This invention relates to access control technology suitable for preventing unauthorized access to information under the control of information processing units.
In most ordinary computer systems, confidential data files are protected using a user authentication system incorporated in a multi-user multi-task OS and a file access control system based on results of the authentication. Specifically, each time an information processing unit in which the OS is installed is used, the user must enter their user ID and password for authentication. An access control list is allocated to every file under the control of the information processing unit as security attribute information where, for each access type (file read or write, etc.), the list defines users who are authorized to access the file using user IDs and group IDs. If the user accesses a file through an application program, the OS checks the ID of the user as the access request source, as well as the ID of the group he or she belongs to, against the access control list allocated to the file being accessed, and only when the list includes the user ID, is access authorized.
On the other hand, as a technique to transmit or collect information or provide various services through the Internet, the World Wide Web (WWW) is being widely used. In the WWW system, a communication protocol known as Hyper Text Transfer Protocol (HTTP) is used to transmit request data and response data. Also, in the WWW system, several security techniques are available to prevent illegal substitution of content or leakage of confidential information through the network.
Among the security systems provided by HTTP is what is called “Basic Authentication.” In this basic authentication system, a user ID and a password are preregistered in the WWW server as authentication information, and a user ID and a password transmitted via a browser from the user are compared with the above authentication information to authenticate the user. A policy file which describes access rights to each content and an access control system based on the policy are also loaded in the WWW server. It is also possible to have the Common Gateway Interface (CGI) program incorporate a similar system for user authentication and control of access to contents.
In recent years, the number of illegal accesses utilizing security holes or bugs latent in Internet service programs and so on has been increasing. Information about these security holes and bugs is available from such sites as http://www.cert.org/and debugging programs are distributed by manufacturers. However, attackers or intruders use every possible technique for intrusion into information processing units from external networks, so a technique for more effective access control is needed.