Running internet applications with low rights

US 20060277218A1
Filed: 06/03/2005
Published: 12/07/2006
Est. Priority Date: 06/03/2005
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

providing a blocking mechanism that is configured to block Internet-application access to defined spaces of a client computing device on which the Internet-application executes; and

defining at least one containment zone in which said Internet-application is to write and read data.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In various embodiments, applications that are configured to interact with the Internet in some way are executed in a restricted process with a reduced privilege level that can prohibit the application from accessing portions of an associated computing device. For example, in some embodiments, the restricted process can prohibit applications from read and write access to portions of a system'"'"'s computer-readable media, such as the hard disk, that contains administrative data and settings information and user data and settings. In these embodiments, a special portion of the disk, termed a “containment zone”, is designated and used by applications in this restricted process.

138 Citations

View as Search Results

20 Claims

1. A computer-implemented method comprising:
- providing a blocking mechanism that is configured to block Internet-application access to defined spaces of a client computing device on which the Internet-application executes; and
  
  defining at least one containment zone in which said Internet-application is to write and read data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the defined spaces comprise the client computing device'"'"'s administrative space and user space.
  - 3. The method of claim 1, wherein the blocking mechanism is configured block access in a user-independent manner.
  - 4. The method of claim 1 further comprising logically interposing a broker mechanism between the Internet-application and the defined spaces to broker access to the defined spaces.
  - 5. The method of claim 4, wherein the broker mechanism comprises individual broker objects, each of which being associated with a different defined space.
  - 6. The method of claim 5, wherein one defined space comprises a user space, and one defined space comprises an administrative space.
  - 7. The method of claim 4, wherein the broker mechanism is configured to enable a user to approve access to an associated defined space.
  - 8. The method of claim 1, wherein the act of providing a blocking mechanism is performed by reconfiguring a token associated with a user of the Internet-application.
  - 9. The method of claim 1, wherein the act of providing a blocking mechanism is performed by setting an integrity level on a token associated with a user of the Internet-application.
  - 10. The method of claim 1 further comprising using a shim to redirect an attempted access to a defined space to a containment zone.
  - 11. The method of claim 1, wherein the Internet-application comprises a web browser application.
  - 12. The method of claim 1 further comprising launching, as a result of a user'"'"'s interaction with the Internet-application, a different Internet-application that is unblocked by the blocking mechanism and which uses a containment zone which is isolated from said at least one containment zone.

13. A computer-implemented method comprising:
- providing a token-based blocking mechanism that is configured to block Internet-application access to at least the administrative and user spaces of a client computing device on which the Internet-application executes;
  
  defining at least one containment zone in which said Internet-application is to write and read data;
  
  logically interposing an administrative broker object between the Internet-application and the administrative space to broker access to the administrative space; and
  
  logically interposing a user space broker object between the Internet-application and the user space to broker access to the user space.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The method of claim 13, wherein the broker objects are configured to enable a user to approve access to an associated defined space.
  - 15. The method of claim 14, wherein the administrative broker object is configured to prompt an administrative user to enter associated credentials in order to access the administrative space.
  - 16. The method of claim 13, wherein the act of providing a token-based blocking mechanism comprises:
    - removing privileges from a token associated with a user of the Internet application; and
      
      adding restrictions, on the token, that restrict access to the user space.
  - 17. The method of claim 16, wherein the act of adding restrictions comprises:
    - removing a user name from the token; and
      
      wherein the act of defining at least one containment zone is performed by replacing the removed user name with a group name that designates said at least one containment zone as the only zone for read/write access for members of the group name.
  - 18. The method of claim 13, wherein the act of providing a token-based blocking mechanism comprises setting an integrity level on an associated token.
  - 19. The method of claim 13, wherein the Internet-application comprises a web browser application.
  - 20. The method of claim 13 further comprising launching, as a result of a user'"'"'s interaction with the Internet-application, a different Internet-application that is unblocked by the blocking mechanism and which uses a containment zone which is isolated from said at least one containment zone.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Franco, Roberto A., Ganjam, Anantha P., Brundrett, Peter T., Bedworth, John G., Tokumi, Roland K.

Granted Patent

US 8,078,740 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/53 by executing in a restricte...

Running internet applications with low rights

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

138 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Running internet applications with low rights

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

138 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links