SANDBOXING TECHNOLOGY FOR WEBRUNTIME SYSTEM

US 20130036448A1
Filed: 03/05/2012
Published: 02/07/2013
Est. Priority Date: 08/03/2011
Status: Active Grant

First Claim

Patent Images

1. A method of providing security enforcements of widgets in a computer system having a processor and a memory, comprising:

extracting access control information from a widget process requesting a service, generating access control rules customized for the widget process, and providing the access control rules to a trusted portion of the computer system outside of the user code space of a Web Runtime (WRT) system; and

for any static access control rule, delegating security checking of the widget process from the WRT system to the trusted portion of the computer system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a first embodiment of the present invention, a method of providing security enforcements of widgets in a computer system having a processor and a memory is provided, comprising: extracting access control information from a widget process requesting a service, generating access control rules customized for the widget process, and providing the access control rules to a trusted portion of the computer system outside of the user code space of a Web Runtime (WRT) system; and for any static access control rule, delegating security checking of the widget process from the WRT system to the trusted portion of the computer system.

84 Citations

View as Search Results

22 Claims

1. A method of providing security enforcements of widgets in a computer system having a processor and a memory, comprising:
- extracting access control information from a widget process requesting a service, generating access control rules customized for the widget process, and providing the access control rules to a trusted portion of the computer system outside of the user code space of a Web Runtime (WRT) system; and
  
  for any static access control rule, delegating security checking of the widget process from the WRT system to the trusted portion of the computer system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - for any non-static access control rule;
      
      requesting a one-time token from a security server, wherein the one-time token expires after the widget process consumes the requested service; and
      
      wherein the one-time token is used by the widget process to access the service.
  - 3. The method of claim 1, wherein a static access control rule includes one of the following:
    - a blanket prompt;
      
      a permit prompt; and
      
      a deny prompt.
  - 4. The method of claim 2, wherein a non-static access control rules includes one of the following:
    - a session prompt; and
      
      a one-shot prompt.
  - 5. The method of claim 2, wherein for any non-static access control rule that is a session prompt, the method further comprises:
    - requesting permission from a user prior to launching the widget process;
      
      dropping privileges of the WRT; and
      
      resetting dynamic access control configuration of the widget process and requesting that the security server revokes the one-time token upon next launch of the widget process.
  - 6. The method of claim 2, wherein for any non-static access control rule that is a one-time prompt, the method further comprises:
    - requesting permission from a user when the widget process requests the service;
      
      requesting that the security server honor the one-time token only a single time
  - 7. The method of claim 1, wherein the trusted portion is an operating system kernel.
  - 8. The method of claim 7, wherein the access control rules are implemented as mandatory access control rules enforced by the kernel.
  - 9. The method of claim 7, wherein the extracting, generating, and providing are performed by a WRT management process.
  - 10. The method of claim 1, wherein the security server is a part of Service Location Protocol (SLP) Access Control.

11. A method of providing security enforcements of widgets in a computer system having a processor and a memory, comprising:
- extracting access control information from a widget process requesting a service, generating access control rules customized for the widget process, and providing the access control rules to a trusted portion of the computer system outside of the user code space of a Web Runtime (WRT) system; and
  
  for any static access control rule, delegating some but not all security checking of the widget process from the WRT system to the trusted portion of the computer system, such that two levels of security checking are performed, one by the WRT system and one by the trusted portion of the computer system.
- View Dependent Claims (12, 13)
- - 12. The method of claim 11, wherein the trusted portion is an operating system kernel.
  - 13. The method of claim 12, wherein the access control rules are implemented as mandatory access control rules enforced by the kernel.

14. A computer system having improved widget security, comprising:
- a processor;
  
  a memory;
  
  an operating system; and
  
  a Web Runtime (WRT) system supporting installation and invocation of widgets, the WRT system configured to receive a widget manifest from each installed widget and determine access control rules delegable from the WRT to a more security portion of the computer system associated with the operating system, the WRT system further configured to pass a set of delegable static access control rules to the more secure portion to perform security checking.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The computer system of claim 14 wherein the WRT system includes a WRT management process that is configured to communicate with a security server to obtain one-time tokens for any non-static access control rules.
  - 16. The computer system of claim 14, wherein the WRT system is configured to pass the set of delegable static access control rules when a widget is invoked.
  - 17. The computer system of claim 15, wherein the WRT management process is further configured to communicate with the security server when a widget is invoked for any non-static access control rules that are session prompts.
  - 18. The computer system of claim 16, wherein the WRT management process is further configured to communicate with the security server when a widget requests a particular service for any non-static access control rules that are one-time prompts linked to the particular service.
  - 19. The computer system of claim 14, wherein the trusted portion is a kernel.

20. A system comprising:
- a plurality of widgets;
  
  a WRT management process;
  
  a security server; and
  
  an operating system kernel;
  
  wherein the WRT management process is configured to;
  
  extract access control information from the widgets, generate access control rules, and provide the access control rules to the operating system kernel; and
  
  for any static access control rule, delegate at least some security checking of the static access control rule to the operating system kernel.
- View Dependent Claims (21)
- - 21. The system of claim 20, wherein the WRT management process is associated with a WRT system.

22. A program storage device readable by a machine tangibly embodying a program of instructions executable by the machine to perform a method providing security enforcements of widgets in a computer system having a processor and a memory, the method comprising:
- extracting access control information from a widget process requesting a service, generating access control rules customized for the widget process, and providing the access control rules to a trusted portion of the computer system outside of the user code space of a Web Runtime (WRT) system; and
  
  for any static access control rule, delegating security checking of the widget process from the WRT system to the trusted portion of the computer system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Samsung Electronics Co. Ltd.
Original Assignee
Samsung Electronics Co. Ltd.
Inventors
ACIICMEZ, Onur, BLAICH, Andrew C.

Granted Patent

US 9,064,111 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/6218   to a system of files or obj...

G06F 21/6281   at program execution time, ...

G06F 21/629   to features or functions of...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2119   Authenticating web pages, e...

G06F 2221/2137   Time limited access, e.g. t...

G06F 2221/2141   Access rights, e.g. capabil...

SANDBOXING TECHNOLOGY FOR WEBRUNTIME SYSTEM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

84 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

SANDBOXING TECHNOLOGY FOR WEBRUNTIME SYSTEM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

84 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links