Sandboxing technology for webruntime system
Abstract
In a first embodiment of the present invention, a method of providing security enforcements of widgets in a computer system having a processor and a memory is provided, comprising: extracting access control information from a widget process requesting a service, generating access control rules customized for the widget process, and providing the access control rules to a trusted portion of the computer system outside of the user code space of a Web Runtime (WRT) system; and for any static access control rule, delegating security checking of the widget process from the WRT system to the trusted portion of the computer system.
27 Claims
1. A method of providing security enforcements of widgets in a computer system having a processor and a memory, comprising:
- extracting access control information from a widget process requesting a service, generating one or more access control rules customized for the widget process, and providing the access control rules to a trusted portion of the computer system outside of a user code space of a Web Runtime (WRT) system; and
- for any static access control rule, delegating security checking of the widget process from the WRT system to the trusted portion of the computer system, wherein the trusted portion of the computer system uses the access control rules for security checking of the widget process, and wherein the WRT system is modified to generate one or more static access control rules and convert the static access control rules into a form that is compatible with the trusted portion of the computer system based on system requirements and type of technology used by the trusted portion of the computer system, the WRT system is configured to dynamically adjust, based on a particular access control rule, which one of the WRT system and the trusted portion of the computer system performs security checking of the widget process.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14

15. A method of providing security enforcements of widgets in a computer system having a processor and a memory, comprising:
- extracting access control information from a widget process requesting a service, generating one or more access control rules customized for the widget process, and providing the access control rules to a trusted portion of the computer system outside of the user code space of a Web Runtime (WRT) system; and
- for any static access control rule, delegating some but not all security checking of the widget process from the WRT system to the trusted portion of the computer system, such that two levels of security checking are performed, one by the WRT system and one by the trusted portion of the computer system, wherein the trusted portion of the computer system uses the access control rules for security checking of the widget process, and wherein the WRT system is modified to generate one or more static access control rules and convert the static access control rules into a form that is compatible with the trusted portion of the computer system based on system requirements and type of technology used by the trusted portion of the computer system, wherein the WRT system is configured to dynamically adjust, based on a particular access control rule, which one of the WRT system and the trusted portion of the computer system performs security checking of the widget process.

Dependent claims: 16, 17

18. A computer system having improved widget security, comprising:
- a processor;
- a memory;
- an operating system; and
- a Web Runtime (WRT) system supporting installation and invocation of widgets, wherein the WRT system is configured to:
  - receive a widget manifest from each installed widget;
  - based on at least one widget manifest received, determine one or more access control rules delegable from the WRT system to a more secure portion of the computer system associated with the operating system; and
  - pass a set of delegable static access control rules to the more secure portion of the computer system to perform security checking;
- wherein each widget manifest comprises access restrictions for an associated installed widget;
- wherein the WRT system is modified to generate the set of delegable static access control rules and convert the set of delegable static access control rules into a form compatible with the more secure portion of the computer system based on system requirements and type of technology used by the more secure portion of the computer system; and
- wherein the WRT system is configured to dynamically adjust, based on a particular access control rule, which one of the WRT system and the more secure portion of the computer system performs security checking.

Dependent claims: 19, 20, 21, 22, 23, 24, 25

26. A system comprising:
- a plurality of widgets;
- a WRT management process;
- a security server; and
- an operating system kernel;
- wherein the WRT management process:
  - extracts access control information from the widgets, generate one or more access control rules, and provides the access control rules to the operating system kernel; and
  - for any static access control rule, delegates at least some security checking of a widget process to the operating system kernel, wherein the operating system kernel uses the access control rules for security checking of the widget process, and wherein the WRT management process is modified to generate one or more static access control rules and convert the static access control rules into a form that is compatible with the operating system kernel based on system requirements and type of technology used by the operating system kernel, wherein the WRT management process is associated with a WRT system, and the WRT system is configured to dynamically adjust, based on a particular access control rule, which one of the WRT system and the operating system kernel performs security checking.

27. A program storage device readable by a machine tangibly embodying a program of instructions executable by the machine to perform a method providing security enforcements of widgets in a computer system having a processor and a memory, the method comprising:
- extracting access control information from a widget process requesting a service, generating one or more access control rules customized for the widget process, and providing the access control rules to a trusted portion of the computer system outside of a user code space of a Web Runtime (WRT) system; and
- for any static access control rule, delegating security checking of the widget process from the WRT system to the trusted portion of the computer system, wherein the trusted portion of the computer system uses the access control rules for security checking of the widget process, and wherein the WRT system is modified to generate one or more static access control rules and convert the static access control rules into a form that is compatible with the trusted portion of the computer system based on system requirements and type of technology used by the trusted portion of the computer system, wherein the WRT system is configured to dynamically adjust, based on a particular access control rule, which one of the WRT system and the trusted portion of the computer system performs security checking.

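The rule split that the abstract and the independent claims describe, as an added example that is not taken from the patent: rules are extracted from a widget manifest, static ones are converted to a kernel-loadable form and delegated, and the rest stay with the WRT. The manifest layout, the allow/deny/prompt test for "static", and the `subject object access` triple are assumptions; the page defines none of them.

```python
# Added illustration, not code from the patent; names and formats are hypothetical.
from dataclasses import dataclass
# Constructed manifest: the access restrictions one widget declares.
MANIFEST = {
    "widget": "weather_widget",
    "access": [
        {"resource": "network", "perm": "rw", "decision": "allow"},
        {"resource": "contacts", "perm": "r", "decision": "deny"},
        {"resource": "location", "perm": "r", "decision": "prompt"},
    ],
}

@dataclass(frozen=True)
class Rule:
    subject: str
    resource: str
    perm: str
    decision: str

    @property
    def is_static(self):
        # Assumption: fixed allow/deny is static; a run-time prompt is dynamic.
        return self.decision in ("allow", "deny")

def extract_rules(manifest):
    """Build per-widget rules from the manifest's access restrictions."""
    return [Rule(manifest["widget"], a["resource"], a["perm"], a["decision"])
            for a in manifest["access"]]

def to_kernel_form(rule):
    """Convert a static rule to an assumed 'subject object access' triple."""
    if not rule.is_static:
        raise ValueError("dynamic rules are not delegable")
    access = rule.perm if rule.decision == "allow" else "-"
    return f"{rule.subject} {rule.resource} {access}"

def delegate(manifest):
    """Split rules: kernel-form policy lines, and rules the WRT keeps."""
    rules = extract_rules(manifest)
    policy = [to_kernel_form(r) for r in rules if r.is_static]
    return policy, [r for r in rules if not r.is_static]

def kernel_check(policy, subject, resource, wanted):
    """Stand-in for the trusted portion: default deny unless a triple grants it."""
    for line in policy:
        subj, obj, access = line.split()
        if (subj, obj) == (subject, resource):
            return set(wanted) <= set(access)
    return False
```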
Specification