Internal object protection from application programs

US 20050091214A1
Filed: 09/10/2004
Published: 04/28/2005
Est. Priority Date: 10/24/2003
Status: Abandoned Application

First Claim

Patent Images

1. A method of granting a first object executing in a computing system access to a second object, said first object having a local namespace associated therewith, said method comprising:

receiving a request from the first object to access the second object;

determining whether the second object is stored in the local namespace;

granting the first object access if the second object is determined to be stored in the local namespace; and

otherwise, copying the second object from a global namespace to the local namespace and granting the first object access to the copied second object in the local namespace.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Granting an executable object (e.g., an application program, thread, or process) access to a namespace object (e.g., a named object, resource, file, or folder). A request by the executable object for the namespace object is intercepted and processed to determine whether a local namespace associated with the executable object, user, or session stores a copy of the requested namespace object. If the copy exists in one of the local namespaces, the request is granted and allowed to operate on that local namespace. If the requested namespace object exists only in a global namespace, the namespace object is copied to a local namespace. The request is then granted and allowed to operate on the copy of the namespace object in the local namespace. Protecting the namespace objects stored in the global namespace from modification improves the stability of the application program and operating system.

199 Citations

39 Claims

1. A method of granting a first object executing in a computing system access to a second object, said first object having a local namespace associated therewith, said method comprising:
- receiving a request from the first object to access the second object;
  
  determining whether the second object is stored in the local namespace;
  
  granting the first object access if the second object is determined to be stored in the local namespace; and
  
  otherwise, copying the second object from a global namespace to the local namespace and granting the first object access to the copied second object in the local namespace.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, further comprising:
    - receiving another request from the first object for the second object; and
      
      granting the first object access to the copied second object.
  - 3. The method of claim 1, wherein the second object has a protected status associated therewith, and further comprising:
    - denying the received request; and
      
      sending an error message to the first object.
  - 4. The method of claim 3, further comprising associating the protected status with the second object upon creation of the second object.
  - 5. The method of claim 1, wherein the second object has a path associated therewith, and wherein granting the received request comprises modifying the path to point to the local namespace.
  - 6. The method of claim 1, further comprising generating a list of objects available on the computing system.
  - 7. The method of claim 6, wherein generating the list of objects comprises:
    - generating a first list of objects in the local namespace;
      
      generating a second list of objects in the global namespace; and
      
      removing any duplicate objects common to the first list and the second list.
  - 8. The method of claim 1, wherein receiving the request comprises receiving a request from the first object to delete the second object, and wherein granting the received request comprises marking the second object in the local namespace as deleted.
  - 9. The method of claim 1, further comprising receiving a notification that the second object has been deleted from the global namespace, and further comprising deleting the second object from the local namespace in response to the received notification.
  - 10. The method of claim 1, further comprising logging the received request.
  - 11. The method of claim 1, further comprising:
    - if the second object is determined to be stored in the global namespace and is identified as being external to the computing device, granting the first object access to modify the second object in the global namespace.
  - 12. The method of claim 1, wherein one or more computer-readable media have computer-executable instructions for performing the method recited in claim 1.

13. One or more computer-readable media having computer-executable components for granting a first object executing in a computing system access to a second object, said first object having a local namespace associated therewith, said components comprising:
- an interface component for receiving a request from the first object to access the second object;
  
  an analysis component for determining whether the second object is stored in the local namespace;
  
  a security component for granting the request received by the interface component if the second object is determined by the analysis component to be stored in the local namespace, and if the second object is determined by the analysis component to be stored in a global namespace, copying the second object from the global namespace to the local namespace and granting the first object access to the copied second object in the local namespace.
- View Dependent Claims (14, 15, 16)
- - 14. The computer-readable media of claim 13, further comprising an enumeration component for generating a list of objects available on the computing system by:
    - generating a first list of objects in the local namespace;
      
      generating a second list of objects in the global namespace; and
      
      removing any duplicate objects common to the first list and the second list.
  - 15. The computer-readable media of claim 13, wherein the interface component receives a request from the first object to delete the second object from the local namespace, and wherein the security component marks the second object in the local namespace as deleted.
  - 16. The computer-readable media of claim 13, wherein the security component comprises a logging component for storing information about the request received by the interface component in a log.

17. A system for multi-layer virtualization to protect objects in a computing system, said system comprising:
- a memory area storing an ordered set of namespaces; and
  
  a processor configured to execute computer-executable instructions for;
  
  receiving a request from an executable object for access to a resource object;
  
  identifying a first namespace from the ordered set of namespaces that includes the requested resource object; and
  
  providing the executable object with access to the requested resource object from the identified, first namespace.
- View Dependent Claims (18, 19, 20, 21, 22, 23)
- - 18. The system of claim 17, wherein the memory area stores the ordered set of namespaces including a user namespace, an application namespace, a session namespace, and a global namespace.
  - 19. The system of claim 18, wherein the processor is further configured to execute computer-executable instructions for searching the user namespace, the application namespace, the session namespace, and the global namespace in order to locate the requested resource object.
  - 20. The system of claim 17, wherein the computer-executable instructions are implemented in an operating system.
  - 21. The system of claim 17, wherein the computer-executable instructions are supplied by a namespace provider.
  - 22. The system of claim 17, further comprising a link between a resource object in a namespace in the ordered set of namespaces and another resource object in another namespace in the ordered set of namespaces.
  - 23. The system of claim 17, wherein the link comprises one or more of the following:
    - a file system link, a symbolic link, a soft link, a registry link, and a hard link.

24. A computerized method for deprecating resource usage in a computing system, said computerized method comprising:
- detecting a predefined operation of an executable object, said predefined operation relating to access to a resource object;
  
  redirecting the detected predefined operation from the resource object to another resource object as a function of the executable object and the resource object.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 25. The computerized method of claim 24, wherein redirecting the detected predefined operation comprises redirecting the detected predefined operation from the resource object to the other resource object based on one or more of the following:
    - a policy associated with the executable object, a policy associated with the resource object, a manifest associated with the executable object, a manifest associated with the resource object, an operating system manifest, a rule associated with the executable object, and a rule associated with the resource object.
  - 26. The computerized method of claim 24, further comprising predefining the operation of the executable object.
  - 27. The computerized method of claim 24, wherein redirecting the detected predefined operation comprises mapping the resource object to the other resource object.
  - 28. The computerized method of claim 24, wherein the resource object is internal to an operating system of the computing system, and further comprising blocking execution of the detected predefined operation.
  - 29. The computerized method of claim 28, further comprising sending an error message to the executable object.
  - 30. The computerized method of claim 24, wherein the resource object is external to an operating system of the computing system, and further comprising allowing execution of the detected predefined operation.
  - 31. The computerized method of claim 24, wherein the other resource object is associated with another executable object.
  - 32. The computerized method of claim 24, wherein redirecting the detected predefined operation comprises redirecting the detected predefined operation from the resource object to the other resource object as a function of a session associated with the executable object.
  - 33. The computerized method of claim 24, wherein redirecting the detected predefined operation comprises redirecting the detected predefined operation from the resource object to another resource object as a function of a manifest provided by a namespace provider.
  - 34. The computerized method of claim 24, further comprising storing information relating to the detected predefined operation in a log file.
  - 35. The computerized method of claim 24, wherein one or more computer-readable media have computer-executable instructions for performing the computerized method recited in claim 24.

36. A system for implementing a virtual view of computing system resources for an executable object, said system comprising:
- a global namespace for storing one or more namespace objects;
  
  a local namespace associated with the executable object, said local namespace for storing a copy of at least one of the one or more namespace objects; and
  
  a manifest for mapping each of the namespace objects stored in the global namespace to the copy stored in the local namespace.
- View Dependent Claims (37, 38, 39)
- - 37. The system of claim 36, wherein the manifest comprises one or more of the following:
    - a rule, an object manifest, and an operating system manifest.
  - 38. The system of claim 36, wherein the namespace object comprises one or more of the following:
    - a file, a folder, a process, a thread, a fiber, a work item, an operating system setting, a named object, an application programming interface, a code path, a library of executable routines, an operating system property value, and an operating system resource.
  - 39. The system of claim 36, wherein the executable object comprises one or more of the following:
    - an application program, a process, a thread, a fiber, a work item, an application programming interface, a code path, and a library of executable routines.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Fernandes, Genevieve, Tsuryk, Valeriy, Li, Eric, Rector, John Austin, Praitis, Edward J., Sambotin, Dragos C., Probert, David B.

Application Number

US10/938,094
Publication Number

US 20050091214A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/31   User authentication

G06F 21/51   at application loading time...

G06F 21/54   by adding security routines...

G06F 21/568   eliminating virus, restorin...

G06F 21/57   Certifying or maintaining t...

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

Internal object protection from application programs

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

199 Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Internal object protection from application programs

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

199 Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links