Dynamically controlling permissions
First Claim
1. A method of controlling file and/or directory operations and/or controlling network connections from a process or task running in an Application Security Environment (where an Application Security Environment is an environment in which one or more processes or tasks can be run and the privileges of the processes or tasks in the Application Security Environment can be a subset of the privileges of the user or the user-group who owns that Application Security Environment) which is owned by a user or a user-group (where a user-group is a group of users) based on:
i. The current state of that Application Security Environment and/or
ii. The current state of that user or user-group who owns that Application Security Environment and/or
iii. The current state of one or more privilege objects. A privilege object has one or more states such that these states can be mapped to permissions which processes or tasks have to perform operations on one or more objects.
Abstract
A high level of computer security can be achieved by controlling read/write/execute access to files, controlling incoming or outgoing network connections, controlling incoming or outgoing network traffic and controlling privileged operations based on states of Application Security Environments and/or based on states of users or groups of users and/or based on states of privilege objects. These states can be controlled dynamically by software or by one or more hardware devices.
21 Citations
22 Claims
1. A method of controlling file and/or directory operations and/or controlling network connections from a process or task running in an Application Security Environment (where an Application Security Environment is an environment in which one or more processes or tasks can be run and the privileges of the processes or tasks in the Application Security Environment can be a subset of the privileges of the user or the user-group who owns that Application Security Environment) which is owned by a user or a user-group (where a user-group is a group of users) based on:
i. The current state of that Application Security Environment and/or
ii. The current state of that user or user-group who owns that Application Security Environment and/or
iii. The current state of one or more privilege objects. A privilege object has one or more states such that these states can be mapped to permissions which processes or tasks have to perform operations on one or more objects.
(Dependent claims: 6, 7, 8, 9, 10, 11, 21)
2. A method of controlling file and/or directory operations and/or controlling network connections from a process or task which is owned by a user or a user-group based on:
i. The current state of that user or user-group and/or
ii. The current state of one or more privilege objects.
(Dependent claims: 12, 13, 14, 15, 16, 22)
3. When the states of the privilege objects and/or the state of the user or user-group and/or the state of the Application Security Environment are used to control the permissions which a process or a task has to perform an operation on an object as claimed in (1) then:
i. Preferably, the selection of the permissions should be based on the priority of those privilege objects and/or that user or user-group and/or that Application Security Environment.
ii. Optionally, the permissions can be obtained by performing AND or OR operations on the permissions corresponding to the current states of those privilege objects and/or that user or user-group and/or that Application Security Environment.
iii. Optionally, the permissions can be obtained by using a combination of:
a. The priority between privilege objects and/or that user or user-group and/or that Application Security Environment, and
b. Performing AND or OR operations on the permissions corresponding to the current states of those privilege objects and/or that user or user-group and/or that Application Security Environment.
4. When the states of the privilege objects and/or the state of the user or user-group are used to control the permissions which a process or a task has to perform an operation on an object as claimed in (2) then:
i. Preferably, the selection of the permissions should be based on the priority of those privilege objects and/or that user or user-group.
ii. Optionally, the permissions can be obtained by performing AND or OR operations on the permissions corresponding to the current states of those privilege objects and/or that user or user-group.
iii. Optionally, the permissions can be obtained by using a combination of:
a. The priority between privilege objects and/or that user or user-group, and
b. Performing AND or OR operations on the permissions corresponding to the current states of those privilege objects and/or that user or user-group.
5. The privileges of a user or a user-group or an Application Security Environment can be changed dynamically by changing the states as claimed in (1) even when the user or the user-group does not have write access to the corresponding permission data structures.
17. A device supporting one or more users and/or one or more user-groups and/or one or more privilege objects. This device supports none or one state for each supported user, none or one or more states for each supported user-group and none or one or more states for each supported privilege object, such that these states can be used for controlling permissions which processes or tasks have to perform operations on different objects in the operating system and/or permissions for controlling access to the devices attached to the computer. Optionally, the privilege object states of the device can be mapped to the states of modules in the operating system and/or the states of the computer partition and/or the states of the computer and/or the states of one or more devices attached to the computer.
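The following Python model, added here as an illustration and not code from the patent, shows how claims 3, 4 and 5 fit together: each privilege object, user/user-group or Application Security Environment carries a priority, a read-only table mapping its states to permission sets, and a current state. The effective permission of a process is resolved either by priority alone, by AND/OR across all entities, or by a combination of the two. The names, the sample entities, and the particular reading of "combination" (AND/OR within the highest-priority tier) are assumptions made for the example; the patent text does not fix them.

```python
from dataclasses import dataclass
from enum import Flag, auto
from functools import reduce
from itertools import groupby
from operator import and_, or_
from types import MappingProxyType


class Perm(Flag):
    """Operations a process or task may perform, combined as bit flags."""
    NONE = 0
    READ = auto()
    WRITE = auto()
    EXEC = auto()
    CONNECT = auto()   # open an outgoing network connection


@dataclass
class StatefulEntity:
    """A privilege object, a user/user-group, or an Application Security
    Environment: a priority, a read-only map from each state to a permission
    set, and a current state that can be switched at run time."""
    name: str
    priority: int
    state_perms: MappingProxyType   # read-only view: the owner cannot edit it
    state: str

    def permissions(self) -> Perm:
        return self.state_perms[self.state]


def make_entity(name: str, priority: int, state_perms: dict, state: str) -> StatefulEntity:
    if state not in state_perms:
        raise ValueError(f"{name}: unknown initial state {state!r}")
    return StatefulEntity(name, priority, MappingProxyType(dict(state_perms)), state)


def set_state(entity: StatefulEntity, new_state: str) -> None:
    """Change only the current state; the state->permission table stays fixed (claim 5)."""
    if new_state not in entity.state_perms:
        raise ValueError(f"{entity.name}: unknown state {new_state!r}")
    entity.state = new_state


OPS = {"and": and_, "or": or_}


def resolve(entities, mode: str = "priority", op: str = "and") -> Perm:
    """Effective permission set for a process, derived from the current states.

    mode="priority": the single highest-priority entity decides (claim 3.i).
    mode="logical" : AND or OR over every entity's permissions (claim 3.ii).
    mode="combined": entities are grouped by priority; only the highest-priority
                     group counts and its members are folded with AND/OR
                     (claim 3.iii). This reading of "combination" is an assumption.
    """
    if not entities:
        return Perm.NONE
    fold = OPS[op]
    ranked = sorted(entities, key=lambda e: e.priority, reverse=True)
    if mode == "priority":
        return ranked[0].permissions()
    if mode == "logical":
        return reduce(fold, (e.permissions() for e in ranked))
    if mode == "combined":
        _, top_tier = next(groupby(ranked, key=lambda e: e.priority))
        return reduce(fold, (e.permissions() for e in top_tier))
    raise ValueError(f"unknown mode {mode!r}")


def allowed(entities, wanted: Perm, **kw) -> bool:
    """True if every flag in `wanted` is granted under the current states."""
    return (resolve(entities, **kw) & wanted) == wanted


def mapping_is_writable(entity: StatefulEntity) -> bool:
    """Claim 5 check: the permission table itself cannot be modified by the caller."""
    try:
        entity.state_perms["anything"] = Perm.READ
        return True
    except TypeError:
        return False


def demo() -> dict:
    full = Perm.READ | Perm.WRITE | Perm.EXEC | Perm.CONNECT
    # Constructed sample entities; names and states are not from the patent.
    ase = make_entity("build-sandbox", 10, {"normal": full, "locked": Perm.READ}, "normal")
    user = make_entity("alice", 5, {"active": full, "suspended": Perm.NONE}, "active")
    # A privilege object whose state mirrors a hardware switch (cf. claim 17).
    net = make_entity("network-switch", 10, {"on": full, "off": full & ~Perm.CONNECT}, "off")
    world = [ase, user, net]

    r = {}
    r["connect_initially"] = allowed(world, Perm.CONNECT, mode="combined", op="and")
    set_state(net, "on")                      # hardware switch flipped: CONNECT now granted
    r["connect_after_switch_on"] = allowed(world, Perm.CONNECT, mode="combined", op="and")
    set_state(user, "suspended")              # lower-priority user: ignored by 'combined', not by 'logical'
    r["write_combined"] = allowed(world, Perm.WRITE, mode="combined", op="and")
    r["write_logical_and"] = allowed(world, Perm.WRITE, mode="logical", op="and")
    set_state(ase, "locked")                  # ASE state change revokes WRITE without editing any table
    r["write_after_lock"] = allowed(world, Perm.WRITE, mode="combined", op="and")
    r["read_after_lock"] = allowed(world, Perm.READ, mode="priority")
    r["table_writable"] = mapping_is_writable(ase)
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two points a practitioner should take from the run: the same set of entities yields different answers under "combined" and "logical AND" (a suspended low-priority user is decisive in one and irrelevant in the other, so the combination rule is a security decision, not a detail), and every change of effective permission in the demo happens through `set_state`, never through the permission tables, which stay read-only.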
Specification