Security component for a computing device

US 7,058,978 B2
Filed: 12/27/2000
Issued: 06/06/2006
Est. Priority Date: 12/27/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A network server, comprising:

an Internet server to receive a request for a resource maintained on the network server and, in response to the request, implement security policies to prevent unauthorized access to the resource;

a security component that is registerable with the Internet server during run-time, the security component having;

a validation component to determine whether the request will pose a security risk to the network server by determining if a total number of characters defining all of the arguments of the request exceeds a maximum number of characters; and

an integrity verification component to;

determine whether the resource will pose a security risk to the network server upon receipt of the request;

formulate a descriptor corresponding to the resource;

compare the formulated descriptor with a cached descriptor, the cached descriptor corresponding to the resource and formulated when the resource is initially requested;

determine that the resource is not a security risk if the formulated descriptor and the cached descriptor are equivalent;

if the formulated descriptor and the cached descriptor are not equivalent, formulate a second descriptor corresponding to an original resource maintained on a file server remotely located from the network server, the resource being replicated from the original resource;

compare the formulated descriptor with the second descriptor; and

determine that the resource is not a security risk if the formulated descriptor and the second descriptor are equivalent.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security component determines whether a request for a resource poses a security risk to a computing device and verifies the integrity of the requested resource before the request is allowed. For a request having arguments and a resource path with a filename that identifies the resource, the security component determines that the request does not pose a security risk if the resource path does not exceed a maximum number of characters, individual arguments do not exceed a maximum number of characters, the arguments combined do not exceed a maximum number of characters, and the filename has a valid extension. The security component verifies the integrity of a requested resource by formulating a descriptor corresponding to the resource and comparing the descriptor with a cached descriptor corresponding to the resource.

118 Citations

31 Claims

1. A network server, comprising:
- an Internet server to receive a request for a resource maintained on the network server and, in response to the request, implement security policies to prevent unauthorized access to the resource;
  
  a security component that is registerable with the Internet server during run-time, the security component having;
  
  a validation component to determine whether the request will pose a security risk to the network server by determining if a total number of characters defining all of the arguments of the request exceeds a maximum number of characters; and
  
  an integrity verification component to;
  
  determine whether the resource will pose a security risk to the network server upon receipt of the request;
  
  formulate a descriptor corresponding to the resource;
  
  compare the formulated descriptor with a cached descriptor, the cached descriptor corresponding to the resource and formulated when the resource is initially requested;
  
  determine that the resource is not a security risk if the formulated descriptor and the cached descriptor are equivalent;
  
  if the formulated descriptor and the cached descriptor are not equivalent, formulate a second descriptor corresponding to an original resource maintained on a file server remotely located from the network server, the resource being replicated from the original resource;
  
  compare the formulated descriptor with the second descriptor; and
  
  determine that the resource is not a security risk if the formulated descriptor and the second descriptor are equivalent.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. A network server as recited in claim 1, wherein the request designates a resource locator having a resource path, the resource path identifying a location of the resource, and wherein the validation component determines that the request is not a security risk if the resource path does not exceed a maximum number of characters.
  - 3. A network server as recited in claim 1, wherein the request designates a resource locator having a plurality of arguments, and wherein the validation component determines that the request is not a security risk if individual arguments do not exceed a maximum number of characters.
  - 4. A network server as recited in claim 1, wherein the request designates a resource locator having a resource identifier, and wherein the validation component determines that the request is not a security risk if the resource identifier has a valid file extension.
  - 5. A network server as recited in claim 1, wherein:
    - the request designates a resource locator having a resource path and one or more arguments, the resource path identifying a location of the resource and the resource path having a resource identifier;
      
      the validation component determines that the request is not a security risk if;
      
      the resource path does not exceed a maximum number of characters;
      
      individual arguments do not exceed a maximum number of characters; and
      
      the resource identifier has a valid file extension.
  - 6. A network server as recited in claim 1, wherein if the formulated descriptor and the second descriptor are not equivalent, the integrity verification component:
    - initiates that the resource stored on the network server be replaced with a copy of the original resource maintained on the file server; and
      
      initiates that the cached descriptor be replaced with the second descriptor.

7. One or more computer readable media containing a security application, comprising:
- a security component that is registerable with an Internet server during run-time, the security component having;
  
  a validation component to determine whether a request for a resource poses a security risk by determining if a total number of characters defining all of the arguments of the request exceeds a maximum number of characters; and
  
  an integrity verification component to determine whether the resource poses a security risk, the integrity verification component further configured to;
  
  formulate a descriptor corresponding to the resource when the security application receives the request;
  
  compare the formulated descriptor with a cached descriptor, the cached descriptor corresponding to the resource and formulated when the resource is initially requested;
  
  if the formulated descriptor and the cached descriptor are not equivalent, formulate a second descriptor corresponding to an original resource remotely located, the resource being replicated from the original resource;
  
  compare the formulated descriptor with the second descriptor; and
  
  determine that the resource is not a security risk if the formulated descriptor and the second descriptor are equivalent.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. Computer readable media as recited in claim 7, wherein the request designates a resource locator having a resource path, the resource path identifying a location of the resource and wherein the validation component determines that the request is not a security risk if the resource path does not exceed a maximum number of characters.
  - 9. Computer readable media as recited in claim 7, wherein the request designates a resource locator having a plurality of arguments, and wherein the validation component determines that the request is not a security risk if individual arguments do not exceed a maximum number of characters.
  - 10. Computer readable media as recited in claim 7, wherein the request designates a resource locator having a resource identifier, and wherein the validation component determines that the request is not a security risk if the resource identifier has a valid file extension.
  - 11. Computer readable media as recited in claim 7, wherein:
    - the request designates a resource locator having a resource path and one or more arguments, the resource path identifying a location of the resource and the resource path having a resource identifier;
      
      the validation component determines that the request is not a security risk if;
      
      the resource path does not exceed a maximum number of characters;
      
      individual arguments do not exceed a maximum number of characters; and
      
      the resource identifier has a valid file extension.
  - 12. Computer readable media as recited in claim 7, wherein if the formulated descriptor and the second descriptor are not equivalent, the integrity verification component:
    - initiates that the resource be replaced with a copy of the original resource; and
      
      initiates that the cached descriptor be replaced with the second descriptor.

13. A method, comprising:
- registering a security component with an Internet server during run-time;
  
  receiving a request for a replica resource stored on a computing device, the request designating a resource locator having a resource path identifying a location of the replica resource, the request further designating the resource locator having a plurality of arguments;
  
  implementing security policies to prevent unauthorized access to the replica resource;
  
  determining whether the request will pose a security risk if allowing the request, and allowing the request if said determining that the replica resource does not pose a security risk to the computing device;
  
  redirecting the request to indicate that the replica resource is not available if determining that the request poses a security risk to the computing device;
  
  determining that the request does not pose a security risk if individual arguments do not exceed a maximum number of characters, and if a total number of characters defining all of the arguments do not exceed a maximum number of characters;
  
  formulating a descriptor corresponding to the replica resource;
  
  comparing the formulated descriptor with a cached descriptor corresponding to an original resource stored on a second computing device remotely located from the computing device, the replica resource being replicated from the original resource;
  
  determining that the replica resource does not pose a security risk if the formulated descriptor and the cached descriptor are equivalent;
  
  if the formulated descriptor and the cached descriptor are not equivalent, formulating a second descriptor corresponding to the original resource;
  
  comparing the formulated descriptor with the second descriptor; and
  
  determining that the replica resource does not pose a security risk if the formulated descriptor and the second descriptor are equivalent.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 14. A method as recited in claim 13, further comprising replacing the cached descriptor with the second descriptor if the formulated descriptor and the second descriptor are equivalent.
  - 15. A method as recited in claim 13, further comprising replacing the replica resource with a copy of the original resource if the formulated descriptor and the cached descriptor are not equivalent, and if the formulated descriptor and the second descriptor are not equivalent.
  - 16. A method as recited in claim 13, further comprising replacing the cached descriptor with the second descriptor if the formulated descriptor and the cached descriptor are not equivalent, and if the formulated descriptor and the second descriptor are not equivalent.
  - 17. A method as recited in claim 13, further comprising formulating the cached descriptor when the original resource is replicated to create the replica resource.
  - 18. A method as recited in claim 13, further comprising formulating the cached descriptor when the replica resource is initially requested.
  - 19. A method as recited in claim 13, further comprising determining that the request does not pose a security risk if the resource path does not exceed a maximum number of characters.
  - 20. A method as recited in claim 13, wherein the request further designates the resource locator having a resource identifier, and the method further comprising determining that the request does not pose a security risk if the resource identifier has a valid file extension.
  - 21. A method as recited in claim 13, wherein:
    - the request further designates the resource locator having the resource path that has a resource identifier;
      
      the method further comprising determining that the request does not pose a security risk if;
      
      the resource path does not exceed a maximum number of characters;
      
      individual arguments do not exceed a maximum number of characters;
      
      a total number of characters defining all of the arguments do not exceed a maximum number of characters; and
      
      the resource identifier has a valid file extension.
  - 22. A computer-readable medium comprising computer executable instructions that, when executed, direct a computing system to perform the method of claim 21.
  - 23. A computer-readable medium comprising computer executable instructions that, when executed, direct a computing system to perform the method of claim 13.

24. A method, comprising:
- registering a security component with an Internet server during run-time;
  
  receiving a request for a resource;
  
  implementing security policies to prevent unauthorized access to the resource;
  
  determining whether the request will pose a security risk by determining if a total number of characters defining all of the arguments of the request exceeds a maximum number of characters;
  
  determining whether the resource will pose a security risk if allowing the request;
  
  formulating a descriptor corresponding to the resource;
  
  comparing the formulated descriptor with a cached descriptor corresponding to the resource and formulated when the resource is initially requested;
  
  determining that the resource does not pose a security risk if the formulated descriptor and the cached descriptor are equivalent;
  
  if the formulated descriptor and the cached descriptor are not equivalent, formulating a second descriptor corresponding to an original resource remotely located, the resource replicated from the original source;
  
  comparing the formulated descriptor with the second descriptor; and
  
  determining that the resource does not pose a security risk if the formulated descriptor and the second descriptor are equivalent.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31)
- - 25. A method as recited in claim 24, further comprising allowing the request for the resource if determining that the request does not pose a security risk and if determining that the resource does not pose a security risk.
  - 26. A method as recited in claim 24, wherein the request designates a resource locator having a resource path, the resource path identifying a location of the resource, and the method further comprising determining that the request does not pose a security risk if the resource path does not exceed a maximum number of characters.
  - 27. A method as recited in claim 24, wherein the request designates a resource locator having a plurality of arguments, and the method further comprising determining that the request does not pose a security risk if individual arguments do not exceed a maximum number of characters.
  - 28. A method as recited in claim 24, wherein the request designates a resource locator having a resource identifier, and the method further comprising determining that the request does not pose a security risk if the resource identifier has a valid file extension.
  - 29. A method as recited in claim 24, further comprising:
    - if the formulated descriptor and the second descriptor are not equivalent, replacing the resource with a copy of the original resource and replacing the cached descriptor with the second descriptor.
  - 30. A computer-readable medium comprising computer executable instructions that, when executed, direct a computing system to perform the method of claim 29.
  - 31. A computer-readable medium comprising computer executable instructions that, when executed, direct a computing system to perform the method of claim 24.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Feuerstein, Yehuda, Pfost, Jared E., Purpura, Stephen J.
Primary Examiner(s)
Sheikh, Ayaz
Assistant Examiner(s)
Chai, Longbit

Application Number

US09/751,016
Publication Number

US 20020083341A1
Time in Patent Office

1,987 Days
Field of Search

713200-202, 713/165, 713/187, 380247-249, 707/2, 707/3, 707/10, 705/26, 726 4- 6, 726 25- 26, 726/22, 726/24, 726/30, 709/216, 709/225
US Class Current

726/26
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

G06F 21/64   Protecting data integrity, ...

G06F 2221/2101   Auditing as a secondary aspect

G06Q 30/0609   Buyer or seller confidence ...

Y10S 707/99932   Access augmentation or opti...

Y10S 707/99933   Query processing, i.e. sear...

Security component for a computing device

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

118 Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Security component for a computing device

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

118 Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links