A METHOD AND SYSTEM FOR MAINTAINING ACCESS SECURITY OF INPUT AND OUTPUT OPERATIONS IN A COMPUTER SYSTEM
BACKGROUND OF THE INVENTION 1. Field of the Invention This invention relates in general to computer security systems, and, more particularly, to a computer security system and a method for automatically limiting user access to information stored in the computer in accordance with a predetermined, but variable, user security profile of permissible operations for each user that aids the user in properly classifying documents.
2. Description of the Related Art Previous implementations of secure computer workstations required the use of a special operating system and could not provide security when commercial off-the-shelf ("COTS") software application packages were used. Such systems, commonly called "Compartmented Workstations", are notoriously inconvenient to use and do not allow for data merger of documents and downgrading of documents. In general, these previous implementations do not: (1) run on the popular, commercially available computers; (2) allow usage of a broad spectrum of COTS applications and not just "trusted" applications that have been security tested or qualified; (3) allow merger of data of different security levels; (4) allow usage of the standard operating system.
OBJECTS AND SUMMARY OF THE INVENTION Therefore, it is an object of the present invention to provide a method and system for providing security for documents and data that does not require the use of "trusted" applications only, but allows usage of commercial off-the-shelf software application packages. It is still another object of the present invention to
provide a method and system for providing security for documents and data that provides propagation of security labels when data is moved between documents. It is still another object of the present invention to provide a method and system for providing security for documents and data that puts the users in control of their documents provided that they have necessary security access rights. It is another object of the present invention to provide a method and system for providing security for documents and data that facilitates, rather than prevents, data merger of documents classified at different security levels. It is yet another object of the present invention to provide a method and system for providing security for documents and data that not only prevents unauthorized access to files and data, but which also aids the user in properly classifying documents and data retained on the system or manipulated by the method of the present invention. Other objects of the present invention are: it does not require the development of a "trusted" operating system, but rather exists as an extension to the existing operating system; provides security of documents on a network at the workstation level; concentrates on "detection and audit" of "curious," "hostile" or "mischievous" action by users as opposed to "prevention" of such so that more trust is placed on the users allowing for a more user friendly system. The present invention provides a computer system and a method under which a personal computer or a workstation may use commercial off-the-shelf software application packages with a commercially available operating system while providing features of multi-level security including mandatory access controls and propagation of classification levels and codewords when information is moved between documents. Users are allowed to manually reclassify
documents (including downgrading subject to restrictions) as necessary. The present invention may also be embodied to provide security when computers are on a network by means of a secure file server. The novel features of construction and operation of the invention will be more clearly apparent during the course of the following description, reference being had to the accompanying drawings wherein has been illustrated a preferred form of the device of the invention and wherein like characters of reference designate like parts throughout the drawings.
BRIEF DESCRIPTION OF THE FIGURES FIGURE 1 is a block diagram flowchart showing the general overall logic flow through a system incorporating the present invention; FIGURE 2 is an idealized block diagram flowchart showing the general overall operational flow through a system incorporating the present invention; FIGURE 3 is an idealized diagram showing the various input/output operations occurring in a system embodying the present invention; and, FIGURE 4 is an idealized block diagram showing a structure for the User Access Table and acceptable sub-field structure.
DESCRIPTION OF THE PREFERRED EMBODIMENT A preferred form of the invention as embodied in a method and computing system for providing occurrence level, value based security protection, limiting for each user access to preselected, but variable Input/Output operations on selected data objects in the computer system is now described. In general, as shown in FIGURE 1, the invention is found in a computer system interfacing Input/Output requests between at least one user, identified by a unique user identification symbol, and the computer system having
at least one data object containing data therein. The method comprises operating the computer to automatically perform the following steps. A data object security access label, representing a security profile defining a user security access level and the Input/Output operations permitted on the data object, is established and associated with each data object selected for security protection 10. Such data objects are always given this security access label and include "saved" documents or text files generated by the application programs that may be running on the computer system. A user security access table is also established 12 that has, for each user selected to have Input/Output access to the data objects in the computer system, a first entry identifying the user by the unique user identification symbol, and a second entry representing a user security profile for the particular user. The second entry is used to define the security access level of the associated user. A session security level "flag" is set to a preselected default condition representing one of the security access levels 14. Each user request to the computer system is parsed to extract each Input/Output request 16. For each of the found Input/Output requests (1) the unique user identification symbol of the user making the Input/Output request; (2) the data object that is the subject of the Input/Output request; and (3) the requested Input/Output operation are then extracted. The unique user identification symbol is compared with the first entry of the user security access table; if a match is found, a user security access "flag" at the computer system is set to an "allowed" condition and a user security level "flag" is set to the security access level defined by the second entry of the user security access table associated with the user identification symbol, and otherwise each "flag" is set to a "denied" condition 18.
The requested Input/Output operation is compared with the data object security access label associated with the data object that is the subject of the Input/Output request, and at the computer system a data object security access "flag" is set to an "allowed" condition if a match is found and otherwise to a "denied" condition 20. The session security level "flag" is compared to the user security access level defined in the security profile for the data object that is the subject of the Input/Output request, and the session security level "flag" is set to the predetermined "higher" security level 22. Once the flags have been set, the Input/Output request is returned to the computer system for processing whenever the user security access "flag" and the data object security access "flag" are both in the "allowed" condition 24. It is also preferred that the method of the present invention include writing at the computer system to a security violation log the unique user identification symbol whenever the user security access flag, the user security level flag or the data object security access flag is in said "denied" condition, and canceling the execution of the parsed Input/Output request by the computer system. Similarly, it is also preferred that when a violation or attempted breach of security is discovered, the invention returns a preselected message to the computer system user whenever the user security access flag, the user security level flag or the data object security access flag is in the "denied" condition. Also, for ease of changing the various security levels on the various data objects held in the computer system, it is preferred that the method allow the computer system user to access and modify the data object security label whenever the user security access flag, the user security level flag, and the data object security access flag are each in an "allowed" condition.
Finally, the data object security access label, the user security access table and session security level flags are preferably retained at the computer system until the computer system user logs off the computer system. In Figure 2, the present invention is shown in an idealized block diagram flowchart showing the general overall operational flow through a system incorporating the present invention where a user 26 has launched two applications 28, 30, respectively. As shown in the drawing, the user 26 and each application 28, 30, has a Security Label 26a, 28a, 30a respectively, associated with it. The Security Labels are a data structure which defines access requirements, and propagation restrictions for data and/or files retained on the system. Examples of such Security Labels include hierarchical classifications such as Confidential, Secret, Top Secret and/or a series of categories or "Tickets" such as various assigned "codewords". Whenever an application requests an input/output operation on a document, such as an application 28 requesting to read a document 32, the document labels (here shown as 32a) associated with the requested documents are added to the application's label 28a. The application 28 cannot open any document to which the user 26 does not have access as determined by the user label 26a associated with the user at logon and user identification. When an application label increases, the session label 34, displayed on the screen for the user, is also increased. Conversely, when an application such as 30 writes a document (here shown as 36), any additional categories are noted and written into the document's label 36a. If the security level of the application as then running is higher than the document's original security level, the higher security level is noted. The user can see what the new label is and either accept it or change it as described below.
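The flag-setting decision of steps 14 through 24, together with the Figure 2 rule that an application cannot open a document the user's own label does not cover, can be modelled in a few dozen lines. The following is an added example and is not code from the patent; the names LEVELS, DataObjectLabel, Session, parse_request and evaluate_request, the one-line "user operation object" request format and the sample user table are assumptions made for the illustration.

```python
# Added example, not part of the patent text: a minimal model of the
# flag-setting decision described above. LEVELS, DataObjectLabel, Session,
# parse_request and evaluate_request are names assumed for this illustration.
from dataclasses import dataclass, field

# Hierarchical classification order (assumed set); higher index = higher level.
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]


def higher(a: str, b: str) -> str:
    """Return the higher of two classification levels (step 22)."""
    return a if LEVELS.index(a) >= LEVELS.index(b) else b


@dataclass
class DataObjectLabel:
    """Data object security access label: required level plus permitted I/O operations."""
    level: str
    permitted_ops: frozenset


@dataclass
class Session:
    """User Access Table, labelled data objects, the session level flag and the violation log."""
    user_table: dict                        # unique user id -> security profile (access level)
    objects: dict                           # data object name -> DataObjectLabel
    session_level: str = "Unclassified"     # preselected default condition (step 14)
    violation_log: list = field(default_factory=list)


def parse_request(line: str) -> tuple:
    """Step 16: extract (user id, operation, data object) from one request line,
    written here as 'user operation object' (a constructed format)."""
    user_id, operation, obj_name = line.split()
    return user_id, operation, obj_name


def evaluate_request(session: Session, line: str) -> dict:
    """Steps 18-24: set the three flags for one request and return the decision."""
    user_id, operation, obj_name = parse_request(line)
    flags = {"user_access": "denied", "user_level": "denied", "object_access": "denied"}

    # Step 18: match the user id against the first entry of the User Access Table.
    profile = session.user_table.get(user_id)
    if profile is not None:
        flags["user_access"] = "allowed"
        flags["user_level"] = profile

    # Step 20: the requested operation must appear in the object's label; the user's
    # level must also cover the object's level, as the Figure 2 description requires.
    label = session.objects.get(obj_name)
    if (profile is not None and label is not None
            and operation in label.permitted_ops
            and LEVELS.index(profile) >= LEVELS.index(label.level)):
        flags["object_access"] = "allowed"

    if flags["user_access"] == "allowed" and flags["object_access"] == "allowed":
        # Step 22: raise the session level flag to the higher of the two levels.
        session.session_level = higher(session.session_level, label.level)
        flags["decision"] = "allowed"        # step 24: request returned for processing
    else:
        # Any denied flag: log the user id and cancel the request.
        session.violation_log.append((user_id, operation, obj_name))
        flags["decision"] = "denied"
    return flags


def build_demo_session() -> Session:
    """Constructed sample data for the example (not from the patent)."""
    return Session(
        user_table={"alice": "Secret", "bob": "Confidential"},
        objects={
            "plan.doc": DataObjectLabel("Secret", frozenset({"read", "write"})),
            "memo.txt": DataObjectLabel("Confidential", frozenset({"read"})),
        },
    )


if __name__ == "__main__":
    s = build_demo_session()
    for req in ["alice read plan.doc", "bob read plan.doc",
                "mallory read memo.txt", "alice print memo.txt"]:
        print(req, "->", evaluate_request(s, req)["decision"])
    print("session level:", s.session_level, "violations:", s.violation_log)
```

The session level only moves upward, which is why an Unclassified session that reads a Secret object stays Secret even after later reads of lower objects; every denied flag, whether an unknown user, an insufficient level or an operation absent from the object's label, produces one violation log entry and cancels the request.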
In Figures 3 and 4, the present invention is shown in an idealized diagram showing the various input/output operations occurring in a system embodying the present invention. A user 40 generates an operator request 42 to the operating system 44 to launch one or more system included applications 46 resulting in an executing "Instance" of those programs, for input/output operation on files 54 available on the system. The applications programs in turn make the necessary input/output requests 50 and 52 to read and write the user requested files. There exists a Clipboard 55 which implements a temporary holding buffer for data that is to be copied and pasted between files. These read and write operations 56 and 57 are performed by the application instance per user request. In addition there is a means for the user 40 to request that a user-selected portion of the screen 66 be read 59 into the Clipboard 55 for subsequent pasting of that image into any file 54. Each file, the Clipboard, each Application Instance and the Screen has a Security Label 58 associated with it as shown in Figure 3 containing various fields of information. The Security Label 58 associated with each of these objects 46, 54, 55 and 59 may contain several fields, such as a Classification Level, any required access "Tickets", and a Restrictions format such as "no copy", "no print", "no export", or "originator only downgrade". Likewise, a User Access Table 60 is established for verification of the user's identity and access profile and includes such fields 62 as: "user identification", "user password", "user level access", "user tickets map". At logon, the User Access Table 60 is accessed by the system to determine and establish the identity and classification access profile of the individual user 40 requesting to login to the system 65. While the above description emphasizes the method and system of the present invention in comparing user access levels with document access levels and disallowing access
when the user access does not match, there are other important novel and non-obvious aspects of the present invention described below. One such additional important design consideration, based on the needs of the users for which the system is intended, is the capability to merge documents of different classifications while aiding the user in determining the proper classification for the resulting document. For example, a user may wish to make a presentation describing a plan that he is working on, and may copy text and pictures from other documents having security labels of different security levels to create a composite presentation document in the course of making the presentation. The system and method of the present invention "observes" or intercepts all data which enters the application being used to prepare the presentation document, and determines a classification for all documents written by the application based upon a preselected weighing of all of the individual classifications found in each separate document or piece of data being assembled into the final presentation. Upon user request the invention then offers its suggested classification for the composite presentation document to the user. If the user does nothing to reclassify the document, the present invention automatically assigns the document its suggested classification. The invention also distinguishes for the user the original classification of each document and the labels which it believes may have been included in creating the composite presentation document (via various cut and paste, and other I/O operations such as reading a file) . The user is given the capability to accept the suggested classification label or to downgrade or upgrade the document as he sees fit. This is in contrast to compartmented-mode workstations which require the user to log in at a particular security level and not create any documents classified at any lower level nor access
documents classified at a higher level, making such workstations unsuitable for the task outlined above. By treating applications as a "black box" and observing all data going in and out of the applications, the present invention allows the use of commercial-off-the-shelf applications and does not require any special security features in the applications software being run on a system embodying the present invention, i.e., "trusted" or "certified" software. The actions of the invention are at times more complex than that outlined above. For example, not only is the classification level of each application maintained and assigned to documents written by that particular application, but the classification level of the entire session is maintained as well. Therefore, if the user takes a screen snapshot and pastes it in a document, the entire session label is applied to that document, since portions of the screen owned by any other concurrently running applications displaying data may have been included in the screen snapshot. The further operation of a method and system embodying the present invention is now described using the following terms: Application Instance - an application currently executing on the system; Security Label - a data structure which defines access requirements, and propagation restrictions for data and/or files retained on the system. Examples of such Security Labels include hierarchical classifications such as Confidential, Secret, Top Secret and/or a series of categories or "Tickets" such as various assigned "codewords". Tickets - additional Security Labels restricting a file or data to a select group granted a "ticket" for access. Clipboard - the operating system's inter-application cut/copy/paste buffer utility;
Maximize - the combining of two security labels in accord with a pre-determined algorithm such as a selected set of weighted selection values. The method and system of the present invention runs concurrently with the operating system to intercept any Input/Output service calls to the operating system as follows:
1. Whenever the operating system "launches" an application (an Application Instance), this interception entails the following steps:
A. The Security Label of the Application Instance is set to the preselected Startup Application Security Label;
B. If the Security Label indicates that the Clipboard buffer contains data which cannot be downgraded in classification, it prompts the user to either allow the read (and thus Maximize the Security Label of the Application Instance with that of the Clipboard) or to delete the contents of the Clipboard buffer, leaving the Security Label of the Application Instance as it originally was.
C. If the Application Instance performs an automatic read of the Clipboard buffer, and the Security Label indicates that the data does not contain data which cannot be downgraded, then Maximize the Security Label of the Application Instance with that of the Clipboard buffer.
D. Recalculate the Security Label of the screen as a Maximization of the Security Labels of all Application Instances.
2. Whenever an Application Instance performs an open of a file, this interception entails the following steps:
A. Maximize the Security Label of the Application Instance with the Security Label of the file being opened.
B. Recalculate the Security Label of the screen as a Maximization of the Security Labels of all Application Instances.
3. Whenever an Application Instance performs a write to a file, this interception entails the following steps:
A. Set the Security Label of the file to the Security Label of the Application Instance.
B. Do not allow any write if there is a "no copy" restriction on the data or file.
4. Whenever an Application Instance terminates, this interception entails the following steps:
A. Recalculate the Security Label of the screen as a Maximization of the Security Labels of all the remaining Application Instances.
5. Whenever an attempt is made to "boot" or start-up the operating system of the computer in the system, this interception entails the following steps:
A. Prompt the user for username/password.
B. If username/password does not exist in the User Access Table, then shutdown and deny any further access to the system.
C. Otherwise, if the username/password is found in the User Access Table, then set the Security Label of the screen to the preselected Startup Screen Security Label.
6. Whenever an Application Instance performs a read from the Clipboard, this interception entails the following steps:
A. Maximize the Security Label of the Application Instance with the Security Label of the Clipboard.
B. Recalculate the Security Label of the screen as a Maximization of the Security Labels of all Application Instances.
7. Whenever an Application Instance performs a write to the Clipboard, this interception entails the following steps:
A. Set the Security Label of the Clipboard to the Security Label of the Application Instance.
8. Whenever an Application Instance performs a print of a file, this interception entails the following steps:
A. Do not allow the print if there is a "no print" restriction on the data or file.
B. Stamp the Security Label on all pages.
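The document-merger behaviour described earlier (a presentation assembled from documents of different classifications, and the session label that a screen snapshot carries into a document) and the eight interception rules just listed follow from one operation, Maximize, applied to the labels of files, Application Instances, the Clipboard and the screen. The following is an added example, not code from the patent; SecurityLabel, maximize and LabelMonitor are names assumed for the illustration, the union-of-tickets-and-restrictions rule is one choice of the "pre-determined algorithm" the patent leaves open, the boot-time logon of rule 5 and the interactive prompt of rule 1B are left out, and the scenario data is constructed.

```python
# Added example, not part of the patent text: the label-propagation rules above
# modelled as a small monitor. SecurityLabel, maximize and LabelMonitor are names
# assumed for this illustration; the interactive prompt of step 1B is omitted.
from dataclasses import dataclass

# Hierarchical classification order (assumed set); higher index = higher level.
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]


@dataclass(frozen=True)
class SecurityLabel:
    """Classification Level, required access Tickets and Restrictions (Figure 3)."""
    level: str = "Unclassified"
    tickets: frozenset = frozenset()
    restrictions: frozenset = frozenset()


def maximize(a: SecurityLabel, b: SecurityLabel) -> SecurityLabel:
    """Maximize: highest level, union of tickets and of restrictions.
    The union rule is the assumed weighting; the patent leaves the algorithm selectable."""
    level = a.level if LEVELS.index(a.level) >= LEVELS.index(b.level) else b.level
    return SecurityLabel(level, a.tickets | b.tickets, a.restrictions | b.restrictions)


class LabelMonitor:
    """Intercepts launch/open/write/clipboard/print events and keeps every label current."""

    def __init__(self, startup_app_label: SecurityLabel, startup_screen_label: SecurityLabel):
        self.startup_app = startup_app_label
        self.startup_screen = startup_screen_label
        self.screen = startup_screen_label      # rule 5C: screen starts at the startup label
        self.apps = {}                          # Application Instance id -> label
        self.files = {}                         # file path -> label
        self.clipboard = SecurityLabel()

    def _recalc_screen(self):
        """Screen label = Maximization over all running instances (rules 1D, 2B, 4A, 6B)."""
        label = self.startup_screen
        for app_label in self.apps.values():
            label = maximize(label, app_label)
        self.screen = label

    def launch(self, app: str):                          # rule 1A, 1D
        self.apps[app] = self.startup_app
        self._recalc_screen()

    def open_file(self, app: str, path: str):            # rule 2
        self.apps[app] = maximize(self.apps[app], self.files.get(path, SecurityLabel()))
        self._recalc_screen()

    def write_file(self, app: str, path: str) -> bool:   # rule 3
        label = self.apps[app]
        if "no copy" in label.restrictions:
            return False                                 # 3B: write refused
        self.files[path] = label                         # 3A: file takes the instance label
        return True

    def terminate(self, app: str):                       # rule 4
        del self.apps[app]
        self._recalc_screen()

    def read_clipboard(self, app: str):                  # rule 6
        self.apps[app] = maximize(self.apps[app], self.clipboard)
        self._recalc_screen()

    def write_clipboard(self, app: str):                 # rule 7
        self.clipboard = self.apps[app]

    def screen_snapshot(self):
        """Fourth Utility: a screen picture enters the Clipboard with the whole screen label."""
        self.clipboard = self.screen

    def print_file(self, path: str):                     # rule 8
        label = self.files[path]
        if "no print" in label.restrictions:
            return None                                  # 8A: print refused
        stamp = label.level + (" " + "/".join(sorted(label.tickets)) if label.tickets else "")
        return f"[{stamp}]"                              # 8B: stamp for every page


def demo() -> LabelMonitor:
    """Constructed scenario: a Secret/ALPHA document reaches a second app via a screen snapshot."""
    m = LabelMonitor(SecurityLabel(), SecurityLabel())
    m.files["secret.doc"] = SecurityLabel("Secret", frozenset({"ALPHA"}))
    m.files["nocopy.doc"] = SecurityLabel("Confidential", restrictions=frozenset({"no copy"}))
    m.launch("editor")
    m.open_file("editor", "secret.doc")      # editor and screen become Secret/ALPHA
    m.launch("viewer")                       # viewer starts Unclassified
    m.screen_snapshot()                      # clipboard now carries the screen label
    m.read_clipboard("viewer")               # viewer is raised to Secret/ALPHA
    m.write_file("viewer", "slides.ppt")     # slides.ppt is labelled Secret/ALPHA
    return m


if __name__ == "__main__":
    m = demo()
    print("viewer:", m.apps["viewer"], "slides.ppt:", m.files["slides.ppt"])
    print("print stamp:", m.print_file("slides.ppt"))
```

The point the scenario makes is the one the text makes about screen snapshots: the viewer never opened secret.doc, yet anything it writes after pasting the snapshot is labelled Secret/ALPHA because the Clipboard took the screen label rather than the viewer's own. Restrictions travel the same way, so an instance that has opened a "no copy" file can no longer write any file until it terminates.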
The following Utilities embody features found in the present invention:
A first Utility provides a means to display and allow the user to modify, with restrictions, the Security Label of a file as follows:
A. Upon user request, the utility displays the Security Label of the selected file;
B. The utility also provides a means to differentiate for the user the Security Level and Tickets applied by the security software from the Security Level and Tickets applied by the user to the file.
C. The utility prohibits certain Security Label changes based on user-tailorable Restrictions.
A second Utility, upon user request, provides a means to display the Security Label of a selected Application Instance.
A third Utility provides a means to display the Security Label of the screen by making it always visible during a user session, thus constantly reminding the user of the various classification levels of documents appearing on the screen.
A fourth Utility provides a means for the user to select a portion of the screen and take a "picture" of it, putting the results into the Clipboard buffer for later manipulation by the user.
A fifth Utility provides a means for the operator to define the User Access Table, the Security Levels and "Tickets", the Startup Screen Security Label, and the Startup Application Security Label.
The invention described above is, of course, susceptible to many variations, modifications and changes, all of which are within the skill of the art. It should be understood that all such variations, modifications and changes are within the spirit and scope of the invention and of the appended claims. Similarly, it will be understood that Applicant intends to cover and claim all changes, modifications and variations of the example of the
preferred embodiment of the invention herein disclosed for the purpose of illustration which do not constitute departures from the spirit and scope of the present invention.