Computer system security method and apparatus having program authorization information data structures
INFORMATION PROTECTION AND AUTHENTICATION OF TEXAS, LLCThe holder of the '717 patent has sued Microsoft, Symantec, CA, F-Secure, McAfee, Kaspersky, Sophos, Novell, and PC Tools for infringing this patent.
Summary / Description
| Summary / Description | The Ketcham patent describes a system which prevents a program from generating executable code files by associating the privilege to do so with said program. |
Basic Information
| Type of Prior Art | Issued Patents - US |
| Country | United States of America |
| Patent/Application # | 5111390 |
| Kind Code | United States (US) - United STATES Patent - A |
| Patentee Name | Larry R. Ketcham |
| Relevant Pages, Columns, or Lines | Col 2 line 43 to 58 |
| URL | http://patft.uspto.gov/netacgi/... |
| Publication Date | August 22, 1988 |
| Additional Information | The publication date given is actually the filing date. |
Notes / To Do
| Notes | This patent describes a system which was commercially available, and thus probably evolved over time to add new features, etc. Finding marketing information about the system would probably be very helpful. |
Excerpt
In the presently described system, the right to generate code is restricted to only properly authorized compilers. The enforcement mechanism in the operating system uses the FILEKIND attribute of files in order to recognize compilers. The FILEKIND is a file attribute that describes the internal structure and the purpose of a given file. The value of the FILEKIND attribute indicates whether a file is a data file, a code file, a system file or an "authorized" compiler.
Only the operating system itself can assign the FILEKIND value that "authorizes" a program as a compiler, and only a user or process with the highest privilege on the system can request that the operating system authorize a compiler. The operating system will create or modify a code file only when requested by an authorized compiler.
Relevance
Claims
Claim 86
Apparatus for protecting a digital computer user in accordance with Claim 61, wherein said means for storing authorization information includes means for storing an indication of the set of data to which said associated program has authority to process.
Relevance
To the extent that "nature of the allowed processing" can mean "create, write and mark as executable", then the Unisys system practices the claim. By storing the COMPILERCODEFILE value in the FILEKIND attribute of a program file, the program is granted authority to create, write, and mark as executable other program files (files included in the set of all files marked as executable).
To the extent that "nature of the allowed processing" can mean "create, write and mark as executable", then the Unisys system practices the claim. By storing the COMPILERCODEFILE value in the FILEKIND attribute of a program file, the program is granted authority to create, write, and mark as executable other program files (files included in the set of all files marked as executable).
Claim Chart
All
Claim 4
Apparatus for protecting a digital computer user according to Claim 1, wherein said at least one segment includes means for storing an identifier indicating the type of object to which program authorization information is associated.
Relevance
In the Unisys patent, if a FILEKIND attribute is stored containing the COMPILERCODEFILE attribute then this indicates that the associated program file is of type "compiler".
In the Unisys patent, if a FILEKIND attribute is stored containing the COMPILERCODEFILE attribute then this indicates that the associated program file is of type "compiler".
Claim Chart
All
Claim 11
Apparatus for protecting a digital computer user according to Claim 1, wherein the means for storing a plurality of authorization entries includes means for storing a qualification of authority which has been granted to the program.
Relevance
In the Unisys patent, if a FILEKIND attribute is stored NOT containing the COMPILERCODEFILE attribute then this indicates that the associated program file does NOT have the authorization to create a new program file, regardless of the user's privileges.
In the Unisys patent, if a FILEKIND attribute is stored NOT containing the COMPILERCODEFILE attribute then this indicates that the associated program file does NOT have the authorization to create a new program file, regardless of the user's privileges.
Claim Chart
All
Claim 61
In a digital computer system for providing improved computer security having digital data processing means for executing a plurality of digital computer programs for a computer user and memory means for storing digital program instructions and digital data, apparatus for protecting a digital computer user from operations typically performable by a digital computer program executing on behalf of a user comprising:
a) means for storing digital authorization information in said memory means which restricts an associated program from performing operations, when executed by said processing means, which are available to said computer user; and
b) means for storing in at least one segment digital data for associating said authorization information with at least one program to be executed by said processing means.
Relevance
The Ketcham patent describes a system that implements all the steps in this claim. The authorizing entries are called "FILEKIND" and are associated with a program file. If the FILEKIND contains "COMPILERCODEFILE", then the program file has authorization to generate other program files; otherwise, it does not. A FILEKIND authorizing entry is stored on the file system, and is associated with the program file.
The Ketcham patent describes a system that implements all the steps in this claim. The authorizing entries are called "FILEKIND" and are associated with a program file. If the FILEKIND contains "COMPILERCODEFILE", then the program file has authorization to generate other program files; otherwise, it does not. A FILEKIND authorizing entry is stored on the file system, and is associated with the program file.
Claim Chart
All
Claim 66
Apparatus for protecting a digital computer user according to Claim 61, wherein said at least one segment includes means for storing the name of the program.
Relevance
The Unisys patent describes a system in which the program authorization entries are stored in the same data structure as the program directory listings, which include file names.
The Unisys patent describes a system in which the program authorization entries are stored in the same data structure as the program directory listings, which include file names.
Claim Chart
All
Claim 82
Apparatus for protecting a digital computer user in accordance with Claim 61, wherein said means for storing authorization information includes means for storing an indication of the set of data to which said associated program has authority access.
Relevance
To the extent the term "access" can mean "create","write" and/or "mark as executable", and the term "set" can mean "a collection of items defined by their properties", then the Unisys patent describes a system which implements this claim. The "set of data" that can be accessed by a non-compiler program is restricted to non-program files. The "set of data" that can be accessed (created and written to) by compiler programs includes program files.
To the extent the term "access" can mean "create","write" and/or "mark as executable", and the term "set" can mean "a collection of items defined by their properties", then the Unisys patent describes a system which implements this claim. The "set of data" that can be accessed by a non-compiler program is restricted to non-program files. The "set of data" that can be accessed (created and written to) by compiler programs includes program files.
Claim Chart
All
Claim 3
Apparatus for protecting a digital computer user according to Claim 1, wherein said at least one segment includes means for storing an indication of the type of program to which the data structure is associated.
Relevance
In the Unisys patent, if a FILEKIND attribute is stored containing the COMPILERCODEFILE attribute then this indicates that the associated program file is of type "compiler".
In the Unisys patent, if a FILEKIND attribute is stored containing the COMPILERCODEFILE attribute then this indicates that the associated program file is of type "compiler".
Claim Chart
All
Claim 10
Apparatus for protecting a digital computer user according to Claim 1, wherein the means for storing a plurality of authorization entries includes means for indicating at least one of the type of function and resource said at least one program is permitted to perform for each of said entries.
Relevance
In the Unisys patent, if a FILEKIND attribute is stored containing the COMPILERCODEFILE attribute then this indicates that the associated program file (a compiler) is allowed to perform the functions of creating, writing, and marking as executable a new file resource (thus, creating a new program file).
In the Unisys patent, if a FILEKIND attribute is stored containing the COMPILERCODEFILE attribute then this indicates that the associated program file (a compiler) is allowed to perform the functions of creating, writing, and marking as executable a new file resource (thus, creating a new program file).
Claim Chart
All
Claim 26
Apparatus for protecting a digital computer user in accordance with Claim 1, wherein said means for storing a plurality of authorization entries includes means for storing an indication of the set of data to which said associated program has authority to process and an indication of the nature of the allowed processing.
Relevance
This claim is particularly vague.
To the extent that "nature of the allowed processing" can mean "create, write and mark as executable", then the Unisys system practices the claim. By storing the COMPILERCODEFILE value in the FILEKIND attribute of a program file, the program is granted authority to create, write, and mark as executable other program files (files included in the set of all files marked as executable).
This claim is particularly vague.
To the extent that "nature of the allowed processing" can mean "create, write and mark as executable", then the Unisys system practices the claim. By storing the COMPILERCODEFILE value in the FILEKIND attribute of a program file, the program is granted authority to create, write, and mark as executable other program files (files included in the set of all files marked as executable).
Claim Chart
All
Claim 64
Apparatus for protecting a .digital computer user according to Claim 61, wherein said at least one segment includes means for storing an identifier indicating the type of object to which program authorization information is associated.
Relevance
In the Unisys patent, if a FILEKIND attribute is stored containing the COMPILERCODEFILE attribute then this indicates that the associated program file is of type "compiler".
In the Unisys patent, if a FILEKIND attribute is stored containing the COMPILERCODEFILE attribute then this indicates that the associated program file is of type "compiler".
Claim Chart
All
Claim 71
Apparatus for protecting a digital computer user according to Claim 61, wherein the means for storing authorization information includes means for storing a qualification of authority which has been granted to the program.
Relevance
In the Unisys patent, if a FILEKIND attribute is stored NOT containing the COMPILERCODEFILE attribute then this indicates that the associated program file does NOT have the authorization to create a new program file, regardless of the user's privileges.
In the Unisys patent, if a FILEKIND attribute is stored NOT containing the COMPILERCODEFILE attribute then this indicates that the associated program file does NOT have the authorization to create a new program file, regardless of the user's privileges.
Claim Chart
All
Claim 1
In a digital computer system having a digital data processing means for executing a plurality of digital programs and a memory means for storing digital program instructions and digital data, apparatus for protecting a digital computer user from operations typically performable by a digital computer program executing on behalf of a user comprising:
a) means for storing a plurality of digital authorization entries in said memory means, wherein said entries qualify operations which an associated program is permitted to perform when executed by said processing means; and
b) means for storing in at least one segment, digital data for associating said authorization entries with at least one program.
Relevance
The Ketcham patent describes a system that implements all the steps in this claim. The authorizing entries are called "FILEKIND" and are associated with a program file. If the FILEKIND contains "COMPILERCODEFILE", then the program file has authorization to generate other program files; otherwise, it does not. A FILEKIND authorizing entry is stored on the file system, and is associated with the program file.
The Ketcham patent describes a system that implements all the steps in this claim. The authorizing entries are called "FILEKIND" and are associated with a program file. If the FILEKIND contains "COMPILERCODEFILE", then the program file has authorization to generate other program files; otherwise, it does not. A FILEKIND authorizing entry is stored on the file system, and is associated with the program file.
Claim Chart
All
Claim 6
Apparatus for protecting a digital computer user according to Claim 1, wherein said at least one segment includes means for storing the name of the program.
Relevance
The Unisys patent describes a system in which the program authorization entries are stored in the same data structure as the program directory listings, which include file names.
The Unisys patent describes a system in which the program authorization entries are stored in the same data structure as the program directory listings, which include file names.
Claim Chart
All
Claim 22
Apparatus for protecting a digital computer user in accordance with Claim 1, wherein said means for storing a plurality of authorization entries includes means for storing an indication of the set of data to which said associated program has authority to access.
Relevance
To the extent the term "access" can mean "create","write" and/or "mark as executable", and the term "set" can mean "a collection of items defined by their properties", then the Unisys patent describes a system which implements this claim. The "set of data" that can be accessed by a non-compiler program is restricted to non-program files. The "set of data" that can be accessed (created and written to) by compiler programs includes program files.
To the extent the term "access" can mean "create","write" and/or "mark as executable", and the term "set" can mean "a collection of items defined by their properties", then the Unisys patent describes a system which implements this claim. The "set of data" that can be accessed by a non-compiler program is restricted to non-program files. The "set of data" that can be accessed (created and written to) by compiler programs includes program files.
Claim Chart
All
Claim 63
Apparatus for protecting a digital computer user according to Claim 61, wherein said at least one segment includes means for storing an indication of the type of program to which the data structure is associated.
Relevance
In the Unisys patent, if a FILEKIND attribute is stored containing the COMPILERCODEFILE attribute then this indicates that the associated program file is of type "compiler".
In the Unisys patent, if a FILEKIND attribute is stored containing the COMPILERCODEFILE attribute then this indicates that the associated program file is of type "compiler".
Claim Chart
All
Claim 70
Apparatus for protecting a digital computer user according to Claim 61, wherein the means for storing authorization information includes means for indicating at least one of the type of function and resource.
Relevance
In the Unisys patent, if a FILEKIND attribute is stored containing the COMPILERCODEFILE attribute then this indicates that the associated program file (a compiler) is allowed to perform the functions of creating, writing, and marking as executable a new file resource (thus, creating a new program file).
In the Unisys patent, if a FILEKIND attribute is stored containing the COMPILERCODEFILE attribute then this indicates that the associated program file (a compiler) is allowed to perform the functions of creating, writing, and marking as executable a new file resource (thus, creating a new program file).
Claim Chart
All
