(12) United States Patent
Oe et al.

(10) Patent No.: US 7,607,131 B2
(45) Date of Patent: Oct. 20, 2009

(54) INFORMATION PROCESSING METHOD, APPARATUS, AND SYSTEM FOR CONTROLLING COMPUTER RESOURCES, CONTROL METHOD THEREFOR, STORAGE MEDIUM, AND PROGRAM

(75) Inventors: Naoyuki Oe, Tokyo (JP); Takahiro Shima, Tokyo (JP)

(73) Assignee: Humming Heads, Inc., Tokyo (JP)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 221 days.

(21) Appl. No.: 09/988,106

(22) Filed: Nov. 19, 2001

(65) Prior Publication Data
US 2002/0099837 A1, Jul. 25, 2002

(30) Foreign Application Priority Data
Nov. 20, 2000 (JP) 2000-352113
Apr. 23, 2001 (JP) 2001-161403
May 22, 2001 (JP) 2001-190445
Oct. 19, 2001 (JP) 2001-322437

(51) Int. Cl.
G06F 9/46 (2006.01)
G06F 15/16 (2006.01)
G06F 7/04 (2006.01)
G06F 17/30 (2006.01)
H04N 7/16 (2006.01)

(52) U.S. Cl.: 718/102; 709/229; 726/27

(58) Field of Classification Search: 709/225, 709/229, 216; 707/9; 718/105, 102; 726/27, 726/29
See application file for complete search history.

Primary Examiner: Larry D Donaghue
Assistant Examiner: Brian J Gillis
(74) Attorney, Agent, or Firm: Fitzpatrick, Cella, Harper & Scinto

(57) ABSTRACT

An operation request from a process or OS for computer resource(s) managed by the OS, such as a file, network, storage device, display screen, or external device, is trapped before access to the computer resource. It is determined whether an access right for the computer resource designated by the trapped operation request is present. If the access right is present, the operation request is transferred to the operating system, and a result from the OS is returned to the request source process. If no access right is present, the operation request is denied, or the request is granted by charging in accordance with the contents of the computer resource.

32 Claims, 21 Drawing Sheets

[Drawing sheets 1 to 21: images not reproduced. Recoverable captions and labels follow.]

Sheet 1 of 21: FIG. 1A. Labels: DISPLAY, EXTERNAL, PC (reference numerals 1013, 1014, 1015).
Sheet 2 of 21: Labels: OS FUNCTION OPERATION (E.G., SCREEN CAPTURE); ACCESS CONTROL CTRL; ACCESS RIGHT MANAGEMENT TABLE; OS MONITOR CTRL; RESOURCES MANAGED BY OS (E.G., FILE, NETWORK DATA, DISPLAY, AND EXTERNAL DEVICE); GENERAL-PURPOSE OS (reference numerals 2033, 2034, 2035).
Sheet 3 of 21: Rotated drawing; text not recoverable.
Sheet 4 of 21: FIG. 4, FIRST BASIC MODE OF API MONITOR/CONTROL. Labels: CHECK WHETHER ACCESS RIGHT IS PRESENT; WHEN ACCESS RIGHT IS PRESENT; API PROCESSING PROPER TO OS; WHEN API IS SUCCESSFULLY DONE, REGISTER INFORMATION REPRESENTING THAT APPLICATION IS HOLDING RESOURCE; REQUEST RELEASE OF HELD RESOURCE; WHEN API IS SUCCESSFULLY EXECUTED, CANCEL INFORMATION REPRESENTING THAT APPLICATION IS HOLDING RESOURCE; DIRECTLY RETURN API RESULT FROM OS.
Sheet 5 of 21: FIG. 5, SECOND BASIC MODE OF API MONITOR/CONTROL. Labels: ACCESS REQUEST TO TARGET RESOURCE; CHECK WHETHER ACCESS RIGHT IS PRESENT; WHEN NO ACCESS RIGHT IS PRESENT; RETURN ACCESS VIOLATION ERROR OR SUCCESS; WHEN NO ACCESS RIGHT IS PRESENT, AND APPLICATION DOES NOT COPE WITH ACCESS VIOLATION ERROR; ACCESS REQUEST TO DUMMY RESOURCE; API PROCESSING PROPER TO OS FOR DUMMY RESOURCE; DIRECTLY RETURN API RESULT FROM OS.
Sheet 6 of 21: FIG. 6. Labels: ANNOUNCE PROGRAM; RESOURCE MANAGEMENT PROGRAM; LOG MANAGEMENT PROGRAM (reference numerals 203, 601, 602, 603).
Sheet 7 of 21: FIG. 7A (701): ERROR dialog, "YOU HAVE NO RIGHT TO ...". FIG. 7B (702): ILLICIT ACCESS MESSAGE dialog.
Sheet 8 of 21: Rotated drawing; text not recoverable.
Sheet 9 of 21: Labels: ATTACH TO MAIL; PRINT; FILE MOVE/FILE COPY; CAPTURE; CLIPBOARD; SAVE AS; PASTE OBJECT.
Sheet 10 of 21: FIG. 10, SECOND EMBODIMENT. Labels: ACCESS RIGHT MANAGEMENT TABLE; APL; FILE; COMMUNICATION; NETWORK.
Sheet 11 of 21: FIG. 11. Label: INTERFACE.
Sheet 12 of 21: FIG. 12. Labels: COMMUNICATION NETWORK; INPUT SECTION; OUTPUT SECTION (reference numerals 3100 to 3116).
Sheet 13 of 21: FIG. 13A, PROTECTED DIGITAL INFORMATION (RESTRICTING PROGRAM; RESTRICTING ATTRIBUTE; ORIGINAL DIGITAL INFORMATION). FIG. 13B and FIG. 13C. Labels: EXPANSION ROUTINE SECTION; RESTRICTING ROUTINE SECTION; RESTRICTING ATTRIBUTE; TARGET APPLICATION INFORMATION.
Sheet 14 of 21: FIG. 14, PROCEDURE OF PROTECTION. Flow: START; READ TARGET DIGITAL INFORMATION (S30); ADD RESTRICTING ATTRIBUTE TO TARGET DIGITAL INFORMATION (S31); ADD RESTRICTING PROGRAM ACCORDING TO TARGET DIGITAL INFORMATION, TYPE, AND RESTRICTING ATTRIBUTE (S32); OUTPUT PROTECTED DIGITAL INFORMATION (S33); END.
Sheet 15 of 21: FIG. 15, PROCESSING FLOW OF EXPANSION ROUTINE SECTION (steps S401 to S413). Flow: START; ACTIVATE PROTECTED DIGITAL INFORMATION; ACTIVATE RESTRICTING ROUTINE SECTION; ACQUIRE TARGET APPLICATION FROM RESTRICTING ATTRIBUTE (IF APPLICATION IS NOT DESIGNATED, IT DEPENDS ON OS); ACTIVATE TARGET APPLICATION; IS ACTIVATION SUCCESSFUL? (CAUSE RESTRICTING ROUTINE SECTION TO START MONITORING); EXTRACT DIGITAL INFORMATION PORTION AND DECODE ORIGINAL DIGITAL INFORMATION; TRANSFER DECODED DIGITAL INFORMATION TO TARGET APPLICATION; EXECUTE NORMAL OPERATION OF APPLICATION (RESTRICTED OPERATION IS RESTRICTED BY RESTRICTING ROUTINE SECTION); RELEASE (CLOSE) DIGITAL INFORMATION; DELETE DECODED DIGITAL INFORMATION; END APPLICATION; RELEASE RESTRICTING ROUTINE SECTION; END.
Sheet 16 of 21: FIG. 16, EXAMPLE OF PROTECTING DOCUMENT FILE. Labels: DOCUMENT FILE; PROTECTED DOCUMENT FILE; distribution by E-MAIL OR FTP, NETWORK, and STORAGE MEDIUM SUCH AS FD; OPERATIONS ARE RESTRICTED IN USE BY WORDPROCESSOR APPLICATION.
Sheet 17 of 21: FIG. 17, EXAMPLE OF PROTECTING MULTIMEDIA INFORMATION (FILE OR IMAGE, MUSIC, OR MOVING IMAGE). Labels: MULTIMEDIA INFORMATION; PROTECTED MULTIMEDIA INFORMATION; PUBLISH IN WEB PAGE; SERVICE TO PORTABLE TERMINAL; OPERATIONS ARE RESTRICTED IN USE BY MULTIMEDIA APPLICATION.
Sheet 18 of 21: Labels: COMMUNICATION NETWORK; CONVENIENCE STORE, FACTORY, OFFICE.
Sheet 19 of 21: FIG. 19. Labels: COMMUNICATION NETWORK; COMPANY.
Sheet 20 of 21: FIG. 20. Labels: FINANCIAL INSTITUTION; COMMUNICATION NETWORK.
Sheet 21 of 21: FIG. 21 (steps S81 to S95). Labels: CAUSE CLIENT TO ISSUE CONNECTION ACCESS REQUEST; CAUSE H.H SITE TO COLLATE MANAGEMENT TABLE; CAUSE H.H SITE TO SPECIFY REQUESTED INFORMATION; CAUSE CLIENT TO INPUT ID; DISPLAYABLE / UNDISPLAYABLE; REQUEST COPY, MAIL, OR TRANSFER OF INFORMATION; DISPLAY "POSSIBLE"; DISPLAY "IMPOSSIBLE"; ONLY DISPLAY INFORMATION ON SCREEN; MANAGE LOG; PROVIDE PREDETERMINED INFORMATION TO CLIENT; END.

INFORMATION PROCESSING METHOD, APPARATUS, AND SYSTEM FOR CONTROLLING COMPUTER RESOURCES, CONTROL METHOD THEREFOR, STORAGE MEDIUM, AND PROGRAM

FIELD OF THE INVENTION

The present invention relates to a computer resource control method and apparatus which manage access to computer resources such as a file, storage device, display screen, or external accessory device, and a storage medium.

BACKGROUND OF THE INVENTION

Conventionally, to prevent a user who has no access right from decoding or tapping information by making access to a resource such as a file or storage device in a computer such as a personal computer through an application program, a method of providing an access right check function in an operating system (to be referred to as an OS hereinafter) or a method of checking the access right by adding a dedicated access management tool is known.

For example, a general-purpose OS represented by Windows (registered trademark of Microsoft) has a function of inhibiting a user who has no access right from reading, writing, or executing a file. Some general-purpose OSs allow a user to set a right about deleting files, changing the access right, or changing ownership.

As an access management tool, a tool which registers the permission condition of file lookup and copy, then restricts file lookup and copy depending upon that permission condition is known, as disclosed in, e.g., Japanese Patent Laid-Open No. 7-84852. More specifically, a tool which adds a read restricting attribute to a display area to prevent capture of the display screen is known.

To completely inhibit a user from outputting information to some external medium, functions such as attachment to mail, printing, file move/file copy, copy to the clipboard, saving in removable medium such as a floppy disk, object paste, and screen capture must be restricted, as shown in FIG. 9. In addition, information output through a network must also be restricted.

In the prior art, however, operations other than file move/file copy and screen capture (e.g., copy to the clipboard) cannot be restricted. If operations such as copy to the clipboard should be restricted, the OS or application itself must be revised, and this makes versatile applicable use impossible.

SUMMARY OF THE INVENTION

It is an object of the present invention to provide an information processing apparatus and method which can control computer resources by making it possible to restrict operations to resources, including computer resources other than files and screen, by a user who has no access right and to extend inhibition or restricted items in an existing environment without revising the OS or process (program such as an application or demon that runs on the OS), and to provide a storage medium.

In order to achieve the above object, an information processing method according to the present invention has the following arrangement. That is,

there is provided an information processing method of controlling access to computer resource(s) managed by an operating system, such as a file, network, storage device, display screen, or external device, comprising:

a trap step of trapping an operation request from a process or operating system for the computer resource before access to the computer resource;

a determination step of determining whether an access right for the computer resource designated by the operation request trapped in the trap step is present;

a processing step of, if it is determined in the determination step that the access right is present, transferring the operation request to the operating system and returning a result from the operating system to the request source process; and

a denial step of denying the operation request if it is determined in the determination step that no access right is present.

In the trap step, the operation request from the process or operating system for the computer resource is preferably further trapped before access to the computer resource.

In the determination step, it is preferably determined whether the access right is present by looking up an access right management table containing resource designation information that designates a specific computer resource, condition information under which the access right is validated, and access right information that designates an access right that is extended but not defined in an existing environment.

In the determination step, it is preferably determined whether the access right is present by looking up access right information that is described in the computer resource to designate an access right that is extended but not defined in an existing environment.

In the determination step, it is preferably determined whether the access right is present by determining whether the access right can be acquired.

The access right information preferably contains information that designates at least one of a right to move to another medium, a right to copy in another medium, a right to print, a right to write in a shared memory, a right to capture a screen, and a right to run specific processes.

In the denial step, an access denial error message is preferably returned to the request source process without any access to the requested computer resource.

In the denial step, a successful access message is preferably returned to the request source process without any access to the requested computer resource.

In the denial step, preferably, the operation request is replaced to an operation request for a dummy computer resource and transferred to the operating system, and a result from the operating system is returned to the request source process.
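
The trap, determination, processing and denial steps above, including the three denial variants, as an added Python simulation (not code from the patent). The class names, the `fnmatch` resource matching, the in-memory stand-in for the OS, the denial log and the sample table row are all assumptions.

```python
# Added illustration: names, fnmatch matching and FakeOS are assumptions.
from dataclasses import dataclass
from enum import Enum, auto
from fnmatch import fnmatch
from typing import Callable, FrozenSet, Optional


class Right(Enum):                 # extended rights named in the summary
    MOVE = auto()
    COPY = auto()
    PRINT = auto()
    SHARED_MEMORY_WRITE = auto()   # e.g. copy to the clipboard
    SCREEN_CAPTURE = auto()
    RUN_PROCESS = auto()


class DenyMode(Enum):              # the three denial-step variants
    ERROR = auto()                 # access denial error, resource untouched
    FAKE_SUCCESS = auto()          # success reported, resource untouched
    DUMMY = auto()                 # request redirected to a dummy resource


@dataclass(frozen=True)
class Request:
    user: str
    operation: Right
    resource: str


@dataclass(frozen=True)
class TableEntry:                  # one row of the access right management table
    resource_pattern: str                  # resource designation information
    condition: Callable[[Request], bool]   # condition information
    rights: FrozenSet[Right]               # access right information


@dataclass(frozen=True)
class Result:
    status: str                # "ok" or "denied", as the caller sees it
    touched: Optional[str]     # resource the OS really accessed, if any


class FakeOS:
    """Stand-in for the operating system's own API processing."""
    def __init__(self):
        self.accessed = []     # every resource the OS actually touched

    def execute(self, req):
        self.accessed.append(req.resource)
        return Result("ok", req.resource)


class ResourceMonitor:
    """Sits between the requesting process and the OS."""
    def __init__(self, os_api, table, deny_mode, dummy_resource="dummy.bin"):
        self.os_api = os_api
        self.table = table
        self.deny_mode = deny_mode
        self.dummy_resource = dummy_resource
        self.denied_log = []

    def has_right(self, req):
        # Determination step: default deny unless some row grants the right.
        return any(
            fnmatch(req.resource, row.resource_pattern)
            and req.operation in row.rights
            and row.condition(req)
            for row in self.table
        )

    def trap(self, req):
        # Trap step: every request arrives here before the OS sees it.
        if self.has_right(req):
            return self.os_api.execute(req)      # processing step
        # Denial step. FAKE_SUCCESS and DUMMY hide the denial from the
        # caller, so the monitor's own log is the only record of it.
        self.denied_log.append(req)
        if self.deny_mode is DenyMode.ERROR:
            return Result("denied", None)
        if self.deny_mode is DenyMode.FAKE_SUCCESS:
            return Result("ok", None)
        dummy = Request(req.user, req.operation, self.dummy_resource)
        return self.os_api.execute(dummy)


def demo():
    """One allowed and one denied request under each denial mode."""
    table = [TableEntry("reports/*", lambda r: r.user == "alice",
                        frozenset({Right.COPY, Right.PRINT}))]  # constructed row
    out = {}
    for mode in DenyMode:
        os_api = FakeOS()
        monitor = ResourceMonitor(os_api, table, mode)
        allowed = monitor.trap(Request("alice", Right.PRINT, "reports/q3.doc"))
        denied = monitor.trap(
            Request("alice", Right.SCREEN_CAPTURE, "reports/q3.doc"))
        out[mode] = (allowed, denied, list(os_api.accessed),
                     len(monitor.denied_log))
    return out
```
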

In order to achieve the above object, an information processing apparatus according to the present invention has the following arrangement. That is,

there is provided an information processing apparatus for controlling access to computer resource(s) managed by an operating system, such as a file, network, storage device, display screen, or external device, comprising:

trap means for trapping an operation request from a process or operating system for the computer resource before access to the computer resource;

determination means for determining whether an access right for the computer resource designated by the operation request trapped by the trap means is present;

processing means for, if it is determined by the determination means that the access right is present, transferring the operation request to the operating system and returning a result from the operating system to the request source process; and

denial means for denying the operation request if it is determined by the determination means that no access right is present.

In order to achieve the above object, a storage medium according to the present invention has the following arrangement. That is,

there is provided a storage medium which stores program codes for controlling access to computer resource(s) such as a file, network, storage device, display screen, or external device, comprising:

a program code of a trap step of trapping an operation request from a process or operating system for the computer resource before access to the computer resource;

a program code of a determination step of determining whether an access right for the computer resource designated by the operation request trapped in the trap step is present;

a program code of a processing step of, if it is determined in the determination step that the access right is present, transferring the operation request to the operating system and returning a result from the operating system to the request source process; and

a program code of a denial step of denying the operation request if it is determined in the determination step that no access right is present.

In order to achieve the above object, a program according to the present invention has the following arrangement. That is,

there is provided a program for causing a computer to control access to computer resource(s) such as a file, network, storage device, display screen, or external device, comprising:

a program code of a trap step of trapping an operation request from a process or operating system for the computer resource before access to the computer resource;

a program code of a determination step of determining whether an access right for the computer resource designated by the operation request trapped in the trap step is present;

a program code of a processing step of, if it is determined in the determination step that the access right is present, transferring the operation request to the operating system and returning a result from the operating system to the request source process; and

a program code of a denial step of denying the operation request if it is determined in the determination step that no access right is present.

In order to achieve the above object, an information processing system according to the present invention has the following arrangement. That is,

the first terminal comprises:

trap means for trapping an operation request from a process or operating system for computer resource(s) in the second terminal before access to the computer resource, and

the second terminal comprises:

determination means for determining whether an access right for the computer resource designated by the operation request trapped by the trap means is present;

processing means for, if it is determined by the determination means that the access right is present, transferring the operation request to the operating system in the first terminal and returning a result from the operating system to the request source process; and

denial means for denying the operation request if it is determined by the determination means that no access right is present.

In order to achieve the above object, a control method for an information processing system according to the present invention has the following arrangement. That is,

there is provided a control method for an information processing system constituted by connecting first and second terminals through a communication network, comprising:

a trap step of, in the first terminal, trapping an operation request from a process or operating system for computer resource(s) in the second terminal before access to the computer resource;

a determination step of determining, in the second terminal, whether an access right for the computer resource designated by the operation request trapped in the trap step is present;

a processing step of, if it is determined in the determination step that the access right is present, transferring the operation request to the operating system in the first terminal and returning a result from the operating system to the request source process; and

a denial step of denying the operation request if it is determined in the determination step that no access right is present.

In order to achieve the above object, a storage medium according to the present invention has the following arrangement. That is,

there is provided a storage medium which stores program codes of control for an information processing system constituted by connecting first and second terminals through a communication network, comprising:

a program code of a trap step of, in the first terminal, trapping an operation request from a process or operating system for computer resource(s) in the second terminal before access to the computer resource;

a program code of a determination step of determining, in the second terminal, whether an access right for the computer resource designated by the operation request trapped in the trap step is present;

a program code of a processing step of, if it is determined in the determination step that the access right is present, transferring the operation request to the operating system in the first terminal and returning a result from the operating system to the request source process; and

a program code of a denial step of denying the operation request if it is determined in the determination step that no access right is present.

In order to achieve the above object, a program according to the present invention has the following arrangement. That is,

there is provided a program which causes a computer to control an information processing system constituted by connecting first and second terminals through a communication network, comprising:

a program code of a trap step of, in the first terminal, trapping an operation request from a process or operating system for computer resource(s) in the second terminal before access to the computer resource;

a program code of a determination step of determining, in the second terminal, whether an access right for the computer resource designated by the operation request trapped in the trap step is present;

a program code of a processing step of, if it is determined in the determination step that the access right is present, transferring the operation request to the operating system in the first terminal and returning a result from the operating system to the request source process; and

a program code of a denial step of denying the operation request if it is determined in the determination step that no access right is present.

In order to achieve the above object, an information processing apparatus according to the present invention has the following arrangement. That is,

there is provided an information processing apparatus connected to another terminal through a communication network, comprising:

trap means for trapping an operation request from a process or operating system for computer resource(s) in the other terminal before access to the computer resource; and

reception means for receiving a reply to the operation request.

In order to achieve the above object, an information processing apparatus according to the present invention has the following arrangement. That is,

there is provided an information processing apparatus connected to another terminal through a communication network, comprising:

determination means for determining whether an access right is present for computer resource(s) in the information processing apparatus, which is designated by an operation request for the computer resource trapped by the other terminal before access to the computer resource;

processing means for, if it is determined by the determination means that the access right is present, transferring the operation request to an operating system in the other terminal and returning a result from the operating system to the request source process; and

denial means for denying the operation request if it is determined by the determination means that no access right is present.

In order to achieve the above object, an information processing method according to the present invention has the following arrangement. That is, there is provided an information processing method for an information processing apparatus connected to another terminal through a communication network, comprising:

a trap step of trapping an operation request from a process or operating system for computer resources in the other terminal before access to the computer resource; and

a reception step of receiving a reply to the operation request.

In order to achieve the above object, an information processing method according to the present invention has the following arrangement. That is,

there is provided an information processing method for an information processing apparatus connected to another terminal through a communication network, comprising:

a determination step of determining whether an access right is present for computer resource(s) in the information processing apparatus, which is designated by an operation request for the computer resource trapped by the other terminal before access to the computer resource;

a processing step of, if it is determined in the determination step that the access right is present, transferring the operation request to an operating system in the other terminal and returning a result from the operating system to a request source process; and

a denial step of denying the operation request if it is determined in the determination step that no access right is present.

In order to achieve the above object, a storage medium according to the present invention has the following arrangement. That is,

there is provided a storage medium which stores program codes of information processing of an information processing apparatus connected to another terminal through a communication network, comprising:

a program code of a trap step of trapping an operation request from a process or operating system for computer resource(s) in the other terminal before access to the computer resource; and

`a program code of a reception step of receiving a reply to
`the operation request.
`In order to achieve the above object, a storage medium
`accordingto the present invention has the following arrange-
`ment. Thatis,
`there is provided a storage medium which stores program
`codes ofinformation processing ofan information processing
`apparatus connected to another terminal through a commu-
`nication network, comprising:
`a program code of a determination step of determining
`whetheran access right is present for computer resource(s) in
`the information processing apparatus, which is designated by
`an operation request for the computer resource trapped by the
`other terminal before access to the computer resource;
`a program code of a processingstep of, if it is determined
`in the determination step that the access right is present,
`transferring the operation request to an operating system in
`the other terminal and returning a result from the operating
`system to the request source process; and
`a program code of a denial step of denying the operation
`request if it is determined in the determination step that no
`access right is present.
`In order to achieve the above object, a program according
`to the present invention has the following arrangement. That
`is,
`
`there is provided a program which causes a computer to
`execute information processing of an information processing
`apparatus connected to another terminal through a commu-
`nication network, comprising:
`a program code of a trap step of trapping an operation
`request from a process or operating system for computer
`resource(s) in the other terminal before access to the com-
`puter resource; and
`a program code of a reception step of receiving a reply to
`the operation request.
`In order to achieve the above object, a program according
`to the present invention has the following arrangement. That
`is,
`
`there is provided a program which causes a computer to
`execute information processing of an information processing
`apparatus connected to another terminal through a commu-
`nication network, comprising:
`a program code of a determination step of determining
`whether an access right is present for computer resource(s) in
`the information processing apparatus, which is designated by
`an operation request for the computer resource trapped by the
`other terminal before access to the computer resource;
`a program code of a processing step of, if it is determined
`in the determination step that the access right is present,
`transferring the operation request to an operating system in
`the other terminal and returning a result from the operating
`system to the request source process; and
`a program code of a denial step of denying the operation
`request if it is determined in the determination step that no
`access right is present.
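The trap, reception, determination, processing and denial steps listed above, modeled as an added Python example that is not part of the patent text. The class names, the in-memory stand-in for the operating system, and the rights table are constructed assumptions.

```python
# Constructed rights table: (user, resource, operation) triples that hold an
# access right. Anything not listed is refused (default deny).
RIGHTS = {("alice", "report.txt", "read"), ("alice", "report.txt", "write"),
          ("bob", "report.txt", "read")}

class FakeOS:
    """Stand-in (assumption) for the operating system that touches the resource."""
    def __init__(self, files):
        self.files = dict(files)
        self.calls = 0                      # requests that actually reached the OS

    def execute(self, resource, op, data=None):
        self.calls += 1
        if op == "read":
            return self.files[resource]
        if op == "write":
            self.files[resource] = data
            return len(data)
        raise ValueError("unsupported operation: " + op)

class Determiner:
    """Determination, processing and denial steps."""
    def __init__(self, rights, os_):
        self.rights, self.os = rights, os_
        self.denied = []                    # audit trail of refused requests

    def handle(self, req):
        key = (req["user"], req["resource"], req["op"])
        if key not in self.rights:          # determination step, before any access
            self.denied.append(key)
            return {"ok": False, "error": "no access right"}    # denial step
        # Processing step: pass the request to the OS and return its result.
        result = self.os.execute(req["resource"], req["op"], req.get("data"))
        return {"ok": True, "result": result}

class Trap:
    """Trap and reception steps on the requesting side."""
    def __init__(self, user, determiner):
        self.user, self.determiner = user, determiner

    def operate(self, resource, op, data=None):
        # Trap step: the request is intercepted here instead of reaching the OS.
        req = {"user": self.user, "resource": resource, "op": op, "data": data}
        reply = self.determiner.handle(req)  # reception step: wait for the reply
        if not reply["ok"]:
            raise PermissionError(reply["error"])
        return reply["result"]
```

A refused request never increments `FakeOS.calls`, which is the property the arrangement depends on: the decision is made before the resource is touched, not after.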
`In order to achieve the above object, an information pro-
`cessing apparatus according to the present invention has the
`following arrangement. That is,
`there is provided an information processing apparatus
`deals as an electronic information provider for converting
`digital information into protected digital information to
`restrict operations on the digital information, comprising
`a computer which can access target digital information, a
`storage medium such as a memory or hard disk to store the
`target digital information and protected digital information,
`and an external medium device such as a floppy disk drive or
`communication line as means for providing the digital infor-
`mation.
`On the other hand, there is provided an information pro-
`cessing apparatus deals as an electric information receiver
`which
`
`second adding means for adding a restricting program to
`the digital information, wherein the restricting program for
`monitoring and controlling operation(s) on the digital infor-
`mation; and
`output means for outputting the digital information to
