PROCESS CONTROL SOFTWARE SECURITY ARCHITECTURE BASED ON LEAST PRIVILEGES

摘要

A process control system software security architecture, that is more effective at preventing zero-day or other types of malware attacks, implements the use of “least privileges” when executing the applications and services run within a computer device. The least privileges based architecture separates “service” processes from desktop applications that run on behalf of a logged-on user by partitioning the global namespace of the software system into service namespaces and logged-on user namespaces, and by strictly controlling communications between the applications and services in these different namespaces using interprocess communications. Moreover, the security architecture uses custom accounts to assure that each service process has the least set of privileges that are needed for implementing its function regardless of the privileges associated with the calling application or user.

主权项

1. A computer device including;
a processor; and an operating system that executes on the processor according to configuration data to implement service processes, wherein the configuration data causes each of the service processes to be assigned to one of a plurality of custom service accounts that each have a preset set of operating system privileges associated therewith, wherein the preset set of operating system privileges for each the plurality of custom service accounts is defined based on the privileges needed by the services that are assigned to the custom service account, and wherein, custom service accounts do not have interactive logon privileges.