PROVIDING A SECURITY BOUNDARY

US 20120159570A1
Filed: 12/21/2010
Published: 06/21/2012
Est. Priority Date: 12/21/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for providing a security boundary, the computer-implemented method comprising performing computer-implemented operations for:

executing a security monitor;

intercepting by way of the security monitor one or more application programming interface (API) calls placed by an application for accessing one or more system resources;

storing data in a security monitor database associated with accessing the system resources; and

determining by way of the security monitor at a runtime of the application whether the application placing the one or more API calls is authorized to access the system resources.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In order to enable potentially conflicting applications to execute on the same computer, application programming interface (API) calls are intercepted when an application attempts to access a computer system'"'"'s resources. During a learning mode of operation, a security monitor stores data in a security monitor database identifying which applications are allowed to access the computer system resources. At runtime of an application, the security monitor operates in an enforcement mode and utilizes the contents of the security monitor database to determine if an application is permitted to access system resources. If data associated with the application is located in the security monitor database, the application is allowed to access computer system resources, if data associated with the application is not located in the security monitor database, the application is not allowed to access computer system resources.

Citations

20 Claims

1. A computer-implemented method for providing a security boundary, the computer-implemented method comprising performing computer-implemented operations for:
- executing a security monitor;
  
  intercepting by way of the security monitor one or more application programming interface (API) calls placed by an application for accessing one or more system resources;
  
  storing data in a security monitor database associated with accessing the system resources; and
  
  determining by way of the security monitor at a runtime of the application whether the application placing the one or more API calls is authorized to access the system resources.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-implemented method of claim 1, further comprising:
    - allowing the application access to the system resources when data associated with the application is located in the security monitor database; and
      
      preventing the application access to the system resources when data associated with the application is not located in the security monitor database.
  - 3. The computer-implemented method of claim 2, further comprising providing data related to the application prevented access to the system resources to an administrator.
  - 4. The computer-implemented method of claim 1, further comprising:
    - associating one or more access control lists (ACLs) with the system resources requested to be used by the application; and
      
      storing the one or more ACLs in the security monitor database.
  - 5. The computer-implemented method of claim 4, wherein associating the one or more ACLs with the system resources requested to be used by the application and loading the security monitor database with the one or more ACLs occurs when the security monitor is operating in a learning mode.
  - 6. The computer-implemented method of claim 1, wherein the application is a virtual application.
  - 7. The computer-implemented method of claim 6, wherein the virtual application is running on a single physical machine on which other virtual applications are running.
  - 8. The computer-implemented method of claim 7, wherein the virtual application and other virtual applications are executed within a partition.
  - 9. The computer-implemented method of claim 1, wherein the system resource comprises at least one of a communications port, a registry, an open database connectivity connection string, or an endpoint.

10. A computer-readable storage medium having computer-readable instructions stored thereupon which, when executed by a computer, cause the computer to:
- intercepting by way of a security monitor one or more application program interface (API) calls placed by an application for accessing one or more system resources;
  
  storing data related to the API calls in a security monitor database; and
  
  isolating one or more other applications from accessing the system resources based on the data stored in the security monitor database.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The computer-readable storage medium of claim 10, having further computer-executable instructions stored thereon which, when executed bar the computer, cause the computer to:
    - provide a security monitor within a virtualization layer; and
      
      associate one or more access control lists (ACLs) with the system resources.
  - 12. The computer-readable storage medium of claim 11, having further computer-executable instructions stored thereon which, when executed by the computer, cause the computer to:
    - allow the application access to the system resources when data associated with the application is found in the security monitor database; and
      
      prevent the application from accessing the system resources when data associated with the application is not found in the security monitor database.
  - 13. The computer-readable storage medium of claim 12 further comprising providing data related to the application prevented from accessing the system resources to an administrator.
  - 14. The computer-readable storage medium of claim 13, wherein the administrator can allow access to the system resources to the application prevented from accessing the system resources.
  - 15. The computer-readable storage medium of claim 10, wherein the application is a virtual application.
  - 16. The computer-readable storage medium of claim 15, wherein the virtual application is running on a single physical machine on which other virtual applications are running.
  - 17. The computer-readable storage medium of claim 16, wherein the system resources are hidden from the other virtual applications running on the single physical machine using namespace hiding.
  - 18. The computer-readable storage medium of claim 17, wherein the system resource comprises at least one of a communications port, a registry, an open database connectivity connection string, or an endpoint.

19. A computer-implemented method for providing a security boundary, the computer-implemented method comprising performing computer-implemented operations for:
- executing a security monitor in a learning mode of operation during which application programming interface (API) calls placed by an application for accessing a system resource are intercepted and access control lists (ACLs) associated the system resource are stored in a security monitor database; and
  
  executing the security monitor in an enforcement mode of operation during which application programming interface (API) calls placed by the application are intercepted and a determination of whether ACLs associated with the application are stored in the security monitor database, wherein the application is authorized to access system resources when ACLs associated with the application are stored in the security monitor database, and the application is not authorized to access system resources when ACLs associated with the application are not stored in the security monitor database.
- View Dependent Claims (20)
- - 20. The computer-implemented method of claim 19, wherein the application comprises a virtual application and wherein the system resource comprises at least one of a communications port, a registry, an open database connectivity connection string, or an endpoint.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Reierson, Kristofer Hellick, de Souza, Lidiane Pereira, Anderson, Angela Mele

Granted Patent

US 9,003,543 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/2
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/604   Tools and structures for ma...

G06F 21/74   operating in dual or compar...

G06F 2221/2141   Access rights, e.g. capabil...

PROVIDING A SECURITY BOUNDARY

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

PROVIDING A SECURITY BOUNDARY

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links