Security model using restricted tokens

US 6,279,111 B1
Filed: 06/12/1998
Issued: 08/21/2001
Est. Priority Date: 06/12/1998
Status: Expired due to Term

First Claim

Patent Images

1. In a computer system including a first process having access to a resource, a method of granting or denying access of a second process to the resource, comprising, creating a restricted access token from a parent token associated with a first process, the restricted access token having privilege and security identifier access rights therein that comprise reduced access rights relative to the parent token, associating the restricted access token with the second process, requesting that the second process be given access to the resource, providing a security descriptor associated with the resource to a security mechanism, providing the restricted token to the security mechanism, performing an access evaluation at the security mechanism by comparing information in the restricted token with information in the security descriptor, and determining whether to grant or deny access based on the result of the access evaluation.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A restrict ed access token is created from an existing token, and provides less access than that token. A restricted token may be created by changing an attribute of one or more security identifiers allowing access in the parent token to a setting that denies access in the restricted token and/or removing one or more privileges from the restricted token relative to the parent token. A restricted access token also may be created by adding restricted security identifiers thereto. Once created, a process associates another process with the restricted token to launch the other process in a restricted context that is a subset of its own rights and privileges. A kernel-mode security mechanism determines whether the restricted process has access to a resource by first comparing user-based security identifiers in the restricted token and the intended type of action against a list of identifiers and actions associated with the resource. If no restricted security identifiers are in the restricted token, access is determined by this first check, otherwise a second access check further compares the restricted security identifiers against the list of identifiers and actions associated with the resource. With a token having restricted security identifiers, the process is granted access if both the first and second access checks pass. In this manner, a process is capable of restricting another process, such as possibly unruly code, in the actions it can perform.

338 Citations

38 Claims

1. In a computer system including a first process having access to a resource, a method of granting or denying access of a second process to the resource, comprising, creating a restricted access token from a parent token associated with a first process, the restricted access token having privilege and security identifier access rights therein that comprise reduced access rights relative to the parent token, associating the restricted access token with the second process, requesting that the second process be given access to the resource, providing a security descriptor associated with the resource to a security mechanism, providing the restricted token to the security mechanism, performing an access evaluation at the security mechanism by comparing information in the restricted token with information in the security descriptor, and determining whether to grant or deny access based on the result of the access evaluation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 18)
- - 2. The method of claim 1 wherein creating a restricted access token from a parent token includes removing at least one privilege from the restricted token relative to the parent token.
  - 3. The method of claim 1 wherein creating a restricted access token from a parent token includes changing attribute information of a security identifier in the restricted token to reduce or deny access via that security identifier, relative to attribute information of a corresponding security identifier in the parent token.
  - 4. The method of claim 3 wherein performing the access evaluation at the security mechanism includes, performing a first access check using user-based security identifier information in the restricted token and security identifier entries in the security descriptor, and if a correspondence is detected between a security identifier entry in the security descriptor and a user-based security identifier in the restricted token having attribute information that denies access, denying the process access to the resource.
  - 5. The method of claim 1 wherein creating a restricted access token from a parent token includes adding a restricted security identifier to the restricted token.
  - 6. The method of claim 5 wherein performing the access evaluation at the security mechanism includes performing a first access check using user-based security identifier information in the restricted token and security identifier entries in the security descriptor, and if the first access check indicates that access is allowable, performing a second access check using restricted security identifier information in the restricted token and security identifier entries in the security descriptor, and granting access if the second access check indicates that access is allowable.
  - 7. The method of claim 6 wherein if performing the first access check indicates that access is not allowable, denying the second process access to the resource.
  - 8. The method of claim 1 wherein creating a restricted access token includes copying the identifiers and privileges from the parent token into the restricted token, removing at least one privilege from the restricted token, changing attribute information of at least one security identifier in the restricted token to reduce or deny access, and adding at least one restricted security identifier to the restricted token.
  - 9. The method of claim 1 wherein performing the access evaluation includes matching at least one security identifier in the restricted token with at least one security identifier in the security descriptor.
  - 10. The method of claim 1 wherein performing the access evaluation further includes matching a type of action desired by the second process against an allowed type of action identified in the security descriptor.
  - 11. The method of claim 1 wherein performing the access evaluation includes evaluating privileges in the restricted access token.
  - 12. The method of claim 1 further comprising auditing the result of the access evaluation.
  - 13. The method of claim 1 wherein creating a restricted access token from a parent token includes adding a plurality of sets of restricted security identifiers to the restricted token, and wherein performing the access evaluation at the security mechanism includes performing access checks on the sets of restricted security identifiers to obtain a plurality of results, and combining the results via a Boolean expression to determine whether to grant or deny access.
  - 14. A computer-readable medium having computer-executable instructions for performing the method of claim 1.
  - 18. A computer-readable medium having computer-executable instructions for performing the method of claim 14.

15. In a computer system, a method of granting a process access to a resource, comprising, creating an access token and associating the token with the process requesting the access, the access token including user and group security identifiers and at least one restricted identifier corresponding to a process or resource, assigning an access control list to a resource, the access control list containing entries of identifiers having access to the resource, performing a first comparison of the user and group identifiers in the token with the entries in the access control list, and if the first comparison indicates that access is allowable, performing a second comparison of the at least one restricted identifier with the entries in the access control list, and granting access if the second comparison indicates that access is allowable.
- View Dependent Claims (16, 17)
- - 16. The method of claim 15 wherein the access control list includes at least one allowable type of action with each entry, further comprising indicating a desired type of action to the security mechanism, and wherein performing the first and second comparisons each include comparing the desired type of action with the allowable type of action.
  - 17. The method of claim 15 further comprising denying access before performing the second comparison if the first comparison indicates that access is not allowable.

19. In a computer system, a system for providing access control, comprising, a process, a token associated with the process, the token including a list comprising at least one restricted security identifier therein, a resource, an access list associated with the resource comprising security identifier entries therein, and a security mechanism for performing an access evaluation by comparing the at least one identifier in the token list with the identifiers in the access list for granting or denying the process access to the resource based on a result of the access evaluation.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The system of claim 19 wherein the token further includes security identifiers therein identifying user and group information, and wherein the security mechanism performs the access evaluation including a first access check comparing user and group identifiers against identifiers in the access list and a second access check comparing the at least one restricted security identifier in the token list with the identifiers in the access list for granting or denying the process access to the resource based on a result of the first and second access checks.
  - 21. The system of claim 20 wherein the security mechanism grants access when both the first access check determines that a security identifier representing a user or group in the token corresponds to a security identifier in the access control list, and the second access check determines that a security identifier in the token corresponds to a security identifier in the access control list, and wherein otherwise the security mechanism denies access.
  - 22. The system of claim 19 wherein the token further includes user and group security identifiers therein identifying user and group information, and wherein the user and group security identifiers each include attribute information indicating whether that security identifier will be used for granting or denying access.
  - 23. The method of claim 22 wherein the security mechanism denies access when the first access check determines that a user or group security identifier having an attribute indicating that the security identifier is used for denying access corresponds to a security identifier in the access control list.
  - 24. The system of claim 19 wherein the security mechanism further evaluates privileges in the restricted access token.

25. A computer-readable medium having stored thereon a data structure associated with a process, comprising:
- a first data field including data representing user and group identifiers; and
  
  a second data field including data representing at least one other identifier;
  
  wherein the process is granted access to a resource if at least one identifier in the first data field and at least one identifier in the second data field each allowably match an entry in a list of identifier entries associated with the resource.

26. In a computer system, a method of determining access to system resources for a plurality of processes organized into a job, comprising, creating a restricted access token from a parent token, the restricted access token having privilege and security identifier access rights therein that comprise a reduced subset of privilege and security identifier access rights in the parent token, associating the restricted access token with the processes in the job, and for each process in the job, requesting access to a system resource, providing a security descriptor associated with that resource to a security mechanism, providing the restricted token to the security mechanism, performing an access evaluation at the security mechanism by comparing information in the restricted token with information in the security descriptor, and determining whether to grant or deny access for each process based on the result of the access evaluation.
- View Dependent Claims (27)
- - 27. The method of claim 26 further comprising producing another process in the job and associating the restricted token with that process.

28. In a computer network including a client machine and a server machine, a method of determining access to a server resource of a server process run for a client on the server machine, comprising, passing authentication information and restriction information from the client to the server, authenticating the client at the server based on the authentication information passed thereto, creating a restricted token on the server based on the restriction information passed thereto, the restricted token providing reduced access relative to a parent access token, associating the restricted token with the server process, requesting to access the server resource by the server process, and comparing the restricted token and a security descriptor of the resource to determine whether to grant or deny the process access to the resource.
- View Dependent Claims (29, 30, 31)
- - 29. The method of claim 28 wherein passing the authentication information and the restriction information from the client to the server includes, providing restriction data associated with a client process in a ticket request, passing the ticket request to a ticket issuing facility of the network for an authentication ticket, and in response to the request, receiving an authentication ticket at the client, the ticket including the restriction information therein.
  - 30. The method of claim 29 wherein the ticket issuing facility is a key distribution center in accordance with the Kerberos authentication protocol.
  - 31. A computer-readable medium having computer-executable instructions for performing the method of claim 28.

32. A computer-implemented method, comprising:
- deriving a restricted access token from a parent access token, the restricted access token having reduced access relative to the parent access token;
  
  associating the restricted access token with a process capable of requesting access to a set of resources; and
  
  providing the restricted access token to a security mechanism upon a request to access a resource of the set by the process, the security mechanism determining access to the resource based on the restricted access token and security information associated with the resource.
- View Dependent Claims (33, 34, 35, 36, 37, 38)
- - 33. The method of claim 32 wherein deriving a restricted access token from a parent access token includes removing at least one privilege from the restricted token relative to the parent token.
  - 34. The method of claim 32 wherein deriving a restricted access token from a parent access token includes changing attribute information of a security identifier in the restricted token.
  - 35. The method of claim 32 wherein deriving a restricted access token from a parent access token includes adding a restricted security identifier to the restricted token.
  - 36. The method of claim 35 wherein the restricted security identifier identifies an application program.
  - 37. The method of claim 32 wherein the security mechanism is incorporated into an operating system.
  - 38. A computer-readable medium having computer-executable instructions for performing the method of claim 32.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Garg, Praerit, Chan, Shannon J., Goertzel, Mario C., Swift, Michael M., Jensenworth, Gregory
Primary Examiner(s)
Trammell, James P.
Assistant Examiner(s)
ELISCA, PIERRE E

Application Number

US09/096,926
Time in Patent Office

1,166 Days
Field of Search

713/193, 713/185, 713/165, 713/172, 713/200, 713/201, 713/159
US Class Current

726/10
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 21/645   using a third party

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2145   Inheriting rights or proper...

G06F 2221/2149   Restricted operating enviro...

H04L 63/0807   using tickets, e.g. Kerbero...

Security model using restricted tokens

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

338 Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Security model using restricted tokens

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

338 Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links