coupled to the CPU, wherein the system memory stores one or more computer programs executable by the CPU;
  
  wherein one or more computer programs are executable to;
  
  identify a set of files as secured data;
  
  intercept file system access operations with an interception program, wherein the interception program is coupled to an operating system of the computer system, and wherein the interception program controls access to a memory medium containing the secured data.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 22. The system of claim 21, wherein the one or more computer programs are further executable to intercept application termination operations.
  - 23. The system of claim 21, wherein the interception program comprises an extension to a file system program of the operating system.
  - 24. The system of claim 21, wherein the one or more computer programs are further executable to:
    - determine if an intercepted file system operation is allowed to access the secured data; and
      
      determine if the operation originates from an application program comprising executable program code stored within the secured data.
  - 25. The system of claim 24, wherein the one or more computer programs are further executable to determine if the file system operation is allowed to read from the secured data.
  - 26. The system of claim 24, wherein the one or more computer programs are further executable to determine if the operation is allowed to open the secured data.
  - 27. The system of claim 24, wherein the one or more computer programs are further executable to inhibit processing of the file system operation if the operation does not originate from the application program comprising program code stored within the secured data.
  - 28. The system of claim 24, wherein the one or more computer programs are further executable to:
    - monitor processes of the application program for execution and termination.
  - 29. The system of claim 24, wherein the one or more computer programs are further executable to:
    - monitor processes of the application program within the operating system for open executable program code files within the secured data
  - 30. The system of claim 24, wherein, if the intercepted file system operation originated from an application program comprising executable program code stored within the secured data, the one or more computer programs are further executable to:
    - read from the secured data, decrypt the secured data; and
      
      return the secured data to the application program.
  - 31. The system of claim 30, wherein decrypting the data comprises using specific values from a digital signature on a secured storage media, and wherein the digital signature is inhibited from being copied whenever the media is copied.
  - 32. The system of claim 30, wherein the secured data comprises an executable file, and wherein the one or more computer programs are further executable to mark a current process as authorized such that the current process can further access the secured data.
  - 33. The system of claim 31, wherein, if the file system operation comprises an indication of the termination of authorization of the application program, the one or more computer programs are further executable to:
    - unmark the current process as authorized to deny further access by the process to the secured data.
  - 34. The system of claim 24, wherein, if an intercepted file system operation originated from an application program comprising executable program code stored within the secured data, the one or more computer programs are further executable to inhibit writing to the secured data by the application program.
  - 35. The system of claim 24, wherein, if the file system operation comprises a request to access an executable file, the one or more computer programs are further executable to:
    - construct an open file handle that identifies the executable file; and
      
      return the open file handle to the application program.
  - 36. The system of claim 24, wherein, if the file system operation includes a request to open secured data that does not include an executable file, the one or more computer programs are further executable to:
    - determine if a current process is marked as authorized such that the current process can further access the secured data.
  - 37. The system of claim 36, wherein the one or more computer programs are further executable to inhibit opening of the secured data if the current process is not marked as authorized.
  - 38. The system of claim 36, wherein, if the current process is marked as authorized, the one or more computer programs are further executable to:
    - construct an open file handle that identifies the secured data; and
      
      return the open file handle to the application program.

39. A carrier medium configured to store program instructions, wherein the program instructions are executable to implement a method, comprising:
- intercepting a file system operation seeking access to secured data; and
  
  determining if the intercepted file system operation originated from an application program comprising executable program code stored within the secured data.

40. A carrier medium configured to store program instructions, wherein the program instructions are executable to implement a method, comprising:
- providing a set of files identified as secured data;
  
  providing an interception program coupled to an operating system of the computer system, wherein the interception program is configured to control access to a memory medium containing the secured data; and
  
  intercepting file system operations with the interception program.
- View Dependent Claims (41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56)
- - 41. The carrier medium of claim 40, wherein a file system operation comprises an application termination operations.
  - 42. The carrier medium of claim 40, wherein the interception program comprises an extension to a file system program of the operating system.
  - 43. The carrier medium of claim 40, wherein the method further comprises:
    - determining if an intercepted file system operation is allowed to access the secured data; and
      
      determining if the operation originates from an application program comprising executable program code stored within the secured data.
  - 44. The carrier medium of claim 43, wherein the method further comprises determining if the file system operation is allowed to read from the secured data. The carrier medium of claim 43, wherein the method further comprises determining if the operation is allowed to open the secured data.
  - 45. The carrier medium of claim 43, wherein the method further comprises inhibiting processing of the file system operation if the operation does not originate from the application program comprising program code stored within the secured data.
  - 46. The carrier medium of claim 43, wherein the method further comprises monitoring processes of the application program for execution and termination.
  - 47. The carrier medium of claim 43, wherein the method further comprises monitoring processes of the application program within the operating system for open executable program code files within the secured data.
  - 48. The carrier medium of claim 43, wherein the method further comprises, if the intercepted file system operation originated from an application program comprising executable program code stored within the secured data:
    - reading from the secured data, decrypting the secured data; and
      
      returning the secured data to the application program.
  - 49. The carrier medium of claim 48, wherein decrypting the data comprises using specific values from a digital signature on a secured storage media, and wherein the digital signature is inhibited from being copied whenever the media is copied.
  - 50. The carrier medium of claim 48, wherein the secured data comprises an executable file, and wherein the method further comprises marking a current process as authorized such that the current process can further access the secured data.
  - 51. The carrier medium of claim 50, wherein, if the file system operation comprises an indication of the termination of authorization of the application program, the method further comprises:
    - unmarking the current process as authorized to deny further access by the process to the secured data.
  - 52. The carrier medium of claim 43, wherein, if an intercepted file system operation originated from an application program comprising executable program code stored within the secured data, the method further comprises inhibiting writing to the secured data by the application program.
  - 53. The carrier medium of claim 43, wherein, if the file system operation comprises a request to access an executable file, the method further comprises:
    - constructing an open file handle that identifies the executable file; and
      
      returning the open file handle to the application program.
  - 54. The carrier medium of claim 43, wherein, if the file system operation includes a request to open secured data that does not include an executable file, the method further comprises:
    - determining if a current process is marked as authorized such that the current process can further access the secured data.
  - 55. The carrier medium of claim 54, wherein the method further comprises inhibiting opening of the secured data if the current process is not marked as authorized.
  - 56. The carrier medium of claim 54, wherein, if the current process is marked as authorized, the method further comprises:
    - constructing an open file handle that identifies the secured data; and
      
      returning the open file handle to the application program.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Iora Limited (Infonic Plc)
Original Assignee
Iora Limited (Infonic Plc)
Inventors
Collins, Brian

Application Number

US10/200,016
Publication Number

US 20030033303A1
Time in Patent Office

Days
Field of Search
US Class Current

707/9
CPC Class Codes

G06F 21/602 Providing cryptographic fac...

G06F 21/6281 at program execution time, ...

System and method for restricting access to secured data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

73 Citations

56 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for restricting access to secured data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

73 Citations

56 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links