SANDBOXING TECHNOLOGY FOR WEBRUNTIME SYSTEM
Abstract
In a first embodiment of the present invention, a method of providing security enforcements of widgets in a computer system having a processor and a memory is provided, comprising: extracting access control information from a widget process requesting a service, generating access control rules customized for the widget process, and providing the access control rules to a trusted portion of the computer system outside of the user code space of a Web Runtime (WRT) system; and for any static access control rule, delegating security checking of the widget process from the WRT system to the trusted portion of the computer system.
84 Citations
22 Claims
1. A method of providing security enforcements of widgets in a computer system having a processor and a memory, comprising:
- extracting access control information from a widget process requesting a service, generating access control rules customized for the widget process, and providing the access control rules to a trusted portion of the computer system outside of the user code space of a Web Runtime (WRT) system; and
- for any static access control rule, delegating security checking of the widget process from the WRT system to the trusted portion of the computer system.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10
11. A method of providing security enforcements of widgets in a computer system having a processor and a memory, comprising:
- extracting access control information from a widget process requesting a service, generating access control rules customized for the widget process, and providing the access control rules to a trusted portion of the computer system outside of the user code space of a Web Runtime (WRT) system; and
- for any static access control rule, delegating some but not all security checking of the widget process from the WRT system to the trusted portion of the computer system, such that two levels of security checking are performed, one by the WRT system and one by the trusted portion of the computer system.

Dependent claims: 12, 13
14. A computer system having improved widget security, comprising:
- a processor;
- a memory;
- an operating system; and
- a Web Runtime (WRT) system supporting installation and invocation of widgets, the WRT system configured to receive a widget manifest from each installed widget and determine access control rules delegable from the WRT to a more secure portion of the computer system associated with the operating system, the WRT system further configured to pass a set of delegable static access control rules to the more secure portion to perform security checking.

Dependent claims: 15, 16, 17, 18, 19
20. A system comprising:
- a plurality of widgets;
- a WRT management process;
- a security server; and
- an operating system kernel;
- wherein the WRT management process is configured to:
  - extract access control information from the widgets, generate access control rules, and provide the access control rules to the operating system kernel; and
  - for any static access control rule, delegate at least some security checking of the static access control rule to the operating system kernel.

Dependent claims: 21
22. A program storage device readable by a machine tangibly embodying a program of instructions executable by the machine to perform a method providing security enforcements of widgets in a computer system having a processor and a memory, the method comprising:
- extracting access control information from a widget process requesting a service, generating access control rules customized for the widget process, and providing the access control rules to a trusted portion of the computer system outside of the user code space of a Web Runtime (WRT) system; and
- for any static access control rule, delegating security checking of the widget process from the WRT system to the trusted portion of the computer system.
Specification