Capability-based access control for applications in particular co-operating applications in a chip card
Abstract
The invention relieves an application programmer of the responsibility for managing access rights, by providing application code that is independent of the protection in a chip card. When an application, for example in a docking station, is given access to an object pertaining to another application in a chip card, two capabilities are created respectively in the applications, as objects, to protect all subsequent accesses to the object by filtering them through the two capabilities. On accessing an object pertaining to an application, if a second object pertaining to the other application is passed on to the latter, two other capabilities are added in the applications to protect access to the second object.
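The paired-capability filtering described in the abstract, as an added Python sketch that is not taken from the patent. The class names, the `invoke` method and the purse and log objects are assumptions, and treating a caller-owned argument as the "second object" is one reading of the abstract.

```python
# Added illustration, not code from the patent; every name here is hypothetical.
class ProviderCapability:
    """Created in the access-providing application: limits access to one object."""
    def __init__(self, target, allowed):
        self._target, self._allowed = target, frozenset(allowed)
    def invoke(self, method, *args):
        if method not in self._allowed:
            raise PermissionError(f"{method} is not granted")
        return getattr(self._target, method)(*args)

class RequesterCapability:
    """Created in the access-requesting application: refers only to its peer."""
    def __init__(self, holder, provider, peer):
        self._holder, self._provider, self._peer = holder, provider, peer
    def invoke(self, method, *args):
        # An argument owned by the caller crosses the boundary as a new pair.
        args = [grant(self._holder, self._provider, a) if id(a) in self._holder.rules
                else a for a in args]
        return self._peer.invoke(method, *args)

class Application:
    def __init__(self):
        self.rules, self.capabilities = {}, []  # id(obj) -> (obj, allowed methods)
    def own(self, obj, allowed):  # storing obj keeps it alive, so its id stays valid
        self.rules[id(obj)] = (obj, frozenset(allowed))
        return obj

def grant(provider, requester, obj):  # creates the two capabilities for obj
    limiting = ProviderCapability(obj, provider.rules[id(obj)][1])
    linking = RequesterCapability(requester, provider, limiting)
    provider.capabilities.append(limiting)
    requester.capabilities.append(linking)
    return linking

class Purse:  # constructed sample object owned by the card application
    def __init__(self): self.amount = 100
    def credit(self, n): self.amount += n
    def debit(self, n, log):
        self.amount -= n
        log.invoke("append", f"debit {n}")  # the log arrives as a capability

class Log(list): pass  # constructed sample object owned by the docking station

def demo():
    card, station = Application(), Application()
    purse, log = card.own(Purse(), {"debit"}), station.own(Log(), {"append"})
    cap = grant(card, station, purse)  # first pair: station gains access to the purse
    cap.invoke("debit", 30, log)       # second pair: created for the log on the way in
    return cap, card, station, purse, log
```

Neither `Purse` nor `Log` contains any access check; the limits come only from the rules registered with `own`, which is the separation of application code from protection that the abstract claims.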
13 Claims
1. A method for controlling access between two applications each cooperating by means of capabilities on objects belonging to the other application, the applications cooperating through at least one operating system and being established in a data processing means, comprising the following step:
- when one of the applications, known as the access-requesting application, is given access to an object belonging to another application, known as the access-providing application, creating two capabilities respectively in said access-requesting and providing applications, as objects;
wherein the capability created in the access-providing application limits access to said object and, the capability created in the access-requesting application associates the access-requesting application with the capability created in the access-providing application.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10

11. An application generating method, comprising the following steps:
- developing an application comprising at least one object, without restriction on access;
- defining rules on rights of access to the object included within the application from a second application;
- transforming the application comprising the object by adding to said application means of filtering the accesses to said object and;
- establishing the transformed application within a data processing means.
Dependent claims: 12, 13
Specification