Variable Expressions in Security Assertions

US 20080065899A1
Filed: 09/08/2006
Published: 03/13/2008
Est. Priority Date: 09/08/2006
Status: Abandoned Application

First Claim

Patent Images

1. A system implementing a security scheme comprising a security language that operates with assertions, wherein the security language implicitly assigns a type to variables of a given assertion based on syntactic positions of the variables within the given assertion, the type selected from a set of predefined security-related types.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security scheme enables control over variables that are expressed in security assertions. In an example implementation, a security type is implicitly assigned to variables based on their syntactic position within a given assertion. In another example implementation, a security scheme enforces strong variable typing such that each variable in an assertion binds to only a single security type. In yet another example implementation, a security scheme constrains the binding behavior of two variables with respect to each other.

102 Citations

View as Search Results

20 Claims

1. A system implementing a security scheme comprising a security language that operates with assertions, wherein the security language implicitly assigns a type to variables of a given assertion based on syntactic positions of the variables within the given assertion, the type selected from a set of predefined security-related types.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system as recited in claim 1, wherein the set of predefined security-related types comprises two or more base types selected from a group of base types comprising:
    - principal, action verb, resource, attribute, and at least one specifically-identified environmental qualifier.
  - 3. The system as recited in claim 1, wherein the set of predefined security-related types comprises base types that include:
    - principal, action verb, resource, attribute, date-time, and location.
  - 4. The system as recited in claim 1, wherein the security scheme enforces strong-typing by ensuring that each variable within each assertion binds to no more than a single type of the set of predefined security-related types.
  - 5. The system as recited in claim 1, wherein the security language includes an ability to specify a dual variable binding constraint that stipulates whether two variables of a same type are to bind to different concrete values or are to bind to identical concrete values.
  - 6. The system as recited in claim 1, wherein the security language includes an ability to specify a single variable binding constraint that stipulates that an associated single variable is to bind to concrete values and not to other variables.
  - 7. The system as recited in claim 1, wherein the security language establishes a corresponding type from among the set of predefined security-related types for each syntactic position of the given assertion.
  - 8. The system as recited in claim 1, wherein the security language enables variables to be controlled by declaring their type in conjunction with a constraint pattern.

9. A device implementing a security language that operates with assertions, wherein the device enforces strong-typing for variables by validating that each variable binds to only a single type, the single type selected from a set of predefined security-related types.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The device as recited in claim 9, wherein the strong-typing enforcement is applied at an assertion granularity such that each variable of a given assertion is permitted to bind to only a single type within the given assertion.
  - 11. The device as recited in claim 9, wherein the strong-typing enforcement is applied at a syntactic level by rejecting any assertion that includes a particular variable that is present at two syntactic positions corresponding to two different types.
  - 12. The device as recited in claim 9, wherein the device processes a single variable binding constraint that is associated with a variable by constraining the variable to bind to a concrete value while preventing the variable from binding to another variable.
  - 13. The device as recited in claim 9, wherein the set of predefined security-related types comprises two or more base types selected from a group of base types comprising:
    - principal, action verb, resource, attribute, and at least one specifically-identified environmental qualifier.
  - 14. The device as recited in claim 9, wherein the device processes a dual variable binding constraint included as part of an assertion by enforcing a stipulation as to whether two variables of a same type are to bind to different concrete values or are to bind to identical concrete values.
  - 15. The device as recited in claim 9, wherein the device executes the security language by enabling variables to be controlled through a declaration of their type in conjunction with a constraint pattern to which they are to adhere.

16. A system implementing a security scheme comprising a variable binding constraint mechanism that enables an author of an assertion to constrain binding behavior of two or more variables with respect to each other when the two or more variables are of a same type.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system as recited in claim 16, wherein the two or more variables comprise a first variable and a second variable;
    - and wherein the variable binding constraint mechanism comprises a dual variable binding constraint that stipulates whether the first variable and the second variable are to bind to an identical concrete value.
  - 18. The system as recited in claim 17, wherein the dual variable binding constraint comprises an equality constraint stipulating that the first variable and the second variable are to be bound to the identical concrete value.
  - 19. The system as recited in claim 17, wherein the dual variable binding constraint comprises an inequality constraint stipulating that the first variable and the second variable cannot be bound to the identical concrete value.
  - 20. The system as recited in claim 16, wherein the variable binding constraint mechanism comprises a single variable binding constraint indicator that indicates when a variable of the two or more variables is constrained to bind to a concrete value while being prevented from binding to another variable.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Dillaway, Blair B., LaMacchia, Brian A., Becker, Moritz Y., Gordon, Andrew D., Fournet, Cedric

Application Number

US11/530,427
Publication Number

US 20080065899A1
Time in Patent Office

Days
Field of Search
US Class Current

713/185
CPC Class Codes

G06F 21/6218 to a system of files or obj...

Variable Expressions in Security Assertions

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

102 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Variable Expressions in Security Assertions

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

102 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others