Access control based on program properties

US 8,239,954 B2
Filed: 05/07/2007
Issued: 08/07/2012
Est. Priority Date: 05/07/2007
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method, comprising:

generating privilege access lists based on manifests associated with one or more applications and a publisher for each of the one or more applications, said generating including accessing a manifest associated with a first of the applications, identifying one or more privileges in the manifest that the first application is asserted to have, and confirming that a publisher of the first application may grant the privileges in the manifest to the first application;

receiving a request for a resource from a principal associated with a requesting application;

retrieving an access control pattern associated with the resource;

identifying a privilege sub-expression in the access control pattern, the sub-expression defining a privilege;

accessing the privilege access lists to determine which applications have the privilege in the sub-expression;

expanding the privilege in the privilege sub-expression in the access control pattern to include the applications that have the privilege; and

matching the expanded access control pattern to the name of the principal.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A pattern matching access control system determines whether a principal should be granted access to use a resource based on properties of applications comprised by the principal. The principal name may be created when an application is loaded, invokes other applications (or programs) and/or assumes a new role context. Access is provided based on whether, for each application, the publisher is authorized by system policy to grant privilege as requested by the application. When a resource which requires the privilege is requested by a principal, an access control list (ACL) for the resource is expanded with a list of applications that have been authorized through their publisher to assert the privilege. The expanded ACL is compared to the principal name to determine resource access.

49 Citations

View as Search Results

20 Claims

1. A computer implemented method, comprising:
- generating privilege access lists based on manifests associated with one or more applications and a publisher for each of the one or more applications, said generating including accessing a manifest associated with a first of the applications, identifying one or more privileges in the manifest that the first application is asserted to have, and confirming that a publisher of the first application may grant the privileges in the manifest to the first application;
  
  receiving a request for a resource from a principal associated with a requesting application;
  
  retrieving an access control pattern associated with the resource;
  
  identifying a privilege sub-expression in the access control pattern, the sub-expression defining a privilege;
  
  accessing the privilege access lists to determine which applications have the privilege in the sub-expression;
  
  expanding the privilege in the privilege sub-expression in the access control pattern to include the applications that have the privilege; and
  
  matching the expanded access control pattern to the name of the principal.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer implemented method of claim 1,wherein the principal is a compound entity.
  - 3. The computer implemented method of claim 1, wherein the disjunction of application names includes applications provided by publishers which are allowed by system policy to grant the privilege associated with the privilege sub-expression.
  - 4. The computer implemented method of claim 3, wherein a publisher that provides an application and an endorser that asserts a privilege for the application are not the same entity.
  - 5. The computer implemented method of claim 1, wherein the principal includes a publisher name and the privilege sub-expression may be expanded to include an application provided by the publisher associated with the publisher name.
  - 6. The computer implemented method of claim 1, wherein said step of matching includes:
    - comparing the principal name to the access control pattern expanded using a subset of the application names, the subset limited to names of applications in the disjunction of application names which are running or are otherwise included in a principal name.
  - 7. The computer implemented method of claim 1, further comprising:
    - invoking the requesting application; and
      
      updating the privilege access lists for a privilege asserted by the requesting application if the requesting application publisher has authority to grant the privilege.
  - 8. The computer implemented method of claim 7, wherein said step of updating includes:
    - accessing an access control pattern for the privilege;
      
      determining whether the requesting application publisher matches a publisher in the privilege access control pattern.

9. One or more computer storage devices having processor readable code stored on said computer storage devices, said processor readable code for programming one or more processors to perform a method comprising:
- determining an application asserts at least one privilege, said determining the application asserts a privilege includes accessing a set of program properties from a manifest for the application, and determining if the program properties indicate the application asserts a privilege, the accessing a set of program properties includes either deriving the at least one privilege from annotations or deducing the at least one privilege from analysis of source code;
  
  determining the publisher of the application;
  
  accessing an access control pattern for the privilege;
  
  comparing the application publisher to the access control pattern for the privilege; and
  
  adding the application to an application list for the privilege based on said step of comparing.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The one or more computer storage devices of claim 9, wherein the access control pattern for the privilege describes one or more publishers having authority to grant the privilege.
  - 11. The one or computer storage devices of claim 10, wherein the access control pattern is controlled by system policy.
  - 12. The one or more computer storage devices of claim 9, wherein said step of comparing includes:
    - expanding the access control pattern with one or more publishers by access permission logic.
  - 13. The one or more computer storage devices of claim 9, further comprising:
    - assuming a new context role by the application.
  - 14. The one or more computer storage devices of claim 9, further comprising:
    - receiving a request for a resource by a principal comprised of an application;
      
      accessing a second access control pattern for the resource; and
      
      expanding a privilege sub-expression in the second access control pattern with a disjunction of elements included in the application list.
  - 15. The one or more computer storage devices of claim 9, further comprising:
    - determining if a name of the principal matches the second access control list for the resource after the second access control list is expanded with the application list.
  - 16. The one or more computer storage devices of claim 9, wherein the deducing the at least one privilege from analysis of source code includes determining what resources the application needs access to.

17. A computer system, comprising:
- a processor; and
  
  a computer storage media coupled to the processor, the storage media having processor readable code stored thereon for programming the processor to perform a method comprising;
  
  generating application lists comprising a disjunction of application names, wherein said generating application lists includes;
  
  accessing manifests associated with respective applications;
  
  identifying one or more privileges in each of the manifests that the respective application is asserted to have, andconfirming that a publisher of the respective application may grant the privileges in the manifest to the respective application;
  
  receiving a request for a resource from a principal associated with a requesting application;
  
  retrieving an access control pattern associated with the resource;
  
  identifying a sub-expression in the access control pattern;
  
  determining whether the sub-expression is set by system policy and, if so;
  
  retrieving sub-expression content defined by system policy; and
  
  expanding the sub-expression using the sub-expression content defined by system policy;
  
  determining whether the sub-expression is set by privilege and, if so;
  
  accessing the privilege access lists to determine which applications have a privilege in the sub-expression; and
  
  expanding the sub-expression to include the applications that have the privilege; and
  
  matching the expanded access control pattern to the name of the principal associated with the requesting application.
- View Dependent Claims (18, 19, 20)
- - 18. The computer system of claim 17, further comprising:
    - looking for a filename that corresponds to the sub-expression in the access control pattern in response to determining that the sub-expression is neither set by system policy nor by privilege;
      
      selecting file content associated with the filename; and
      
      expanding the sub-expression based on the file content.
  - 19. The computer system of claim 17, wherein said matching includes comparing the principal name to the access control pattern expanded using a subset of the application names, the subset limited to applications which are running or are otherwise included in a principal name.
  - 20. The computer system of claim 17, wherein the identifying one or more privileges in each of the manifests that the respective application is asserted to have includes either deriving the one or more privileges from annotations or deducing the one or more privileges from analysis of source code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Wobber, Edward P., Birrell, Andrew, Abadi, Martin
Primary Examiner(s)
Homayounmehr, Farid
Assistant Examiner(s)
TRUONG, THONG P

Application Number

US11/745,048
Publication Number

US 20080282354A1
Time in Patent Office

1,919 Days
Field of Search

726/26, 726/4
US Class Current

726/26
CPC Class Codes

G06F 21/6218 to a system of files or obj...

H04L 63/101 Access control lists [ACL]

Access control based on program properties

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

49 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Access control based on program properties

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links