Systems and methods for fine-grained access control of data stored in relational databases

FIELD: information technologies.

SUBSTANCE: the inventions relate to computer systems and methods for providing secure access to a database. The system comprises a security descriptor store, which holds security information associated with at least one row of the database, the database containing at least one table that includes at least one row and two columns, one of the columns storing a security descriptor associated with the row, the information held in the security descriptor specifying which type of access is granted or denied and to which principal; a database engine that issues a response to a database query based at least in part on the security information held in the security descriptor, which is evaluated on the basis of information stored in the database and the context of the user making the query; and a query component that contains a query optimiser, which determines the optimal path for providing a response to the query.

EFFECT: improved security of access to the database.

20 cl, 9 dwg, 2 tbl


Cross-reference to related application

This application claims priority to U.S. provisional patent application No. 60/557239, filed on March 29, 2004, entitled "SYSTEMS AND METHODS FOR FINE GRAINED ACCESS CONTROL OF DATA STORED IN RELATIONAL DATABASES", which is incorporated herein by reference in its entirety.

Technical field to which the invention relates

The present invention relates generally to computing systems, and more particularly to systems and methods associated with computer databases.

Background of the invention

Advances in computer hardware, software and networking have led to an increasing demand for exchanging information electronically rather than by conventional means such as paper correspondence or the telephone. Electronic communication can provide reliable data transfer in fractions of a second between essentially any two points in the world. Many businesses and consumers rely heavily on this technology to improve efficiency and reduce cost by using web-based services (for example, online information services). For instance, consumers can purchase goods, do their banking online, research products and companies, obtain real-time stock quotes, download brochures and so on, all with a mouse click from the comfort of their homes.

As the amount of available electronic data grows, it becomes more difficult to store that data in a managed way that lets users search for and retrieve it easily and quickly. A common approach today is to store electronic data in one or more databases. Generally speaking, a database is an organised collection of information in which the data are structured so that, for example, a computer program can quickly find and select requested pieces of data. Traditionally, the data within a database are organised in one or more tables, each table holds a set of records, and each record holds a set of fields. Records are usually indexed as rows within a table and the fields of the records as columns, so that a pair of indices denoting a row and a column identifies a specific cell in the table.

Data stored in databases often include personal information (for example, bank account numbers, insurance policy numbers and social security numbers) and sensitive information (for example, extracts from medical records), and may have no duplicate on paper (hard copy). Consequently, the security of databases and of the data stored in them grows in importance. Yet most current methods of protecting databases leave gaps, for example because of "holes" in the software and/or the actions of malicious hackers.

Summary of the invention

The following presents a simplified summary of the invention in order to provide a basic understanding of some of its aspects. This summary is not an extensive overview of the invention. It is not intended to identify key or critical elements of the invention or to delineate the scope of the claims. Its sole purpose is to present some concepts of the invention in a simplified form as a prelude to the more detailed description that follows.

The present invention provides systems and methods that facilitate secure access to data in one or more databases. With the growing popularity of computers, more and more data are kept in databases, such as relational databases. In a relational database, most data are stored as rows in one or more tables. The database is accessed by means of sets of objects. Because of the nature of the data stored in databases, permitting selective access (for example, no access, read access and/or read and write access) to the data is important.

The popularity of relational databases rests on the ability to run associative queries over tables. Sets of objects stored in tables are accessed by means of a set-processing language (for example, SQL, the structured query language). Such a language allows one or more tables to be designated as the data source and returns only those rows, if any, that satisfy a specified condition.

In addition, many relational databases optimise such queries on the basis of the various access paths or indexes present on a table. In accordance with one aspect of the present invention, a new method is provided for establishing secure access to the rows of such tables in a way that cannot be circumvented while still permitting the various optimisation techniques that exist today.

In accordance with one aspect of the present invention, a system is provided that facilitates secure access to a database, comprising a database engine that provides access to the database and a security descriptor store. The system may optionally include the database.

The database stores data in a structured format. For example, the database may be a relational database, an object database and/or an object-relational database. In the context of relational databases, a set of objects sharing the same structure is called a table, and each such object is called a row. The components of the structure are called columns. A relational database may include a single table or a set of tables.

In one aspect of the present invention, at least one of the tables in the database includes a column that stores security information, for example a security descriptor (for example, an identifier associated with security information held in the security descriptor store).

The security descriptor store holds one or more security descriptors. Each security descriptor controls selective access to the one or more resources associated with it. The security information embodied in a security descriptor may include, for example, a list of entries that specify: (1) whether access is granted or denied; (2) the type of access (for example, read-only or read and write); and (3) the principal to which the entry applies. The security descriptor store may, for example, be an ordered collection of access control objects.

A security descriptor (for example, an access control list (ACL)) can quickly become very long because of the protection requirements of the data stored in a row and the complexity of the application through which the data are accessed. Moreover, in most cases the number of distinct access control lists associated with the rows of a table is far smaller than the number of rows. For example, when a file system is modelled as a table in which each row refers to a file or folder, the table may hold hundreds of thousands of rows, while the number of distinct access control lists is of the order of hundreds. In other words, many rows share the same security policy.

The database engine receives query information, for example from a user. The query information includes a query to be executed against the database and a user context associated with the requester (for example, a user name, a user identifier and/or a user type).

While processing the query, the database engine uses the security descriptor associated with each row of the database accessed during query processing, together with the user context information associated with the query, to determine whether the requester has the requested access to the row. Thus the requester receives from the database only the information to which the requester has access rights (for example, rights to view and/or modify the data).

In another aspect of the present invention, as part of the policy specification, an SQL programming language (for example, TSQL) is extended with a new set of statements that allow security descriptors, such as access control lists, to be created, modified and deleted. These security descriptors (for example, access control lists (ACLs)) may include other security-related information. For example, security descriptors can exist independently of the rows in tables, can be shared, and embody the policy that determines which permissions are granted to whom once a descriptor is associated with a row.

In traditional relational databases, security policies are not associated with the rows of tables. Thus, in accordance with one aspect of the present invention, to indicate that the rows of a given table in the database system are protected by a security policy, the SQL statements for creating and altering tables are extended to express this fact. One of the columns in the definition of such a table is optionally given an attribute indicating that the column represents the security policy. The value of this column refers to the identifier of a security descriptor as discussed earlier (for example, a four-byte code). In one example, if the column value is NULL, the row is not protected by any policy. Otherwise, the access control policy for the row is selected on the basis of the corresponding security descriptor and the related information held in the security descriptor store.

To the accomplishment of the foregoing and related ends, certain illustrative aspects of the invention are described below in connection with the following description and the accompanying drawings. These aspects, however, are indicative of only a few of the various ways in which the principles of the invention may be employed, and the present invention is intended to include all such aspects and their equivalents. Other advantages and novel features of the invention may become apparent from the following detailed description of the invention when considered in conjunction with the drawings.

Brief description of drawings

Figure 1 presents a block diagram of a system that facilitates secure access to a database in accordance with one aspect of the present invention.

Figure 2 presents a diagram of an exemplary table in accordance with one aspect of the present invention.

Figure 3 presents a diagram of an exemplary security descriptor store in accordance with one aspect of the present invention.

Figure 4 presents a block diagram of a system that facilitates secure access to a database in accordance with one aspect of the present invention.

Figure 5 presents a block diagram of a system that facilitates secure access to a database in accordance with one aspect of the present invention.

Figure 6 presents a flow chart of a method of secure access to data stored in a database in accordance with one aspect of the present invention.

Figure 7 presents a flow chart of a further method of secure access to data stored in a database in accordance with one aspect of the present invention.

Figure 8 presents a flow chart of a method that facilitates the creation of a secure database in accordance with one aspect of the present invention.

Figure 9 illustrates an exemplary operating environment in which the present invention can operate.

Detailed description of the invention

The present invention will now be described with reference to the accompanying drawings. In the following description, numerous specific details are set forth for purposes of explanation in order to provide a thorough understanding of the present invention. It should be apparent, however, that the present invention may be practised without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to facilitate description of the present invention.

As used in this application, the terms "component", "program", "model", "system" and the like are intended to refer to a computer-related entity, either hardware, a combination of hardware and software, software, or software in execution. For example, a component may be, but is not limited to, a process running on a processor, a processor, an object, an executable, a thread of execution, a program and/or a computer. By way of illustration, both an application running on a server and the server itself can be components. One or more components may reside within a process and/or thread of execution, and a component may be localised on one computer and/or distributed between two or more computers. Such components can also execute from various computer-readable media having various data structures stored thereon. Components may communicate via local and/or remote processes, such as in accordance with a signal having one or more data packets (for example, data from one component interacting with another component in a local system, in a distributed system, and/or across a network such as the Internet with other systems by way of the signal). Computer components in accordance with the present invention can be stored, for example, on computer-readable media including, but not limited to, an application-specific integrated circuit (ASIC), a compact disc (CD), a digital versatile disc (DVD), read-only memory (ROM), a floppy disk, a hard disk, electrically erasable programmable read-only memory (EEPROM) and memory-stick type memory.

Referring to figure 1, a system 100 that facilitates secure access to a database in accordance with one aspect of the present invention is illustrated. The system 100 includes a database engine 110, which provides access to a database 120, and a security descriptor store 130. The system 100 may optionally include the database 120.

With the growing popularity of computers, more and more data are kept in databases, such as relational databases. In a relational database, most data are stored as rows in one or more tables. The database is accessed by means of sets of objects. Because of the nature of the data stored in databases, permitting selective access (for example, no access, read access and/or read and write access) to the data is important.

The popularity of relational databases rests on the ability to run associative queries over tables. Sets of objects stored in tables are accessed by means of a set-processing language (for example, SQL, the structured query language). Such a language allows one or more tables to be designated as the data source and returns only those rows, if any, that satisfy a specified condition.

In addition, many relational databases optimise such queries on the basis of the various access paths or indexes present on a table. In accordance with one aspect of the present invention, the system 100 provides a new method of establishing secure access to the rows of such tables in a way that cannot be circumvented while still permitting the various optimisation techniques that exist today.

The database 120 stores data in a structured format. For example, the database 120 may be a relational database, an object database and/or an object-relational database. In the context of relational databases, a set of objects sharing the same structure is called a table, and each such object is called a row. The components of the structure are called columns. A relational database may include a single table or a set of tables.

In accordance with one aspect of the present invention, at least one of the tables in the database 120 includes a column that stores security information, for example a security descriptor (for example, an identifier associated with security information held in the security descriptor store 130, discussed below).

Referring now to figure 2, an exemplary table 200 in accordance with one aspect of the present invention is illustrated. The table 200 includes data columns 210 and data rows 220. In addition, the table 200 includes a security descriptor column 230. For a given row, the security descriptor column 230 stores the security descriptor associated with that row. In one example, the security descriptor is an identifier that refers into the security descriptor store 130.

Returning to figure 1, the security descriptor store 130 holds security information embodied in one or more security descriptors. The security information may include, for example, entries that specify: (1) whether access is granted or denied; (2) the type of access (for example, read-only or read and write); and (3) the principal to which the entry applies. The security descriptor store 130 may, for example, be an ordered collection of access control objects.

Turning briefly to figure 3, a security descriptor store 300 in accordance with one aspect of the present invention is illustrated. The security descriptor store 300 includes one or more security descriptors 310.

In this example, a given security descriptor 310 further includes a permission 330 identifying the type of access associated with that security descriptor 310, such as no access, read-only and/or read and write access. The security descriptor 310 further includes one or more principals 340 to which the security descriptor 310 applies (for example, a user name, a user group, a user identifier and/or a user type).

A security descriptor 310 (for example, an access control list (ACL)) can quickly become very long because of the protection requirements of the data stored in a row and the complexity of the application through which the data are accessed. Moreover, in most cases the number of distinct access control lists associated with the rows of a table is far smaller than the number of rows. For example, when a file system is modelled as a table in which each row refers to a file or folder, the table may hold hundreds of thousands of rows, while the number of distinct security descriptors is of the order of hundreds. In other words, many rows share the same security policy. Further, in one example, all security descriptors can be cached in memory for fast lookup when a row of the database is accessed.

Returning to figure 1, the database engine 110 receives query information, for example from a user. The query information includes a query to be executed against the database 120 and a user context associated with the requester (for example, a user name, a user identifier and/or a user type).

While processing the query, the database engine 110 evaluates the security descriptor associated with each row of the database 120 that is accessed, together with the user context information associated with the query, to determine whether the requester has the requested access to the row. The database engine 110 then provides a response to the query information on the basis of the query and, importantly, the user context. Thus the requester is provided only with information from the database 120 to which the requester has access rights (for example, rights to view and/or modify the data).

For example, the database 120 may hold a table with the following objects:

Table 1
Name  | State      | Salary | Security descriptor
Jeff  | Ohio       | $5000  | 1
Joe   | Washington | $10000 | 2
Sally | Ohio       | $25000 | 3

and the corresponding security descriptor store 130 may hold the following security descriptors:

Table 2
Security descriptor | Access control list (Grant or deny: Permission: Principal)
1                   | Grant: Read: Jeff; Grant: Read and write: Admin
2                   | Deny: Read: Joe; Grant: Read and write: Admin
3                   | Deny: Read: Sally; Grant: Read and write: Admin

In this example, when the user Jeff queries the database 120 (table 1) for "all items", the identity "Jeff" is the user context supplied together with the query to the database engine 110. The database engine 110 queries the database 120 and provisionally obtains all three rows. The database engine 110 then retrieves the security information held in the security descriptor store 130 for the descriptor associated with each of the three rows and, on the basis of the user context, returns only the first row, because the user Jeff has read permission only on that row. If the Admin user issues the same query (for example, "all items"), all three rows are returned, because the Admin user has permission to read and/or write every row.
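The following is an added illustration of the worked example above (table 1 and table 2) and is not code from the patent. It models the security descriptor store as a Python dictionary of ACL entries, keeps the table in an in-memory SQLite database with a security descriptor column, and filters the rows the query returns against the requester's user context. The schema, the encoding of ACL entries as (effect, permission, principal) tuples, the rule that a matching deny entry overrides any grant, and the treatment of "read and write" as implying read are assumptions of this example.

```python
"""Row-level filtering by security descriptor (added example, not the patent's code)."""
import sqlite3

# Assumed encoding of table 2: descriptor id -> ordered ACL entries of
# (effect, permission, principal), where effect is "grant" or "deny" and
# permission is "read" or "readwrite".
DESCRIPTOR_STORE = {
    1: [("grant", "read", "Jeff"), ("grant", "readwrite", "Admin")],
    2: [("deny", "read", "Joe"), ("grant", "readwrite", "Admin")],
    3: [("deny", "read", "Sally"), ("grant", "readwrite", "Admin")],
}


def descriptor_allows(descriptor_id, principal, permission):
    """Evaluate one security descriptor for a principal and a requested permission.

    A NULL descriptor (None) means the row is unprotected. An entry matches if it
    names the principal and carries the requested permission ("readwrite" also
    satisfies a "read" request). Any matching deny entry wins over grants.
    """
    if descriptor_id is None:
        return True
    matching = [
        entry for entry in DESCRIPTOR_STORE[descriptor_id]
        if entry[2] == principal
        and (entry[1] == permission or (permission == "read" and entry[1] == "readwrite"))
    ]
    if any(entry[0] == "deny" for entry in matching):
        return False
    return any(entry[0] == "grant" for entry in matching)


def build_db():
    """Create table 1 in memory; the sd column holds the security descriptor id."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employees (name TEXT, state TEXT, salary INTEGER, sd INTEGER DEFAULT NULL)"
    )
    conn.executemany(
        "INSERT INTO employees VALUES (?, ?, ?, ?)",
        [("Jeff", "Ohio", 5000, 1), ("Joe", "Washington", 10000, 2), ("Sally", "Ohio", 25000, 3)],
    )
    conn.commit()
    return conn


def secure_query(conn, principal, state=None):
    """Run the query for a principal and admit a row into the result only if the
    descriptor stored with that row grants the principal read access."""
    sql = "SELECT name, state, salary, sd FROM employees"
    params = ()
    if state is not None:
        sql += " WHERE state = ?"
        params = (state,)
    visible = []
    for name, row_state, salary, sd in conn.execute(sql, params):
        if descriptor_allows(sd, principal, "read"):
            visible.append((name, row_state, salary))
    return visible


if __name__ == "__main__":
    db = build_db()
    print("Jeff sees:", secure_query(db, "Jeff"))
    print("Admin sees:", secure_query(db, "Admin"))
```

Jeff's "all items" query returns only his own row and the Admin's returns all three, as in the text; Joe gets nothing because descriptor 2 denies him read access and no other descriptor names him. The evaluation happens per row as the engine produces it, which is the behaviour the text attributes to the database engine 110.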

In accordance with one aspect of the present invention, as part of the policy specification, an SQL programming language (for example, TSQL) is extended with a new set of statements that provide for the creation, modification and deletion of security descriptors (for example, access control lists (ACLs)) in the security descriptor store 130, 300. The security descriptor store 130, 300 (for example, access control lists (ACLs)) may include other security-related information. For example, security descriptors can exist independently of the rows in tables, can be shared by multiple rows or other objects in the database system, and can embody the policy that determines which permissions are granted or denied to whom once a descriptor is associated with a row.

In traditional relational databases, security policies are not associated with the rows of tables. Thus, in accordance with one aspect of the present invention, to indicate that the rows of a given table in the database system are protected by a security policy, the SQL statements for creating and altering tables are extended to express this fact. One of the columns in the definition of such a table is optionally given an attribute indicating that the column represents the security policy. The value of this column refers to the identifier of a security descriptor as discussed earlier (for example, a four-byte code). In one example, if the column value is NULL, the row is not protected by any policy. Otherwise, the access control policy for the row is selected on the basis of the corresponding security descriptor and the related information held in the security descriptor store 130, 300. In another example, the default value of the column can be set to the identifier of a security descriptor that embodies the security policy for the table as a whole.

It is to be appreciated that the system 100, the database engine 110, the database 120 and/or the security descriptor store 130 can be computer components, as that term is defined herein.

Turning next to figure 4, a system 400 that facilitates secure access to a database in accordance with one aspect of the present invention is illustrated. The system 400 includes the database engine 110, the database 120, the security descriptor store 130 and a query component 410. The query component 410 may include a query optimiser 420 and a query block 430. The query component 410 may optionally further include a database query processor component 440.

When a query is formulated in the query component 410, the query optimiser 420 can determine the "best way" (the optimal plan) of answering the query. For example, the query component 410 can apply a cost-based optimisation strategy in which the quality of a plan is its cost and the cheapest way of executing the query is selected.

Those skilled in the art will appreciate that the optimisation process is complex. The query component 410 can employ well-known techniques for enumerating possible plans and pruning costly ones. Indexes on tables play an important role in reducing the cost of accessing the data in those tables. It is to be appreciated that any type of optimisation process suitable for carrying out the present invention can be employed, and all such optimisation techniques are intended to fall within the scope of the appended claims.

Importantly, when the rows of a table protected by a security policy in the form of security descriptors are accessed, the database engine 110, immediately before a row is considered as input to the query being built, enforces the policy by verifying that the requester has permission to read the row, on the basis of the policy defined by the security descriptor associated with that row. Those skilled in the art will appreciate that the security model described above equates the visibility of a row to the requesting principal with a positive evaluation of the security descriptor associated with that row.

Conventional database security enforces policy by "grafting" onto the original query conditions that check whether a row is accessible. In modern relational database systems, the query plan that is actually executed often differs radically from the query written by the requester: to reduce the cost of accessing rows, table accesses are reordered. Beyond this reordering, a malicious requester who wants to see additional data can supply operators with side effects as part of the query. Most database security schemes are defenceless against such attempts to gain access by deception when they are used to enforce fine-grained access control.

To nip this problem in the bud without disturbing the optimisation process, the present invention proposes a new algorithm that ensures that every access path to a table includes the security descriptor column. These access paths to a table include, but are not limited to, the table itself stored as a heap (an unordered collection), any clustered or non-clustered index on the table, and any materialised view that may be defined on the table. With the security descriptor column present on every access path, query optimisation becomes orthogonal to the enforcement of fine-grained access control. Therefore, regardless of how the query is reordered (that is, optimised by the query optimiser 420), at run time rows (for example, data items in tables, indexes, materialised views and any other access path are all treated as "rows") are selected from any given access path so that two pieces of information are available: the security policy associated with the row and the current user context. The result is enforcement that cannot be subverted by deception and does not reduce the benefits of optimising (for example, reordering) the query.

It is to be appreciated that this algorithm cannot be subverted because the security information for a row is stored physically together with every partial or complete redundant copy of the row (for example, index records), and because enforcement is carried out every time any row is used to build the result set.
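The following is an added example, not code from the patent, of the check a practitioner would run to verify the property just described: that every secondary access path on a protected table physically carries the security descriptor column. It uses SQLite's PRAGMA index_list and PRAGMA index_info to enumerate the indexes on a table, reports those that omit the descriptor column, and rebuilds the plain ones with the column appended. The table, index names and the descriptor column name sd are assumptions of the example; SQLite has no materialised views or clustered indexes, so only ordinary and unique indexes are covered here.

```python
"""Verify and repair access paths on a protected table (added example, not the patent's code)."""
import sqlite3


def build_db():
    """Constructed sample: a file-system-like table with a descriptor column sd."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (path TEXT, size INTEGER, owner TEXT, sd INTEGER)")
    # Omits the descriptor column: a query answered from this index alone
    # would yield rows with no security information to evaluate.
    conn.execute("CREATE INDEX ix_files_size ON files(size)")
    # Carries the descriptor column alongside the key.
    conn.execute("CREATE INDEX ix_files_owner ON files(owner, sd)")
    # Unique index without the descriptor column; cannot be rebuilt blindly.
    conn.execute("CREATE UNIQUE INDEX ux_files_path ON files(path)")
    conn.commit()
    return conn


def index_columns(conn, index_name):
    """Columns of an index in order; PRAGMA index_info rows are (seqno, cid, name)."""
    return [row[2] for row in conn.execute(f"PRAGMA index_info('{index_name}')")]


def access_paths_missing_descriptor(conn, table, sd_column):
    """Names of indexes on `table` (a trusted identifier) that lack the descriptor column."""
    missing = []
    for row in conn.execute(f"PRAGMA index_list('{table}')").fetchall():
        name = row[1]
        if sd_column not in index_columns(conn, name):
            missing.append(name)
    return sorted(missing)


def harden_access_paths(conn, table, sd_column):
    """Rebuild each plain index that omits the descriptor column with it appended.

    Returns (rebuilt, skipped). Unique and partial indexes are skipped, because
    appending a column would change what a unique index enforces and the
    rebuild below does not preserve a partial index's WHERE clause.
    """
    rebuilt, skipped = [], []
    for row in conn.execute(f"PRAGMA index_list('{table}')").fetchall():
        name, unique = row[1], row[2]
        partial = row[4] if len(row) > 4 else 0
        cols = index_columns(conn, name)
        if sd_column in cols:
            continue
        if unique or partial:
            skipped.append(name)
            continue
        conn.execute(f'DROP INDEX "{name}"')
        conn.execute(f'CREATE INDEX "{name}" ON "{table}"({", ".join(cols + [sd_column])})')
        rebuilt.append(name)
    conn.commit()
    return sorted(rebuilt), sorted(skipped)


if __name__ == "__main__":
    db = build_db()
    print("missing before:", access_paths_missing_descriptor(db, "files", "sd"))
    print("rebuilt, skipped:", harden_access_paths(db, "files", "sd"))
    print("missing after:", access_paths_missing_descriptor(db, "files", "sd"))
```

The heap itself always holds the sd column, so the check concerns the secondary access paths. The skipped unique index is the caveat worth noting: it is still an access path without security information and needs a deliberate redesign (for example, a covering index that keeps the uniqueness constraint on path alone while also storing sd) rather than a mechanical rebuild.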

Thus, the present invention provides set-oriented operations on sets of persistent objects without dramatically changing the way in which operating systems define security policy for persistent objects, namely through security descriptors.

It is to be appreciated that the system 400, the query component 410, the query optimiser 420 and/or the query block 430 can be computer components, as that term is defined herein.

Turning next to figure 5, a system 500 that facilitates secure access to a database in accordance with one aspect of the present invention is illustrated. The system 500 includes the database engine 110, the database 120, the security descriptor store 130, the query component 410 and a user session cache 510.

The system 500 uses a user session cache 510 associated with a user session. The cache 510 stores the computed result of whether the current security context holds a given permission with respect to a given security descriptor. The result of checking whether a principal has access to the object identified by a security descriptor is thus evaluated only on demand. If two rows of a table have the same security policy, that is, the same security descriptor, the check of whether the requester has access to the row is evaluated for the first row and the result is stored in the cache 510; the cached result is then used for the second row.

The cache 510 becomes an extremely useful tool when many rows share the same security policy, as happens, for example, in file systems and similar applications.
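The following is an added example, not code from the patent, of a per-session cache of the kind described for the cache 510. It evaluates a descriptor for the session's principal only the first time that (descriptor, permission) pair is met and reuses the result for every further row with the same descriptor, so a scan over a file-system-like table of many rows costs as many descriptor evaluations as there are distinct descriptors. The descriptor store contents, the principals, the file rows and the ACL encoding as (effect, permission, principal) tuples are all constructed for this example; the invalidate method reflects the practical requirement that a cached decision must be dropped when a descriptor is modified, which the text does not spell out.

```python
"""Per-session cache of security descriptor decisions (added example, not the patent's code)."""

# Constructed descriptor store: three descriptors shared by many rows.
DESCRIPTOR_STORE = {
    10: [("grant", "read", "alice"), ("grant", "readwrite", "admin")],
    11: [("deny", "read", "alice"), ("grant", "readwrite", "admin")],
    12: [("grant", "readwrite", "admin")],
}


class SessionCache:
    """Memoises (descriptor_id, permission) -> decision for one principal's session."""

    def __init__(self, principal, store=DESCRIPTOR_STORE):
        self.principal = principal
        self.store = store
        self._decisions = {}
        self.evaluations = 0  # how many times the descriptor store was consulted

    def allows(self, descriptor_id, permission):
        """Return the cached decision, evaluating the descriptor on first use."""
        if descriptor_id is None:  # NULL descriptor: the row is unprotected
            return True
        key = (descriptor_id, permission)
        if key not in self._decisions:
            self._decisions[key] = self._evaluate(descriptor_id, permission)
            self.evaluations += 1
        return self._decisions[key]

    def invalidate(self):
        """Drop all cached decisions; call when a descriptor in the store changes."""
        self._decisions.clear()

    def _evaluate(self, descriptor_id, permission):
        # Entries naming this principal with the requested permission
        # ("readwrite" satisfies "read"); any deny among them wins.
        hits = [
            entry for entry in self.store[descriptor_id]
            if entry[2] == self.principal
            and (entry[1] == permission or (permission == "read" and entry[1] == "readwrite"))
        ]
        return bool(hits) and all(entry[0] == "grant" for entry in hits)


def file_rows(count=300):
    """Constructed sample rows (path, descriptor id) cycling through three descriptors."""
    return [(f"/data/file{i}", (10, 11, 12)[i % 3]) for i in range(count)]


def visible_rows(cache, rows):
    """Paths the session's principal may read, deciding each row through the cache."""
    return [path for path, sd in rows if cache.allows(sd, "read")]


if __name__ == "__main__":
    session = SessionCache("alice")
    seen = visible_rows(session, file_rows())
    print(len(seen), "rows visible after", session.evaluations, "descriptor evaluations")
```

With 300 rows and three descriptors the scan performs three evaluations rather than 300; the benefit grows with the ratio of rows to distinct descriptors that the text describes for file systems. Because decisions are keyed per session and per principal, a change of user context gets a fresh cache, and a change to a descriptor must call invalidate so that a stale grant is not reused.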

It is to be appreciated that the system 500 and/or the user session cache 510 can be computer components, as that term is defined herein.

As mentioned above, the systems 100, 400 and/or 500 can be used to facilitate secure access to files, folders, contacts, e-mail messages and other persistent objects held in databases. For example, a database associated with a file system may include one or more tables that store information about files and/or folders. The systems 100, 400 and/or 500 may use such tables so that this information can be reasoned about and located by standard relational methods. The systems 100, 400 and/or 500 can thus improve a file system by meeting the needs of a persistent file system that requires a security architecture, namely the ability to define policies of selective accessibility and enforce them on persistent objects while retaining set-based associative queries.

Turning briefly to figures 6 to 9, methodologies that may be implemented in accordance with the present invention are illustrated. While, for purposes of simplicity of explanation, the methodologies are shown and described as a series of blocks, it is to be understood and appreciated that the order of the blocks is not a limiting characteristic of the present invention, as in accordance with the present invention some blocks may occur in different orders and/or concurrently with other blocks from those shown and described herein. Moreover, not all illustrated blocks may be required to implement a methodology in accordance with the present invention.

The invention can be described in the general context of computer-executable instructions, such as program modules, executed by one or more components. Generally, program modules include routines, programs, objects, data structures, etc. that perform particular tasks or implement particular abstract data types. Typically, the functionality of the program modules may be combined or distributed as desired in various implementations.

Referring to Fig.6, a method 600 of secure access to a database in accordance with one aspect of the present invention is illustrated. At step 610, information that includes the query and the user context is received. At step 620, the query is executed (e.g., via query component 410). At step 630, each row that satisfies the query is considered as input when building the query output only if the protection descriptor associated with the row is satisfied by the information that includes the user context.

Next, referring to Fig.7, a method 700 of secure access to a database in accordance with one aspect of the present invention is illustrated. At step 710, information that includes the query and the user context is received. At step 714, a row to be considered when building the query result is selected. At step 720, it is determined whether the protection descriptor of the row is satisfied by the information, including the user context. If the determination at step 720 produces the result "NO", processing continues at step 730. If the determination at step 720 produces the result "YES", then at step 740 it is determined whether the row contributes to the query result. If the determination at step 740 produces the result "NO", processing continues at step 714. If the determination at step 740 produces the result "YES", then at step 750 the row is used in building the query result.

At step 730, it is determined whether any further rows remain. If the determination at step 730 produces the result "YES", processing continues at step 714. If the determination at step 730 produces the result "NO", no further processing is performed.

Referring to Fig.8, a method 800 of facilitating the creation of a secure database in accordance with one aspect of the present invention is illustrated. At step 810, a table with a protection descriptor column is created. At step 820, a protection descriptor associated with the table is created. At step 830, the table is populated (so that, for example, at least one row of the table carries a protection descriptor identifier).

At step 840, information that includes the query and the user context is received. At step 850, the query is optimized and executed using the information, including the user context, and the protection descriptor(s) from the table. At step 860, the result of the optimized query is issued in response to the request.
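The evaluation and caching described for cache 510 and the row-filtering methods of Fig. 6-8, as an added example in Python with sqlite3 that is not code from the patent: a protection descriptor is an ordered list of allow/deny entries, a per-session cache stores each (descriptor, access type) decision so shared descriptors are evaluated once, and the check is registered as a SQL function so rows that fail it are dropped while the query runs. The bit-flag access types, the user/group principal model, the table layout and the first-matching-deny-wins evaluation order are assumptions of this example.

```python
import sqlite3
from dataclasses import dataclass

# Access types as bit flags; the page only speaks of "type of access", so the
# concrete values are an assumption of this example.
READ = 0x1
WRITE = 0x2

@dataclass(frozen=True)
class Ace:
    """One access-control object: allows or denies `access` bits to `principal`."""
    allow: bool
    principal: str   # a user name or a group name
    access: int      # bitmask of READ / WRITE

@dataclass(frozen=True)
class UserContext:
    """User context carried with the query: user name plus group names (assumed model)."""
    user: str
    groups: frozenset

class DescriptorStore:
    """Protection descriptor storage: an id maps to an ordered tuple of ACEs."""
    def __init__(self):
        self._by_id = {}

    def create(self, aces):
        sd_id = len(self._by_id) + 1
        self._by_id[sd_id] = tuple(aces)
        return sd_id

    def get(self, sd_id):
        return self._by_id[sd_id]

def evaluate(descriptor, ctx, requested):
    """True if the ordered ACEs grant every requested bit to ctx.

    ACEs are walked in order: a matching deny covering a still-ungranted bit
    decides immediately, matching allows accumulate bits until all requested
    bits are covered. Deny entries are therefore placed first in a descriptor.
    """
    granted = 0
    for ace in descriptor:
        if ace.principal != ctx.user and ace.principal not in ctx.groups:
            continue          # ACE does not apply to this context
        if not ace.allow:
            if ace.access & requested & ~granted:
                return False
        else:
            granted |= ace.access & requested
            if granted == requested:
                return True
    return False

class Session:
    """Per-user session with the (descriptor id, access) -> decision cache of
    cache 510: each descriptor is evaluated once on demand, then reused."""
    def __init__(self, store, ctx):
        self.store, self.ctx = store, ctx
        self._cache = {}
        self.evaluations = 0   # how often evaluate() actually ran

    def check(self, sd_id, requested):
        key = (sd_id, requested)
        if key not in self._cache:
            self.evaluations += 1
            self._cache[key] = evaluate(self.store.get(sd_id), self.ctx, requested)
        return self._cache[key]

def open_secure_db(session):
    """In-memory table with a protection-descriptor column; sd_check is
    registered as a SQL function so the row filter runs inside the query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, name TEXT, sd_id INTEGER NOT NULL)")
    conn.create_function("sd_check", 2, lambda sd_id, req: int(session.check(sd_id, req)))
    return conn

def visible_files(user, groups, requested):
    """Constructed sample data: five rows sharing three descriptors. Returns the
    file names the user may access and how many descriptor evaluations it took."""
    store = DescriptorStore()
    public = store.create([Ace(True, "everyone", READ)])
    admin_only = store.create([Ace(True, "admins", READ | WRITE)])
    no_contractors = store.create([Ace(False, "contractors", READ),   # deny first
                                   Ace(True, "everyone", READ)])
    session = Session(store, UserContext(user, frozenset(groups)))
    conn = open_secure_db(session)
    conn.executemany("INSERT INTO files (name, sd_id) VALUES (?, ?)",
                     [("readme.txt", public), ("notes.txt", public),
                      ("budget.xls", admin_only), ("salaries.xls", admin_only),
                      ("internal.txt", no_contractors)])
    rows = conn.execute("SELECT name FROM files WHERE sd_check(sd_id, ?) ORDER BY name",
                        (requested,))
    names = [r[0] for r in rows]
    conn.close()
    return names, session.evaluations

if __name__ == "__main__":
    # Five rows are filtered, but only three descriptor evaluations run.
    print(visible_files("alice", ["everyone"], READ))
```

The evaluation count returned alongside the names is what the session cache buys: it tracks the number of distinct descriptors, not the number of rows scanned.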

To provide additional context for various aspects of the present invention, figure 9 and the following discussion are intended to provide a brief, general description of a suitable operating environment 910 in which various aspects of the present invention may be implemented. While the invention is described in the general context of computer-executable instructions, such as program modules, executed by one or more computers or other devices, those skilled in the art will recognize that the invention can also be implemented in combination with other program modules and/or as a combination of hardware and software. Generally, however, program modules include routines, programs, objects, data structures, etc. that perform particular tasks or implement particular abstract data types. Operating environment 910 is only one example of a suitable operating environment and is not intended to suggest any limitation as to the scope of use or functionality of the invention. Other well known computing systems, environments and/or configurations that may be suitable for use with the invention include, but are not limited to, personal computers, hand-held or laptop devices, multiprocessor systems, microprocessor-based systems, programmable consumer electronics, network PCs, minicomputers, mainframe computers, data centers, distributed computing environments that include the above systems or devices, and the like.

Referring to figure 9, an exemplary environment 910 for implementing various aspects of this invention includes a computer 912. The computer 912 includes a processor 914, system memory 916 and a system bus 918. The system bus 918 connects the system components, including, but not limited to, system memory 916 and processor 914. Processor 914 may be any of various available processors. Dual microprocessors and other multiprocessor architectures can also be used as processor 914.

The system bus 919 can be any of several types of bus structure(s), including a memory bus or memory controller, a peripheral or external bus, and/or a local bus using any of a variety of available bus architectures including, but not limited to, an eight-bit bus, Industry Standard Architecture (ISA), Micro Channel Architecture (MCA), Extended ISA (EISA), Intelligent Drive Electronics (IDE), VESA Local Bus (VLB), Peripheral Component Interconnect (PCI), Universal Serial Bus (USB), Accelerated Graphics Port (AGP), Personal Computer Memory Card International Association bus (PCMCIA) and Small Computer Systems Interface (SCSI).

System memory 916 includes volatile memory 920 and non-volatile memory 922. The basic input/output system (BIOS), containing the basic routines to transfer information between elements within computer 912, such as during start-up, is stored in non-volatile memory 922. By way of illustration and not limitation, non-volatile memory 922 can include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable PROM (EEPROM) or flash memory. Volatile memory 920 includes random access memory (RAM), which acts as external cache memory. By way of illustration and not limitation, RAM is available in many forms such as synchronous RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM) and direct Rambus RAM (DRRAM).

Computer 912 also includes removable and/or non-removable, volatile and/or non-volatile computer storage media. Figure 9 shows, for example, disk storage 924. Disk storage 924 includes, but is not limited to, devices such as a magnetic disk drive, hard disk drive, floppy disk drive, tape drive, Jaz drive, Zip drive, flash memory card or memory stick. In addition, disk storage 924 can include storage media separately or in combination with other storage media including, but not limited to, an optical disk drive such as a compact disk ROM device (CD-ROM), a recordable CD drive (CD-R drive), a rewritable CD drive (CD-RW drive) or a digital versatile disk ROM drive (DVD-ROM). To facilitate connection of the disk storage devices 924 to the system bus 918, a removable or non-removable interface such as interface 926 is typically used.

It should be noted that figure 9 describes software that acts as an intermediary between users and the basic computer resources described in the suitable operating environment 910. Such software includes an operating system 928. Operating system 928, which can be stored on disk storage 924, acts to control and allocate the resources of computer system 912. System applications 930 take advantage of the management of resources by operating system 928 through program modules 932 and program data 934 stored either in system memory 916 or on disk storage 924. It should be understood that the present invention can be implemented with various operating systems or combinations of operating systems.

A user enters commands or information into computer 912 through input device(s) 936. Input devices 936 include, but are not limited to, a pointing device such as a mouse, trackball, stylus, touch pad, keyboard, microphone, joystick, game pad, satellite dish, TV tuner card, digital camera, web camera, etc. These and other input devices connect to processor 914 through the system bus 918 via interface port(s) 938. Interface port(s) 938 include, for example, a serial port, a parallel port, a game port and a universal serial bus (USB). Output device(s) 940 use some of the same types of ports as input device(s) 936. Thus, for example, a USB port can be used to provide input to computer 912 and to output information from computer 912 to an output device 940. Output adapter 942 is provided to illustrate that there are some output devices 940, such as monitors, speakers and printers (among other output devices 940), which require special adapters. By way of illustration and not limitation, output adapters 942 include video and sound cards, which provide a means of connection between the output device 940 and the system bus 918. It should be noted that other devices and/or systems, such as remote computer(s) 944, provide both input and output capabilities.

Computer 912 can operate in a networked environment using logical connections to one or more remote computers, such as remote computer(s) 944. Remote computer(s) 944 can be a personal computer, a server, a router, a network PC, a workstation and the like, and typically includes many or all of the elements described relative to computer 912. For purposes of brevity, only a memory storage device 946 is illustrated with remote computer(s) 944. Remote computer(s) 944 is logically connected to computer 912 through a network interface 948 and then physically connected via communication connection 950. Network interface 948 encompasses communication networks such as local area networks (LAN) and wide area networks (WAN). LAN technologies include Fiber Distributed Data Interface (FDDI), Ethernet/IEEE 802.3, Token Ring/IEEE 802.5 and the like. WAN technologies include, but are not limited to, point-to-point links, circuit-switched networks such as Integrated Services Digital Networks (ISDN) and variations thereof, packet-switched networks and Digital Subscriber Lines (DSL).

Communication connection(s) 950 refers to the hardware and/or software used to connect network interface 948 to the system bus 918. While communication connection 950 is shown inside computer 912 for the sake of clarity, it can also be external to computer 912. For purposes of illustration only, the hardware and/or software necessary for connection to network interface 948 includes internal and external technologies such as modems, including regular telephone modems, cable modems and DSL modems, ISDN adapters and Ethernet cards.

What has been described above includes examples of the present invention. It is, of course, not possible to describe every conceivable combination of components or methodologies for purposes of describing the present invention, but one of ordinary skill in the art will recognize that many further combinations and modifications of the present invention are possible. Accordingly, the present invention is intended to embrace all such alterations, modifications and variations that fall within the spirit and scope of the appended claims. Furthermore, to the extent that the term "includes" is used in either the detailed description or the claims, such term is intended to be inclusive in a manner similar to the term "comprising" as "comprising" is interpreted when employed as a transitional word in a claim.

1. A system for providing secure access to a database, comprising:
a protection descriptor storage device that stores protection descriptors embodying security information associated with at least one row in the database, wherein the database contains at least one table having at least one row and at least two columns, one column stores a protection descriptor associated with the row, the protection descriptor identifies the security information stored in the protection descriptor storage device and associated with the row, and the information stored in the protection descriptor comprises information about which type of access is permitted or prohibited and for which principal;
a database processor that provides a response to a query of the database, the response being based, at least in part, on the security information stored in the protection descriptor, which is evaluated on the basis of the information stored in the database and the context of the user making the query; and
a query component containing a query optimizer that determines the optimal way to answer the query.

2. The system according to claim 1, additionally containing the database.

3. The system according to claim 1, in which the database comprises at least one of a relational database, an object database and/or an object-relational database.

4. The system according to claim 1, in which the query is based at least partially on the structured query language.

5. The system according to claim 1, in which the query is based at least partially on extensions to a query-based programming language, namely a set of operators that provide the creation, modification and deletion of protection descriptors.

6. The system according to claim 1, in which the information stored in the protection descriptor storage device contains information about the access type.

7. The system according to claim 1, in which the information stored in the protection descriptor storage device contains information about the principal to which the security information applies.

8. The system according to claim 7, in which the information about the principal contains at least one of a user name, a user ID and/or a user type.

9. The system according to claim 1, in which the protection descriptor is an ordered set of access-control objects.

10. The system according to claim 1, in which the database is made independent of the security information stored in the protection descriptor.

11. The system according to claim 1, in which the query optimizer uses a cost-based optimization strategy.

12. The system according to claim 1, additionally containing a user-session cache in which the result of determining whether the specified security context has the specified permission in relation to a specific protection descriptor is stored.

13. The system according to claim 1, used to facilitate secure access to computer files.

14. The system according to claim 1, used to facilitate secure access to at least one of the objects such as folders, contacts and e-mail messages.

15. A method of secure access to a database, comprising:
creating a table with a protection descriptor column embodying security information associated with at least one row in the database, wherein the database contains at least one table having at least one row and at least two columns, the protection descriptor identifies the security information stored in the protection descriptor storage device and associated with the row, and the information stored in the protection descriptor contains information about which type of access is permitted or prohibited and for which principal; receiving information that includes the query and the user context;
producing a response to the query, the response containing the rows of the table, if any, that satisfy the query and for which the security information associated with the row is satisfied by the information that includes the user context; and
optimizing the query before issuing the response by means of a query optimizer that uses a cost-based optimization strategy.

16. The method according to claim 15, in which providing the response to the query comprises
for each row of the table, access control that is satisfied if the protection descriptor associated with the row is satisfied by the information, including the user context.

17. Machine-readable media storing computer-executable instructions for implementing the method according to item 15.

18. A method of facilitating the creation of a secure database, comprising:
creating a table with a protection descriptor column;
creating a protection descriptor associated with the said table; populating at least one row of the table with a protection descriptor identifier, wherein the protection descriptor identifier identifies the security information stored in the protection descriptor storage device and associated with the row, and the information stored in the protection descriptor contains information about which type of access is permitted or prohibited and for which principal; receiving information that includes the query and the user context;
producing a response to the query, the response containing the rows, if any, that satisfy the query and for which the security information associated with the row is satisfied by the information that includes the user context; and
optimizing the query by means of a query optimizer that uses a cost-based optimization strategy.

19. The method according to p, in which the query is optimized before the response to the request is issued.

20. Machine-readable media storing computer-executable instructions for implementing the method according to p.



 

Same patents:

FIELD: information technologies.

SUBSTANCE: there chosen is domain identifier and connection of at least one user (P1, P2, …, PN1), at least one device (D1, D2, …, DM) and at least one information element (C1, C2, …, CN2) to Authorised Domain (AD) specified with domain identifier (Domain_ID). By means of that there have been obtained many checked devices (D1, D2, …, DM) and many checked personalities (P1, P2, …, PN1), which is authorised for access to information element of the above Authorised Domain (100). Thus, access of user who controls the device to information element of authorised domain is obtained either by checking the fact that information element and user are connected to one and the same domain or by checking the fact that device and information element are connected to one and the same domain.

EFFECT: ensuring method and system for providing Authorised Domain structure based both on personalities and on devices.

12 cl, 6 dwg

FIELD: information technologies.

SUBSTANCE: checking method of certificate validity, which includes the key connected to network devices, involves the step of receiving the encoded content and validity index connected to that content in the network. Certificate validity is evaluated from the time index included in the certificate where the time index has the value corresponding to the certificate issuing date, and from validity index connected to the above encoded content.

EFFECT: simplifying the checking process of certificate validity, which provides access to data without reducing data access security.

20 cl, 12 dwg

FIELD: information technologies.

SUBSTANCE: method and device for determining authenticity of the system user is based on comparing coordinates of peculiar features of papillary patterns of fingers at double finger touch of the receiving scanner surface. During the first registration there obtained are pictures of at least two fingerprints, and during the second registration there obtained is the picture of at least one fingerprint, at that, the second registration is performed upon "request-answer" protocol command. Authenticity is considered confirmed in case of non-linear dependence of coordinate offsets of peculiar features of the first and the second pictures. Device for implementing the method consists of a scanner, picture processing unit, database, comparing unit, protocol forming unit connected to the scanner, and comparing unit. Protocol forming unit display panel is located on the scanner front surface.

EFFECT: ensuring high accuracy of authenticity and excluding the access of occasional persons to the protected system.

3 cl, 3 dwg

FIELD: information technologies.

SUBSTANCE: first initial value is known both to the keyboard and the component. Keyboard and component exchange time values. Both the keyboard and the component compute the second initial value and the third initial value on the basis of time values and the first initial value. Both the keyboard and the component make one and the same computation so that both the keyboard and the component have one and the same second and third initial values. The keyboard encodes keystrokes meant for the component by using CBC-3DES method on the basis of the key and the second initial component, as well as creates message authentication code for each keystroke by using CBC-3DESMAC on the basis of the key and the third initial value. The component encodes and verifies keystrokes by using the key and the second and the third initial values.

EFFECT: providing safety connection between two components, such as a keyboard or a related device, and software component via an unsafe communication channel.

26 cl, 6 dwg

FIELD: instrument making.

SUBSTANCE: invention is related to the field of machine access, in particular to identification and authentication of object, user or principal with authenticator for logical entry into local and/or remote machine with operating system. Authenticators are transformed by means of one of multiple different modules of authenticator provides, every of which transforms according different type of authenticators into common protocol. Transformed authenticators are sent through application programming interface (API) to user interface module (UI) of logical entry to operating system (OS) of local machine, which is called by UI module of logical entry for authentication of transformed authenticators according to database of authenticators. User identified with transformed authenticator realises a logical entry for access to local machine in case of successful authentication.

EFFECT: possibility of safe joint application of multiple interacting modules that are fully compatible with operating system of local machine.

18 cl, 22 dwg

FIELD: physics, computer engineering.

SUBSTANCE: invention is related to computer engineering, in particular to system for control of access to resources of Internet network depending on category of requested resources and accepted safety policy. System comprises module of selection of site reference addresses in server database, module of electronic document addresses identification in access list, module of identification of time cycles of addresses selection from access list, module for generation of signals of server database entries selection control, module of selection of access to electronic documents.

EFFECT: improved efficiency of system by localisation of addresses of server database access list records searching by identifiers of electronic documents.

8 dwg, 6 tbl

FIELD: physics; computer engineering.

SUBSTANCE: method of transferring accumulated measured data from a client to a measurement service, where each set of measured data is indexed in the measured data base of the client in accordance with a measurement identifier (MID) and further indexed in the measurement data base in accordance with an identifier, associated with content (KID). To increase effectiveness of protecting the data base from unauthorised access, the client chooses a specific MID, chooses at least part of measured data in the measurement data base, containing the chosen MID, where the chosen measured data are arranged in accordance with KID. The client generates a request based on the chosen measured data and sends the request to the measurement service. The measurement service receives measured data from the request, stores them and generates a response, which should be returned to the client based on the request. The client receives the response from the measurement service, which includes a list of KID of chosen measured data in the request, confirms that the response corresponds to the request, and generates a list of KID in response, for each KID, by deleting measured data from the measurement data base, containing the chosen MID and KID.

EFFECT: more effective protection of data base from unauthorised access.

20 cl, 4 dwg

FIELD: information technology.

SUBSTANCE: invention relates to computer engineering, and generally to computer security. The method of providing for protected input comprises stages on which: a data stream entered by a user is received from a trusted input device in a second program execution environment; the received stream is sent from the second program execution environment to a protected program execution environment; determination is made of whether the protected program execution environment is in standard input mode; the initial data stream entered by the user is sent to the protected program execution environment based on the input mode of the latter; if the protected environment is in standard input mode, then at least the first part of data entered by the user is sent to the second program execution environment; determination is made of whether the data entered by the user contain user instruction for highly reliable input mode (NIM) and if so, and the protected program execution environment is not in highly reliable input mode, the protected program execution environment is switched to highly reliable input mode.

EFFECT: increased security level of computers.

38 cl, 6 dwg

FIELD: information technology.

SUBSTANCE: invention relates to systems and methods of checking and authenticating clients, servers and boot files. A server authenticates a client. The client authenticates the server. Boot files are transferred from the authenticated server to the authenticated client. The client can authenticate boot files before execution to create an operating system.

EFFECT: increased security and stability of booting clients and scanning an operating system.

7 cl, 3 dwg

FIELD: information technology.

SUBSTANCE: invention relates to the architecture of a multi-level firewall and methods of multi-level packet filtering. The firewall infrastructure contains: a set of level processes, where each level process can process level parametres for a packet, associated with that level process, and each level process can also send a classification query, which includes level parametres; and a first firewall tool, which includes: a level interface for receiving first level parametres from the requesting level process and for returning action to the requesting level process, where the requesting level process is one of the said set of level processes, a set of filters and a search component for identification of at least one matching filter from the said set of filters and for identification from this matching filter, action, which is subject to returning by the level interface.

EFFECT: reduced excess execution of syntax analysis and interpretation of packets using levels in a network stack and firewall.

28 cl, 9 dwg

FIELD: information technology.

SUBSTANCE: invention relates to the architecture of a multi-level firewall and methods of multi-level packet filtering. The firewall infrastructure contains: a set of level processes, where each level process can process level parametres for a packet, associated with that level process, and each level process can also send a classification query, which includes level parametres; and a first firewall tool, which includes: a level interface for receiving first level parametres from the requesting level process and for returning action to the requesting level process, where the requesting level process is one of the said set of level processes, a set of filters and a search component for identification of at least one matching filter from the said set of filters and for identification from this matching filter, action, which is subject to returning by the level interface.

EFFECT: reduced excess execution of syntax analysis and interpretation of packets using levels in a network stack and firewall.

28 cl, 9 dwg

FIELD: physics; computer facilities.

SUBSTANCE: invention concerns a way of data record in the environments of identification of various types (IM-X, IM-Y) through the assigned servers of record/reading WR. According to the specified method, virtual independent of the identification environments reference file system RFS is defined. All RKi access keys are replaced by a key of the FSK file system, and all ACi access rights of Bi subsections are paused, and the FS file system corresponding to the RFS reference file system, is initialised or written in the identification environments: (FS(IM-X), FS(IM-Y)). Thus a file system index point (FS-S(IM-X), FS-S(IM-Y)) is defined in the identification environments (IM(FS) and the assigned servers of reading/record WR(RFS) to the end that application (App(RFS) corresponding RFS virtual reference file system could be written in the environments of identification and executed.

EFFECT: possibility reception to write or execute generally defined applications (App(RFS) in the initialised environments of identification of various types (IM-X(FS), IM-Y(FS)) without adapting them.

23 cl, 11 dwg

FIELD: information technology.

SUBSTANCE: present invention relates to management of distributed resources of a network service provider. Description is given of a system and method of delegating access to resources distributed in a distributed computer environment. In one aspect the server distributes a set of resources. The server receives a request from a user for executing an operation in relation to one of the distributed resources. As a response to the received request, the server determines whether the user has already been delegated authority to execute the operation. Delegated authority does not depend on whether the user is a member of a group of administrators, related to any resource of the server.

EFFECT: improved safety of computers and WEB-sites.

38 cl, 3 dwg, 17 tbl

FIELD: information technology.

SUBSTANCE: present invention relates to devices for limiting access to digital data stored on a data carrier. The technical outcome is achieved due to that permission for access to data is checked using a separate device, fitted on the controller board of the data carrier. Change in device parametres, which are program-accessible, can only be done using special software, which is part of the system for limiting access to data. For this purpose in the device there is an extra unit for analysing commands, which verifies authenticity of commands given by the software.

EFFECT: provision for limited access to sectors of a data carrier, distinguished by special attributes, and prevention of unauthorised altering of the attributes themselves.

2 cl, 5 dwg

FIELD: physics, computation technology.

SUBSTANCE: invention concerns method and device of digital rights management. When authorisation on server is not accessible, operations with minimised risk are allowed by implementation of internal authorisation scheme. Authorisation method for operation to be performed on digital element involves definition of first operation group members including first predetermined group of operations on digital element, and second operation group including second predetermined group of operations on digital elements; comparison of predetermined operation to be performed on digital element to operations included in each indicated operation group; external authorisation with access to authorising server if operation belongs to first operation group; internal authorisation by device if operation belongs to second operation group; and authorisation of operation to be performed on digital element if one of listed authorisations brings positive result.

EFFECT: increased security of operations on digital content.

13 cl, 5 dwg
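
The two-group decision described in this abstract, as an added worked example in Python (not code from the patent or from this listing). The operation names, item names and the local policy table are assumptions; the point it shows is that an unreachable server denies rather than permits, and that low-risk operations still succeed offline:

```python
"""Two-tier DRM authorisation: operations in the first group need the
authorising server, operations in the second group are decided locally,
so the device keeps working when the server cannot be reached.
Constructed example; operation names, item names and the policy
table are assumptions."""
from typing import Callable, Dict, FrozenSet, List, Set


class ServerUnavailable(Exception):
    """Raised by the external check when the authorising server is unreachable."""


# First operation group: always requires external (server) authorisation.
EXTERNAL_OPS: FrozenSet[str] = frozenset({"export", "print", "share"})
# Second operation group: low-risk operations the device may authorise itself.
INTERNAL_OPS: FrozenSet[str] = frozenset({"view", "play"})


class DrmAuthorizer:
    def __init__(self, remote_check: Callable[[str, str], bool],
                 local_policy: Dict[str, Set[str]]) -> None:
        self.remote_check = remote_check   # (item, op) -> bool; may raise ServerUnavailable
        self.local_policy = local_policy   # item -> operations granted offline

    def external_authorize(self, item: str, op: str) -> bool:
        """Ask the authorising server; an unreachable server is a denial, not an approval."""
        try:
            return self.remote_check(item, op)
        except ServerUnavailable:
            return False

    def internal_authorize(self, item: str, op: str) -> bool:
        """Decide locally from the embedded licence policy."""
        return op in self.local_policy.get(item, set())

    def authorize(self, item: str, op: str) -> bool:
        """Compare op with both groups, run the matching authorisation(s) and
        allow if any of them succeeds.  Operations in neither group are denied."""
        results: List[bool] = []
        if op in EXTERNAL_OPS:
            results.append(self.external_authorize(item, op))
        if op in INTERNAL_OPS:
            results.append(self.internal_authorize(item, op))
        return any(results)


# --- constructed demo: a server that grants "export" on "track-1" only ---
def online_server(item: str, op: str) -> bool:
    return (item, op) == ("track-1", "export")


def offline_server(item: str, op: str) -> bool:
    raise ServerUnavailable("licensing server unreachable")


LOCAL_POLICY: Dict[str, Set[str]] = {"track-1": {"play"}, "doc-7": {"view"}}


def decisions(remote: Callable[[str, str], bool]) -> Dict[str, bool]:
    """Run a fixed set of requests through an authorizer and return the outcomes."""
    auth = DrmAuthorizer(remote, LOCAL_POLICY)
    requests = [("track-1", "play"), ("track-1", "export"),
                ("doc-7", "print"), ("doc-7", "delete")]
    return {f"{item}:{op}": auth.authorize(item, op) for item, op in requests}


if __name__ == "__main__":
    print("online :", decisions(online_server))
    print("offline:", decisions(offline_server))
```

The deliberate choice is in `external_authorize`: a network failure maps to `False`, so an attacker who can block the licensing server gains nothing beyond the operations the local policy already grants.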

FIELD: physics; control.

SUBSTANCE: the invention relates to information delivery systems with sublicence control functions, and to methods of supporting the creation of intellectual property together with information users. Second intellectual-property management systems SLs1-SLs3, available to second-class licensees who hold a sublicence for use of the system from first-class licensees, request intellectual-property information from the first intellectual-property management system MLs, available to first-class licensees, in response to requests from user systems US1-US3 that require the creation of intellectual-property objects. The first system MLs publishes the intellectual-property search results obtained in response to requests from user system US4 on a browser screen configured for the first system MLs itself, and allows user system US4 to browse those search results.

EFFECT: shared use of intellectual assets with the parties requesting information, whereby several intellectual-property management systems are able to cooperate under a sublicence contract.

11 cl, 24 dwg

FIELD: information technologies.

SUBSTANCE: the serial presence detect (SPD) data stored in the electrically erasable programmable read-only memory (EEPROM) of a dual in-line memory module (DIMM) are encrypted with the private key of the motherboard with which the DIMM is to be used, so that only the basic input-output system (BIOS) of that motherboard can decrypt the SPD data and complete booting.

EFFECT: improved protection of computer system integrity by preventing memory modules removed from the original motherboard from being used in another motherboard.

15 cl, 2 dwg

FIELD: physics, computer engineering.

SUBSTANCE: the invention relates to protection systems. A protection unit and method service data requests from a USB device or similar device in such a way that a protected component can communicate securely with the device without changing the underlying USB bus protocol or the device, even when the software controlling the bus is not trusted. The protection unit (physically separate, or integrated into the device or a hub) intercepts the data sent from the device to the protected component in response to a data request. A negative acknowledgement (no data available) is returned to the protected component, and the data are encrypted. The next data request is intercepted and the encrypted data are sent in reply. The protected component's acknowledgement of data receipt is allowed to reach the device. To process a setup request, a permit command containing both the encrypted and the plaintext setup command is sent to the protection unit. If the encryption verifies successfully, the setup command sent to the device (via the protection unit) is allowed to reach the device.

EFFECT: improved protection.

32 cl, 6 dwg
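
Both paths described in this abstract (the intercept / negative-acknowledge / encrypt / deliver-on-next-request data path and the permit-gated setup path), as an added simulation in Python that is not code from the patent or from this listing. The abstract does not specify the cipher; an HMAC-SHA256 keystream with an encrypt-then-MAC tag stands in for the data encryption, and a keyed tag over the plaintext setup command stands in for the "encrypted setup command" carried in the permit command. Class and message names, the shared key and the device contents are all assumptions:

```python
"""Protection unit between a USB device and a protected host component,
with untrusted bus software in between.  Constructed simulation: the
HMAC-based stream cipher and tags stand in for the patent's unspecified
encryption; all names, keys and device data are assumptions."""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"data|" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"data|" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def setup_tag(key: bytes, command: bytes) -> bytes:
    """Stand-in for the encrypted copy of the setup command in the permit command."""
    return hmac.new(key, b"setup|" + command, hashlib.sha256).digest()


class UsbDevice:
    def __init__(self, data: bytes) -> None:
        self.data, self.acked, self.setups = data, 0, []  # type: bytes, int, List[bytes]

    def read(self) -> bytes:
        return self.data

    def ack(self) -> None:
        self.acked += 1

    def setup(self, command: bytes) -> None:
        self.setups.append(command)


class ProtectionUnit:
    """Sits on the bus in front of the device; shares `key` with the protected component."""

    def __init__(self, device: UsbDevice, key: bytes) -> None:
        self.device, self.key = device, key
        self._pending: Optional[bytes] = None

    def request_data(self) -> Tuple[str, bytes]:
        if self._pending is None:                      # first IN request: intercept plaintext,
            self._pending = encrypt(self.key, self.device.read())
            return "NAK", b""                           # answer "no data", keep the ciphertext
        blob, self._pending = self._pending, None       # next IN request: hand over ciphertext
        return "DATA", blob

    def ack(self) -> None:
        self.device.ack()                               # the host's ACK passes through unchanged

    def permit_setup(self, command: bytes, tag: bytes) -> bool:
        """Forward the setup command only if its keyed tag verifies."""
        if hmac.compare_digest(tag, setup_tag(self.key, command)):
            self.device.setup(command)
            return True
        return False


class ProtectedComponent:
    def __init__(self, key: bytes) -> None:
        self.key, self.seen, self.last_payload = key, [], b""  # type: bytes, List[str], bytes

    def read_from(self, unit: ProtectionUnit, max_tries: int = 4) -> bytes:
        for _ in range(max_tries):
            status, payload = unit.request_data()
            self.seen.append(status)
            if status == "DATA":
                self.last_payload = payload              # what untrusted bus software could see
                plain = decrypt(self.key, payload)
                unit.ack()
                return plain
        raise TimeoutError("device kept answering NAK")

    def send_setup(self, unit: ProtectionUnit, command: bytes) -> bool:
        return unit.permit_setup(command, setup_tag(self.key, command))


def demo() -> dict:
    key = b"shared-secret-between-unit-and-component"   # assumed provisioning
    device = UsbDevice(b"keystrokes: hunter2")
    unit, host = ProtectionUnit(device, key), ProtectedComponent(key)
    plain = host.read_from(unit)
    forged = unit.permit_setup(b"SET_REPORT led=on", b"\x00" * 32)   # bus software without the key
    genuine = host.send_setup(unit, b"SET_REPORT led=on")
    return {"handshakes": host.seen, "component_read": plain, "device_acked": device.acked,
            "plaintext_on_bus": device.data in host.last_payload,
            "forged_setup_accepted": forged, "genuine_setup_accepted": genuine,
            "device_setups": device.setups}


if __name__ == "__main__":
    print(demo())
```

The `NAK` on the first request is what keeps the bus protocol unchanged: the host driver simply retries, as it would for any busy device, and only ciphertext ever crosses the segment the untrusted software controls.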

FIELD: physics; computer engineering.

SUBSTANCE: the invention relates to controlling the generation of cryptographic keys in an information environment comprising a key-generating party, which generates keys and distributes key information to a key-using party. A given one-way key-derivation function defines a relation between key generations such that earlier key generations can be derived efficiently from later ones, but not the reverse. Whenever necessary, the key-using party iteratively applies the given one-way key-derivation function to obtain the key information of at least one earlier key generation from the key information of a newer generation. In this way the memory requirements of the key-using party can be reduced considerably.

EFFECT: protection of data during recording.

32 cl, 6 dwg
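
The backward-derivable key chain described in this abstract, as an added worked example in Python (not code from the patent or from this listing). The derivation function is a domain-separated SHA-256 here, which is an assumption; the abstract only requires it to be one-way. The key user stores a single generation and walks the chain backwards on demand, and newer generations stay unreachable:

```python
"""Key-generation chain: K_{g-1} = H(K_g).  The key user keeps only the
newest generation it has received and derives older ones by iterating the
one-way function; it cannot derive newer ones.  Constructed example; the
hash-based derivation function and generation count are assumptions."""
import hashlib
import secrets
from typing import Dict, Optional


def derive_previous(key: bytes) -> bytes:
    """The one-way key-derivation function: maps K_g to K_{g-1}."""
    return hashlib.sha256(b"key-chain-v1|" + key).digest()


class KeyGenerator:
    """Key-generating party.  Picks K_n and precomputes K_1..K_n by walking
    the chain backwards, so it can issue any generation on request."""

    def __init__(self, generations: int, master: Optional[bytes] = None) -> None:
        if generations < 1:
            raise ValueError("need at least one generation")
        self.n = generations
        keys: Dict[int, bytes] = {generations: master or secrets.token_bytes(32)}
        for g in range(generations, 1, -1):
            keys[g - 1] = derive_previous(keys[g])
        self._keys = keys

    def key(self, generation: int) -> bytes:
        return self._keys[generation]


class KeyUser:
    """Key-using party.  Stores one (generation, key) pair: the newest seen."""

    def __init__(self) -> None:
        self.generation = 0
        self._key: Optional[bytes] = None

    def receive(self, generation: int, key: bytes) -> None:
        # Keep only the newest generation; everything older is derivable from it.
        if generation > self.generation:
            self.generation, self._key = generation, key

    def key_for(self, generation: int) -> bytes:
        """Derive K_generation by applying the one-way function
        (self.generation - generation) times.  Newer generations raise."""
        if self._key is None or generation < 1 or generation > self.generation:
            raise KeyError(f"generation {generation} not derivable from {self.generation}")
        k = self._key
        for _ in range(self.generation - generation):
            k = derive_previous(k)
        return k


def demo(generations: int = 6, newest_received: int = 4) -> Dict[str, bool]:
    """Constructed walk-through: the user holds K_{newest_received} only."""
    gen = KeyGenerator(generations, master=b"\x01" * 32)  # fixed master for reproducibility
    user = KeyUser()
    user.receive(newest_received, gen.key(newest_received))
    older_match = all(user.key_for(g) == gen.key(g) for g in range(1, newest_received + 1))
    try:
        user.key_for(newest_received + 1)
        newer_blocked = False
    except KeyError:
        newer_blocked = True
    return {"older_generations_match": older_match, "newer_generation_blocked": newer_blocked}


if __name__ == "__main__":
    print(demo())
```

Note the cost model this buys: the generator pays O(n) once, the user stores one key and pays O(j - i) hash calls to recover generation i from generation j, with no per-generation storage at all.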

FIELD: physics, computer engineering.

SUBSTANCE: the invention relates to the field of protecting computer systems against unauthorised use of software, namely to means for binding software to a given computer system. A secure hardware identifier (SHWID) is associated with a corresponding secret. The SHWID can be used to control use of the software on the given computer system depending on the degree to which the hardware of that computer system has changed.

EFFECT: prevention of illegal use of software, achieved by generating the secure hardware identifier (SHWID) for the given computer system.

14 cl, 7 dwg
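
A secret-keyed hardware identifier with a tolerance for partial hardware change, as an added worked example in Python (not code from the patent or from this listing). The component classes, the HMAC construction and the "at least three of five classes unchanged" threshold are assumptions standing in for the patent's unspecified matching rule:

```python
"""Secure hardware identifier (SHWID) bound to a secret, with tolerance for
partial hardware change.  Constructed example; the component classes, the
HMAC construction and the match threshold are assumptions."""
import hashlib
import hmac
from typing import Dict, Tuple

# Hardware component classes that contribute to the identifier (assumed).
COMPONENT_CLASSES = ("cpu", "disk", "nic", "ram", "gpu")


def component_tag(secret: bytes, component_class: str, identifier: str) -> str:
    """Keyed hash of one component identifier.  Without the secret, the tag
    neither reveals the hardware identifier nor can be forged for new hardware."""
    msg = component_class.encode() + b"\x00" + identifier.encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def generate_shwid(secret: bytes, hardware: Dict[str, str]) -> Dict[str, str]:
    """Produce the SHWID for a machine: one keyed tag per component class."""
    return {cls: component_tag(secret, cls, hardware[cls])
            for cls in COMPONENT_CLASSES if cls in hardware}


def check_shwid(shwid: Dict[str, str], secret: bytes, hardware: Dict[str, str],
                min_matches: int = 3) -> Tuple[bool, int]:
    """Recompute tags for the present hardware and count agreement with the
    stored SHWID.  Use is allowed while at least min_matches classes are
    unchanged, so a single disk or NIC swap does not lock the user out."""
    matches = 0
    for cls, stored in shwid.items():
        if cls in hardware and hmac.compare_digest(stored, component_tag(secret, cls, hardware[cls])):
            matches += 1
    return matches >= min_matches, matches


# --- constructed data: the machine at install time and two later states ---
SECRET = b"per-installation-secret-held-by-the-vendor"   # assumed
ORIGINAL = {"cpu": "cpu-A1", "disk": "disk-S/N-100", "nic": "00:11:22:33:44:55",
            "ram": "ram-16G-XYZ", "gpu": "gpu-B7"}
DISK_REPLACED = dict(ORIGINAL, disk="disk-S/N-999")
MOSTLY_NEW = dict(ORIGINAL, cpu="cpu-Z9", disk="disk-S/N-999", ram="ram-32G-Q")


def scenarios() -> Dict[str, Tuple[bool, int]]:
    shwid = generate_shwid(SECRET, ORIGINAL)
    return {
        "unchanged":     check_shwid(shwid, SECRET, ORIGINAL),
        "disk_replaced": check_shwid(shwid, SECRET, DISK_REPLACED),
        "mostly_new":    check_shwid(shwid, SECRET, MOSTLY_NEW),
        "wrong_secret":  check_shwid(shwid, b"attacker-guess", ORIGINAL),
    }


if __name__ == "__main__":
    for name, (allowed, n) in scenarios().items():
        print(f"{name:14s} matches={n} allowed={allowed}")
```

The secret is what makes the identifier "secure" in the sense the abstract uses: an attacker who reads the stored SHWID learns nothing about the hardware and cannot compute a matching identifier for a different machine without the secret.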

Processor // 2248608

FIELD: computers, data protection.

SUBSTANCE: the processor has a bus interface unit, an instruction fetch/decode unit, a dispatch/execution unit, and a unit for decoding the program string that is fetched from the program and loaded into the first-level instruction cache; the decoding unit contains a set of N two-input XOR elements and a key memory storing different N-bit decoding keys.

EFFECT: higher efficiency.

2 dwg
