CN101336415A - Access control - Google Patents

Access control

Publication number: CN101336415A
Authority: CN (China)
Application number: CN200680052134.1A
Other languages: Chinese (zh)
Inventor: L·塔尔卡拉
Original and current assignee: Nokia Oyj
Legal status: Pending
Keywords: access control, constraint, resources, application, service

Classifications

    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F9/468 Specific access rights for resources, e.g. using capability register
    • G06F2221/2101 Auditing as a secondary aspect
Abstract

Access control is provided for a data processing terminal that has various resources and is capable of executing arbitrary computer-executable applications using those resources. A set of conditional access control constraints is maintained, defining the permissible combinations of resources that applications may use in conjunction. Applications are allowed to run only within the constraints of the permissible combinations of resources used in conjunction by the applications that are run. The constraints are defined using access logs assigned to different access objects, and using service identifiers that are stored into the access logs corresponding to the services used. Propositional logic is applied to determine the allowable combinations of resources and/or services that may be used in conjunction.

Description

Access control
Technical field
The present invention relates generally to access control. More specifically, but not exclusively, it relates to software-based access control applied to different subjects (principals).
Background technology
Current mobile devices, such as mobile phones, are constantly acquiring more complex features (for example music and video players and e-book functions). These features handle copyright-protected content, and the sale of that content should be protected. It is also useful to restrict, occasionally or permanently, access to some features of a computer-like device, so as to prevent the spread of computer viruses, worms and other so-called malware designed with malicious intent.
Certain operating systems use resource-based access control, which maps the trust level of an authenticated program or user to an access policy. Each application may also be required to be reliably proven and authenticated by a certificate. This supports restricting each application's access to only the resources it has been granted. However, such an access control mechanism is problematic if a user should be able to use an arbitrary application (possibly an unverified program) to access some very important access-controlled resources for a particular operation.
For example, the users of various devices are equipped with a media player that should be able to handle data protected by digital rights management (DRM). To comply with some DRM schemes, the media player should be certified or proven by a certificate. However, certifying every media player is expensive and troublesome, since even after each small patch or upgrade the media player needs to be recertified and signed. The certificate proof is necessary to guarantee that arbitrary data managed by the program will not be passed on to another program, device or user.
Summary of the invention
The object of the invention is to avoid or at least alleviate the problems of the prior art and/or to provide a new technical alternative.
According to a first aspect of the invention, there is provided a method for controlling, in a data processing terminal having various resources, the access of arbitrary computer-executable applications to the resources, the method comprising:
maintaining a set of conditional access control constraints, which define the permissible combinations of resources that may be used in conjunction by applications; and
allowing applications to run only within the constraints of the permissible combinations of resources, these permissible combinations being used in conjunction by the applications that are run.
Advantageously, access by any application can be controlled on the basis of the access control constraints.
Resources may be defined as being used in conjunction when they are used simultaneously and/or in sequence.
Permissible combinations may be defined indirectly, by defining the non-permissible combinations.
Advantageously, defining the non-permissible combinations makes it possible to exclude forbidden combinations of resources, in particular their use by non-certified applications that cannot be trusted to have been designed to respect copyright.
An access control constraint may define at least two mutually exclusive functional blocks, or a combination of at least two mutually exclusive functional blocks.
The access control constraints are defined by means of access control objects. Different services are assigned corresponding service identifiers, different access objects are associated with corresponding access logs, and on a service call by an access object the service identifier of the service thus called is stored in the corresponding access log. An access control constraint may be a function, each function returning a single Boolean value based on one or more access logs.
Providing access logs whose service identifiers indicate the services used by a given access control object, and computing a Boolean value as the output of an access control constraint, yields a computationally simple access control mechanism.
Access by arbitrary applications to different services that may be used in conjunction can likewise be controlled by the maintained conditional access control constraints, by allowing applications to run only within the constraints of the permissible combinations of services used in conjunction by the applications that are run.
According to a second aspect of the invention, there is provided a data processing terminal having various resources and capable of executing arbitrary computer-executable applications using the resources, comprising:
a memory for maintaining a set of conditional access control constraints, which define the permissible combinations of resources that may be used in conjunction by applications; and
a processor configured to run applications only within the constraints of the permissible combinations of resources, these permissible combinations being used in conjunction by the applications that are run.
According to a third aspect of the invention, there is provided a computer program for controlling, in a data processing terminal having various resources, the access to the resources of arbitrary computer-executable applications running in the terminal, comprising:
computer program code for causing the terminal to maintain a set of conditional access control constraints, which define the permissible combinations of resources that may be used in conjunction by applications; and
computer program code for causing the terminal to run applications only within the constraints of the permissible combinations of resources, these permissible combinations being used in conjunction by the applications that are run.
According to a fourth aspect of the invention, there is provided a sub-component for controlling, in a data processing terminal having various resources, the access to the resources of arbitrary computer-executable applications running in the terminal, the sub-component comprising:
means for causing the terminal to maintain a set of conditional access control constraints, which define the permissible combinations of resources that may be used in conjunction by applications; and
means for causing the terminal to run applications only within the constraints of the permissible combinations of resources, these permissible combinations being used in conjunction by the applications that are run.
The means for causing the terminal to maintain the set of conditional access control constraints and/or the means for causing the terminal to run applications only within the constraints of the permissible combinations of resources may be based on any combination of chipset circuitry and computer code stored in one or more chipsets.
According to a fifth aspect of the invention, there is provided a method of making a data processing terminal having various resources control the access of arbitrary computer-executable applications to the resources, comprising:
storing in the terminal computer program code for causing the terminal to maintain a set of conditional access control constraints, which define the permissible combinations of resources that may be used in conjunction by applications; and
storing in the terminal computer program code for causing the terminal to run applications only within the constraints of the permissible combinations of resources, these permissible combinations being used in conjunction by the applications that are run.
The computer program code or software may be provided as one or more computer program products carried on and/or stored on a data medium, or embedded in a data signal. The software may also be hosted in a distributed manner by one or more devices.
The dependent claims relate to different embodiments of the invention, as do the embodiments described above. Subject matter contained in an embodiment and relating to a particular aspect of the invention may be applied to other aspects of the invention with the necessary modifications.
Description of drawings
Embodiments of the invention will now be described by way of example with reference to the accompanying drawings, in which:
Fig. 1 shows a block diagram of a mobile station according to an embodiment of the invention;
Fig. 2 shows an exemplary system of the main components according to an embodiment of the invention; and
Fig. 3 shows a flow chart representing operation according to an embodiment of the invention.
Embodiment
Fig. 1 shows a block diagram of a mobile station (MS) 100 according to an embodiment of the invention. MS 100 comprises a radio block 110 and a memory 120, which comprises a nonvolatile memory 121 for storing persistent operating instructions 122 and a working memory 123. MS 100 further comprises a processor 130 and a user interface 140. All of these components are connected to the processor 130. The processor is configured to read the persistent operating instructions 122 from the nonvolatile memory 121 and to use the working memory 123 to run the desired applications and services. The mobile station may for example be a smartphone capable of running operator-specific and/or user-defined applications. The mobile station may run software that complies with an open specification. The physical structure of the mobile station 100 is not important, however, as long as it allows the access of some units to each other to be controlled on the basis of different software.
Specific embodiments of the invention are described in detail, including the best mode known to the inventor. These embodiments attempt to restrict the provision of specific services when non-authenticated or untrusted software is used, without needing to comprehensively control or limit the operations that each service program performs on its own. Certain services can be blocked even when they involve interoperating, non-conveying, untrusted software. A level of granularity should therefore be provided that allows finer-grained access control over undesired services than the existing, known approach of simply blocking access to specific resources.
In describing the examples, the following assumptions are made:
1. The access control mechanism cannot prevent the termination of any process.
2. The required state of each subject is fixed.
3. The method is computationally light.
In the following, a framework according to an embodiment of the invention shown in Fig. 2 is described. It is based on the notions of service 201, service identifier 202, access control constraint 203 (also called a sandbox constraint), subject set 204, access log 205, service conduit 206 and subject 207. The purpose of the framework is to provide a particular function, namely configurable constraints on the behaviour of sets of conveying and non-conveying programs.
Before describing embodiments of the invention further, some terms are explained below. These terms are best understood when read with reference to Fig. 2.
A service comprises any mechanism in the operating system that can be used to provide a subject or a service conduit with the use of a feature, resource or function of the operating system. Such mechanisms include operating system calls, device drivers and/or server programs.
A service identifier is any unique name of a service. The identifier may be assigned statically or generated dynamically. When generated dynamically, a service identifier may have a structure or conform to a given hierarchy in order to provide uniqueness. A service identifier may for example be represented as an arbitrary bit vector. A service identifier should reliably identify one service.
A resource conduit, or service conduit, denotes any local service that can be used to transfer data or to provide a service. These local services or objects may for example be files, or programs with inter-process communication (IPC) capability. If the Symbian operating system (OS) is used in MS 100, service conduits may include server programs. A service conduit is similar to a subject (described below) in that it may be live or dead.
A subject denotes an object of access control (that is, of constraint), for example an application or a program. A subject may be a service conduit, and a service conduit may be a subject. Each subject is associated with its own access log. While a subject is present in the system it is live and its access log is available for checking. A dead subject has performed its function and has been removed from the system. For a dead subject, no access log need be available for checking. Nor is there any need for information to be available about which functions a dead subject performed, when, and/or how. The change of a subject from the live state to the dead state is called the termination of the subject.
Access object is a collective term that covers subjects and service conduits under a common name.
An access log is associated with each access object, for example by being attached to it. The access log enumerates the service identifiers of all services that have provided a service or information to the access object.
Sometimes independent, non-conveying subjects may collectively violate an access control constraint. It is therefore desirable to associate subjects with subject sets, over which the access control constraints can be computed. These sets need not be disjoint; that is, they may have common elements.
The subject sets that are explicitly computed may contain live subjects. A set containing a live subject and zero or more dead subjects is called the history of the subject. The complete history of a subject need not be present explicitly, in order to avoid memory overflow. Instead, all information concerning the access control constraints that relate to the subject history must be propagated from the dead subjects to the live subject. This is assumed to be feasible when the access control constraints have certain properties. For example, if an access control constraint is indifferent to the relations between service identifiers within the access logs of the individual subjects in the subject history, then a single access log can be created for all dead subjects in the history, and the service identifiers simply copied into it from all dead subjects.
Access control constraints, i.e. access constraints, are evaluated over the access logs of the subjects in a subject set or subject history. An access constraint is preferably a function returning a Boolean value, true or false. Access constraints may for example be implemented using logical equations. An access control constraint over a subject set should yield the same value even if a member of the subject set terminates. Otherwise the access constraint may be unable to cope with the unexpected termination of subjects.
Fig. 2 shows an example system of the main components according to an embodiment of the invention. In particular, Fig. 2 shows the relations between the different units of the access constraint system. It should be appreciated that there is a difference between computing the flow of service provision through a service conduit and computing the flow of information through it.
The direction of information flow is quickly computed from the sender and recipient relationship of a simplex or duplex relation. However, without specific knowledge of the nature of a given service, it is unlikely that one can determine whether the sender or the receiver in the information flow is the one providing the service. Services may be implemented with the help of complex protocol exchanges involving multiple signals from both sides, initiated by either the service provider or the consumer. Without precise knowledge of the syntax and semantics of the protocol, computing which party is the consumer and which is the producer of the service is infeasible. Two solutions are suggested: either annotate the services (so that it is easy to determine or compute which side is the consumer and which is the producer), or assume that the service is provided in both directions (that is, both parties in the exchange are both consumer and producer).
Basically, the system can be described by the following statements:
1. For each service identifier there is an associated set of services, and only these services are allowed to input that service identifier into access logs.
2. If an access object accesses or uses a service, then the service identifier of that service is appended to the access log of the access object.
3. If a subject uses or accesses a service conduit, then the access log of the subject is appended to the access log of the service conduit, and vice versa.
4. If a service conduit accesses or uses another service conduit, then the access logs of these service conduits are appended to each other.
5. If a service identifier is about to be input into the access log of a subject for the first time, then the access control constraints are evaluated. If an access control constraint evaluates to false after the service identifier is appended, then the current operation is rejected.
Evaluation of the access control constraints is based on computing the access control constraints over subject sets. This computation can be done in many ways. For example, the access control constraint itself may provide enough expressiveness and information to define these sets implicitly. Alternatively, the subject sets may be defined explicitly within the access control constraint, via grouping equations based on, for example, propositional logic.
In the general case, the access control constraints can be expressed using first-order predicate logic with a predicate P(subject, propositional logic equation over service identifiers), where P is defined as the value of the propositional logic equation over the service identifiers when evaluated on the service identifiers in the access log of the subject.
The access control constraints may be provided in various ways, for example by fixing them during manufacture of an embodiment of the invention, or by allowing on-the-fly policy updates, for example authenticated over-the-air updates of so-called security policies. For example, access control constraints may be provided by authenticating access control update messages with a temporary public key or a shared secret and sending them over the Internet or a cellular network (for example GSM). Such authenticated access control updates may comprise the insertion of one or more new constraints and/or the removal of old constraints.
Evaluation of first-order predicate logic is computationally heavy (with a deterministic algorithm, exponential time is needed). As such, a compromise solution is advantageous, and a computationally feasible grouping of subjects and evaluation of access control constraints is described below.
The dynamic aspects of the system influence the definition of the access control constraints. Inevitably, any subject involved in the provision of a service may, after having performed its function, or even while it should still be performing its function, terminate immediately, whether intentionally or by accident. For example, a chain of events may be that a first subject first writes data to a first file and terminates. A second subject then begins forwarding this data to a second file. This clearly implies a transfer of service identifiers in the access logs, but has no obvious effect on how the subject sets are formed.
The access control constraints should not prevent the termination of subjects. Sometimes a subject may terminate suddenly. This may affect an access control constraint evaluated over a subject set, because the set may contain more than one member element and any one of them may terminate.
Instead, the statements that can be expressed robustly may be limited to statements of the following forms:
There should be no subject history in which the access logs of the live subject and the dead subjects together unconditionally contain a defined conjunction of service identifiers.
There should be no single live subject whose access log and the subject itself cannot satisfy a defined access control constraint expressible in propositional logic.
An example of a computationally tractable form for expressing access control constraints is described below. Each access control constraint is divided into a grouping equation and an access control equation. The purpose of the grouping equation is to compute the subject set over which the access control equation must hold.
The grouping equation is defined using propositional logic over the universe of available propositions concerning subject attributes. For example, if a scalar value indicating a trust level can be associated with each subject, then the grouping equation can be given as a trust level threshold with a value of, say, 42. A subject may have a set of static authorizations. A subject may also have an authenticated creator. Correspondingly, grouping equations can be stated in forms such as "has authorization X", "published by Y", or even "has trust level < 42". A grouping equation may also contain propositions that confine the access control constraint to a single defined subject.
The access control constraints defined in an embodiment of the invention carry an additional indication, is_singleton. If is_singleton is defined as true for an access control constraint, then the grouping constraint produces subject sets that each contain exactly one subject for which the grouping equation evaluates to true. If is_singleton is false, then all subjects that satisfy the grouping constraint G of the access control constraint are placed into a common subject set. This means that if is_singleton is false for grouping constraint G, then at any given time there are zero or one subject histories for G. If is_singleton is true for grouping constraint G, then at any time there may be many (or no) singleton sets of (live) subjects, each set containing exactly one live subject for G. The mechanism of creating singletons allows access control equations of the form "if the service identified by id_x is not present in the access log of the subject, then the service identified by id_y is allowed for this subject". In an alternative embodiment of the invention, a similar feature is implemented by adding to the evaluation equations expressiveness beyond conventional propositional logic. The use of is_singleton supports the use of standard propositional logic. A further advantage of a separate is_singleton bit is that it is simple to infer how to recover from an attempted policy violation (that is, an attempt to violate an access control constraint). An access control constraint is denoted <is_singleton, G, S>, where G is the grouping equation and S is the access control equation. The grouping algorithm can basically be expressed as follows:
1. For each access control constraint C = <is_singleton, G, S>:
   If is_singleton is false and S cannot be expressed as the negation of a conjunction of literals (service identifiers), then report an error.
   If is_singleton is false, then create a subject set Set_C.
2. For each subject P:
   For each access control constraint C = <is_singleton, G, S>:
     If P satisfies G and is_singleton is false, then add P to Set_C.
     If P satisfies G and is_singleton is true, then create a new Singleton_C_P.
This algorithm should be run whenever the subject set or the access control constraints change. Optimizations are possible when bookkeeping is taken into account. When an access control constraint is added the time complexity is O(1); when a subject is added it is O(n), where n is the number of access control constraints; and when a subject is killed it is O(1).
The access control equation may be defined using propositional logic evaluated over the union of the service identifiers in the access logs. Thus, for the whole subject set, the access control equation is inherently either true or false.
The life cycle of subject sets and subject histories (both referred to below simply as the subject history) can be illustrated as follows:
Each history H of subjects is associated with an access control constraint C = <is_singleton, G, S>.
If we have a subject history, it can be assumed that is_singleton is false.
With each history H we also associate an individual access log L of "dead subjects".
During the life cycle of H, this access log L is attached to the history H. In an embodiment of the invention, L is removed from the system only after H has been removed. This embodiment is particularly suitable when the size of L is constant.
If a subject P satisfies the grouping constraint G of access control constraint C, then P is added to H.
If a subject P in H dies, then the service identifiers from the access log of P are copied into the access log L of dead subjects associated with H. If resources need to be freed, all traces of P can then be erased from the system.
If a subject P in H accesses a resource such that a new service identifier "x" is to be added to its access log, and "x" has not previously appeared in the access log of any subject in H, then the system checks that the access control equation S will still be satisfied once "x" is added to the access log of P; otherwise access is denied.
The access control equation S therefore cannot be concerned with the relations between service identifiers within the access log of a single given subject in H, but must be evaluated over the union of the access logs of the subjects in H. This allows meaningful constraints to be expressed while dead subjects can be removed from the system entirely, thus freeing system resources.
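The grouping algorithm and the history life cycle above, as an added illustration that is not code from the patent: subjects are grouped into a shared set Set_C or into singletons Singleton_C_P, a dead subject's identifiers are folded into the log L, and every request is checked against S over the union of live logs and L. The trust_level attribute, the bit positions of the service identifiers, the constraints and the subjects are constructed for this example.

```python
"""Subject sets, singletons and the dead-subject log L (added illustration)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterator, List, Tuple

MICROPHONE, NETWORKING, DRM = 1 << 0, 1 << 2, 1 << 5   # constructed bit positions


@dataclass
class Subject:
    name: str
    trust_level: int   # constructed attribute that a grouping equation G may test
    log: int = 0       # access log as a bit vector of service identifiers


@dataclass
class Constraint:
    """C = <is_singleton, G, S>: G ranges over subject attributes, S over the
    union of the set's access logs (for shared sets, S is a negated conjunction)."""
    name: str
    is_singleton: bool
    G: Callable[[Subject], bool]
    S: Callable[[int], bool]


@dataclass
class History:
    """Subject set for one constraint plus the log L of its dead subjects."""
    constraint: Constraint
    live: Dict[str, Subject] = field(default_factory=dict)
    dead_log: int = 0   # L: identifiers copied from terminated subjects

    def union(self) -> int:
        u = self.dead_log
        for p in self.live.values():
            u |= p.log
        return u


class Monitor:
    def __init__(self, constraints: List[Constraint]):
        self.constraints = constraints
        # step 1: one shared Set_C per constraint whose is_singleton is false
        self.shared = {c.name: History(c) for c in constraints if not c.is_singleton}
        self.singletons: Dict[Tuple[str, str], History] = {}   # Singleton_C_P

    def add_subject(self, p: Subject) -> None:
        """Step 2: for each C with G(P) true, join Set_C or open Singleton_C_P."""
        for c in self.constraints:
            if c.G(p) and c.is_singleton:
                self.singletons[(c.name, p.name)] = History(c, {p.name: p})
            elif c.G(p):
                self.shared[c.name].live[p.name] = p

    def sets_of(self, p: Subject) -> Iterator[History]:
        yield from (h for h in self.shared.values() if p.name in h.live)
        yield from (h for (_, n), h in self.singletons.items() if n == p.name)

    def request(self, p: Subject, sid: int) -> bool:
        """A first-time identifier enters P's log only if every S still holds
        over the union of the live logs and L once sid is included."""
        if p.log & sid:
            return True
        if not all(h.constraint.S(h.union() | sid) for h in self.sets_of(p)):
            return False
        p.log |= sid
        return True

    def terminate(self, p: Subject) -> None:
        """P dies: its log is folded into L of each shared history, its
        singleton sets disappear, and P itself can then be erased."""
        for h in list(self.sets_of(p)):
            if h.constraint.is_singleton:
                del self.singletons[(h.constraint.name, p.name)]
            else:
                h.dead_log |= p.log
                del h.live[p.name]


def scenario() -> Dict[str, bool]:
    """Constructed run: subjects with trust_level < 42 share one history whose
    S forbids DRM together with networking; a singleton constraint on every
    subject forbids microphone together with networking for that subject alone."""
    untrusted = Constraint("untrusted", False, G=lambda p: p.trust_level < 42,
                           S=lambda u: not (u & DRM and u & NETWORKING))
    mic_net = Constraint("mic_net", True, G=lambda p: True,
                         S=lambda u: not (u & MICROPHONE and u & NETWORKING))
    m = Monitor([untrusted, mic_net])
    player, sync = Subject("player", 10), Subject("sync", 10)
    voip, browser = Subject("voip", 90), Subject("browser", 90)
    for p in (player, sync, voip, browser):
        m.add_subject(p)
    out = {"player_drm": m.request(player, DRM)}         # allowed
    m.terminate(player)                                  # DRM now survives only in L
    out["sync_net"] = m.request(sync, NETWORKING)        # denied: L carries DRM
    out["voip_mic"] = m.request(voip, MICROPHONE)        # allowed
    out["voip_net"] = m.request(voip, NETWORKING)        # denied by voip's own singleton
    out["browser_net"] = m.request(browser, NETWORKING)  # allowed: singletons are per subject
    return out
```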
Example on the Symbian operating system (OS)
The capability bits of Symbian OS Platsec are used to evaluate the propositional-logic term "G" of the constraint <is_singleton, G, S>. These include at least the following capabilities: network services, local services, read user data, write user data and location. These (and other) capabilities are described later in this document.
If is_singleton is false, the illegal state is essentially defined over the set of all events in the access log during the lifetime of the subject set, not of a single subject. The access control constraints are advantageously part of what Symbian calls the Trusted Computing Base (TCB) and can only be modified, created, added or deleted by programs that have the TCB capability. The constraints are stored under a secure path, for example the sys sandbox.
For efficient processing, service identifiers are usually integers. An identifier table in the sys sandbox defines the secure identifiers (SIDs) and the capabilities required to set a given service identifier in an access log. Each identifier is advantageously given a human-readable name so that it can be referenced, for example, in the access control equations.
The following service identifiers are defined:
Microphone: indicates that the microphone has been used.
Loudspeaker: indicates that the loudspeaker has been used.
Networking: indicates that networking capabilities have been used.
File system write: indicates that the file system has been used to write data.
File system read: indicates that the file system has been used to read data.
DRM: indicates that DRM-protected data has been read.
Non-UI (user interface): this service identifier is set by all system functions that are not related to UI functions.
The attributes available in the grouping equation are the SID and the capabilities of the program. The attributes available in the access control equation are capabilities and service identifiers.
According to an embodiment of the invention, an access log is simply a bit vector with one bit per service identifier. The union of two access logs can be computed simply with a bitwise OR operation, a bitwise operation being one in which each bit is processed independently of all other bits. Two access logs can thus be joined using a bitwise OR. Service conduits are normally processes, services and files. An access log is associated with each process and file. Each service is annotated with its initiator/responder relation to the communication flow: the service is provided in the same direction as the information flow, in the opposite direction, or in both directions.
Any file can be regarded as a service conduit. If a program reads or writes a file, the access logs of the file and of the program are updated according to the annotation of the service identifier.
It will be appreciated that inter-process communication is somewhat more problematic: because the client-server relation can be arbitrary, it is not easy to infer in a robust manner the direction in which a service is provided. Therefore, executable programs and server functions are strictly divided into services and service conduits.
Programs and system calls that belong to the trusted computing environment and do not allow information to be passed between programs are considered services.
All other programs and system calls are considered service conduits.
For example, a system call that allows the colour of a pixel to be set could be used to covertly pass on access to a service that is subject to an access control constraint. In general, any covert channel between programs could be used for this purpose. If IPC takes place between a service and a program that is not a service, the service identifier of that service is appended to the access log of the program.
Besides this framework, network protocols can be used to communicate with subjects outside the host operating system. The same applies to removable media and to analogue channels, for example from the loudspeaker to the microphone or from the display to the camera. This should be taken into account in the definition of the access control constraints. This applies to any system that attempts to control access to information in the presence of external communication channels, whether analogue or digital. Note that many user interface functions can together serve as an analogue I/O channel between programs.
The enforcement of access control is described in more detail below. A separate access control server is created. The access control server can compute subject sets and evaluate access control constraints. The access control server can be software-based and provided by the processor 130. The IPC and file system infrastructure are modified to propagate and manage access logs, and to query the access control server whenever a new service identifier is to be added to an access log.
The services that need to be modified are part of the trusted computing environment. Particular attention should be paid to any existing covert channels. Symbian 9 has support for DRM that can handle the case of processes that do not interoperate, but for interoperating processes a more advanced implementation should further consider covert channels. Even if covert channels cannot be blocked completely, an embodiment of the invention makes them relatively ineffective.
There are two main situations in which this framework of the present invention, or its embodiments, is particularly effective for improving the state of DRM on Symbian.
First, when a process exists that has the DRM service identifier set in its access log, an access control constraint of this type can be defined to prevent use of the microphone. This essentially prevents content from being "re-digitised" on the same mobile phone that is playing it.
Second, the following constraint can be defined: if DRM content has been read, then the use of services that set the "Non-UI" service identifier is forbidden for a program without the DRM capability, except for the "file read" identifier. Thus a player for non-certificate-verified DRM of this type can run and can read instructions and/or commands from files. This constraint prevents such a player from passing information by any means other than the user interface.
In an embodiment of the invention, it is also required that the following three service identifiers are not used within the same subject set: microphone, loudspeaker and network, unless the software is trusted, that is, the software satisfies a predetermined grouping equation. Various grouping equation negotiation techniques are known in the prior art. This embodiment supports, for example, blocking the use of VoIP services without weakening the entire IP stack.
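The following C++ model is an added example, not code from the patent: it implements the bit-vector access log and bitwise-OR union, the subject set H with the log l inherited from dead subjects, and the <is_singleton, G, S> check described above, with the two DRM constraints from the preceding paragraphs encoded in S. The bit positions, the capability subset, the subject names and the two scenarios are assumptions made for illustration.

```cpp
// Added example, not code from the patent: a small model of the mechanism above.
// Bit positions, capability names and scenarios are constructed for illustration.
#include <cstdint>
#include <functional>
#include <string>
#include <vector>

using AccessLog = std::uint32_t;   // access log: one bit per service identifier
// Service identifiers named in the description (bit positions constructed).
enum ServiceId : AccessLog {
    MICROPHONE = 1u << 0, LOUDSPEAKER = 1u << 1, NETWORKING = 1u << 2,
    FILE_SYSTEM_WRITE = 1u << 3, FILE_SYSTEM_READ = 1u << 4, DRM = 1u << 5, NON_UI = 1u << 6,
};
// Capability bits seen by the grouping equation G (constructed subset).
enum Capability : std::uint32_t { CAP_NETWORK_SERVICES = 1u << 0, CAP_TCB = 1u << 1 };
struct Subject { std::string name; std::uint32_t capabilities; AccessLog log = 0; };
// History H: the live subject set plus the log l inherited from dead subjects.
struct History {
    std::vector<Subject> subjects;
    AccessLog deadLog = 0;
    AccessLog unionLog() const {    // union of all logs is a bitwise OR
        AccessLog u = deadLog;
        for (const auto& s : subjects) u |= s.log;
        return u;
    }
    void kill(const std::string& name) {   // fold a dead subject's log into l, then wipe it
        for (auto it = subjects.begin(); it != subjects.end(); ++it)
            if (it->name == name) { deadLog |= it->log; subjects.erase(it); return; }
    }
};
// Access control constraint C = <is_singleton, G, S>.
struct Constraint {
    bool isSingleton;
    std::function<bool(const Subject&)> G;   // grouping equation over capabilities
    std::function<bool(AccessLog)>      S;   // access control equation over a log
};
// P joins H only if it satisfies the grouping constraint G.
bool addSubject(History& h, const Constraint& c, const Subject& p) {
    if (!c.G(p)) return false;
    h.subjects.push_back(p);
    return true;
}
// Mediation: a new identifier x is admitted only if S still holds afterwards.
// Scope is P's own log when is_singleton, otherwise the union over all of H.
bool requestService(History& h, const Constraint& c, const std::string& name, AccessLog x) {
    for (auto& s : h.subjects) {
        if (s.name != name) continue;
        AccessLog scope = c.isSingleton ? s.log : h.unionLog();
        if ((scope & x) == 0 && !c.S(scope | x)) return false;   // deny
        s.log |= x;
        return true;
    }
    return false;                   // unknown subject
}

// S for programs outside the TCB, encoding two constraints discussed above: no
// microphone once DRM content was read, and never microphone + loudspeaker + network.
bool untrustedS(AccessLog l) {
    const AccessLog voip = MICROPHONE | LOUDSPEAKER | NETWORKING;
    return !((l & DRM) && (l & MICROPHONE)) && (l & voip) != voip;
}
Constraint untrustedConstraint() {
    return Constraint{false, [](const Subject& p) { return !(p.capabilities & CAP_TCB); }, untrustedS};
}

// A player reads DRM content and exits; its DRM bit survives in deadLog, so a
// recorder in the same history is still refused the microphone (no re-digitising).
bool drmScenarioDenied() {
    Constraint c = untrustedConstraint(); History h;
    addSubject(h, c, Subject{"player", 0}); addSubject(h, c, Subject{"recorder", 0});
    bool a = requestService(h, c, "player", DRM);            // allowed
    h.kill("player");
    bool m = requestService(h, c, "recorder", MICROPHONE);   // denied
    return a && !m;
}
// Microphone + loudspeaker + networking in one subject set is refused for untrusted
// software, blocking a VoIP pattern without weakening the IP stack.
bool voipScenarioDenied() {
    Constraint c = untrustedConstraint(); History h;
    addSubject(h, c, Subject{"voip", CAP_NETWORK_SERVICES});
    bool a = requestService(h, c, "voip", MICROPHONE) && requestService(h, c, "voip", LOUDSPEAKER);
    bool n = requestService(h, c, "voip", NETWORKING);       // denied
    return a && !n && h.unionLog() == (MICROPHONE | LOUDSPEAKER);
}
```

A subject with the TCB capability fails G and is never admitted to this history, so the trusted-software exception in the text is modelled by leaving such programs outside the constrained subject set.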
For the reader's interest, a framework for controlling the behaviour of programs in an operating system such as Symbian 9 is further described below.
OS capabilities are divided into two categories: user capabilities and system capabilities. User capabilities are a small and relatively easily understood set of capabilities that can be presented to the owner of the device when an application is installed. User capabilities allow the user to check, when an application is used, that the application should not perform any unexpected operations. System capabilities cannot be presented transparently to the user; instead, they are hidden from the user, because not all implications of system capabilities can be understood easily by the user.
The capabilities most likely to be used in the different embodiments of the invention are listed below, together with the access to operations that these capabilities control.
Network services - access to remote services without any restriction on their physical location. Usually the phone subscriber does not know the location. In addition, such services may incur costs for the phone subscriber.
Local services - access to remote services in the vicinity of the phone. The location of the remote service is known to the phone subscriber. In most cases such services do not incur costs for the phone subscriber.
Read user data* - read access to data that is confidential to the phone subscriber. This capability supports the management of the user's privacy. Contacts, messages and calendar are always considered confidential user data. Other content, for example images or sounds, depends on the situation.
Write user data* - managing the integrity of user data. Note that this capability is not symmetric with read user data. For example, one may wish to prevent a rogue application from deleting music tracks, but may not wish to restrict read access to them. Although all private data is known to be user data, the selection of confidential data is more arbitrary and may depend on the UI implementation.
Location - access to the location of the device. This capability supports managing the user's privacy with respect to the location of the phone.
*Note: the read user data and write user data capabilities are provided to protect the user's privacy. Not all data on the mobile phone, for example, must be protected by these capabilities. There are many use cases in which, from the user's point of view, particular application data may be private or public. For example, still images and video clips can be quite neutral or very sensitive, depending on their subject. Contacts, mail and calendar are usually personal. Whether someone has seen public data does not matter, but private data should usually be protected against unwanted access by other people and by malicious software (i.e. malware). The UI standard should address these issues and provide means for protecting private data. Protection can be implemented, for example, by using password protection, by dividing data into different folders according to the desired access (for example, by type of data), or by any combination of these.
In an embodiment of the invention, the system capabilities include one or more of the following:
- Write access to executable and shared read-only resources. Usually the same capability grants access to executable files, and the capability to access them is therefore very important.
- Direct access to communication device drivers.
- Power management, that is, the right to kill any process in the system, to turn off unused peripherals, to switch the machine to standby, to wake it again, or to power it off completely.
- Access to multimedia device drivers, for example for multimedia devices such as sound devices, cameras and video devices.
- Read access to settings or data that are secret to the network operator, the phone manufacturer and the device. For example, the PIN lock code, or the list of installed applications. Settings that are not secret, such as the system time, need not be protected by this capability.
- Write access to settings that control the behaviour of the device. For example, device lock settings, system time, time zone, alarm clock.
- Access to protected content. The DRM agent uses this capability to determine whether an application may access DRM content. Applications authorised by DRM can be trusted to observe the rights associated with the content.
- The right to create trusted UI sessions and thus to display dialogs in a secure UI environment. Trusted UI dialogs are rare and are mainly used when confidentiality and security are very important, for example for password dialogs. Normal access to the user interface and the display does not require this capability.
- The right for a server to register a protected name. Protected names begin with "!". The kernel prevents servers without the ProtServ capability from using such names and therefore prevents protected servers from being impersonated.
- Access to disk administration operations that affect more than one file system element (file or directory), or that affect the integrity and/or behaviour of the whole file system, etc. For example, the right to reformat a disk partition.
- The right to modify or access network protocol control. Usually, when an action can change the behaviour of all existing and future connections, it should be protected by network control. For example, forcing all existing connections on a specific protocol to disconnect, or changing the priority of a call.
- Read access to the whole file system.
- The right to generate software key and pen events and to capture any of them regardless of the state of the application. A normal application does not need SwEvent to dispatch key and pen events when it has focus.
Sometimes it is necessary to reliably identify an application and/or its vendor. The Symbian platform security model allows servers to control access to their APIs without knowing who the requester is, and therefore avoids the need to maintain access control lists. For the occasional need to uniquely identify an application, and even its source, a secure identifier (SID) and a vendor identifier (VID) are provided. The SID is guaranteed to be a locally unique identifier. The VID is contained in the executable file and provides a unique identification of the source of a given executable. In most cases the VID is zero, that is, no security check requires the source of the executable.
Fig. 3 shows a flow chart representing operation according to an embodiment of the invention. The flow chart starts at step 300, in which the terminal is idle. In step 310, a first arbitrary application is started. This application uses the radio block to stream media content down to the terminal. After the first arbitrary application has been started, in step 320 the terminal checks that no access constraint forbids the first application from using the radio block. If a forbidding constraint is found, access is denied, the application may be stopped and/or an error message may be provided, and the process resumes at step 300. Otherwise, in step 330 the terminal identifies the type of media content to be received and starts a third-party media player, which the user has configured as the preferred player for that media type. After the media player has been started, the terminal checks at step 340 whether the content is protected. If it is not protected, execution proceeds to step 350 and the terminal allows recording to start; otherwise execution jumps to step 360. In step 360 it is checked whether any access constraint has been violated. Assuming none has, the terminal proceeds to step 350. The called service or resource then starts, for example the media player plays back the content (which is being streamed down). If the result of the check in step 360 is yes, the terminal stops recording at step 370, because the combination of the capabilities used is forbidden. Operation then resumes at step 310.
It should be noted that in a typical multitasking environment, such as that used in Nokia communicators, several of the flows shown in Fig. 3 may run simultaneously.
An embodiment of the invention involves creating mutually exclusive access conditions in an access control system. The embodiment can selectively allow any one of a plurality of operations to be performed alone, but not in combination with another operation.
Particular implementations and embodiments of the invention have been described. It will be clear to a person skilled in the art that the invention is not restricted to the details of the embodiments described above, but can be implemented in other embodiments using equivalent means without departing from the characteristics of the invention. The scope of the invention is limited only by the appended patent claims.

Claims (18)

1. A method for controlling, in a data processing terminal having various resources, access to the resources by any computer-executable application, comprising:
maintaining a set of conditional access control constraints defining the admissible combinations of resources that may be used jointly by an application; and
running applications only within the constraints of the admissible combinations of resources, such that a running application uses only an admissible combination of resources jointly.
2. The method according to claim 1, wherein said admissible combinations are defined indirectly by defining non-admissible combinations.
3. The method according to claim 1 or 2, wherein said access control constraints define at least two mutually exclusive functional blocks or combinations of at least two mutually exclusive functional blocks.
4. The method according to any preceding claim, wherein said access control constraints are defined by access control objects.
5. The method according to claim 4, wherein different services are assigned corresponding service identifiers, different access objects are associated with corresponding access logs and with service calls on the access objects, whereby the service identifier of the calling service is correspondingly stored in the access log of the called service.
6. The method according to claim 5, wherein said access control constraints are defined by Boolean logic.
7. The method according to any preceding claim, wherein access by any application to different services that can be used jointly is also controlled by said maintained conditional access control constraints, by running applications only within the constraints of the admissible combinations of resources, such that a running application uses only an admissible combination of resources jointly.
8. A data processing terminal (100) having various resources and capable of executing any computer-executable application that uses the resources, comprising:
a memory (120);
a set (122; 203) of conditional access control constraints stored in the memory (120), defining the admissible combinations of resources that may be used jointly by an application; and
a processor (130) configured to run applications only within the constraints of the admissible combinations of resources, such that a running application uses only an admissible combination of resources jointly.
9. The terminal (100) according to claim 8, wherein said admissible combinations are defined indirectly by defining non-admissible combinations.
10. The terminal (100) according to claim 8 or 9, wherein said access control constraints (122; 203) define at least two mutually exclusive functional blocks or combinations of at least two mutually exclusive functional blocks.
11. The terminal (100) according to any of claims 8 to 10, wherein said access control constraints (122; 203) are defined by access control objects (207).
12. The terminal according to claim 11, wherein different services are assigned corresponding service identifiers (202), different access objects (207) are associated with corresponding access logs (205) and with service (201) calls on the access objects (207), whereby the service identifier (202) of the calling service is correspondingly stored in the access log (205) of the called service.
13. The terminal (100) according to claim 12, wherein said access control constraints (122; 203) are defined by Boolean logic.
14. The terminal (100) according to any of claims 8 to 13, wherein access by any application to different services (201) that can be used jointly is also controlled by the maintained conditional access control constraints (122; 203), by running applications only within the constraints of the admissible combinations of resources, such that a running application uses only an admissible combination of resources jointly.
15. A computer program for controlling the operation of a data processing terminal having various resources so as to control access to the resources by any computer-executable application, comprising:
computer program code for causing the terminal to maintain a set of conditional access control constraints defining the admissible combinations of resources that may be used jointly by an application; and
computer program code for causing the terminal to run applications only within the constraints of the admissible combinations of resources, such that a running application uses only an admissible combination of resources jointly.
16. A sub-component for controlling the operation of a data processing terminal having various resources so as to control access to the resources by any computer-executable application, the sub-component comprising:
means for causing the terminal to maintain a set of conditional access control constraints, the set of conditional access control constraints defining the admissible combinations of resources that may be used jointly by an application; and
means for causing the terminal to run applications only within the constraints of the admissible combinations of resources, such that a running application uses only an admissible combination of resources jointly.
17. The sub-component according to claim 16, wherein the means for causing the terminal to maintain the set of conditional access control constraints and/or the means for causing the terminal to run applications only within the constraints of the admissible combinations of resources are based on any combination of the following: chipset circuitry and computer code stored in one or more chipsets.
18. A method for making a data processing terminal having various resources capable of controlling access to the resources by any computer-executable application, comprising:
storing computer program code in said terminal, the computer program code for causing the terminal to maintain a set of conditional access control constraints, the set of conditional access control constraints defining the admissible combinations of resources that may be used jointly by an application; and
storing computer program code in said terminal, the computer program code for causing the terminal to run applications only within the constraints of the admissible combinations of resources, such that a running application uses only an admissible combination of resources jointly.
CN200680052134.1A 2006-02-01 2006-02-01 Access control Pending CN101336415A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/FI2006/050050 WO2007088237A1 (en) 2006-02-01 2006-02-01 Access control

Publications (1)

Publication Number Publication Date
CN101336415A true CN101336415A (en) 2008-12-31
