Methods for restricting resources used by a program based on entitlements

US 9,280,644 B2
Filed: 06/19/2013
Issued: 03/08/2016
Est. Priority Date: 01/14/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

in response to a request for launching a program;

identifying a library that the program utilizes when executed;

determining a list of resources of the library to be accessed by the program during execution of the program;

calling a predetermined function of the library that provides access to the resources, the call including a parameter specifying one or more resource entitlements of the program, the predetermined function returning a set of rules for accessing resources associated with the library based on the one or more resource entitlements specified in the parameter; and

dynamically generating a security profile for the program based on the set of rules returned from the library, wherein the security profile is used to permit the program to access a resource of the library for which a rule in the set of rules permits access, and the security profile restricts the program from accessing a library resource for which a rule in the set of rules restricts access or no rule in the set of rules permits access during execution of the program.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In response to a request for launching a program, a list of one or more application frameworks to be accessed by the program during execution of the program is determined. Zero or more entitlements representing one or more resources entitled by the program during the execution are determined. A set of one or more rules based on the entitlements of the program is obtained from at least one of the application frameworks. The set of one or more rules specifies one or more constraints of resources associated with the at least one application framework. A security profile is dynamically compiled for the program based on the set of one or more rules associated with the at least one application framework. The compiled security profile is used to restrict the program from accessing at least one resource of the at least one application frameworks during the execution of the program.

46 Citations

View as Search Results

21 Claims

1. A computer-implemented method, comprising:
- in response to a request for launching a program;
  
  identifying a library that the program utilizes when executed;
  
  determining a list of resources of the library to be accessed by the program during execution of the program;
  
  calling a predetermined function of the library that provides access to the resources, the call including a parameter specifying one or more resource entitlements of the program, the predetermined function returning a set of rules for accessing resources associated with the library based on the one or more resource entitlements specified in the parameter; and
  
  dynamically generating a security profile for the program based on the set of rules returned from the library, wherein the security profile is used to permit the program to access a resource of the library for which a rule in the set of rules permits access, and the security profile restricts the program from accessing a library resource for which a rule in the set of rules restricts access or no rule in the set of rules permits access during execution of the program.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising communicating with a trusted source via a security application programming interface (API) to obtain the one or more resource entitlements of the program, wherein the trusted source is associated with an authority that authorizes the program to be deployed.
  - 3. The method of claim 1, further comprising determining the one or more resource entitlements of the program based on metadata of the program.
  - 4. The method of claim 1, wherein the resources to be accessed by the program are provided by a plurality of libraries.
  - 5. The method of claim 4, further comprising calling a respective application programming interface (API) of each of the libraries to retrieve a respective set of one or more rules based on the resource entitlements of the program, wherein the security profile is generated based on a plurality of sets of rules associated with the plurality of libraries.
  - 6. The method of claim 1, wherein the one or more entitlements of the program are specified using user understandable language.
  - 7. The method of claim 6, wherein the set of rules is specified in a format that is compatible with the library.

8. A non-transitory machine-readable medium having instructions stored therein, which when executed by a processor, cause the processor to perform a method, the method comprising:
- in response to a request for launching a program;
  
  identifying a library that the program utilizes when executed;
  
  determining a list of resources of the library to be accessed by the program during execution of the program;
  
  calling a predetermined function of the library that provides access to the resources, the call including a parameter specifying one or more resource entitlements of the program, the predetermined function returning a set of rules for accessing resources associated with the library based on the one or more resource entitlements specified in the parameter; and
  
  dynamically generating a security profile for the program based on the set of rules returned from the library, wherein the security profile is used to permit the program to access a resource of the library for which a rule in the set of rules permits access, and the security profile restricts the program from accessing a library resource for which a rule in the set of rules restricts access or no rule in the set of rules permits access during execution of the program.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The non-transitory machine-readable medium of claim 8, wherein the method further comprises communicating with a trusted source via a security application programming interface (API) to obtain the one or more resource entitlements of the program, wherein the trusted source is associated with an authority that authorizes the program to be deployed.
  - 10. The non-transitory machine-readable medium of claim 8, wherein the method further comprises determining the one or more resource entitlements of the program based on metadata of the program.
  - 11. The non-transitory machine-readable medium of claim 8, wherein the resources to be accessed by the program are provided by a plurality of libraries.
  - 12. The non-transitory machine-readable medium of claim 11, wherein the method further comprises calling a respective application programming interface (API) of each of the libraries to retrieve a respective set of one or more rules based on the resource entitlements of the program, wherein the security profile is generated based on a plurality of sets of rules associated with the plurality of libraries.
  - 13. The non-transitory machine-readable medium of claim 8, wherein the one or more entitlements of the program are specified using user understandable language.
  - 14. The non-transitory machine-readable medium of claim 13, wherein the set of rules is specified in a format that is compatible with the library.

15. A data processing system, comprising:
- an access control module executed by a processor, in response to a request for launching a program, to;
  
  identify a library that the program utilizes when executed;
  
  determine a list of resources of the library to be accessed by the program during execution of the program; and
  
  call a predetermined function of the library that provides access to the resources, the call including a parameter specifying one or more resource entitlements of the program, the predetermined function to return a set of rules for accessing resources associated with the library based on the one or more resource entitlements; and
  
  a profile compiler, executed by the processor, to dynamically generate a security profile for the program based on the set of rules returned from the library, wherein the security profile is used to permit a program to access a resource of the library for which a rule in the set of rules permits access, and the security profile restricts the program from accessing a library resource for which a rule in the set of rules restricts access or no rule in the set of rules permits access during execution of the program.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The system of claim 15, wherein the access control module is configured to communicate with a trusted source via a security application programming interface (API) to obtain the one or more resource entitlements of the program, wherein the trusted source is associated with an authority that authorizes the program to be deployed.
  - 17. The system of claim 15, wherein the access control module is configured to determine the one or more resource entitlements of the program based on metadata of the program.
  - 18. The system of claim 15, wherein the resources to be accessed by the program are provided by a plurality of libraries.
  - 19. The system of claim 18, wherein the access control module is configured to call a respective application programming interface (API) of each of the libraries to retrieve a respective set of one or more rules based on the resource entitlements of the program, wherein the security profile is generated based on a plurality of sets of rules associated with the plurality of libraries.
  - 20. The system of claim 15, wherein the one or more entitlements of the program are specified using user understandable language.
  - 21. The system of claim 20, wherein the set of rules is specified in a format that is compatible with the library.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
Krsti, Ivan, Jennings, Austin G., Hagy, Richard L.
Primary Examiner(s)
An, Meng
Assistant Examiner(s)
TEETS, BRADLEY A

Application Number

US13/922,188
Publication Number

US 20130283344A1
Time in Patent Office

993 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/1064   Restricting content process...

G06F 21/51   at application loading time...

G06F 21/53   by executing in a restricte...

G06F 21/6281   at program execution time, ...

G06F 21/629   to features or functions of...

G06F 2221/033   Test or assess software

Methods for restricting resources used by a program based on entitlements

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

46 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

Methods for restricting resources used by a program based on entitlements

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

46 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others