Security critical data containers

US 20060179482A1
Filed: 02/04/2005
Published: 08/10/2006
Est. Priority Date: 02/04/2005
Status: Active Grant

First Claim

Patent Images

1. In a computing environment, a method comprising:

providing a container; and

allowing information to distinguish data associated with a particular method of the container as being security critical, such that the data only can be accessed via the particular method by code with elevated permissions.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described are security critical data containers for platform code, comprising a Get container and Set container that allow data to be marked as security critical for critical usage of that data, but left unmarked for non-critical usage. The number of critical methods in the code is reduced, facilitating better code analysis. A container'"'"'s method may be marked as security critical, with the only access to the data via the method. By using a generic class for a Get container, access to the critical data only occurs through the property on the class, which is marked as critical. The field pointing to the generic class instance need not be critical, whereby initialization or existence checking may remain non-critical. The Set container handles security critical situations such as data that controls whether code can elevate permissions; a set method is marked as critical, while other methods can be accessed by non-critical code.

Citations

19 Claims

1. In a computing environment, a method comprising:
- providing a container; and
  
  allowing information to distinguish data associated with a particular method of the container as being security critical, such that the data only can be accessed via the particular method by code with elevated permissions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein the container comprises a get container and the method comprises a get method, and wherein the data only can be read via the get method by code with elevated permissions, and existence/initialization checks may be performed by code without elevated permissions.
  - 3. The method of claim 2 wherein the data comprises a value that provides access to a critical resource.
  - 4. The method of claim 1 wherein the container comprises a set container and the particular method comprises a set method, and wherein the data only can be set via the set method by code with elevated permissions.
  - 5. The method of claim 4 further comprising a get method, and wherein the data can be read via the get method by code without elevated permissions.
  - 6. The method of claim 5 wherein the data comprises a value that provides access to a critical resource.
  - 7. The method of claim 5 wherein the data comprises a value indicative of whether privileges can be elevated by other code.
  - 8. The method of claim 1 wherein the container is implemented in platform code that allows downloaded code to be executed, and further comprising analyzing the platform code via an analysis tool.
  - 9. At least one computer-readable medium having computer-executable instructions, which when executed perform the method of claim 1.

10. A computer-readable medium having stored thereon a data structure, comprising:
- a set container, including a set method and a get method; and
  
  information that distinguishes data associated with the set method as security critical and associated with the get method as non-security critical;
  
  such that the data can be read by code without elevated permissions via the get method, and the data only can be set by code with elevated permissions via the set method.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The computer-readable medium of claim 10 wherein the data comprises a value that provides access to a critical resource.
  - 12. The computer-readable medium of claim 10 wherein the data comprises a value indicative of whether privileges can be elevated by other code.
  - 13. The computer-readable medium of claim 10 further comprising receiving a request to set the value from code with elevated permissions, and setting the value.
  - 14. The computer-readable medium of claim 10 further comprising receiving a request to read the value from code without elevated permissions, and returning data corresponding to the value.
  - 15. The computer-readable medium of claim 10 wherein the set container is implemented in platform code that allows downloaded code to be executed, and further comprising analyzing the platform code via an analysis tool.

16. A computer-readable medium having stored thereon a data structure, comprising:
- a get container, including a get method; and
  
  information that indicates data associated with the get method is security critical;
  
  such that the data only can be read by code with elevated permissions via the get method, and existence/initialization checks may be performed by code without elevated permissions.
- View Dependent Claims (17, 18, 19)
- - 17. The computer-readable medium of claim 16 wherein the data comprises a value that provides access to a critical resource.
  - 18. The computer-readable medium of claim 16 further comprising receiving a request to get the value from code with elevated permissions, and returning data corresponding to the value.
  - 19. The computer-readable medium of claim 16 wherein the set container is implemented in platform code that allows downloaded code to be executed, and further comprising analyzing the platform code via an analysis tool.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Tammana, Venkata Rama Prasad, Alcazar, Mark A.

Granted Patent

US 7,600,256 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/57   Certifying or maintaining t...

G06F 21/6227   where protection concerns t...

Y10S 707/99939   Privileged access

Security critical data containers

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Security critical data containers

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links