Tamper proof location services

US 8,560,839 B2
Filed: 12/20/2010
Issued: 10/15/2013
Est. Priority Date: 12/20/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for setting access permissions on a resource based on location information, the method comprising:

receiving a permission update request to update permissions for an identified resource to include location-based permission information, the location-based permission information including at least geographic location information defining a geographic region upon which the location based permission is applied;

locating an identified resource;

locating location based access control information associated with the identified resource;

determining one or more allowed location based actions from the location-based permission information accompanying the request by determining whether the resource can be read, written, or included in a listing based on a geographic location of a computing device on which the resource is stored;

updating the location based access control information to include the one or more allowed location-based actions; and

storing the updated location based access control information associated with the identified resource, so that subsequent attempts to access the identified resource will be subject to the specified location-based permission information,wherein the preceding steps are performed by at least one processor.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure location system is described herein that leverages location-based services and hardware to make access decisions. Many mobile computers have location devices, such as GPS. They also have a trusted platform module (TPM) or other security device. Currently GPS location data is made directly accessible to untrusted application code using a simple protocol. The secure location system provides a secure mechanism whereby the GPS location of a computer at a specific time can be certified by the operating system kernel and TPM. The secure location system logs user activity with a label indicating the geographic location of the computing device at the time of the activity. The secure location system can provide a difficult to forge, time-stamped location through a combination of kernel-mode GPS access and TPM security hardware. Thus, the secure location system incorporates secure location information into authorization and other operating system decisions.

Citations

16 Claims

1. A computer-implemented method for setting access permissions on a resource based on location information, the method comprising:
- receiving a permission update request to update permissions for an identified resource to include location-based permission information, the location-based permission information including at least geographic location information defining a geographic region upon which the location based permission is applied;
  
  locating an identified resource;
  
  locating location based access control information associated with the identified resource;
  
  determining one or more allowed location based actions from the location-based permission information accompanying the request by determining whether the resource can be read, written, or included in a listing based on a geographic location of a computing device on which the resource is stored;
  
  updating the location based access control information to include the one or more allowed location-based actions; and
  
  storing the updated location based access control information associated with the identified resource, so that subsequent attempts to access the identified resource will be subject to the specified location-based permission information,wherein the preceding steps are performed by at least one processor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein the identified resource is an object managed by an operating system that includes associated security information including at least one access control list (ACL) or access control entry (ACE).
  - 3. The method of claim 1 wherein receiving the permission update request comprises receiving the request from an application through an operating system application programming interface (API).
  - 4. The method of claim 1 wherein receiving the permission update request comprises receiving information identifying the resource by a path receiving access control information that includes a geographic location as at least one access criteria.
  - 5. The method of claim 1 wherein locating the identified resource comprises accessing the resource on disk, within a configuration database, or within a configuration directory and accessing related access control metadata associated with the resource.
  - 6. The method of claim 1 wherein locating the access control information comprises invoking an operating system application programming interface (API) for navigating and/or modifying access control information that include location-based information.
  - 7. The method of claim 1 wherein determining the one or more allowed location based actions comprises determining a geographic region based on one or more specified boundaries of the geographic region.
  - 8. The method of claim 1 wherein updating the access control information comprises adding a hierarchical access control entry (ACE) that indicates a geographic region in which a specified action related to the identified resource is permitted.
  - 9. The method of claim 1 wherein updating the access control information comprises combining location-based access control information with non-location-based access control information to indicate one or more criteria for accessing the identified resource.

10. A computer system for providing tamper-proof location services to software applications, the system comprising:
- a location hardware component that provides a hardware signal that indicates a current geographic location of the system;
  
  a hardware security component that provides a trustworthy computing guarantee for software code running on the system wherein the hardware security component verifies authentication information for a software driver associated with the location hardware component to create a secure chain of trust from the location hardware component to the operating system;
  
  a processor and memory configured to execute software instructions embodied within the following components;
  
  a kernel location provider that provides an interface from an operating system kernel to user-mode services and applications that use geographic location information;
  
  a location certification component that retrieves a certificate indicating a current geographic location of the computer system with information from the location hardware component and hardware security component, wherein location certificates retrieved by the location certification component include a signed indication of the location of the computer system and the time at which the certificate was generated;
  
  a location audit component that stores an audit trail of secure location information associated with the computer system, the location audit component further configured to periodically query the location hardware component to obtain current geographic location information of the system, the location audit component further configured to store an indication of the system'"'"'s location each time an application or service requests a location certificate from the location certification component; and
  
  a location verification component that requests location information from the kernel location provider and performs one or more actions based on received location information.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The system of claim 10 wherein the location hardware component comprises a global positioning system (GPS) hardware device that receives a GPS signal and determines a location of the system.
  - 12. The system of claim 10 wherein the location hardware component comprises non-GPS hardware from which a geographic location can be derived based on supplemental information.
  - 13. The system of claim 10 wherein the hardware security component includes a trusted platform module (TPM) that provides cryptographically verifiable authoritative information related to security of a computing device.
  - 14. The system of claim 10 wherein the hardware security component and location hardware are connected via a secure channel for communication.
  - 15. The system of claim 10 wherein the kernel location provides includes a pluggable model for providing drivers or other software for interacting with various location and security hardware devices to expose secure location information in a common way to applications and services.

16. A computer-readable storage device comprising instructions for controlling a computer system to access a resource with location-based access permissions, wherein the instructions, upon execution, cause a processor to perform actions comprising:
- receiving a request to access an identified resource on a computing device, wherein the identified resource includes associated location-based access information, the request including a security token identifying a security principal associated with the request;
  
  accessing a location hardware component having a secure source of location information;
  
  querying the location hardware component to determine if the location hardware component has been tampered with;
  
  receiving a location certificate from the secure source of location information that indicates a current geographic location of the computing device on which the request was received;
  
  comparing the current geographic location information provided by the received location certificate with at least one location-based restriction in access control information associated with the identified resource; and
  
  when the comparison indicates that the requested access of the resource is permitted at the current geographic location, allowing the access request and providing the requested access to the resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Barham, Paul, Figueroa, Joseph N.
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
JHAVERI, JAYESH M

Application Number

US12/972,534
Publication Number

US 20120159156A1
Time in Patent Office

1,030 Days
Field of Search

713/156, 713/168, 713/170, 713/172, 726/6, 726/9
US Class Current

713/156
CPC Class Codes

G06F 21/1013   to locations

G06F 21/604   Tools and structures for ma...

G06F 21/6218   to a system of files or obj...

G06F 2221/2111   Location-sensitive, e.g. ge...

H04L 63/107   wherein the security polici...

Tamper proof location services

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Tamper proof location services

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links