US 7,437,362 B1

(12) United States Patent
Ben-Natan

(10) Patent No.: US 7,437,362 B1
(45) Date of Patent: Oct. 14, 2008

(54) SYSTEM AND METHODS FOR NONINTRUSIVE DATABASE SECURITY

(75) Inventor: Ron Ben-Natan, Lexington, MA (US)

(73) Assignee: Guardium, Inc., Waltham, MA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 337 days.

(21) Appl. No.: 10/723,521

(22) Filed: Nov. 26, 2003

(51) Int. Cl.
    G06F 7/00 (2006.01)
    G06F 17/30 (2006.01)
(52) U.S. Cl. 707/9; 707/3; 707/6
(58) Field of Classification Search 707/2, 707/9; 709/223
    See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS

4,451,916 A        5/1984   Casper et al.         370/16
6,085,191 A *      7/2000   Fisher et al.         707/9
6,205,475 B1       3/2001   Pitts                 709/218
6,332,163 B1      12/2001   Bowman-Amuah          709/231
6,366,952 B2       4/2002   Pitts                 709/217
6,505,241 B2       1/2003   Pitts                 709/218
6,529,948 B1       3/2003   Bowman-Amuah          709/217
6,539,396 B1       3/2003   Bowman-Amuah          707/103 R
6,550,057 B1       4/2003   Bowman-Amuah          717/126
6,578,068 B1       6/2003   Bowman-Amuah          709/203
6,581,052 B1 *     6/2003   Slutz                 707/2
6,601,192 B1       7/2003   Bowman-Amuah          714/38
6,606,660 B1       8/2003   Bowman-Amuah          709/227
6,615,253 B1       9/2003   Bowman-Amuah          709/219
6,636,585 B2      10/2003   Salzberg et al.       379/22
6,678,355 B2       1/2004   Eringis et al.        379/22
6,820,082 B1 *    11/2004   Cook et al.           707/9
7,043,541 B1 *     5/2006   Bechtolsheim et al.   709/223
2002/0078384 A1 *  6/2002   Hippelainen           713/201

* cited by examiner

Primary Examiner: Etienne P LeRoux
Assistant Examiner: Paul Kim
(74) Attorney, Agent, or Firm: Chapin IP Law, LLC

(57) ABSTRACT

Typical conventional database security scheme mechanisms are integrated in either the application or the database. Maintenance of the security scheme, such as changes and modifications, therefore imposes changes to the application and/or database. Configurations of the invention employ a security filter for intercepting database streams, such as data access transactions, between an application and a data repository, such as a relational database. A security filter deployed between the application and database inspects the stream of transactions between the application and the database. The security filter, by nonintrusively interrogating the transactions, provides a content-aware capability for seamlessly and nondestructively enforcing data level security. A security policy, codifying security requirements for the users and tables of the database, employs rules concerning restricted data items. The filter intercepts transactions and determines if the transaction triggers rules of the security policy. If the transactions contain restricted data items, the security filter modifies the transaction to eliminate the restricted data items.

42 Claims, 12 Drawing Sheets

Representative drawing (front page; abridged from Fig. 4):

200: Intercept, in a nonintrusive manner, a data access transaction between a user application and a data repository having data items.
203: Determine if the intercepted data access transaction corresponds to a security policy, the security policy indicative of restricted data items in the data repository to which the user application is prohibited access.
204: Security policy has rules, each of the rules including an object, a selection criteria and an action, the action indicative of the restricted data items. (Branches: ALLOW, DENY, MODIFY.)
208: Identify data items corresponding to the attributes, each of the attributes associated with an operator and an operand.
209: Apply an operator specified for the data item to the operand specified for the data item.

FireEye - Exhibit 1012 Page 1

Fig. 1 (Sheet 1 of 12): block diagram of the data storage and retrieval environment with the security filter between the application and the data repository. Labels recoverable from the drawing: application, security policy, data access transaction, access transaction result data; reference numerals 10, 12, 14, 16, 20, 22, 30, 32.

Fig. 2 (Sheet 2 of 12): flowchart.

100: Intercept, in a nonintrusive manner, a data access transaction between a user application and a data repository having data items.
101: Nonintrusive manner is undetectable to the user application and undetectable to the data repository.
102: Determine if the intercepted data access transaction corresponds to a security policy, the security policy indicative of restricted data items in the data repository to which the user application is prohibited access.
103: Limit, based on the security policy, the data access transaction.
104: Modify the data access transaction such that data indications in the data access transaction corresponding to restricted data items, according to the security policy, are eliminated from the resulting data access transaction.

Fig. 3 (Sheet 3 of 12): block diagram of the security filter's interceptor in the data path between the application and the server. Labels recoverable from the drawing: application, interceptor, server, data access statement, resulting data access statement, data query response, resulting data query response; reference numerals 10, 12, 14, 16, 20, 22, 40, 46, 53A..53N, 54, 55B, 56A..56N, 57A, 60.

Fig. 4 (Sheet 4 of 12): flowchart.

200: Intercept, in a nonintrusive manner, a data access transaction between a user application and a data repository having data items.
202: Establish a proxy to the data repository on behalf of the user.
203: Determine if the intercepted data access transaction corresponds to a security policy, the security policy indicative of restricted data items in the data repository to which the user application is prohibited access.
204: Security policy has rules, each of the rules including an object, a selection criteria and an action, the action indicative of the restricted data items.
206 (ALLOW branch): Allow access.
207 (DENY branch): Deny access.
208 (MODIFY branch): Identify data items corresponding to the attributes, each of the attributes associated with an operator and an operand.
209: Apply an operator specified for the data item to the operand specified for the data item.

Fig. 5 (Sheet 5 of 12): flowchart, continued.

210: Determine, as a result of applying the operator, whether to eliminate the identified data item.
211: Limit, based on the security policy, the data access transaction.
212: Modify the data access transaction such that data indications in the data access transaction corresponding to restricted data items, according to the security policy, are eliminated from the resulting data access transaction.
213: Data indications are references to data items in the data repository, and limiting further includes qualifying the references to generate a modified request indicative of unrestricted data items, such that successive retrieval operations employing the qualified references do not retrieve restricted data items.
214: Data access transaction is a data access statement, and limiting further comprises identifying at least one rule, according to the security policy, corresponding to the data access statement, the identified rule restricting access to at least one of the data items indicated by the data access statement.

Fig. 6 (Sheet 6 of 12): flowchart, continued.

215: Concatenate selection qualifiers to the data access statement corresponding to the identified rule, the selection qualifiers operable to omit the restricted data items from the qualified references of the data access statement.
216: Receive an SQL query, and limiting includes appending conditional selection statements to the SQL query, the conditional selection statements computed from the security policy, to generate the resulting data access transaction.
217: Build a parse tree corresponding to the SQL query.
218: Add nodes in the parse tree corresponding to the appended conditional selection statements.
219: Reprocess the parse tree to generate the resulting data access transaction.

Fig. 7 (Sheet 7 of 12): flowchart, continued.

220: Receive a set of packets, the packets encapsulating the data access transaction according to layered protocols.
221: Proxy or direct?
222 (DIRECT branch): Generate the resulting data access transaction preserving the encapsulating layered protocol associating the packets, without employing a proxy for regenerating the sequence of packets.
223: Interrogate and modify the packets in a nondestructive manner with respect to the layered protocols.
224: Pad the packets for accommodating elimination of the restricted data items to generate the resulting data access transaction.
225 (PROXY branch): Receive data access transaction stream via proxy and regenerate data access result.
226: Forward generated resulting database access transaction stream via user login.
227: Transmit resulting data access transaction.

Fig. 8 (Sheet 8 of 12): flowchart.

300: Intercept, in a nonintrusive manner, a data access transaction between a user application and a data repository having data items.
301: Establish a proxy to the data repository on behalf of the user.
302: Receive the data access transaction as a row set under the proxy.
303: Regenerate the resulting data access transaction as a reduced row set having a subset of the rows from the proxy row set.
304: Determine if the intercepted data access transaction corresponds to a security policy, the security policy indicative of restricted data items in the data repository to which the user application is prohibited access.
305: Security policy has rules, each of the rules including an object, a selection criteria and an action, the action indicative of the restricted data items.
306: Actions are selectively indicative of modifications, the modifications further comprising attributes, operators, and operands, the limiting further comprising identifying data items corresponding to the attributes, each of the attributes associated with an operator and an operand.

Fig. 9 (Sheet 9 of 12): flowchart, continued.

307: For each row in the row set:
308: Apply an operator specified for the data item to the operand specified for the data item.
309: Determine, as a result of applying the operator, whether to eliminate the identified data item.
311: Identify limitations, based on the security policy, for the data access transaction.
312: Modify the data access transaction such that data indications in the data access transaction corresponding to restricted data items, according to the security policy, are eliminated from the resulting data access transaction.
313: Intercept the data query response from the data repository as the data access transaction, the data query response encapsulated as a row set having rows from a relational database query.

Fig. 10 (Sheet 10 of 12): flowchart, continued.

315: Data indications are rows of data retrieved from the data repository, and limiting includes identifying rows having restricted data items.
316: Eliminate the identified rows from the data item transaction such that the resulting data access transaction is a modified query response including rows without restricted data items.
317: Data access transaction is a data query response including a row set, and limiting further comprises comparing each of the rows in the row set to the rules of the security policy.
318: Selectively eliminate rows in the row set including the restricted data items, based on the comparing, to generate a modified query response including a filtered row set.
319: Transmit the reduced row set to the user on behalf of the proxy.

Fig. 11 (Sheet 11 of 12): security policy table (reference numerals 152, 152C, 153, 156A, 158B, 158C). Columns: TIME, ACTION, MODS, CMD, OBJECT, IPADR, APP, USER, DB. Cell values recoverable from the drawing: users U1, U2, U3 and GUEST; object CONTACT; command SELECT; IP address 192.168.0.0; actions ALLOW, DENY and MODIFY A1; wildcard entries (*).

Fig. 12 (reference numeral 160): example CONTACT table.

ID  NAME      STATE  PHONE     REGION
1   Olsen     MA     555-1111  NE
2   Edison    RI     555-2222  NE
3   Tesla     FL     555-3333  SE
4   Ford      NY     555-4444  NE
5   Carnegie  NY     555-5555  NE
6   Gates     CA     555-6666  SW

Fig. 13: modification table. Columns: CONDITION, ATTRIBUTE, OPERAND, VALUE. Entries: conditions A1 and AN; attributes REGION and STATE; operands IN and NOT IN; values "SW" and "MA", "RI".

Fig. 14A (reference numerals 158, 174) and Fig. 14B (reference numerals 158', 190) (Sheet 12 of 12): parse tree diagrams.

US 7,437,362 B1

SYSTEM AND METHODS FOR NONINTRUSIVE DATABASE SECURITY

BACKGROUND OF THE INVENTION

Conventional applications in a data storage and retrieval environment typically operate with a data repository, such as a database, via a set of connections, or logical access streams, from the applications running in a user space into the database. A user application employs a stream from among the available connections to perform data storage and retrieval operations. The connections, therefore, provide a mechanism for multiple users to access the conventional database via a suite of user applications or clients which the database supports.

In a conventional data storage and retrieval environment, a conventional user application accesses the data repository for various data storage and retrieval operations. Such conventional data manipulation operations typically occur via a database management application accessible to the user application via an Application Programming Interface (API) or other conventional access method. Often, in such a conventional data storage and retrieval environment, many users share access to the data objects, typically relational database tables, in the conventional data repository. Usually, it is neither necessary nor desirable for every conventional user to have unlimited access to every data object, or table, in the data repository. Accordingly, conventional database driven storage and retrieval environments attempt to limit or restrict access to certain data objects to a particular user or users.

Conventional database security techniques operate by associating database users with accessible data items. Accesses to the database cause the database server application to invoke a check of the associations with the purported access, to determine if the user is allowed to access the requested data items. The database manager or other security mechanism implementing the security techniques either allows or denies access accordingly.

SUMMARY

Often, however, such conventional database access control techniques may lack granularity, such as defining users in terms of groups and defining the database according to global portions, such as groups of tables, for example. It may become problematic to distinguish individual users and individual tables or sets in terms of a desirable or optimal security framework. Further, modifications to the conventional database security scheme, such as for accommodating new users, applications, or access privileges, typically involve changes to either the conventional user or client application or database server application, or both.

In a conventional data storage and retrieval environment, a security mechanism typically takes the form of either an access control list (ACL) or a data level (DL) security mechanism. The former strives to define pieces through which a user accesses the functionality for retrieving the data, and therefore designates which components of an application a user may employ. The latter approach, on the contrary, defines which data is visible to a particular user at the database, regardless of where the request emanates. The DL approach, therefore, allows a particular user to only "see" portions of the database permissible for access by the user.

The conventional access control list allows manipulation of database security with reference to the access control list via the application. Changes to the security scheme mandate changes to the application. Conversely, the conventional data level security mechanism implements security scheme changes via the database. The database, or more specifically, the database management system (DBMS) or server responsible for coordinating such access, enables a particular user to access certain database portions, typically tables, fields or rows. Changes to the security scheme involve modifications to the access rights to database tables, thus requiring changes to the database. Further, conventional DBMSs typically employ a database login corresponding to an application, not to a user invoking the application. Therefore, the user does not directly log in to the database. In typical conventional applications, many users invoke the same application, and accordingly, pursue the same application level login to the database. Granularity of control is therefore difficult to modify in conventional database security approaches.

Therefore, such conventional approaches to database security involve changes to either the client application or to the database server in order to effect security scheme changes. Embodiments of the invention, therefore, provide a system and method to implement data level security between the application and the database. Such data level security of the invention implements a security policy independently of the application and the database, and therefore relieves the developer and implementer from modifying either the application or the database to reflect the security mechanism. Embodiments of the invention scrutinize and modify database communications, such as a transaction stream, between the application and the database to remove references or add constraints on access to sensitive or restricted data items.

Embodiments of the invention are based, in part, on the observation that typical conventional database security scheme mechanisms are integrated in either the application or the database. Maintenance of the security scheme, such as changes and modifications to accessibility options, requires changes to the application and/or database. Further, since the conventional security scheme is embedded in the application or the database, integrity of the conventional security scheme assumes accurate enumeration of each potential stream (access path) from the application into the database. Much like the weakest link of a chain, overlooking an application access stream may impose vulnerability on the conventional security scheme.

Embodiments of the invention, such as the exemplary configurations and segregation of duties depicted in further detail below, substantially overcome the deficiencies outlined above with respect to data level security in data management and retrieval environments, such as relational database management systems. Particular configurations of the invention employ a security filter for intercepting database streams, such as data access transactions, between an application and a data repository, such as a relational database. Such an implementation deploys a security filter between the application and database, and observes, or "sniffs", the stream of transactions between the application and the database. The exemplary security filter, by interrogating the transactions, provides a content-aware capability for seamlessly and nondestructively enforcing data level security.

A security policy, codifying security requirements between the users and the tables of the database, employs a plurality of rules concerning restricted and allowable data items. The security filter intercepts data access transactions and determines if the transaction triggers the rules of the security policy. If the "sniffed" transactions indicate restricted data items, the security filter modifies the transaction to eliminate only the restricted data items, and otherwise allows the transaction to pass with the benign data items. The modified transaction is receivable by the application or the

database by the same functions and methods which would have received the unmodified, unfiltered transaction stream, therefore allowing processing to continue unhindered by the security filter.

The data access transaction, or transaction stream, may be either a data request from the application to the database, or a response from the database to the application. The security filter modifies a request by analyzing a query syntax conveyed in the transaction, such as a SQL (Structured Query Language) operation, and determining additional SQL qualifiers to eliminate restricted data items from the data items purported to be retrieved by the transaction. The security filter modifies a response by analyzing data already retrieved, such as a row set corresponding to an SQL query, and identifying rows including restricted data items. The security filter eliminates the rows having the restricted data items, and rebuilds the row set with a subset of only benign rows having unrestricted data items. The security filter then transports the filtered transaction to the user as the query response. Therefore, the security filter provides data level security without changes to the applications or database (data schemas) by intercepting database requests and/or responses and modifying the transaction streams accordingly.

In further detail, the system of the present invention teaches a method of security enforcement for a persistent data repository, such as a relational database, which intercepts a data access transaction between a user application and a data repository having a plurality of data items, i.e. tables (objects) containing rows of attributes. The security filter intercepts the data access transaction in a nonintrusive manner to determine if the intercepted data access transaction corresponds to the security policy. The nonintrusive manner of interception is undetectable to both the user application and the data repository. The predefined security policy is indicative of restricted data items in the data repository to which the user/application is prohibited access. Based on the security policy, the security filter limits the data access transaction by modifying the data access transaction according to the security policy, such that data indications (i.e. retrieved fields and/or query values) in the data access transaction, corresponding to restricted data items, are modified or eliminated in the resulting data access transaction.

The security policy employed for filtering the transactions has rules, in which each of the rules includes an object, a selection criteria of attributes, and an action indicative of the disposition of data items in the transaction. The actions are selectively indicative of modifications to the data access transaction, in which the modifications further include attributes, operators, and operands, such that limiting involves identifying data items corresponding to the attributes, in which the attributes are each associated with an operator and an operand. By applying an operator specified for a particular data item to the operand specified for the data item, in relation to the data item sought, the security filter determines, as a result of applying the operator, whether to eliminate the identified data item.

The data access transaction may, in a particular configuration, be a data access statement operative to request data, in which limiting the transaction further includes identifying at least one rule, according to the security policy, corresponding to the data access statement. The identified rule purports to restrict access to the data items indicated by the data access statement by concatenating selection qualifiers to the data access statement which triggers the identified rule. The selection qualifiers are therefore operable to omit the restricted data items from the data access statement.

Modification of a request in which the data indications in the data access transactions are references to data items in the data repository involves limiting the request (transaction) by qualifying the references to generate a modified request indicative of only the unrestricted data items. The modified request is such that successive retrieval operations employing the qualified references do not retrieve restricted data items.

In a particular arrangement, intercepting the data access statement includes receiving an SQL query and limiting the SQL query by appending conditional selection statements to the SQL query, in which the limiter computes conditional selection statements, derived from the security policy, to generate the resulting data access transaction. The modification of the SQL query involves manipulating a parse tree representation of the query, rather than modifying a text string representation, by building a parse tree corresponding to the SQL query. The limiter then adds nodes in the parse tree corresponding to the appended conditional selection statements, and reprocesses the parse tree to generate the resulting data access transaction as a modified parse tree operable to eliminate the restricted data items in the query.

The data access transaction may also be, in another arrangement, a response, in which the data indications are rows of data (i.e. row set) retrieved from the data repository. In the case of such a response, limiting further includes identifying rows having restricted data items, and eliminating the identified rows from the data access transaction such that the resulting data access transaction is a modified data query response including rows without restricted data items. In the aforementioned arrangement in which the data access transaction is a data query response including a row set, limiting further involves comparing each of the rows in the row set to the rules of the security policy, and selectively eliminating rows in the row set including the restricted data items, based on the comparing, to generate a modified query response including a filtered row set. Thus, the data query response modifications occur on whole rows of the row set embodied in the query response.
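As an added illustration (not code from the patent or from Guardium), the Python below models both limiting paths described above on the CONTACT table of Fig. 12: a MODIFY rule whose attribute/operator/operand triples become qualifier nodes appended to a minimal parse tree and reprocessed into SQL (request path, steps 216-219), and the same rule applied row by row to a returned row set (response path, steps 317-318). The policy contents, the `Query` tree, the regex-based `parse` for simple single-table SELECTs, the in-memory SQLite copy of the table and the default-deny behaviour when no rule matches are all assumptions of this example.

```python
import re
import sqlite3
from typing import NamedTuple

# CONTACT table reconstructed from the example data of Fig. 12 in the patent.
COLUMNS = ("ID", "NAME", "STATE", "PHONE", "REGION")
CONTACT_ROWS = [
    (1, "Olsen", "MA", "555-1111", "NE"), (2, "Edison", "RI", "555-2222", "NE"),
    (3, "Tesla", "FL", "555-3333", "SE"), (4, "Ford", "NY", "555-4444", "NE"),
    (5, "Carnegie", "NY", "555-5555", "NE"), (6, "Gates", "CA", "555-6666", "SW"),
]

class Modification(NamedTuple):   # attribute/operator/operand triple of a MODIFY action (cf. Fig. 13)
    attribute: str
    operator: str                 # "IN" or "NOT IN", the two operators shown in Fig. 13
    operand: tuple                # values the operator is applied against

class Rule(NamedTuple):           # object, selection criteria (user, command) and an action
    user: str                     # "*" matches any user
    obj: str
    cmd: str
    action: str                   # "ALLOW", "DENY" or "MODIFY"
    mods: tuple = ()

# Constructed policy (an assumption of this example): GUEST may read CONTACT, but never
# MA/RI rows and only rows in the NE or SW region; every other user is allowed through.
POLICY = (
    Rule("GUEST", "CONTACT", "SELECT", "MODIFY", (
        Modification("STATE", "NOT IN", ("MA", "RI")),
        Modification("REGION", "IN", ("SW", "NE")),
    )),
    Rule("*", "CONTACT", "SELECT", "ALLOW"),
)

class Query(NamedTuple):          # minimal parse tree: SELECT <columns> FROM <table> [WHERE <where>]
    columns: str
    table: str
    where: list                   # conjunction of predicate nodes (strings)

_SELECT = re.compile(r"\s*SELECT\s+(.+?)\s+FROM\s+(\w+)(?:\s+WHERE\s+(.+?))?\s*;?\s*", re.I | re.S)

def parse(sql):
    """Build the parse tree (step 217); only simple single-table SELECTs are handled."""
    m = _SELECT.fullmatch(sql)
    if m is None:
        raise ValueError("unsupported statement: " + sql)
    return Query(m[1].strip(), m[2].upper(), [m[3].strip()] if m[3] else [])

def unparse(q):
    """Reprocess the tree into SQL (step 219); every node is parenthesised so an appended
    qualifier cannot be absorbed by an OR inside the user's own WHERE clause."""
    sql = f"SELECT {q.columns} FROM {q.table}"
    if q.where:
        sql += " WHERE " + " AND ".join(f"({p})" for p in q.where)
    return sql

def match_rule(policy, user, cmd, obj):
    """First rule whose selection criteria match the user, command and object."""
    for rule in policy:
        if rule.user in ("*", user) and rule.cmd == cmd and rule.obj == obj:
            return rule
    return None

def qualifier(mod):
    """Selection qualifier for one modification; operand values become quoted SQL literals."""
    lits = ", ".join("'" + str(v).replace("'", "''") + "'" for v in mod.operand)
    return f"{mod.attribute} {mod.operator} ({lits})"

def limit_request(policy, user, sql):
    """Request path (steps 216-219): append qualifier nodes to the parse tree."""
    q = parse(sql)
    rule = match_rule(policy, user, "SELECT", q.table)
    if rule is None or rule.action == "DENY":   # no matching rule: deny (assumption of this example)
        raise PermissionError(f"{user}: access to {q.table} denied")
    if rule.action == "MODIFY":
        q.where.extend(qualifier(m) for m in rule.mods)
    return unparse(q)

def row_allowed(row, mods):
    """Apply each operator to its operand for one row (steps 308-309)."""
    for m in mods:
        if (row[COLUMNS.index(m.attribute)] in m.operand) != (m.operator == "IN"):
            return False
    return True

def limit_response(policy, user, table, rows):
    """Response path (steps 317-318): drop rows carrying restricted data items."""
    rule = match_rule(policy, user, "SELECT", table)
    if rule is None or rule.action == "DENY":
        return []
    if rule.action == "ALLOW":
        return list(rows)
    return [r for r in rows if row_allowed(r, rule.mods)]   # rows must carry the policy attributes

def run(sql):
    """Execute a statement against an in-memory copy of the CONTACT table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE CONTACT (ID INTEGER, NAME TEXT, STATE TEXT, PHONE TEXT, REGION TEXT)")
    con.executemany("INSERT INTO CONTACT VALUES (?, ?, ?, ?, ?)", CONTACT_ROWS)
    return con.execute(sql).fetchall()
```

For GUEST both paths yield the same three rows (Ford, Carnegie, Gates), but the response path can only evaluate attributes that are actually present in the returned row set, which is why it is applied here to full CONTACT rows and not to a projection such as `SELECT NAME`.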
The above described limitation operation may occur via either a proxy setup and regeneration of a login stream, or by nonintrusive direct modification of the stream. In the case of a proxy login, intercepting the data access transaction involves first establishing a proxy to the data repository on behalf of the user, and receiving the data access transaction as a row set under the proxy, thus terminating the user login connection and initiating the proxy login connection. Limiting then involves regenerating the resulting data access transaction as a reduced row set having a subset of the rows from the proxy row set, and transmitting the reduced row set to the user on behalf of the proxy.

In the non-proxy, or direct modification, configuration, limiting the data access transaction further includes receiving a set of packets, in which the packets encapsulate the data access transaction according to layered protocols. The interrogation and modification of the packets occurs in a nondestructive manner with respect to the layered protocols. The security filter pads the packets for accommodating elimination of the restricted data items to generate the resulting data access transaction. Therefore, the generation of the resulting data access transaction preserves the encapsulating layered protocol associating the packets, and does so without employing a proxy for regenerating the sequence of packets.

The security filter embodying the system of the present invention performs the intercepting in a data path between a source of the data access transaction and a destination of the resulting data access transaction, such that limiting occurs in a component separate from the source and destination, therefore relieving the requesting application and the database from the burden of modification. The nonintrusive manner of the security filter is such that the intercepting and limiting occurs undetectably to both the source and the destination. Therefore, the requesting application and the receiving database operate on the SQL request or row set response expected in the absence of the security filter. Further, the component embodying the security filter may be separate from the source and destination, in a separate network device from the components corresponding to the source and destination (i.e. application and database).

In another arrangement, the system of the present invention teaches a method for nonintrusive implementation of data level security enforcement by defining a security policy having rules, in which the rules further specify attributes and conditions, as in a typical SQL query. In this configuration, the interceptor in the security filter intercepts a data retrieval request, and compares the data retrieval request to the security policy. The interceptor determines if the data retrieval request corresponds to at least one of the rules of the security policy, and identifies, via a parse tree, selectivity operators indicative of the allowable data items to be retrieved. The limiter then modifies the parse tree according to the corresponding rule to generate a modified data retrieval request, and forwards the modified data retrieval request to the data repository for subsequent retrieval and transport to the requesting user.

The invention as disclosed above is described as implemented on a computer having a processor, memory, and interface operable for performing the steps and methods for providing nonintrusive database security as disclosed herein. Other embodiments of the invention include a computerized device such as a computer system, central processing unit, microprocessor, controller, electronic circuit, application-specific integrated circuit, or other hardware device configured to process all of the method operations disclosed herein as embodiments of the invention. In such embodiments, the computerize