Controlling computer program extensions in a network device

US 20060288404A1
Filed: 06/12/2006
Published: 12/21/2006
Est. Priority Date: 06/21/2005
Status: Active Grant

First Claim

Patent Images

1. A data processing apparatus, comprising:

a plurality of network interfaces that are coupled to a data network for receiving one or more packets therefrom and sending one or more packets thereto;

one or more processors;

a switching system coupled to the one or more processors and packet forwarding logic, wherein the switching system and packet forwarding logic are configured to receive packets on a first network interface, determine a second network interface on which to send the packets, and to send the packets on the second network interface;

a computer-readable storage medium having stored thereon an application program and one or more user program extensions to the application program;

logic comprising one or more stored sequences of instructions which, when executed by the one or more processors, cause the one or more processors to perform;

creating and storing one or more default program security permissions;

receiving a user-defined security policy that defines one or more user extension security permissions for the one or more user program extensions;

creating and storing only each of the one or more user extension security permissions that do not conflict with the default program security permissions;

receiving a request from one of the user program extensions to access a resource of the apparatus or the network;

permitting the request to access the resource or the network only when the access does not violate the user extension security permissions and the default program security permissions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network infrastructure element such as a packet data router or switch hosts an application program and one or more user program extensions to the application program. Logic in the network element is configured to perform creating and storing one or more default program security permissions; receiving a user-defined security policy that defines one or more user extension security permissions for the one or more user program extensions; creating and storing only each of the one or more user extension security permissions that do not conflict with the default program security permissions; receiving a request from one of the user program extensions to access a resource of the apparatus or the network; permitting the request to access the resource or the network only when the access does not violate the user extension security permissions and the default program security permissions.

Citations

22 Claims

1. A data processing apparatus, comprising:
- a plurality of network interfaces that are coupled to a data network for receiving one or more packets therefrom and sending one or more packets thereto;
  
  one or more processors;
  
  a switching system coupled to the one or more processors and packet forwarding logic, wherein the switching system and packet forwarding logic are configured to receive packets on a first network interface, determine a second network interface on which to send the packets, and to send the packets on the second network interface;
  
  a computer-readable storage medium having stored thereon an application program and one or more user program extensions to the application program;
  
  logic comprising one or more stored sequences of instructions which, when executed by the one or more processors, cause the one or more processors to perform;
  
  creating and storing one or more default program security permissions;
  
  receiving a user-defined security policy that defines one or more user extension security permissions for the one or more user program extensions;
  
  creating and storing only each of the one or more user extension security permissions that do not conflict with the default program security permissions;
  
  receiving a request from one of the user program extensions to access a resource of the apparatus or the network;
  
  permitting the request to access the resource or the network only when the access does not violate the user extension security permissions and the default program security permissions.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The apparatus of claim 1, comprising a router or switch for a packet-switched network.
  - 3. The apparatus of claim 1, wherein the logic further comprises instructions which when executed cause permitting the request to access the resource or the network only when the access also does not violate Java®
    - sandbox security permissions.
  - 4. The apparatus of claim 1, wherein the logic further comprises sequences of instructions which, when executed by the processor, cause the one or more processors to perform creating and storing only each of the one or more user extension security permissions that do not conflict with the default program security permissions, except when the logic specifies that the user extension security permissions can override the default program security permissions.
  - 5. The apparatus of claim 1, wherein the user-defined security policy comprises one or more extensible markup language (XML) documents each comprising one or more permission definitions each comprising a permission type, permission name, and one or more actions, and wherein each of the permission definitions is associated in the policy with a codebase identifier.
  - 6. The apparatus of claim 5, wherein the logic further comprises sequences of instructions which, when executed by the processor, cause the processor to perform parsing the user-defined security policy by:
    - storing the permission type, permission name, actions, and codebase identifier in a policy store;
      
      identifying a programmatic class of the user program extension that is associated with the request;
      
      determining a location from which the identified class has been loaded;
      
      determining a name of the resource from the request;
      
      determining an action associated with the request;
      
      searching the policy store for the location, name and action based on comparing the identified class to stored codebase identifiers.
  - 7. The apparatus of claim 1, wherein the logic further comprises sequences of instructions which, when executed by the processor, cause the processor to perform:
    - first determining whether the request violates the user extension security permissions and generating a user extension permission exception when a violation is determined;
      
      then determining whether the request violates the default program security permissions and generating a user extension permission exception when a violation is determined.

8. A machine-implemented method, comprising:
- creating and storing one or more default program security permissions in a network infrastructure device that is coupled to a network and that hosts an application program and one or more user program extensions to the application program;
  
  receiving a user-defined security policy that defines one or more user extension security permissions for the one or more user program extensions;
  
  creating and storing only each of the one or more user extension security permissions that do not conflict with the default program security permissions;
  
  receiving in the network infrastructure device a request from one of the user program extensions to access a resource of the apparatus or the network;
  
  permitting the request to access the resource or the network only when the access does not violate the user extension security permissions and the default program security permissions.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein the network infrastructure device comprises a router or switch for a packet-switched network.
  - 10. The method of claim 8, further comprising permitting the request to access the resource or the network only when the access also does not violate Java(®
    - sandbox security permissions.
  - 11. The method of claim 8, further comprising creating and storing only each of the one or more user extension security permissions that do not conflict with the default program security permissions, except when the logic specifies that the user extension security permissions can override the default program security permissions.
  - 12. The method of claim 8, wherein the user-defined security policy comprises one or more extensible markup language (XML) documents each comprising one or more permission definitions each comprising a permission type, permission name, and one or more actions, and wherein each of the permission definitions is associated in the policy with a codebase identifier.
  - 13. The method of claim 12, further comprising:
    - storing the permission type, permission name, actions, and codebase identifier in a policy store;
      
      identifying a programmatic class of the user program extension that is associated with the request;
      
      determining a location from which the identified class has been loaded;
      
      determining a name of the resource from the request;
      
      determining an action associated with the request;
      
      searching the policy store for the location, name and action based on comparing the identified class to stored codebase identifiers.
  - 14. The method of claim 8, further comprising:
    - first determining whether the request violates the user extension security permissions and generating a user extension permission exception when a violation is determined;
      
      then determining whether the request violates the default program security permissions and generating a user extension permission exception when a violation is determined.

15. A computer-readable storage medium carrying instructions which when executed by one or more processors, cause the one or more processors to perform:
- creating and storing one or more default program security permissions in a network infrastructure device that is coupled to a network and that hosts an application program and one or more user program extensions to the application program;
  
  receiving a user-defined security policy that defines one or more user extension security permissions for the one or more user program extensions;
  
  creating and storing each of the one or more user extension security permissions that do not conflict with the default program security permissions;
  
  receiving in the network infrastructure device a request from one of the user program extensions to access a resource of the apparatus or the network;
  
  permitting the request to access the resource or the network only when the access does not violate the user extension security permissions and the default program security permissions.

16. A data processing apparatus, comprising:
- a plurality of network interfaces that are coupled to a data network for receiving one or more packets therefrom and sending one or more packets thereto;
  
  one or more processors;
  
  a switching system coupled to the one or more processors and packet forwarding logic, wherein the switching system and packet forwarding logic are configured to receive packets on a first network interface, determine a second network interface on which to send the packets, and to send the packets on the second network interface;
  
  a computer-readable storage medium having stored thereon an application program and one or more user program extensions to the application program;
  
  means for creating and storing one or more default program security permissions;
  
  means for receiving a user-defined security policy that defines one or more user extension security permissions for the one or more user program extensions;
  
  means for creating and storing each of the one or more user extension security permissions that do not conflict with the default program security permissions;
  
  means for receiving a request from one of the user program extensions to access a resource of the apparatus or the network;
  
  means for permitting the request to access the resource or the network only when the access does not violate the user extension security permissions and the default program security permissions.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The apparatus of claim 16, comprising a router or switch for a packet-switched network.
  - 18. The apparatus of claim 16, further comprising means for permitting the request to access the resource or the network only when the access also does not violate Java®
    - sandbox security permissions.
  - 19. The apparatus of claim 16, further comprising means for creating and storing only each of the one or more user extension security permissions that do not conflict with the default program security permissions, except when the logic specifies that the user extension security permissions can override the default program security permissions.
  - 20. The apparatus of claim 16, wherein the user-defined security policy comprises one or more extensible markup language (XML) documents each comprising one or more permission definitions each comprising a permission type, permission name, and one or more actions, and wherein each of the permission definitions is associated in the policy with a codebase identifier.
  - 21. The apparatus of claim 20, further comprising:
    - means for storing the permission type, permission name, actions, and codebase identifier in a policy store;
      
      means for identifying a programmatic class of the user program extension that is associated with the request;
      
      means for determining a location from which the identified class has been loaded;
      
      means for determining a name of the resource from the request;
      
      means for determining an action associated with the request;
      
      means for searching the policy store for the location, name and action based on comparing the identified class to stored codebase identifiers.
  - 22. The apparatus of claim 16, further comprising:
    - means for first determining whether the request violates the user extension security permissions and generating a user extension permission exception when a violation is determined;
      
      means for then determining whether the request violates the default program security permissions and generating a user extension permission exception when a violation is determined.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Kirshnan, Mayilraj, Raghavan, Kollivakkam

Granted Patent

US 8,239,923 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/5
CPC Class Codes

G06F 2221/2141   Access rights, e.g. capabil...

G06F 8/656   while running

H04L 41/026   using e-messaging for trans...

H04L 41/06   Management of faults, event...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 41/12   Discovery or management of ...

H04L 41/22   comprising specially adapte...

H04L 41/5003   Managing SLA; Interaction b...

H04L 41/5009   Determining service level p...

H04L 41/5012   determining service availab...

H04L 41/5096   wherein the managed service...

H04L 43/0811   by checking connectivity

H04L 45/00   Routing or path finding of ...

H04L 45/56   Routing software

H04L 45/563   Software download or update

H04L 63/0245   Filtering by information in...

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

H04L 63/12 : Applying verification of th...

H04L 67/02 : based on web technology, e....

H04L 67/34 : involving the movement of s...

H04L 69/22 : Parsing or analysis of headers

H04L 9/40 : Network security protocols

View All

Controlling computer program extensions in a network device

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Controlling computer program extensions in a network device

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links