WO2014167430A1 - Spooling system call data to facilitate data transformation - Google Patents
- Publication number: WO2014167430A1 (PCT/IB2014/059621)
- Authority: WO (WIPO, PCT)
- Prior art keywords: data, system call, transformation, destination, complete set
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/46—Multiprogramming arrangements
- G06F9/54—Interprogram communication
- G06F9/541—Interprogram communication via adapters, e.g. between incompatible applications
- G06F9/545—Interprogram communication where tasks reside in different layers, e.g. user- and kernel-space
Definitions
- the preferred embodiment relates generally to securing resources in a distributed computing environment, such as a transaction processing environment.
- a "system call" is a mechanism by which a program or process requests a service from an operating system's kernel.
- the operating system segregates virtual memory into kernel space and user space, the former being reserved for running the OS kernel, kernel extensions, and device drivers, the latter being where all user mode applications work.
- System calls provide the interface between programs or processes executing in user space and the operating system kernel executing in kernel space.
- the database query is modified to fit the additional clause.
- with a 1:1 mapping of intercepted-to-real system calls, however, the header will have already passed to the database, and thus it will be too late to change the size of the packet.
- a single query (e.g., to read from the database).
- the preferred embodiment provides a method for processing a system call in a computing system having a memory, the system call having an associated source, and a destination, comprising: upon intercepting a system call, applying a function that executes in a hardware element to spool data associated with two or more real system calls until a complete set of data associated with the system call has been spooled; and responsive to receipt of a result of applying a transform to the complete set of data, releasing the system call by unspooling the result to the destination.
- the source is the system call and the destination is a user space of the memory. More preferably, the source is a user space of the memory and the destination is the system call. Still more preferably, the method further comprises the step of applying a transformation to the complete set of data. Still more preferably, the transformation is one of: examining, analyzing, redacting, preventing, processing and updating.
- the two or more real system calls causes data to be read and the transformation is applied to the complete set of data prior to returning to an application requesting the read.
- the two or more real system calls cause data to be written from an application and the transformation is applied prior to initiating a first system call write.
- the techniques herein provide for "time-shifting" of intercepted system calls to enable a one-to-many (1 : n) or a many-to-one (n: 1) mapping of intercepted-to-real system calls. Any action that needs to be applied on the logical boundaries of the data (instead of the physical boundaries) presented upon system call interception spools (buffers) the data before taking the action and then unspools the result when finished. The action may be quite varied, e.g., examining the data, redacting the data, changing the data, restricting the data, processing the data, and updating the data, among others.
- a system call has an associated source, and a destination.
- the source is the original system call itself, and the destination is user space.
- the source is user space, and the destination is the original system call.
- a "hold" is put on the data associated with a system call.
- the hold spools the data and does not return to user space before all the data has been read.
- the hold spools the data until all data that is going to be written is read from user space.
- holding the data in this manner enables application of a transformation to be done transparently to the user processes calling the intercepted system calls.
- use of this approach enables the processing of the data and application of the transformation to be done remotely, e.g., to avoid memory restrictions and so that different sets of data can be correlated with one another.
- FIG. 1 depicts an exemplary block diagram of a distributed data processing environment in which exemplary aspects of the illustrative embodiments may be
- FIG. 2 is an exemplary block diagram of a data processing system in which exemplary aspects of the illustrative embodiments may be implemented;
- FIG. 3 depicts the high level operation of a known Local Database Access Control System (LDACS) in which the techniques of this disclosure may be practiced in a non-limiting embodiment
- FIG. 4 illustrates a memory of a computing entity and in which a spooling mechanism functionality of this disclosure may be implemented
- FIG. 5 illustrates a process flow for processing a first type (e.g., "read") of system call according to this disclosure
- FIG. 6 illustrates a process flow for processing a second type (e.g., "write") of system call according to this disclosure.
- with reference to FIGs. 1-2, exemplary diagrams of data processing environments are provided in which illustrative embodiments of the disclosure may be implemented. It should be appreciated that FIGs. 1-2 are only exemplary and are not intended to assert or imply any limitation with regard to the environments in which aspects or embodiments of the disclosed subject matter may be implemented. Many modifications to the depicted environments may be made without departing from the scope of the present invention.
- FIG. 1 depicts a pictorial representation of an exemplary distributed data processing system in which aspects of the illustrative embodiments may be implemented.
- Distributed data processing system 100 may include a network of computers in which aspects of the illustrative embodiments may be implemented.
- the distributed data processing system 100 contains at least one network 102, which is the medium used to provide communication links between various devices and computers connected together within distributed data processing system 100.
- the network 102 may include connections, such as wire, wireless communication links, or fiber optic cables.
- server 104 and server 106 are connected to network 102 along with storage unit 108.
- clients 110, 112, and 114 are also connected to network 102. These clients 110, 112, and 114 may be, for example, personal computers, network computers, or the like.
- server 104 provides data, such as boot files, operating system images, and applications to the clients 110, 112, and 114.
- Clients 110, 112, and 114 are clients to server 104 in the depicted example.
- Distributed data processing system 100 may include additional servers, clients, and other devices not shown.
- distributed data processing system 100 is the Internet with network 102 representing a worldwide collection of networks and gateways that use the Transmission Control Protocol/Internet Protocol (TCP/IP) suite of protocols to communicate with one another.
- At the heart of the Internet is a backbone of high-speed data
- FIG. 1 is intended as an example, not as an architectural limitation for different embodiments of the disclosed subject matter, and therefore, the particular elements shown in FIG. 1 should not be considered limiting with regard to the environments in which the illustrative
- Data processing system 200 is an example of a computer, such as client 110 in FIG. 1, in which computer usable code or instructions implementing the processes for illustrative embodiments of the disclosure may be located.
- FIG. 2 is a block diagram of a data processing system in which illustrative embodiments may be implemented.
- Data processing system 200 is an example of a computer, such as server 104 or client 110 in FIG. 1, in which computer-usable program code or instructions implementing the processes may be located for the illustrative embodiments.
- data processing system 200 includes communications fabric 202, which provides communications between processor unit 204, memory 206, persistent storage 208, communications unit 210, input/output (I/O) unit 212, and display 214.
- Processor unit 204 serves to execute instructions for software that may be loaded into memory 206.
- Processor unit 204 may be a set of one or more processors or may be a multi-processor core, depending on the particular implementation. Further, processor unit 204 may be implemented using one or more heterogeneous processor systems in which a main processor is present with secondary processors on a single chip. As another illustrative example, processor unit 204 may be a symmetric multi-processor (SMP) system containing multiple processors of the same type.
- Memory 206 and persistent storage 208 are examples of storage devices.
- a storage device is any piece of hardware that is capable of storing information either on a temporary basis and/or a permanent basis.
- Memory 206, in these examples, may be, for example, a random access memory or any other suitable volatile or non-volatile storage device.
- Persistent storage 208 may take various forms depending on the particular implementation.
- persistent storage 208 may contain one or more components or devices.
- persistent storage 208 may be a hard drive, a flash memory, a rewritable optical disk, a rewritable magnetic tape, or some combination of the above.
- the media used by persistent storage 208 also may be removable.
- a removable hard drive may be used for persistent storage 208.
- Communications unit 210, in these examples, provides for communications with other data processing systems or devices.
- communications unit 210 is a network interface card.
- Communications unit 210 may provide communications through the use of either or both physical and wireless communications links.
- Input/output unit 212 allows for input and output of data with other devices that may be connected to data processing system 200.
- input/output unit 212 may provide a connection for user input through a keyboard and mouse. Further, input/output unit 212 may send output to a printer.
- Display 214 provides a mechanism to display information to a user.
- Instructions for the operating system and applications or programs are located on persistent storage 208. These instructions may be loaded into memory 206 for execution by processor unit 204. The processes of the different embodiments may be performed by processor unit 204 using computer implemented instructions, which may be located in a memory, such as memory 206. These instructions are referred to as program code, computer-usable program code, or computer-readable program code that may be read and executed by a processor in processor unit 204. The program code in the different embodiments may be embodied on different physical or tangible computer-readable media, such as memory 206 or persistent storage 208.
- Program code 216 is located in a functional form on computer-readable media 218 that is selectively removable and may be loaded onto or transferred to data processing system 200 for execution by processor unit 204.
- Program code 216 and computer-readable media 218 form computer program product 220 in these examples.
- computer-readable media 218 may be in a tangible form, such as, for example, an optical or magnetic disc that is inserted or placed into a drive or other device that is part of persistent storage 208 for transfer onto a storage device, such as a hard drive that is part of persistent storage 208.
- computer-readable media 218 also may take the form of a persistent storage, such as a hard drive, a thumb drive, or a flash memory that is connected to data processing system 200.
- the tangible form of computer-readable media 218 is also referred to as computer-recordable storage media. In some instances, computer-recordable media 218 may not be removable.
- program code 216 may be transferred to data processing system 200 from computer-readable media 218 through a communications link to communications unit 210 and/or through a connection to input/output unit 212.
- the communications link and/or the connection may be physical or wireless in the illustrative examples.
- the computer-readable media also may take the form of non-tangible media, such as
- a storage device in data processing system 200 is any hardware apparatus that may store data.
- Memory 206, persistent storage 208, and computer-readable media 218 are examples of storage devices in a tangible form.
- a bus system may be used to implement communications fabric 202 and may be comprised of one or more buses, such as a system bus or an input/output bus.
- the bus system may be implemented using any suitable type of architecture that provides for a transfer of data between different components or devices attached to the bus system.
- a communications unit may include one or more devices used to transmit and receive data, such as a modem or a network adapter.
- a memory may be, for example, memory 206 or a cache such as found in an interface and memory controller hub that may be present in communications fabric 202.
- Computer program code for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object-oriented programming language such as Java (Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates), Smalltalk, C++ or the like, and conventional procedural programming languages, such as the "C" programming language or similar programming languages.
- the program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server.
- the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
- FIGs. 1-2 may vary depending on the implementation.
- Other internal hardware or peripheral devices such as flash memory, equivalent non-volatile memory, or optical disk drives and the like, may be used in addition to or in place of the hardware depicted in FIGs. 1-2.
- the processes of the illustrative embodiments may be applied to a multiprocessor data processing system, other than the symmetric multi-processing (SMP) system mentioned previously, without departing from the scope of the disclosed subject matter.
- each client or server machine is a data processing system such as illustrated in FIG. 2 comprising hardware and software, and these entities communicate with one another over a network, such as the Internet, an intranet, an extranet, a private network, or any other communications medium or link.
- a data processing system typically includes one or more processors, an operating system, one or more applications, and one or more utilities.
- the applications on the data processing system provide native support for Web services including, without limitation, support for HTTP, SOAP, XML, WSDL, UDDI, and WSFL, among others.
- Information regarding SOAP, WSDL, UDDI and WSFL is available from the World Wide Web
- a transaction-processing system or environment that comprises distributed and mainframe components, working cooperatively to respond to HTTP and Web Service client end-user service or transaction requests.
- a system or environment typically comprises multiple components, configured in a distributed manner.
- a distributed component of a larger multi-component transaction-processing environment typically comprises at least a computer, operating system platform, applications, networking and an associated security engine that provides distributed transaction processing functions, such as networking interactions with the client end-user, and identification and authentication functions in HTTP and Web Services scenarios.
- the transaction-processing system or environment of this type typically also includes a mainframe component that includes at least a computer, operating system platform, applications, networking and associated security engine that provides high performance back-end transaction processing and large database functionality.
- An LDACS also facilitates auditing and logging operations with respect to a database that is accessible over a network.
- Local access attempts to the database are intercepted and transported to a data security device operable for network monitoring of the access attempts. Because the data security device is remote, it is sometimes referred to as an "external security device" (or "ESD").
- the IPC intercept performs interception of the local access attempts through a minimal footprint implementation object to mitigate resource overhead.
- the remote network data security device observes both the local access attempts via interception at the DB host and transmission of the intercepted access attempts to the data security device, and the remote access attempts via the network, thereby consolidating analysis and logging of the data access attempts to the database resource via the data security device.
- FIG. 3 illustrates the architecture and operation of an LDACS in which the techniques of this disclosure may be practiced.
- the environment 300 provides a remote user 302 with a database (DB) host 304 for data storage and retrieval operations (DB operations).
- the user 302 connects to the host 304 via an access network 306, which may be any suitable internetworking infrastructure such as a LAN, intranet, extranet or the Internet.
- the DB host 304 includes a database server 308 connected to the database 310, typically a disk array or set of mass storage devices such as disk drives.
- the database server 308 includes a DB access gateway 312, which operates as an application programming interface (API) for user 302 access via a variety of access methods.
- a user initiates access to the database in the form of a user request 314, which passes through the network 306 for delivery to the DB access gateway 312 as an incoming request 316.
- a data security device 320 is connected via a switch 322 or other connectivity device such as a tap, router or bridge, on the path from the network 306 to the host 304.
- the data security device 320 includes a DB monitor 324 for receiving user requests 314 sent through the switch 322.
- the DB monitor receives and analyzes the incoming user request 314 as a tapped access attempt 318, which the DB monitor 324 analyzes according to a predetermined security or access policy.
- the data security device 320 then passes the tapped access attempt 318 to the access gateway (AG) 312 as an incoming request 316.
- the database server 308 expects a substantial portion of DB traffic (user requests 314) to arrive remotely via the network 306, and thus pass scrutiny under the data security device 320.
- a portion of database access attempts emanate locally from a local client 330, executing on the host 304, as local access attempts 332.
- the local access attempts 332 arrive at the access gateway 312 via an Inter-Process Communication (IPC) mechanism 334.
- Such local access attempts 332 do not pass through the switch 322, and therefore may otherwise be operable to elude scrutiny of the data security device 320.
- a known LDACS solution employs an IPC intercept 340 for intercepting the local access attempt 332 and transporting the intercepted access attempt 342 to a local agent 350.
- the local agent 350 determines, by interrogating the IPC mechanism 334, a database instruction 352 corresponding to the local access attempts 332. The local agent 350 then transmits the determined database instruction 352 to the data security device 320 for analysis and further operations by the DB monitor 324. In this manner, the data security device 320 receives all local and remote access attempts to the DB server 308 to more fully analyze, monitor, and guard against access attempts that may be undesirable.
- the agent 350 need not be local, but rather may be positioned in other locations or configurations associated with a database host or system.
- the local client 330 may employ a variety of IPC mechanisms 334 to transmit local access attempt 332 to the DB server 308.
- IPC typically is not secure. Alternate configurations may employ other communication mechanisms, such as cryptographic remote method invocation.
- as noted above, the description of LDACS is not intended to be limiting. The techniques that are now described may be implemented in other types of solutions, e.g., auditing and compliance systems, change control solutions, vulnerability management solutions, fraud prevention solutions, database leak prevention solutions, and others.
- the techniques described herein may be implemented in any computing environment wherein a program or process requests a service (e.g., a read, a write, or the like) from an operating system's kernel, e.g., using a system call, and some action needs to be applied on the logical boundaries of the data associated with the service.
- FIG. 4 illustrates the system memory architecture of a representative computing entity in which the techniques herein may be implemented.
- the computing entity may be of the type described above with respect to FIG. 2. It includes a processor (not shown), and a memory 400 that is organized to include a virtual memory 402 that in turn is segregated into a kernel space 404 and a user space 406. Kernel space supports an operating system kernel 408. Processes or programs 410 execute in user space 406. System calls, such as system call 412, provide the interface between the programs or processes 410 executing in user space 406 and the operating system kernel 408 executing in kernel space 404.
- a mechanism 414 is provided for spooling system call data, e.g., for data transformation such as analysis and redaction.
- the spooling mechanism 414 provides for "time-shifting" of intercepted system calls to enable a one-to-many (1 : n) or a many-to-one (n : 1) mapping of intercepted-to-real system calls.
- any action that needs to be applied on the logical boundaries of the data (instead of the physical boundaries) presented upon system call interception spools (buffers) the data before taking the action and then unspools the result when finished.
- the action may be quite varied, e.g., examining the data, redacting the data, changing the data, restricting the data, processing the data, and updating the data, among others, and it may be performed locally or remotely.
- An example embodiment of the remote processing approach is that described above with respect to FIG. 3.
- a system call 412 has an associated source, and a destination.
- the source is the original system call itself, and the destination is user space 406.
- the source is user space, and the destination is the original system call.
- the spooling mechanism 414 operates to place a "hold" on the data associated with a system call 412.
- the spooling mechanism 414 spools the data and does not return to user space before all the data has been read.
- the spooling mechanism 414 spools the data until all data that is going to be written is read from user space 406.
- holding the data in this manner enables application of a transformation to be done transparently to the user processes 410 calling the intercepted system calls.
- use of this approach enables the processing of the data and application of the transformation to be done remotely, e.g., to avoid memory restrictions and so that different sets of data can be correlated with one another.
- the spooling mechanism 414 operates by hooking a system call.
- the mechanism includes an analyzer function, as will be described below in more detail.
- the address of the spooling mechanism function is inserted in place of the address of the original function, and the address of the original function is saved by the operating system. When it is later necessary to call (return to) the original system call, the address saved during the hooking process is used.
- one or more data constructs or structures are maintained and processed by the spooling mechanism as the time shifting approach of this disclosure is carried out.
- an "original buffer" refers to the data originally passing through the operating system kernel 408 and that is discovered via one or more system calls. There may be multiple original buffers. This data is considered to pass through because, in the read sense, and from the perspective of the system call hook, the data originates from the kernel's original system call, whereas, in the write sense, the data originates from the user.
- a "changed data buffer" refers to the data from the original buffer or buffer(s) after it has had a transformation applied.
- a "remainder counter" refers to an amount of data left in the original buffer that still needs to be transferred, whether to the original system call (for a read) or to the user (for a write).
- spooling means buffering.
- data (the original buffers) is collected, concatenated together (into a working buffer), the transformation is applied, and the result stored into the changed data buffer, and the changed data buffer is then drained back (or "unspooled") to wherever the original buffers were intended to go (namely, the original system call for a read, or the user for a write).
- the data of interest is the data associated with the call.
- for a read system call (e.g., recv, read, or the like), the data is available only after the original system call is called.
- for a write system call (e.g., send, write, or the like), the data is passed in as an argument.
- the read and write system calls must be processed differently, although the general concept is similar.
- the application of the spooling/unspooling method is very similar in both cases, primarily differing in where the (1 : n) mapping (of intercepted system calls to actual system calls) occurs.
- the entire logical packet of data (e.g., a database query) needs to be collected before returning any data to the user.
- the user process calling the system call has provided a buffer to be filled with data. Because there is a need to apply a transformation to that data before the user process receives it, the read data is held until the transformation can be applied. Because there is no guarantee that the entire logical packet of data will fit within the provided buffer (nor that the transformed data will fit, either), according to this disclosure the data is saved until the entire packet of original data is received, the data sent out for analysis and modification (or other transformation), and the transformed data drained (unspooled) back to the user. To this end, and as will be described in FIG.
- this is accomplished by repeatedly calling the original system call within the intercepted system call until an analyzer function (within the spooling mechanism) has detected that the packet is complete. Then, the transformation is applied (e.g., by the analyzer) and the changed data is returned back to the intercepted system call.
- the provided buffer is filled with the transformed data and is returned to the user. If the entire transformed packet cannot fit inside the provided buffer, then the buffer is filled to capacity and subsequent system calls by the user process will not call the original system call again, instead simply filling the provided buffers with more data from the transformed packet until the entirety of the packet has been returned, at which point the cycle begins again.
- FIG. 5 illustrates this process in detail for the intercepted read system call case upon interception.
- the routine begins at step 500 by testing whether a session is unspooling. If the outcome of the test at step 500 is negative, the routine continues by analyzing the original system call at step 502. At step 504, data in the original system call is saved. A test is then executed at step 506 to determine if the data is complete. If the outcome of the test at step 506 is negative, this portion of the routine cycles back to step 502 to obtain additional data from the original system call. If, however, the outcome of the test at step 506 is positive, which indicates all the data is complete, the routine continues at step 508 to apply a data transformation.
- the nature of the transformation may be quite varied, e.g., examining, redacting, changing, restricting, processing, updating, and the like. There is no restriction on the nature and scope of the transformation, which is a known
- the routine continues at step 510 to set a remainder counter to the size of a changed data buffer.
- the routine then continues at step 512 to mark the session as unspooling.
- the routine then continues at step 514, which step is also reached if the outcome of the test at step 500 is positive.
- at step 514, as much of the remaining changed data as will fit in the original buffer is copied, and the remainder counter is decremented.
- a test is then performed at step 516 to determine whether the remainder counter is zero. If so, the session is unmarked as unspooling in step 518.
- at step 520 the routine returns to the user; this step is also reached upon a negative outcome to the test at step 516. This completes the processing of the intercepted read system call case.
- the entire logical packet of data needs to be collected before calling the original system call so that a transformation can be applied.
- the user process calling the system call has provided a buffer with data to be sent. Because there is a need to apply a transformation to that data before it is transferred, all of the original packet data needs to be collected together before the transformation can be applied. As noted above, it is possible that the packet is split across multiple system calls. It is also possible that, after the transformation is applied, the new packet will not fit in the buffer provided by the user process. As such, until the analyzer determines that an entire packet has been received, the mechanism collects the data from the user process and returns from the intercepted system call as if the data was transferred successfully.
- the analyzer then applies the transformation and sends the modified data back to the original system call (which is the call from the user process that sent the last portion of the original packet). If the new packet does not fit inside the buffer provided by the calling process, then the system call is called, repeatedly as necessary, without returning to the user until the last part of the transformed packet has been sent.
- FIG. 6 illustrates the detailed process flow for the write system call case upon interception.
- the routine begins at step 600 by saving and analyzing data.
- a test is performed to determine whether the data is complete. If the outcome of the test at step 602 is positive (data is complete), the routine continues at step 604 to unmark the session as spooling. The routine then continues at step 606 to apply a data transformation, as described above.
- the remainder counter is set to a size of the changed data buffer. The routine then continues at step 610 with as much of the remaining changed data as will fit in the original buffer being copied, and the remainder counter being decremented. After step 610, the routine returns to the original system call. This is step 612.
- a test is then performed at step 614 to determine whether the remainder counter is zero. If not, control returns to step 610. If, however, the remainder counter is zero, control returns to the user at step 616. Step 616 is also reached if the outcome of the test at step 602 is negative, in which case the session is marked as spooling in step 618 before the return to the user. This completes the processing of the intercept write system call case.
- stated another way, in the read case there is a (1 : n) mapping of intercepted-to-real system calls, wherein the single intercepted system call translates to multiple dispatched calls until the complete data set is retrieved, and the result is then returned back (across m intercepted calls) with no corresponding dispatched system call.
- in the write case there is an (n : 1) mapping of intercepted-to-real system calls, wherein n-1 intercepted calls have no corresponding dispatched call and the nth intercepted call contains the final portion of the data set, such that m dispatched calls are performed before the last intercepted call returns.
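The read-case flow (steps 500 to 520) and the 1:n-then-m mapping just described, as an added C simulation that is not part of the patent or of any Guardium code: the real read() is replaced by a constructed in-memory socket that yields 3 bytes per call, and the analyzer's completeness rule (a ';' terminator), the restriction predicate, and every function name are assumptions. Driving a 16-byte query through a 10-byte user buffer shows one intercepted read dispatching six real reads, followed by three intercepted reads that dispatch none.

```c
#include <stddef.h>
#include <string.h>
/* Constructed stand-in for the real read(): an in-memory "socket" handed out
 * 3 bytes per call, so one logical query spans several dispatched reads. */
static const char *g_stream; static size_t g_stream_left, g_real_calls;
static size_t real_read(char *buf, size_t len) {
    size_t n = g_stream_left < len ? g_stream_left : len; if (n > 3) n = 3;
    memcpy(buf, g_stream, n); g_stream += n; g_stream_left -= n; g_real_calls++;
    return n;
}
typedef struct {                        /* per-session spool state, steps 500-520 */
    int unspooling; char spool[256]; size_t spooled;        /* original packet so far */
    char changed[256]; size_t remainder; const char *next;  /* transformed, unreturned */
} session_t;
/* Analyzer (assumption): the logical packet ends at a ';' terminator. */
static int packet_complete(const session_t *s) { return s->spooled > 0 && s->spool[s->spooled - 1] == ';'; }
/* Transformation: restrict the query with a constructed predicate, after the page's 'select * from table where ...' example. */
static size_t transform(const char *in, size_t n, char *out, size_t cap) {
    static const char clause[] = " where allowed = 1;";
    if (n == 0 || in[n - 1] != ';' || n - 1 + sizeof clause > cap) return 0;
    memcpy(out, in, n - 1); memcpy(out + n - 1, clause, sizeof clause - 1);
    return n - 1 + sizeof clause - 1;
}
/* Intercepted read: n real dispatches while spooling, then m returns with none. */
static size_t intercepted_read(session_t *s, char *user_buf, size_t len) {
    size_t n;
    if (!s->unspooling) {                                  /* step 500 */
        do {                                               /* steps 502-506 */
            n = real_read(s->spool + s->spooled, sizeof s->spool - s->spooled);
            s->spooled += n;
        } while (n > 0 && !packet_complete(s));
        if (!packet_complete(s)) return 0;                 /* EOF short of the boundary */
        s->remainder = transform(s->spool, s->spooled, s->changed, sizeof s->changed);
        s->next = s->changed; s->spooled = 0; s->unspooling = 1;  /* steps 508-512 */
    }
    n = s->remainder < len ? s->remainder : len;           /* step 514 */
    memcpy(user_buf, s->next, n); s->next += n; s->remainder -= n;
    if (s->remainder == 0) s->unspooling = 0;              /* steps 516-518 */
    return n;                                              /* step 520 */
}
/* Drive one session through a user buffer of user_bufsz bytes. Returns how many
 * intercepted reads delivered data; demo_output() is what user space saw and
 * demo_real_calls_first() how many real reads the first intercepted call made. */
static char g_out[128]; static size_t g_first;
const char *demo_output(void) { return g_out; }
size_t demo_real_calls_first(void) { return g_first; }
int run_demo(const char *stream, size_t user_bufsz) {
    session_t s = {0}; char ub[64]; size_t total = 0; int calls = 0;
    g_stream = stream; g_stream_left = strlen(stream); g_real_calls = 0;
    if (user_bufsz > sizeof ub) user_bufsz = sizeof ub;
    for (;;) {
        size_t n = intercepted_read(&s, ub, user_bufsz);
        if (calls == 0) g_first = g_real_calls;
        if (n == 0 || total + n >= sizeof g_out) break;
        memcpy(g_out + total, ub, n); total += n; calls++;
    }
    g_out[total] = '\0';
    return calls;
}
```

The write case mirrors this state machine with the roles reversed: intercepted writes are spooled without dispatch until the analyzer sees the boundary, and the last one dispatches the real write as many times as the transformed packet needs.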
- the spooling mechanism is a time-shifting device for intercepted system calls, with an optional modification to the original data sent and received.
- the amount of data intercepted encompasses the entire logical packet. For example, when intercepting TCP traffic for a database, a single query could be split up across multiple calls to read.
- one application of this data correlation is protection of a host database against unauthorized access.
- the transformation is used to protect data elements that would otherwise be difficult or impossible to secure using standard access controls. For example, by correlating the data, a user's entire session with the database could be watched by following it from open to close. This authorized user may require access to tables that contain data subsets that they are not authorized to view or modify.
- the protected data can be secured automatically (e.g., instead of 'select * from table', 'select * from table where ...').
- the LDACS solution enables the provision of a separate collector/analyzer for processing the data and relaying that information back to the system call. Because this process needs to be transparent to the user, the technique of this disclosure is then used to "pause" the original system call(s) until the processing is completed.
- the mechanism described here is useful for more than redaction of database queries. This could be useful for firewalling data based on the contents of the data, selective auditing, or the like. More generally, the approach may be used to facilitate any transform that needs to be applied on the logical boundaries of the data (instead of the physical boundaries) presented with system call interception and wherein there is a need to spool the data before applying the transformation (and then to unspool the result when finished).
- the technique herein provides many advantages. By creating the one-to-many (multiplexed) mapping of intercepted to real system calls, transformations can be applied more effectively, even though the intercepted data would otherwise span more than a single system call.
- in the (1 : n) mapping of the read case, the real system call is re-called as many times as may be necessary before returning to user space.
- the technique reads until the entire packet is collected, the transformation is then applied, and the modified data (including a modified packet header) is then returned to user space.
- the spooling mechanism functionality described above may be implemented as a kernel modification, as a standalone approach, or some combination thereof.
- the transformation may be implemented as a software-based function executed by a processor, or it may be available as a managed service (including as a web service via a SOAP/XML interface).
- a representative LDACS solution in which the approach may be used is IBM ® InfoSphere ® Guardium (IBM, InfoSphere and Guardium are registered trademarks of International Business Machines Corporation) Version 8.0.
- This solution comprises a scalable architecture and includes collector, aggregator and central management appliances, as well as software tap (S-Tap) agents installed on the database servers, and kernel tap (K-Tap) agents installed in association with the kernel.
- the S-Tap (software tap) and K-Tap (kernel tap) agents divide the work: the K-Tap collects the data, and the S-Tap transports the collected data to the point at which the transformation is applied (and receives the result).
- computing devices within the context of the disclosed invention are each a data processing system (such as shown in FIG. 2) comprising hardware and software, and these entities communicate with one another over a network, such as the Internet, an intranet, an extranet, a private network, or any other communications medium or link.
- the applications on the data processing system provide native support for Web and other known services and protocols including, without limitation, support for HTTP, FTP, SMTP, SOAP, XML, WSDL, UDDI, and WSFL, among others.
- the scheme described herein may be implemented in or in conjunction with various server-side architectures including simple n-tier architectures, web portals, federated systems, and the like. As noted, the techniques herein may be practiced in a loosely-coupled server (including a "cloud"-based) environment.
- the security server itself (or functions thereof, such as the monitor process) may be hosted in the cloud.
- the subject matter described herein can take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment containing both hardware and software elements.
- the function is implemented in software, which includes but is not limited to firmware, resident software, microcode, and the like.
- the analytics engine functionality can take the form of a computer program product accessible from a computer-usable or computer-readable medium providing program code for use by or in connection with a computer or any instruction execution system.
- a computer-usable or computer readable medium can be any apparatus that can contain or store the program for use by or in connection with the instruction execution system, apparatus, or device.
- the medium can be an electronic, magnetic, optical, electromagnetic, infrared, or a semiconductor system (or apparatus or device).
- Examples of a computer-readable medium include a semiconductor or solid state memory, magnetic tape, a removable computer diskette, a random access memory (RAM), a read-only memory (ROM), a rigid magnetic disk and an optical disk.
- Current examples of optical disks include compact disk - read only memory (CD-ROM), compact disk - read/write (CD-R/W) and DVD.
- the computer-readable medium is a tangible item.
- the computer program product may be a product having program instructions (or program code) to implement one or more of the described functions. Those instructions or code may be stored in a computer readable storage medium in a data processing system after being downloaded over a network from a remote data processing system. Or, those instructions or code may be stored in a computer readable storage medium in a server data processing system and adapted to be downloaded over a network to a remote data processing system for use in a computer readable storage medium within the remote system.
- the spooling mechanism components are implemented in a special purpose computer, preferably in software executed by one or more processors. The software is maintained in one or more data stores or memories associated with the one or more processors, and the software may be implemented as one or more computer programs. Collectively, and in one embodiment, this special-purpose hardware and software comprises the spooling mechanism described above.
- server-set session management data might be re-used (either by an original user in a different session, or by another user) through the same client browser.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE112014001949.6T DE112014001949T5 (en) | 2013-04-10 | 2014-03-11 | Spooling on system call data to allow for data transformation |
CN201480020417.2A CN105103159B (en) | 2013-04-10 | 2014-03-11 | The method, apparatus and computer storage media called for processing system |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/860,000 US9069628B2 (en) | 2013-04-10 | 2013-04-10 | Spooling system call data to facilitate data transformation |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2014167430A1 true WO2014167430A1 (en) | 2014-10-16 |
Family
ID=51687719
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/IB2014/059621 WO2014167430A1 (en) | 2013-04-10 | 2014-03-11 | Spooling system call data to facilitate data transformation |
Country Status (4)
Country | Link |
---|---|
US (1) | US9069628B2 (en) |
CN (1) | CN105103159B (en) |
DE (1) | DE112014001949T5 (en) |
WO (1) | WO2014167430A1 (en) |
- 2013
- 2013-04-10 US US13/860,000 patent/US9069628B2/en not_active Expired - Fee Related
- 2014
- 2014-03-11 CN CN201480020417.2A patent/CN105103159B/en not_active Expired - Fee Related
- 2014-03-11 WO PCT/IB2014/059621 patent/WO2014167430A1/en active Application Filing
- 2014-03-11 DE DE112014001949.6T patent/DE112014001949T5/en not_active Withdrawn
Also Published As
Publication number | Publication date |
---|---|
US9069628B2 (en) | 2015-06-30 |
DE112014001949T5 (en) | 2015-12-31 |
US20140310727A1 (en) | 2014-10-16 |
CN105103159A (en) | 2015-11-25 |
CN105103159B (en) | 2018-06-26 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| WWE | Wipo information: entry into national phase | Ref document number: 201480020417.2; Country of ref document: CN |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 14782925; Country of ref document: EP; Kind code of ref document: A1 |
| WWE | Wipo information: entry into national phase | Ref document number: 112014001949; Country of ref document: DE; Ref document number: 1120140019496; Country of ref document: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 14782925; Country of ref document: EP; Kind code of ref document: A1 |