US20160378962A1 - Method and Apparatus for Controlling Access to a Resource in a Computer Device - Google Patents
- Publication number
- US20160378962A1
- Authority
- US
- United States
- Prior art keywords
- access
- resource
- proxy
- user
- user process
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Classifications
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
          - G06F21/31—User authentication
            - G06F21/33—User authentication using certificates
              - G06F21/335—User authentication using certificates for accessing specific resources, e.g. using Kerberos tickets
        - G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
          - G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
            - G06F21/54—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs
        - G06F21/60—Protecting data
          - G06F21/604—Tools and structures for managing or administering access control systems
          - G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
            - G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
              - G06F21/6227—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
              - G06F21/6281—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database at program execution time, where the protection is within the operating system
      - G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
          - G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Definitions
- the present invention relates generally to the field of computers and computer devices. More particularly, the present invention relates to a method and apparatus for controlling access to a resource in a computer device by providing an improved resource access mechanism.
- a computer device executes a process using a plurality of physical and logical resources, such as system services, drivers, files and registry settings.
- Many operating systems include a security module that enforces access rights for each process, whereby the process is permitted (or denied) access to each of the resources, consistent with a set of security privileges allocated to that process. For example, a process of an ordinary user level is able to read from a particular file, but is not permitted to write to that file. Meanwhile, a process of a local administrator level typically has a higher privilege, e.g. is able to both read from and write to that file.
- the security model applies the access privileges based on the user's account.
- the operating system may define privilege levels appropriate to different classes, or groups, of users, and then apply the privileges of the relevant class or group to the particular logged-in user (e.g., ordinary user, super-user, local administrator, system administrator and so on).
- the user is authenticated by logging in to the computer device, and the user, via their previously prepared security account, acts as a security principal in the security model.
- the operating system then grants appropriate privileges to processes which execute in that user's security context.
- a computer device which includes an execution environment for a user process and a security unit which selectively controls access to a plurality of resources.
- a proxy resource access unit includes a proxy hook module embedded within the user process, and a proxy service module executing in another security context.
- the proxy hook intercepts system calls by the user process requesting access to a desired resource and, in response, generates a proxy resource access request.
- the proxy service module selectively validates the request and, if valid, obtains a resource handle from the security unit that permits access to the desired resource.
- the resource handle is returned to the user process via the proxy hook module thereby permitting subsequent access by the user process to the desired resource.
- the proxy service module is arranged to operate the desired resource on behalf of the user process.
- a computer device which includes an execution environment arranged to execute a user process according to a user security context which defines access privileges of the user process; a security unit arranged to selectively control access by the user process to a plurality of resources available in the execution environment according to the user security context, wherein the user process is arranged to request access to a desired resource of the plurality of resources by making a system call to the security unit; and a proxy resource access unit comprising: a proxy hook module embedded within the user process, wherein the proxy hook module is arranged to intercept the system call made by the user process to request access to the desired resource and to generate and send a proxy resource access request in response thereto; and a proxy service module arranged to execute in a privileged security context different from the user security context of the user process, wherein the proxy service module is arranged to receive and validate the proxy resource access request from the proxy hook module and, if validated, to obtain from the security unit a resource handle that permits access to the desired resource and to return the resource handle to the user process
- the proxy resource access unit is arranged to selectively control access by the user process to the resources as exceptions to the access control by the security unit.
- the proxy resource access unit is arranged to selectively enable access by the user process to the desired resource whereas access to the desired resource otherwise would not be permitted by the security unit, and/or the proxy resource access unit is arranged to selectively deny access by the user process to the desired resource whereas access to the desired resource otherwise would be permitted by the security unit.
- the proxy resource access unit is arranged to validate the proxy resource access request against a policy list comprising a plurality of predetermined policies which define access to the resources by the user process.
- the user process is arranged to declare a desired access level in the system call.
- the access levels may depend on the nature or type of the desired resource.
- the desired access levels include create, read and/or write access with respect to the desired resource.
- the proxy hook module is arranged to record the desired access level in the proxy resource access request.
- the proxy service module is arranged to allow, or deny, access to the desired resource by comparing the desired access level against one or more access levels recorded in the predetermined policies of the policy list.
- the proxy resource access request comprises an identity of the user process and the proxy service module allows, or respectively denies, access to the desired resource by comparing the identity of the user process against one or more user process identities recorded in the predetermined policies.
- the policy list records whether a requested form of access is to be permitted or denied.
- the proxy service module is arranged to obtain the resource handle which permits access to the desired resource. In one example, the proxy service module is arranged to duplicate the resource handle into a context of the user process as a duplicate handle to be used by the user process to access the desired resource.
- the proxy service module is arranged to return an error code to the proxy hook module. In one example, the proxy service module is arranged to return an error code to the proxy hook module where the proxy resource access request is not permitted. In one example, the proxy hook module is arranged to pass the system call from the user process to the security unit to be processed according to the user security context.
- the proxy hook module is further arranged to intercept system calls made by the user process to operate the desired resource.
- the proxy service module is arranged to operate the desired resource on behalf of the user process.
- the proxy hook module is arranged to maintain a record of a system resource handle that has been opened by the proxy service module on its behalf with respect to a desired resource.
- the desired resource is provided as a system service.
- the proxy hook module is arranged to selectively intercept system calls made by the user process to request an operation of the desired resource.
- the proxy service module is arranged to perform the requested operation on behalf of the proxy hook module.
- the proxy service module is arranged to return a result of performing the requested operation in a return message.
- the proxy hook module is provided as a dynamic linked library component which hooks into the user process when the user process is started.
- the user process is arranged to make the system call through an application programming interface.
- a method of controlling access to a resource in a computer device includes executing a user process in an execution environment of the computer device according to a user security context which defines access privileges of the user process; controlling access by the user process to a plurality of resources available in the execution environment according to the user security context by a security unit of the computer device, wherein the user process is arranged to request access to a desired resource of the plurality of resources by making a system call to the security unit; intercepting the system call made by the user process to request access to the desired resource by a proxy hook module embedded within the user process; generating a proxy resource access request by the proxy hook module in response to intercepting the system call and sending the proxy resource access request to a proxy service module executing in a privileged security context different from the user security context of the user process; validating the proxy resource access request by the proxy service module and, if validated, obtaining from the security unit a resource handle that permits access to the desired resource; and returning the resource handle from the proxy service module to user
- a computer-readable storage medium having recorded thereon instructions which, when implemented by a computer device, cause the computer device to be arranged as set forth herein and/or which cause the computer device to perform the method as set forth herein.
- FIG. 1 is a schematic overview of an example computer device in which the example embodiments may be applied;
- FIG. 2 is a schematic diagram showing the example computer device in more detail concerning access to resources by a process
- FIG. 3 is a schematic diagram showing the example computer device in more detail concerning a process privilege management mechanism
- FIG. 4 is a schematic diagram showing the example computer device in more detail concerning the operating system
- FIG. 5 is a schematic diagram showing the example computer device in more detail concerning a resource access management mechanism
- FIG. 6 is a schematic diagram showing the example computer device in more detail concerning a resource access management mechanism and a method of accessing resources in the computer device;
- FIG. 7 is a schematic diagram showing the example computer device in more detail concerning a resource access management mechanism and a method of accessing resources in the computer device.
- example embodiments of the present invention will be discussed in detail in relation to Microsoft™ Windows™ operating systems. However, the teachings, principles and techniques of the present invention are also applicable in other example embodiments. For example, the example embodiments are also applicable to other operating systems, in particular those having a discretionary access control security model.
- FIG. 1 is a schematic overview of a computer device 200 according to an example embodiment of the present invention.
- the host computer device 200 includes physical hardware (HW) 201 such as memory, processors, I/O interfaces, backbone, power supply and so on as are found in, for example, a typical server computer.
- An operating system (OS) 202 provides a multitude of components, modules and units that coordinate to provide a runtime environment (RTE) 203 which supports execution of a plurality of processes.
- the processes may include one or more user processes (USRP) 120 .
- the user processes 120 may relate to one or more application programs which the user desires to execute on the computer device 200 .
- the computer device 200 includes a plurality of resources 115 , 125 .
- These resources 115 , 125 are the components of the computer device that the processes 120 will rely upon in order to carry out their execution.
- the resources 115 , 125 may include installed software, system services, drivers, files and/or registry settings.
- the operating system 202 includes a security module (SECO) 210 which is provided to enforce security within the computer device 200 .
- the security module 210 is provided by the Windows™ operating system as supplied by Microsoft Corp of Redmond, Wash., USA, under the trade marks Windows NT, Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 7, amongst others.
- the security module 210 also termed a security sub-system or security manager, suitably enacts the Windows security model as described, for example, in “Windows Security Overview” published 10 Jun. 2011 by Microsoft Corporation, which is incorporated herein by reference in its entirety.
- Each process 120 that a user initiates will be run in a security context 121 that derives access rights and permissions from the user's account.
- each process 120 is provided with an access token (AT) 122 .
- the access token 122 typically carries the security identity (SID) of the user and SIDs of any other security groups to which the user belongs. The access token 122 thus defines the privileges as held on this host computer 200 by the user and the relevant security groups.
- the security module 210 is arranged to perform an access check when a user process 120 requests access to any of the resource 115 , 125 .
- the security module 210 performs the access check by comparing the access token 122 of the process 120 against a security descriptor, such as an access control list (ACL) 116 , 126 , associated with the relevant resource 115 , 125 .
- the access control list 116 , 126 is suitably a Discretionary Access Control List (DACL) which identifies SIDs of users and groups that are allowed, or denied, various types of access (read, write, etc.) as appropriate for that resource.
- the security module (SECO) 210 in the operating system 202 is sufficient to prevent the user process 120 from tampering with certain key resources 115 while allowing the user process 120 to access appropriate user resources 125 , according to the respective access control list 116 , 126 .
- the user process 120 is able to read from, but not write to, a file of the key resources 115 .
- the defined access types will depend upon the type of resource being accessed. For example, storage is typically defined by read and write access rights, while a process may have terminate access rights which determine whether or not a request to terminate that process will be actioned by the operating system 202 .
- a user-level security context 121 is based on the user as the security principal and the access token 122 is set accordingly.
- the user-level security context 121 is deliberately restricted to a minimal set of access rights.
- FIG. 2 is a schematic diagram showing the example computer device in more detail.
- the user process is able to access both the permitted user resources 125 and also the key resources 115 .
- the key resources 115 are any resources of the computer device where it is desired to protect those resources against access by the user processes 120 .
- In practice, it is common for a user to be included in a security group, such as the local administrator security group, so that application programs desired by the user will install and operate correctly without needing additional support from a higher-authorized user (such as IT administrator personnel). Where a user is included in such a privileged security group, all of the user processes 120 initiated by that user will then be granted the higher-level privilege rights, such as local administrator rights, indiscriminately. Thus, granting local administrator rights, or similar higher privileges, generally allows all user processes 120 to access many of the key resources 115 of the computer system in an indiscriminate manner.
- FIG. 3 is a schematic diagram showing the example computer device in more detail.
- the computer device includes a privilege management module (PPMAN) 110 .
- This module 110 is arranged to perform dynamic process privilege reassignment, whereby the user process 120 is examined and selectively provided with an adjusted set of privileges.
- the privileges of the user process 120 are elevated above an initial level.
- the user process 120 is granted a privileged user security context 121 a by the privilege management module 110 .
- This can be considered as a dynamic elevation of the privilege level of the user process 120 , so that the specific user process 120 is able to achieve a desired, legitimate function which requires greater access rights than were available initially.
- the process 120 that is to be elevated is provided with a new access token 122 a , which is created based on the initial access token 122 of that process.
- the SID of the local administrator group is added to this new access token 122 a , and consequently the process 120 now obtains the privileges and integrity level of the local administrator.
- the user process 120 is then assigned the new access token 122 a , such as by stopping and restarting the process, and thus the privileged user security context 121 a is now applied to that user process 120 .
- a local administrator should be able to access all of the key resources 115 legitimately, whereas a user process 120 , even when dynamically elevated to the local administrator level, should not have those same access privileges with respect to all of the key resources 115 .
- FIG. 4 is a schematic diagram showing the example computer device 200 in more detail.
- FIG. 4 shows internal components within the operating system OS 202 in more detail.
- the operating system 202 is based on Windows NT and includes two main components, namely the user mode 220 and the kernel mode 230 .
- the user mode 220 includes integral subsystems (INT SUB) 221 such as workstation service, server service and the security module 210 as discussed above.
- the user mode 220 also includes environment subsystems (ENV SUB) 223 such as a Win32 environment subsystem, a POSIX environment subsystem and an OS/2® environment subsystem to support user programs, including the user processes 120 as discussed above. These programs and subsystems in the user mode 220 have limited access to system resources.
- the kernel mode 230 has unrestricted access to the computer device, including system memory and external devices, etc.
- the kernel mode 230 includes a hardware abstraction layer (HAL) 231 which interfaces with the physical hardware H/W 201 , and a plurality of services, which together are termed the Executive 233 .
- the Executive 233 may include an Object Manager (OBJ MAN) 235 and other services (EXE SERV) 237 .
- the object manager 235 is an executive subsystem which controls access to objects.
- the object manager 235 considers each of the resources 115 , 125 as an object, including both physical resources such as storage devices or peripheral devices and logical resources such as files or containers. All other executive subsystems, including particularly system calls, pass through the object manager 235 in order to gain access to the resources 115 , 125 .
- the object manager 235 creates and inserts new objects, which makes the object accessible through a handle.
- the handle is a unique numerical identifier which identifies that object (resource) to the object manager 235 .
- Each object created by the object manager 235 is stored in an object table, and each entry in the object table may include the object name, security attributes, a pointer to its object type, and other parameters.
- the operating system 202 is configured so that every request to access a resource passes through the object manager 235 . If the resource 115 , 125 is requested by name, then the request is subject to security checks by the security module 210 as discussed above. However, a request to access a resource through an existing, open object handle will generally be allowed without further security checks, provided that the requested access does not exceed the level of access requested when the object was opened or created.
- the computer 200 provides a security unit which in the example embodiments includes the security module 210 and the object manager 235 .
- the security module 210 is arranged to control access to the resources 115 , 125 when access to the resource is requested by a user process, according to the security context of that process.
- the object manager 235 may directly permit access to the resources 115 , 125 upon the condition that access to the desired resource is subsequently requested using a valid resource handle as issued previously by the object manager 235 .
- FIG. 5 is a schematic diagram showing the example computer device in more detail concerning an example embodiment of a proxy resource access mechanism. As shown in FIG. 5 , the example embodiment provides a proxy resource access unit 300 comprising a proxy hook module 310 and a proxy service module 320 .
- the example computer device 200 provides the execution environment 203 to execute the user process 120 according to the user security context 121 .
- the user security context 121 ordinarily defines the access privileges of the user process 120 with respect to the plurality of resources 115 , 125 that are available in the execution environment 203 .
- a security unit 250 is arranged to selectively permit, or deny, access by the user process 120 to the plurality of resources 115 , 125 .
- the security unit 250 includes the security module 210 and the object manager 235 as discussed above.
- FIG. 6 is a schematic diagram showing the example computer device in more detail concerning the example proxy resource access unit.
- FIG. 6 shows a flow of control to proxy access to privileged resources and a respective method of accessing resources in the computer device.
- the user process 120 makes a system call toward the security unit 250 to request access to a desired resource 115 amongst the plurality of available resources 115 , 125 within the execution environment 203 .
- the system call is represented by the arrow at step 501 .
- a proxy hook 310 is embedded within the user process 120 .
- the proxy hook 310 is a DLL (dynamic linked library) component that will hook into each user process.
- the proxy hook 310 suitably hooks into the user process 120 as that process is started within the execution environment 203 .
- the proxy hook 310 is arranged to intercept all relevant system calls that open resources.
- the intercepted system calls are made through the Windows API (application programming interface).
- Table 1
- the proxy hook 310 is arranged to generate a proxy resource access request as shown by the arrow at step 502 .
- This request message suitably includes the name of the desired resource 115 .
- the request message at step 502 may further identify the user process 120 that is trying to open the desired resource.
- the request message at step 502 may further identify the desired access (i.e. the type of access which is desired such as read or write).
- the request message at step 502 may further identify any other relevant parameters that would ordinarily be passed to the API call. These other parameters may depend particularly upon the type of the resource.
- a proxy service 320 is arranged to receive the proxy resource access request message at step 502 from the proxy hook 310 .
- the proxy hook 310 and the proxy service 320 communicate by any suitable form of inter-process communication (IPC).
- the proxy service 320 executes in a privileged security context 111 .
- the proxy service 320 may run in the privileged security context 111 of the SYSTEM account.
- this privileged security context 111 gives unrestricted access to local resources.
- the privileges of the SYSTEM account also enable the proxy service 320 to impersonate the security context of a logged on user or a local administrator, if this is necessary to access specific resources.
- the proxy service 320 is arranged to validate the proxy resource access request message at step 502 from the proxy hook 310 as represented by the arrow at step 503 .
- the validation may take any suitable form.
- the proxy service 320 validates the request against a plurality of policies 330 .
- the validation may include checking a file name of the user process 120 , the owner of the process 120 (i.e. the user), or other suitable criteria.
- the policy 330 provides a configurable mechanism to determine whether or not the requested access will be permitted or denied.
- the policies 330 suitably identify the resources 115 , 125 which are to be permitted, or respectively denied, access by the user process 120 .
- the resources 115 , 125 can be identified within the policies 330 by providing a name of the resource.
- non-exact matching is also permitted within the policies 330 , such as by wild card matching against resource names.
- the proxy service 320 suitably identifies whether or not a predetermined policy 330 exists with reference to this request, i.e. identifying the relevant user process 120 and the desired resource 115 .
- if the proxy service 320 validates the request at step 503 , the proxy service 320 will then obtain a resource handle from the security unit 250 that permits access to the desired resource 115 .
- the proxy service 320 executing in the privileged security context 111 is permitted by the security unit 250 to obtain access to the desired resource 115 .
- the security unit 250 returns the resource handle which permits access to the desired resource 115 .
- the proxy service 320 comprises a proxy open resource function which requests access to the desired resource 115 through the security unit 250 as represented by arrow at step 504 .
- the proxy service resource access request at step 504 from the proxy service 320 to the security unit 250 defines a most restricted access right (following least-access principles), when considering the access as requested in the request message at step 502 passed from the proxy hook 310 and the access as permitted by the policies 330 with respect to the desired resource 115 .
- a handle to that object (a resource handle) is returned by the security unit 250 at step 505 .
- the resource handle is returned by the proxy service 320 to the proxy hook 310 at step 506 .
- the proxy hook 310 returns the resource handle to the user process 120 at step 507 .
- the user process 120 is able to access the desired resource 115 using the resource handle that has been obtained through this proxy resource access mechanism.
- the proxy service 320 duplicates the resource handle obtained at step 505 into the context of the user process 120, i.e. as a duplicate entry in that process's own handle table, so that the handle value returned at steps 506 and 507 is usable directly by the user process 120.
- if the proxy service 320 at step 503 does not validate the original request message as sent at step 502 from the proxy hook 310, then the proxy service 320 suitably returns an error message to the proxy hook 310 at step 506.
- an appropriate error code is suitably returned to the proxy hook 310.
- the proxy service 320 is arranged to send the reply at step 506 immediately when the request message at step 502 cannot be validated with respect to the policies 330 at step 503 . In this situation, the proxy service 320 does not attempt to make a request to the security unit 250 at step 504 .
- if the proxy service 320 at step 504 does not obtain a handle to the desired resource, then the proxy service 320 suitably returns an error message to the proxy hook 310 at step 506.
- if the security unit 250 denies access to the desired resource 115 (such as by returning a NULL handle at step 505), then an appropriate error code is suitably returned to the proxy hook 310 at step 506.
- where the proxy resource access request does not yield a handle, the proxy hook 310 at step 508 is arranged to selectively pass through the system call made by the user process 120.
- this pass-through is a failsafe procedure which allows the user process 120 to request access to the desired resource from its own security context 121.
- the system call is then made to the security unit 250 and a reply is received at step 510, which may be an error code denying access to the resource or a handle provided directly from the security unit 250.
- the reply is returned via the proxy hook 310 at step 511 and provided to the user process 120 at step 507.
- in an alternative embodiment, the proxy hook 310 is arranged, as a primary path, to pass through the system call made by the user process 120 to the OS at step 508 and, only if that system call fails, to initiate the proxy resource access request at steps 502 et seq. as a secondary path.
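The steps above as a runnable model, added here for illustration and not taken from the patent or any vendor's product: policy matching on the process file name, the owner and a wild-carded resource name (step 503), the least-access intersection at step 504, duplication of the privileged handle into the user process (steps 505 to 507), and the selective pass-through at step 508. Windows specifics are simulated: the security unit is a dictionary of permitted masks per security context and the handle tables are plain dictionaries. The access bit values, the reply codes, the `SYSTEM` context name, the rule that the first matching policy wins, and the rule that an explicit policy denial is final while a missing policy or a security-unit refusal falls through to the user's own context are all assumptions.

```python
"""Portable model of the proxy resource access flow at steps 501 to 511.
Constructed for illustration; not the patent's or any vendor's code.
Access bits, reply codes and context names are assumptions."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

ACCESS_READ, ACCESS_WRITE, ACCESS_CREATE = 0x1, 0x2, 0x4  # assumed values
GRANTED, NO_POLICY, POLICY_DENIED, SU_DENIED = "granted", "no_policy", "policy_denied", "su_denied"
PRIVILEGED_CTX = "SYSTEM"  # assumed name of the proxy service's security context


class SecurityUnit:
    """Stand-in for security module plus object manager: a per-resource table
    of (context -> permitted mask) and a per-context handle table."""
    def __init__(self, acl: Dict[str, Dict[str, int]]):
        self.acl = acl
        self.tables: Dict[str, Dict[int, Tuple[str, int]]] = {}  # ctx -> hid -> (resource, granted)
        self._next = 4  # opaque handle values, 4-aligned as on Windows

    def _insert(self, ctx: str, entry: Tuple[str, int]) -> int:
        hid, self._next = self._next, self._next + 4
        self.tables.setdefault(ctx, {})[hid] = entry
        return hid

    def open(self, ctx: str, resource: str, access: int) -> Optional[int]:
        """Access check: every requested bit must be permitted to ctx."""
        permitted = self.acl.get(resource, {}).get(ctx, 0)
        if access == 0 or access & ~permitted:
            return None  # NULL handle, the failure case at step 505
        return self._insert(ctx, (resource, access))

    def duplicate(self, src: str, hid: int, dst: str) -> int:
        """Duplicate a handle into another context, keeping its granted access."""
        return self._insert(dst, self.tables[src][hid])


@dataclass
class Policy:
    process: str   # wildcard on the user process file name
    user: str      # owner of the process, "*" for any
    resource: str  # wildcard on the resource name
    access: int    # access the policy permits (ignored when permit=False)
    permit: bool = True


class ProxyService:
    """Runs in PRIVILEGED_CTX; validates requests against the policies (step 503)."""
    def __init__(self, policies: List[Policy], su: SecurityUnit):
        self.policies, self.su = policies, su

    def match(self, process: str, user: str, resource: str) -> Optional[Policy]:
        for p in self.policies:  # first matching policy wins (assumed ordering rule)
            if (fnmatchcase(process.lower(), p.process.lower()) and p.user in ("*", user)
                    and fnmatchcase(resource.lower(), p.resource.lower())):
                return p
        return None

    def handle_request(self, process, user, resource, access) -> Tuple[str, Optional[int]]:
        p = self.match(process, user, resource)
        if p is None:
            return NO_POLICY, None
        effective = access & p.access  # least access: requested AND permitted
        if not p.permit or effective == 0:
            return POLICY_DENIED, None
        priv = self.su.open(PRIVILEGED_CTX, resource, effective)  # step 504
        if priv is None:
            return SU_DENIED, None
        return GRANTED, self.su.duplicate(PRIVILEGED_CTX, priv, user)  # step 506


class ProxyHook:
    """Embedded in the user process; intercepts the open call at step 501."""
    def __init__(self, process: str, user: str, service: ProxyService, su: SecurityUnit):
        self.process, self.user, self.service, self.su = process, user, service, su

    def create_file(self, resource: str, access: int) -> Tuple[str, Optional[int]]:
        status, hid = self.service.handle_request(self.process, self.user, resource, access)
        if status in (GRANTED, POLICY_DENIED):
            return status, hid  # a policy denial is final, no pass-through (assumed)
        hid = self.su.open(self.user, resource, access)  # failsafe pass-through, step 508
        return (GRANTED, hid) if hid is not None else (SU_DENIED, None)


def scenario(process: str, user: str, resource: str, access: int):
    """One intercepted open against constructed ACLs and policies (names lower-case);
    returns (reply status, granted mask of the handle the user process now holds)."""
    su = SecurityUnit({
        r"c:\program files\app\config.ini": {PRIVILEGED_CTX: 0x7, "alice": ACCESS_READ},
        r"c:\windows\system32\drivers\vol.sys": {PRIVILEGED_CTX: 0x7, "alice": 0},
        r"c:\users\alice\notes.txt": {PRIVILEGED_CTX: 0x7, "alice": 0x7},
        r"c:\users\alice\secret.txt": {PRIVILEGED_CTX: 0x7, "alice": 0x7},
    })
    policies = [  # elevation for the installer, degradation for one user file
        Policy("installer.exe", "alice", r"c:\program files\app\*", ACCESS_READ | ACCESS_WRITE),
        Policy("*", "*", r"c:\users\alice\secret.txt", 0, permit=False),
    ]
    hook = ProxyHook(process, user, ProxyService(policies, su), su)
    status, hid = hook.create_file(resource, access)
    return status, (su.tables[user][hid][1] if hid is not None else None)
```

`scenario("installer.exe", "alice", r"c:\program files\app\config.ini", 0x7)` returns `("granted", 0x3)`: the request for create, read and write is trimmed to the read and write the policy permits, and the handle the user process receives carries only that. The same process opening a driver file gets no policy match, falls through to its own context and is refused there; `notepad.exe` opening `secret.txt` is refused by the deny policy although alice's own context would allow it, which is the exceptional degradation the page describes.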
- the Win32 API functions call their native API counterparts.
- the native API provides the interface between the user mode 220 and the kernel mode 230 within the operating system 202 as noted above. Therefore, in the example embodiments, the proxy hook 310 may be implemented by intercepting either the Win32 API or the native API functions. For example, a file can be created or opened through the Win32 API via the CreateFile function, or through the native API via the ZwCreateFile and ZwOpenFile functions (in user mode, ntdll.dll exports the Zw* and Nt* names as the same entry points, so a hook on either name covers both). Hooking at the native API layer also catches callers that bypass the Win32 wrappers and call ntdll.dll directly, which a hook on CreateFile alone would miss. Since the hook lives inside the user process, code in that process can unhook or bypass it; the permit side of the mechanism does not depend on the hook for safety, because the privileged handle is only ever issued by the proxy service after policy validation, whereas the deny side relies on the hook staying in place.
- the proxy resource access unit 300 is provided in conjunction with the privilege management module 110 as discussed above.
- the privilege management module 110 is able to selectively apply an alternate set of access rights specifically to the particular user process 120 of interest.
- the proxy resource access unit 300 controls access by that user process 120 to specific resources 115 , 125 .
- the example computer device provides powerful yet flexible mechanisms to control access to resources by the user process.
- FIG. 7 is a schematic diagram showing the example computer device in more detail concerning the example proxy resource access unit and resource access control method.
- some of the resources 115, 125 may be associated with a resource handle which is not capable of being duplicated from one process context into another, i.e. which cannot be duplicated into the address space of a user process 120 by the proxy service 320.
- as one example, opening a System Service (through the service control manager) returns an SC_HANDLE, which is not a kernel object handle and therefore cannot be duplicated.
- the proxy hook 310 is suitably arranged to intercept all of the system calls relevant to manipulating the relevant resource 115 .
- the proxy service 320 will open the System Service on behalf of the proxy hook 310 (and thus on behalf of the user process 120) and will return the system resource handle (SC_HANDLE) that the proxy service 320 has opened with the security unit 250.
- the steps 501 - 507 , and optionally steps 508 - 511 are performed as noted above.
- the proxy hook 310 maintains a table of system resource handles (a table of SC_HANDLEs) that have been opened by the proxy service 320 on its behalf. Whenever a System Service operation is performed on one of these system resource handles, the proxy hook 310 then proxies the relevant system call (API call) to the proxy service 320 .
- the proxy service 320 then performs the requested operation on behalf of the proxy hook 310 and returns the results in a corresponding return message.
- the proxy service 320 not only requests access to the relevant resource on behalf of the user process 120 but further accesses and manipulates the resource 115 on behalf of the user process 120 .
- the System Services would require the system calls as shown in Table 2 below to be intercepted and proxied.
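The SC_HANDLE case as a runnable model, added here and not taken from the patent or any vendor: the proxy service opens the service in its own context, the hook records the returned SC_HANDLE in its table, and every later operation on that handle is forwarded to the service instead of being attempted locally. The SERVICE_* access bits and the two error codes are the Win32 values; the stand-in service control manager, the per-process policy table (a plain dictionary standing in for the wild-card policies described above, whose matching is not repeated here), the `SYSTEM` context name and the operation names are assumptions.

```python
"""Model of proxying operations on a non-duplicable SC_HANDLE (System Services).
Constructed for illustration; not the patent's or any vendor's code. The
SERVICE_* bits and the two error codes are the Win32 values; all else is assumed."""
from typing import Dict, Optional, Tuple

SERVICE_QUERY_STATUS, SERVICE_START, SERVICE_STOP = 0x0004, 0x0010, 0x0020
ERROR_ACCESS_DENIED, ERROR_INVALID_HANDLE = 5, 6
PRIVILEGED_CTX = "SYSTEM"  # assumed name of the proxy service's context


class ServiceControlManager:
    """Stand-in SCM: per-service (context -> permitted mask) plus a handle table
    whose entries are (owner context, service name, granted mask)."""
    NEED = {"query": SERVICE_QUERY_STATUS, "start": SERVICE_START, "stop": SERVICE_STOP, "close": 0}

    def __init__(self, acl: Dict[str, Dict[str, int]]):
        self.acl, self.state = acl, {name: "stopped" for name in acl}
        self.handles: Dict[int, Tuple[str, str, int]] = {}
        self._next = 0x1000

    def open_service(self, ctx: str, name: str, access: int) -> Optional[int]:
        permitted = self.acl.get(name, {}).get(ctx, 0)
        if access == 0 or access & ~permitted:
            return None
        hid, self._next = self._next, self._next + 8
        self.handles[hid] = (ctx, name, access)
        return hid

    def operate(self, ctx: str, hid: int, op: str) -> Tuple[int, Optional[str]]:
        """query/start/stop/close through an SC_HANDLE; returns (Win32 error, state)."""
        h = self.handles.get(hid)
        if h is None or h[0] != ctx:
            return ERROR_INVALID_HANDLE, None  # a handle means nothing outside its owner
        if self.NEED[op] & ~h[2]:
            return ERROR_ACCESS_DENIED, None
        if op == "close":
            del self.handles[hid]
            return 0, None
        if op != "query":
            self.state[h[1]] = "running" if op == "start" else "stopped"
        return 0, self.state[h[1]]


class ProxyService:
    """Privileged side: opens the SC_HANDLE and later performs operations on it."""
    def __init__(self, policy: Dict[Tuple[str, str], int], scm: ServiceControlManager):
        self.policy, self.scm = policy, scm  # (process, service) -> permitted mask

    def open_service(self, process: str, name: str, access: int):
        permitted = self.policy.get((process.lower(), name.lower()))
        if permitted is None:
            return "no_policy", None
        effective = access & permitted  # least access, as for duplicable handles
        hid = self.scm.open_service(PRIVILEGED_CTX, name, effective) if effective else None
        return ("granted", hid) if hid is not None else ("denied", None)

    def perform(self, op: str, hid: int) -> Tuple[int, Optional[str]]:
        """Carry out a proxied operation in the privileged context; return its result."""
        return self.scm.operate(PRIVILEGED_CTX, hid, op)


class ProxyHook:
    """User-process side: keeps the table of SC_HANDLEs opened on its behalf."""
    def __init__(self, process: str, user: str, service: ProxyService, scm: ServiceControlManager):
        self.process, self.user, self.service, self.scm = process, user, service, scm
        self.proxied: Dict[int, str] = {}  # SC_HANDLE -> service name

    def open_service(self, name: str, access: int) -> Optional[int]:
        status, hid = self.service.open_service(self.process, name, access)
        if status == "granted":
            self.proxied[hid] = name
            return hid
        if status == "no_policy":  # pass-through from the user's own context
            return self.scm.open_service(self.user, name, access)
        return None

    def call(self, op: str, hid: int) -> Tuple[int, Optional[str]]:
        """Intercepted API call on an SC_HANDLE: proxy it if the service owns the handle."""
        if hid not in self.proxied:
            return self.scm.operate(self.user, hid, op)
        result = self.service.perform(op, hid)
        if op == "close" and result[0] == 0:
            del self.proxied[hid]
        return result


def demo() -> Dict[str, object]:
    """Constructed run: alice has no rights on the Spooler service herself."""
    scm = ServiceControlManager({"spooler": {PRIVILEGED_CTX: 0xFFFF, "alice": 0}})
    policy = {("svcadmin.exe", "spooler"): SERVICE_QUERY_STATUS | SERVICE_START}  # no STOP
    hook = ProxyHook("svcadmin.exe", "alice", ProxyService(policy, scm), scm)
    hid = hook.open_service("spooler", SERVICE_QUERY_STATUS | SERVICE_START | SERVICE_STOP)
    return {
        "direct_open": scm.open_service("alice", "spooler", SERVICE_QUERY_STATUS),
        "foreign_use": scm.operate("alice", hid, "query")[0],  # raw handle is useless to alice
        "status": hook.call("query", hid)[1],
        "start": hook.call("start", hid)[1],
        "stop": hook.call("stop", hid)[0],
        "close": hook.call("close", hid)[0],
        "after_close": hook.call("query", hid)[0],
    }
```

The `foreign_use` entry shows why the hook's table is needed: handed the raw SC_HANDLE, the user's context gets ERROR_INVALID_HANDLE, because the handle is bound to the context that opened it. The `stop` entry shows least access carried over to the proxied path: the policy permitted query and start only, so the handle the service holds cannot stop the service even though the service's own context could have asked for that right.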
- the proxy resource access mechanism as described herein has many advantages.
- the proxy resource access method and apparatus provides exceptions to the resource access control which would otherwise be enforced by the security unit 250 .
- the proxy resource access mechanism may define exceptional elevation, or exceptional degradation, of the access rights of the user process 120 with respect to the desired resource 115 .
- these exceptions provide a finely granulated level of control.
- At least some embodiments of the invention may be constructed, partially or wholly, using dedicated special-purpose hardware.
- Terms such as ‘component’, ‘module’ or ‘unit’ used herein may include, but are not limited to, a hardware device, such as a Field Programmable Gate Array (FPGA) or Application Specific Integrated Circuit (ASIC), which performs certain tasks.
- elements of the invention may be configured to reside on an addressable storage medium and be configured to execute on one or more processors.
- functional elements of the invention may in some embodiments include, by way of example, components, such as software components, object-oriented software components, class components and task components, processes, functions, attributes, procedures, subroutines, segments of program code, drivers, firmware, microcode, circuitry, data, databases, data structures, tables, arrays, and variables.
- the example embodiments have described an improved mechanism to control access to a resource within a computer device.
- the industrial application of the example embodiments will be clear from the discussion herein.
Description
- The present application is a continuation of U.S. patent application Ser. No. 13/630,667, which was filed on Sep. 28, 2012, which application claims priority from foreign application GB1116838.2, which was filed in the United Kingdom on Sep. 30, 2011, the disclosures of each of which are incorporated herein by reference in their entirety.
- The present invention relates generally to the field of computers and computer devices. More particularly, the present invention relates to a method and apparatus for controlling access to a resource in a computer device by providing an improved resource access mechanism.
- A computer device executes a process using a plurality of physical and logical resources, such as system services, drivers, files and registry settings. Many operating systems include a security module that enforces access rights for each process, whereby the process is permitted (or denied) access to each of the resources, consistent with a set of security privileges allocated to that process. For example, a process of an ordinary user level is able to read from a particular file, but is not permitted to write to that file. Meanwhile, a process of a local administrator level typically has a higher privilege, e.g. is able to both read from and write to that file.
- In many operating systems, the security model applies the access privileges based on the user's account. The operating system may define privilege levels appropriate to different classes, or groups, of users, and then apply the privileges of the relevant class or group to the particular logged-in user (e.g., ordinary user, super-user, local administrator, system administrator and so on). The user is authenticated by logging in to the computer device, and the user, via their previously prepared security account, acts as a security principal in the security model. The operating system then grants appropriate privileges to processes which execute in that user's security context.
- It is desirable to implement a least-privilege access model, whereby each user is granted the minimal set of access privileges which is just sufficient for the user's desired processes to operate on the computer device. However, in practice, many application programs require a relatively high privilege level, such as the local administrator level, in order to install and operate correctly. Hence, there is a widespread tendency to grant additional privilege rights, such as the local administrator level, and thus user processes gain greater access to the resources of the computer device than is desirable or appropriate from a security viewpoint. For example, these additional privilege rights may then enable accidental tampering with key resources of the computer device, leading to errors or corruption within the device. Further, a particular user process (e.g. an infection or malware) may maliciously access key resources of the computer device with the deliberate intention of subverting security or causing damage.
- Therefore, there is a need to provide a mechanism which allows the least-privilege principle to be implemented while still enabling the desired, legitimate, processes to execute on the computer device by accessing the relevant resources. In particular, there is a need to enable higher-level access rights, such as local administrator rights, but without compromising security of the computer device.
- The example embodiments have been provided with a view to addressing at least some of the difficulties that are encountered in current computer devices, whether those difficulties have been specifically mentioned above or will otherwise be appreciated from the discussion herein.
- According to the present invention there is provided a computer device, a method and a computer-readable storage medium as set forth in the appended claims. Other, optional, features of the invention will be apparent from the dependent claims, and the description which follows.
- At least some of the following example embodiments provide an improved mechanism for controlling access to a resource in a computer device. There now follows a summary of various aspects and advantages according to embodiments of the invention. This summary is provided as an introduction to assist those skilled in the art to more rapidly assimilate the detailed discussion herein and does not and is not intended in any way to limit the scope of the claims that are appended hereto.
- In one aspect there is provided a computer device which includes an execution environment for a user process and a security unit which selectively controls access to a plurality of resources. A proxy resource access unit includes a proxy hook module embedded within the user process, and a proxy service module executing in another security context. The proxy hook intercepts system calls by the user process requesting access to a desired resource and, in response, generates a proxy resource access request. The proxy service module selectively validates the request and, if valid, obtains a resource handle from the security unit that permits access to the desired resource. The resource handle is returned to the user process via the proxy hook module thereby permitting subsequent access by the user process to the desired resource. In one embodiment, the proxy service module is arranged to operate the desired resource on behalf of the user process.
- In one aspect, a computer device is provided which includes an execution environment arranged to execute a user process according to a user security context which defines access privileges of the user process; a security unit arranged to selectively control access by the user process to a plurality of resources available in the execution environment according to the user security context, wherein the user process is arranged to request access to a desired resource of the plurality of resources by making a system call to the security unit; and a proxy resource access unit comprising: a proxy hook module embedded within the user process, wherein the proxy hook module is arranged to intercept the system call made by the user process to request access to the desired resource and to generate and send a proxy resource access request in response thereto; and a proxy service module arranged to execute in a privileged security context different from the user security context of the user process, wherein the proxy service module is arranged to receive and validate the proxy resource access request from the proxy hook module and, if validated, to obtain from the security unit a resource handle that permits access to the desired resource and to return the resource handle to the user process via the proxy hook module thereby permitting access by the user process to the desired resource.
- In one example, the proxy resource access unit is arranged to selectively control access by the user process to the resources as exceptions to the access control by the security unit.
- In one example, the proxy resource access unit is arranged to selectively enable access by the user process to the desired resource whereas access to the desired resource otherwise would not be permitted by the security unit, and/or the proxy resource access unit is arranged to selectively deny access by the user process to the desired resource whereas access to the desired resource otherwise would be permitted by the security unit.
- In one example, the proxy resource access unit is arranged to validate the proxy resource access request against a policy list comprising a plurality of predetermined policies which define access to the resources by the user process. In one example, the user process is arranged to declare a desired access level in the system call. The access levels may depend on the nature or type of the desired resource. In one example, the desired access levels include create, read and/or write access with respect to the desired resource. In one example, the proxy hook module is arranged to record the desired access level in the proxy resource access request. In one example, the proxy service module is arranged to allow, or deny, access to the desired resource by comparing the desired access level against one or more access levels recorded in the predetermined policies of the policy list. In one example, the proxy resource access request comprises an identity of the user process and the proxy service module allows, or respectively denies, access to the desired resource by comparing the identity of the user process against one or more user process identities recorded in the predetermined policies. In one example, the policy list records whether a requested form of access is to be permitted or denied.
- In one example, the proxy service module is arranged to obtain the resource handle which permits access to the desired resource. In one example, the proxy service module is arranged to duplicate the resource handle into a context of the user process as a duplicate handle to be used by the user process to access the desired resource.
- In one example, the proxy service module is arranged to return an error code to the proxy hook module. In one example, the proxy service module is arranged to return an error code to the proxy hook module where the proxy resource access request is not permitted. In one example, the proxy hook module is arranged to pass the system call from the user process to the security unit to be processed according to the user security context.
- In one example, the proxy hook module is further arranged to intercept system calls made by the user process to operate the desired resource. In one example, the proxy service module is arranged to operate the desired resource on behalf of the user process.
- In one example, the proxy hook module is arranged to maintain a record of a system resource handle that has been opened by the proxy service module on its behalf with respect to a desired resource. In one example, the desired resource is provided as a system service. In one example, the proxy hook module is arranged to selectively intercept system calls made by the user process to request an operation of the desired resource. In one example, the proxy service module is arranged to perform the requested operation on behalf of the proxy hook module. In one example, the proxy service module is arranged to return a result of performing the requested operation in a return message.
- In one example, the proxy hook module is provided as a dynamic linked library component which hooks into the user process when the user process is started. In one example, the user process is arranged to make the system call through an application programming interface.
- In one aspect there is provided a method of controlling access to a resource in a computer device. The method includes executing a user process in an execution environment of the computer device according to a user security context which defines access privileges of the user process; controlling access by the user process to a plurality of resources available in the execution environment according to the user security context by a security unit of the computer device, wherein the user process is arranged to request access to a desired resource of the plurality of resources by making a system call to the security unit; intercepting the system call made by the user process to request access to the desired resource by a proxy hook module embedded within the user process; generating a proxy resource access request by the proxy hook module in response to intercepting the system call and sending the proxy resource access request to a proxy service module executing in a privileged security context different from the user security context of the user process; validating the proxy resource access request by the proxy service module and, if validated, obtaining from the security unit a resource handle that permits access to the desired resource; and returning the resource handle from the proxy service module to the user process via the proxy hook module thereby permitting access by the user process to the desired resource.
- In one aspect, a computer-readable storage medium is provided having recorded thereon instructions which, when implemented by a computer device, cause the computer device to be arranged as set forth herein and/or which cause the computer device to perform the method as set forth herein.
- Of course, those skilled in the art will appreciate that the present invention is not limited to the above contexts or examples, and will recognize additional features and advantages upon reading the following detailed description and upon viewing the accompanying drawings.
- For a better understanding of the invention, and to show how example embodiments may be carried into effect, reference will now be made to the accompanying drawings in which:
- FIG. 1 is a schematic overview of an example computer device in which the example embodiments may be applied;
- FIG. 2 is a schematic diagram showing the example computer device in more detail concerning access to resources by a process;
- FIG. 3 is a schematic diagram showing the example computer device in more detail concerning a process privilege management mechanism;
- FIG. 4 is a schematic diagram showing the example computer device in more detail concerning the operating system;
- FIG. 5 is a schematic diagram showing the example computer device in more detail concerning a resource access management mechanism;
- FIG. 6 is a schematic diagram showing the example computer device in more detail concerning a resource access management mechanism and a method of accessing resources in the computer device;
- FIG. 7 is a schematic diagram showing the example computer device in more detail concerning a resource access management mechanism and a method of accessing resources in the computer device.
- The example embodiments of the present invention will be discussed in detail in relation to Microsoft™ Windows™ operating systems. However, the teachings, principles and techniques of the present invention are also applicable in other example embodiments. For example, the example embodiments are also applicable to other operating systems, in particular those having a discretionary access control security model.
- FIG. 1 is a schematic overview of a computer device 200 according to an example embodiment of the present invention. In this example, the host computer device 200 includes physical hardware (HW) 201 such as memory, processors, I/O interfaces, backbone, power supply and so on as are found in, for example, a typical server computer. An operating system (OS) 202 provides a multitude of components, modules and units that coordinate to provide a runtime environment (RTE) 203 which supports execution of a plurality of processes. Here, the processes may include one or more user processes (USRP) 120. The user processes 120 may relate to one or more application programs which the user desires to execute on the computer device 200.
- The computer device 200 includes a plurality of resources, being the resources which the processes 120 will rely upon in order to carry out their execution.
- As shown in FIG. 1, the operating system 202 includes a security module (SECO) 210 which is provided to enforce security within the computer device 200. As one example, the security module 210 is provided by the Windows™ operating system as supplied by Microsoft Corp of Redmond, Wash., USA, under the trade marks Windows NT, Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 7, amongst others. The security module 210, also termed a security sub-system or security manager, suitably enacts the Windows security model as described, for example, in "Windows Security Overview" published 10 Jun. 2011 by Microsoft Corporation, which is incorporated herein by reference in its entirety.
- Each process 120 that a user initiates will be run in a security context 121 that derives access rights and permissions from the user's account. To this end, each process 120 is provided with an access token (AT) 122. The access token 122 typically carries the security identifier (SID) of the user and the SIDs of any other security groups to which the user belongs. The access token 122 thus defines the privileges as held on this host computer 200 by the user and the relevant security groups.
- In the example embodiment, the security module 210 is arranged to perform an access check when a user process 120 requests access to any of the resources. The security module 210 performs the access check by comparing the access token 122 of the process 120 against a security descriptor, such as an access control list (ACL) 116, 126, associated with the relevant resource.
- In FIG. 1, the security module (SECO) 210 in the operating system 202 is sufficient to prevent the user process 120 from tampering with certain key resources 115 while allowing the user process 120 to access appropriate user resources 125, according to the respective access control lists. As one example, the user process 120 is able to read from, but not write to, a file of the key resources 115. Typically, the defined access types will depend upon the type of resource being accessed. For example, storage is typically defined by read and write access rights, while a process may have terminate access rights which determine whether or not a request to terminate that process will be actioned by the operating system 202. As noted above, a user-level security context 121 is based on the user as the security principal and the access token 122 is set accordingly. Suitably, in a system which adopts the least-privilege access model, the user-level security context 121 is deliberately restricted to a minimal set of access rights.
- FIG. 2 is a schematic diagram showing the example computer device in more detail. In this example, the user process is able to access both the permitted user resources 125 and also the key resources 115. In this example, the key resources 115 are any resources of the computer device where it is desired to protect those resources against access by the user processes 120.
- In practice, it is common for a user to be included in a security group, such as the local administrator security group, so that application programs desired by the user will install and operate correctly without needing additional support from a higher-authorized user (such as IT administrator personnel). Where a user is included in such a privileged security group, all of the user processes 120 initiated by that user will then be granted the higher-level privilege rights, such as local administrator rights, indiscriminately. Thus, granting local administrator rights, or similar higher privileges, generally allows all user processes 120 to access many of the key resources 115 of the computer system in an indiscriminate manner.
- FIG. 3 is a schematic diagram showing the example computer device in more detail. In this example, the computer device includes a privilege management module (PPMAN) 110. This module 110 is arranged to perform dynamic process privilege reassignment, whereby the user process 120 is examined and selectively provided with an adjusted set of privileges. Typically, the privileges of the user process 120 are elevated above an initial level. However, it is also possible to selectively degrade the privilege level of a particular user process using the same adjustment mechanism.
- As shown in FIG. 3, the user process 120 is granted a privileged user security context 121a by the privilege management module 110. This can be considered as a dynamic elevation of the privilege level of the user process 120, so that the specific user process 120 is able to achieve a desired, legitimate function which requires greater access rights than were available initially. The process 120 to be elevated is provided with a new access token 122a, which is created based on the initial access token 122 of that process. As one example, the SID of the local administrator group is added to this new access token 122a, and consequently the process 120 now obtains the privileges and integrity level of the local administrator. The user process 120 is then assigned the new access token 122a, such as by stopping and restarting the process, and thus the privileged user security context 121a is now applied to that user process 120.
- As noted above, there is a potentially undesirable side-effect of this privilege management mechanism, because the user process 120 is now provided in a privileged user security context 121a having an access token 122a denoting access rights capable of accessing the key resources 115. In this situation, the security module 210 of the operating system 202 is now incapable of denying access by the user process 120 to all of the plurality of key resources 115. In other words, even assigning security privileges per individual user process 120 still does not discriminate between individual key resources 115. As one example, it is desired that a local administrator should be able to access all of the key resources 115 legitimately, whereas a user process 120, even when dynamically elevated to the local administrator level, should not have those same access privileges with respect to all of the key resources 115.
- FIG. 4 is a schematic diagram showing the example computer device 200 in more detail.
- In particular, FIG. 4 shows internal components within the operating system OS 202 in more detail. In the example embodiment, the operating system 202 is based on Windows NT and includes two main components, namely the user mode 220 and the kernel mode 230. The user mode 220 includes integral subsystems (INT SUB) 221 such as workstation service, server service and the security module 210 as discussed above. The user mode 220 also includes environment subsystems (ENV SUB) 223 such as a Win32 environment subsystem, a POSIX environment subsystem and an OS/2® environment subsystem to support user programs, including the user processes 120 as discussed above. These programs and subsystems in the user mode 220 have limited access to system resources. Meanwhile, the kernel mode 230 has unrestricted access to the computer device, including system memory and external devices, etc. The kernel mode 230 includes a hardware abstraction layer (HAL) 231 which interfaces with the physical hardware H/W 201, and a plurality of services, which together are termed the Executive 233. The Executive 233 may include an Object Manager (OBJ MAN) 235 and other services (EXE SERV) 237.
- The object manager 235 is an executive subsystem which controls access to objects. The object manager 235 considers each of the resources as an object, and requests go through the object manager 235 in order to gain access to the resources. The object manager 235 creates and inserts new objects, which makes the object accessible through a handle. Generally speaking, the handle is a unique numerical identifier which identifies that object (resource) to the object manager 235. Each object created by the object manager 235 is stored in an object table, and each entry in the object table may include the object name, security attributes, a pointer to its object type, and other parameters. Typically, the operating system 202 is configured so that every request to access a resource passes through the object manager 235. If the resource is not already open, an access check is performed by the security module 210 as discussed above. However, a request to access a resource through an existing, open object handle will generally be allowed without further security checks, provided that the requested access does not exceed the level of access requested when the object was opened or created.
- As shown in FIG. 4, the computer 200 provides a security unit which in the example embodiments includes the security module 210 and the object manager 235. The security module 210 is arranged to control access to the resources when an object is opened or created, while the object manager 235 may directly permit access to the resources through an existing open handle managed by the object manager 235.
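The access check and the open-handle rule described above as a simplified runnable model, added here for this page and not the patent's or Microsoft's code: a DACL is walked in order, a matching deny ACE that covers any right not yet granted refuses the request, allow ACEs accumulate rights until the request is covered, a NULL DACL grants everything and an empty DACL nothing; once a handle exists, operations through it are checked only against the access granted when it was opened, and the DACL is not consulted again. The object manager, the SID names (`Users`, `Everyone`, `Administrators` and the user names) and the object names are stand-ins; the two mask values are the FILE_READ_DATA and FILE_WRITE_DATA bits. Generic rights, MAXIMUM_ALLOWED, owner rights and privileges are left out of the model.

```python
"""Simplified model of the Windows access check and of handle-based access.
Constructed for illustration; not the patent's or Microsoft's code.
Mask values are FILE_READ_DATA and FILE_WRITE_DATA; SIDs are stand-in names."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

FILE_READ_DATA, FILE_WRITE_DATA = 0x1, 0x2


@dataclass
class Ace:
    kind: str  # "allow" or "deny"
    sid: str
    mask: int


def access_check(token_sids: Set[str], dacl: Optional[List[Ace]], desired: int) -> bool:
    """Walk the DACL in order. A matching deny ACE covering any right not yet
    granted refuses; allow ACEs accumulate rights; stop once all are granted.
    A NULL DACL (None) grants everything; an empty DACL grants nothing."""
    if dacl is None:
        return True
    remaining = desired
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0


class ObjectManager:
    """Stand-in object manager: objects with a DACL, and a handle table that
    remembers the access granted when each handle was opened."""
    def __init__(self, objects: Dict[str, Optional[List[Ace]]]):
        self.objects = objects
        self.handles: Dict[int, Tuple[str, int]] = {}  # hid -> (object name, granted mask)
        self._next = 4

    def open(self, token_sids: Set[str], name: str, desired: int) -> Optional[int]:
        """The only place the DACL is consulted; the granted mask is then fixed."""
        if name not in self.objects or not access_check(token_sids, self.objects[name], desired):
            return None
        hid, self._next = self._next, self._next + 4
        self.handles[hid] = (name, desired)
        return hid

    def operate(self, hid: int, needed: int) -> bool:
        """Operations through an open handle are checked against its granted mask only."""
        h = self.handles.get(hid)
        return h is not None and not (needed & ~h[1])


def demo() -> Dict[str, bool]:
    """Constructed tokens and DACLs. key.cfg is canonical (deny first);
    mis.cfg places an allow ACE before the deny ACE it was meant to be limited by."""
    rw = FILE_READ_DATA | FILE_WRITE_DATA
    canonical = [Ace("deny", "Users", FILE_WRITE_DATA), Ace("allow", "Everyone", FILE_READ_DATA),
                 Ace("allow", "Administrators", rw)]
    misordered = [Ace("allow", "Everyone", rw), Ace("deny", "Users", FILE_WRITE_DATA)]
    om = ObjectManager({"key.cfg": canonical, "mis.cfg": misordered, "open.log": None, "locked.cfg": []})
    alice = {"alice", "Users", "Everyone"}          # ordinary user token
    admin = {"bob", "Administrators", "Everyone"}   # local administrator token
    read_handle = om.open(alice, "key.cfg", FILE_READ_DATA)
    return {
        "alice_read": read_handle is not None,
        "alice_rw": om.open(alice, "key.cfg", rw) is not None,
        "admin_rw": om.open(admin, "key.cfg", rw) is not None,
        "alice_rw_misordered": om.open(alice, "mis.cfg", rw) is not None,
        "null_dacl_rw": om.open(alice, "open.log", rw) is not None,
        "empty_dacl_read": om.open(alice, "locked.cfg", FILE_READ_DATA) is not None,
        "read_via_read_handle": om.operate(read_handle, FILE_READ_DATA),
        "write_via_read_handle": om.operate(read_handle, FILE_WRITE_DATA),
    }
```

`demo()` also covers a mis-ordered DACL (`mis.cfg`, allow before deny): there the allow ACE satisfies the request before the deny ACE is reached, so alice gets the write access the deny ACE was meant to remove. That is why Windows tools write DACLs in canonical order, explicit deny ACEs first, and why any policy that leans on deny ACEs has to check ACE ordering. The last two entries show the handle rule the page describes: a handle opened for read keeps working for reads and refuses writes without the DACL being re-evaluated.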
FIG. 5 is a schematic diagram showing the example computer device in more detail concerning an example embodiment of a proxy resource access mechanism. As shown inFIG. 5 , the example embodiment provides a proxyresource access unit 300 comprising aproxy hook module 310 and aproxy service module 320. - As shown in
FIG. 5 , theexample computer device 200 provides theexecution environment 203 to execute theuser process 120 according to theuser security context 121. As noted above, theuser security context 121 ordinarily defines the access privileges of theuser process 120 with respect to the plurality ofresources execution environment 203. Asecurity unit 250 is arranged to selectively permit, or deny, access by theuser process 120 to the plurality ofresources security unit 250 includes thesecurity module 210 and theobject manager 235 as discussed above. -
FIG. 6 is a schematic diagram showing the example computer device in more detail concerning the example proxy resource access unit. In particular,FIG. 6 shows a flow of control to proxy access to privileged resources and a respective method of accessing resources in the computer device. - In operation, the
user process 120 makes a system call toward thesecurity unit 250 to request access to a desiredresource 115 amongst the plurality ofavailable resources execution environment 203. InFIG. 6 , the system call is represented by the arrow atstep 501. - In the example embodiment, a
proxy hook 310 is embedded within theuser process 120. In one example, theproxy hook 310 is a DLL (dynamic linked library) component that will hook into each user process. Theproxy hook 310 suitably hooks into theuser process 120 as that process is started within theexecution environment 203. In the example embodiment, theproxy hook 310 is arranged to intercept all relevant system calls that open resources. In the Windows operating system, the Windows API (application programming interface) provides a plurality of system calls as shown in Table 1. These are examples of the system calls that may be made by theuser process 120 in order to request access to therelevant resources -
TABLE 1 Resource Win32 API Calls Native API Calls File CreateFile ZwCreateFile OpenFile ZwOpenFile Registry Key RegCreateKeyEx ZwCreateKey RegOpenKeyEx ZwOpenKey Process OpenProcess ZwOpenProcess Event CreateEvent ZwCreateEvent CreateEventEx ZwOpenEvent OpenEvent Mutex CreateMutex ZwCreateMutat CreateMutexEx ZwOpenMutant OpenMutex Semaphore CreateSempahore ZwCreateSemaphore CreateSemapthoreEx ZwOpenSemaphore OpenSemaphore Communications CreateFile ZwCreateFile Device File Mapping CreateFileMapping ZwCreateSection ZwOpenSection Job CreateJobObject ZwCreateJobObject ZwOpenJobObject Mailslot CreateMailslot ZwCreateMailslotFile Pipe CreateNamedPipe ZwCreateNamedPipeFile CreateFile ZwCreateFile Timer CreateWaitableTimer ZwCreateTimer OpenWaitableTimer ZwOpenTimer - The
proxy hook 310 is arranged to generate a proxy resource access request as shown by the arrow atstep 502. This request message suitably includes the name of the desiredresource 115. The request message atstep 502 may further identify theuser process 120 that is trying to open the desired resource. The request message atstep 502 may further identify the desired access (i.e. the type of access which is desired such as read or write). The request message atstep 502 may further identify any other relevant parameters that would ordinarily be passed to the API call. These other parameters may depend particularly upon the type of the resource. - A
proxy service 320 is arranged to receive the proxy resource access request message atstep 502 from theproxy hook 310. Theproxy hook 310 and theproxy service 320 communicate by any suitable form of inter-process communication (IPC). Theproxy service 320 executes in aprivileged security context 111. As an example, theproxy service 320 may run in theprivileged security context 111 of the SYSTEM account. Typically, thisprivileged security context 111 gives unrestricted access to local resources. Further, the privileges of the SYSTEM account also enable theproxy service 320 to impersonate the security context of a logged on user or a local administrator, if this is necessary to access specific resources. - The
proxy service 320 is arranged to validate the proxy resource access request message atstep 502 from theproxy hook 310 as represented by the arrow atstep 503. The validation may take any suitable form. In the example embodiments, theproxy service 320 validates the request against a plurality ofpolicies 330. The validation may include checking a file name of theuser process 120, the owner of the process 120 (i.e. the user), or other suitable criteria. Thepolicy 330 provides a configurable mechanism to determine whether or not the requested access will be permitted or denied. Thepolicies 330 suitably identify theresources user process 120. Theresources policies 330 by providing a name of the resource. In an example embodiment, non-exact matching is also permitted within thepolicies 330, such as by wild card matching against resource names. In the example embodiment, theproxy service 320 suitably identifies whether or not apredetermined policy 330 exists with reference to this request, i.e. identifying therelevant user process 120 and the desiredresource 115. - Where the
proxy service 320 validates the request atstep 503, theproxy service 320 will then obtain a resource handle from thesecurity unit 250 that permits access to the desiredresource 115. In the example embodiment, theproxy service 320 executing in theprivileged security context 111 is permitted by thesecurity unit 250 to obtain access to the desiredresource 115. As a result, thesecurity unit 250 returns the resource handle which permits access to the desiredresource 115. In one example embodiment, theproxy service 320 comprises a proxy open resource function which requests access to the desiredresource 115 through thesecurity unit 250 as represented by arrow atstep 504. Suitably, the proxy service resource access request atstep 504 from theproxy service 320 to thesecurity unit 250 defines a most restricted access right (following least-access principles), when considering the access as requested in the request message atstep 502 passed from theproxy hook 310 and the access as permitted by thepolicies 330 with respect to the desiredresource 115. - Assuming that the API call by the
proxy service 320 atstep 504 is successful, then a handle to that object (a resource handle) is returned by thesecurity unit 250 atstep 505. The resource handle is returned by theproxy service 320 to theproxy hook 310 atstep 506. Theproxy hook 310 returns the resource handle to theuser process 120 atstep 507. Subsequently, theuser process 120 is able to access the desiredresource 115 using the resource handle that has been obtained through this proxy resource access mechanism. - In one example embodiment, the
proxy service 320 duplicates the resource handle 505 into the context of theuser process 120. Suitably, theproxy service 320 duplicates the resource handle obtained from thesecurity unit 250 into the address space of theuser process 120. - Where the
proxy service 320 atstep 503 does not validate the original request message as sent atstep 502 from theproxy hook 310, then theproxy service 320 suitably returns an error message to theproxy hook 310 atstep 506. For example, if there is no match within thepolicies 330 for theuser process 120 and/or for the desiredresource 115, then an appropriate error code is suitably returned to theproxy hook 310. As another example, if there is match within thepolicies 330 for theuser process 120 and/or for the desiredresource 115, but the match indicates that the requested access should be denied, then an appropriate error code is suitably returned to theproxy hook 310. - In one example, the
proxy service 320 is arranged to send the reply atstep 506 immediately when the request message atstep 502 cannot be validated with respect to thepolicies 330 atstep 503. In this situation, theproxy service 320 does not attempt to make a request to thesecurity unit 250 atstep 504. - Where the
proxy service 320 atstep 504 does not obtain a handle to the desired resource, then theproxy service 320 suitably returns an error message to theproxy hook 310 atstep 506. For example, if thesecurity unit 250 denies access to the desired resource 115 (such as by returning a NULL handle at step 505), then an appropriate error code is suitably returned to theproxy hook 310 atstep 506. - In the example embodiments, the
proxy hook 310 atstep 508 is arranged to selectively pass through the system call made by theuser process 120. For example, if theproxy service 320 returned an error code indicating that no policy was set, that the request is denied, or that the proxy service was unable to obtain a handle, then it may be prudent to allow theuser process 120 to continue with the original request for that desiredresource 115. In the example embodiments, this pass-through is a failsafe procedure which allows theuser process 120 to request access to the desired resource from itsown security context 121. The system call is then made to thesecurity unit 250 and a reply is received atstep 510, which may be an error code denying access to the resource or a handle provided directly from thesecurity unit 250. Here, the reply is returned via theproxy hook 310 atstep 511 and provided to the user process atstep 507. - In another example embodiment, the
proxy hook 310 is arranged, as a primary path, to pass through the system call made by theuser process 120 to the OS as atstep 508 and, if that system call fails, the proxy hook will then initiate the proxy resource access request as atsteps 502 et seq as a secondary path. - As noted in Table 1, in the example embodiments the WIN32 API functions will call their native API counterparts. Here the native API provides the interface between the user mode 220 and the
kernel mode 230 within theoperating system 202 as noted above. Therefore, in the example embodiments, theproxy hook 310 may be implemented by intercepting the Win32 API or the native API functions. For example, a file can be created or opened through the Wn32 API via the CreateFile function or through the native API via the ZwCreateFile and ZwOpenFile functions. - In one example embodiment, the proxy
resource access unit 300 is provided in conjunction with theprivilege management module 110 as discussed above. Thus, theprivilege management module 110 is able to selectively apply an alternate set of access rights specifically to theparticular user process 120 of interest. Meanwhile as discussed below, the proxyresource access unit 300 controls access by thatuser process 120 tospecific resources -
FIG. 7 is a schematic diagram showing the example computer device in more detail concerning the example proxy resource access unit and resource access control method. - In the example implementation of
FIG. 7 , some of theresources user process 120 by theproxy service 320. For example, opening Systems Services returns a SC_HANDLE which cannot be duplicated. In this situation, theproxy hook 310 is suitably arranged to intercept all of the system calls relevant to manipulating therelevant resource 115. - Initially, the
proxy services 320 will open the System Service on behalf of the proxy hook 310 (and thus on behalf of the user process 120) and will return a system resource handle (SC_HANDLE) that theproxy service 320 has opened with thesecurity unit 250. Suitably, the steps 501-507, and optionally steps 508-511, are performed as noted above. However, in this example embodiment, theproxy hook 310 maintains a table of system resource handles (a table of SC_HANDLEs) that have been opened by theproxy service 320 on its behalf. Whenever a System Service operation is performed on one of these system resource handles, theproxy hook 310 then proxies the relevant system call (API call) to theproxy service 320. Theproxy service 320 then performs the requested operation on behalf of theproxy hook 310 and returns the results in a corresponding return message. In this example, theproxy service 320 not only requests access to the relevant resource on behalf of theuser process 120 but further accesses and manipulates theresource 115 on behalf of theuser process 120. In the example embodiment, the System Services would require the system calls as shown in Table 2 below to be intercepted and proxied. -
TABLE 2 OpenService ChangeServiceConfig ChangeServiceConfig2 ControlService ControlServiceEx DeleteService EnumDependentServices NotifyServiceStatusChange QueryServiceConfig QueryServiceConfig2 QueryServiceObjectSecurity QueryServiceStatusEx SetServiceObjectSecurity StartService CloseServiceHandle - It will be appreciated that the proxy resource access mechanism as described herein has many advantages. The proxy resource access method and apparatus provides exceptions to the resource access control which would otherwise be enforced by the
security unit 250. Hence, the proxy resource access mechanism may define exceptional elevation, or exceptional degradation, of the access rights of theuser process 120 with respect to the desiredresource 115. In the example embodiments, these exceptions provide a finely granulated level of control. - At least some embodiments of the invention may be constructed, partially or wholly, using dedicated special-purpose hardware. Terms such as ‘component’, ‘module’ or ‘unit’ used herein may include, but are not limited to, a hardware device, such as a Field Programmable Gate Array (FPGA) or Application Specific Integrated Circuit (ASIC), which performs certain tasks. Alternatively, elements of the invention may be configured to reside on an addressable storage medium and be configured to execute on one or more processors. Thus, functional elements of the invention may in some embodiments include, by way of example, components, such as software components, object-oriented software components, class components and task components, processes, functions, attributes, procedures, subroutines, segments of program code, drivers, firmware, microcode, circuitry, data, databases, data structures, tables, arrays, and variables. Further, although the example embodiments have been described with reference to the components, modules and units discussed herein, such functional elements may be combined into fewer elements or separated into additional elements.
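The validation, least-access and failsafe pass-through logic of steps 502 to 511, modelled as an added example that is not code from the patent or from Avecto. The policy format, the simplified access bits, the status codes and the fake security unit 250 are constructed assumptions; a real proxy service should take the caller's process name and owner from the IPC peer rather than trust the fields in the request message.

```python
"""Model of the proxy resource access path (steps 502 to 511) described above.

Added example, not code from the patent or from Avecto. Policy format, access
bits, status codes and the fake security unit are constructed assumptions; a
real implementation would use Win32 access masks, IPC and DuplicateHandle.
"""
from dataclasses import dataclass
from enum import IntFlag
from fnmatch import fnmatchcase
from typing import Optional, Sequence


class Access(IntFlag):
    """Simplified access rights (constructed, not real Win32 mask values)."""
    NONE = 0
    READ = 1
    WRITE = 2
    DELETE = 4


@dataclass(frozen=True)
class ProxyRequest:
    """Step 502 message from the proxy hook: who wants what on which resource.
    Assumption: process_path and user come from the IPC peer, not the hook."""
    process_path: str   # file name of the user process 120
    user: str           # owner of the user process (the logged-on user)
    resource: str       # name of the desired resource 115
    desired: Access     # access the user process asked for


@dataclass(frozen=True)
class Policy:
    """One entry of policies 330; wild card patterns, first match wins."""
    process_pattern: str
    user_pattern: str
    resource_pattern: str
    permitted: Access   # Access.NONE is an explicit deny


@dataclass(frozen=True)
class ProxyReply:
    """Step 506 reply; pass_through tells the hook to retry from the user's
    own security context 121 (the failsafe at step 508)."""
    status: str                 # "OK", "NO_POLICY", "DENIED" or "OPEN_FAILED"
    handle: Optional[int]
    granted: Access
    pass_through: bool


class FakeSecurityUnit:
    """Stand-in for security unit 250 (constructed). Names under the protected
    prefix open only from the SYSTEM context; 'unavailable' names fail for all."""

    def __init__(self, protected_prefix: str, unavailable: Sequence[str] = ()):
        self.protected_prefix = protected_prefix.lower()
        self.unavailable = {r.lower() for r in unavailable}
        self.next_handle = 0x100
        self.opened = {}

    def open(self, resource: str, access: Access, context: str) -> Optional[int]:
        name = resource.lower()
        if access == Access.NONE or name in self.unavailable:
            return None                       # NULL handle at step 505
        if name.startswith(self.protected_prefix) and context != "SYSTEM":
            return None                       # user context 121 is refused
        handle, self.next_handle = self.next_handle, self.next_handle + 4
        self.opened[handle] = (resource, access, context)
        return handle


def match_policy(policies: Sequence[Policy], req: ProxyRequest) -> Optional[Policy]:
    """Step 503: case-insensitive wild card match on process, owner and resource."""
    for p in policies:
        if (fnmatchcase(req.process_path.lower(), p.process_pattern.lower())
                and fnmatchcase(req.user.lower(), p.user_pattern.lower())
                and fnmatchcase(req.resource.lower(), p.resource_pattern.lower())):
            return p
    return None


def proxy_service(req: ProxyRequest, policies: Sequence[Policy],
                  unit: FakeSecurityUnit) -> ProxyReply:
    """Steps 503 to 506 as run by the proxy service 320 in the SYSTEM context."""
    policy = match_policy(policies, req)
    if policy is None:
        return ProxyReply("NO_POLICY", None, Access.NONE, True)
    # Least access (step 504): grant only what was both requested and permitted.
    granted = req.desired & policy.permitted
    if granted == Access.NONE:
        return ProxyReply("DENIED", None, Access.NONE, True)
    handle = unit.open(req.resource, granted, "SYSTEM")
    if handle is None:
        return ProxyReply("OPEN_FAILED", None, Access.NONE, True)
    return ProxyReply("OK", handle, granted, False)


def proxy_hook_open(req: ProxyRequest, policies: Sequence[Policy],
                    unit: FakeSecurityUnit):
    """The proxy hook's view: proxy path first, then the failsafe pass-through
    (steps 508 to 511). Returns (handle or None, "proxy" | "pass_through" | None)."""
    reply = proxy_service(req, policies, unit)
    if reply.status == "OK":
        return reply.handle, "proxy"
    if reply.pass_through:
        handle = unit.open(req.resource, req.desired, req.user)
        return handle, ("pass_through" if handle is not None else None)
    return None, None
```

The pass-through never widens what the user's own context 121 could obtain, so a denied proxy request for a protected resource still ends in a NULL handle.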
In summary, the example embodiments have described an improved mechanism to control access to a resource within a computer device. The industrial application of the example embodiments will be clear from the discussion herein.

Although a few preferred embodiments have been shown and described, it will be appreciated by those skilled in the art that various changes and modifications might be made without departing from the scope of the invention, as defined in the appended claims. Therefore, the present embodiments are to be considered in all respects as illustrative and not restrictive, and all changes coming within the meaning and equivalency range of the appended claims are intended to be embraced therein.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/260,521 US20160378962A1 (en) | 2011-09-30 | 2016-09-09 | Method and Apparatus for Controlling Access to a Resource in a Computer Device |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB1116838.2 | 2011-09-30 | | |
GB1116838.2A GB2490374B (en) | 2011-09-30 | 2011-09-30 | Method and apparatus for controlling access to a resource in a computer device |
US13/630,667 US9443081B2 (en) | 2011-09-30 | 2012-09-28 | Method and apparatus for controlling access to a resource in a computer device |
US15/260,521 US20160378962A1 (en) | 2011-09-30 | 2016-09-09 | Method and Apparatus for Controlling Access to a Resource in a Computer Device |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/630,667 Continuation US9443081B2 (en) | 2011-09-30 | 2012-09-28 | Method and apparatus for controlling access to a resource in a computer device |
Publications (1)
Publication Number | Publication Date |
---|---|
US20160378962A1 true US20160378962A1 (en) | 2016-12-29 |
Family
ID=44994218
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US13/630,667 Active 2032-12-31 US9443081B2 (en) | 2011-09-30 | 2012-09-28 | Method and apparatus for controlling access to a resource in a computer device |
US15/260,521 Abandoned US20160378962A1 (en) | 2011-09-30 | 2016-09-09 | Method and Apparatus for Controlling Access to a Resource in a Computer Device |
Country Status (4)
Country | Link |
---|---|
US (2) | US9443081B2 (en) |
EP (1) | EP2748753B1 (en) |
GB (1) | GB2490374B (en) |
WO (1) | WO2013045928A1 (en) |
2011
- 2011-09-30 GB GB1116838.2A patent/GB2490374B/en active Active

2012
- 2012-09-27 EP EP12773104.0A patent/EP2748753B1/en active Active
- 2012-09-27 WO PCT/GB2012/052394 patent/WO2013045928A1/en active Application Filing
- 2012-09-28 US US13/630,667 patent/US9443081B2/en active Active

2016
- 2016-09-09 US US15/260,521 patent/US20160378962A1/en not_active Abandoned
Also Published As
Publication number | Publication date |
---|---|
GB2490374B (en) | 2013-08-07 |
EP2748753B1 (en) | 2018-08-22 |
US9443081B2 (en) | 2016-09-13 |
EP2748753A1 (en) | 2014-07-02 |
WO2013045928A1 (en) | 2013-04-04 |
US20130086696A1 (en) | 2013-04-04 |
GB201116838D0 (en) | 2011-11-09 |
GB2490374A (en) | 2012-10-31 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AS | Assignment | Owner name: AVECTO LIMITED, UNITED KINGDOM; Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:AUSTIN, MARK JAMES;REEL/FRAME:040307/0698; Effective date: 20161003 |
| AS | Assignment | Owner name: JEFFERIES FINANCE LLC, AS THE COLLATERAL AGENT, NE; Free format text: FIRST LIEN PATENT SECURITY AGREEMENT;ASSIGNOR:AVECTO LTD;REEL/FRAME:047190/0202; Effective date: 20181003 |
| AS | Assignment | Owner name: JEFFERIES FINANCE LLC, AS THE COLLATERAL AGENT, NE; Free format text: SECOND LIEN PATENT SECURITY AGREEMENT;ASSIGNOR:AVECTO LTD;REEL/FRAME:047193/0542; Effective date: 20181003 |
| STPP | Information on status: patent application and granting procedure in general | Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
| STPP | Information on status: patent application and granting procedure in general | Free format text: NON FINAL ACTION MAILED |
| STCB | Information on status: application discontinuation | Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |
| AS | Assignment | Owner name: AVECTO LTD, UNITED KINGDOM; Free format text: RELEASE OF SECOND LIEN PATENT SECURITY AGREEMENT;ASSIGNOR:JEFFERIES FINANCE LLC;REEL/FRAME:065697/0239; Effective date: 20231128. Owner name: AVECTO LTD, UNITED KINGDOM; Free format text: RELEASE OF FIRST LIEN PATENT SECURITY AGREEMENT;ASSIGNOR:JEFFERIES FINANCE LLC;REEL/FRAME:065696/0980; Effective date: 20231128 |
