Defenses against use of tainted cache

US 9,471,533 B1
Filed: 03/06/2013
Issued: 10/18/2016
Est. Priority Date: 03/06/2013
Status: Active Grant

First Claim

Patent Images

1. A method of using a browser cache when accessing a first server node by way of at least two different networks, the method comprising:

storing, in a cache accessible by a browser, an object received in connection with content received from a website, the object received via a first network;

generating data associated with the object, the data being indicative of attributes of the first network;

maintaining the data indicative of the attributes of the first network associated with the object;

determining that the data indicative of attributes of the first network meets at least one condition for using the object to interact with content via a second network; and

using the object to interact with content accessed over the second network based at least in part on the determination.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and computer readable media are described for validating objects stored in a web cache. In one embodiment, a computing device caches objects received while accessing networked content over a network. The computing device generates a description of conditions associated with the caching of the objects. When the computing device accesses networked content via a second network, the computing device or a remote server connected thereto utilizes the description to determine whether an object in the cache is trusted or untrusted. The server manages a policy that defines rules for making the determination. The policy can be generated based on descriptions received from a plurality of devices.

Citations

28 Claims

1. A method of using a browser cache when accessing a first server node by way of at least two different networks, the method comprising:
- storing, in a cache accessible by a browser, an object received in connection with content received from a website, the object received via a first network;
  
  generating data associated with the object, the data being indicative of attributes of the first network;
  
  maintaining the data indicative of the attributes of the first network associated with the object;
  
  determining that the data indicative of attributes of the first network meets at least one condition for using the object to interact with content via a second network; and
  
  using the object to interact with content accessed over the second network based at least in part on the determination.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1 further comprising:
    - determining that the object is untrusted when the data indicative of the attributes of the first network fails to meet the at least one condition.
  - 3. The method of claim 1, wherein the data indicative of the attributes of the first network comprises metadata, wherein the metadata indicates that the object was received via the first network.
  - 4. The method of claim 3, wherein the metadata comprises at least one of an identifier of the first network, a security level associated with the first network, an authentication method for connecting to the first network, geographical information associated with the first network, a time when the website was accessed via the first network, an address of the website, a certificate presented by the web site, an address of a gateway used in accessing the web site, trace route information associated with accessing the website, latency information associated with accessing the website, or information associated with an author of the object.

5. A non-transitory computer-readable storage medium bearing instructions for using cached objects that, upon execution on a computing node, cause the computing node to at least:
- cache data associated with a first network;
  
  associate with the cached data information related to the first network; and
  
  determine whether the cached data can be used over a second network, the determination being based at least in part on the associated information and a policy for using cached data over the second network.
- View Dependent Claims (6, 7, 8, 9, 10, 11)
- - 6. The non-transitory computer-readable storage medium of claim 5, wherein the cached data is used by a browser operating on the computing node in connection with the second network.
  - 7. The non-transitory computer-readable storage medium of claim 5 further comprising instructions that, upon execution on the computing node, cause the computing node to invalidate the cached data for use in connection to a network-based resource when accessed from the second network.
  - 8. The non-transitory computer-readable storage medium of claim 5, wherein the cached data comprises a library for interacting with a network-based resource, and wherein the instructions to determine whether the cached data can be used over the second network comprise instructions to:
    - determine that the library is trusted based at least in part on a comparison between the associated information and the policy; and
      
      execute the library when interacting with the network-based resource over the second network.
  - 9. The non-transitory computer-readable storage medium of claim 5, wherein the associated information comprises a description of the first network and an address where the cached data was obtained from.
  - 10. The non-transitory computer-readable storage medium of claim 9, wherein the description of the first network comprises a service set identifier of the first network.
  - 11. The non-transitory computer-readable storage medium of claim 9, wherein the address comprises a uniform resource locator of a web site from where the cached data was obtained.

12. A computing device for using a cache, the computing device comprising:
- a memory bearing instructions that, upon execution on the computing device, cause the computing device to at least;
  
  connect to a network-based resource over a first network;
  
  download at least one object associated with accessing network-based content from the network-based resource;
  
  associate information related to the at least one object with information related to the first network; and
  
  determine whether to reuse the at least one object when accessing network-based content over a second network, the determining being based at least in part on the associated information and a requirement related to the second network.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 13. The computing device of claim 12, wherein the first network is determined to be an insecure network, and wherein the second network is determined to be a secure network.
  - 14. The computing device of claim 13, wherein the first network is determined to be an insecure network when the first network is a public network, and wherein the second network is determined to be a secure network when the second network is a private network.
  - 15. The computing device of claim 13, wherein the second network is accessed via a virtual private network.
  - 16. The computing device of claim 12, wherein the object is a library.
  - 17. The computing device of claim 12, wherein the associated information comprises metadata, wherein the metadata comprises a description of a connection to the network-based resource via the first network, and wherein the description comprises a context associated with the connection.
  - 18. The computing device of claim 17, wherein the metadata is stored in a web cache.
  - 19. The computing device of claim 17, wherein the context comprises information associated with the first network, and wherein the information comprises an identifier of the first network.
  - 20. The computing device of claim 17, wherein the context comprises information associated with the network-based resource, and wherein the information comprises an address of the network-based resource.
  - 21. The computing device of claim 17, wherein the context comprises any of a security level associated with the first network, an authentication method for connecting to the first network, geographical information associated with the first network, a time when the network-based resource was accessed via the first network, an address of the network-based resource, a certificate presented by the network-based resource, an address of a gateway used in accessing the network-based resource, trace route information associated with accessing the network-based resource, or latency information associated with accessing the network-based resource.

22. A computing node comprising:
- a memory bearing instructions that, upon execution on the computing node, cause the computing node to at least;
  
  receive, from a client device, information associated with an object in a cache of the client device, the information being indicative of a network over which the object was obtained;
  
  determine whether the object is authorized to be used to access network-based content based at least in part on the information indicative of the network over which the object was obtained; and
  
  provide a response based at least in part on the determination to the client device.
- View Dependent Claims (23, 24, 25, 26, 27, 28)
- - 23. The computing node of claim 22, wherein the cache is a cache for a browser or an application.
  - 24. The computing node of claim 22, wherein the information includes a hash of the object.
  - 25. The computing node of claim 22, wherein the information identifies a network that was used by the client device to obtain the object.
  - 26. The computing node of claim 22, wherein in response to determining that the object is not authorized to be used to access the network-based content providing a response to invalidate the object to the client device.
  - 27. The computing node of claim 22, wherein in response to determining that the object is authorized to be used to access the network-based content providing a response authorizing the client device to use the object to access the network-based content.
  - 28. The computing node of claim 22, wherein the information associated with the object comprises annotations added by a user of the client device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory Branchek, Brown, Nicholas Howard
Primary Examiner(s)
Donaghue, Larry

Application Number

US13/787,568
Time in Patent Office

1,322 Days
Field of Search

709/213
US Class Current

1/1
CPC Class Codes

G06F 15/167   using a common memory, e.g....

G06F 16/9574   of access to content, e.g. ...

H04L 2463/145   Detection or countermeasure...

H04L 63/10   for controlling access to d...

H04L 63/145   the attack involving the pr...

H04L 63/168   above the transport layer

H04L 67/568   Storing data temporarily at...

H04L 67/5682   Policies or rules for updat...

H04L 69/14   Multichannel or multilink p...

Defenses against use of tainted cache

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Defenses against use of tainted cache

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links