Methods and systems for implementing a secure application execution environment using derived user accounts for internet content

US 10,133,864 B2
Filed: 09/22/2015
Issued: 11/20/2018
Est. Priority Date: 06/06/2002
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

intercepting a request for a resource using a mediator at an application layer;

determining, using the mediator, whether the resource is trusted or untrusted;

when the resource is determined to be trusted, accessing the resource in a derived user account (DUA); and

when the resource is determined to be untrusted;

creating, using the mediator at the application layer, a protected DUA, wherein the protected DUA and the DUA are dynamically invoked within a same integrated user environment of a same user,redirecting, using the mediator at the application layer, the intercepted request to the protected DUA, andaccessing the resource that is determined to be untrusted in the protected DUA, wherein the protected DUA provides unrestricted access to the resource.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems are disclosed for implementing a secure application execution environment using Derived User Accounts (SAE DUA) for Internet content. Content is received and a determination is made if the received content is trusted or untrusted content. The content is accessed in a protected derived user account (DUA) such as a SAE DUA if the content is untrusted otherwise the content is accessed in a regular DUA if the content is trusted.

46 Citations

View as Search Results

17 Claims

1. A method comprising:
- intercepting a request for a resource using a mediator at an application layer;
  
  determining, using the mediator, whether the resource is trusted or untrusted;
  
  when the resource is determined to be trusted, accessing the resource in a derived user account (DUA); and
  
  when the resource is determined to be untrusted;
  
  creating, using the mediator at the application layer, a protected DUA, wherein the protected DUA and the DUA are dynamically invoked within a same integrated user environment of a same user,redirecting, using the mediator at the application layer, the intercepted request to the protected DUA, andaccessing the resource that is determined to be untrusted in the protected DUA, wherein the protected DUA provides unrestricted access to the resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein when the resource is determined to be untrusted:
    - providing, for display, the resource in conjunction with a concurrent display of at least one trusted resource that is accessed through the DUA.
  - 3. The method of claim 1, wherein the request is intercepted from an application that is separate from the mediator.
  - 4. The method of claim 1, wherein the resource comprises an email message and the method further comprises:
    - when the email message is determined to be untrusted, tagging the email message with a persistent identifier that persistently indicates to subsequent recipients that the email message is untrusted.
  - 5. The method of claim 4, further comprising:
    - when the email message is determined to be untrusted;
      
      determining whether the email message comprises an attachment; and
      
      tagging the attachment with the persistent identifier when the email message comprises the attachment.
  - 6. The method of claim 5, the method further comprising:
    - redirecting accesses of the tagged attachment to the protected DUA when the tagged attachment is accessed in the DUA.
  - 7. The method of claim 1, further comprising:
    - when the resource is determined to be untrusted;
      
      providing, for display, the resource in conjunction with a display of at least one trusted resource that is accessed through the DUA, wherein the resource is provided for display with a visible marker that visually distinguishes the resource as being accessed through the protected DUA as opposed to the DUA.
  - 8. The method of claim 1, further comprising:
    - when the resource is determined to be untrusted;
      
      intercepting a transfer of data items from the protected DUA to the DUA;
      
      tagging the data items to indicate that the data items were transferred from the protected DUA; and
      
      forwarding the tagged data items to the DUA.
  - 9. The method of claim 8, further comprising:
    - redirecting accesses of the tagged data items to the protected DUA when the tagged data items are accessed in the DUA.
  - 10. The method of claim 1, further comprising:
    - when the resource is determined to be untrusted;
      
      monitoring at least one system resource used by the protected DUA; and
      
      performing an action when a usage of the at least one system resource by the protected DUA satisfies a condition.
  - 11. The method of claim 10, wherein the action comprises at least one of:
    - notifying a user associated with the protected DUA of the usage of the at least one system resource, throttling the usage of the at least one system resource by the protected DUA, or terminating the protected DUA.

12. A device comprising:
- at least one processor configured to;
  
  receive a request for a resource using a mediator at an application layer;
  
  determine whether the resource is trusted or untrusted;
  
  when the resource is determined to be trusted, provide access to the resource in a derived user account (DUA); and
  
  when the resource is determined to be untrusted;
  
  create, using the mediator, a protected DUA,redirect, using the mediator, the request to the protected DUA,provide access to the resource in the protected DUA, wherein the protected DUA provides unrestricted access to the resource, andprovide the resource for contemporaneous display with at least one trusted resource that is accessed through the DUA, wherein the resource is provided for display with a visible marker that visually distinguishes the resource as being accessed through the protected DUA.
- View Dependent Claims (13, 14, 15)
- - 13. The device of claim 12, wherein the protected DUA and the DUA are both associated with a same user and the protected DUA and the DUA are dynamically invoked within a same integrated user environment of the same user.
  - 14. The device of claim 12, wherein the request is received from an application that is separate from the mediator.
  - 15. The device of claim 12, wherein the at least one processor is further configured to:
    - determine whether the resource is trusted or untrusted based at least in part on whether the resource comprises a persistent identifier that indicates that the resource is untrusted.

16. A computer program product comprising instructions stored in a non-transitory computer-readable storage medium, the instructions comprising:
- instructions to receive a request for a resource at an application layer;
  
  instructions to determine whether the resource is trusted or untrusted;
  
  when the resource is determined to be trusted, instructions to provide access to the resource in a derived user account (DUA) at the application layer; and
  
  when the resource is determined to be untrusted;
  
  instructions to create a protected DUA at the application layer,instructions to redirect the request to the protected DUA, andinstructions to provide unrestricted access to the resource in the protected DUA, wherein the protected DUA and the DUA are both associated with a same user and the protected DUA and the DUA are dynamically invoked within a same integrated user environment of the same user.
- View Dependent Claims (17)
- - 17. The computer program product of claim 16, wherein the instructions further comprise:
    - instructions to provide an integrated execution environment for both trusted and untrusted resources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google LLC (Alphabet Inc.)
Inventors
Erlingsson, Ulfar
Primary Examiner(s)
Najjar, Saleh
Assistant Examiner(s)
Almeida, Devin E

Application Number

US14/861,778
Publication Number

US 20160085964A1
Time in Patent Office

1,155 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/53   by executing in a restricte...

H04L 63/1483   service impersonation, e.g....

Methods and systems for implementing a secure application execution environment using derived user accounts for internet content

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

46 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for implementing a secure application execution environment using derived user accounts for internet content

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

46 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links