In the art of computing, it may be desirable to restrict access to a data file. One method known in the art is user based file access control. An executable executes with the access privileges associated with a particular user or group of users, and a data file may be configured so that only executables executing with the credentials of an authorized user or group of users may access the data file. For example, if an executable is executing with the credentials of User A, and the data file is configured to only allow access to executables executing with the credentials of User B, the executable will not be allowed to access the data file. Similarly, user based file access control may be applied to a class of users. For example, Users A, B, and C may be part of a class of ordinary users, and a data file may be configured to only allow access to users that are part of an Administrator class.
Another method known in the art is to only allow an executable to execute if the integrity of the executable is verified using a certificate. The executable is signed with a certificate issued by a Certificate Authority, and the signature of the executable is verified against the certificate before the executable is allowed to execute.
The Figures depict embodiments, implementations, and configurations of the invention, and not the invention itself.
In the foregoing description, numerous details are set forth to provide an understanding of the present invention. However, it will be understood by those skilled in the art that the present invention may be practiced without these details. While the invention has been disclosed with respect to a limited number of examples, implementations, and embodiments, those skilled in the art will appreciate numerous modifications and variations therefrom. It is intended that the appended claims cover such modifications and variations as fall within the true spirit and scope of the invention.
Examples of the present invention provide executable identity based file access control to determine whether a particular executable is allowed to access a particular data file. in essence, a “whitelist” is associated with each data file that defines which executables are allowed to access the data file. As discussed above in the Background section, it is known in the art to provide user identity based file access control such that only executables operating with proper user credentials may access a data file. It is also known it use digital certificates to determine whether a particular executable may be allowed to execute. However, these mechanisms do not allow data file access to be restricted based on the identity of the executable.
Consider an on-line retailer that operates a web-based storefront. Typically, a suite of executables are used to operate the storefront, including executables for displaying products offered for sale, entering and displaying customer reviews, taking orders, initiating credit card transactions, calculating shipping costs for various shipping options, and the like. These executables may be provided by a variety of vendors. Furthermore, assume that the on-line retailer maintains a customer database that includes customer user IDs, shipping addresses, email addresses, phone numbers, and credit card numbers. If all executables in the suite are executing with the same user credentials, each executable will have access to the customer database. Accordingly, if malicious code is introduced into any of the executables, that malicious code may access the customer database, and the information contained therein may be comprised. Using examples of the invention, access to the customer database can be limited to the executables that process orders and initiate credit card transactions. These executables may be provided by vendors that are inherently more trustworthy than the executables that perform other functions, such as maintaining customer reviews. Accordingly, examples of the present invention enhance security for the on-line vendor and the vendor's customers.
Certificates are stored in certificate store 28. Certificates are used to validate integrity, and a typical certificate includes the following items:
Note that certificates include public keys. A corresponding private key is associated with each certificate, and is kept private. The process of signing an object, such as an executable, comprises performing a function on the object using a function such as a 256-bit SHA2 hash function, The result of the function is encrypted with the private key to form the signature, and the signature is stored in a place where it can later be retrieved by one seeking to verify the integrity of the object. Often the signature is stored with the object.
The process of verifying the object comprises accessing the certificate to get the public key stored with the certificate, and performing the same function is performed on the object. The signature is decrypted with the public key and compared to the result of the function. A match verifies the integrity of the object, and a mismatch indicates that the object (or the signature or the certificate) has been altered, and therefore the integrity of the object cannot be verified.
In an enterprise computing environment, typically a user is defined to act as an Information Technology (IT) Security Officer. The Security Officer defines various policies relating to IT security. The Security Officer uses signature tool 14 to digitally sign an executable using a private key, and the certificate associated with the private key is stored in certificate store 28. The Security Officer also uses access policy toot 16 to define which executables are allowed to access various data files. The stored policy is also protected by a certificate. With reference to
When executable 12 is executing and seeks to open an I/O stream to data file 24, executable 12 passes an I/O request to file system module 18, In turn, file system module 18 passes a reference of executable 12 and a reference of data file 24 to policy in enforcement manager 20, Policy enforcement manager 20 accesses executable identity based access control list 26 and retrieves executable identity based file access policies for data file 24. Accordingly, policy enforcement manager 20 determines whether access should be permitted, and verifies the integrity of executable 12 and executable identity based access control list 26. If access is allowed and the integrity of executable 12 and executable identity based access control list 26 are verified, policy enforcement manager 20 signals file system module 18 to service the I/O request and open the I/O stream. Otherwise, policy enforcement manager 20 signals file system module 18 to deny the I/O request.
Before discussing the invention in greater detail, first consider a typical computer system in which examples of the invention may be deployed.
Although bus 32 is shown generically as a single bus, those skilled in the art will recognize that typically a variety of busses and fabrics are used to connect the components shown in
For the purposes of describing examples of the present invention, core logic 36 also includes other components found in a typical computer system, such as firmware and I/O components, disk controllers for local persistent storage, USB ports, video controllers coupled to monitors, keyboards, mice, and the like. To illustrate generically devices such as monitors, keyboards, mice, trackballs, touchpads, speakers, and the like, core logic 36 is shown as being connected to human interface devices. Note that such human interface devices may also be provided remotely via, network interface controller 40. In a server, some of these components may not be utilized.
Persistent storage 44 represents storage used to store local copies of the operating system, executables, and data. Persistent storage 44 may represent devices (and appropriate corresponding media) such as hard disk drives, solid state drives, tape drives, optical drives, floppy drives, and the like. Alternatively, persistent storage may be provided external to computer 30 via storage controller 42 or network interface controller 40. For example, storage controller 42 may be coupled to a storage area network (SAN), which in turn is coupled to a disk array subsystem. Similarly, network interface controller 40 may be coupled to a local area. network (LAN) or wide area network (WAN), which in turn is coupled to network attached storage.
Also note that executable 12, signature tool 14, access policy tool 16, file system module 18, policy enforcement manager 20, data. file 24, executable identity based access control list 26, and certificate store 28, all of
In
Virtual file system 46 provides access to executables operating in user space, as shown in
Stackable file system filter module 50 is coupled to policy enforcement manager 20. Stackable file system filter module 50 traps requests and determines, via communication with policy enforcement manager 20, whether the executable initiating the I/O request is authorized to access the data file that is the subject of the I/O request. Note that by providing a separate stackable module, examples of the present invention can be provided in present file system stacks without requiring significant alteration of the other modules in the file system stack.
Physical file system 52 manages access to physical files. The files may be present on local persistent storage, or storage coupled by a SAN, LAN, or WAN, as discussed above. Finally, volume manager 54 manages disk volumes found on persistent media. For example, volume manager 54 may manage multiple partitions on a single physical disk drive, mirrored volumes that mirror data to two or more physical disk drives, or other type of volumes known in the art.
If examples of the present invention are used with operating systems having executable formats that are not capable of storing metadata, the metadata shown in
Executable 12 includes an ELF header 56 that contains information such as:
Note that the list above includes a program header offset that identifies the location of the program header table. The program header table identifies segments containing executable code and data used at runtime, In
Also note that the list above includes a section header offset, which identifies the location of the section header table. The section header table identifies sections containing metadata associated with the executable, such as data related to linking and relocation. Additional sections may be defined, and in accordance with examples of the present invention, a signature metadata section 64 is defined. Section header table 60 includes an entry that identifies signature metadata section 64, Note that additional sections are represented by the three dots above signature metadata section 64.
Signature metadata section 64 includes executable identity field 66, executable signature field 68, and certificate name field 70. Executable identity field 66 stores an executable identity that uniquely identifies executable 12. For example, the executable identity may be generated by applying a hash function to the segments identified by program header table 58, such as executable segment 62. Certificate name field 70 stores a certificate name that identifies a certificate stored in certificate store 28 of
As mentioned above, data file 24 is associated with policy metadata 70. Policy metadata 70 includes policy signature field 72, certificate name field 74, and executable identity based access control list 26 (which is also shown in
Executable identity based access control list 26 stores the executable identity of each executable that is authorized to access data file 24, such as the executable identities stored in fields 76 and 78. As mentioned above, the executable identities may be generated by applying a hash function to the segments identified by program header table 58, such as executable segment 62. Executable identity based access control list 26 may be populated by access policy tool 16, as will be discussed in greater detail below.
Flowchart 80 starts at Start block 82, and control passes to block 84. At block 84, the private key associated with the certificate stored in certificate store 28 is retrieved. Note that the private key is kept private, and will typically be provided by the Security Officer. Typically certificates and the associated keys may be obtained from a Certificate Authority, such as VeriSign, Inc. Control passes to block 86.
At block 86, ELF header 56 and program header table 58 of
At block 88, using the private key retrieved in block 84, a hash function is applied to the segments identified in block 86 to form the executable identity. In one example, a one way 256-bit SHA2 hash is performed. The executable identity is signed with the private key to form the executable signature. Control passes to block 90.
At block 90, the executable identity, executable signature, and certificate name are stored in signature metadata section 64 of
If access policy tool 16 is being used to define data file access policies fir a data file for which such policies were not defined previously, policy metadata 70 of
At block 102, the executable identities for authorized executables are stored in the executable identity based access control list (list 26 in
At block 104, a hash function is applied to executable identity based access control list 26, and the result is signed using the private key retrieved in block 98 to generate the policy signature. In one example, the hash function is a one-way 256-bit SHA2 hash function. Control passes to block 106.
At block 106, the policy signature and the certificate name are stored in the policy metadata, as shown in
At block 114, the file system module receives an I/O request from the executable, such as executable 112 of
Decision block 116 determines whether policy metadata has been defined for the data file. Many data files in computing environment 10 of
At block 120, the certificate name and the stored policy signature are retrieved from the policy metadata, The certificate name is used to retrieve the proper public key from certificate store 28. The hash function is applied to the executable identity based access control list. Control passes to decision block 122.
At decision block 122, the hash result is compared to the policy signature decrypted with the public key. if they are different, then the executable identity based access control list has been altered. Note that the alteration may indicate a security breach, since the hash result and decrypted policy signature should match. If they do not match, the NO branch is taken to block 124. At block 124, the I/O request is denied, and the Security Officer is alerted to the possibility that there has been a security breach. Control then passes back to block 114 to wan for the next I/O request. if they do match, then the integrity of the executable identity based access control list has been verified and the YES branch is taken to decision block 126.
Decision block 126 determines whether the identity of the executable has been stored in the executable identity based access control list. If the executable identity is not present, the executable is not authorized to access the data file, and the NO branch is taken to block 124. As discussed above, block 124 will deny the I/O request and alert the Security Office that there may be a possible security breach. However, the potential security breach may be less severe than the possible breach detected at block 122. At block 122, it was determined that the policy metadata was subjected to an unauthorized alteration. However, the fact that an executable is not authorized to access a data file may have a more innocent cause, such as a user accidently trying to open the data file, Accordingly, it may be desirable to bypass the alert to the Security Officer, and in the alternative, log the failed access attempt. Control then passes back to block 114 to wait for the next I/O request. If the executable identity is present in the executable identity based access control list, the YES branch is taken to block 128.
At block 128, the certificate name and the stored executable signature are retrieved from the signature metadata section of the executable, and the public key identified by the certificate name is retrieved from the certificate store. A computed executable identity is calculated from the segments identified by the ELF header and the program header table (shown in
Decision block 130 determines whether the stored executable identity and the decrypted executable identity match. If they do not match, than there has been a possible security breach since the executable may have been subjected to a malicious alteration. Accordingly, the NO branch is taken to block 124, where the I/O request is denied and the Security Officer is alerted, as discussed above. Control then passes to block 114 to wait for the next I/O request.
If the computed and decrypted executable identities do match, then the I/O request has been authorized. Accordingly, the YES branch is taken to block 132, which services the I/O request, and control is passed back to block 114 to wait for the next I/O request.
In the foregoing description, numerous details are set forth to provide an understanding of the present invention. However, it will be understood by those skilled in the art that the present invention may be practiced without these details. While the invention has been disclosed with respect to a limited number of examples, implementations, and embodiments, those skilled in the art will appreciate numerous modifications and variations therefrom. It is intended that the appended claims cover such modifications and variations as fall within the true spirit and scope of the invention.
Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/US10/23895 | 2/11/2010 | WO | 00 | 8/3/2012 |