Method and system for implementing mandatory file access control in native discretionary access control environments

US 9,350,760 B2
Filed: 01/23/2014
Issued: 05/24/2016
Est. Priority Date: 02/08/2007
Status: Active Grant

First Claim

Patent Images

1. A computer system configured to act as a Domain Controller (DC) for a computer network comprising plurality of client computers, the plurality of client computers running an operating system that uses a discretionary access policy regarding file operations, the computer system comprising:

one or more hardware processors communicatively coupled to a non-transitory computer readable storage medium wherein the non-transitory computer readable storage medium comprises instructions stored thereon that when executed by the one or more processors cause the one or more processors to;

receive a login request associated with a first user on a first client computer of the plurality of client computers; and

receive an indication from a mandatory access control agent executing on the first client computer to modify a login session in response to the login request, the login session configured to exclude the first user from a default user group and to associate the first user with a second user group for a duration of the login session;

wherein protected files accessible on the computer network are associated with an access control list that denies access to the default user group and allows access to the second user group; and

wherein the access control agent and the DC implement a security policy regarding file operations within the computer network that is configured by default with the discretionary access policy regarding file operations.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided for implementing a mandatory access control model in operating systems which natively use a discretionary access control scheme. A method for implementing mandatory access control in a system comprising a plurality of computers, the system comprising a plurality of information assets, stored as files on the plurality of computers, and a network communicatively connecting the plurality of computers, wherein each of the plurality of computers includes an operating system that uses a discretionary access control policy, and wherein each of a subset of the plurality of computers includes a software agent component operable to perform the steps of intercepting a request for a file operation on a file from a user of one of the plurality of computers including the software agent, determining whether the file is protected, if the file is protected, altering ownership of the file from the user to another owner, and providing access to the file based on a mandatory access control policy.

15 Citations

21 Claims

1. A computer system configured to act as a Domain Controller (DC) for a computer network comprising plurality of client computers, the plurality of client computers running an operating system that uses a discretionary access policy regarding file operations, the computer system comprising:
- one or more hardware processors communicatively coupled to a non-transitory computer readable storage medium wherein the non-transitory computer readable storage medium comprises instructions stored thereon that when executed by the one or more processors cause the one or more processors to;
  
  receive a login request associated with a first user on a first client computer of the plurality of client computers; and
  
  receive an indication from a mandatory access control agent executing on the first client computer to modify a login session in response to the login request, the login session configured to exclude the first user from a default user group and to associate the first user with a second user group for a duration of the login session;
  
  wherein protected files accessible on the computer network are associated with an access control list that denies access to the default user group and allows access to the second user group; and
  
  wherein the access control agent and the DC implement a security policy regarding file operations within the computer network that is configured by default with the discretionary access policy regarding file operations.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer system of claim 1, wherein the instructions to cause the one or more processors to receive an indication to modify a login session comprise instructions to cause the one or more processors to receive a user identification and determine using the user identification to create the login session.
  - 3. The computer system of claim 1, wherein the discretionary access policy comprises a discretionary access control policy.
  - 4. The computer system of claim 1, wherein the security policy regarding file operations comprises a mandatory access control policy.
  - 5. The computer system of claim 1, wherein the instructions to cause the one or more processors to receive an indication to modify a login session comprise instructions to cause the one or more processors to receive an indication that the first client computer is configured with a mandatory access control agent.
  - 6. The computer system of claim 1, wherein a second user can authenticate to the DC from a second client computer system without having the login session configured.
  - 7. The computer system of claim 6, wherein the second client computer system is not configured with the access control agent and the second client computer system conforms to the discretionary access policy regarding file operations.
  - 8. The computer system of claim 1, wherein the first user can authenticate to the DC from a second client computer system without having the login session configured based, at least in part, on a condition that the second client computer system is not executing the access control agent.
  - 9. The computer system of claim 1, wherein the DC concurrently provides authentication services for the plurality of client computers and the plurality of client computers comprises at least one client configured with the access control agent and at least one client configured without the access control agent.

10. One or more non-transitory computer readable media comprising instructions stored thereon that when executed by a programmable device configure the programmable device to act as a Domain Controller (DC) for a computer network comprising a plurality of client computers, the plurality of client computers running an operating system that uses a discretionary access policy regarding file operations, the instructions further comprising instructions to configure the programmable device to:
- receive a login request associated with a first user on a first client computer selected from the plurality of client computers; and
  
  accept an indication from a mandatory access control agent executing on the first client computer to modify a login session in response to the login request, the login session configured to exclude the first user from a default user group and to associate the first user with a second user group for a duration of the login session;
  
  wherein protected files accessible on the computer network include an access control list that denies access to the default user group and allows access to the second user group; and
  
  wherein the access control agent and the DC implement an security policy regarding file operations within the computer network that is configured by default with the discretionary access policy regarding file operations.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The one or more computer readable media of claim 10, wherein the instructions to cause the programmable device to receive an indication to modify a login session comprise instructions to cause the programmable device to receive a user identification and determine using the user identification to create the login session.
  - 12. The one or more computer readable media of claim 10, wherein the discretionary access policy comprises a discretionary access control policy.
  - 13. The one or more computer readable media of claim 10, wherein the security policy regarding file operations comprises a mandatory access control policy.
  - 14. The one or more computer readable media of claim 10, wherein the instructions to cause the programmable device to receive an indication to modify a login session comprise instructions to cause the programmable device to receive an indication that the first client computer is configured with a mandatory access control agent.
  - 15. The one or more computer readable media of claim 10, wherein a second user can authenticate to the DC from a second client computer system without having the login session configured.
  - 16. The one or more computer readable media of claim 15, wherein the second client computer system is not configured with the mandatory access control agent and the second client computer system conforms to the discretionary access policy regarding file operations.
  - 17. The one or more computer readable media of claim 10, wherein the first user can authenticate to the DC from a second client computer system without having the login session configured based, at least in part, on a condition that the second client computer system is not executing the mandatory access control agent.
  - 18. The one or more computer readable media of claim 10, wherein the DC concurrently provides authentication services for the plurality of client computers and the plurality of client computers comprises at least one client configured with the mandatory access control agent and at least one client configured without the mandatory access control agent.

19. A method for configuring a programmable device to act as a Domain Controller (DC) for a computer network comprising a plurality of client computers, the plurality of client computers running an operating system that uses a discretionary access policy regarding file operations, the method comprising:
- receiving a login request associated with a first user on a first client computer selected from the plurality of client computers; and
  
  accepting an indication from a mandatory access control agent executing on the first client computer to modify a login session in response to the login request, the login session configured to exclude the first user from a default user group and to associate the first user with a second user group for a duration of the login session;
  
  wherein protected files accessible on the computer network include an access control list that denies access to the default user group and allows access to the second user group; and
  
  wherein the access control agent and the DC implement an security policy regarding file operations within the computer network that is configured by default with the discretionary access policy regarding file operations.
- View Dependent Claims (20, 21)
- - 20. The method of claim 19, wherein receiving an indication to modify a login session comprises:
    - receiving a user identification; and
      
      determining using the user identification to create the login session.
  - 21. The method of claim 19, wherein receiving an indication to modify a login session comprises receiving an indication that the first client computer is configured with a mandatory access control agent.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Tirosh, Oren, Werner, Eran
Primary Examiner(s)
CHEN, SHIN HON

Application Number

US14/162,549
Publication Number

US 20140137185A1
Time in Patent Office

852 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/62   Protecting access to data v...

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/102   Entity profiles

H04L 63/104   Grouping of entities

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

Method and system for implementing mandatory file access control in native discretionary access control environments

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

15 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for implementing mandatory file access control in native discretionary access control environments

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links