1. Technical Field
This disclosure relates generally to securing resources in a distributed computing environment, such as a transaction processing environment.
2. Background of the Related Art
In a computing environment, a “system call” is a mechanism by which a program or process requests a service from an operating system's kernel. In a typical operating system (OS), such as Linux, the operating system segregates virtual memory into kernel space and user space, the former being reserved for running the OS kernel, kernel extensions, and device drivers, the latter being where all user mode applications work. System calls provide the interface between programs or processes executing in user space and the operating system kernel executing in kernel space.
For security reasons, it can be beneficial to analyze and modify data that is read or written by a program. If filtering or redaction (or, more generally, some other transformation) is required, then the data flowing through the system needs to be intercepted and acted upon. When system calls are intercepted, this data can be sent out for analysis and even modified according to pre-configured rules. When redaction is required, the simplest approach is to apply the redaction inside a one-to-one (1:1) mapping of intercepted to real system calls. Several existing commercial products perform this function.
Often, however, a single transaction's data can be split across multiple system calls. When intercepting system calls, e.g., for the purpose of applying transformations on the data sent and received through the operating system, there is no guarantee that the amount of data intercepted encompasses the entire logical packet. For example, consider a MySQL database that is receiving TCP packets. Each packet arrives in two parts: the header is received first and indicates the number of bytes in the packet body that follows. Now, suppose it is desired to redact queries to a database to restrict the results to a particular column (e.g., a SQL statement such as ‘where EMPLOYEE=20’). To do this, the database query is modified to fit the additional clause. In a 1:1 mapping of intercepted-to-real system calls, however, the header will have already passed to the database by the time the body is seen, and thus it will be too late to change the size of the packet. More generally, a single query (e.g., to read from the database) could be split up across multiple system calls. Irrespective of the nature of the query or the function required, once the data read or written in the system call is returned to the user process, it is too late to modify it. This limitation has prevented existing solutions from rewriting or redacting intercepted data that spans more than a single system call.
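The following Python simulation is an added example and is not part of the disclosure above. It models intercepted read() results as byte chunks and contrasts the 1:1 approach (transform each chunk as it passes) with a buffering interceptor that holds the header back until the whole logical packet has arrived. It assumes the MySQL wire framing (3-byte little-endian payload length, 1-byte sequence id, then the payload, whose first byte is 0x03 for COM_QUERY) and a hypothetical redaction rule that appends the clause from the text, `where EMPLOYEE=20`, to unqualified SELECTs. The sample chunks are constructed for the demonstration.

```python
"""Why per-syscall redaction fails on multi-syscall packets (added example)."""
import struct

COM_QUERY = 0x03  # MySQL command byte for a text query


def encode_packet(payload: bytes, seq: int = 0) -> bytes:
    """MySQL framing: 3-byte LE payload length, 1-byte sequence id, payload."""
    return struct.pack("<I", len(payload))[:3] + bytes([seq]) + payload


def decode_header(header: bytes):
    """Return (payload_length, sequence_id) from a 4-byte packet header."""
    return int.from_bytes(header[:3], "little"), header[3]


def redact_query(payload: bytes) -> bytes:
    """Hypothetical rule: restrict unqualified SELECT statements to EMPLOYEE=20."""
    if payload[:1] != bytes([COM_QUERY]):
        return payload  # not a query payload (e.g. a header or a partial chunk)
    try:
        text = payload[1:].decode("ascii")
    except UnicodeDecodeError:
        return payload
    if text.upper().startswith("SELECT") and " WHERE " not in text.upper():
        text += " where EMPLOYEE=20"
    return bytes([COM_QUERY]) + text.encode("ascii")


def naive_forward(chunks) -> bytes:
    """1:1 mapping: every intercepted read is transformed and forwarded at once.

    The header passes through before the body exists, so its length field can
    never be corrected; a body split across reads is never recognised at all.
    """
    return b"".join(redact_query(chunk) for chunk in chunks)


class PacketBuffer:
    """Accumulate intercepted reads until a whole packet is present, then
    transform the payload and re-emit it with a header that matches."""

    def __init__(self, transform):
        self.transform = transform
        self.buf = b""

    def feed(self, chunk: bytes) -> bytes:
        self.buf += chunk
        out = b""
        while len(self.buf) >= 4:
            length, seq = decode_header(self.buf)
            if len(self.buf) < 4 + length:
                break  # hold everything back until the body has fully arrived
            payload = self.buf[4:4 + length]
            self.buf = self.buf[4 + length:]
            out += encode_packet(self.transform(payload), seq)
        return out


def buffered_forward(chunks) -> bytes:
    pb = PacketBuffer(redact_query)
    return b"".join(pb.feed(chunk) for chunk in chunks)


def check_framing(stream: bytes):
    """(declared payload length, bytes actually present after the header)."""
    declared, _ = decode_header(stream)
    return declared, len(stream) - 4


# Constructed sample: one COM_QUERY packet, delivered as header + body, or as
# header + two body fragments (the multi-syscall case the text describes).
QUERY = bytes([COM_QUERY]) + b"SELECT * FROM emp"
HEADER, BODY = encode_packet(QUERY)[:4], QUERY
CHUNKS_TWO = [HEADER, BODY]
CHUNKS_THREE = [HEADER, BODY[:5], BODY[5:]]

if __name__ == "__main__":
    print("naive, 2 reads  :", check_framing(naive_forward(CHUNKS_TWO)))
    print("naive, 3 reads  :", naive_forward(CHUNKS_THREE) == b"".join(CHUNKS_THREE))
    print("buffered, 3 reads:", check_framing(buffered_forward(CHUNKS_THREE)))
```

With two reads the naive path forwards a header that still declares 18 payload bytes in front of a 36-byte redacted body, which the server will parse as one packet plus 18 bytes of garbage; with three reads the naive path never sees the text `SELECT` in a single chunk and forwards the query unredacted. The buffered path produces a consistent 36/36 packet in both cases because the header is regenerated after the transformation.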