Separate script context to isolate malicious script

US 8,505,070 B2
Filed: 09/08/2011
Issued: 08/06/2013
Est. Priority Date: 09/08/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

starting a first scripting context that has access to at least some resources associated with a computer;

loading at least one script into the first scripting context;

identifying a reference to remote content within the at least one script, the remote content being remote from the computer;

responsive to identifying the reference to remote content, starting a second scripting context that does not have access to the at least some resources associated with the computer;

loading the remote content into the second scripting context for execution; and

transferring data associated with the remote content from the second scripting context to the first scripting context.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various embodiments provide an ability to isolate execution of trusted content and/or script from execution of untrusted content and/or script. Separate contexts and/or execution environments can be used for the trusted content and untrusted content, respectively. A trusted context and/or execution environment associated with execution of trusted content can be configured to enable access to sensitive resources associated with a computing device. An untrusted context and/or execution environment associated with execution of untrusted content can be configured with limited and/or no access to the sensitive resources. Alternately or additionally, data generated within the untrusted context can be transferred to the trusted context in a benign manner.

6 Citations

View as Search Results

20 Claims

1. A computer-implemented method comprising:
- starting a first scripting context that has access to at least some resources associated with a computer;
  
  loading at least one script into the first scripting context;
  
  identifying a reference to remote content within the at least one script, the remote content being remote from the computer;
  
  responsive to identifying the reference to remote content, starting a second scripting context that does not have access to the at least some resources associated with the computer;
  
  loading the remote content into the second scripting context for execution; and
  
  transferring data associated with the remote content from the second scripting context to the first scripting context.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1, the at least some resources comprising at least some operating system software interfaces associated with the computer.
  - 3. The computer-implemented method of claim 1, the first scripting context configured to execute script associated with HyperText Markup Language (HTML).
  - 4. The computer-implemented method of claim 1 further comprising:
    - identifying a callback function associated with the remote content; and
      
      inserting a stub method associated with the callback function into the second scripting context to enable said transferring data associated with remote content in a benign format.
  - 5. The computer-implemented method of claim 4 further comprising:
    - calling the callback function in the first scripting context after the stub method executes in the second scripting context effective to process the transferred data.
  - 6. The computer-implemented method of claim 4, the transferring data associated with remote content in a benign format further comprising converting the data into at least one string.
  - 7. The computer-implemented method of claim 1, the identifying a reference to remote content comprising identifying the reference to remote content through identification of a Uniform Resource Locator (URL).
  - 8. The computer-implemented method of claim 1 further comprising disallowing direct communication between the first scripting context and the second scripting context.

9. One or more computer-readable storage memory comprising computer-readable instructions that are executable to:
- identify an attribute associated with remote content that is referenced within at least one scripting file, the at least one scripting file being local to a computing device, the remote content being remote from the computing device;
  
  responsive to identifying the attribute, start a scripting context that does not have access to at least some resources associated with the computing device;
  
  load the remote content into the scripting context, the remote content being configured to generate at least some data; and
  
  transfer the at least some data to a second scripting context in a trusted format.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The one or more computer-readable storage memory of claim 9, the trusted format comprising a string format.
  - 11. The one or more computer-readable storage memory of claim 9, the computer-readable instructions further executable to convert the trusted format into a data format associated with the second scripting context.
  - 12. The one or more computer-readable storage memory of claim 9, the instructions to identify an attribute associated with remote content further comprising instructions to identify a source attribute contained within a script tag.
  - 13. The one or more computer-readable storage memory of claim 9, the instructions to transfer the at least some data further comprising instructions to transfer the at least some data to the second scripting context via a proxy.
  - 14. The one or more computer-readable storage memory of claim 9, the instructions further comprising instructions to download the remote content to the computing device.
  - 15. The one or more computer-readable storage memory of claim 9, the second scripting context associated with a web browser.

16. One or more computer-readable storage memory comprising computer readable instructions which, responsive to execution by at least one processor, implement:
- one or more global scripting context modules configured to;
  
  execute packaged content associated with a web application; and
  
  enable identification of remotely referenced and accessible content within the packaged content;
  
  one or more limited scripting context modules configured to;
  
  process the remotely referenced and accessible content identified within the packaged content; and
  
  generate data associated with the remotely referenced and accessible content; and
  
  one or more proxy modules configured to;
  
  broker interactions between the one or more global scripting context modules and the one or more limited scripting context modules; and
  
  enable transfer of the data associated with the remotely referenced and accessible content, in a benign format, from a limited scripting context associated with the one or more limited scripting context modules to a global scripting context associated with the one or more global scripting context modules.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The one or more computer-readable storage memory of claim 16, the packaged content comprising one or more HyperText Markup Language (HTML) files.
  - 18. The one or more computer-readable storage memory of claim 16, the limited scripting context associated with the one or more limited scripting context module configured to execute JavaScript Object with Padding (JSONP) script.
  - 19. The one or more computer-readable storage memory of claim 16, the one or more proxy modules further configured to perform validation on the data associated with the remotely referenced and accessible content.
  - 20. The one or more computer-readable storage memory of claim 16, the one or more global scripting context modules further configured to:
    - receive the data associated with the remotely referenced and accessible content; and
      
      convert the data in the benign format to a data format associated with and useable by the global scripting context.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Sterland, Andy R., Risney, David L. Jr., Graham, Scott B.
Primary Examiner(s)
Reza, Mohammad W

Application Number

US13/228,346
Publication Number

US 20130067585A1
Time in Patent Office

698 Days
Field of Search

726/26, 726/2, 726/27, 713/168, 713/169, 713/189
US Class Current

726/2
CPC Class Codes

G06F 21/53 by executing in a restricte...

Separate script context to isolate malicious script

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

6 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Separate script context to isolate malicious script

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

6 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others