Methods, Systems, and Products for Secure Access to File System Structures
Methods, systems, and products secure access to a file system. A directory is established in a hierarchical file structure having access permissions defined by a first owner. A subdirectory is established in the directory. A sub-level subdirectory is established in the subdirectory having access permissions defined by a second owner. The subdirectory is publicly accessible to anyone satisfying the access permissions defined by the first owner, so that a change directory system call is executed for a user in the subdirectory even though the user has not authenticated against the access permissions defined by the second owner.
This application is a continuation of U.S. application Ser. No. 12/326,232 filed Dec. 2, 2008, since issued as U.S. Pat. No. ______, and incorporated herein by reference in its entirety.
BACKGROUND
Exemplary embodiments generally relate to electrical computers and digital processing systems and, more particularly, to file protection and security levels.
Computer and network security is a common concern. Nearly every day some virus, threat, or “hacker” makes the news. Many computer experts thus devote themselves to developing schemes that improve the security of sensitive data and files. These past and current schemes, though, are based on monitoring for suspicious access patterns and alerting when they are detected. Such schemes are best-effort: they can limit the amount of data stolen, but they cannot prevent data from being stolen. Other conventional schemes protect a document repository with a single user identification.
Exemplary embodiments provide methods, systems, and products for securing access to a file system. Exemplary embodiments describe a hierarchical file structure having an access scheme that provides scalable protection for shared, electronic documents. Exemplary embodiments establish a publicly-accessible subdirectory in the hierarchical file structure. That is, if a user successfully authenticates against the access permissions of an upper-level directory, then the user has global search permission in a lower-level subdirectory. The user is held in that subdirectory, however, until the user successfully authenticates against the access permissions of any lower-level subdirectory. The user, then, must satisfy the directory-level access permissions to reach the publicly-accessible subdirectory, but is prevented from entering lower-level subdirectories until further access permissions are satisfied. The user is therefore required to authenticate two separate times to traverse the hierarchical file structure from the directory, to the subdirectory, and then to the lower-level subdirectory. This access scheme is scalable, such that N different layers in the hierarchical file structure may require N different authentications.
Exemplary embodiments include a method for securing access to a file system. A directory is traversed in a hierarchical file structure having a first access permission requirement. A subdirectory in the directory is established that has a global search permission. A sub-level subdirectory in the subdirectory is also established having a second access permission requirement. When a user successfully authenticates to the first access permission requirement of the directory, then the user is permitted to execute a change directory system call in the subdirectory, even though the user has not authenticated the second access permission requirement for the sub-level subdirectory.
More exemplary embodiments include a system for securing access to a file system. Means are disclosed for establishing a directory in a hierarchical file structure having access permission defined by a first owner. Means for establishing a subdirectory in the directory is included. Means are also included for establishing a sub-level subdirectory in the subdirectory having access permissions defined by a second owner. When a user successfully authenticates the access permission of the directory, then means are included for executing a change directory system call in the subdirectory, even though the user has not successfully authenticated the access permissions defined by the second owner.
Still more exemplary embodiments include a computer readable medium that stores instructions for performing a method of securing access to a file system. A processor executes an operating system stored in memory, and the operating system has a hierarchical file structure. A directory in the hierarchical file structure is accessed having access permission defined by a first owner. A subdirectory in the directory is accessed. A sub-level subdirectory in the subdirectory is read having access permission defined by a second owner. A change directory system call is executed in the subdirectory for a user that successfully authenticates the access permission of the directory, even though the user has not successfully authenticated the access permissions defined by the second owner for the sub-level subdirectory. An access time for an invalid directory path is compared to a threshold access time. When the access time equals or exceeds the threshold access time, then the method notifies of a security threat.
Other systems, methods, and/or computer program products according to the exemplary embodiments will be or become apparent to one with ordinary skill in the art upon review of the following drawings and detailed description. It is intended that all such additional systems, methods, and/or computer program products be included within this description, be within the scope of the claims, and be protected by the accompanying claims.
BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS
These and other features, aspects, and advantages of the exemplary embodiments are better understood when the following Detailed Description is read with reference to the accompanying drawings, wherein:
The exemplary embodiments will now be described more fully hereinafter with reference to the accompanying drawings. The exemplary embodiments may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. These embodiments are provided so that this disclosure will be thorough and complete and will fully convey the exemplary embodiments to those of ordinary skill in the art. Moreover, all statements herein reciting embodiments, as well as specific examples thereof, are intended to encompass both structural and functional equivalents thereof. Additionally, it is intended that such equivalents include both currently known equivalents as well as equivalents developed in the future (i.e., any elements developed that perform the same function, regardless of structure).
Thus, for example, it will be appreciated by those of ordinary skill in the art that the diagrams, schematics, illustrations, and the like represent conceptual views or processes illustrating the exemplary embodiments. The functions of the various elements shown in the figures may be provided through the use of dedicated hardware as well as hardware capable of executing associated software. Those of ordinary skill in the art further understand that the exemplary hardware, software, processes, methods, and/or operating systems described herein are for illustrative purposes and, thus, are not intended to be limited to any particular named manufacturer.
As used herein, the singular forms “a,” “an,” and “the” are intended to include the plural forms as well, unless expressly stated otherwise. It will be further understood that the terms “includes,” “comprises,” “including,” and/or “comprising,” when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. It will be understood that when an element is referred to as being “connected” or “coupled” to another element, it can be directly connected or coupled to the other element or intervening elements may be present. Furthermore, “connected” or “coupled” as used herein may include wirelessly connected or coupled. As used herein, the term “and/or” includes any and all combinations of one or more of the associated listed items.
It will also be understood that, although the terms first, second, etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another. For example, a first device could be termed a second device, and, similarly, a second device could be termed a first device without departing from the teachings of the disclosure.
Here, though, exemplary embodiments establish a scalable and secure access scheme for the hierarchical file structure 40. Before a user of the device 20 may traverse the hierarchical file structure 40 to access the lower-level subdirectory 48, the user must first satisfy one or more different authentication requirements. The user, for example, may need to successfully authenticate any access permissions 60 associated with the upper level directory 44. The traversing user, for example, may be required to input a correct password before the user may continue traversing the hierarchical file structure 40 to other files and/or levels. When the user satisfies the access permissions 60, then the user is permitted to traverse the hierarchical file structure 40 to the mid-level subdirectory 46. If the user wishes to continue traversing the hierarchical file structure 40 into the lower-level subdirectory 48, then the user must satisfy different access permissions 62 associated with the lower-level subdirectory 48. That is, the user is required to authenticate two separate times in order to traverse the hierarchical file structure 40 from the upper level directory 44 to the lower-level subdirectory 48.
The mid-level subdirectory 46 may thus be publicly accessible. If a user successfully authenticates the access permissions 60 of the upper level directory 44, then exemplary embodiments allow the user to have global search permissions in the mid-level subdirectory 46. That is, the user is “held” in the mid-level subdirectory 46 until the user successfully authenticates the different access permissions 62 associated with the lower-level subdirectory 48. Even though the user has global search permissions in the mid-level subdirectory 46, exemplary embodiments may prevent the user from accessing the lower-level subdirectory 48 until the different access permissions 62 are satisfied. The user must therefore successfully authenticate two separate times in order to traverse the hierarchical file structure 40. As later paragraphs will explain, this access scheme is scalable, such that N different layers in the hierarchical file structure 40 may require N different authentications. Progress through the hierarchical file structure 40 is impeded by the successive requirements to authenticate. Different owners may establish different permissions for each hierarchical level in the hierarchical file structure 40.
Exemplary embodiments may be explained using path notation. The hierarchical file structure 40 illustrated in
d1/hold/d2/hold,
where “d1,” “d2,” and “hold” are directories. The “d1” and “d2” directories may only allow access to their respective owners. That is, directory “d1” may have its own access permission (such as the access permissions 60 associated with the upper level directory 44), while directory “d2” has its own and different access permissions (such as the different access permissions 62 associated with the lower-level subdirectory 48). The “hold” directory, however, allows access to anyone (as the mid-level subdirectory 46 permits). If a user wants to traverse from directory “d1” to directory “d2,” the user must first successfully authenticate the access permissions of directory “d1.” If the user, for example, enters the correct password for directory “d1,” then the user traverses to the “d1/hold” directory. Here, though, the user is “held” in the “d1/hold” directory until the user successfully authenticates the different access permissions required by the “d1/hold/d2” directory. That is, exemplary embodiments may allow the user to have global search permissions in the “d1/hold” directory, but the user may need to again authenticate before accessing the “d1/hold/d2” directory. The user must therefore successfully authenticate two separate times in order to traverse from directory “d1” to directory “d1/hold/d2.”
An analogy may help explain the different authentications. The above access scheme can be analogized to the cockpit of a jet airliner. When a co-pilot needs to access the cockpit, the co-pilot's access procedure may be written as
firstclasscabin/door1/hold/door2.
Imagine a co-pilot walking from the jetway, through the fuselage access door, and onto the jet airliner. The co-pilot enters the first class cabin area. The first class cabin (e.g., directory “firstclasscabin”) may share the same space as a first doorway (e.g., directory “door1”) to the jet's cockpit. When the co-pilot unlocks the first doorway (directory “door1”), the co-pilot enters a holding area (e.g., directory “hold”). The co-pilot then closes and locks the first doorway (directory “door1”) to prevent unauthorized entry to the holding area (directory “hold”). The pilot in the cockpit scans the holding area (directory “hold”) and authenticates the co-pilot. When the co-pilot is authenticated, a second door (e.g., directory “door2”) to the cockpit unlocks, thus allowing the co-pilot to enter the jet's cockpit.
Exemplary embodiments thus describe a two-phase access scheme. A first phase describes authenticating, accessing, and “holding” in the “d1/hold” directory. When the user successfully performs a second authentication, then the user is permitted access to the “d1/hold/d2” directory. The user, then, must first authenticate against the access credentials established by an owner of the “d1” directory. If the user is successful, the user enters the “d1/hold” directory. Here, though, the user is required to authenticate against the access credentials of an owner of the “d2” directory. If the access permissions or credentials of directories “d1” and “d2” are different (e.g., different owners for each directory), then the user must successfully authenticate two different times. That is, the user must twice succeed to access the “d2” directory. This two-phase access scheme greatly complicates a potential hacker's efforts and, thus, improves the security of files stored in the “d2” directory.
Exemplary embodiments may be incorporated into any operating system. As those of ordinary skill in the art understand, the operating system 24 may be considered a master control program for the device 20. When the device 20 is powered, the operating system 24 loads from the memory 26 (perhaps using an auto-executing “boot” program). The operating system 24 (commonly abbreviated “OS” or “O/S”) manages the software and hardware components of the device 20. There are many different operating systems (such as MICROSOFT® WINDOWS®, MAC® OS, UNIX®, LINUX®, and SOLARIS® ), and exemplary embodiments may be integrated or incorporated into any operating system. Because operating systems are well known, no further explanation is needed.
The device 20 is only simply illustrated. Because the architecture and operating principles of processor-controlled devices are well known, their hardware and software components are not further shown and described. If the reader desires more details, the reader is invited to consult the following sources: A
Exemplary embodiments thus change access permissions. If a user wishes to traverse the path “ . . . /d1/d2/ . . . ,” POSIX semantics for the “change directory” system call can get in the way: after a “setuid” system call the process keeps its current working directory (the directory from which “setuid” was executed), and if that directory is not searchable by the new identity, relative path lookups and further change-directory calls from it fail. Exemplary embodiments, though, may change the permissions assigned to each of the directories. The intermediate directory “d1/hold” has access permissions that allow at least search access to both the current identity and the new identity, so the identity switch can take place there. The intermediate directory “d1/hold” forces the user to “hold” with global search permissions. The user is “held” in the intermediate directory “d1/hold” until the user successfully authenticates for the “d1/hold/d2” directory.
The hacker is thus presented with multiple choices and, thus, multiple authentication requirements. The hacker will not know the correct path sequence, so the hacker will have to guess which of the paths contains the desired file or data. Authorized users, however, will know the correct path and correctly authenticate to the desired directory location. Exemplary embodiments thus confine the hacker in one of multiple mid-level subdirectories 46 (e.g., {hold1, hold2, . . . hold(N)}) until a sublevel access permission is satisfied (such as the different access permissions 62). This confine-and-authenticate feature provides a more secure access structure for sensitive documents.
As
The log 92 may be used to determine security threats. Exemplary embodiments may read or scan the log 92 for offending entries that may indicate security threats. As the above paragraphs explained, each access time 70 may be compared to the threshold time 72. If the access time 70 equals or exceeds the threshold time 72, then the offending access time 70 may indicate a security threat. Exemplary embodiments may also apply more stringent rules, such as the number 110 of access attempts within a predetermined time 112. If a user exceeds a maximum number 114 of access attempts, for example, the user may be attempting to hack into the hierarchical file structure 40. A simple rule may even restrict the user to the maximum number 114 of access attempts before flagging a potential threat.
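As an added example of the log rules just described (and of the count-of-invalid-paths and threshold-time checks recited in the claims), the following Python parses constructed audit-log lines and applies both rules. This is example code written for this page, not the patent's own implementation; the log format, its field names, the user names, and the default limits are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed audit-log lines in an assumed format (timestamp, user, path chosen,
# whether that path was one of the purposely invalid ones, seconds spent on it).
# This is not a log format taken from the page.
SAMPLE_LOG = """\
2017-02-10T10:00:01 user=alice path=/d1/hold1 result=ok elapsed=0.8
2017-02-10T10:00:05 user=eve path=/d1/hold2 result=invalid elapsed=0.3
2017-02-10T10:00:09 user=eve path=/d1/hold3 result=invalid elapsed=0.2
2017-02-10T10:00:14 user=eve path=/d1/hold4 result=invalid elapsed=0.4
2017-02-10T10:00:20 user=eve path=/d1/hold5 result=invalid elapsed=0.3
2017-02-10T10:09:00 user=bob path=/d1/hold1/d2/hold2 result=invalid elapsed=45.0
2017-02-10T11:30:00 user=mallory path=/d1/hold3 result=invalid elapsed=0.1
garbage line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) path=(?P<path>\S+) "
    r"result=(?P<result>ok|invalid) elapsed=(?P<elapsed>[\d.]+)$"
)


def parse_log(text: str) -> List[dict]:
    """Return one dict per well-formed line; malformed lines are dropped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        entries.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "path": m["path"],
            "invalid": m["result"] == "invalid",
            "elapsed": float(m["elapsed"]),
        })
    return entries


def detect_threats(entries: List[dict], max_attempts: int = 3,
                   window: timedelta = timedelta(minutes=1),
                   threshold_time: float = 30.0,
                   per_user_max: Optional[Dict[str, int]] = None) -> List[Tuple[str, str, str]]:
    """Apply the two rules from the text to parsed entries.

    1. An invalid directory path whose access time equals or exceeds
       `threshold_time` is reported as an access-time threat.
    2. Per user, a sliding window of length `window` over invalid-path
       selections; when the count inside the window exceeds the user's limit
       (per_user_max if set for that user, else max_attempts) the user is
       reported once.
    Returns (user, rule, detail) tuples.
    """
    per_user_max = per_user_max or {}
    threats: List[Tuple[str, str, str]] = []
    invalid_times: Dict[str, List[datetime]] = defaultdict(list)

    for e in entries:
        if not e["invalid"]:
            continue
        if e["elapsed"] >= threshold_time:
            threats.append((e["user"], "access-time", e["path"]))
        invalid_times[e["user"]].append(e["ts"])

    for user, times in invalid_times.items():
        limit = per_user_max.get(user, max_attempts)
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # slide the window forward
                start += 1
            count = end - start + 1
            if count > limit:
                threats.append((user, "invalid-path-count", f"{count} within {window}"))
                break
    return threats


if __name__ == "__main__":
    for threat in detect_threats(parse_log(SAMPLE_LOG)):
        print(threat)
```

On the constructed lines, “eve” is flagged on her fourth invalid path inside one minute, “bob” is flagged for spending 45 seconds on an invalid path, and “mallory” with a single miss is not flagged unless a per-user limit of zero is associated with her.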
Exemplary embodiments are scalable. The public access permissions of the intermediate directory “d1/hold” may be contiguously applied in the hierarchical file structure (illustrated as reference numeral 40 in
d1/hold/d2/hold/ . . . /d(N)/hold/sensitivedocument,
with N representing an integer. Each directory {d1, d2, . . . d(N)} only allows access to its respective owner. That is, each directory d(N) may require different access permissions (e.g., passwords). Each “hold” directory may have the same permissions (such as 555, r-xr-xr-x), so that any identity may enter and list it. The path repository is thus 2N deep, with each directory d(N) owned by a different user and access restricted to that single owner (i.e., chmod 700 d[1..N], rwx------). A complete traversal of the hierarchical file structure 40 (or “tree”) may require successfully authenticating N different times. Increasing the protection strength means increasing the depth N and, correspondingly, the number of authentications required.
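As an added illustration of the d1/hold/d2/hold/.../d(N)/hold layering and of the earlier point about “change directory” after a “setuid,” the following Python models the tree in memory and walks it. It is example code written for this page, not code from the patent. The owner names, passwords, the starting identity “guest,” and the password lookup that stands in for a real authentication step are all constructed for the example; the permission check models only the owner and “other” classes, since the page uses only the 700 and 555 modes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Dir:
    """One directory of the modelled tree: name, owning user and POSIX mode bits."""
    name: str
    owner: str
    mode: int                                   # e.g. 0o700 or 0o555
    children: Dict[str, "Dir"] = field(default_factory=dict)


def can_search(d: Dir, uid: str) -> bool:
    """chdir() into `d` needs the search (execute) bit of the caller's class.
    Only the owner and 'other' classes are modelled (assumption: no group bits)."""
    bits = d.mode >> 6 if uid == d.owner else d.mode
    return bool(bits & 0o1)


def build_repository(owners: List[str], hold_mode: int = 0o555) -> Dir:
    """Build d1/hold/d2/hold/.../d(N)/hold: each d(i) is chmod 700 and owned by
    owners[i-1]; each 'hold' is chmod 555 (override hold_mode to experiment)."""
    root = Dir("/", "root", 0o755)
    cur = root
    for i, owner in enumerate(owners, start=1):
        d = Dir(f"d{i}", owner, 0o700)
        hold = Dir("hold", owner, hold_mode)
        d.children["hold"] = hold
        cur.children[d.name] = d
        cur = hold
    return root


def traverse(root: Dir, path: str, uid: str,
             vault: Dict[str, str], creds: Dict[str, str]) -> Tuple[str, int, str]:
    """Walk `path` from `root`, starting as identity `uid`.

    When the current identity cannot search the next component, the walker tries
    to authenticate as that component's owner (comparing `creds` against `vault`
    stands in for the real check) and then switches identity, as a setuid-style
    helper would. After setuid the process keeps its working directory, so the
    switch is only allowed from a directory the new identity can itself search;
    that is what the 0o555 'hold' directories are for.
    Returns (deepest path reached, number of authentications, final identity).
    """
    cur, reached, auths = root, [], 0
    for comp in path.strip("/").split("/"):
        nxt = cur.children.get(comp)
        if nxt is None:
            break
        if not can_search(nxt, uid):
            owner = nxt.owner
            authenticated = owner in vault and creds.get(owner) == vault[owner]
            if not authenticated or not can_search(cur, owner):
                break                           # held here until the next owner's credential is supplied
            uid, auths = owner, auths + 1
        cur, reached = nxt, reached + [comp]
    return "/" + "/".join(reached), auths, uid


if __name__ == "__main__":
    # Constructed owners and passwords for the example.
    owners = ["alice", "bob", "carol"]
    vault = {"alice": "pw-a", "bob": "pw-b", "carol": "pw-c"}
    tree = build_repository(owners)
    print(traverse(tree, "d1/hold/d2/hold/d3/hold", "guest", vault, vault))
    print(traverse(tree, "d1/hold/d2/hold/d3/hold", "guest", vault,
                   {"alice": "pw-a", "bob": "pw-b"}))
```

With all three passwords the walk reaches d3/hold after three identity switches; without the third password it is held in d2/hold; and rebuilding the tree with “hold” directories at mode 700 stops the walk at d1/hold even with every password, because the second owner cannot search the directory the switch would be made from.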
As
Exemplary embodiments may be applied regardless of networking environment. The communications network 122 may be a cable network operating in the radio-frequency domain and/or the Internet Protocol (IP) domain. The communications network 122, however, may also include a distributed computing network, such as the Internet (sometimes alternatively known as the “World Wide Web”), an intranet, a local-area network (LAN), and/or a wide-area network (WAN). The communications network 122 may include coaxial cables, copper wires, fiber optic lines, and/or hybrid-coaxial lines. The communications network 122 may even include wireless portions utilizing any portion of the electromagnetic spectrum and any signaling standard (such as the I.E.E.E. 802 family of standards, GSM/CDMA/TDMA or any cellular standard, and/or the ISM band). The communications network 122 may even include powerline portions, in which signals are communicated via electrical wiring. The concepts described herein may be applied to any wireless/wireline communications network, regardless of physical componentry, physical configuration, or communications standard(s).
d1/hold2/d2/hold1/potofgold.
If a potential hacker gains access to directory “d1” (illustrated as reference numeral 150), then the hacker is immediately presented with a choice of subdirectories “d1/hold1” and “d1/hold2” (illustrated, respectively, as reference numerals 152 and 154). The subdirectories “d1/hold1” and “d1/hold2” are owned by a different user (e.g., “user 2”). The hacker must now successfully complete another authentication attempt (as defined by “user 2”), and the hacker must also select the correct path. If the hacker satisfies the “user 2” permissions for directory “d2,” and the hacker correctly chooses path d1/hold2, then the hacker encounters more path choices. The subdirectories “d1/hold2/d2/hold1” and “d1/hold2/d2/hold2” (illustrated, respectively, as reference numerals 156 and 158) are owned by yet another different user (e.g., “user 3”). The hacker must again successfully complete another authentication attempt (as defined by “user 3”), and the hacker must also select the correct path. If the hacker satisfies the “user 3” permissions, and if the hacker chooses the correct path, then the hacker may access the desired file 42 (e.g., the “pot of gold”).
Exemplary embodiments thus provide strong and scalable access protection in file systems. Exemplary embodiments also provide programmatic access protection by combining operating system security at the file system layer with public key encryption. Exemplary embodiments also provide an alternative to file encryption, where the loss of an encryption key renders an electronic file unusable. Exemplary embodiments may also reduce or eliminate the chance of stolen data if a breach occurs, as long as the number of stolen passwords is less than N, where N corresponds to the directory layers d(1 . . . N) explained above: a complete traversal requires the credentials of all N owners, so with fewer than N of them the sensitive document repository remains inaccessible.
The flowchart continues with
Exemplary embodiments may be physically embodied on or in a computer-readable storage medium. This computer-readable medium may include CD-ROM, DVD, tape, cassette, floppy disk, memory card, and large-capacity disks. This computer-readable medium, or media, could be distributed to end-subscribers, licensees, and assignees. These types of computer-readable media, and other types not mentioned here, are considered within the scope of the exemplary embodiments. A computer program product comprises processor-executable instructions for securing access to a file system.
While the exemplary embodiments have been described with respect to various features, aspects, and embodiments, those skilled and unskilled in the art will recognize the exemplary embodiments are not so limited. Other variations, modifications, and alternative embodiments may be made without departing from the spirit and scope of the exemplary embodiments.
Claims
1. A system, comprising:
- a hardware processor; and
- a memory device, the memory device storing an operating system associated with a hierarchical file structure, the operating system when executed causing the hardware processor to perform operations, the operations comprising:
- establishing a directory in the hierarchical file structure;
- establishing multiple directory paths associated with the directory, each one of the multiple directory paths associated with a different access permission, and some of the multiple directory paths purposefully invalid as invalid directory paths;
- summing a count of the invalid directory paths selected during authentication attempts associated with the directory;
- comparing the count of the invalid directory paths to a threshold value; and
- generating a security threat in response to the count of the invalid directory paths exceeding the threshold value.
2. The system of claim 1, wherein the operations further comprise generating an alarm in response to the security threat.
3. The system of claim 1, wherein the operations further comprise generating a notification in response to the security threat.
4. The system of claim 1, wherein the operations further comprise determining a time associated with the authentication attempts.
5. The system of claim 4, wherein the operations further comprise comparing the time to a threshold access time.
6. The system of claim 5, wherein the operations further comprise generating another security threat in response to the time exceeding the threshold access time.
7. The system of claim 1, wherein the operations further comprise associating the threshold value to a user.
8. A method, comprising:
- establishing, by a server, a directory in a hierarchical file structure;
- establishing, by the server, multiple directory paths associated with the directory, each one of the multiple directory paths associated with a different access permission, and some of the multiple directory paths purposefully invalid as invalid directory paths;
- summing, by the server, a count of the invalid directory paths selected during authentication attempts associated with the directory;
- comparing, by the server, the count of the invalid directory paths to a threshold value; and
- generating, by the server, a security threat in response to the count of the invalid directory paths exceeding the threshold value.
9. The method of claim 8, further comprising generating an alarm in response to the security threat.
10. The method of claim 8, further comprising generating a notification in response to the security threat.
11. The method of claim 8, further comprising determining a time associated with the authentication attempts.
12. The method of claim 11, further comprising comparing the time to a threshold access time.
13. The method of claim 12, further comprising generating another security threat in response to the time exceeding the threshold access time.
14. The method of claim 8, further comprising associating the threshold value to a user.
15. A memory device storing instructions that when executed cause a hardware processor to perform operations, the operations comprising:
- establishing a directory in a hierarchical file structure;
- establishing multiple directory paths associated with the directory, each one of the multiple directory paths associated with a different access permission, and some of the multiple directory paths purposefully invalid as invalid directory paths;
- summing a count of the invalid directory paths selected during authentication attempts associated with the directory;
- comparing the count of the invalid directory paths to a threshold value; and
- generating a security threat in response to the count of the invalid directory paths exceeding the threshold value.
16. The memory device of claim 15, wherein the operations further comprise generating an alarm in response to the security threat.
17. The memory device of claim 15, wherein the operations further comprise generating a notification in response to the security threat.
18. The memory device of claim 15, wherein the operations further comprise determining a time associated with the authentication attempts.
19. The memory device of claim 18, wherein the operations further comprise comparing the time to a threshold access time.
20. The memory device of claim 19, wherein the operations further comprise generating another security threat in response to the time exceeding the threshold access time.
Type: Application
Filed: Feb 10, 2017
Publication Date: Jun 1, 2017
Applicant: AT&T Intellectual Property I, L.P. (Atlanta, GA)
Inventors: Arthur Zaifman (Millburn, NJ), Govind Chidambaram (Parsippany, NJ), Jim Tant (Union, NJ), Suraj Kumar Verma (Patna)
Application Number: 15/429,226