TAMPER PROOF LOCATION SERVICES

US 20120159156A1
Filed: 12/20/2010
Published: 06/21/2012
Est. Priority Date: 12/20/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for setting access permissions on a resource based on location information, the method comprising:

receiving a permission update request to update permissions for an identified resource to include location-based permission information;

locating the identified resource;

locating access control information associated with the identified resource;

determining one or more allowed actions from the location-based permission information accompanying the request;

updating the located access control information to include the allowed location-based actions; and

storing the updated access control information associated with the identified resource, so that subsequent attempts to access the identified resource will be subject to the specified location-based access information,wherein the preceding steps are performed by at least one processor.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure location system is described herein that leverages location-based services and hardware to make access decisions. Many mobile computers have location devices, such as GPS. They also have a trusted platform module (TPM) or other security device. Currently GPS location data is made directly accessible to untrusted application code using a simple protocol. The secure location system provides a secure mechanism whereby the GPS location of a computer at a specific time can be certified by the operating system kernel and TPM. The secure location system logs user activity with a label indicating the geographic location of the computing device at the time of the activity. The secure location system can provide a difficult to forge, time-stamped location through a combination of kernel-mode GPS access and TPM security hardware. Thus, the secure location system incorporates secure location information into authorization and other operating system decisions.

62 Citations

View as Search Results

20 Claims

1. A computer-implemented method for setting access permissions on a resource based on location information, the method comprising:
- receiving a permission update request to update permissions for an identified resource to include location-based permission information;
  
  locating the identified resource;
  
  locating access control information associated with the identified resource;
  
  determining one or more allowed actions from the location-based permission information accompanying the request;
  
  updating the located access control information to include the allowed location-based actions; and
  
  storing the updated access control information associated with the identified resource, so that subsequent attempts to access the identified resource will be subject to the specified location-based access information,wherein the preceding steps are performed by at least one processor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein the identified resource is an object managed by an operating system that includes associated security information including at least one access control list (ACL) or access control entry (ACE).
  - 3. The method of claim 1 wherein receiving the permission update request comprises receiving the request from an application through an operating system application programming interface (API).
  - 4. The method of claim 1 wherein receiving the permission update request comprises receiving information identifying the resource by a path receiving access control information that includes a geographic location as at least one access criteria.
  - 5. The method of claim 1 wherein locating the identified resource comprises accessing the resource on disk, within a configuration database, or within a configuration directory and accessing related access control metadata associated with the resource.
  - 6. The method of claim 1 wherein locating the access control information comprises invoking an operating system application programming interface (API) for navigating and/or modifying access control information that include location-based information.
  - 7. The method of claim 1 wherein determining one or more allowed actions comprises determining whether the resource can be read, written, or included in a listing based on a geographic location of a computing device on which the resource is stored.
  - 8. The method of claim 1 wherein determining one or more allowed actions comprises determining a geographic region based on one or more specified boundaries of the geographic region.
  - 9. The method of claim 1 wherein updating the access control information comprises adding a hierarchical access control entry (ACE) that indicates a geographic region in which a specified action related to the identified resource is permitted.
  - 10. The method of claim 1 wherein updating the access control information comprises combining location-based access control information with non-location-based access control information to indicate one or more criteria for accessing the identified resource.

11. A computer system for providing tamper-proof location services to software applications, the system comprising:
- a location hardware component that provides a hardware signal that indicates a current geographic location of the system;
  
  a hardware security component that provides a trustworthy computing guarantee for software code running on the system;
  
  a processor and memory configured to execute software instructions embodied within the following components;
  
  a kernel location provider that provides an interface from an operating system kernel to user-mode services and applications that use location information;
  
  a location certification component that retrieves a certificate indicating a current location of the computer system with information from the location hardware component and hardware security component;
  
  a location audit component that stores an audit trail of secure location information associated with the computer system; and
  
  a location verification component that requests location information from the kernel location provider and performs one or more actions based on received location information.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The system of claim 11 wherein the location hardware component comprises a global positioning system (GPS) hardware device that receives a GPS signal and determines a location of the system.
  - 13. The system of claim 11 wherein the location hardware component comprises non-GPS hardware from which a location can be derived based on supplemental information.
  - 14. The system of claim 11 wherein the hardware security component includes a trusted platform module (TPM) that provides cryptographically verifiable authoritative information related to security of a computing device.
  - 15. The system of claim 11 wherein the hardware security component and location hardware are connected via a secure channel for communication.
  - 16. The system of claim 11 wherein the hardware security component verifies authentication information for a software driver associated with the location hardware component to create a secure chain of trust from the location hardware component to the operating system.
  - 17. The system of claim 11 wherein the kernel location provides includes a pluggable model for providing drivers or other software for interacting with various location and security hardware devices to expose secure location information in a common way to applications and services.
  - 18. The system of claim 11 wherein location certificates retrieved by the location certification component include a signed indication of the location of the computer system and the time at which the certificate was generated.
  - 19. The system of claim 11 wherein the location audit component stores an indication of the system'"'"'s location each time an application or service requests a location certificate from the location certification component.

20. A computer-readable storage medium comprising instructions for controlling a computer system to access a resource with location-based access permissions, wherein the instructions, upon execution, cause a processor to perform actions comprising:
- receiving a request to access an identified resource, wherein the identified resource includes associated location-based access information;
  
  accessing a secure source of location information;
  
  receiving a location certificate from the secure source of location information that indicates a current geographic location of a computing device on which the request was received;
  
  comparing the location-based information provided by the received location certificate with at least one location-based restriction in access control information associated with the identified resource;
  
  if the comparison indicates that the requested access of the resource is permitted at the current location, allowing the access request and providing the requested access to the resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Barham, Paul, Figueroa, Joseph N.

Granted Patent

US 8,560,839 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/156
CPC Class Codes

G06F 21/1013   to locations

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 2221/2111   Location-sensitive, e.g. ge...

H04L 63/107   wherein the security polici...

TAMPER PROOF LOCATION SERVICES

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

62 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

TAMPER PROOF LOCATION SERVICES

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

62 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links