Program-based authorization

US 8,321,932 B2
Filed: 12/22/2010
Issued: 11/27/2012
Est. Priority Date: 04/07/2006
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

intercepting a file system action attempt, which is associated with an action by a process relating to a file in a computer system;

determining a program file that attempts the file system action, wherein the determining comprises;

identifying a process context of the process; and

associating the process context with the program file, the associating comprising;

placing hooks in a process creation code path and a process termination code path;

creating an entry in a data structure when the process starts executing a code represented by the program file, wherein the entry is deleted when the process stops executing the code, wherein the entry includes associations between the process context and a file handle of the program file; and

determining the program file associated with the process context from the entry in the data structure;

allowing the action to proceed if it is authorized by an authorization policy; and

blocking the action when it is not authorized by the authorization policy and when the computer system is operating in a first mode, wherein the computer system includes a second mode that is configured to allow the action when it is not authorized according to the authorization policy.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques which allow definition and enforcement of program-based action authorization policies. On a computer, an action or execution attempt is intercepted in real-time. The subject process, the program file of the subject process, the attempted action and the object of the attempted action are determined. An authorization policy considering the program file indicates whether the attempted action is authorized or not. In a tracking mode, the attempted action and its authorization are logged and the attempted action is allowed to proceed. In an enforcement mode, unauthorized attempts are blocked and logged, thereby enforcing the authorization policy.

227 Citations

20 Claims

1. A method, comprising:
- intercepting a file system action attempt, which is associated with an action by a process relating to a file in a computer system;
  
  determining a program file that attempts the file system action, wherein the determining comprises;
  
  identifying a process context of the process; and
  
  associating the process context with the program file, the associating comprising;
  
  placing hooks in a process creation code path and a process termination code path;
  
  creating an entry in a data structure when the process starts executing a code represented by the program file, wherein the entry is deleted when the process stops executing the code, wherein the entry includes associations between the process context and a file handle of the program file; and
  
  determining the program file associated with the process context from the entry in the data structure;
  
  allowing the action to proceed if it is authorized by an authorization policy; and
  
  blocking the action when it is not authorized by the authorization policy and when the computer system is operating in a first mode, wherein the computer system includes a second mode that is configured to allow the action when it is not authorized according to the authorization policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method as recited in claim 1, wherein a first log is generated for the file system action attempt.
  - 3. A method as recited in claim 1, wherein a second log is subsequently generated to identify the unauthorized action as having occurred when the computer system is operating in the second mode.
  - 4. A method as recited in claim 1, wherein the authorization policy includes data indicative of a set of differences between one or more parts of content of an object sought to be altered by the action, and wherein the differences identify changes between the content before and after the action.
  - 5. A method as recited in claim 1, wherein the determining further includes determining an attribute associated with the program file.
  - 6. A method as recited in claim 1, wherein the action indicates a read operation on the file.
  - 7. A method as recited in claim 1, wherein the action indicates a write, append, or truncate operation on the file.
  - 8. A method as recited in claim 1, wherein the action indicates a delete, move, or rename operation on the file.

9. Logic encoded in non-transitory tangible media that includes code for execution and when executed by a processor is operable to perform operations comprising:
- intercepting a file system action attempt, which is associated with an action by a process relating to a file in a computer system;
  
  determining a program file that attempts the file system action, wherein the determining comprises;
  
  identifying a process context of the process; and
  
  associating the process context with the program file, the associating comprising;
  
  placing hooks in a process creation code path and a process termination code path;
  
  creating an entry in a data structure when the process starts executing a code represented by the program file, wherein the entry is deleted when the process stops executing the code, wherein the entry includes associations between the process context and a file handle of the program file; and
  
  determining the program file associated with the process context from the entry in the data structure;
  
  allowing the action to proceed if it is authorized by an authorization policy; and
  
  blocking the action when it is not authorized by the authorization policy and when the computer system is operating in a first mode, wherein the computer system includes a second mode that is configured to allow the action when it is not authorized according to the authorization policy.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The logic as recited in claim 9, wherein a first log is generated for the file system action attempt, and wherein a second log is subsequently generated to identify the unauthorized action as having occurred when the computer system is operating in the second mode.
  - 11. The logic as recited in claim 9, wherein the authorization policy includes data indicative of a set of differences between one or more parts of content of an object sought to be altered by the action, and wherein the differences identify changes between the content before and after the action.
  - 12. The logic as recited in claim 9, wherein the action indicates a read operation on the file.
  - 13. The logic as recited in claim 9, wherein the action indicates a write, append, or truncate operation on the file.
  - 14. The logic as recited in claim 9, wherein the action indicates a delete, move, or rename operation on the file.

15. A computer system, comprising:
- a processor; and
  
  a memory, wherein the computer system is configured for;
  
  intercepting a file system action attempt, which is associated with an action by a process relating to a file in a computer system;
  
  determining a program file that attempts the file system action, wherein the determining comprises;
  
  identifying a process context of the process; and
  
  associating the process context with the program file, the associating comprising;
  
  placing hooks in a process creation code path and a process termination code path;
  
  creating an entry in a data structure when the process starts executing a code represented by the program file, wherein the entry is deleted when the process stops executing the code, wherein the entry includes associations between the process context and a file handle of the program file; and
  
  determining the program file associated with the process context from the entry in the data structure;
  
  allowing the action to proceed if it is authorized by an authorization policy; and
  
  blocking the action when it is not authorized by the authorization policy and when the computer system is operating in a first mode, wherein the computer system includes a second mode that is configured to allow the action when it is not authorized according to the authorization policy.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system as recited in claim 15, wherein a first log is generated for the file system action attempt, and wherein a second log is subsequently generated to identify the unauthorized action as having occurred when the computer system is operating in the second mode.
  - 17. The system as recited in claim 15, wherein the authorization policy includes data indicative of a set of differences between one or more parts of content of an object sought to be altered by the action, and wherein the differences identify changes between the content before and after the action.
  - 18. The system as recited in claim 15, wherein the action indicates a read operation on the file.
  - 19. The system as recited in claim 15, wherein the action indicates a write, append, or truncate operation on the file.
  - 20. The system as recited in claim 15, wherein the action indicates a delete, move, or rename operation on the file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Bhargava, Rishi, Sebes, E. John
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Tran, Tongoc

Application Number

US12/975,745
Publication Number

US 20110093950A1
Time in Patent Office

706 Days
Field of Search

726 1- 7, 726 22- 30, 713165-167
US Class Current

726/21
CPC Class Codes

G06F 21/52   during program execution, e...

H04L 63/0236   Filtering by address, proto...

H04L 63/102   Entity profiles

Program-based authorization

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

227 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Program-based authorization

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

227 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links