Pervasive package identifiers

US 9,679,130 B2
Filed: 03/05/2015
Issued: 06/13/2017
Est. Priority Date: 09/09/2011
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a memory; and

one or more processors;

at least one of the one or more processors is configured to perform actions including;

obtaining, at a computing device for an application installed on the computing device from a package, a package identifier for the package, the package identifier including an identifier of an architecture of devices on which the application is designed to operate, the application having been installed only if a publisher of the package included in the package identifier was verified as being the same as the publisher included in a digital certificate associated with the package;

maintaining the package identifier in a protected manner such that the package identifier is accessible to an operating system of the computing device but not accessible to other applications of the computing device;

assigning the package identifier to each of one or more processes created for the application, wherein each process created for the application includes a process token generated by the operating system of the computing device, the process incapable of modifying the process token; and

determining, based at least in part on the package identifier, for each of the one or more processes whether the process is permitted to access a resource of the computing device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A package identifier for a package from which an application is installed on a computing device is obtained. The package identifier is assigned to each of one or more processes created for running the application and, for each of the one or more processes, whether the process is permitted to access a resource of the computing device is determined based at least in part on the package identifier.

165 Citations

31 Claims

1. A system comprising:
- a memory; and
  
  one or more processors;
  
  at least one of the one or more processors is configured to perform actions including;
  
  obtaining, at a computing device for an application installed on the computing device from a package, a package identifier for the package, the package identifier including an identifier of an architecture of devices on which the application is designed to operate, the application having been installed only if a publisher of the package included in the package identifier was verified as being the same as the publisher included in a digital certificate associated with the package;
  
  maintaining the package identifier in a protected manner such that the package identifier is accessible to an operating system of the computing device but not accessible to other applications of the computing device;
  
  assigning the package identifier to each of one or more processes created for the application, wherein each process created for the application includes a process token generated by the operating system of the computing device, the process incapable of modifying the process token; and
  
  determining, based at least in part on the package identifier, for each of the one or more processes whether the process is permitted to access a resource of the computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, the package identifier further including a name of the package and a name of the publisher of the package.
  - 3. The system of claim 2, the package identifier further including an indication of a version of the package and a value identifying a resource type of the package.
  - 4. The system of claim 1, the package including one or more components or modules of one or more applications.
  - 5. The system of claim 1, the assigning comprising generating a security identifier based on the package identifier or family identifier of the package, and adding the security identifier to the process token of each of the one or more processes.
  - 6. The system of claim 5, the determining comprising allowing, for each of the one or more processes, the process to access a folder of a storage device of the computing device only if an access control list associated with the folder indicates the security identifier of the process is permitted to access the folder.
  - 7. The system of claim 5, the determining further comprising allowing, for each of the one or more processes, the process to access an additional process in the computing device only if the security identifier of the process and the security identifier of the additional process are the same.
  - 8. The system of claim 5, the determining further comprising preventing the process to access other processes if the security identifier of the process and the security identifier of the additional process are not the same, the preventing comprising refusing to pass a call to the additional process or notifying another module that the process is not permitted to access the additional process.
  - 9. The system of claim 5, the generating the security identifier comprising inputting one or more elements of the package identifier to a hash function to generate a hash value, and using the hash value as the security identifier.
  - 10. The system of claim 1, the obtaining a package identifier for the package comprising obtaining the package identifier for the package from a manifest associated with the package.
  - 11. The system of claim 1, further comprising, in response to loading of a library being requested:
    - loading the library if the library is identified in a manifest of the package or in a manifest of a dependency package of the package; and
      
      otherwise not loading the library.

12. A system comprising:
- a memory; and
  
  one or more processors;
  
  at least one of the one or more processors configured to perform operations including;
  
  obtaining, at a computing device as part of installing one or more applications from a package on the computing device, a package identifier from the package;
  
  maintaining the package identifier in a protected manner such that the package identifier is accessible to an operating system of the computing device but not to other applications of the device;
  
  adding capabilities of one or more components included in the package to an access control list of a resource to create a capability security identifier;
  
  adding a package identifier security identifier to the access control list associated with the stored capabilities for the package;
  
  using the package identifier security identifier to gain access to the capability security identifier; and
  
  using the capability security identifier to access the resource.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The system of claim 12, the package identifier being obtained from a manifest associated with the package.
  - 14. The system of claim 12, further comprising using a subset of elements of the package identifier to be a family identifier of the package, the subset of elements including a name of the package and a name of the publisher of the package.
  - 15. The system of claim 12, the package including one or more components or modules of one or more applications.
  - 16. The system of claim 12, wherein the one or more processors are further configured to add the capability security identifier to the access control list prior to the package identifier for the package being obtained.
  - 17. The system of claim 12, wherein the one or more processors are further configured to cause the one or more processors to allow, for each of the one or more processes, the process to access a folder of a storage device of the computing device only if an access control list associated with the folder indicates the security identifier of the process is permitted to access the folder.
  - 18. The system of claim 12, wherein the one or more processors are further configured to allow, for each of the one or more processes, the process to access an additional process in the computing device only if the security identifier of the process and the security identifier of the additional process are the same.

19. A computing device comprising:
- a memory; and
  
  one or more processors;
  
  at least one of the one or more processors configured to perform actions including;
  
  obtaining, at the computing device as part of installing one or more applications from a package on the computing device, a package identifier from the package, the package identifier including a name of the package, a name of a publisher of the package, an identifier of an architecture of devices on which the application is designed to operate, an indication of a version of the package, and a value identifying a resource type of the package, the one or more applications being installed only if the publisher of the package included in the package identifier is verified to be the same as the publisher included in a digital certificate associated with the package;
  
  maintaining the package identifier in a protected manner such that the package identifier is accessible to an operating system of the computing device but not to other applications of the computing device;
  
  using a subset of elements of the package identifier to be a family identifier of the package, the subset of elements including the name of the package and the name of the publisher of the package;
  
  assigning the family identifier to each of one or more processes created for running the one or more applications by generating a security identifier based on the family identifier and adding the security identifier to a process token of each of the one or more processes; and
  
  responsive to the one or more processes spawning one or more other processes, causing the one or more other processes to inherit the same process token.

20. A mobile device, comprising:
- a memory; and
  
  one or more processors;
  
  at least one of the one or more processors configured to perform actions including;
  
  obtaining, at the mobile device as part of installing one or more applications from a package on the mobile device, a package identifier from the package, the package identifier including a name of the package, a name of a publisher of the package, an identifier of an architecture of devices on which the application is designed to operate, an indication of a version of the package, and a value identifying a resource type of the package, the one or more applications being installed only if the publisher of the package included in the package identifier is verified to be the same as the publisher included in a digital certificate associated with the package;
  
  maintaining the package identifier in a protected manner such that the package identifier is accessible to an operating system of the mobile device but not to other applications of the mobile device;
  
  using a subset of elements of the package identifier to be a family identifier of the package, the subset of elements including the name of the package and the name of the publisher of the package;
  
  assigning the family identifier to each of one or more processes created for running the one or more applications by generating a security identifier based on the family identifier and adding the security identifier to a process token of each of the one or more processes; and
  
  responsive to the one or more processes spawning one or more other processes, causing the one or more other processes to inherit the same process token.

21. A mobile device, comprising:
- a memory; and
  
  at least one processor;
  
  the at least one processor is configured to perform actions including;
  
  obtaining, at the mobile device for an application installed on the mobile device from a package, a package identifier for the package, the package identifier including an identifier of an architecture of devices on which the application is designed to operate, the application having been installed only if a publisher of the package included in the package identifier was verified as being the same as the publisher included in a digital certificate associated with the package;
  
  maintaining the package identifier in a protected manner such that the package identifier is accessible to an operating system of the mobile device but not accessible to other applications of the mobile device;
  
  assigning the package identifier to each of one or more processes created for the application, wherein each process created for the application includes a process token generated by the operating system of the mobile device, the process incapable of modifying the process token; and
  
  determining, based at least in part on the package identifier, for each of the one or more processes whether the process is permitted to access a resource of the mobile device.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 22. The mobile device of claim 21, the package identifier further including a name of the package and a name of the publisher of the package.
  - 23. The mobile device of claim 21, the package identifier further including an indication of a version of the package and a value identifying a resource type of the package.
  - 24. The mobile device of claim 21, the package including one or more components or modules of one or more applications.
  - 25. The mobile device of claim 21, the assigning comprising generating a security identifier based on the package identifier or family identifier of the package, and adding the security identifier to the process token of each of the one or more processes.
  - 26. The mobile device of claim 25, the determining comprising allowing, for each of the one or more processes, the process to access a folder of a storage device of the mobile device only if an access control list associated with the folder indicates the security identifier of the process is permitted to access the folder.
  - 27. The mobile device of claim 25, the determining further comprising allowing, for each of the one or more processes, the process to access an additional process in the mobile device only if the security identifier of the process and the security identifier of the additional process are the same.
  - 28. The mobile device of claim 25, the determining further comprising preventing the process to access other processes if the security identifier of the process and the security identifier of the additional process are not the same, the preventing comprising refusing to pass a call to the additional process or notifying another module that the process is not permitted to access the additional process.
  - 29. The mobile device of claim 25, the generating the security identifier comprising inputting one or more elements of the package identifier to a hash function to generate a hash value, and using the hash value as the security identifier.
  - 30. The mobile device of claim 21, the obtaining a package identifier for the package comprising obtaining the package identifier for the package from a manifest associated with the package.
  - 31. The mobile device of claim 21, further comprising, in response to loading of a library being requested:
    - loading the library if the library is identified in a manifest of the package or in a manifest of a dependency package of the package; and
      
      otherwise not loading the library.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Sheehan, John M., Iskin, Sermet, Graham, Scott B., Kapustein, Howard S., Holman, Jerome Thomas
Primary Examiner(s)
Korsak, Oleg

Application Number

US14/639,615
Publication Number

US 20150178495A1
Time in Patent Office

831 Days
Field of Search
US Class Current
CPC Class Codes

G06F 17/00   Digital computing or data p...

G06F 21/121   Restricting unauthorised ex...

G06F 21/44   Program or device authentic...

G06F 21/52   during program execution, e...

G06F 21/6281   at program execution time, ...

G06F 2221/033   Test or assess software

G06F 9/468   Specific access rights for ...

Pervasive package identifiers

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

165 Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Pervasive package identifiers

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

165 Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links