Reference Monitor for Enforcing Information Flow Policies
    1.
    Patent application
    Status: Lapsed

    Publication No.: US20090119507A1

    Publication date: 2009-05-07

    Application No.: US12350327

    Filing date: 2009-01-08

    IPC classification: H04L9/00 G06F7/04 G06F12/14

    CPC classification: G06F21/6218

    Abstract: A reference monitor that authorizes information flows between elements of a data processing system is provided. The elements of the data processing system are associated with security data structures in a reference monitor. An information flow request is received from a first element to authorize an information flow from the first element to a second element. A first security data structure associated with the first element and a second security data structure associated with the second element are retrieved. At least one set theory operation is then performed on the first security data structure and the second security data structure to determine if the information flow from the first element to the second element is to be authorized. The security data structures may be labelsets having one or more labels identifying security policies to be applied to information flows involving the associated element.

    Reference monitor method for enforcing information flow policies
    2.
    Granted patent
    Status: Lapsed

    Publication No.: US07512792B2

    Publication date: 2009-03-31

    Application No.: US11304853

    Filing date: 2005-12-15

    IPC classification: H04L9/00 G06F7/04 G06F12/14

    CPC classification: G06F21/6218

    Abstract: A reference monitor system, apparatus, computer program product and method are provided. In one illustrative embodiment, elements of the data processing system are associated with security data structures in a reference monitor. An information flow request is received from a first element to authorize an information flow from the first element to a second element. A first security data structure associated with the first element and a second security data structure associated with the second element are retrieved. At least one set theory operation is then performed on the first security data structure and the second security data structure to determine if the information flow from the first element to the second element is to be authorized. The security data structures may be labelsets having one or more labels identifying security policies to be applied to information flows involving the associated element.

    Authorizing information flows
    3.
    Granted patent
    Status: In force

    Publication No.: US08024565B2

    Publication date: 2011-09-20

    Application No.: US12130252

    Filing date: 2008-05-30

    IPC classification: H04L9/00

    CPC classification: G06F21/6218

    Abstract: Authorizing information flows between devices of a data processing system is provided. In one illustrative embodiment, an information flow request is received from a first device to authorize an information flow from the first device to a second device. The information flow request includes an identifier of the second device. Based on an identifier of the first device and the second device, security information identifying an authorization level of the first device and second device is retrieved. A sensitivity of an information object that is to be transferred in the information flow is determined and the information flow is authorized or denied based only on the sensitivity of the information object and the authorization level of the first and second devices irregardless of the particular action being performed on the information object as part of the information flow.

    Associating security information with information objects in a data processing system
    4.
    Granted patent
    Status: Lapsed

    Publication No.: US07647630B2

    Publication date: 2010-01-12

    Application No.: US11304971

    Filing date: 2005-12-15

    IPC classification: G06F7/04 G06F12/00

    CPC classification: G06F21/6218

    Abstract: A method for authorizing information flows based on security information associated with information objects is provided. A hash key is generated based on an information object and a lookup operation is performed in a hash table based on the hash key. A determination is made whether an entry in the hash table at an index corresponding to the hash key identifies a labelset for the information object. A labelset, identifying a sensitivity of the information object, is stored in the entry at the index corresponding to the hash key for the information object if a labelset for the information object is not identified in the entry in the hash table. Information flows involving the information object are authorized based on a lookup of the labelset associated with the information object in the hash table. The hash table may be a multidimensional hash table.

    Authorizing information flows based on a sensitivity of an information object
    5.
    Granted patent
    Status: In force

    Publication No.: US08527754B2

    Publication date: 2013-09-03

    Application No.: US13213799

    Filing date: 2011-08-19

    IPC classification: H04L29/06

    CPC classification: G06F21/6218

    Abstract: A system, apparatus, computer program product and method for authorizing information flows between devices of a data processing system are provided. In one illustrative embodiment, an information flow request is received from a first device to authorize an information flow from the first device to a second device. The information flow request includes an identifier of the second device. Based on an identifier of the first device and the second device, security information identifying an authorization level of the first device and second device is retrieved. A sensitivity of an information object that is to be transferred in the information flow is determined and the information flow is authorized or denied based only on the sensitivity of the information object and the authorization level of the first and second devices irregardless of the particular action being performed on the information object as part of the information flow.

    Authorizing Information Flows Based on a Sensitivity of an Information Object
    6.
    Patent application
    Status: In force

    Publication No.: US20110302413A1

    Publication date: 2011-12-08

    Application No.: US13213799

    Filing date: 2011-08-19

    IPC classification: H04L29/06

    CPC classification: G06F21/6218

    Abstract: A system, apparatus, computer program product and method for authorizing information flows between devices of a data processing system are provided. In one illustrative embodiment, an information flow request is received from a first device to authorize an information flow from the first device to a second device. The information flow request includes an identifier of the second device. Based on an identifier of the first device and the second device, security information identifying an authorization level of the first device and second device is retrieved. A sensitivity of an information object that is to be transferred in the information flow is determined and the information flow is authorized or denied based only on the sensitivity of the information object and the authorization level of the first and second devices irregardless of the particular action being performed on the information object as part of the information flow.

    Associating security information with information objects
    7.
    Granted patent
    Status: Lapsed

    Publication No.: US07975295B2

    Publication date: 2011-07-05

    Application No.: US12130027

    Filing date: 2008-05-30

    IPC classification: G06F11/00

    CPC classification: G06F21/6218

    Abstract: A hash key is generated based on an information object and a lookup operation is performed in a hash table based on the hash key. A determination is made whether an entry in the hash table at an index corresponding to the hash key identifies a labelset for the information object. A labelset, identifying a sensitivity of the information object, is stored in the entry at the index corresponding to the hash key for the information object if a labelset for the information object is not identified in the entry in the hash table. Information flows involving the information object are authorized based on a lookup of the labelset associated with the information object in the hash table. The hash table may be a multidimensional hash table.

    Reference monitor for enforcing information flow policies
    8.
    Granted patent
    Status: Lapsed

    Publication No.: US07793100B2

    Publication date: 2010-09-07

    Application No.: US12350327

    Filing date: 2009-01-08

    IPC classification: H04L9/00 G06F7/04 G06F12/14

    CPC classification: G06F21/6218

    Abstract: A reference monitor that authorizes information flows between elements of a data processing system is provided. The elements of the data processing system are associated with security data structures in a reference monitor. An information flow request is received from a first element to authorize an information flow from the first element to a second element. A first security data structure associated with the first element and a second security data structure associated with the second element are retrieved. At least one set theory operation is then performed on the first security data structure and the second security data structure to determine if the information flow from the first element to the second element is to be authorized. The security data structures may be labelsets having one or more labels identifying security policies to be applied to information flows involving the associated element.

    Authorizing Information Flows
    9.
    Patent application
    Status: In force

    Publication No.: US20080229413A1

    Publication date: 2008-09-18

    Application No.: US12130252

    Filing date: 2008-05-30

    IPC classification: G06F21/00

    CPC classification: G06F21/6218

    Abstract: Authorizing information flows between devices of a data processing system is provided. In one illustrative embodiment, an information flow request is received from a first device to authorize an information flow from the first device to a second device. The information flow request includes an identifier of the second device. Based on an identifier of the first device and the second device, security information identifying an authorization level of the first device and second device is retrieved. A sensitivity of an information object that is to be transferred in the information flow is determined and the information flow is authorized or denied based only on the sensitivity of the information object and the authorization level of the first and second devices irregardless of the particular action being performed on the information object as part of the information flow.

    Associating Security Information with Information Objects
    10.
    Patent application
    Status: Lapsed

    Publication No.: US20080229412A1

    Publication date: 2008-09-18

    Application No.: US12130027

    Filing date: 2008-05-30

    IPC classification: G06F12/14

    CPC classification: G06F21/6218

    Abstract: A hash key is generated based on an information object and a lookup operation is performed in a hash table based on the hash key. A determination is made whether an entry in the hash table at an index corresponding to the hash key identifies a labelset for the information object. A labelset, identifying a sensitivity of the information object, is stored in the entry at the index corresponding to the hash key for the information object if a labelset for the information object is not identified in the entry in the hash table. Information flows involving the information object are authorized based on a lookup of the labelset associated with the information object in the hash table. The hash table may be a multidimensional hash table.
