Security language expressions for logic resolution
Abstract
A security language expresses assertions and authorization queries in a manner that facilitates logic resolution. In an example implementation, assertion syntax and authorization query syntax are described. In another example implementation, checks on the safety of assertions and authorization queries are described. In yet another example implementation, semantics rules are described.
20 Claims
1. A method comprising:
- determining, by one or more processors of a first computing device, whether an assertion context is safe or not safe by checking a syntax of one or more assertions of the assertion context, wherein the assertion context is safe when the syntax of each of the one or more assertions is safe and the assertion context is not safe when the syntax of at least one of the one or more assertions is not safe, wherein the syntax of the one or more assertions comprises a grammatically correct sentence comprising “principal says claim,” wherein the “principal” comprises a user of the first computing device who grants or restricts access to a resource stored in memory of the first computing device or a second computing device, and wherein the “claim” comprises a first fact comprising a statement about the principal;
- determining, by the one or more processors, whether a syntax of an authorization query is safe or not safe, wherein the syntax of the authorization query comprises a grammatically correct logical expression comprising a second fact;
- at least in part in response to determining that the assertion context is safe and at least in part in response to determining that the authorization query is safe; translating, by the one or more processors, the safe assertion context and the safe authorization query into a logic language, and evaluating, by the one or more processors, the translated authorization query in conjunction with the translated assertion context to produce an authorization decision to grant or restrict access to the resource stored in the memory of the first computing device or the second computing device; and
- in response to determining that the assertion context is not safe or in response to determining that the authorization query is not safe, refraining from evaluating the authorization query in conjunction with the assertion context to produce an authorization decision, wherein the determining whether the assertion context is safe or not safe guarantees that the evaluating the translated authorization query in conjunction with the translated assertion context terminates in all cases.

Dependent claims: 2, 3, 4, 5, 6, 7
8. A first device comprising:
- one or more processors;
- assertions and authorization queries stored in memory;
- a safety checking module, stored in the memory and executable on the one or more processors, to (i) check that an assertion context is safe using an assertion syntactic check by checking a syntax of one or more assertions of the assertion context, wherein the syntax of the one or more assertions comprise a grammatically correct sentence comprising “principal says claim,” wherein the “principal” comprises a user of the first device who grants or restricts access to a resource of the first device or a second device, wherein the “claim” comprises a first fact comprising a statement about the principal, and wherein the assertion context is safe when the syntax of each of the one or more assertions of the assertion context is safe and not safe when the syntax of at least one of the one or more assertions of the assertion context is not safe, and (ii) check that an authorization query is safe using an authorization query syntactic check, wherein the syntax of the authorization query comprises a grammatically correct logic expression comprising a second fact; and
- an evaluation module, stored in the memory and executable on the one or more processors, to evaluate the authorization query against the assertion context to produce an authorization decision for granting or restricting access to the resource of the first device or the second device when the assertion context and the authorization query syntax are safe as determined by the safety checking module, wherein the evaluation module refrains from evaluating the authorization query against the assertion context responsive to determining by the safety checking module that at least one of the assertion context or the authorization query syntax is not safe.

Dependent claims: 9
10. One or more computer-readable memory storing instructions that, when executed by a processor, enable actions for implementing a security scheme, the actions comprising:
- determining whether an assertion context of one or more assertions is safe or not safe, based at least on determining whether that all of the one or more assertions are safe;
- determining whether an authorization query is safe, based at least on checking a syntax of the authorization query;
- at least partly in response to determining that the assertion context is safe and determining that the authorization query is safe; translating the assertion context and the authorization query into a logic language, and evaluating the translated authorization query in conjunction with the translated assertion context to produce an authorization decision for access to a resource; and
- in response to determining that the assertion context is not safe or determining that the authorization query is not safe, refraining from evaluating the authorization query in conjunction with the assertion context to produce an authorization decision.

Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18, 19, 20
Specification