Access authorization having embedded policies

US 8,181,219 B2
Filed: 10/01/2004
Issued: 05/15/2012
Est. Priority Date: 10/01/2004
Status: Active Grant

First Claim

Patent Images

1. A method in a computing system having a memory and a processor for receiving an embedded policy, the method comprising:

receiving a request to load a first application program of a first application program image;

determining whether a first policy is embedded within the first application program image, such that the first application program image contains the first application program and the embedded first policy, wherein the first policy is coded in a programming language;

responsive to determining that a first policy is embedded in the first application program image;

with the processor, extracting the first policy from the first application program image,loading the first application program for execution by the processor,starting execution of the first application program,with the processor, intercepting a call by the first application program to access a resource, andupon intercepting the call,with the processor, executing the code of the extracted first policy to determine whether to allow or deny the access,upon determining that the access is allowed, enabling the access, andupon determining that the access is not allowed, preventing the accessso that the first application program of the first application program image is restricted from accessing computer resources in accordance with the access restrictions defined by the first policy embedded within the first application program image;

embedding a second policy within a second application program, wherein the second policy defines access restrictions for the second application program, so that the second application program contains the embedded second policy;

accessing a directed graph that represents system calls normally issued by the second application program, wherein the directed graph was previously generated by tracking previous instances of the second application program;

tracking the execution of a second instance of the second application program; and

upon detecting, based on the tracking and the directed graph, an anomalous condition in the execution of the second instance of the application program,extracting the embedded second policy from within the second application program, andapplying the extracted second policy to the second instance of the application programso that the second instance of the second application program is restricted from accessing computer resources in accordance with the access restrictions defined by the second policy that is embedded within the second application program.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A facility for receiving an embedded policy is provided. The facility checks an application program image for the presence of an embedded policy. If an embedded policy is detected, the facility extracts the policy from within the application program image. The facility may then apply the extracted policy to the application program image before the application program image is loaded and/or executed. Moreover, the facility may check the application program image'"'"'s integrity prior to extracting the embedded policy.

Citations

30 Claims

1. A method in a computing system having a memory and a processor for receiving an embedded policy, the method comprising:
- receiving a request to load a first application program of a first application program image;
  
  determining whether a first policy is embedded within the first application program image, such that the first application program image contains the first application program and the embedded first policy, wherein the first policy is coded in a programming language;
  
  responsive to determining that a first policy is embedded in the first application program image;
  
  with the processor, extracting the first policy from the first application program image,loading the first application program for execution by the processor,starting execution of the first application program,with the processor, intercepting a call by the first application program to access a resource, andupon intercepting the call,with the processor, executing the code of the extracted first policy to determine whether to allow or deny the access,upon determining that the access is allowed, enabling the access, andupon determining that the access is not allowed, preventing the accessso that the first application program of the first application program image is restricted from accessing computer resources in accordance with the access restrictions defined by the first policy embedded within the first application program image;
  
  embedding a second policy within a second application program, wherein the second policy defines access restrictions for the second application program, so that the second application program contains the embedded second policy;
  
  accessing a directed graph that represents system calls normally issued by the second application program, wherein the directed graph was previously generated by tracking previous instances of the second application program;
  
  tracking the execution of a second instance of the second application program; and
  
  upon detecting, based on the tracking and the directed graph, an anomalous condition in the execution of the second instance of the application program,extracting the embedded second policy from within the second application program, andapplying the extracted second policy to the second instance of the application programso that the second instance of the second application program is restricted from accessing computer resources in accordance with the access restrictions defined by the second policy that is embedded within the second application program.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - responsive to determining that a first policy is not embedded in the first application program image;
      
      when a third policy applicable to the first application program is stored in a policy repository,loading the first application for execution on the computer, andapplying the third policy applicable to the first application program that is stored in the policy repository so that the first application program is restricted from accessing computer resources in accordance with the access restrictions defined by the third policy applicable to the first application program that is stored in the policy repository, andwhen a third policy applicable to the first application program is not stored in the policy repository, not loading the first application program for execution on the computer.
  - 3. The method of claim 1, wherein the embedded first policy is declared using XML.
  - 4. The method of claim 1, further comprising:
    - verifying the integrity of the first application program image prior to extracting the embedded first policy, loading the first application program image, and applying the extracted first policy to the first application program image; and
      
      extracting the embedded first policy, loading the first application program image, and applying the extracted first policy to the first application program image subsequent to verifying the integrity of the first application program image.
  - 5. The method of claim 1, further comprising storing the extracted first policy in a policy repository.
  - 6. The method of claim 1, further comprising:
    - storing the extracted first policy in a policy table on the computing system.
  - 7. The method of claim 1, further comprising:
    - verifying the integrity of the first application program image prior to extracting the first policy.
  - 8. The method of claim 1, further comprising:
    - embedding the first policy within the first application program image.
  - 9. The method of claim 1, further comprising:
    - compiling the first policy from a non-executable version in a programming language into an executable version.

10. A method in a computing system having a memory and a processor for receiving an embedded policy, the method comprising:
- receiving a request to load a first application program of a first application program image;
  
  determining whether a first policy is embedded within the first application program image, such that the first application program image contains the first application program and the embedded first policy, wherein the first policy is coded in a programming language;
  
  responsive to determining that a first policy is embedded in the first application program image;
  
  with the processor, extracting the first policy from the first application program image,loading the first application program for execution by the processor,starting execution of the first application program,with the processor, intercepting a call by the first application program to access a resource, andupon intercepting the call,with the processor, executing the code of the extracted first policy to determine whether to allow or deny the access,upon determining that the access is allowed, enabling the access, andupon determining that the access is not allowed, preventing the accessso that the first application program of the first application program image is restricted from accessing computer resources in accordance with the access restrictions defined by the first policy embedded within the first application program image;
  
  embedding a second policy within a second application program, wherein the second policy defines access restrictions for the second application program, so that the second application program contains the embedded second policy;
  
  accessing a directed graph that represents system calls normally issued by the second application program, wherein the directed graph was previously generated by tracking previous instances of the second application program;
  
  tracking the execution of a second instance of the second application program;
  
  upon detecting, based on the tracking and the directed graph, an anomalous condition in the execution of the second instance of the application program,extracting the embedded second policy from within the second application program, andapplying the extracted second policy to the second instance of the application programso that the second instance of the second application program is restricted from accessing computer resources in accordance with the access restrictions defined by the second policy that is embedded within the second application program; and
  
  responsive to determining that a first policy is not embedded in the first application program image;
  
  when a third policy applicable to the first application program is stored in a policy repository,loading the first application for execution on the computer, andapplying the third policy applicable to the first application program that is stored in the policy repositoryso that the first application program is restricted from accessing computer resources in accordance with the access restrictions defined by the third policy applicable to the first application program that is stored in the policy repository, andwhen a third policy applicable to the first application program is not stored in the policy repository, not loading the first application program for execution on the computer.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The method of claim 10, further comprising:
    - extracting the embedded first policy, loading the first application program image, and applying the extracted first policy to the first application program image subsequent to verifying the integrity of the first application program image.
  - 12. The method of claim 11, further comprising:
    - storing the extracted first policy in a policy table on the computing system.
  - 13. The method of claim 10, further comprising:
    - embedding the first policy within the first application program image.
  - 14. The method of claim 13, further comprising:
    - verifying the integrity of the first application program image prior to extracting the first policy from the first application program image.
  - 15. The method of claim 14, further comprising storing the extracted first policy in a policy repository.
  - 16. The method of claim 15, wherein the first policy is declared using XML.
  - 17. The method of claim 16, further comprising:
    - compiling the first policy from a non-executable version in a programming language into an executable version.

18. A system having a memory and a processor for applying an embedded policy, the system comprising:
- a component that receives a request to load an image of a first application program, the image of the first application program containing the first application program;
  
  a component that determines whether a first policy is embedded within the first application program, the first policy defining access restrictions for the first application program, such that the first application program contains the embedded first policy, wherein the first policy is coded in a programming language;
  
  a component that, responsive to determining that a first policy is embedded within the first application program;
  
  extracts the first policy from the first application program,loads the image of the first application program on the computer for execution by the processor,starts execution of the first application program,intercepts a call by the first application program to access a resource, andupon intercepting the call,executes, with a processor, the code of the extracted first policy to determine whether to allow or deny the access,upon determining that the access is allowed, enables the access, andupon determining that the access is not allowed, prevents the accessso that the first application program is restricted from accessing computer resources in accordance with the access restrictions defined by the first policy embedded within the first application program;
  
  a component that embeds a second policy within a second application program, wherein the second policy defines access restrictions for the second application program, so that the second application program contains the embedded second policy;
  
  a component that accesses a directed graph that represents system calls normally issued by the second application program, wherein the directed graph was previously generated by tracking previous instances of the second application program;
  
  a component that tracks the execution of a second instance of the second application program; and
  
  a component that upon detecting, based on the tracking and the directed graph, an anomalous condition in the execution of the second instance of the application program,extracts the embedded second policy from within the second application program, andapplies the extracted second policy to the second instance of the application programso that the second instance of the second application program is restricted from accessing computer resources in accordance with the access restrictions defined by the second policy that is embedded within the second application program.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 19. The system of claim 18, further comprising:
    - a component that, responsive to determining that a first policy is not embedded in the first application program;
      
      when a third policy applicable to the first application program is stored in a policy repository,loads the first application for execution on the computer, andapplies the third policy applicable to the first application program that is stored in the policy repositoryso that the first application program is restricted from accessing computer resources in accordance with the access restrictions defined by the third policy applicable to the first application program that is stored in the policy repository, andwhen a third policy applicable to the first application program is not stored in the policy repository, does not load the first application program for execution on the computer.
  - 20. The system of claim 18, further comprising:
    - a component that extracts the embedded first policy and loads the image of the first application program subsequent to verifying the integrity of the image of the first application program.
  - 21. The system of claim 18, further comprisinga component that stores the extracted first policy in a policy repository.
  - 22. The system of claim 18, wherein the embedded first policy is declared using XML.
  - 23. The system of claim 18, further comprising:
    - a component that compiles the first policy from a non-executable version in a programming language into an executable version.
  - 24. The system of claim 18, wherein the extracted first policy is stored in a policy table on the computer.
  - 25. The system of claim 18, further comprising:
    - a component that verifies the integrity of the image of the first application program prior to extracting the embedded first policy, loading the image of the first application program, and applying the extracted first policy to the image of the first application program executing on the computer.
  - 26. The system of claim 18, further comprising:
    - a component that embeds the first policy within the image of the first application program.
  - 27. The system of claim 18 wherein the first policy is compiled from a non-executable version in a programming language into an executable version.

28. A system having a memory and a processor for applying an embedded policy, the system comprising:
- a component that receives a request to load an image of a first application program, the image of the first application program containing the first application program;
  
  a component that determines whether a first policy is embedded within the first application program, the first policy defining access restrictions for the first application program, such that the first application program contains the embedded first policy, wherein the first policy is coded in a programming language;
  
  a component that, responsive to determining that a first policy is embedded within the first application program;
  
  extracts the first policy from the first application program,loads the image of the first application program on the computer for execution by the processor;
  
  starts execution of the first application program,intercepts a call by the first application program to access a resource, and upon intercepting the call,executes, with a processor, the code of the extracted first policy to determine whether to allow or deny the access,upon determining that the access is allowed, enables the access, andupon determining that the access is not allowed, prevents the accessso that the first application program is restricted from accessing computer resources in accordance with the access restrictions defined by the first policy embedded within the first application program;
  
  a component that embeds a second policy within a second application program, wherein the second policy defines access restrictions for the second application program, so that the second application program contains the embedded second policy;
  
  a component that accesses a directed graph that represents system calls normally issued by the second application program, wherein the directed graph was previously generated by tracking previous instances of the second application program;
  
  a component that tracks the execution of a second instance of the second application program;
  
  a component that upon detecting, based on the tracking and the directed graph, an anomalous condition in the execution of the second instance of the application program,extracts the embedded second policy from within the second application program, andapplies the extracted second policy to the second instance of the application programso that the second instance of the second application program is restricted from accessing computer resources in accordance with the access restrictions defined by the second policy that is embedded within the second application program; and
  
  a component that, responsive to determining that a first policy is not embedded in the first application program;
  
  when a third policy applicable to the first application program is stored in a policy repository,loads the first application for execution on the computer, andapplies the third policy applicable to the first application program that is stored in the policy repositoryso that the first application program is restricted from accessing computer resources in accordance with the access restrictions defined by the third policy applicable to the first application program that is stored in the policy repository, andwhen a third policy applicable to the first application program is not stored in the policy repository, does not load the first application program for execution on the computer.
- View Dependent Claims (29, 30)
- - 29. The system of claim 28, further comprising:
    - a component that verifies the integrity of the first application program image prior to the extraction of the first policy from the first application program image.
  - 30. The system of claim 28, further comprisinga component that stores the extracted first policy in a policy repository.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Golan, Gilad, Vayman, Mark
Primary Examiner(s)
Lipman, Jacob

Application Number

US10/956,667
Publication Number

US 20060075462A1
Time in Patent Office

2,783 Days
Field of Search

726/1
US Class Current

726/1
CPC Class Codes

G06F 16/122   using management policies b...

G06F 21/30   Authentication, i.e. establ...

G06F 21/54   by adding security routines...

G06F 21/554   involving event detection a...

G06F 21/62   Protecting access to data v...

Access authorization having embedded policies

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Access authorization having embedded policies

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links