WO2006061481A1 - Access control device and method, component kernel comprising it and its use - Google Patents
- Publication number
- WO2006061481A1 (PCT/FR2005/002927)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- access
- subject
- objects
- capacity
- components
- Prior art date
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
Definitions
- the invention relates to an access control device and method, a component core comprising said access control device and its use in the operating systems of communication and/or broadcast network stations.
- this component core can be used in the operating systems of user stations, called terminals, of mobile telecommunications networks.
- Telecommunication networks and terminals are showing ever greater dynamism: code downloads, customizable features, and so on. To cope, the systems will have to be more and more open, adaptable and reconfigurable, putting security at risk. However, the reconfigurability of the terminal has recently extended to the operating system, which serves as a basis for the protection of the entire system. Protecting network and terminal resources is therefore a critical issue for service and infrastructure providers to build and maintain the trust of their customers.
- either the memory management unit ensures the confinement of applications by defining address spaces, or safe languages such as Java provide complete mediation and offer relatively flexible solutions that allow easy fine-grained access control but relatively low security.
- the closer the protection mechanism is to the kernel, the greater the security of the system (the mechanism is less likely to be bypassed), but the more complex a reconfiguration will be to implement.
- the proposed security model uses a reference monitor and a policy manager, thus separating access control into an enforcement mechanism and a decision-making mechanism.
- the distribution of component reference monitors provides fine-grain access control.
- This architecture should make it possible to build trust (minimal kernels) while allowing a simple adaptation of the system to the changes occurring during its life cycle, without endangering its security, the component being at once a unit of security and a unit of reconfiguration.
- this architecture has the disadvantage of generating performance losses because the resource access control systematically passes through the reference monitor, without possibility of optimization, for example using a hardware-only control.
- with this approach it is not possible to ensure that the reference monitor cannot be bypassed or tampered with, nor the integrity of the security policy manager, because it remains possible to forge memory references directly and thus to access all the data and code of the kernel.
- the present invention makes it possible to obtain a compromise between strong security and reconfigurability without requiring the implementation of the expensive concept of address space. This compromise is achieved by combining access control decision means with an access protection mechanism to protect access to a set of secured or unsecured objects.
- An object of the invention is a device for controlling access to objects, secured or not, by subjects for operations, comprising an access protection mechanism that at least allows or denies a subject requesting access to an object according to the validity of the corresponding access capacity to said object, and access control decision means for validating the access capacities of unsecured objects and modifying the access capacity to a secure object according to the access rights of the subject to the object.
- the access protection mechanism makes it possible to prevent the access control decision means from being bypassed, by calling on said access control decision means whenever the access capacity to an object is invalid. This clear separation between the enforcement of the decision by the access protection mechanism and the decision-making by the access control decision means makes it possible to support various security policies.
- this access control device may comprise means for intercepting requests for access to certain predetermined objects.
- the access protection mechanism may be either a commercially available memory management unit (MMU) or a two-bit table in which one bit represents the read capability and the other the write capability on the objects, which allows a compact representation of the security policy.
- MMU memory management unit
- Using the two-bit table rather than a memory management unit reduces manufacturing, usage, and implementation costs while improving performance (at least about 3% on modern processors). These benefits are all the more critical in mobile embedded environments.
- the access control decision means make it possible to add, modify or delete access rights.
- Another object of the invention is a method for controlling access to objects by subjects for operations, comprising the following steps:
  - receiving the subject's access request,
- the protection step may include, when the subject requests access for an operation to an object whose operations do not all have the same access rights:
  - access authorization or access denial based on the validity of the access capacity, and
  - when the access request is authorized: execution of the operation requested by the subject on the object, then revocation of the validity of the subject's capacity to access the object for the requested operation.
- the invention also relates to a component core, each component comprising a code and data, said core comprising:
- the device for controlling access to objects described above, the objects being constituted by said components,
- control components, one of said control components comprising the access control decision means of said access control device, said control components being constituted by objects whose access capabilities are always invalid,
- the component core can be organized into several segments, each consisting of a continuous sequence of memory zones:
- a supervisor segment comprising the code and data of the control components
- a segment comprising all the interception means, the access capacity of the objects of this segment being read only
- the invention also relates to a method of manufacturing this component core comprising the following steps:
- a step of decomposing a multi-component system comprising at least code, data and one or more interfaces comprising operations
- a step of defining the security policy,
- a step of creating at least one component comprising access control decision means, said component comprising interfaces with the interception means and with a memory access protection mechanism, said interface with the interception means comprising the operations of verifying the access rights of a subject to a component and of revoking the access capacity allocated during the verification operation,
- a step of associating an interception means with each heterogeneous secure component,
- a step of defining the organization of the memory by segment,
- the invention proposes the use of this component core in the operating systems of communication and/or multimedia data broadcasting network stations.
- FIG. 1 is a block diagram illustrating a set of objects whose access is controlled by the access control device according to the invention;
- FIG. 2 is an illustration of an example of segmentation of the memory containing the objects, used by the access protection mechanism of the access control device according to the invention;
- FIG. 3 is a variant of segmentation of the part of the memory containing the homogeneous secure objects according to the invention;
- FIG. 4 is a block diagram illustrating an exemplary architecture of the protection mechanism of a secure object according to the invention;
- FIG. 5 is a block diagram illustrating a detailed view of the interception means according to the invention;
- FIG. 6 is a block diagram illustrating an example of an access control method according to the invention.
- the application chosen to illustrate the use of the access control device and method is the component kernel.
- components C_1 ... C_q are entities that encapsulate both code 30_1 ... 30_q and data 40_1 ... 40_q.
- components C_1 ... C_q can be identity-based and appear in software systems as threads, configuration and administration, deployment, or mobility units. They allow system designers to master the complexity of software infrastructures in terms of implementation and configuration.
- the components C_1 ... C_q interact with their environment via a set of operations, also called methods, grouped into access points called interfaces.
- FIG. 1 illustrates the device for controlling access to objects, whether secure or not, by subjects S for operations m_i, 1 ≤ i ≤ q, according to the invention.
- Objects C_1 ... C_q, 10, 11_PA, 20_(m+1) ... 20_q are passive entities that contain and receive information.
- the objects C_1 ... C_q, 10, 11_PA, 20_(m+1) ... 20_q are components.
- the subjects S are active entities that trigger an information flow between objects C_1 ... C_q, 10, 11_PA, 20_(m+1) ... 20_q and change the state of the system.
- the access control device comprises an access protection mechanism PA making it possible at least to allow or deny a subject S requesting access to an object C_1 ...
- Management of the access protection can be performed by an object 11_PA within the access protection mechanism PA.
- This access protection management object 11_PA groups the access capacities corresponding to each object C_1 ... C_q, 10, 11_PA, 20_(m+1) ... 20_q and/or to each operation m_i feasible on each object.
- the access control device furthermore comprises access control decision means 10 making it possible to validate and modify the validity of the access capacities of the secure objects C_(n+1) ... C_q according to the access rights.
- Said decision means 10 are called on by the access protection mechanism PA when the access capacities are invalid.
- This access control device clearly separates:
  - the interception of an invalid access request to an object C_i, 1 ≤ i ≤ q, thanks to the access protection mechanism PA
- the security policy associates a pair (subject S, object C_j) with access rights describing the operations m_i that subject S can perform on the object C_j.
- the access control device may further include interception means 20_(m+1) ... 20_q for intercepting access requests to certain predetermined objects C_(m+1) ... C_q.
- Each of the interception means 20_j, m+1 ≤ j ≤ q, is associated with a predetermined object C_j. In the case of these predetermined objects
- the control device offers two types of access control: one coarse-grained, with the pair formed by the access protection mechanism PA and the decision means 10; the other fine-grained, with the pairs formed by the interception means 20_(m+1) ... 20_q and the decision means 10.
- the decision means 10 are common to both, allowing the implementation of a unified security policy applicable to the entire system.
- Objects C_1 ... C_q, 10, 11_PA, 20_(m+1) ... 20_q can be classified into four categories according to the access control that will be applied to them (coarse grain, fine grain, hardware control, etc.) and according to their level of security.
- the control objects 10, 11_PA: this category of objects manages the access control policy and the access protection. These objects 10, 11_PA cannot be accessed by the executing subjects S. No access capacity to the control objects 10, 11_PA must therefore be created. Thus, on an access to the control objects, the access protection mechanism PA calls on the decision means 10, which systematically deny access. In the kernel example, these objects or components 10, 11_PA execute in supervisor mode.
- unsecured objects {C_1 ... C_n}: all accesses are allowed for these objects C_i.
- the access protection mechanism PA calls on the decision means 10, which systematically grant the access capacity to this category of objects {C_1 ... C_n}, as illustrated by the dashed double-dot arrow in FIG. 1.
- the decision means 10 have no decision to take for these unsecured objects C_1 ... C_n, because the access capacities to the latter are always granted, and thus automatically validated: the access protection mechanism PA will allow access to these objects C_1 ... C_n.
- for the homogeneous secure objects C_(n+1) ... C_m, the access decision is taken once, during the first invocation or the first access to the data 40_(n+1) ... 40_m of the object.
- the access protection mechanism PA calls on the decision means 10, which allocate the access capacity to a homogeneous secure object C_(n+1) ... C_m if the access rights allow it (double dotted arrow in FIG. 1). Subsequently, as long as the capacity is valid, the access protection mechanism PA will allow access to the object. The access capacity remains valid until its possible revocation by the decision means 10.
- for the heterogeneous secure objects C_(m+1) ... C_q, the access decision is taken at each invocation I_j.
- Access control in this category is of finer grain (operation level m_i) than that of the homogeneous secure objects (object level).
- the heterogeneous secure objects may be the predetermined objects whose access requests are intercepted by the interception means 20_(m+1) ... 20_q.
- the access protection mechanism PA is also used for such an object (see FIG. 6, steps [S5-S8]). If the subject S addresses the heterogeneous secure object C_(m+1) ... C_q directly,
- the access protection mechanism PA calls on the decision means 10, which systematically keep the access capacity invalid, as illustrated by the solid double arrow in FIG. 1. Access is not allowed. Thus, the interception means 20_(m+1) ... 20_q cannot be bypassed. If the subject S addresses the interception means 20_(m+1) ... 20_q to invoke an operation m_i of a heterogeneous secure object C_(m+1) ... C_q, the interception means 20_j call on the decision means 10, which allocate or not a capacity to access the object. If the access capacity has been validated, the interception means 20_(m+1) ... 20_q invoke the operation m_i, then call on the decision means 10, which invalidate the access capacity, thus limiting the access of subject S to this operation m_i for subsequent invocations.
- the advantage of having two categories of secure objects is the gain in performance, because the passage through the interception means 20_j can be reduced to the minimum insofar as, in the case of the homogeneous secure objects C_(n+1) ... C_m, the use of interception means 20_j is not necessary. Nevertheless, an access check is still provided, by at least the access protection mechanism PA.
- the access protection mechanism PA may be a hardware mechanism.
- this access protection mechanism PA may be a memory access protection mechanism PA.
- a memory zone is the smallest contiguous entity of physical memory to which it is possible to associate individually read or write access rights qualified as access capabilities.
- the access protection mechanism PA must be able to allocate and manipulate the access capabilities per memory zone and to detect, via an exception called "zone fault", any access to a memory zone whose access capability is invalid.
- Access capabilities are used to detect direct illegal access at the object level. This control is performed using the PA access protection mechanism.
- the memory management unit (MMU) mechanism provided by modern processors satisfies these requirements, provided that the memory zone is identified with the page of the MMU and that no distinction is made between virtual addresses and physical addresses. Thus, for all subjects, the memory address of a component is the same. Nevertheless, the MMU mechanism is expensive to use and to implement, primarily in terms of the memory footprint needed to represent the page tables.
- the access control device according to the invention actually requires only a small part of the functionalities offered by this mechanism, in particular access control.
- an access protection mechanism PA could make do with two bits (read and write) instead of the 32 or 64 bits of memory management units to represent the access capabilities.
- the access protection mechanism PA would use a table containing, for each operation on the objects, two bits, one representing the read capability and the other the write capability.
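As an added example (this is not code from the patent or from the Think kernel), the following Python models the two-bit capability table as the access protection mechanism PA and the decision means 10 it calls on a zone fault, applying the four object categories (control, unsecured, homogeneous secure, heterogeneous secure) described above. The zone numbering, object names, subject name and rights table are constructed for the illustration.

```python
"""Added example (not the patent's or Think's code): a two-bit capability table
acting as access protection mechanism PA, with a decision means 10 that is
called on a zone fault and applies the four object categories."""
from enum import Enum

READ, WRITE = 0b01, 0b10          # the two capability bits per (subject, zone)


class Category(Enum):
    CONTROL = "control"              # objects 10, 11_PA: capability never created
    UNSECURED = "unsecured"          # C_1 ... C_n: capability always granted
    HOMOGENEOUS = "homogeneous"      # C_(n+1) ... C_m: decided once, then stays valid
    HETEROGENEOUS = "heterogeneous"  # C_(m+1) ... C_q: direct access always invalid


class ProtectionMechanism:
    """PA: keeps one two-bit capability per (subject, memory zone)."""

    def __init__(self, zone_to_object):
        self.zone_to_object = zone_to_object   # step [S4]: zone -> object
        self.caps = {}                         # (subject, zone) -> bits

    def capability(self, subject, zone):
        return self.caps.get((subject, zone), 0)

    def grant(self, subject, zone, bits):
        self.caps[(subject, zone)] = self.capability(subject, zone) | bits

    def revoke(self, subject, zone):
        self.caps.pop((subject, zone), None)

    def access(self, subject, zone, bits, decision):
        """[S1]/[S2]: a valid capability lets the access through at once;
        otherwise a zone fault hands control to the decision means ([S3])."""
        if self.capability(subject, zone) & bits == bits:
            return True
        return decision.on_zone_fault(self, subject, zone, bits)


class DecisionMeans:
    """Decision means 10: object categories plus a (subject, object) rights table."""

    def __init__(self, categories, rights):
        self.categories = categories
        self.rights = rights            # (subject, object) -> allowed bits
        self.faults = 0                 # how often PA had to call on us

    def on_zone_fault(self, pa, subject, zone, bits):
        self.faults += 1
        obj = pa.zone_to_object[zone]                 # [S5]: identify the object
        category = self.categories[obj]
        if category is Category.UNSECURED:
            pa.grant(subject, zone, READ | WRITE)     # always granted
            return True
        if category is Category.HOMOGENEOUS:
            allowed = self.rights.get((subject, obj), 0)   # [S6]: check rights
            if allowed & bits == bits:
                pa.grant(subject, zone, allowed)      # [S7]: valid until revoked
                return True
        # CONTROL and HETEROGENEOUS objects: capability stays invalid ([S8])
        return False


def build_system():
    """Constructed layout: one memory zone per object, constructed rights."""
    zone_to_object = {0: "policy", 1: "logger", 2: "keystore", 3: "wallet"}
    categories = {"policy": Category.CONTROL, "logger": Category.UNSECURED,
                  "keystore": Category.HOMOGENEOUS, "wallet": Category.HETEROGENEOUS}
    rights = {("app", "keystore"): READ}     # app may read, but not write, the keystore
    return ProtectionMechanism(zone_to_object), DecisionMeans(categories, rights)


def run_trace():
    """Exercise each category; returns the outcomes and the number of zone faults."""
    pa, decision = build_system()
    return {
        "logger_write": pa.access("app", 1, WRITE, decision),    # unsecured: granted
        "keystore_read_1": pa.access("app", 2, READ, decision),  # decided on first access
        "keystore_read_2": pa.access("app", 2, READ, decision),  # served by PA alone
        "keystore_write": pa.access("app", 2, WRITE, decision),  # no write right
        "policy_read": pa.access("app", 0, READ, decision),      # control object
        "wallet_read": pa.access("app", 3, READ, decision),      # direct heterogeneous access
        "faults": decision.faults,
    }
```

The trace shows the performance point made for the two categories of secure objects: the homogeneous secure object costs one zone fault and is then served by PA alone until the decision means revoke the capability, while a control object or a direct access to a heterogeneous secure object never obtains a capability at all.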
- a segment is a continuous sequence of memory areas.
- the following types of segments can be defined:
- a supervisor segment 1 comprising the code and the data of the control components 10 and 11_PA. This segment is only accessible in supervisor mode, to ensure complete mediation by the access control device as well as the integrity of the rights and access capabilities.
- a segment 2 comprising all the interception means 20_(m+1) ... 20_q, whose purpose is to make it possible to verify that a call to the decision means 10 comes from the interception means 20_(m+1) ... 20_q, by ensuring that the address of the calling invocation instruction lies in this segment 2.
- This segment is declared read-only in order, on the one hand, to avoid the insertion of malicious code into the call sequence and, on the other hand, to preserve the integrity of the encapsulated referenced component C_(m+1) ... C_q.
- Declaring a segment as read-only is equivalent to giving it read-only capabilities. If a segment is made up of more than one memory zone, it is necessary to assign a capacity per zone.
- a segment 3 comprising the codes 30_1 ... 30_q of the remaining components C_1 ... C_q, to prevent a violation of the integrity of the code.
- This segment 3 is declared read-only.
- a segment 4_1 comprising the data 40_1 ... 40_n of the unsecured components C_1 ... C_n.
- This segment 4_1 is declared read and write.
- FIG. 3 shows an alternative segmentation of the set of homogeneous secure components C_(n+1) ... C_m.
- the access control device may, in particular, be implemented in a flexible component operating system such as the "Think" kernel based on the Fractal component model described in the article "Recursive and Dynamic Software Composition with Sharing" by E.
- Think specifies an interface description language (IDL) for defining the interfaces implemented by a component C_j.
- the IDL compiler can be used to generate the interception means 20_j that intercept invocations.
- ADL architecture description language
- i.e. the interception means 20_j in the case of heterogeneous secure objects or components C_(m+1) ... C_q.
- "Think" provides the hardware-handling components 11_PA, such as a memory management unit, for realizing the hardware access protection mechanism PA.
- the allocation of access capabilities results in manipulation of the permissions in the page tables managed by the memory management unit 11_PA.
- FIG. 4 shows a logical view of the architecture of a pair (decision means 10, interception means 20_j) of the control device according to the invention. This pair is used to control access to heterogeneous secure objects. Each heterogeneous secure object C_j, m+1 ≤ j ≤ q, is associated with one of the interception means 20_j.
- the interception means 20_j supervise the content of the objects C_j to be protected by filtering the incoming calls I. Indeed, the role of the interception means 20_j is to intercept the invocations I of the operations of this object C_j by performing a call sequence to the decision means 10.
- the call sequence received by the decision means 10 at their interface V may be as follows:
- the access capacity must be revoked by a call to the operation Revoke_M of the decision means 10, to prevent its reuse in new invocations or in direct accesses to the data 40_j.
- This can be achieved by an atomic execution of the call sequence, which can be ensured by prohibiting dynamic modification of the code of the interception means 20_j.
- the decision means 10 export via their interface V (seen in FIG. 4) two operations which, in the case of the kernel, take place via a call to the supervisor, because the component comprising the decision means 10 is a control component. These operations are Check_M and Revoke_M. So that the application code cannot usurp rights, only the interception means 20_j can call these two operations.
- the decision means 10 verify that a call to the operations of their interface V does emanate from the interception means 20_j, during step [S10] of the method illustrated in FIG. 6, for example by verifying that the call comes from segment 2 of FIG. 2.
- the interception means 20_j are connected to the decision means 10 through two interfaces V and A that are independent of the authorization model.
- the access control is based on security contexts assigned to both the objects C_j and the subjects S.
- the decision means 10 maintain a table of the security contexts of the subjects S, and another table of the security contexts of the objects C_j.
- the permissions are calculated by the calculation means 103 according to the authorization policy and maintained in an access matrix managed by the administration means 102.
- the component constituting the decision means 10 can thus comprise three primitive components:
- the administration component 102, which manages the access matrix and the security context tables of the subjects S and objects C_j.
- the access matrix is an optimized permission table indexed by a pair of security identifiers (subject S, object C_i). Permissions are implemented as bit vectors. Each bit represents the permission associated with an operation m_i.
- the administration component 102 provides an interface A for administering the system security policy.
- the decision component 101, which decides whether the current subject S has the right of access to the required object C_j or not. Given the security identifiers of the subject S and the object C_j, the decision component 101 requests the associated access rights from the administration component 102.
- the decision component 101 compares the permissions according to the target operation m_i. It provides an interface V to check permissions and assign access capabilities (Check_M), then revoke them (Revoke_M).
- the permissions calculation component 103 that defines the authorization policy. It contains a function that calculates the permissions and fills the access matrix. The reconfiguration of the authorization policy then amounts to replacing this calculation component 103, the administration 102 and decision 101 components being independent of the model and the authorization policy.
- This computing component 103 provides the CC interface which calculates the permissions according to the model and the access control policy.
- the decision means 10 are also called on by the access protection mechanism PA upon detection of an access to a memory zone whose capacity is invalid, a situation that can occur if the access is illegal or if the object is a homogeneous secure object C_i, n+1 ≤ i ≤ m. The decision means 10 must then determine the access rights of the subject S. If it has the rights, the decision means 10 grant the access capacity to the subject S, which continues its execution. Otherwise, the access capacity remains invalid, access is denied, and the execution of the subject S is stopped.
- the decision means 10 can also control access to the registers of hardware components such as a network device, a graphics card, etc.
- Its interface A includes administration operations for adding, modifying or deleting access rights.
- FIG. 5 is a block diagram illustrating a detailed view of the interception means 20_j according to the invention.
- the interception means 20_j execute respectively the operations m_i1, m_i2 and m_i3, which call on the decision means 10, which allocate or not the access allowing, where appropriate, the execution of these operations on the data of the object C_j.
- the access control device thus obtained proposes a flexible access control making it possible to protect a kernel against certain attacks:
- the access control device is independent of the access control policy and model. It allows the dynamic reconfiguration of the authorization policy, in particular by changing the calculation component 103.
- FIG. 6 shows a block diagram illustrating the access control method according to the invention: it summarizes a sequence of steps executed during the processing of an access request to an object C_j. This method can be implemented by the control device described above.
- a subject S initially has no access capacity to the objects: in the case of a component kernel operating system, the subject S has no access capacity to the components C_i of the system, more precisely to no memory zone. This subject S will have to acquire access capacities on the objects it requires for its execution. Thus, when this subject S wants to access an object to which it does not yet have the access capacity, it will ask the decision means 10 to give it this capacity, either via the interception means 20_j in the case of a heterogeneous secure object C_i, m+1 ≤ i ≤ q, or via the detection of an access to a homogeneous secure component C_i, n+1 ≤ i ≤ m, by the access protection mechanism PA (generation of the "zone fault" exception).
- the first sequence corresponds to a direct access to an object C_j (whether it is an invocation I_j of one of its operations m_i, which amounts to an access to the data 40_j of the object, or a direct access to its data 40_j).
- in a first step [S1], it is examined whether the subject S already has the corresponding access capacity (that is, whether the access capacity of the subject S to the object C_j is valid). If this is the case, the subject S continues to execute normally, access being authorized in step [S2].
- steps [S1] and [S2] are implemented by the access protection mechanism PA, which allows access when the capacity is valid. Otherwise, a "zone fault" exception is generated in a step [S3], followed by a check (SZ check).
- in step [S3], it is the protection mechanism that generates the exception and transfers the execution flow to the exception handler, i.e. the decision means 10.
- the processor goes into supervisor mode.
- the object is identified [S5], e.g. by the decision means 10 from the faulting address of the zone associated with the object.
- FIG. 6 proposes, by way of example, a step [S4] of zone-to-object conversion (ZC) which then allows the identification [S5].
- the access control method then continues as follows:
- the decision means 10 verify the category of the object [S5], check the access rights if necessary [S6], allocate where appropriate the access capacity of the subject S to the requested object C_j [S7], and the access protection mechanism PA authorizes access [S2] or not [S8] depending on the validity of the access capacity.
- the second sequence corresponds to a subject S invoking an operation m_i on a predetermined object C_j, i.e. an object C_j with which individual protection means have been associated (for example, the heterogeneous secure objects C_j benefiting from the interception means 20_j).
- the request of S necessarily passes through the interception means 20_j, which make an "IRM" call (in the supervisor mode of the processor, in the case of the application to the operating system, in the form of an "SHT verification") executing [S11] the access-rights checking operation Check_M.
- the identification step [S10] is performed first: if the call to the operation Check_M does not come from the interception means 20_j, access is denied [S8].
- the Check_M operation determines the access rights of the subject S to the operation m_i of the object C_j. If subject S does not have the required rights, access is denied [S8]. Otherwise, the access capacity is assigned [S12].
- the decision means 10, having checked that the call came from the interception means 20_j [S10] and checked the access rights [S11], call the access protection mechanism PA (as shown by the dashed box illustrating the action of the access protection mechanism PA) to assign the capacity [S12].
- the call in supervisor mode ends after the allocation of the capacity (as shown by the shaded areas of FIG. 6 illustrating the supervisor mode).
- the interception means 20_j call the required operation m_i of the encapsulated object C_j [S13], then regain control and call the operation Revoke_M [S14].
- the operation Revoke_M is an operation of the decision means 10 which, in the operating-system application, is called in supervisor mode ("Cancellation S"). After invalidation of the access capacity, the processor leaves the interception means 20_j and returns to user mode.
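As an added example (not code from the patent or from the Think kernel), the following Python runs the second sequence end to end: an interception means 20_j whose code sits in segment 2 calls Check_M, invokes the operation, then calls Revoke_M, and the decision means 10 reject a Check_M call whose origin lies outside segment 2 (step [S10]). The decision means are assembled from the administration (102), decision (101) and permission-calculation (103) parts of FIG. 4, with permissions as bit vectors indexed by security contexts. The operations, security contexts, policy function and the segment 2 address range are constructed assumptions.

```python
"""Added example (not the patent's or Think's code): the Check_M / invoke /
Revoke_M sequence of an interception means 20_j, with a decision means 10
built from components 101 (decision), 102 (administration), 103 (calculation).
Operations, contexts, addresses and the policy below are constructed."""

OPERATIONS = {"read_balance": 0b001, "deposit": 0b010, "withdraw": 0b100}
SEGMENT_2 = range(0x2000, 0x3000)   # assumed address range of the interception segment

class AccessDenied(Exception):
    """Access refused: step [S8] of the method."""

class Calculation:
    """Component 103: permission bit vector for a (subject context, object context) pair."""
    def __init__(self, policy):
        self.policy = policy          # callable(subject_ctx, object_ctx) -> bits

    def permissions(self, subject_ctx, object_ctx):
        return self.policy(subject_ctx, object_ctx)

class Administration:
    """Component 102: security-context tables plus the access matrix."""
    def __init__(self, calc, subject_ctx, object_ctx):
        self.calc, self.subject_ctx, self.object_ctx = calc, subject_ctx, object_ctx
        self.matrix = {}              # (subject ctx, object ctx) -> bit vector

    def rights(self, subject, obj):
        key = (self.subject_ctx[subject], self.object_ctx[obj])
        if key not in self.matrix:    # matrix filled by component 103 on demand
            self.matrix[key] = self.calc.permissions(*key)
        return self.matrix[key]

    def replace_calculation(self, calc):
        """Reconfigure the authorization policy: swap 103 and recompute the matrix."""
        self.calc, self.matrix = calc, {}

class DecisionMeans:
    """Component 101, interface V: Check_M / Revoke_M, accepted only from segment 2."""
    def __init__(self, admin):
        self.admin = admin
        self.caps = set()             # (subject, object, operation) currently valid

    def check_m(self, caller_addr, subject, obj, op):
        if caller_addr not in SEGMENT_2:                          # [S10]
            raise AccessDenied("Check_M not called from an interception means")
        if not self.admin.rights(subject, obj) & OPERATIONS[op]:  # [S11]
            raise AccessDenied(f"{subject} may not {op} on {obj}")
        self.caps.add((subject, obj, op))                         # [S12]

    def revoke_m(self, caller_addr, subject, obj, op):
        if caller_addr not in SEGMENT_2:
            raise AccessDenied("Revoke_M not called from an interception means")
        self.caps.discard((subject, obj, op))                     # [S14]

class Account:
    """Constructed heterogeneous secure component C_j with its data 40_j."""
    def __init__(self):
        self.name, self.balance = "account", 100

    def call(self, op, amount=0):
        if op == "deposit":
            self.balance += amount
        elif op == "withdraw":
            self.balance -= amount
        return self.balance

class Interceptor:
    """Interception means 20_j: its code sits at a fixed address in segment 2."""
    def __init__(self, decision, target, address):
        self.decision, self.target, self.address = decision, target, address

    def invoke(self, subject, op, *args):
        self.decision.check_m(self.address, subject, self.target.name, op)
        try:
            return self.target.call(op, *args)                    # [S13]
        finally:   # revocation is never skipped, even if the operation raises
            self.decision.revoke_m(self.address, subject, self.target.name, op)

def user_policy(subject_ctx, object_ctx):
    """Constructed policy: 'admin' contexts get every operation, others read+deposit."""
    return 0b111 if subject_ctx == "admin" else 0b011

def build():
    admin = Administration(Calculation(user_policy),
                           subject_ctx={"alice": "user", "bob": "admin"},
                           object_ctx={"account": "sensitive"})
    decision = DecisionMeans(admin)
    return decision, Interceptor(decision, Account(), address=0x2400)

def run_trace():
    """Run the sequences of FIG. 6 and report what each subject obtained."""
    decision, icp = build()
    out = {"alice_read": icp.invoke("alice", "read_balance"),
           "bob_withdraw": icp.invoke("bob", "withdraw", 30)}
    try:
        icp.invoke("alice", "withdraw", 10)
    except AccessDenied:
        out["alice_withdraw"] = "denied"
    try:   # application code calling Check_M itself, from outside segment 2
        decision.check_m(0x9000, "bob", "account", "withdraw")
    except AccessDenied:
        out["direct_check"] = "denied"
    out["caps_left"] = len(decision.caps)   # every granted capability was revoked
    return out
```

Two design points carried over from the text: the capability granted by Check_M lives only for the duration of one invocation, because the `finally` clause makes Revoke_M part of an atomic sequence the application code cannot skip, and swapping the calculation component via `replace_calculation` changes the authorization policy without touching the decision or administration parts.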
- the invention also relates to a method of manufacturing a component core intended in particular for light operating systems.
- This component kernel has a flexible access control policy.
- the manufacturing process comprises the following steps:
- a step of decomposing a system into several components C_j comprising at least code 30_j and data 40_j, each component C_j comprising one or more interfaces comprising a set of operations m_i performed on the component C_j. It is nonetheless possible to include non-component code or data, but this code or data cannot be controlled and will be treated as unsecured objects.
- said component comprising the decision means 10 has interfaces with the interception means 20_j, with a memory access protection mechanism PA, and possibly with the memory registers of the hardware peripherals.
- said interface V of the decision means 10 with the interception means 20_j comprises the operations of verifying and revoking the access rights of a subject S to a component C_j for a required operation m_i.
- a step of associating one of the interception means 20_j with each heterogeneous secure component C_j: each invocation of the component C_j is intercepted by the interception means 20_j, which call upon the decision means 10 and, if the decision means 10 allow access, the interception means 20_j call the operation m_i of the object C_j.
- a step of defining the memory organization by segments (for example, according to the segmentation described above).
- a step of assembling all the components C_j with the control components 10, 11_PA, 20_j. This assembly can, in particular, be achieved by compilation and linking.
- the access control device makes it possible to implement secure operating systems without resorting to the concept of address space.
- This access control device is therefore directly applicable to all lightweight terminals.
- the component core with the access control device according to the invention can be used in the operating systems of communication network and/or multimedia data broadcasting stations.
- the device and the access control method according to the invention are applicable to all applications having strong security needs in terminals, in particular embedded mobile terminals, or in intermediate stations of communication and/or broadcast networks, e.g. for applications such as electronic commerce, digital broadcasting (such as DRM for the protection of, for example, the contents of MP3 players), protection of personal data in medical informatics ...
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/792,900 US20080104695A1 (en) | 2004-12-09 | 2005-11-22 | Device and Method for Controlling Access, Core with Components Comprising Same and Use Thereof |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR0413243 | 2004-12-09 | | |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2006061481A1 (fr) | 2006-06-15 |
Family
ID=34955390
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/FR2005/002927 WO2006061481A1 (fr) | 2004-12-09 | 2005-11-22 | Dispositif et procede de controle d’acces, noyau a composants le comportant et son utilisation |
Country Status (2)
Country | Link |
---|---|
US (1) | US20080104695A1 (fr) |
WO (1) | WO2006061481A1 (fr) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8789132B2 (en) * | 2010-06-07 | 2014-07-22 | Oracle International Corporation | Enterprise model for provisioning fine-grained access control |
US9165079B1 (en) * | 2011-09-06 | 2015-10-20 | Google Inc. | Access controls in a search index |
CN103678304B (zh) * | 2012-08-31 | 2017-04-12 | 国际商业机器公司 | 为预定网页推送特定内容的方法、装置 |
US9338522B2 (en) * | 2012-10-18 | 2016-05-10 | Broadcom Corporation | Integration of untrusted framework components with a secure operating system environment |
KR101535792B1 (ko) * | 2013-07-18 | 2015-07-10 | 포항공과대학교 산학협력단 | 운영체제 구성 장치 및 방법 |
US20170329526A1 (en) * | 2016-05-13 | 2017-11-16 | Hewlett Packard Enterprise Development Lp | Interoperable capabilities |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5504814A (en) * | 1991-07-10 | 1996-04-02 | Hughes Aircraft Company | Efficient security kernel for the 80960 extended architecture |
EP0768594A1 (fr) * | 1995-10-10 | 1997-04-16 | Data General Corporation | Sécurité pour système d'ordinateur |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7073059B2 (en) * | 2001-06-08 | 2006-07-04 | Hewlett-Packard Development Company, L.P. | Secure machine platform that interfaces to operating systems and customized control programs |
EP1570330A2 (fr) * | 2002-11-27 | 2005-09-07 | Koninklijke Philips Electronics N.V. | Systeme de protection integre a une puce |
Application events
- 2005-11-22: US application US11/792,900 (published as US20080104695A1), status: not active (abandoned)
- 2005-11-22: PCT application PCT/FR2005/002927 (published as WO2006061481A1), status: not active (application discontinued)
Non-Patent Citations (2)
Title |
---|
"Reconfigurable Access Control for Component-Based OS Kernels", 5 September 2004 (2004-09-05), XP002344522, retrieved from the Internet <URL:http://e2r.motlabs.com/dissemination/conferences/E2R_Workshop04_Session3_Poster6.pdf> [retrieved on 2005-09-12] |
PIETRO J A: "THE SECURITY KERNEL: BACKGROUND AND ELEMENTS", INFORMATION AGE, vol. 9, no. 3, July 1987 (1987-07-01), pages 131-138, XP009010709, ISSN: 0241-4103 |
Also Published As
Publication number | Publication date |
---|---|
US20080104695A1 (en) | 2008-05-01 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AK | Designated states | Kind code of ref document: A1. Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KN KP KR KZ LC LK LR LS LT LU LV LY MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
| AL | Designated countries for regional patents | Kind code of ref document: A1. Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU LV MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
| 121 | Ep: the EPO has been informed by WIPO that EP was designated in this application | |
| WWE | WIPO information: entry into national phase | Ref document number: 11792900. Country of ref document: US |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: PCT application non-entry in European phase | Ref document number: 05823062. Country of ref document: EP. Kind code of ref document: A1 |
| WWW | WIPO information: withdrawn in national office | Ref document number: 5823062. Country of ref document: EP |
| WWP | WIPO information: published in national office | Ref document number: 11792900. Country of ref document: US |