Systems and methods for enforcing security in mobile computing

US 9,712,530 B2
Filed: 01/07/2013
Issued: 07/18/2017
Est. Priority Date: 01/06/2012
Status: Active Grant

First Claim

Patent Images

1. A method of filtering access to a resource in a device, the method comprising:

using a computer processor, controlling access to the resource from an application based upon a policy, comprising;

providing the policy to an object firewall;

translating the policy into one or more settings for the object firewall;

filtering, via the object firewall in the device, inter-process communications access to a first object from a second object associated with the application, wherein the first object provides access to the resource through one or more inter-process control paths, wherein the object firewall is configured via the policy to govern interprocess communications to the first object, wherein the object firewall is the only object firewall for the first object, and wherein the object firewall is not an object firewall for any object other than the first object; and

wherein controlling access to the resource comprises at least one of permitting and blocking access to the resource in response to the policy, wherein at least one of permitting and blocking access to the resource further comprises at least one of permitting the inter-process communications without modification, permitting the inter-process communications with modified contents of the inter-process communications, permitting the inter-process communications with a modified return value of data sent from a resource in response to the inter-process communications, blocking the inter-process communications, logging the inter-process communications, ignoring the inter-process communications, modifying one or more firewall rules, adding one or more firewall policies, and removing one or more firewall policies.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems described herein relate to enhancing security on a device by configuring one or more software functions in a trusted zone of a processor using object firewalls, IPC mechanisms, and/or a policy engine.

121 Citations

22 Claims

1. A method of filtering access to a resource in a device, the method comprising:
- using a computer processor, controlling access to the resource from an application based upon a policy, comprising;
  
  providing the policy to an object firewall;
  
  translating the policy into one or more settings for the object firewall;
  
  filtering, via the object firewall in the device, inter-process communications access to a first object from a second object associated with the application, wherein the first object provides access to the resource through one or more inter-process control paths, wherein the object firewall is configured via the policy to govern interprocess communications to the first object, wherein the object firewall is the only object firewall for the first object, and wherein the object firewall is not an object firewall for any object other than the first object; and
  
  wherein controlling access to the resource comprises at least one of permitting and blocking access to the resource in response to the policy, wherein at least one of permitting and blocking access to the resource further comprises at least one of permitting the inter-process communications without modification, permitting the inter-process communications with modified contents of the inter-process communications, permitting the inter-process communications with a modified return value of data sent from a resource in response to the inter-process communications, blocking the inter-process communications, logging the inter-process communications, ignoring the inter-process communications, modifying one or more firewall rules, adding one or more firewall policies, and removing one or more firewall policies.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising, using the computer processor, generating a device-based context based on one or more of a current date and time, a current location of the device, an identity of a current user of the device, an identity of each application currently executing on the device, and an identity of each resource currently in use.
  - 3. The method of claim 1, further comprising controlling access to the resource from the second object based upon a policy by providing a context aware policy engine to control access to the resource, wherein the second object is associated with the application attempting to access the resource.
  - 4. The method of claim 3, wherein the context-aware policy engine is further enabled to communicate with a policy server to communicate one or more policies.
  - 5. The method of claim 1, wherein the policy governing the interprocess communication to the first object is a context-related policy.
  - 6. The method of claim 1, wherein the resource is one of a network connection, a cellular connection, a keyboard, a touch interface, an operating system, an application, a part of an application programming interface, a software driver, a database, a port, a wireless communication interface, and a secured area in memory.
  - 7. The method of claim 1, wherein the object firewall is stored in a centralized object registry.
  - 8. The method of claim 1, wherein the first object providing access to the resource is stored in a centralized registry.
  - 9. The method of claim 1, further comprising providing a browser-based interface to author policies that, when installed on the device, control or create the object firewall.
  - 10. The method of claim 1, wherein the policy is authored using a graphical user interface, stored in a first format, translated into a second format for transmission to a device, and parsed by a receiving device in order to determine how to configure the object firewall.
  - 11. The method of claim 1, further comprising, using the computer processor, controlling and configuring the object firewall in a single process associated with a device security system.

12. A system of enforcing distributed policies in a mobile network, comprising:
- at least one hardware processor adapted to provide an inter-process communications firewall on a device to enforce one or more rules governing communication between a first system and a second system that communicate via the device, wherein the inter-process communications firewall is an object firewall, wherein an object on the first system provides access to a resource allowing communication with the second system, wherein the inter-process communications firewall is the only object firewall for the object and wherein the inter-process communications firewall is not an object firewall for any other object;
  
  said at least one hardware processor adapted to generate, via a policy engine associated with the inter-process communications firewall, an indicator of a context of the first system;
  
  said at least one hardware processor adapted to receive an inter-process communication call from the first system intended for communication to the second system;
  
  said at least one hardware processor adapted to pass the inter-process communications call to the policy engine, wherein passing the inter-process communications call comprises passing the indicator of the context of the first system to the policy engine via inter-process communications;
  
  said at least one hardware processor adapted to execute the policy engine to determine whether the inter-process communication is permitted by the inter-process communications firewall based on a policy and the context of at least one of the systems; and
  
  said at least one hardware processor adapted to at least one of permit and block the interprocess communication call in response to the determination, wherein at least one of permitting andblocking the inter-process communication call in response to the determination further comprises at least one of permitting the inter-process communication call without modification, permitting the inter-process communication call with modified contents of the inter-process communication call, permitting the inter-process communication call with a modified return value of data sent from a resource in response to the inter-process communication call, blocking the inter-process communication call, logging the inter-process communication call, ignoring the inter-process communication call, modifying one or more firewall rules, adding one or more firewall policies, and removing one or more firewall policies.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The system of claim 12, wherein the at least one processor is adapted to provide a plurality of inter-process communications firewalls on a device, wherein each inter-process communications firewall of the plurality of inter-process communications firewall is the only object firewall for an object of a plurality of objects and wherein each inter-process communications firewall of the plurality of inter-process communications firewalls is not an object firewall for any other object of the plurality of objects.
  - 14. The system of claim 12, wherein the at least one processor is further adapted to generate the policy engine wherein the policy engine is enabled to communicate with a policy server to communicate one or more policies.
  - 15. The system of claim 12, wherein the policy is comprised of one or more of a black list, a white list, a signing policy, a naming policy, a checksum analysis policy, a library analysis policy, and a permission for one or more of an application, a process, a user, and a group of users.
  - 16. The system of claim 12, wherein said at least one processor adapted to determine whether a communication between the first system and the second system is permitted by the inter-process communications firewall is further based on content of the communication.

17. A method of securing a mobile device from malware, comprising:
- using a computer processor, passing a remote procedure call intended for a second application from a first application to an inter-process control data bus;
  
  requesting, from a policy engine by the inter-process control data bus, a policy validation for the remote procedure call, wherein the policy validation is performed by an object firewall, wherein the object firewall is the only object firewall for an object of the second application, wherein each object of a plurality of objects of the second application has an independent object firewall, and wherein the object firewall is set based on a policy;
  
  determining by the policy engine whether to approve the remote procedure call based on a context of the remote procedure call and a stored policy;
  
  communicating the determination from the policy engine back to the inter-process control data bus; and
  
  at least one of permitting and blocking the remote procedure call by the interprocess control data bus in response to the determination, wherein at least one of permitting and blocking the remote procedure call by the inter-process control data bus in response to the determination further comprises at least one of permitting the remote procedure call without modification, permitting the remote procedure call with modified contents of the remote procedure call, permitting the remote procedure call with a modified return value of data sent from a resource in response to the remote procedure call, blocking the remote procedure call, logging the remote procedure call, ignoring the remote procedure call, modifying one or more firewall rules, adding one or more firewall policies, and removing one or more firewall policies.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. The method of claim 17, wherein passing the remote procedure call further comprises passing a remote procedure call for a second object associated with the second application from a first object associated with the first application to an inter-process control data bus.
  - 19. The method of claim 17, wherein the policy engine is further enabled to communicate with a policy server to communicate one or more policies.
  - 20. The method of claim 17, wherein the method further comprising providing an interprocess controller for installing new object firewalls as new objects are created.
  - 21. The method of claim 17, wherein the policy engine further comprises a contextaware policy engine.
  - 22. The method of claim 21, wherein the context-aware policy engine is further enabled to generate a system-specific context, said system-specific context comprising one or more of a current date, a current time, a location of the mobile device, an identity of a user of the device user, and applications currently executing on the mobile device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Optio Labs
Original Assignee
Optio Labs, Inc.
Inventors
Clancy III, Thomas Charles, White, Christopher Jules, Dougherty, Brian
Primary Examiner(s)
Waliullah, Mohammed

Application Number

US13/735,885
Publication Number

US 20130179991A1
Time in Patent Office

1,653 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/577   Assessing vulnerabilities a...

H04L 63/0227   Filtering policies mail mes...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

Systems and methods for enforcing security in mobile computing

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

121 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for enforcing security in mobile computing

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

121 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links