JP2768834B2 - Method and system for maintaining access security of input / output operations in a computer system - Google Patents

Description

Description: BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates generally to computer security systems and, in particular, to each user who can help users properly classify documents. A computer security system and method for automatically restricting user access to information stored on a computer according to a predefined but changeable user security profile of the operation.

2. Description of Related Art The structure of a traditional security computer workstation requires the use of a special operating system, which may provide security if a commercial off-the-shelf (COTS) software application package is used. could not. It is well known that such systems, commonly referred to as "partitioned workstations", are difficult to use, and do not allow for data merging of documents or confidentiality reduction of documents.

In general, these conventional structures allow the use of multi-purpose COTS applications that (1) do not run on common commercial computers and (2) are security tested and are not licensed "trusted" applications. Without
(3) It does not allow the merging of data of different security levels, and (4) it does not allow the use of standard operating systems.

Objects and Summary of the Invention Accordingly, it is an object of the invention to provide security for documents and data that allows the use of commercially available off-the-shelf software application packages rather than requiring the use of only "trusted" applications. To provide a method and system for doing so.

It is another object of the present invention to provide a method and system for providing security to documents and data that causes a security label to be conveyed as data moves between documents.

It is another object of the present invention to provide a method and system for providing security for documents and data that allows users to control their documents if they have the necessary security access rights.

It is yet another object of the present invention to provide a method and system for providing security to documents and data that facilitates, rather than prevents, the merging of data from documents classified at different security levels.

It is yet another object of the present invention to not only prevent unauthorized access to files and data, but also to allow users to properly classify documents and data retained on the system or processed by the methods of the present invention. It is to provide a method and system that provides security for documents and data that helps to do so.

It is another object of the present invention: to exist as an extension of an existing operating system, rather than requiring the development of a "trusted" operating system; to provide security of documents over a network at the workstation level; In contrast to such "blocking," the user may be given a "weird", "malicious" or "harmful" It is to concentrate on "detection and inspection" of "operation".

The present invention allows a personal computer or workstation to use a commercially available off-the-shelf software application package with a commercially available operating system, while mandating access control and classification levels and information as information moves between documents. Computer systems and methods are provided that can exhibit multi-level security features, including the transmission of codewords. The user can manually re-classify the document as needed (including confidentiality downgrading subject to restrictions). The present invention can also be configured to provide security when the computer is on a network by a security file server.

The superior features of the structure and operation of the present invention will become more apparent from the following description and accompanying drawings, which show preferred embodiments of the device of the present invention and in which the same reference characters indicate the same parts in the drawings. There will be.

BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is a flowchart showing the general logic flow of a system including the present invention.

FIG. 2 is an idealized block diagram showing the general general operational flow of a system including the present invention.

FIG. 3 is an idealized schematic diagram illustrating various input / output operations that occur in a system including the present invention.

FIG. 4 is an idealized block diagram showing the structure of the user access table and the allowable subfield structure.

DESCRIPTION OF THE PREFERRED EMBODIMENTS In the following, generation levels are generated, value-based security protection is applied, and each use for pre-selected but modifiable input / output operations on selected data objects in a computer system. A preferred embodiment of the invention implemented in a method and a computer system for restricting a person's access will be described.

In general, as shown in FIG. 1, the present invention is recognized in a computer system that interfaces input / output requests between one or more users identified by a unique user identification symbol, the computer system comprising: Have one or more data objects containing data therein. The method includes operating the computer to automatically perform the following steps.

A data object security access label is set that indicates the security profile that defines the user security access levels and the input / output operations allowed for the data object, and is associated with each data object selected for security protection. (Step 10). Such data objects always include this "security" access label and include "saved" documents or text files generated by application programs running on the computer system.

For each user selected to have input and output access to data objects in the computer system, a first entry identifying the user with a unique user identification symbol, and a user for the particular user. A user security access table having a second entry representing a security profile is also set (step 1).
2). The second entry is used to determine the security access level of the associated user.

A session security level "flag" is set for a pre-selected default state representing one of the security access levels (step 14).

Each user request to the computer system is analyzed to extract its own input / output requests (step 1).
6). For each discovered I / O request,
(1) A user identification symbol unique to the user who made the input / output request, (2) a data object that is the subject of the input / output request, and (3) a requested input / output operation are extracted.

The unique user identification symbol is compared to a first entry in the user security access table. If a match is found, the user security access "flag" in the computer system is set to the "allowed" state and the user security level "flag" is set to the user security access table associated with the user identification symbol. Is set to the security access level defined by the second entry, otherwise each "flag" is set to a "denied" state. (Step 18).

The requested I / O operation being requested is compared to the data object security access label associated with the data subject that is the subject of the I / O request, and if a match is found, the data object security The access "flag" is set to the "permitted" state, otherwise it is set to the "denied" state (step 20).

The session security level “flag” is compared with the user security access level defined in the security profile for the data object that is the subject of the input / output request, and the session security level “flag” is The "high" security level is set (step 22).

When the flag is set, an I / O request is returned to the computer system for processing whenever both the user security access "flag" and the data object security access "flag" are in the "permitted" state ( Step 24).

The method of the present invention includes recording a unique user identification symbol in a computer system whenever a user security access flag, a user security level flag, or a data object security access flag is in the "denied" state. It is also preferable to cancel execution of the analyzed I / O request by the computer system, including writing to the I / O request.

Similarly, in the event that a security breach or attempted breach is discovered, the present invention provides that whenever a user security access flag, user security level flag or data object security access flag is in a "denied" state, It is also preferable to return a preselected message to the computer system user.

In this method, the user security access flag, the user security level flag, and the data object security access flag are respectively set to facilitate changing various security levels of various data objects held in the computer system. Preferably, whenever in the "permitted" state, the computer system user can access and modify the data object security label.

Finally, the data object security access label,
The user security access table and the session security level flag are preferably retained in the computer system until the computer system user logs off the computer system.

In FIG. 2, the present invention is shown in an idealized block diagram illustrating the general general operational flow of a system including the present invention, in which a user 26 assigns two applications 28, 30 respectively. It is running. As shown in the drawing, the user 26 and each application 2
8,30 have associated security labels 26a, 28a,
30a each. A security label is a data structure that defines an access request and transmission restrictions on data and / or files stored in the system. Examples of such security labels include hierarchical classifications such as confidential, secret, top secret and / or a series of categories or “tickets” such as various assigned “codewords”.

Whenever an application requests an I / O operation on a document, such as an application 28 requesting that the document 32 be read, the document label associated with the requested document (here 32a).
Application label 28a)
Is added to The application 28 cannot open a document to which the user 26 does not have access, as determined by the user label 26a and the user identifier associated with the user at logon.

When the application label increases, the session label 34 displayed on the screen for the user also increases.

Conversely, if an application such as 30 writes to a document (shown here as 36), any additional categories will be displayed and the label of the document
Written on 36a. If the security level of the application that subsequently runs is higher than the original security level of the document, the higher security level is displayed. The user can see what the new label is and accept or change it as described below.

3 and 4, the present invention is illustrated in an idealized view, illustrating various input / output operations that occur in a system embodying the present invention. The user 40 generates an operator request 42 to the operating system 44, which results in the execution "instances" of these programs for input / output operations of files 54 available in the system, and one or more system built-ins. Activate the application 46. Then, the application program 46 generates input / output requests 50 and 52 necessary for reading and writing the user request file.

Between the files there is a clipboard 55 which constitutes a temporary holding buffer for the data to be copied and pasted. These read and write operations
56 and 57 are executed by the application instance for each user request.

Further, means are provided for the user 40 to request that the portion of the screen 66 selected by the user by the reading 59 be placed on the clipboard 55 for later pasting the image into any file 54. ing. Each file, clipboard, each application instance, and screen has a security label 58 associated with it that includes various fields of information as shown in FIG. These objects 46, 54,
And 66 associated security labels 58 include classification level, any required access "tickets", "copy prohibition", "print prohibition", "export prohibition" or "only originator downgrade secret". Includes some fields like restriction format. Similarly, the user security access table shown in FIG.
60 is set for user identification and access profile confirmation and includes fields 62 such as "user identifier", "user password", "user level access", "user ticket map". . At logon,
The user access table 60 is accessed by the system to determine and set the identifier and classification access profile of each user 40 requesting to log into the system 65.

The above description highlights the method and system of the present invention in comparing the document access level with the user access level and denying access if the user access does not match. Another important new, unclear point of view exists.

Based on the intended user needs of the system,
One such additional important design consideration is the ability to merge documents of different classifications, to help the user in determining the appropriate classification for the resulting document. is there.

For example, the user wants to give a presentation to show his plan, and to generate a composite presentation document during the presentation, another user with a different security level security label. May copy text and images from documents. The systems and methods of the present invention "watch" or "intercept" all data input to the application being used to prepare the presentation document, and provide a separate document or data that is assembled into the final presentation. Based on the pre-selected weights of all the individual classifications found in the part, determine the classification of all documents written by the application. And upon user request, the present invention provides the user with its proposed classification for the complex presentation document.

If the user does nothing to reclassify the document, the present invention automatically assigns the proposed classification to the document. The invention also provides for the original classification of each document and the creation of a composite presentation document (via various cut and paste and other I / O operations such as reading files) for the user. Distinguish labels that are considered included.

Allow the user to accept the proposed classification label or lower the confidentiality of the document as he deems appropriate,
Or given the ability to raise. This requires users to log in at a particular security level, does not generate documents categorized at any lower level,
Also in contrast to partitioned mode workstations that also do not access documents categorized at a high level, making such workstations unsuitable for the tasks set forth above.

The present invention treats the application as a "black box" and enables the use of commercially available off-the-shelf applications by monitoring all data entering and exiting the application, and running applications in systems implementing the present invention. No special security configuration is required in the software, ie "trusted" or "guaranteed" software.

The operation of the present invention is sometimes more complex than that shown above. For example, not only is the classification level of each application maintained and assigned to documents written by that particular application, but also the classification level of the overall session. Thus, when a user takes a snapshot of the screen and pastes it into a document, an overall session label is given for that document. This is because the portion of the screen owned by any other concurrently running application displaying the data has been included in the screen snapshot.

The following terms are used to describe the further operation of the method and system that includes the present invention: application instance-the application currently running on the system; security label-access request and data held in the system and / or A data structure that defines the transmission restrictions for a file. Examples of such security labels include hierarchical classifications such as confidential, secret, top secret and / or a series of categories such as various assigned "codewords", i.e. "tickets".

Ticket-an additional security label that restricts files or data to a selected group that has been identified as a "ticket" for access.

Clipboard-Cut / Copy / Paste buffer utility between operating system applications; Maximize-Combination of two security labels according to a predetermined algorithm such as a selected set of weighted selection values.

The method and system of the present invention run concurrently with the operating system to intercept any I / O service calls to the operating system as follows: 1. The operating system has "launched" an application (application instance) Sometimes, this interception involves the following steps: A. The security label of the application instance is set to a preselected starting application security label; B. The data that the clipboard buffer cannot lower the classification secret If the security label indicates that it does, either allow reading (thus maximizing the application instance security label with the clipboard security label), or Deletes the contents of the clipboard buffer, urge that the security label of the application instance to leave the original to the user.

C. If the application instance performs an automatic read of the clipboard buffer and the security label indicates that this data does not contain data that cannot be declassified, replace the security label of the application instance with the security label of the clipboard buffer. To maximize.

D. Recalculate the screen security label as a maximization of the security label for all application instances.

2. Whenever an application instance opens a file, this interception involves the following steps: A. Maximize the security label of the application instance with the security label of the file being opened.

B. Recalculate the screen security label as a maximization of the security label for all application instances.

3. Whenever an application instance writes to a file, this interception involves the following steps: A. Set the security label of the application instance to the file's security label.

B. If data or files have "copy prohibition" restrictions, writing is not allowed.

4. Whenever an application instance is terminated, this interception involves the following steps: A. Recalculate the screen security label as a maximization of the security label of all remaining application instances.

5. Whenever an attempt is made to "boot" or start the computer's operating system in the system, this interception involves the following steps: A. Prompt the user for a user name / password.

B. If the user's name / password is not in the user access table, shut down and refuse further access to the system.

C. On the other hand, if the name / password is in the user access table, set the screen security label to the preselected starting screen security label.

6. Whenever an application instance reads from the clipboard, this interception involves the following steps: A. Maximize the application instance security label with the clipboard security label.

B. Recalculate the screen security label as a maximization of the security label for all application instances.

7. Whenever an application instance writes to the clipboard, this interception involves the following steps: A. Set the clipboard security label to the application instance security label.

B. Whenever an application instance prints a file, this interception involves the following steps: A. If the data or file has a "no print" restriction, printing is not allowed.

B. Stamp security labels on all pages.

The following utilities embody the features recognized in the present invention: The first utility displays the security label of the file as follows and allows the user to modify it with restrictions. Provides a means: A. Upon user request, this utility displays the security label of the selected file; B. This utility also provides the user with the security level and ticket given by the security software Provides a means to identify the security level and ticket given to the file by the user; C. This utility prevents certain security label changes based on the user's adjustable restrictions.

Upon user request, the second utility provides a means for displaying the security label of the selected application instance.

A third utility provides a means of displaying a security label on the screen by making it always visible during a user session. Thus, the user is always reminded of the different classification levels of the document appearing on the screen.

A fourth utility provides the user with a means to select a portion of the screen, take a "picture" of it, and enter the results into the clipboard buffer for later manipulation by the user.

A fifth utility provides the operator with a means of defining a user access table, security level and "ticket", start screen security label, and start application security label.

The present invention as set forth above, of course, will readily have numerous variations, modifications, and variations that fall within the scope of the invention. It is to be understood that all such changes, modifications and alterations are within the scope of the invention and the appended claims. Similarly, applicants intend to cover and claim all changes, modifications and variations of the preferred embodiment of the invention described herein for purposes of explanation without departing from the scope of the invention. It will be understood that.

Continuation of the front page (56) References JP-A-3-246647 (JP, A) JP-A-2-194450 (JP, A) JP-A-5-324446 (JP, A) JP-A-2-297182 (JP) U.S. Pat. No. 4,967,695 (US, A) (58) Fields investigated (Int. Cl. ⁶ , DB name) G06F 12/14 G06F 12/00 537 G06F 9/06 550 G06F 17/24

Claims (10)

(57) [Claims] 1. A method for enabling a user to merge documents of different security level classifications in a computer system having a plurality of documents accessible by the computer system having different security labels of different security level classifications. Establishing a security access label representing a security profile defining user security access levels and input / output operations allowed for the document, and associating with each document selected for security protection, Launches the application and, based on a comparison of the user security access level with the security access labels for the first and second documents, A user is allowed to access the first and second documents only when the level indicates permission to access the first and second documents; and from the first and second documents, Allowing a user to generate a third document containing the selected data; monitoring data entering the application from the first and second documents; and individualizing the first and second documents. Determining a suggested security label classification for the third document generated by the application based on a pre-selected weighting for all security access labels to allow a user to merge documents of different security level classifications. The way the way. 2. The system according to claim 1, wherein said first and second
Identifying the original classification of the document and the security label associated with the data embedded in the third document, wherein the user accepts the proposed security label classification of the third document or the third document 2. The method of claim 1, further comprising the step of allowing the security level classification of the proposed security label classification to be declassified or declassified from the proposed security label classification. 3. The method of claim 2, further comprising automatically assigning the proposed security label classification to the third document if the user does not reclassify the security label for the third document. 2
The described method. 4. In a computer system having an operating system that includes a cut / copy / paste buffer utility, whenever one of the operating systems launches an application, one or more users identified by a unique user identification symbol. A method for interfacing an input / output request with a computer operating system, comprising establishing a data object security access label representing a security profile defining user security access levels and input / output operations performed on the data object. Associated with each data object selected for security protection on the computer, and providing security for applications launched by the operating system. The utility label, set to a preselected start application security label, when to include data that can not be clipboard buffer to a secret demotion classification indicated security label clipboard buffer, prompts the user,
Combining the security label of the application with the security label of the data object contained in the clipboard buffer according to a predetermined algorithm to make the clipboard readable, or the data object is included in the clipboard Without allowing the data object contained in the clipboard to be deleted and leaving the security label of the launched application unchanged, the application may be able to delete the data object contained in the clipboard buffer. Performing an automatic read, if the security label of the data object indicates that the data object does not contain data that cannot be declassified, the algorithm according to a predetermined algorithm. Combining the security label of the application with the security label of the clipboard buffer data object, and combining the security label of the application with the security label of the data object contained in the slipboard buffer as a result of the automatic reading. A method for interfacing an input / output request with a computer operating system including recalculating a security label for data to be displayed on a display device of the computer system. 5. When the application executes a file open, the security label of the application is combined with the security label of the file to be opened according to a predetermined algorithm, and the result of the opening of the file is that on the computer system. 5. The method of claim 4 further comprising the step of combining security labels of all applications currently running on the computer to recalculate security labels of data to be displayed on a display of said computer system.
The described method. 6. When an application performs a write operation on a file, the security label of the file to be subjected to the write operation is set to the security label of the application performing the write operation, and the file or the file is written. 5. The method of claim 4, further comprising the step of preventing said write operation if there is a "copy prohibited" restriction on the data to be written. 7. A security label for the clipboard buffer when an application performs a write operation to the clipboard buffer utility.
5. The method of claim 4, further comprising the step of setting the security label of an application that is performing the write operation. 8. Whenever an application currently running on the computer system attempts to perform a printing operation on a file, a "print prohibited" restriction is imposed on the file or a data object contained in the file. 5. The method of claim 4, further comprising: preventing the printing operation from being performed when it is associated with, and stamping a security label of the file on all pages printed as a result of the printing operation. Method. 9. A method for allowing a user to merge documents of different security level classifications in a computer system having a plurality of documents accessible by the computer system having different security labels of different security level classifications. Establishing a security access label representing a security profile defining user security access levels and input / output operations allowed for the document, and associating with each document selected for security protection, Launching an application to access the first and second documents to generate a third document including data selected from the first and second documents; Monitoring data entering the application from first and second documents and security labels associated with each data, based on pre-selected weights for all individual security access labels of the first and second documents, A method for enabling a user to merge documents of different security level classifications, comprising the step of determining a security label classification for the third document generated by an application. 10. The method of claim 9, further comprising automatically assigning the security label classification to the third document if the user does not reclassify the security label for the third document. The described method.