Systems and methods for enforcing security in mobile computing
Abstract
Methods and systems described herein relate to enhancing security on a device by configuring one or more software functions in a trusted zone of a processor using object firewalls, IPC mechanisms, and/or a policy engine.
22 Claims
1. A method of filtering access to a resource in a device, the method comprising:
- using a computer processor, controlling access to the resource from an application based upon a policy, comprising:
  - providing the policy to an object firewall;
  - translating the policy into one or more settings for the object firewall;
  - filtering, via the object firewall in the device, inter-process communications access to a first object from a second object associated with the application, wherein the first object provides access to the resource through one or more inter-process control paths, wherein the object firewall is configured via the policy to govern interprocess communications to the first object, wherein the object firewall is the only object firewall for the first object, and wherein the object firewall is not an object firewall for any object other than the first object; and
- wherein controlling access to the resource comprises at least one of permitting and blocking access to the resource in response to the policy, wherein at least one of permitting and blocking access to the resource further comprises at least one of permitting the inter-process communications without modification, permitting the inter-process communications with modified contents of the inter-process communications, permitting the inter-process communications with a modified return value of data sent from a resource in response to the inter-process communications, blocking the inter-process communications, logging the inter-process communications, ignoring the inter-process communications, modifying one or more firewall rules, adding one or more firewall policies, and removing one or more firewall policies.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
12. A system of enforcing distributed policies in a mobile network, comprising:
- at least one hardware processor adapted to provide an inter-process communications firewall on a device to enforce one or more rules governing communication between a first system and a second system that communicate via the device, wherein the inter-process communications firewall is an object firewall, wherein an object on the first system provides access to a resource allowing communication with the second system, wherein the inter-process communications firewall is the only object firewall for the object and wherein the inter-process communications firewall is not an object firewall for any other object;
- said at least one hardware processor adapted to generate, via a policy engine associated with the inter-process communications firewall, an indicator of a context of the first system;
- said at least one hardware processor adapted to receive an inter-process communication call from the first system intended for communication to the second system;
- said at least one hardware processor adapted to pass the inter-process communications call to the policy engine, wherein passing the inter-process communications call comprises passing the indicator of the context of the first system to the policy engine via inter-process communications;
- said at least one hardware processor adapted to execute the policy engine to determine whether the inter-process communication is permitted by the inter-process communications firewall based on a policy and the context of at least one of the systems; and
- said at least one hardware processor adapted to at least one of permit and block the interprocess communication call in response to the determination, wherein at least one of permitting and blocking the inter-process communication call in response to the determination further comprises at least one of permitting the inter-process communication call without modification, permitting the inter-process communication call with modified contents of the inter-process communication call, permitting the inter-process communication call with a modified return value of data sent from a resource in response to the inter-process communication call, blocking the inter-process communication call, logging the inter-process communication call, ignoring the inter-process communication call, modifying one or more firewall rules, adding one or more firewall policies, and removing one or more firewall policies.

Dependent claims: 13, 14, 15, 16
17. A method of securing a mobile device from malware, comprising:
- using a computer processor, passing a remote procedure call intended for a second application from a first application to an inter-process control data bus;
- requesting, from a policy engine by the inter-process control data bus, a policy validation for the remote procedure call, wherein the policy validation is performed by an object firewall, wherein the object firewall is the only object firewall for an object of the second application, wherein each object of a plurality of objects of the second application has an independent object firewall, and wherein the object firewall is set based on a policy;
- determining by the policy engine whether to approve the remote procedure call based on a context of the remote procedure call and a stored policy;
- communicating the determination from the policy engine back to the inter-process control data bus; and
- at least one of permitting and blocking the remote procedure call by the interprocess control data bus in response to the determination, wherein at least one of permitting and blocking the remote procedure call by the inter-process control data bus in response to the determination further comprises at least one of permitting the remote procedure call without modification, permitting the remote procedure call with modified contents of the remote procedure call, permitting the remote procedure call with a modified return value of data sent from a resource in response to the remote procedure call, blocking the remote procedure call, logging the remote procedure call, ignoring the remote procedure call, modifying one or more firewall rules, adding one or more firewall policies, and removing one or more firewall policies.

Dependent claims: 18, 19, 20, 21, 22
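The call flow recited in claims 1 and 17 (a bus receives a call, the target object's own firewall evaluates the policy and the call context, and the bus then permits, rewrites, or blocks the call), sketched as an added Python example. It is not code from the patent; the class names, the policy format, and the sample objects are all assumptions made for illustration.

```python
"""Illustrative model of a per-object IPC firewall (constructed example)."""

# Constructed policy: first matching rule wins; no match means block.
POLICY = [
    {"object": "location", "caller": "maps", "method": "get", "action": "permit"},
    {"object": "location", "caller": "*", "method": "get",
     "when": {"network": "corporate"}, "action": "block"},
    {"object": "location", "caller": "*", "method": "get",
     "action": "modify_call", "set": {"precision": "coarse"}},
    {"object": "contacts", "caller": "*", "method": "list",
     "action": "modify_return", "value": []},
]

class ObjectFirewall:
    """Guards exactly one object; its settings are derived from the policy."""
    def __init__(self, target, policy):
        self.target = target
        self.rules = [r for r in policy if r["object"] == target]  # policy -> settings
        self.log = []

    def decide(self, caller, method, context):
        for r in self.rules:
            if (r["caller"] in (caller, "*") and r["method"] == method and
                    all(context.get(k) == v for k, v in r.get("when", {}).items())):
                break
        else:
            r = {"action": "block"}  # default deny when no rule matches
        self.log.append((caller, method, r["action"]))  # every decision is logged
        return r

class IpcBus:
    """Routes calls between objects, asking the target's own firewall first."""
    def __init__(self, objects, policy):
        self.objects = objects  # name -> {method name: callable}
        self.firewalls = {n: ObjectFirewall(n, policy) for n in objects}

    def call(self, caller, target, method, args, context):
        rule = self.firewalls[target].decide(caller, method, context)
        if rule["action"] == "block":
            raise PermissionError(f"{caller} -> {target}.{method} blocked by policy")
        if rule["action"] == "modify_call":
            args = {**args, **rule["set"]}  # rewrite the call's contents
        result = self.objects[target][method](**args)
        return rule["value"] if rule["action"] == "modify_return" else result

# Constructed target objects standing in for system services.
OBJECTS = {
    "location": {"get": lambda precision: f"{precision} fix"},
    "contacts": {"list": lambda: ["alice", "bob"]},
}
bus = IpcBus(OBJECTS, POLICY)
```

Each object gets its own `ObjectFirewall` instance, and a call that matches no rule is blocked and still logged, so the log shows denied attempts as well as permitted ones.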
Specification