Policies for secure software execution

US 7,350,204 B2
Filed: 06/08/2001
Issued: 03/25/2008
Est. Priority Date: 07/24/2000
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

receiving a request to access a software file that includes executable code, the request including a type of access desired by a user for the software file;

performing a user-credential based access check to determine normal security privileges and access rights of the user for the software file;

thereafter, performing a file-classification based access check to determine whether the user'"'"'s normal security privileges and access rights should be modified to include a subset of the user'"'"'s normal security privileges and access rights for the software file, comprising;

obtaining a file classification corresponding to the software file for which the access request was received;

searching a rule set for the received file classification, the rule set providing security rules for a variety of software files which may have executable code, and the security rules being based on file classifications corresponding to the variety of software files; and

locating a rule in the rule set which matches the received file classification, the rule having a security level associated therewith;

associating the security level with the software file; and

controlling execution of the executable code of the software file based on the security level associated with the software file.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method that automatically, transparently and securely controls software execution by identifying and classifying software, and locating a rule and associated security level for executing executable software. The security level may disallow the software'"'"'s execution, restrict the execution to some extent, or allow unrestricted execution. To restrict software, a restricted access token may be computed that reduces software'"'"'s access to resources, and/or removes privileges, relative to a user'"'"'s normal access token. The rules that control execution for a given machine or user may be maintained in a restriction policy, e.g., locally maintained and/or in a group policy object distributable over a network. Software may be identified/classified by a hash of its content, by a digital signature, by its file system or network path, and/or by its URL zone. For software having multiple classifications, a precedence mechanism is provided to establish the applicable rule/security level.

290 Citations

74 Claims

1. A computer-implemented method, comprising:
- receiving a request to access a software file that includes executable code, the request including a type of access desired by a user for the software file;
  
  performing a user-credential based access check to determine normal security privileges and access rights of the user for the software file;
  
  thereafter, performing a file-classification based access check to determine whether the user'"'"'s normal security privileges and access rights should be modified to include a subset of the user'"'"'s normal security privileges and access rights for the software file, comprising;
  
  obtaining a file classification corresponding to the software file for which the access request was received;
  
  searching a rule set for the received file classification, the rule set providing security rules for a variety of software files which may have executable code, and the security rules being based on file classifications corresponding to the variety of software files; and
  
  locating a rule in the rule set which matches the received file classification, the rule having a security level associated therewith;
  
  associating the security level with the software file; and
  
  controlling execution of the executable code of the software file based on the security level associated with the software file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 2. The method of claim 1 wherein the file classification corresponding to the software file includes a hash value representative of the software file'"'"'s contents.
  - 3. The method of claim 1 wherein the file classification corresponding to the software file includes a digital signature.
  - 4. The method of claim 3 wherein the rule that corresponds to the file classification applies to any file associated with the digital signature.
  - 5. The method of claim 3 wherein the rule that corresponds to the file classification only applies to a set of at least one selected file associated with the digital signature.
  - 6. The method of claim 3 wherein the rule that corresponds to the file classification applies only to files associated with the digital signatures that have selected file extensions.
  - 7. The method of claim 1 wherein the file classification corresponding to the software file includes path information, and wherein the rule comprises a path rule for the path information.
  - 8. The method of claim 7 wherein the path rule applies only to files having selected file extensions.
  - 9. The method of claim 7 wherein the path is a fully qualified path including a filename.
  - 10. The method of claim 7 wherein the path is a general path that identifies at least one folder.
  - 11. The method of claim 10 wherein at least one folder has a list of selected file extensions associated therewith.
  - 12. The method of claim 7 wherein at least part of the path information corresponds to an environment variable.
  - 13. The method of claim 1 wherein the file classification corresponding to the software file includes data representative of a source of the software file.
  - 14. The method of claim 13 wherein the data representative of the source of the software file comprises a URL zone.
  - 15. The method of claim 1 wherein the file classification corresponding to the software file includes data provided by executable code hosting the software file.
  - 16. The method of claim 1 wherein locating a rule comprises, locating a plurality of applicable rules, and selecting one of the rules of the plurality as the rule that corresponds to the file classification based on selection criteria.
  - 17. The method of claim 16 wherein the selection criteria comprises a precedence ordering.
  - 18. The method of claim 17 wherein the rules that may correspond to the file classification include at least two rules of a set comprising a hash rule, a digital signature rule, an exact path rule, a general path rule and a zone rule, and wherein the precedence ordering comprises any hash rule, then any digital signature rule, then any exact path rule, then any general path rule and then any zone rule.
  - 19. The method of claim 1 further comprising executing the software file in an execution environment that corresponds to the security level.
  - 20. The method of claim 1 wherein controlling execution comprises providing a restricted execution environment for the software file.
  - 21. The method of claim 20 wherein providing a restricted execution environment comprises providing a restricted token, and associating the restricted token with a process of the software file.
  - 22. The method of claim 21 wherein providing the restricted token includes having at least one privilege therein removed relative to a parent token.
  - 23. The method of claim 21 wherein providing the restricted token includes modifying at least one security identifier relative to a parent token such that the restricted token has less access to at least one resource relative to access via a parent token.
  - 24. The method of claim 21 wherein providing the restricted token includes adding at least one restricted security identifier to the restricted token relative to a parent token.
  - 25. The method of claim 20 wherein providing a restricted execution environment comprises providing a job object having limitations associated therewith for executing the software file.
  - 26. The method of claim 20 wherein providing a restricted execution environment comprises restricting network access for the software file.
  - 27. The method of claim 1 wherein controlling execution comprises disallowing the execution.
  - 28. The method of claim 1 further comprising, providing a set of rules including the rule that corresponds to the file classification.
  - 29. The method of claim 28 wherein at least part of the set of rules are provided via a user interface.
  - 30. The method of claim 1, wherein controlling execution includes locating data corresponding to the security level, the data including information on whether to allow execution, and if so, the data further including information on providing an execution environment for executing the software file.
  - 31. The method of claim 30, wherein the data corresponds to settings for untrusted content, and wherein the data specifies that a restricted token is to be derived from a parent token by removing any privileges relative to the parent token and by removing any unknown security identifiers relative to the parent token.
  - 32. The method of claim 1, wherein controlling execution of executable content of the software file based on the security level includes providing a restricted token for association with at least one process of the software file the restricted token derived from a parent token and having reduced access rights or at least one privilege removed relative to the parent token.
  - 33. The method of claim 1 wherein the file classification corresponding to the software file that may be executed is received at a function, and further comprising, placing a call from the function to an enforcement mechanism, the enforcement mechanism locating the rule.
  - 34. The method of claim 1 wherein locating a rule comprises accessing policy information.
  - 35. The method of claim 34 wherein the policy information may be updated dynamically.
  - 36. The method of claim 34 wherein the policy information is maintained in a group policy object.
  - 37. The method of claim 34 wherein the policy information is maintained in a local registry.
  - 38. The method of claim 34 wherein the policy information is maintained in an effective policy constructed from a group policy object for a machine, a group policy object for a user, local machine data and a local user data.
  - 39. The method of claim 1 wherein the software file is maintained within a folder, wherein the rule applies to the folder and further indicates that each file therein runs unrestricted, and wherein the folder is protected from write access with respect to a user executing the software file.

40. Computer storage media having computer-executable instructions stored thereon that when executed by a computing system perform a method comprising:
- receiving, a request to access a software file that includes executable code the request including a type of access desired by a user for the software file;
  
  performing a user-credential based access check to determine normal security privileges and access rights of the user for the software file;
  
  thereafter, performing a file-classification based access check to determine whether the user'"'"'s normal security privileges and access rights should be modified to include a subset of the user'"'"'s normal security privileges and access rights for the software file, comprising;
  
  obtaining a file classification corresponding to the software file for which the access request was received;
  
  searching a rule set for the received file classification, the rule set providing security rules for a variety of software files which may have executable code, and the security rules being based on file classifications corresponding to the variety of software files; and
  
  locating a rule in the rule set which matches the received file classification, the rule having a security level associated therewith;
  
  associating the security level with the software file; and
  
  controlling execution of the executable code of the software file based on the security level associated with the software file.

41. A computer-implemented method, comprising:
- providing a plurality of rules for executable software files, each rule having a security level associated therewith;
  
  receiving a request to access a particular software file that include code;
  
  performing a user-credential based access check to determine normal security privileges and access rights of the user for the particular software file;
  
  thereafter, performing a file-classification based access check to determine whether the user'"'"'s normal security privileges and access rights should be modified to include a subset of the user'"'"'s normal security privileges and access rights for the particular software file, comprising;
  
  searching a rule set for an applicable rule to apply to the software file, the rule set providing security rules for a variety of software files which may have executable code, and the security rules being based on file classifications corresponding to the variety of software files;
  
  determining which rule applies to the particular software file based on a file classification of that software file, and;
  
  associating the particular software file with execution information corresponding to the security level to control the software file'"'"'s runtime capabilities.
- View Dependent Claims (42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52)
- - 42. The method of claim 41 wherein providing a plurality of rules for executable software files includes providing a policy object.
  - 43. The method of claim 41 wherein determining which rule applies to the particular software file includes, determining whether a hash rule is maintained for the software file.
  - 44. The method of claim 41 wherein determining which rule applies to the particular software file includes, determining whether the software file has a digital signature associated therewith, and if so, determining whether a digital signature rule exists for that digital signature.
  - 45. The method of claim 41 wherein determining which rule applies to the particular software file includes, determining whether a path rule is maintained for the software file.
  - 46. The method of claim 41 wherein determining which rule applies to the particular software file includes, determining whether a zone rule applies to the software file.
  - 47. The method of claim 41 wherein determining which rule applies to the particular software file includes selecting one of a plurality of applicable rules based on a precedence order.
  - 48. The method of claim 41 wherein determining which rule applies to the particular software file includes selecting one of a plurality of applicable rules based on a precedence order.
  - 49. The method of claim 41 wherein associating the particular software file with the execution information corresponding to the security level comprises computing a restricted token based on the security level.
  - 50. The method of claim 41 wherein associating the particular software file with the execution information corresponding to the security level comprises determining network restrictions based on the security level.
  - 51. The method of claim 41 wherein associating the particular software file with the execution information corresponding to the security level comprises determining job object limitations based on the security level.
  - 52. The method of claim 41 further comprising, executing the particular software file in an execution environment that is based on the security level.

53. Computer storage media having computer-executable instructions stored thereon that when executed by a computing system, perform a method comprising:
- providing a plurality of rules for executable software files, each rule having a security level associated therewith;
  
  receiving a request to access a particular software file that includes executable code;
  
  performing a user-credential based access check to determine normal security privileges and access rights of the user for the software file;
  
  thereafter, performing a file-classification based access check to determine whether the user'"'"'s normal security privileges and access rights should be modified to include a subset of the user'"'"'s normal security privileges and access rights for the software file, comprising;
  
  searching a rule set for an applicable rule to apply to the software file, the rule set providing security rules for a variety of software files which may have executable code, and the security rules being based on file classifications corresponding to the variety of software files; and
  
  determining which rule applies to the particular software file based on a file classification of that software file; and
  
  associating the particular software file with execution information corresponding to the security level to control the software file'"'"'s runtime capabilities.

54. A computer system having a processor that executes a security mechanism, the computer system comprising:
- means for implementing a set of at least one function, each function of the set being configured to receive a request relating to executing a software file, the software file being associated with software classification information, the software classification information being indicative of at least some executable code within the software file;
  
  means for establishing a policy container having a plurality of rules therein, the plurality of rules applying to a variety of software files which may have executable code and being based on a file classification corresponding to the variety of software files, each rule being associated with a security level; and
  
  means for implementing an enforcement mechanism configured for communication with each function of the set of functions, the implemented enforcement mechanism being further configured to;
  
  perform a user-credential based access check to determine normal security privileges and access rights of the user for the software file;
  
  obtain software classification information associated with the software file from a function of the set,after performing the user-credential based access check, consult the policy container to locate a rule based on the software classification, andassociate security information with the software file, the security information based on the security level associated with the rule.
- View Dependent Claims (55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74)
- - 55. The system of claim 54 wherein the security information associated with the software file comprises a normal access token of a user.
  - 56. The system of claim 54 wherein the security information associated with the software file comprises return data indicative of disallowing execution.
  - 57. The system of claim 54 wherein the security information associated with the software file comprises a restricted token.
  - 58. The system of claim 57 wherein the enforcement mechanism computes the restricted token from a parent token.
  - 59. The system of claim 58 wherein the restricted token has less access to at least one resource relative to the parent token.
  - 60. The system of claim 58 wherein the restricted token has at least one less privilege relative to the parent token.
  - 61. The system of claim 58 wherein the restricted token includes at least one restricted security identifier that is not present in the parent token.
  - 62. The system of claim 54 wherein the security information associated with the software file comprises a job object.
  - 63. The system of claim 54 wherein the security information associated with the software file comprises network access restrictions.
  - 64. The system of claim 54 wherein, one of the functions of the set is configured to load the software file into memory.
  - 65. The system of claim 54 wherein one of the functions of the set is configured to create a process.
  - 66. The system of claim 54 wherein one of the functions of the set is configured to execute the software file.
  - 67. The system of claim 54 wherein one of the functions of the set is configured to create an object.
  - 68. The system of claim 54 wherein one of the functions of the set is configured to run a script.
  - 69. The system of claim 54 wherein one of the functions of the set is configured to install software onto the system.
  - 70. The system of claim 54 wherein one of the rules comprises a hash rule.
  - 71. The system of claim 54 wherein one of the rules comprises a digital signature rule.
  - 72. The system of claim 54 wherein one of the rules comprises a path rule.
  - 73. The system of claim 54 wherein one of the rules comprises a zone rule.
  - 74. The system of claim 54 wherein the policy container includes information from at least one group policy object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Lambert, John J., Lawson, Jeffrey A., Garg, Praerit
Primary Examiner(s)
Chavis; John

Application Number

US09/877,710
Publication Number

US 20020099952A1
Time in Patent Office

2,482 Days
Field of Search

717/172, 713/153, 707/219, 726/21
US Class Current

717/172
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/53   by executing in a restricte...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2145   Inheriting rights or proper...

G06F 2221/2149   Restricted operating enviro...

H04L 2463/101   applying security measures ...

H04L 63/12   Applying verification of th...

Policies for secure software execution

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

290 Citations

74 Claims

Specification

Solutions

Use Cases

Quick Links

Policies for secure software execution

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

290 Citations

74 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links