Unshared scratch space
Abstract
A computerized method provides unshared local storage space to a process distributed by a trusted source through the use of an identity associated with the process that specifies local capabilities for the identity on a computer. The method obtains the identity and allocates the local storage space based on the information on the local capabilities, securing the space with the identity so that only a process with the same identity can access the space. The method also enforces the local capabilities on the process by monitoring the use of the local storage space. The identity is uniquely defined by a digital certificate or similar security facility. The identity is associated with a data structure, such as a digital signature, that includes the size of the local storage space and, optionally, whether the process is subject to global storage limits set by the computer. A computerized system which executes the method is also disclosed.
73 Citations
17 Claims
1. A computerized method for providing unshared access to local persistent storage space on a local computer to a program executing on the local computer on behalf of a securely certified identity, the method comprising the steps of:
- determining the identity on which behalf the program is executing on the local computer from a secure certificate;
- determining local capabilities requested by the identity for the program from the secure certificate, the local capabilities specifying an amount of local persistent storage space;
- allocating the local persistent storage space on a persistent storage media to the program for unshared access during execution thereof on the local computer as specified by the local capabilities requested by the identity;
- associating the local persistent storage space with the identity; and
- limiting access to the persistent storage by the program to the allocated local persistent storage space.
Dependent claims: 2, 3, 4, 5, 6, 7 (not reproduced here).

8. A computer-readable medium having computer-executable instructions for performing steps that cause a local computer to provide unshared storage space on a persistent storage medium to a process executing on behalf of an identity, the steps comprising:
- determining the identity on which behalf the process is executing;
- obtaining a digital certificate for the process, the digital certificate specifying a request for local capabilities including local storage space on the persistent storage medium for the identity;
- decoding the digital certificate to establish local capabilities requested for the identity;
- allocating the local storage space to the process as specified by the local capability request;
- associating the local storage space with the identity; and
- limiting access to the persistent storage by the program to the allocated local persistent storage space.
Dependent claims: 9, 10, 11 (not reproduced here).

12. A computer-readable medium having stored thereon a data structure associated with an identity, the data structure comprising:
- a first data field containing data that uniquely identifies the identity;
- a second data field containing data representing local storage capabilities requested for the identity identified by the first data field, the local storage capabilities including a size of a local storage space on a persistent storage medium of the local computer; and
- executable code for executing a process on behalf of the identity identified by the data in the first data field, wherein the process is constrained by the local storage capability request represented by data in the second data field to have unshared access to only local storage space allocated as specified in the request on the persistent storage medium.
Dependent claims: 13, 14 (not reproduced here).

15. A computerized system comprising:
- a server operative for transferring executable code for a process using a communications medium; and
- a client operative for receiving the process, for determining an identity for the process, and for decoding an infrastructure component identified by the identity to determine a local persistent storage space capability limiting the process to unshared access to an amount of local persistent storage on the client, the client comprising a local persistent storage medium for retaining data used by the process;
- the client further operative for assigning local storage space on the persistent storage medium to the process and for monitoring the use of the local persistent storage medium by the process for compliance with the requested capability.

16. A computerized client that manages local space allocated on a local computer to a process, the computerized client comprising:
- a persistent storage medium;
- a client storage manager module operative for determining an identity and local persistent storage capability for the process when executed on the client, and allocating local space on the persistent storage medium for unshared access by the process as requested for the identity; and
- a client monitor module operative for monitoring access by the process to the persistent storage medium and limiting access to the persistent storage medium by the process to said unshared access to the allocated local space.
Dependent claims: 17 (not reproduced here).

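The flow the abstract and claims describe (identity and requested capability read from a certificate, a per-identity space allocated, and a monitor confining the process to that space and size), as an added example that is not part of the patent or of any product implementing it. It assumes an HMAC over a JSON body as a stand-in for the certificate's real signature, a byte quota as the only local capability, and a per-identity directory under a temporary root; `ScratchSpaceManager`, `check_write` and the other names are constructed for this illustration.

```python
import hashlib, hmac, json, tempfile
from pathlib import Path
# Constructed trust anchor (assumption); a real client would verify an X.509 chain instead.
TRUSTED_KEY = b"example-authority-key"

def issue_certificate(identity: str, storage_bytes: int) -> dict:
    """Constructed 'secure certificate': the identity plus the local capability it requests."""
    body = {"identity": identity, "capabilities": {"local_storage_bytes": storage_bytes}}
    mac = hmac.new(TRUSTED_KEY, json.dumps(body, sort_keys=True).encode(), hashlib.sha256)
    return {**body, "signature": mac.hexdigest()}

def decode_certificate(cert: dict):
    """Claim steps 1-2: (identity, requested bytes), or None if the signature does not verify."""
    body = {k: v for k, v in cert.items() if k != "signature"}
    mac = hmac.new(TRUSTED_KEY, json.dumps(body, sort_keys=True).encode(), hashlib.sha256)
    if not hmac.compare_digest(mac.hexdigest(), str(cert.get("signature", ""))):
        return None
    return body["identity"], int(body["capabilities"]["local_storage_bytes"])

class ScratchSpaceManager:
    """Client storage manager and monitor: allocates per-identity space and polices every write."""
    def __init__(self, root=None):
        self.root = Path(root or tempfile.mkdtemp()).resolve()
        self.spaces = {}  # identity -> (directory, byte quota)

    def allocate(self, cert: dict):
        identity, quota = decode_certificate(cert) or (None, 0)
        if identity is None:  # untrusted certificate: nothing is allocated
            return None
        # Directory name derived from the identity, so no two identities ever share a space.
        space = self.root / hashlib.sha256(identity.encode()).hexdigest()[:16]
        space.mkdir(parents=True, exist_ok=True)
        self.spaces[identity] = (space, quota)
        return space

    def check_write(self, identity: str, rel_name: str, size: int) -> str:
        """Monitor decision: 'ok', or the reason the write is refused."""
        if identity not in self.spaces:
            return "no-space"
        space, quota = self.spaces[identity]
        if space not in (space / rel_name).resolve().parents:  # '..', symlink or absolute path
            return "escape"
        used = sum(p.stat().st_size for p in space.rglob("*") if p.is_file())
        return "quota" if used + size > quota else "ok"

    def write(self, identity: str, rel_name: str, data: bytes) -> str:
        verdict = self.check_write(identity, rel_name, len(data))
        if verdict == "ok":
            (self.spaces[identity][0] / rel_name).write_bytes(data)
        return verdict
```

A tampered certificate (capability raised without re-signing) yields no allocation at all, and a second identity gets a different directory rather than a view into the first one's files.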
Specification