METHOD AND SYSTEM FOR RESTRICTING EXECUTION OF VIRTUAL APPLICATIONS TO A MANAGED PROCESS ENVIRONMENT

US 20120110337A1
Filed: 10/29/2010
Published: 05/03/2012
Est. Priority Date: 10/29/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method performed by a first process configured to execute an application file, the method comprising:

determining whether the first process has a parent process;

when it is determined that the first process does not have a parent process, terminating execution of the application file;

when it is determined that the first process has a parent process, determining whether the parent process has a digital signature;

when it is determined that the parent process has a digital signature, determining whether the parent process is associated with an authorized entity;

when it is determined that the parent process is not associated with an authorized entity, terminating execution of the application file;

when it is determined that the parent process is associated with an authorized entity, determining whether the digital signature is valid using a public key associated with the authorized entity;

when it is determined that the digital signature is valid, executing the application file; and

when it is determined that the digital signature is invalid, terminating execution of the application file.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for restricting the launch of virtual application files. In one embodiment, a launching application is signed with a digital signature. When the launching application launches a runtime engine and instructs it to execute an application file, the runtime engine determines whether an entity identifier associated with the launching application identifies an authorized entity. If the entity identifier identifies an authorized entity and the digital signature is valid, the runtime engine executes the application file. In another embodiment, a ticket is transmitted to the launching application along with an instruction to launch the application file. The ticket includes a digital signature and an expiration date. The launching application communicates the ticket to the runtime engine, which will execute the application file only if the digital signature is valid and a current date is not later than the expiration date.

83 Citations

View as Search Results

28 Claims

1. A computer-implemented method performed by a first process configured to execute an application file, the method comprising:
- determining whether the first process has a parent process;
  
  when it is determined that the first process does not have a parent process, terminating execution of the application file;
  
  when it is determined that the first process has a parent process, determining whether the parent process has a digital signature;
  
  when it is determined that the parent process has a digital signature, determining whether the parent process is associated with an authorized entity;
  
  when it is determined that the parent process is not associated with an authorized entity, terminating execution of the application file;
  
  when it is determined that the parent process is associated with an authorized entity, determining whether the digital signature is valid using a public key associated with the authorized entity;
  
  when it is determined that the digital signature is valid, executing the application file; and
  
  when it is determined that the digital signature is invalid, terminating execution of the application file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1 for use with the application file comprising configuration information including a digital rights management indicator, the method further comprising:
    - before determining whether the first process has a parent process, reading the configuration information of the application file to obtain the digital rights management indicator; and
      
      executing the application file without determining whether the first process has a parent process if the digital rights management indicator indicates that a parent process of the first process is not to be validated.
  - 3. The computer-implemented method of claim 1, wherein whether the parent process is associated with an authorized entity is determined based on an entity identifier associated with the parent process,the parent process is implemented by at least one executable file that comprises the entity identifier associated with the parent process, andthe method further comprises obtaining the entity identifier associated with the parent process from the at least one executable file.
  - 4. The computer-implemented method of claim 1, wherein the parent process is implemented by at least one executable file that comprises the public key, and the method further comprises:
    - obtaining the public key associated with the authorized entity from the at least one executable file.
  - 5. The computer-implemented method of claim 1, wherein whether the parent process is associated with an authorized entity is determined based on an entity identifier associated with the parent process,the parent process is implemented by at least one executable file that comprises a public key certificate comprising the entity identifier associated with the parent process and the public key associated with the authorized entity, andthe method further comprises obtaining at least one of the entity identifier associated with the parent process and the public key associated with the authorized entity from the public key certificate.
  - 6. The computer-implemented method of claim 5, wherein the parent process is determined to be associated with an authorized entity when the entity identifier matches a predetermined entity identifier associated with the authorized entity and the public key certificate was issued by a trusted certificate authority.
  - 7. The computer-implemented method of claim 5, wherein the parent process is determined to be associated with an authorized entity when the entity identifier matches a predetermined entity identifier associated with the authorized entity and the public key certificate was issued by the authorized entity.
  - 8. The computer-implemented method of claim 1 performed by the first process that is a virtual runtime engine configured to execute a virtualized application file, wherein the parent process is an application configured to instruct the virtual runtime engine to launch the virtualized application file.

9. A computer-implemented method performed by a first process implemented by an application file comprising configuration information, the method comprising:
- reading the configuration information from the application file to obtain a digital rights management indicator;
  
  when the digital rights management indicator indicates that a parent process of the first process is not to be validated, allowing the application file to continue executing; and
  
  when the digital rights management indicator indicates that a parent process of the first process is to be validated, determining whether the first process was launched by a parent process,when it is determined that the first process was not launched by a parent process, terminating execution of the application file,when it is determined that the first process was launched by a parent process, determining whether the parent process has a digital signature,when it is determined that the parent process has a digital signature, using an entity identifier associated with the parent process to determine whether the digital signature is associated with an authorized entity,when it is determined that the digital signature is not associated with an authorized entity, terminating execution of the application file,when it is determined that the digital signature is associated with an authorized entity, determining whether the digital signature is valid using a public key associated with the authorized entity,when it is determined that the digital signature is valid, allowing the application file to continue executing, andwhen it is determined that the digital signature is invalid, terminating execution of the application file.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The computer-implemented method of claim 9 performed by the first process that is a virtual runtime engine implemented by a virtualized application file, wherein the parent process is an application configured to launch execution of the virtualized application file.
  - 11. The computer-implemented method of claim 9, wherein the parent process is implemented by at least one executable file that comprises a public key certificate comprising the entity identifier associated with the parent process and the public key associated with the authorized entity, andthe method further comprises obtaining at least one of the entity identifier associated with the parent process and the public key associated with the authorized entity from the public key certificate.
  - 12. The computer-implemented method of claim 11, wherein the parent process is determined to be associated with an authorized entity when the entity identifier matches a predetermined entity identifier associated with the authorized entity and the public key certificate was issued by a trusted certificate authority.
  - 13. The computer-implemented method of claim 11, wherein the parent process is determined to be associated with an authorized entity when the entity identifier matches a predetermined entity identifier associated with the authorized entity and the public key certificate was issued by the authorized entity.

14. A computer-implemented method for use with a launching application and a separate runtime engine, the launching application and the runtime engine being configured to access a shared memory location, the method comprising:
- at the launching application, receiving a first instruction to execute an application file and a ticket, the ticket comprising a digital signature and an expiration date;
  
  at the launching application, storing the ticket in the shared memory location and sending a second instruction to the runtime engine instructing the runtime engine to execute the application file; and
  
  in response to the second instruction received from the launching application, at the runtime engine, reading the ticket from the shared memory block, determining whether the digital signature is valid, determining whether the ticket has expired, and executing the application file only when the runtime engine determines the ticket is valid and has not yet expired, whether the ticket is valid being determined based on the digital signature, and whether the ticket has expired being determined based on the expiration date.
- View Dependent Claims (15, 16, 17)
- - 15. The computer-implemented method of claim 14 for use with the runtime engine comprising a public key, wherein whether the ticket is valid is determined based on the digital signature and the public key.
  - 16. The computer-implemented method of claim 14 for use with the launching application connected to a server computing device via the Internet, wherein the first instruction to execute the application file and the ticket are both received by the launching application from the server computing device via the Internet.
  - 17. The computer-implemented method of claim 16, further comprising:
    - at the launching application, receiving a third instruction to at least partially download the application file.

18. A computer-implemented method for use with an application file, and a shared memory location storing a ticket comprising a digital signature and an expiration date, the application file comprising a digital rights management indicator, the method comprising:
- receiving an instruction to execute the application file;
  
  in response to the instruction, reading the ticket from the shared memory location and reading the digital rights management indicator from the application file;
  
  if the digital rights management indicator indicates the ticket is to be validated, determining whether the digital signature is valid, determining whether the ticket has expired, and executing the application file only when the ticket is determined to be valid and not yet expired, whether the ticket is valid being determined based on the digital signature, and whether the ticket has expired being determined based on the expiration date; and
  
  if the digital rights management indicator indicates the ticket is not to be validated, executing the application file.
- View Dependent Claims (19, 20)
- - 19. The computer-implemented method of claim 18 further comprising:
    - obtaining a public key, wherein whether the ticket is valid is determined based on the digital signature and the public key.
  - 20. The computer-implemented method of claim 18, further comprising:
    - when the ticket is determined to be one of invalid or expired, displaying an error message.

21. A computer-implemented method for use with a remote computing device implementing a launching application and a separate runtime engine, the method comprising:
- instructing the remote computing device to display a plurality of selectable options, each option corresponding to an application file;
  
  receiving a selection of one of the plurality of selectable options from the remote computing device;
  
  creating a ticket comprising a digital signature and an expiration date;
  
  instructing the launching application on the remote computing device to launch the application file corresponding to the selected one of the plurality of selectable options; and
  
  transmitting the ticket to the launching application, the launching application being operable to communicate the ticket to the runtime engine, the runtime engine being operable to execute the application file corresponding to the selected one of the plurality of selectable options in response to an instruction to do so only when the digital signature of the ticket is valid and a current date is not later than the expiration date.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The computer-implemented method of claim 21, further comprising:
    - downloading the application file corresponding to the selected one of the plurality of selectable options to the remote computing device.
  - 23. The computer-implemented method of claim 21, wherein the application file corresponding to the selected one of the plurality of selectable options was stored on the remote computing device before the remote computing device is instructed to display the plurality of selectable options.
  - 24. The computer-implemented method of claim 21 for use with the remote computing device operated by a user, further comprising:
    - before creating the ticket, determining whether the user operating the remote computing device has logged into a user account;
      
      if the user has not logging into a user account, instructing the remote computing device to display a login display, receiving login information from the remote computing device via the login display, and determining whether the login information is valid;
      
      if the login information is valid, creating a login session, wherein creating the ticket further comprises incorporating information related to the login session in the ticket.
  - 25. The computer-implemented method of claim 21, wherein the application file is a virtualized application file.

26. A computer-implemented method for use with a server computing device and a runtime engine, the method comprising:
- receiving a ticket and a first instruction to execute an application file from the server computing device, the ticket comprising a digital signature and an expiration date;
  
  storing the ticket in a memory location accessible by the runtime engine;
  
  sending a second instruction to the runtime engine instructing the runtime engine to execute the application file, the runtime engine being operable to execute the application file in response to the instruction to do so only when the digital signature of the ticket is valid and a current date is not later than the expiration date.
- View Dependent Claims (27, 28)
- - 27. The computer-implemented method of claim 26, further comprising:
    - at least partially downloading the application file from the server computing device.
  - 28. The computer-implemented method of claim 26, wherein the application file is a virtualized application file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Code Systems Incorporated (VOXX International Corporation)
Original Assignee
Code Systems Incorporated (VOXX International Corporation)
Inventors
Murphey, C. Michael, Zeller, Mark Jeremy, Larimore, Stefan I., Obata, Kenjl C.

Granted Patent

US 9,209,976 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/182
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/121   Restricting unauthorised ex...

H04L 9/32   including means for verifyi...

H04L 9/3247   involving digital signatures

METHOD AND SYSTEM FOR RESTRICTING EXECUTION OF VIRTUAL APPLICATIONS TO A MANAGED PROCESS ENVIRONMENT

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

83 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR RESTRICTING EXECUTION OF VIRTUAL APPLICATIONS TO A MANAGED PROCESS ENVIRONMENT

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

83 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links