File system access for one or more sandboxed applications

US 9,342,689 B2
Filed: 01/26/2015
Issued: 05/17/2016
Est. Priority Date: 05/28/2010
Status: Active Grant

First Claim

Patent Images

1. A non-transitory machine-readable medium storing instructions which, when executed by one or more processors, cause the one or more processors to perform operations comprising:

receiving a selection of a resource managed by a restricted operating environment;

requesting from a resource manager of the restricted operating environment, in response to the selection, a location identifier associated with the resource;

receiving, in response to the request, a bookmark and a digest, wherein the digest is a cryptographically derived version of the bookmark and the bookmark is to enable retrieval of the resource on a storage device; and

storing the bookmark and the digest in the restricted operating environment to indicate trust of the resource.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and machine-readable storage medium are described wherein identifiers are used to allow access to files or folders in a restricted operating environment. One embodiment provides a process comprising receiving a selection of a resource managed by a restricted operating environment; requesting from a resource manager of the restricted operating environment, in response to the selection, a location identifier associated with the resource; receiving, in response to the request, a bookmark and a digest, wherein the digest is a cryptographically derived version of the bookmark and the bookmark is to enable retrieval of the resource on a storage device; and storing the bookmark and the digest in the restricted operating environment to indicate trust of the resource.

26 Citations

20 Claims

1. A non-transitory machine-readable medium storing instructions which, when executed by one or more processors, cause the one or more processors to perform operations comprising:
- receiving a selection of a resource managed by a restricted operating environment;
  
  requesting from a resource manager of the restricted operating environment, in response to the selection, a location identifier associated with the resource;
  
  receiving, in response to the request, a bookmark and a digest, wherein the digest is a cryptographically derived version of the bookmark and the bookmark is to enable retrieval of the resource on a storage device; and
  
  storing the bookmark and the digest in the restricted operating environment to indicate trust of the resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The medium as in claim 1, wherein the bookmark includes a uniform resource locator (URL) and the digest includes a keyed hash of the URL.
  - 3. The medium as in claim 2, wherein the resource includes at least a portion of a file, folder, or memory.
  - 4. The medium as in claim 3, further comprising instructions to perform operations including:
    - creating a combination key using a signed key of a requesting application and a secret key unknown to the application; and
      
      hashing the URL using the combination key to create the keyed hash of the URL.
  - 5. The non-transitory machine-readable medium as in claim 4, further comprising instructions to perform operations including:
    - sending an access request to the resource manager to access to the resource, the access request including the bookmark, the digest, and a specifier for a requesting application; and
      
      receiving access to the resource when the requesting application is entitled to access.
  - 6. The non-transitory machine-readable medium as in claim 5, further comprising instructions to perform operations including:
    - authenticating the access request to the resource manager by creating a second keyed hash and comparing the second keyed hash with the digest.
  - 7. The non-transitory machine-readable medium of claim 5, further comprising instructions to perform operations including retrieving a resource via the resource manager after the resource is renamed or moved on the storage device.
  - 8. The non-transitory machine-readable medium as in claim 5, further comprising retrieving a resource via the resource manager after the requesting application is terminated and re-launched.
  - 9. The non-transitory machine-readable medium as in claim 8, wherein the resource manager is a trusted access control system and a cryptographically authenticated component of a computer operating system.

10. A system to provide a restricted operating environment for managing access to a resource on a computing device, the system comprising:
- memory to store instructions and resources;
  
  a storage device coupled to the memory; and
  
  one or more processors coupled to the memory and the storage device, the one or more processors to;
  
  execute instructions stored in the memory to create the restricted operating environment for managing access to the resource by an application, wherein the resource is outside of the restricted operating environment and the restricted operating environment couples with a resource manager, the resource manager to receive a request from the application for a location identifier to access the resource, the request associated with an interaction that indicates trustworthiness of the resource;
  
  generate a location identifier to indicate trust of the resource, the location identifier including a bookmark and a digest; and
  
  transmit the location identifier to the application, the location identifier to enable the application to retrieve the resource.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The system as in claim 10, wherein the resource manager is a trusted access control system and a cryptographically authenticated component of a computer operating system of the computing device.
  - 12. The system as in claim 10, wherein the resource includes at least a portion of a file, folder, or memory of the computing device.
  - 13. The system as in claim 10, wherein the bookmark includes a uniform resource locator (URL) and the digest includes a keyed hash of the URL.
  - 14. The system as in claim 13, wherein the one or more processors are further to generate the keyed hash of the URL using a combination key including a signed key of the application and a secret key, the secret key unknown to the application.
  - 15. The system as in claim 14, wherein the one or more processors are further to authenticate the keyed hash of the URL using the combination key.
  - 16. The system as in claim 15, wherein the one or more processors are further to store the secret key in a location associated with the resource and the location associated with the resource is inaccessible to the application.

17. A computing device comprising:
- memory to store instructions; and
  
  one or more processors to execute instructions to provide a restricted operating environment for managing access to a resource stored outside of the restricted operating environment, the instructions to cause the one or more processors to perform operations to;
  
  receive a first request to provide a location identifier associated with the resource, the resource representing a collection of one or more selected files or folders;
  
  verify that the first request is entitled to access the resource;
  
  create a randomized secret key and attach the secret key to the resource;
  
  create a first keyed hash of a uniform resource locator (URL) of the resource using the secret key; and
  
  return the location identifier associated with the resource, the location identifier including the URL and the first keyed hash, the location identifier to indicate trust of the resource and to provide persistent access to the collection represented by the resource.
- View Dependent Claims (18, 19, 20)
- - 18. The computing device of claim 17, wherein the one or more processors to perform additional operations to:
    - receive a second request to access the resource, the second request including the location identifier, wherein the location identifier includes a uniform resource locator (URL) and the first keyed hash;
      
      receive the secret key from the resource;
      
      create a second keyed hash via the secret key;
      
      authenticate the first keyed hash via the second keyed hash; and
      
      provide access to the resource and the collection when the first keyed hash is authentic.
  - 19. The computing device of claim 17, wherein the location identifier is application specific.
  - 20. The computing device of claim 17 wherein the location identifier is to further to provide consistent access to the collection across application sessions and system power cycles.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
strand, Love Hrnquist, Krsti, Ivan
Primary Examiner(s)
Zecher, Dede
Assistant Examiner(s)
DOAN, TRANG T

Application Number

US14/605,085
Publication Number

US 20150199510A1
Time in Patent Office

477 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 16/122   using management policies b...

G06F 16/9566   URL specific, e.g. using al...

G06F 21/53   by executing in a restricte...

G06F 2221/034   Test or assess a computer o...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

File system access for one or more sandboxed applications

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

26 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

File system access for one or more sandboxed applications

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others