Declarative permission requests in a computer system
Abstract
Computer-based systems and methods are disclosed for a comprehensive security model for managing active content downloaded from a computer network. The security model includes the configuration of a system security policy that is stored on a host computer. The system security policy is configured by security zone in progressively “finer grain” levels with each level associated with and defining the previous level. These levels may include: protected operations; user permission sets, permissions, parameters and primitives. In the disclosed method and systems, a publisher of active content specifies a requested permission set that includes a list the permissions (defined by parameters, which are defined by primitives) that the active content requires in order to run on the host system. The requested permission set is external to the active content so that it is not necessary to run the active content in order to discover the permissions that the active content requires in order to run. The requested permission set may be included in a signed code package wherein the identity of the active content publisher is guaranteed. A digital signature of the signed code package also guarantees that the contents of the signed code package, including active content, support files, and the requested permission set have not been altered or otherwise corrupted since the signed code package was published. The requested permission set may also be included in a catalog file that can be downloaded separately from the active content.
65 Claims
1. A computer-implemented method for providing security on a host computer by selectively restricting the access of computer-executable instructions to system operations provided by the host computer, the method comprising:
  defining a security zone corresponding to a set of data sources;
  associating a security policy with the security zone, the security policy including a host permission set created by a user of the host computer that defines a set of permissions that restrict access to the system operations provided by the host computer by computer-executable instructions to be retrieved from said set of data sources;
  accessing a data source;
  determining if the accessed data source is one of said sources of computer-executable instructions;
  if the accessed data source is one of said set of data sources and if data to be retrieved by the host computer from said accessed data source contains computer-executable instructions, obtaining a requested permission set associated with the computer-executable instructions contained in the data retrieved from the accessed data source, the requested permission set asserting a set of permissions that are requested by the computer-executable instructions for access to the system operations provided by the host computer; and
  restricting the access of the computer-executable instructions to the system operations provided by the host computer based on a comparison of the requested permission set to the host permission set.

2. [preamble of claim 2 not present in the extracted text]
  determining if the computer-executable instructions bear a recognized digital signature; and
  restricting the access of the computer-executable instructions to the system operations provided by the host computer based on a comparison of the requested permission set to the host permission set if it is determined that the computer-executable instructions bear a recognized digital signature.
3. The method of claim 1, further comprising granting a default set of permissions included in an unsigned permission set if it is determined that the computer-executable instructions do not bear a recognized digital signature.

4. The method of claim 2, wherein there are a plurality of host permission sets each including a trusted signed permission set and an untrusted signed permission set, the method further comprising:
  restricting the access of the computer-executable instructions to the system operations provided by the host computer based on a comparison of the requested permission set to the trusted signed permission set if it is determined that the computer-executable instructions bear a recognized digital signature from a trusted publisher; and
  restricting the access of the computer-executable instructions to the system operations provided by the host computer based on a comparison of the requested permission set to the untrusted signed permission set if it is determined that the computer-executable instructions bear a recognized digital signature from an untrusted publisher.

5. The method of claim 4, further comprising granting the computer-executable instructions restricted access to the system operations provided by the host computer as specified in the requested permission set if the requested permission set is compared to the trusted signed permission set and is a subset of the trusted signed permission set.

6. The method of claim 5, further comprising associating a granted permission with the computer-executable instructions for each permission in the requested permission set such that once the granted permission is associated with the computer-executable instructions, the computer-executable instructions may access the system operation without the need to again compare the requested permission set to the host permission set.

7. The method of claim 6, further comprising persisting the granted permission with the computer-executable instructions.

8. The method of claim 4, further comprising:
  (a) determining a configuration of the untrusted signed permission set;
  (i) if the untrusted signed permission set has been configured as a denied permission set, denying the computer-executable instructions restricted access to the system operations as specified in the requested permission set if the requested permission set intersects with the untrusted signed permission set;
  (ii) if the untrusted signed permission set has been configured as a query permission set, presenting a query dialog and receiving a response from the query dialog if the requested permission set is a subset of the untrusted signed permission set;
  (1) if the response from the query dialog is to grant the requested permission set, granting the computer-executable instructions restricted access to the system operations as specified in the requested permission set; and
  (2) if the response from the query dialog is to deny the requested permission set, denying the computer-executable instructions restricted access to the system operations as specified in the requested permission set.

9. The method of claim 8, further comprising associating a granted permission with the computer-executable instructions for each permission in the requested permission set such that once the granted permission is associated with the computer-executable instructions, the computer-executable instructions may access the system operation without the need to again compare the requested permission set to the host permission set.

10. The method of claim 9, further comprising persisting the granted permission with the computer-executable instructions.

11. The method of claim 8, further comprising not permitting the computer-executable instructions to run on the host computer if the requested permission set intersects with the denied permission set.
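The decision procedure of claims 1 through 11, as an added Python model that is not part of the patent or of any implementation of it: a zone is found for the accessed data source, the signature status selects which host permission set is compared, trusted publishers get a subset test, untrusted publishers get either a deny-set intersection test or a query-set subset test with a user dialog, a hit on the denied set refuses to run the code, and grants are remembered with the code so later accesses skip the comparison. Zone, data-source and permission names are constructed; the outcome for an untrusted request that is disjoint from a deny-configured set is an assumption, since the claims leave it unstated.

```python
# Added example (not from the patent): a runnable model of the zone-based
# permission check in claims 1-11. Source and permission names are
# constructed; the "untrusted request disjoint from the denied set" branch is assumed.
from dataclasses import dataclass
from enum import Enum


class Sig(Enum):
    UNSIGNED = 0    # no recognized digital signature (claim 3)
    TRUSTED = 1     # recognized signature, trusted publisher (claim 4)
    UNTRUSTED = 2   # recognized signature, untrusted publisher (claim 4)


class UntrustedMode(Enum):
    DENY = 0    # untrusted signed set acts as a denied permission set (claim 8(i))
    QUERY = 1   # untrusted signed set acts as a query permission set (claim 8(ii))


@dataclass(frozen=True)
class ZonePolicy:
    data_sources: frozenset       # claim 1: the zone's set of data sources
    unsigned_default: frozenset   # claim 3: what unsigned code gets
    trusted_signed: frozenset     # claim 5: ceiling for trusted publishers
    untrusted_signed: frozenset   # claim 8: deny- or query-set for untrusted publishers
    untrusted_mode: UntrustedMode
    denied: frozenset = frozenset()   # claim 11: code touching these may not run


@dataclass(frozen=True)
class Decision:
    outcome: str                  # "grant", "deny", "query" or "refuse-run"
    granted: frozenset = frozenset()
    reason: str = ""


def find_zone(policies, source):
    """Claim 1: decide whether the accessed data source belongs to a zone."""
    return next((p for p in policies if source in p.data_sources), None)


def evaluate(policy, requested, sig, ask=None):
    """Compare the requested set with the zone's host sets; `ask` is the query dialog."""
    req = frozenset(requested)
    if req & policy.denied:                       # claim 11
        return Decision("refuse-run", reason="intersects the denied permission set")
    if sig is Sig.UNSIGNED:                       # claim 3
        return Decision("grant", policy.unsigned_default, "default unsigned set")
    if sig is Sig.TRUSTED:                        # claim 5: subset test
        if req <= policy.trusted_signed:
            return Decision("grant", req, "subset of the trusted signed set")
        return Decision("deny", reason="exceeds the trusted signed set")
    if policy.untrusted_mode is UntrustedMode.DENY:   # claim 8(i)
        if req & policy.untrusted_signed:
            return Decision("deny", reason="intersects the untrusted (denied) set")
        # Assumption: the claims do not state this branch; the model grants it.
        return Decision("grant", req, "disjoint from the untrusted (denied) set")
    if not req <= policy.untrusted_signed:        # claim 8(ii): subset test first
        return Decision("deny", reason="not a subset of the query set")
    if ask is None:
        return Decision("query", reason="user confirmation required")
    if ask(req):                                  # claim 8(ii)(1)
        return Decision("grant", req, "user approved the query")
    return Decision("deny", reason="user declined the query")   # claim 8(ii)(2)


class GrantCache:
    """Claims 6, 7, 9, 10: keep granted permissions with the code so that later
    accesses to a system operation skip the comparison."""

    def __init__(self):
        self._grants = {}

    def record(self, code_id, decision):
        if decision.outcome == "grant":
            self._grants[code_id] = decision.granted

    def may_access(self, code_id, operation):
        return operation in self._grants.get(code_id, frozenset())


# Constructed sample policy for one zone with two data sources.
INTRANET = ZonePolicy(
    data_sources=frozenset({"intranet.example", "builds.example"}),
    unsigned_default=frozenset({"ui"}),
    trusted_signed=frozenset({"ui", "file-read", "file-write"}),
    untrusted_signed=frozenset({"ui", "file-read"}),
    untrusted_mode=UntrustedMode.QUERY,
    denied=frozenset({"registry-write"}),
)


def demo():
    """Run constructed requests through the model; returns the outcome per case."""
    zone = find_zone([INTRANET], "intranet.example")
    cache = GrantCache()
    first = evaluate(zone, {"ui", "file-read"}, Sig.TRUSTED)
    cache.record("pkg-a", first)
    return {
        "zone_found": zone is not None and find_zone([INTRANET], "other.example") is None,
        "trusted_subset": first.outcome,
        "trusted_exceeds": evaluate(zone, {"ui", "net"}, Sig.TRUSTED).outcome,
        "unsigned_gets": sorted(evaluate(zone, {"file-write"}, Sig.UNSIGNED).granted),
        "untrusted_approved": evaluate(zone, {"file-read"}, Sig.UNTRUSTED, lambda r: True).outcome,
        "untrusted_declined": evaluate(zone, {"file-read"}, Sig.UNTRUSTED, lambda r: False).outcome,
        "untrusted_outside_query_set": evaluate(zone, {"file-write"}, Sig.UNTRUSTED).outcome,
        "denied_hit": evaluate(zone, {"ui", "registry-write"}, Sig.TRUSTED).outcome,
        "cached": (cache.may_access("pkg-a", "file-read"), cache.may_access("pkg-a", "file-write")),
    }
```

The model checks the denied set before anything else, which is the ordering claim 47 describes for the query set, and it never grants more than was requested: a trusted publisher whose request exceeds the trusted signed set is refused outright rather than trimmed, because claim 5 grants "as specified in the requested permission set" only when the request is a subset.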
12. The method of claim 11, further comprising:
  retrieving a hash value from the recognized digital signature representing the computer-executable instructions at the time that the computer-executable instructions were digitally signed;
  computing a new hash value for the computer-executable instructions as retrieved from a data source by the host computer; and
  denying the computer-executable instructions restricted access to the system operations as specified in the requested permission set if the hash value retrieved from the recognized digital signature does not match the new hash value for the computer-executable instructions as retrieved from a data source by the host computer.

13. The method of claim 12, wherein the hash value representing the computer-executable instructions at the time that the computer-executable instructions were digitally signed from the digital signature and the new hash value for the computer-executable instructions as retrieved from the computer network to the host computer include the requested permission set.

14. The method of claim 1, wherein the requested permission set is externally attached to the computer-executable instructions so that the computer-executable instructions do not have to be run on the host computer in order to be compared to the host permission set on the host computer.

15. The method of claim 14, wherein the requested permission set is retrieved separately from the computer-executable instructions.

16. The method of claim 15, wherein the requested permission set is included in a catalog file.

17. The method of claim 1, wherein the network address from which the computer-executable instructions originate is assured by using a secure server connection.

18. The method of claim 2, further comprising:
  retrieving a hash value from the digital signature representing the computer-executable instructions at the time that the computer-executable instructions were digitally signed;
  computing a new hash value for the computer-executable instructions as retrieved from a data source by the host computer; and
  denying the computer-executable instructions restricted access to the system operations as specified in the requested permission set if the hash value retrieved from the recognized digital signature does not match the new hash value for the computer-executable instructions as retrieved from a data source by the host computer.
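The hash check of claims 12 and 13, as an added Python example that is not the patent's or any product's code: the hash recorded at signing time covers the code, the support files and the externally attached requested permission set together, so a permission manifest that is widened after signing fails verification just as a patched code file does, and a package whose signature the host does not recognize is rejected before any permission comparison happens. An HMAC tag over the digest stands in for the publisher's digital signature (a real package would carry an asymmetric signature and certificate); the key, file names and permission names are constructed.

```python
# Added example (not from the patent): verifying a signed code package whose
# hash covers both the code and the externally attached requested permission
# set (claims 12, 13, 18). The HMAC tag stands in for the publisher's digital
# signature; key, file names and permission names are constructed.
import hashlib
import hmac
import json


def _frame(h, data):
    """Length-prefix each field so moving bytes between fields changes the hash."""
    h.update(len(data).to_bytes(8, "big"))
    h.update(data)


def package_digest(code, requested, support):
    """Claim 13: one hash over the code, the requested permission set and the
    support files, in a canonical order independent of how they were listed."""
    h = hashlib.sha256()
    _frame(h, code)
    manifest = json.dumps(sorted(requested), separators=(",", ":")).encode()
    _frame(h, manifest)
    for name in sorted(support):
        _frame(h, name.encode())
        _frame(h, support[name])
    return h.digest()


def sign_package(publisher_key, code, requested, support):
    """Publisher side: record the hash at signing time and bind it to the publisher."""
    digest = package_digest(code, requested, support)
    tag = hmac.new(publisher_key, digest, hashlib.sha256).digest()
    return {
        "code": code,
        "requested": sorted(requested),   # external to the code: readable without running it
        "support": dict(support),
        "signature": {"digest": digest.hex(), "tag": tag.hex()},
    }


def verify_package(publisher_key, pkg):
    """Host side. Returns (ok, reason); on failure the requested permission set
    must not be compared against the host permission set (claim 12)."""
    sig = pkg["signature"]
    signed_digest = bytes.fromhex(sig["digest"])
    # 1. Is the signature recognized, i.e. bound to the expected publisher?
    expected_tag = hmac.new(publisher_key, signed_digest, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, bytes.fromhex(sig["tag"])):
        return False, "signature not recognized"
    # 2. Recompute the hash over what was actually retrieved and compare.
    fresh = package_digest(pkg["code"], pkg["requested"], pkg["support"])
    if not hmac.compare_digest(fresh, signed_digest):
        return False, "hash mismatch: package altered since it was signed"
    return True, "intact"


# Constructed sample package.
PUBLISHER_KEY = b"constructed-publisher-key"
CODE = b"print('hello from active content')"
SUPPORT = {"README.txt": b"constructed support file"}


def demo():
    """Sign a package, then verify it intact and after three kinds of alteration."""
    pkg = sign_package(PUBLISHER_KEY, CODE, {"ui", "file-read"}, SUPPORT)
    ok_intact = verify_package(PUBLISHER_KEY, pkg)[0]
    # Widen only the requested permission set: claim 13 puts it under the hash.
    widened = dict(pkg, requested=sorted({"ui", "file-read", "file-write"}))
    ok_widened = verify_package(PUBLISHER_KEY, widened)[0]
    # Alter only the code.
    altered = dict(pkg, code=CODE + b"\n# one extra line")
    ok_altered = verify_package(PUBLISHER_KEY, altered)[0]
    # Signature from a key the host does not recognize.
    ok_unknown = verify_package(b"another-key", pkg)[0]
    return {"intact": ok_intact, "widened": ok_widened,
            "altered": ok_altered, "unknown_key": ok_unknown}
```

The two comparisons are deliberately separate: the first answers "is this signature recognized" (claim 2), the second "does the retrieved content still match what was signed" (claim 12); a host that only checked the second could be handed a self-consistent package from anyone.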
19. A computer-readable medium having computer-executable instructions for performing a method to protect a host computer against unauthorized access by an object class to system operations provided by the host computer, comprising:
  configuring a security policy for a security zone, the security zone corresponding to a set of data sources, the security policy including a host permission set created by the user of the host computer that defines a set of permissions that restrict access to the system operations provided by the host computer by object classes received from said set of data sources;
  accessing a data source;
  determining if the accessed data source is one of said set of data sources;
  if the accessed data source is one of said set of data sources and if an object class is to be retrieved by the host computer from the accessed data source, retrieving a requested permission set for the object class to be retrieved, the requested permission set specifying a set of permissions to access the system operations provided by the host computer that the object class requires in order to run on the host computer; and
  comparing the requested permission set to the host permission set included in the security policy for the security zone to determine the restrictions that will be imposed on the object class if the object class is retrieved by and run on the host computer and seeks access to the system operations provided by the host computer.

23. [preamble of claim 23 not present in the extracted text]
  (a) denying the permissions requested by the object class in the requested permission set and not allowing the object class to run on the host computer if the object class was digitally signed by an untrusted publisher and the untrusted signed permission set is configured to deny permissions in the untrusted signed permission set when any permission in the requested permission set intersects with a corresponding permission in the untrusted signed permission set;
  (b) querying for a query response regarding the permissions requested by the object class in the requested permission set if the object class was digitally signed by an untrusted publisher and the untrusted signed permission set has been configured to query when the requested permission set is a subset of the untrusted signed permission set;
  (i) granting the requested permission set if approved in the query response; and
  (ii) denying the requested permission set if not approved in the query response.
24. The computer-readable medium of claim 23, further comprising storing the granted permissions to access system operations on the host computer with the object class so that the object class does not have to request that permissions to access system operations on the host computer be granted a second time.

25. The computer-readable medium of claim 23, further comprising:
  retrieving a hash value from a recognized digital signature that represents the object class at the time that the object class was digitally signed;
  computing a new hash value for the object class as retrieved from the accessed data source by the host computer; and
  denying the object class restricted access to the system operations as specified in the requested permission set if the hash value retrieved from the recognized digital signature does not match the new hash value for the object class as retrieved from the accessed data source by the host computer.

26. The computer-readable medium of claim 25, wherein the hash value representing the object class at the time that the object class was digitally signed and the new hash value for the object class as retrieved from the accessed data source by the host computer includes a representation of the requested permission set.

27. The computer-readable medium of claim 19, wherein the requested permission set is externally attached to the object class so that the object class does not have to be run on the host computer in order to be compared to the user permission set.

28. The computer-readable medium of claim 27, further comprising granting a default set of permissions included in an unsigned permission set included in the security policy for the security zone if the object class is not digitally signed.

29. The computer-readable medium of claim 27, wherein if the object class was digitally signed by a trusted publisher, comparing the requested permission set to a trusted signed permission set and granting permissions to access system operations on the host computer if the requested permission set is a subset of the trusted signed permission set.

30. The computer-readable medium of claim 29, storing the granted permissions to access system operations on the host computer with the object class so that the object class does not have to request that permissions to access system operations on the host computer be granted a second time.

31. The computer-readable medium of claim 27, wherein if the object class was digitally signed by an untrusted publisher:
  (a) denying the permissions requested by the object class in the requested permission set and not allowing the object class to run on the host computer when any permission in the requested permission set intersects with a corresponding permission in the untrusted signed permission set if;
  (i) the object class was digitally signed by an untrusted publisher;
  (ii) the untrusted signed permission set is configured to deny permissions in the untrusted signed permission set;
  (b) querying for a query response regarding the permissions requested by the object class in the requested permission set if the object class was digitally signed by an untrusted publisher and the untrusted signed permission set has been configured to query when the requested permission set is a subset of the untrusted signed permission set;
  (i) granting the requested permission set if approved in the query response; and
  (ii) denying the requested permission set if not approved in the query response.

32. The computer-readable medium of claim 31, further comprising storing the granted permissions to access system operations on the host computer with the object class so that the object class does not have to request that permissions to access system operations on the host computer be granted a second time.

33. The computer-readable medium of claim 31, further comprising:
  retrieving a hash value from the recognized digital signature that represents the object class at the time that the object class was digitally signed;
  computing a new hash value for the object class as retrieved from the accessed data source by the host computer; and
  denying the object class restricted access to the system operations as specified in the requested permission set if the hash value retrieved from the recognized digital signature does not match the new hash value for the object class as retrieved from the accessed data source by the host computer.

34. The computer-readable medium of claim 33, wherein the hash value representing the object class at the time that the computer-object class was digitally signed and the new hash value for the object class as retrieved from the accessed data source by the host computer includes the requested permission set.
35. A computer-implemented method for providing security on a host computer by selectively restricting the access of computer-executable instructions to system operations provided by the host computer, the method comprising:
  providing a security policy that includes at least one host permission set that defines the access of computer-executable instructions to the system operations provided by the host computer;
  obtaining a requested permission set associated with the actual computer-executable instructions that specify the access to the system operations provided by the host computer that the computer-executable instructions request; and
  restricting the access of the computer-executable instructions to the system operations provided by the host computer based on a comparison of the requested permission set to the at least one host permission set.

43. [preamble of claim 43 not present in the extracted text]
  (a) presenting a query dialog to a user if the requested permission set is a subset of the query permission set;
  (b) receiving a response from the query dialog;
  (i) if the response from the query dialog is to grant the requested permission set, granting the computer-executable instructions restricted access to the system operations as specified in the requested permission set; and
  (ii) if the response from the query dialog is to deny the requested permission set, denying the computer-executable instructions restricted access to the system operations as specified in the requested permission set.
44. The method of claim 43, wherein a security zone corresponding to a set of data sources is associated with the security policy and the denied permission set is compared to the requested permission set associated with the computer-executable instructions that originate from a data source that is associated with a security zone.

45. The method of claim 43, further comprising associating a granted permission with the computer-executable instructions for each permission in the requested permission set such that once the granted permission is associated with the computer-executable instructions, the computer-executable instructions may access the system operation without the need to again compare the requested permission set to the host permission set.

46. The method of claim 45, further comprising persisting the granted permission with the computer-executable instructions.

47. The method of claim 43, wherein the security policy includes a denied permission set, the method further comprising comparing the requested permission set to the query permission set when the requested permission set does not intersect the denied permission set.

48. The method of claim 47, further comprising not permitting the computer-executable instructions to run on the host computer if the requested permission set intersects with the denied permission set.
49. A computer-implemented method for providing security on a host computer by selectively restricting the access of computer-executable instructions to system operations provided by the host computer, the method comprising:
  providing a security policy that includes at least one host permission set that defines the access of computer-executable instructions to the system operations provided by the host computer;
  determining if the computer-executable instructions bear a recognized digital signature;
  obtaining a requested permission set associated with the computer-executable instructions, the requested permission set asserting a set of permissions requested by the computer-executable instructions; and
  restricting the access of the computer-executable instructions to the system operations provided by the host computer based on a comparison of the requested permission set to the host permission set if it is determined that the computer-executable instructions bear a recognized digital signature.

51. [preamble of claim 51 not present in the extracted text]
  restricting the access of the computer-executable instructions to the system operations provided by the host computer based on a comparison of the requested permission set to the untrusted signed permission set if the computer-executable instructions bear a recognized digital signature from a trusted publisher; and
  restricting the access of the computer-executable instructions to the system operations provided by the host computer based on a comparison of the requested permission set to the untrusted signed permission set if the computer-executable instructions bear a recognized digital signature from an untrusted publisher.
52. The method of claim 51, further comprising granting the computer-executable instructions restricted access to the system operations provided by the host computer as specified in the requested permission set if the requested permission set is compared to the trusted signed permission set and is a subset of the trusted signed permission set.

53. The method of claim 52, wherein a security zone corresponding to a set of data sources is associated with the security policy and the trusted signed permission set is compared to the requested permission set associated with the computer-executable instructions that originate from a data source that is associated with a security zone.

54. The method of claim 52, further comprising associating a granted permission with the computer-executable instructions for each permission in the requested permission set to access a system operation such that once the granted permission is associated with the computer-executable instructions, the computer-executable instructions may access the system operation without the need to again compare the requested permission set to the host permission set.

55. The method of claim 54, further comprising persisting the granted permission with the computer-executable instructions.

56. The method of claim 51, further comprising:
  (a) determining a configuration of the untrusted signed permission set;
  (i) denying the computer-executable instructions restricted access to the system operations as specified in the requested permission set if the untrusted signed permission set has been configured as a denied permission set and if the requested permission set intersects with the untrusted signed permission set;
  (ii) presenting a query dialog to a user if the untrusted signed permission set has been configured as a query permission set and if the requested permission set is a subset of the untrusted signed permission set;
  (iii) receiving a response from the query dialog, (1) if the response from the query dialog is to grant the requested permission set, granting the computer-executable instructions restricted access to the system operations as specified in the requested permission set; and
  (2) if the response from the query dialog is to deny the requested permission set, denying the computer-executable instructions restricted access to the system operations as specified in the requested permission set.

57. The method of claim 56, wherein a security zone corresponding to a set of data sources is associated with the security policy and the untrusted signed permission set is compared to the requested permission set associated with the computer-executable instructions that originate from a data source that is associated with a security zone.

58. The method of claim 56, further comprising associating a granted permission with the computer-executable instructions for each permission in the requested permission set such that once the granted permission is associated with the computer-executable instructions, the computer-executable instructions may access the system resource without the need to again compare the requested permission set to the host permission set.

59. The method of claim 58, further comprising persisting the granted permission with the computer-executable instructions.

60. The method of claim 59, further comprising not permitting the computer-executable instructions to run on the host computer if the requested permission set intersects with the denied permission set.

61. The method of claim 49, further comprising:
  retrieving a hash value from the recognized digital signature representing the computer-executable instructions at the time that the computer-executable instructions were digitally signed;
  computing a new hash value for the computer-executable instructions as retrieved from a data source by the host computer; and
  denying the computer-executable instructions access to the system operations as specified in the requested permission set if the hash value retrieved from the recognized digital signature does not match the new hash value for the computer-executable instructions as retrieved from a data source by the host computer.

62. The method of claim 49, wherein the requested permission set is externally attached to the computer-executable instructions so that the computer-executable instructions do not have to be run on the host computer in order to be compared to the host permission set.

63. The method of claim 49, wherein the requested permission set is retrieved separately from the active content.

64. The method of claim 63, wherein the requested permission set is included in a catalog file.

65. The method of claim 49, wherein the network address from which the computer-executable instructions originate is authenticated by using a secure server connection.