Domain based isolation of objects
    1.
    发明授权
    Domain based isolation of objects 失效
    基于域的隔离对象

    公开(公告)号:US08429191B2

    公开(公告)日:2013-04-23

    申请号:US13006621

    申请日:2011-01-14

    IPC分类号: G07F17/30

    CPC分类号: G06F21/6281 G06F2221/2141

    摘要: Functionality can be implemented in an operating system to increase the granularity of isolation for objects. A domain can be defined to represent each of different entities (e.g., different departments or work groups). User identifiers and/or user credentials can be associated with the appropriate domain or domains. An administrator can then define a set of rules that govern operation(s) that can be performed on the objects based on the domains. Processes running on a system will inherit the domains of a user account logged into the system. When a process running on the system attempts to perform an operation on an object, an operating system process evaluates the domain isolation rules with an identifier of the object and a domain identifier to determine whether the operation is permitted to proceed.

    摘要翻译: 可以在操作系统中实现功能,以增加对象的隔离粒度。 可以定义域以表示不同实体(例如,不同部门或工作组)。 用户标识符和/或用户凭证可以与适当的域或域相关联。 然后,管理员可以定义一组管理基于域的对象执行的操作的规则。 在系统上运行的进程将继承登录系统的用户帐户的域。 当在系统上运行的进程尝试对对象执行操作时,操作系统进程将使用对象的标识符和域标识符来评估域隔离规则,以确定是否允许该操作继续进行。

    VIRTUALIZATION OF FILE SYSTEM ENCRYPTION
    2.
    发明申请
    VIRTUALIZATION OF FILE SYSTEM ENCRYPTION 有权
    文件系统加密的虚拟化

    公开(公告)号:US20080165957A1

    公开(公告)日:2008-07-10

    申请号:US11621800

    申请日:2007-01-10

    IPC分类号: H04L9/00 G06F12/14

    CPC分类号: G06F21/6218 G06F2221/2107

    摘要: A computer implemented method, apparatus, and computer program product for using a virtual file system to encrypt files. The process registers a plurality of file systems on a data processing system with the virtual file system. The virtual file system is enabled to encrypt files without intervention from any file system in the plurality of file systems. The virtual file system identifies whether a file on a given file system is an encrypted file using a map file associated with the given file system. In response to identifying the file as an encrypted file, the virtual file system encrypts all data written to the file in accordance with encryption specifications in the map file.

    摘要翻译: 一种用于使用虚拟文件系统加密文件的计算机实现的方法,装置和计算机程序产品。 该过程使用虚拟文件系统在数据处理系统上注册多个文件系统。 启用虚拟文件系统来加密文件,而不需要在多个文件系统中的任何文件系统的干预。 虚拟文件系统识别给定文件系统上的文件是否是使用与给定文件系统相关联的映射文件的加密文件。 响应于将文件识别为加密文件,虚拟文件​​系统根据地图文件中的加密规范加密写入文件的所有数据。

    Domain based isolation of network ports
    3.
    发明授权
    Domain based isolation of network ports 有权
    基于域的隔离网络端口

    公开(公告)号:US08631123B2

    公开(公告)日:2014-01-14

    申请号:US13006618

    申请日:2011-01-14

    IPC分类号: G06F15/173 G06F15/16

    CPC分类号: H04L63/0236 H04L63/104

    摘要: When an operating system process evaluates a rule for an operation being attempted on a logical network port, the operating system process determines whether the target logical port falls within a range of logical ports, and then determines whether the operation is associated with a permitted domain of the range of logical ports. If the operation is a bind operation, then the process attempting to bind to the target port will be allowed to bind if the target port falls within the range and the operation/process is associated with a permitted domain. Otherwise, the binding operation will not be allowed to proceed.

    摘要翻译: 当操作系统进程评估在逻辑网络端口上尝试的操作的规则时,操作系统进程确定目标逻辑端口是否落入逻辑端口的范围内,然后确定该操作是否与允许的域 逻辑端口的范围。 如果操作是绑定操作,则如果目标端口在范围内,并且操作/进程与允许的域相关联,则尝试绑定到目标端口的进程将被允许绑定。 否则,将不允许绑定操作继续。

    Virtualization of file system encryption
    4.
    发明授权
    Virtualization of file system encryption 有权
    虚拟化文件系统加密

    公开(公告)号:US07908476B2

    公开(公告)日:2011-03-15

    申请号:US11621800

    申请日:2007-01-10

    IPC分类号: H04L29/06 G06F9/00 G06F12/00

    CPC分类号: G06F21/6218 G06F2221/2107

    摘要: A computer implemented method, apparatus, and computer program product for using a virtual file system to encrypt files. The process registers a plurality of file systems on a data processing system with the virtual file system. The virtual file system is enabled to encrypt files without intervention from any file system in the plurality of file systems. The virtual file system identifies whether a file on a given file system is an encrypted file using a map file associated with the given file system. In response to identifying the file as an encrypted file, the virtual file system encrypts all data written to the file in accordance with encryption specifications in the map file.

    摘要翻译: 一种用于使用虚拟文件系统加密文件的计算机实现的方法,装置和计算机程序产品。 该过程使用虚拟文件系统在数据处理系统上注册多个文件系统。 启用虚拟文件系统来加密文件,而不需要在多个文件系统中的任何文件系统的干预。 虚拟文件系统识别给定文件系统上的文件是否是使用与给定文件系统相关联的映射文件的加密文件。 响应于将文件识别为加密文件,虚拟文件​​系统根据地图文件中的加密规范加密写入文件的所有数据。

    DOMAINS BASED SECURITY FOR CLUSTERS
    5.
    发明申请
    DOMAINS BASED SECURITY FOR CLUSTERS 有权
    基于域的基于群集的安全性

    公开(公告)号:US20120185930A1

    公开(公告)日:2012-07-19

    申请号:US13006634

    申请日:2011-01-14

    IPC分类号: G06F21/00

    CPC分类号: G06F21/6218 G06F2221/2141

    摘要: Domains can be used to secure resources of a cluster. An administrator can configure a node of a cluster as a member of a particular domain. Membership in a cluster can be restricted to nodes that are members of the particular domain. When a node generates a cluster message, a kernel process or operating system process of the node will indicate the domain(s) of the node in the cluster message. The cluster message can be a command message to read or write to a storage resource of the cluster. When the cluster storage resource node or node that controls the storage resource receives the command message, the node will examine the command message to ensure the message indicates a domain that aligns with the cluster. If the proper domain is indicated in the command message, then the command message is processed. Otherwise, the command message is denied.

    摘要翻译: 可以使用域来保护群集的资源。 管理员可以将集群的节点配置为特定域的成员。 群集中的成员资格可以限制为属于特定域的成员的节点。 当节点生成集群消息时,节点的内核进程或操作系统进程将指示集群消息中节点的域。 集群消息可以是用于读取或写入集群的存储资源的命令消息。 当控制存储资源的集群存储资源节点或节点接收到命令消息时,节点将检查命令消息,以确保消息指示与集群对齐的域。 如果在命令消息中指示了适当的域,则处理命令消息。 否则命令消息被拒绝。

    DOMAIN BASED ISOLATION OF NETWORK PORTS
    6.
    发明申请
    DOMAIN BASED ISOLATION OF NETWORK PORTS 有权
    基于域的隔离网络端口

    公开(公告)号:US20120185581A1

    公开(公告)日:2012-07-19

    申请号:US13006618

    申请日:2011-01-14

    IPC分类号: G06F15/173 G06F15/16

    CPC分类号: H04L63/0236 H04L63/104

    摘要: When an operating system process evaluates a rule for an operation being attempted on a logical network port, the operating system process determines whether the target logical port falls within a range of logical ports, and then determines whether the operation is associated with a permitted domain of the range of logical ports. If the operation is a bind operation, then the process attempting to bind to the target port will be allowed to bind if the target port falls within the range and the operation/process is associated with a permitted domain. Otherwise, the binding operation will not be allowed to proceed.

    摘要翻译: 当操作系统进程评估在逻辑网络端口上尝试的操作的规则时,操作系统进程确定目标逻辑端口是否落入逻辑端口的范围内,然后确定该操作是否与允许的域 逻辑端口的范围。 如果操作是绑定操作,则如果目标端口在范围内,并且操作/进程与允许的域相关联,则尝试绑定到目标端口的进程将被允许绑定。 否则,将不允许绑定操作继续。

    Privilege management
    7.
    发明授权
    Privilege management 有权
    特权管理

    公开(公告)号:US08136147B2

    公开(公告)日:2012-03-13

    申请号:US11735679

    申请日:2007-04-16

    CPC分类号: G06F21/604

    摘要: A computer implemented method, apparatus, and computer program product for managing privileges on a data processing system. The process initiates a privilege monitor. All other entities in the data processing system are prevented from assigning privileges. The privilege monitor is the only entity authorized to assign privileges. The process monitors for requests for privileges. In response to detecting a request from a user for a privilege, the process selectively assigns the privilege to the user through the privilege monitor.

    摘要翻译: 一种用于管理数据处理系统的特权的计算机实现的方法,装置和计算机程序产品。 该进程启动一个特权监视器。 防止数据处理系统中的所有其他实体分配权限。 特权监视器是授权分配权限的唯一实体。 进程监视权限请求。 响应于检测到来自用户的权限的请求,该过程通过特权监视器向用户选择性地分配特权。

    Domain based access control of physical memory space
    8.
    发明授权
    Domain based access control of physical memory space 有权
    物理内存空间的基于域的访问控制

    公开(公告)号:US08832389B2

    公开(公告)日:2014-09-09

    申请号:US13006626

    申请日:2011-01-14

    IPC分类号: G06F13/00 G06F12/14

    CPC分类号: G06F12/1491

    摘要: Domains can also be used to control access to physical memory space. Data in a physical memory space that has been used by a process sometimes endures after the process stops using the physical memory space (e.g., the process terminates). In addition, a virtual memory manager may allow processes of different applications to access a same memory space. To prevent exposure of sensitive/confidential data, physical memory spaces can be designated for a specific domain or domains when the physical memory spaces are allocated.

    摘要翻译: 域也可用于控制对物理内存空间的访问。 在进程停止使用物理内存空间(例如,进程终止)之后,进程使用的物理内存空间中的数据有时会持续。 此外,虚拟存储器管理器可以允许不同应用的进程访问相同的存储器空间。 为了防止敏感/机密数据的暴露,物理内存空间可以在分配物理内存空间时为特定域或域指定。

    Domains based security for clusters
    9.
    发明授权
    Domains based security for clusters 有权
    基于域的群集安全

    公开(公告)号:US08595821B2

    公开(公告)日:2013-11-26

    申请号:US13006634

    申请日:2011-01-14

    IPC分类号: G06F9/00

    CPC分类号: G06F21/6218 G06F2221/2141

    摘要: Domains can be used to secure resources of a cluster. An administrator can configure a node of a cluster as a member of a particular domain. Membership in a cluster can be restricted to nodes that are members of the particular domain. When a node generates a cluster message, a kernel process or operating system process of the node will indicate the domain(s) of the node in the cluster message. The cluster message can be a command message to read or write to a storage resource of the cluster. When the cluster storage resource node or node that controls the storage resource receives the command message, the node will examine the command message to ensure the message indicates a domain that aligns with the cluster. If the proper domain is indicated in the command message, then the command message is processed. Otherwise, the command message is denied.

    摘要翻译: 可以使用域来保护群集的资源。 管理员可以将集群的节点配置为特定域的成员。 群集中的成员资格可以限制为属于特定域的成员的节点。 当节点生成集群消息时,节点的内核进程或操作系统进程将指示集群消息中节点的域。 集群消息可以是用于读取或写入集群的存储资源的命令消息。 当控制存储资源的集群存储资源节点或节点接收到命令消息时,节点将检查命令消息,以确保消息指示与集群对齐的域。 如果在命令消息中指示了适当的域,则处理命令消息。 否则命令消息被拒绝。

    DOMAIN BASED ISOLATION OF OBJECTS
    10.
    发明申请
    DOMAIN BASED ISOLATION OF OBJECTS 失效
    基于域的分离对象

    公开(公告)号:US20120185510A1

    公开(公告)日:2012-07-19

    申请号:US13006621

    申请日:2011-01-14

    IPC分类号: G06F17/30

    CPC分类号: G06F21/6281 G06F2221/2141

    摘要: Functionality can be implemented in an operating system to increase the granularity of isolation for objects. A domain can be defined to represent each of different entities (e.g., different departments or work groups). User identifiers and/or user credentials can be associated with the appropriate domain or domains. An administrator can then define a set of rules that govern operation(s) that can be performed on the objects based on the domains. Processes running on a system will inherit the domains of a user account logged into the system. When a process running on the system attempts to perform an operation on an object, an operating system process evaluates the domain isolation rules with an identifier of the object and a domain identifier to determine whether the operation is permitted to proceed.

    摘要翻译: 可以在操作系统中实现功能,以增加对象的隔离粒度。 可以定义域以表示不同实体(例如,不同部门或工作组)。 用户标识符和/或用户凭证可以与适当的域或域相关联。 然后,管理员可以定义一组管理基于域的对象执行的操作的规则。 在系统上运行的进程将继承登录系统的用户帐户的域。 当在系统上运行的进程尝试对对象执行操作时,操作系统进程将使用对象的标识符和域标识符来评估域隔离规则,以确定是否允许该操作继续。