WikiPatents - Community Patent Review
Computer system security method and apparatus having program authorization information data structures
United States Patent 5412717
Link to this page: http://www.wikipatents.com/5412717.html
Inventor(s): Fischer; Addison M. (60 14th Ave. South, Naples, FL 33942)

Abstract

Method and apparatus are disclosed including a system monitor which limits the ability of a program about to be executed to the use of predefined resources (e.g., data files, disk writing capabilities, etc.). The system monitor processes a data structure including a set of authorities defining that which a program is permitted to do and/or that which the program is precluded from doing. The set of authorities and/or restrictions assigned to a program to be executed are referred to as "program authorization information" (or "PAI"). Once defined, the program authorization information is thereafter associated with at least one program to be executed to thereby delineate the resources and functions that the program is allowed to utilize and/or is not allowed to utilize. The PAI associated with a particular program may be assigned by a computer system owner/user or by someone who the computer system owner/user implicitly trusts. The PAI permits an associated program to access what has been authorized and nothing else. The program may be regarded as being placed in a program capability limiting "safety box". This "safety box" is thereafter associated with the program such that when the system monitor runs the program, the PAI for that program is likewise loaded and monitored. When the program is to perform a function or access a resource, the associated PAI is monitored to confirm that the operation is within the defined program limits. The program is thereby prevented from doing anything outside the authorized limits.
Inventor: Fischer; Addison M. (60 14th Ave. South, Naples, FL 33942)
Publication Date: May 2, 1995
Application Number: 07/883,868
Filing Date: May 15, 1992
US Classification: 713/156 713/167 713/176
Int'l Classification: H04L 009/00
Examiner: Cain; David C.
Attorney/Law Firm: Nixon & Vanderhye
USPTO Field of Search: 380/23 380/24 380/25 380/4
Patent Tags: computer security program authorization information data structures
References

U.S. References (patent number, first-named inventor, classification, issue date):
- 5164988, Matyas, 713/156, Nov 1992
- 5142578, Matyas, 380/280, Aug 1992
- 5109413, Comerford, 705/54, Apr 1992
- 5005200, Fischer, 380/30, Apr 1991
- 4652990, Pailen, 705/56, Mar 1987
- 5047928, Wiedemer, 705/52, Dec 1969
Claims
What is claimed is:

1. In a digital computer system having a digital data processing means for executing a plurality of digital programs and a memory means for storing digital program instructions and digital data, apparatus for protecting a digital computer user from operations typically performable by a digital computer program executing on behalf of a user comprising:

means for storing a plurality of digital authorization entries in said memory means, wherein said entries qualify operations which an associated program is permitted to perform when executed by said processing means; and

means for storing in at least one segment, digital data for associating said authorization entries with at least one program.

2. Apparatus for protecting a digital computer user according to claim 1, wherein said at least one segment includes means for storing a hash of said associated program.

3. Apparatus for protecting a digital computer user according to claim 1, wherein said at least one segment includes means for storing an indication of the type of program to which the data structure is associated.

4. Apparatus for protecting a digital computer user according to claim 1, wherein said at least one segment includes means for storing an identifier indicating the type of object to which program authorization information is associated.

5. Apparatus for protecting a digital computer user according to claim 2, wherein said at least one segment further includes means for storing an identifier of the algorithm used to hash the program.

6. Apparatus for protecting a digital computer user according to claim 1, wherein said at least one segment includes means for storing the name of the program.

7. Apparatus for protecting a digital computer user according to claim 1, wherein said at least one segment includes means for storing the date of authorization.

8. Apparatus for protecting a digital computer user according to claim 1, further including means for storing an indication of the size of the authorization information contained in the data structure.

9. Apparatus for protecting a digital computer user according to claim 1, wherein the means for storing a plurality of authorization entries includes means for storing an indication of the size of each entry.

10. Apparatus for protecting a digital computer user according to claim 1, wherein the means for storing a plurality of authorization entries includes means for indicating at least one of the type of function and resource said at least one program is permitted to perform for each of said entries.

11. Apparatus for protecting a digital computer user according to claim 1, wherein the means for storing a plurality of authorization entries includes means for storing a qualification of authority which has been granted to the program.

12. Apparatus for protecting a digital computer user according to claim 1, further including means for storing a digital signature.

13. Apparatus for protecting a digital computer user according to claim 12, wherein said means for storing a digital signature includes means for storing an indicator to identify a signer's certificate.

14. Apparatus for protecting a digital computer user according to claim 12, further including means for storing at least an indication of the authority granted to the signing party.

15. Apparatus for protecting a digital computer user in accordance with claim 1, further including means for storing data indicating a money limit.

16. Apparatus for protecting a digital computer user in accordance with claim 15, wherein said money limit limits the operation of said associated program.

17. Apparatus for protecting a digital computer user in accordance with claim 15, wherein said money limit defines the limits of a transaction.

18. Apparatus for protecting a digital computer user in accordance with claim 15, further including means for storing a digital signature, wherein said money limit reflects an authority limit of the party digitally signing the program.

19. Apparatus for protecting a digital computer user according to claim 12, further including means for storing an indication that a plurality of digital signatures are necessary for at least one signature to be considered valid.

20. Apparatus for protecting a digital computer user according to claim 12, wherein said means for storing a digital signature includes means for storing a hash of at least part of said plurality of authorization entries.

21. Apparatus for protecting a digital computer user according to claim 12, wherein said means for storing a digital signature includes means for storing a result of a signer's private key operation.

22. Apparatus for protecting a digital computer user in accordance with claim 1, wherein said means for storing a plurality of authorization entries includes means for storing an indication of the set of data to which said associated program has authority to access.

23. Apparatus for protecting a digital computer user in accordance with claim 1, wherein said means for storing a plurality of authorization entries includes means for storing an indication of the set of fields of at least one file to which said associated program has the authority to access.

24. Apparatus for protecting a digital computer user in accordance with claim 1, wherein said means for storing a plurality of authorization entries includes means for storing an indication of the set of files to which said associated program has the authority to access.

25. Apparatus for protecting a digital computer user in accordance with claim 1, wherein said means for storing a plurality of authorization entries includes means for storing an indication of the set of data to which said associated program has authority to read.

26. Apparatus for protecting a digital computer user in accordance with claim 1, wherein said means for storing a plurality of authorization entries includes means for storing an indication of the set of data to which said associated program has authority to process and an indication of the nature of the allowed processing.

27. Apparatus for protecting a digital computer user in accordance with claim 1, wherein said means for storing a plurality of authorization entries includes means for storing an indication of the set of data to which said associated program has authority to modify.

28. Apparatus for protecting a digital computer user in accordance with claim 1, wherein said means for storing a plurality of authorization entries includes means for storing an indication of the set of data to which said associated program has authority to erase.

29. Apparatus for protecting a digital computer user in accordance with claim 1, wherein said means for storing a plurality of authorization entries includes means for storing an indication of the set of data to which said associated program has authority to transmit.

30. Apparatus for protecting a digital computer user in accordance with claim 1, wherein said means for storing a set of authorization entries includes means for storing whether said associated program has the ability to call programs.

31. Apparatus for protecting a digital computer user in accordance with claim 30, further including means for storing an indication of the authority to call programs with more extensive program authorization information authority than the associated program.

32. Apparatus for protecting a digital computer user in accordance with claim 30, further including means for storing an indication of the authority to call programs with different program authorization information authority than the associated program.

33. Apparatus for protecting a digital computer user in accordance with claim 1, further including means for storing whether said associated program has the ability to call programs and for storing an indication of the set of programs which said associated program is permitted to call.

34. Apparatus for protecting a digital computer user in accordance with claim 1, further including means for storing an indication of the method of combining the authority of said associated program and the programs it is permitted to call.

35. Apparatus for protecting a digital computer user in accordance with claim 34, wherein said indicated method of combining involves using an authority associated with said associated program.

36. Apparatus for protecting a digital computer user in accordance with claim 34, wherein said indicated method of combining involves using an authority associated with the called program.

37. Apparatus for protecting a digital computer user in accordance with claim 34, wherein said indicated method of combining involves using the lesser of the authority indicated for the invoked program and the authority indicated for the associated program.

38. Apparatus for protecting a digital computer user in accordance with claim 1, wherein said means for storing a plurality of authorization entries includes means for storing an indication as to whether the associated program can be invoked by another program.

39. Apparatus for protecting a digital computer user in accordance with claim 38, further including means for storing an indication of the set of programs by which said associated program is permitted to be invoked.

40. Apparatus for protecting a digital computer user in accordance with claim 38, further including means for storing an indication of the method of combining the authority of said associated program and the programs by which it is permitted to be invoked.

41. Apparatus for protecting a digital computer user in accordance with claim 38, wherein a method of combining program authority is used which involves an authority associated with said associated program.

42. Apparatus for protecting a digital computer user in accordance with claim 38, wherein a method of combining program authority is used which involves an authority associated with the invoking program.

43. Apparatus for protecting a digital computer user in accordance with claim 40, wherein the indicated method of combining involves using the lesser of the authority indicated for the invoking program and the authority indicated for the associated program.

44. Apparatus for protecting a digital computer user in accordance with claim 1, wherein said means for storing a plurality of authorization entries includes means for storing an indication as to whether the associated program can be invoked by another program having a different program authorizing information than said associated program.

45. Apparatus for protecting a digital computer user in accordance with claim 1, wherein said means for storing a plurality of authorization entries includes means for storing an indication of whether the associated program has authority to generate electronic mail.

46. Apparatus for protecting a digital computer user in accordance with claim 45, wherein said means for storing an indication of whether the associated program has authority to generate electronic mail includes means for storing an indication of a set of allowed recipients.

47. Apparatus for protecting a digital computer user in accordance with claim 1, wherein said means for storing a plurality of authorization entries includes means for storing an indication of whether said associated program has authority to transmit data to other users.

48. Apparatus for protecting a digital computer user in accordance with claim 47, wherein said means for storing an indication of whether the associated program has authority to transmit data to other users includes means for storing an indication of a set of allowed recipients.

49. Apparatus for protecting a digital computer user according to claim 1, wherein said means for storing a plurality of authorization entries includes means for storing an indication as to whether said associated program has authority to perform document release operations.

50. Apparatus for protecting a digital computer user according to claim 1, wherein said means for storing a plurality of authorization entries includes means for storing an indication of whether said associated program has authority to execute machine language programs.

51. Apparatus for protecting a digital computer user according to claim 1, wherein said means for storing a plurality of authorization entries further includes means for storing an indication of the memory access privileges authorized to the associated program.

52. Apparatus for protecting a digital computer user according to claim 1, wherein said means for storing a plurality of authorization entries includes means for storing an indication of at least one qualification on said associated program regarding the ability to display information to a user.

53. Apparatus for protecting a digital computer user according to claim 1, wherein said means for storing a plurality of authorization entries includes means for storing an indication of at least one qualification on said associated program regarding the ability to solicit input from a user.

54. Apparatus for protecting a digital computer user according to claim 1, wherein said means for storing a plurality of authorization entries includes means for storing an indication of at least one qualification on the program regarding the ability to solicit digital signatures from a user.

55. Apparatus for protecting a digital computer user according to claim 1, wherein said means for storing a plurality of authorization entries includes means for storing an indication that digital signatures must be collected from a plurality of users.

56. Apparatus for protecting a digital computer user according to claim 1, wherein said means for storing a plurality of authorization entries includes means for storing an indication of at least one qualification on the program regarding the ability to control other devices.

57. Apparatus for protecting a digital computer user according to claim 56, wherein said other devices include robot devices.

58. Apparatus for protecting a digital computer user according to claim 1, wherein said means for storing a plurality of authorization entries includes means for storing an indication that access is limited by a security clearance.

59. Apparatus for protecting a digital computer user according to claim 1, wherein said plurality of authorization entries are included as part of a digital signature.

60. Apparatus for protecting a digital computer user according to claim 1, wherein said plurality of authorization entries are included as part of a digital signature and wherein said associated data structure includes an indication of authority which is possessed by the signer.

61. In a digital computer system for providing improved computer security having digital data processing means for executing a plurality of digital computer programs for a computer user and memory means for storing digital program instructions and digital data, apparatus for protecting a digital computer user from operations typically performable by a digital computer program executing on behalf of a user comprising:

means for storing digital authorization information in said memory means which restricts an associated program from performing operations, when executed by said processing means, which are available to said computer user; and

means for storing in at least one segment digital data for associating said authorization information with at least one program to be executed by said processing means.

62. Apparatus for protecting a digital computer user according to claim 61 further including means for storing a hash of said associated computer program.

63. Apparatus for protecting a digital computer user according to claim 61, wherein said at least one segment includes means for storing an indication of the type of program to which the data structure is associated.

64. Apparatus for protecting a digital computer user according to claim 61, wherein said at least one segment includes means for storing an identifier indicating the type of object to which program authorization information is associated.

65. Apparatus for protecting a digital computer user according to claim 62, wherein said at least one segment further includes means for storing an identifier of the algorithm used to hash the program.

66. Apparatus for protecting a digital computer user according to claim 61, wherein said at least one segment includes means for storing the name of the program.

67. Apparatus for protecting a digital computer user according to claim 61, wherein said at least one segment includes means for storing the date of authorization.

68. Apparatus for protecting a digital computer user according to claim 61, further including means for storing an indication of the size of the authorization information.

69. Apparatus for protecting a digital computer user according to claim 61, wherein the means for storing authorization information includes means for storing a plurality of authorization information and an indication of the size of each entry.

70. Apparatus for protecting a digital computer user according to claim 61, wherein the means for storing authorization information includes means for indicating at least one of the type of function and resource.

71. Apparatus for protecting a digital computer user according to claim 61, wherein the means for storing authorization information includes means for storing a qualification of authority which has been granted to the program.

72. Apparatus for protecting a digital computer user according to claim 61, further including means for storing a digital signature.

73. Apparatus for protecting a digital computer user according to claim 72, wherein said means for storing a digital signature includes means for storing an indicator to identify a signer's certificate.

74. Apparatus for protecting a digital computer user according to claim 72, further including means for storing at least an indication of the authority granted to the signing party.

75. Apparatus for protecting a digital computer user according to claim 61, further including means for storing a money qualification indication.

76. Apparatus for protecting a digital computer user in accordance with claim 75, wherein said money limit governs the operation of said associated program.

77. Apparatus for protecting a digital computer user in accordance with claim 75, wherein said money qualification defines the limits of a transaction.

78. Apparatus for protecting a digital computer user in accordance with claim 75, further including means for storing a digital signature, wherein said money qualification reflects an authority limit of the party digitally signing the program.

79. Apparatus for protecting a digital computer user according to claim 72, further including means for storing a cosignature requirement which is necessary for the signature to be considered valid.

80. Apparatus for protecting a digital computer user according to claim 72, wherein said means for storing a digital signature includes means for storing a hash of at least part of said authorization.

81. Apparatus for protecting a digital computer user according to claim 72, wherein said means for storing a digital signature includes means for storing a result of a signer's private key operation.

82. Apparatus for protecting a digital computer user in accordance with claim 61, wherein said means for storing authorization information includes means for storing an indication of the set of data to which said associated program has authority to access.

83. Apparatus for protecting a digital computer user in accordance with claim 61, wherein said means for storing authorization information includes means for storing an indication of the set of fields of at least one file to which said associated program has the authority to access.

84. Apparatus for protecting a digital computer user in accordance with claim 61, wherein said means for storing authorization information includes means for storing an indication of the set of data to which said associated program has the authority to access and the nature of the operations to said data which the program is permitted to perform.

85. Apparatus for protecting a digital computer user in accordance with claim 61, wherein said means for storing authorization information includes means for storing an indication of the set of data to which said associated program has authority to read.

86. Apparatus for protecting a digital computer user in accordance with claim 61, wherein said means for storing authorization information includes means for storing an indication of the set of data to which said associated program has authority to process.

87. Apparatus for protecting a digital computer user in accordance with claim 61, wherein said means for storing authorization information includes means for storing an indication of the set of data to which said associated program has authority to modify.

88. Apparatus for protecting a digital computer user in accordance with claim 61, wherein said means for storing authorization information includes means for storing an indication of the set of data to which said associated program has authority to erase.

89. Apparatus for protecting a digital computer user in accordance with claim 61, wherein said means for storing authorization information includes means for storing an indication of the set of data to which said associated program has authority to transmit.

90. Apparatus for protecting a digital computer user in accordance with claim 61, wherein said means for storing authorization information includes means for storing whether said associated program has the ability to call programs.

91. Apparatus for protecting a digital computer user in accordance with claim 61, further including means for storing an indication of the set of programs which the associated program is allowed to invoke.

92. Apparatus for protecting a digital computer user in accordance with claim 61, further including means for storing an indication of the authority to call programs with different program authorization information authority than the associated program.

93. Apparatus for protecting a digital computer user in accordance with claim 61, further including means for storing authorization information reflecting a combination of the authorization of the calling program and that associated with the called program.

94. Apparatus for protecting a digital computer user in accordance with claim 61, further including means for storing an indication of the method of combining the authority of said associated program and the programs it is permitted to call.

95. Apparatus for protecting a digital computer user in accordance with claim 94, wherein said indicated method of combining involves using an authority associated with said associated program.

96. Apparatus for protecting a digital computer user in accordance with claim 94, wherein said indicated method of combining involves using an authority associated with the called program.

97. Apparatus for protecting a digital computer user in accordance with claim 94, wherein said indicated method of combining involves using the lesser of the authority indicated for the invoked program and the authority indicated for the associated program.

98. Apparatus for protecting a digital computer user in accordance with claim 61, wherein said means for storing authorization information includes means for storing an indication of the set of programs which are allowed to invoke said associated program.

99. Apparatus for protecting a digital computer user in accordance with claim 98, further including means for storing an indication of the set of programs by which said associated program is permitted to be invoked.

100. Apparatus for protecting a digital computer user in accordance with claim 98, further including means for storing an indication of the method of combining the authority of said associated program and the programs by which it is permitted to be invoked.

101. Apparatus for protecting a digital computer user in accordance with claim 61, wherein the indicated method of combining involves using an authority associated with said associated program.

102. Apparatus for protecting a digital computer user in accordance with claim 100, wherein the indicated method of combining involves using an authority associated with the invoking program.

103. Apparatus for protecting a digital computer user in accordance with claim 100, wherein the indicated method of combining involves using the lesser of the authority specified for the invoking program and the authority associated with the associated program.

104. Apparatus for protecting a digital computer user in accordance with claim 61, wherein said means for storing authorization information includes means for storing an indication as to whether the associated program can be invoked by another program having a different program authorizing information than said associated program.

105. Apparatus for protecting a digital computer user in accordance with claim 61, wherein said means for storing authorization information includes means for storing an indication of at least one rule governing the authority of the associated program to generate electronic mail.

106. Apparatus for protecting a digital computer user in accordance with claim 105, wherein said means for storing an indication of at least one rule governing the authority of the associated program to generate electronic mail includes means for indicating a set of allowed recipients.

107. Apparatus for protecting a digital computer user in accordance with claim 61, wherein said means for storing authorization information includes means for storing an indication of at least one rule governing the authority of said associated program to transmit data to other users.

108. Apparatus for protecting a digital computer user in accordance with claim 107, wherein said means for storing an indication of at least one rule governing the authority of said associated program to transmit data to other users includes means for indicating a set of allowed recipients.

109. Apparatus for protecting a digital computer user according to claim 61, wherein said means for storing authorization information includes means for storing an indication of at least one rule governing the authority of said associated program to perform document release.

110. Apparatus for protecting a digital computer user according to claim 61, wherein said means for storing authorization information includes means for storing an indication of at least one rule governing the authority of said associated program to execute machine language programs.

111. Apparatus for protecting a digital computer user according to claim 61, wherein said means for storing authorization information further includes means for storing an indication of at least one rule governing the authority of said associated program to access memory.

112. Apparatus for protecting a digital computer user according to claim 61, wherein said means for storing authorization information includes means for storing an indication of at least one rule governing the authority of said associated program to display information to a user.

113. Apparatus for protecting a digital computer user according to claim 61, wherein said means for storing authorization information includes means for storing an indication of at least one rule governing the authority of said associated program to solicit input from a user.

114. Apparatus for protecting a digital computer user according to claim 61, wherein said means for storing authorization information includes means for storing an indication of at least one rule governing the authority of said associated program to solicit digital signatures from a user.

115. Apparatus for protecting a digital computer user according to claim 61, wherein said means for storing authorization information includes means for storing an indication of at least one rule governing the authority of said associated program to control other devices.

116. Apparatus for protecting a digital computer user according to claim 115, wherein said other devices include robot devices.

117. Apparatus for protecting a digital computer user according to claim 61, wherein said means for storing authorization information includes means for storing an indication of at least one rule indicating that access is governed by a security clearance.

118. Apparatus for protecting a digital computer user according to claim 61, wherein said authorization information is included as part of a digital signature.

119. Apparatus for protecting a digital computer user according to claim 118, further including means for storing an indication of the authority possessed by the signer.

120. In a digital computer system having digital data processing means for executing a plurality of digital computer programs for a computer user and memory means for storing digital program instructions and digital data, a method for providing improved computer security comprising the steps of:

storing digital authorization information in said memory means which restricts an associated program from accessing resources when executed by said digital data processing means which are accessible to said computer user; and

storing in at least one segment, digital data for associating said authorization information with at least one program to be executed by said processing means for said computer user.

121. A method according to claim 120 further including storing a hash of said associated computer program.

122. A method according to claim 120, further including storing an indication of the type of program to which the authorization information is associated.

123. A method according to claim 120, further including storing an identifier indicating the type of object to which program authorization information is associated.

124. A method according to claim 121, further including storing an identifier of the algorithm used to hash the program.

125. A method according to claim 120, further including storing the name of the program.

126. A method according to claim 120, further including storing the date of authorization.

127. A method according to claim 120, further including storing an indication of the size of the authorization information.

128. A method according to claim 120 wherein the step of storing authorization information includes the steps of storing a plurality of authorization entries and storing an indication of the size of each entry.

129. A method according to claim 120, wherein the step of storing authorization information includes indicating at least one of the type of function and resource.

130. A method according to claim 120, wherein the step of storing authorization information includes storing a qualification of authority which has been granted to the program.

131. A method according to claim 120, further including storing a digital signature.

132. A method according to claim 131, wherein said step of storing a digital signature includes storing an indicator to identify a signer's certificate.

133. A method according to claim 131, further including storing at least an indication of the authority granted to the signing party.

134. A method according to claim 120, further including storing a money limit indication.

135. A method in accordance with claim 134, wherein said money limit limits the operation of said associated program.

136. A method in accordance with claim 134, wherein said money limit defines the limits of a user transaction.

137. A method in accordance with claim 134, further including storing a digital signature wherein said money limit reflects an authority limit of the party digitally signing the program.

138. A method according to claim 131, further including storing a cosignature requirement which is necessary for the signature to be considered valid.

139. A method according to claim 131 wherein said step of storing a digital signature includes the step of storing a hash of at least part of said authorization information.

140. A method according to claim 131, wherein said step of storing a digital signature includes storing a result of a signer's private key operation.

141. A method in accordance with claim 133, wherein said step of storing authorization information includes storing an indication of the set of data to which said associated program has authority to access.

142. A method in accordance with claim 120, wherein said step of storing authorization information includes storing an indication of the set of fields of at least one file to which said associated program has the authority to access.

143. A method in accordance with claim 120, wherein said step of storing authorization information includes storing an indication of the set of files to which said associated program has the authority to access.

144. A method in accordance with claim 120, wherein said step of storing authorization information includes storing an indication of the set of data to which said associated program has authority to read.

145. A method in accordance with claim 120, wherein said step of storing authorization information includes storing an indication of the set of data to which said associated program has authority to process and the rules for processing.

146. A method in accordance with claim 120, wherein said step of storing authorization information includes storing an indication of the set of data to which said associated program has authority to modify.

147. A method in accordance with claim 120, wherein said step of storing authorization information includes storing an indication of the set of data to which said associated program has authority to erase.

148. A method in accordance with claim 120, wherein said step of storing authorization information includes storing an indication of the set of data to which said associated program has authority to transmit.

149. A method in accordance with claim 120, wherein said step of storing authorization information includes storing whether said associated program has the ability to call programs.

150. A method in accordance with claim 120, further including storing an indication of the set of programs which the associated program is allowed to invoke.

151. A method in accordance with claim 120, further including storing an indication of the authority to call programs with different program authorization information authority than the associated program.

152. A method in accordance with claim 120, further including storing authorization information reflecting a combination of the authorization of the calling program and that associated with the called program.

153. A method in accordance with claim 120, further including storing an indication of the authority to call programs with more extensive program authorization information authority than the associated program.

154. A method in accordance with claim 120, further including storing an indication of the authority to call programs with different program authorization information authority than the associated program.

155. A method according to claim 120 further including storing an indication of the set of programs which said associated program is permitted to call.

156. A method in accordance with claim 120, further including storing an indication of the method of combining the authority of said associated program with the programs it calls.

157. A method in accordance with claim 156, wherein said indicated method of combining involves using an authority associated with said associated program.

158. A method in accordance with claim 156, wherein said indicated method of combining involves using an authority associated with the called program.

159. A method in accordance with claim 156, wherein said indicated method of combining involves using the lesser of the authority indicated for the invoked program and the authority indicated for the associated program.

160. A method in accordance with claim 120, wherein said step of storing authorization information includes storing an indication of the set of programs which are allowed to invoke.

161. A method in accordance with claim 160, further including storing an indication of the set of programs by which said associated program is permitted to be invoked.

162. A method in accordance with claim 160, further including storing an indication of the method of combining the authority of said associated program with the programs by which it is invoked.

163. A method in accordance with claim 162, wherein the indicated method of combining involves using an authority associated with said associated program.

164. A method in accordance with claim 162, wherein the indicated method of combining involves using an authority associated with the invoking program.

165. A method in accordance with claim 162, wherein the indicated method of combining involves using the lesser of the authority specified for the invoking program and the authority associated with the associated program.

166. A method in accordance with claim 120, wherein said step of storing authorization information includes storing an indication as to whether the associated program can be invoked by another program having a different program authorizing information than said associated program.

167. A method in accordance with claim 120, wherein said step of storing authorization information includes storing an indication of at least one rule governing the authority of the associated program to generate electronic mail.

168. A method in accordance with claim 167, wherein said indication of at least one rule governing the authority of the associated program to generate electronic mail includes the indication of a set of allowed recipients.

169. A method in accordance with claim 120, wherein said step of storing authorization information includes storing an indication of at least one rule governing the authority of said associated program to transmit data to other users.

170. A method in accordance with claim 169, wherein said indication of at least one rule governing the authority of said associated program to transmit data to other users includes an indication of a set of allowed recipients.

171. A method according to claim 120, wherein said authorization information includes an indication of at least one rule governing the authority of said associated program to perform document release.

172. A method according to claim 120, wherein said authorization information includes an indication of at least one rule governing the authority of said associated program to execute machine language programs.

173. A method according to claim 120, wherein said step of storing authorization information further includes the step of storing an indication of at least one rule governing whether said associated program has special memory access privileges.

174. A method according to claim 120, wherein said step of storing authorization information includes storing an indication of at least one rule governing the authority of said associated program to display information to a user.

175. A method according to claim 120, wherein said step of storing authorization information includes storing an indication of at least one rule governing the authority of said associated program to solicit input from a user.

176. A method according to claim 120, wherein said step of storing authorization information includes storing an indication of at least one rule governing the authority of said associated program to solicit digital signatures from a user.

177. A method according to claim 120, wherein said step of storing authorization information includes storing an indication of at least one rule governing the authority of said associated program to control other devices.

178. A method according to claim 177, wherein said other devices include robot devices.

179. A method according to claim 120, wherein said step of storing authorization information includes storing an indication of at least one rule indicating that access is limited by a security clearance.

180. A method according to claim 120, wherein said authorization information is included as part of a digital signature.

181. A data structure according to claim 180, further including the step of storing an indication of the authority possessed by the signer.
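The method claims above (claims 120 to 165) describe a PAI record carrying a program hash and its algorithm identifier, per-resource authorities, a money limit, and a rule for combining a caller's authority with a callee's. The following Python sketch is an added example, not code from the patent; the field names, the reading of the "lesser" rule as set intersection plus the smaller money limit, and the sample programs are this example's assumptions, and the signature and cosignature fields of claims 131 to 140 are left out.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Authority:               # what a program may do (field names are this example's)
    read_files: frozenset      # data it may read (claims 143/144)
    modify_files: frozenset    # data it may modify (claim 146)
    may_call: frozenset        # programs it may invoke (claim 150)
    money_limit: int           # money limit on transactions (claims 134-136)
    combine: str = "lesser"    # how its authority combines with callees (claims 156-159)

@dataclass(frozen=True)
class PAI:                     # the record the monitor loads alongside the program
    program_name: str          # claim 125
    hash_alg: str              # identifier of the hash algorithm (claim 124)
    program_hash: str          # hash of the associated program (claim 121)
    authority: Authority

def pai_matches_program(pai: PAI, program_bytes: bytes) -> bool:
    """Check before loading: the code must be the one the PAI was issued for."""
    return hashlib.new(pai.hash_alg, program_bytes).hexdigest() == pai.program_hash

def permitted(auth: Authority, operation: str, target) -> bool:
    """Decide one request: read/modify a file, call a program, or spend an amount."""
    if operation == "spend":
        return 0 <= target <= auth.money_limit
    sets = {"read": auth.read_files, "modify": auth.modify_files, "call": auth.may_call}
    return target in sets.get(operation, frozenset())   # unknown operation: deny

def effective_authority(caller: Authority, callee: Authority) -> Authority:
    """Authority in force once caller invokes callee, per the caller's combining rule."""
    if caller.combine in ("caller", "callee"):
        return caller if caller.combine == "caller" else callee
    if caller.combine == "lesser":
        # the lesser of the two: intersect the sets, take the smaller limit (claim 159)
        return Authority(caller.read_files & callee.read_files,
                         caller.modify_files & callee.modify_files,
                         caller.may_call & callee.may_call,
                         min(caller.money_limit, callee.money_limit), "lesser")
    raise ValueError(f"unknown combining method {caller.combine!r}")

# Constructed sample: an editor limited to one document that may invoke a mailer.
EDITOR_CODE = b"constructed program bytes, stand-in for the real executable"
EDITOR_AUTH = Authority(frozenset({"report.txt"}), frozenset({"report.txt"}),
                        frozenset({"mailer"}), 0, "lesser")
EDITOR_PAI = PAI("editor", "sha256", hashlib.sha256(EDITOR_CODE).hexdigest(), EDITOR_AUTH)
MAILER_AUTH = Authority(frozenset({"report.txt", "addressbook"}), frozenset(),
                        frozenset(), 500, "lesser")
```

With the "lesser" rule, the mailer invoked from the editor loses its address book access and its 500 money limit, so a call chain cannot widen what the user originally authorized.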
Description
 


RELATED APPLICATION

This application is related to the applicant's application Ser. No. 08/070,787, which is a continuation of application Ser. No. 07/883,867 now abandoned, filed May 15, 1992 and entitled "COMPUTER SYSTEM SECURITY METHOD AND APPARATUS FOR CREATING AND USING PROGRAM AUTHORIZATION INFORMATION DATA STRUCTURES".

FIELD OF THE INVENTION

The present invention generally relates to a method and apparatus for providing digital information with enhanced security and protection. More particularly, the invention relates to a method and apparatus for providing enhanced computer system security while processing computer programs, particularly those of unknown origin, which are transmitted among users.

BACKGROUND AND SUMMARY OF THE INVENTION

The potentially devastating consequences of computer "viruses" have been widely publicized. A computer virus may be viewed as a computer program which, when executed, results in the performance of not only operations expected by the user, but also unexpected, often destructive, operations built into the program. A compu