1. Field of the Invention
This invention relates generally to data processing systems which possess system files. Such files can be viewed as consisting of one or more segments, which in turn consist of fields, wherein segments, data objects, and fields are logical aggregates of information which may have a variety of physical manifestations including the format of the data. This invention relates particularly to secure data processing systems, in which access or manipulation of data objects, and the labeling and display of data objects can be performed only by programs executing on behalf of user entities which possess authorization and only by programs which are permitted to perform specific tasks. Authorization is determined by a security policy, which includes a set of pre-existing relationship that exist between security attributes associated, at the time access or manipulation is attempted, with the aforesaid user entities and data objects. Such security attributes can, for example, represent the degree of sensitivity of information contained in the data object with which one security attribute is associated and the degree of trustworthiness of a user entity with which a second security attribute is associated. Those tasks which a program are permitted to perform are also determined by the security policy, by having the policy include a set of pre-existing relationships that exist between programs or groups of programs (i.e., subsystems) which perform the tasks, the formats of the data objects that those programs (or groups of programs) may access, and the modes of access to the aforesaid data objects. A security policy, and a secure data processing system which enforces it, can be used in this case to mandate that sensitive information is accessed or manipulated only by appropriate programs executed on behalf of user entities which possess sufficient trustworthiness.
2. Description of the Related Art
It is known in related art to provide means whereby the modes or manners in which a program can access or manipulate a data object can be restricted to a fixed set, as for example, permitting or denying of the ability to read (access) information, write (enter) information, and/or other modes singly and in combination. An instance of such a set shall be referred to herein as an access right. In this techinique, access rights are granted by programs for data objects under their control, by setting values of fields within distinguished data objects, said distinguished data objects being differentiated from ordinary ones by being located within distinguished segments. The distanguished data objects are fetched by the data processing system prior to access or manipulation, and the data processing system will only perform the access or manipulations permitted by the contents of their access rights fields. The above technique suffers from two weaknesses. First, the existence of distinguished segments adds complication to the programs executed by the data processing system, because the programs must treat distinguished and ordinary segments in different ways. Second, programs are permitted to grant access without regard for the user entity on whose behalf the program is being executed, or any security attributes currently possessed by said user entity. Thus a user entity may execute a program which grants an access right to another program executing on behalf of said user entity, which access right is not authorized by pre-existing security policy. It is further known within related art to permit only highly trusted programs to grant access rights. When a program executing on behalf of a given user entity wishes a given access right to a given ordinary data object, said program invokes the highly trusted program, which obtains the current security attributes associated with the given user entity and the given ordinary data object and insures that an access right is granted which is authorized by the security policy. The above technique suffers from the weakness that the compromise of software programs, such as the highly trusted program described above, is known to be relatively easy to accomplish, such compromise can go undetected, and demonstration that a program has not been compromised is known to be extremely difficult.
It is still further known in related art to provide apparatus which is capable of recognizing distinguished data objects, thereby permitting the mixing of distinguished and ordinary data objects within segments, and to restrict the setting of access rights to highly trusted programs in the manner described above. This technique suffers from two weaknesses. First, the highly trusted program is subject to compromise as described above. Second, even if the highly trusted program is not compromised, a program executing on behalf of one user entity may establish an access right to some ordinary data object, which access right is unauthorized according to security policy. Such compromise is effected by having the program obtain a distinguished data object which grants an access right to a given ordinary data object, said access right being authorized by security policy, and then having the program place said distinguished data object in a segment which can be accessed by a program executing on behalf of a second user entity, which second user entity has current security attributes different from the first user entity, and which second user entity security attributes do not authorize, according to security policy, the access right thereby obtained.
It is yet further known in the related art to provide, in addition to the mixing of distinguished and ordinary data objects in segments, and in addition to the providing of highly trusted software to set the values of distinguished data objects in the manner described above, apparatus which restricts the placement of distainguished data objects to segments which are accessed in common only by programs executing on behalf of user entities whose possible security attributes would authorize, according to security policy, the access rights granted by such distinguished data objects. The above technique suffers from three weaknesses. First, the highly trusted software is subject to compromise as described above. Second, the restriction on the storage of distinguished data objects limits the activity of programs executing on behalf of user entities, and thereby reduces the effectiveness and efficiency of those programs. Third, the consequences of a malfunction in the apparatus which enforces such restriction is catastrophic, in that once a distinguished data object is placed in a segment to which access is freely shared, said distinguished data object can be moved and copied among segments in the data processing system in a manner impossible to trace and reverse.
All of the aforementioned techniques suffer from the additional weakness that a malicious user entity may place in the system a program which can be executed on the behalf of an unsuspecting user entity. The malicious program may then use the access rights authorized to the unsuspecting user entity to copy information in a manner such that the malicious user entity would, in effect, obtain unauthorized access to data objects and such copying would not be detected by said unsuspecting user entity.
It is still further known in the related art to permit only highly trusted programs to access system files, and to require that programs executing on behalf of user entities invoke said highly trusted program upon each attempt to access system files. This technique suffers from three weaknesses. First, the highly trusted program is subject to compromise as described above, and the demonstration that the program has not been compromised is virtually impossible, owing to the number of functions performed by the program. Second, even if the highly trusted program is not subject to compromise, it is extermely difficult to demonstrate that access to system files cannot be gained by means outside said highly trusted program. Third, the use of an intermediary program to perform accesses to system files severely degrades the performance of the programs which execute on behalf of user entities.
It is yet further known in the related art to permit users to store a distinguished data object describing a segment within other segments, the distinguished data object containing access rights information, and to permit users to retrieve the distinguished data object and subsequently to access the contents of the described segment in accordance with the access rights information retrieved from the distinguished data object. The above technique suffers from the weakness that since the user's access rights for a segment are determined when the distinguished data object is constructed, that user's access rights cannot effectively be revoked if the user can retain obsolete access rights for use after revocation.
A further weakness of these prior techniques is that one authorized by the security policy to access a data object may output such data in an unmarked format, then use or copy the data in contravention of the security status of the data.