Running internet applications with low rights
Abstract
In various embodiments, applications that are configured to interact with the Internet in some way are executed in a restricted process with a reduced privilege level that can prohibit the application from accessing portions of an associated computing device. For example, in some embodiments, the restricted process can prohibit applications from read and write access to portions of a system's computer-readable media, such as the hard disk, that contains administrative data and settings information and user data and settings. In these embodiments, a special portion of the disk, termed a “containment zone”, is designated and used by applications in this restricted process.
20 Claims
1. A computer-implemented method comprising:
- providing a blocking mechanism that is configured to block Internet-application access to defined spaces of a client computing device on which the Internet-application executes; and
- defining at least one containment zone in which said Internet-application is to write and read data.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
13. A computer-implemented method comprising:
- providing a token-based blocking mechanism that is configured to block Internet-application access to at least the administrative and user spaces of a client computing device on which the Internet-application executes;
- defining at least one containment zone in which said Internet-application is to write and read data;
- logically interposing an administrative broker object between the Internet-application and the administrative space to broker access to the administrative space; and
- logically interposing a user space broker object between the Internet-application and the user space to broker access to the user space.
Dependent claims: 14, 15, 16, 17, 18, 19, 20
Specification