Sandboxing third party components

US 9,959,405 B2
Filed: 09/11/2014
Issued: 05/01/2018
Est. Priority Date: 05/28/2014
Status: Active Grant

First Claim

Patent Images

1. A non-transitory machine-readable medium having executable instructions to cause one or more processing units to perform a method of security management for a data processing system, the method comprising:

determining whether a third-party component supports access to a network coupled to the data processing system, wherein the third-party component provides input data to a user application;

when the third-party component supports network access, requesting an input regarding whether to restrict access of system resources by the third-party component;

constructing a restrictive access sandbox for the third-party component in response to receiving an input indicating to restrict access to the network by the third-party component, wherein the third-party component, executing within the restrictive access sandbox, sends to the user application, text based on character input to the third-party component, and stores text prediction information received from the user application in the restrictive access sandbox for subsequent access by the third-party component to predict text for input characters, the restrictive access sandbox further storing text predication information generated by the third-party component; and

constructing a normal access sandbox for the third-party component in response to receiving an input indicating not to restrict access of system resources by the third-party component.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus of a device for security management by sandboxing third-party components is described. The device can determine whether a third-party component supports network access. If the third-party component supports network access, the device can request a user input regarding whether to restrict the network access of the component. The device can receive a user input to restrict network access of the third-party component. Upon receiving the user input to restrict network access, the device can construct a sandbox for the third-party component to restrict network access of the component and prevent the component from performing data exfiltration. Other embodiments are also described and claimed.

25 Citations

View as Search Results

23 Claims

1. A non-transitory machine-readable medium having executable instructions to cause one or more processing units to perform a method of security management for a data processing system, the method comprising:
- determining whether a third-party component supports access to a network coupled to the data processing system, wherein the third-party component provides input data to a user application;
  
  when the third-party component supports network access, requesting an input regarding whether to restrict access of system resources by the third-party component;
  
  constructing a restrictive access sandbox for the third-party component in response to receiving an input indicating to restrict access to the network by the third-party component, wherein the third-party component, executing within the restrictive access sandbox, sends to the user application, text based on character input to the third-party component, and stores text prediction information received from the user application in the restrictive access sandbox for subsequent access by the third-party component to predict text for input characters, the restrictive access sandbox further storing text predication information generated by the third-party component; and
  
  constructing a normal access sandbox for the third-party component in response to receiving an input indicating not to restrict access of system resources by the third-party component.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The non-transitory machine-readable medium of claim 1, wherein the third-party component is a third-party keyboard application.
  - 3. The non-transitory machine-readable medium of claim 1, wherein the third-party component is a third-party voice input application.
  - 4. The non-transitory machine-readable medium of claim 1, wherein the third-party component is a third-party drawing application or a third-party motion sensing application.
  - 5. The non-transitory machine-readable medium of claim 1, wherein the third-party component is a third-party optical instrument application, wherein the third-party optical instrument application is a third-party camera application or a third-party image scanner application.
  - 6. The non-transitory machine-readable medium of claim 1, wherein the constructing of the restrictive access sandbox for the third-party component further comprises preventing data exfiltration by the third-party component.
  - 7. The non-transitory machine-readable medium of claim 1, wherein the user application transmits the text sent by the third-party component and the corresponding text prediction information through the network for storage.

8. A computer-implemented method for security management of a data processing system, the method comprising:
- determining whether a third-party component supports access to a network coupled to the data processing system;
  
  when the third-party component supports network access, requesting an input regarding whether to restrict access of system resources by the third-party component;
  
  constructing a restrictive access sandbox for the third-party component in response to receiving an input indicating to restrict access to the network by the third-party component, wherein the third-party component executing within the restrictive access sandbox, sends to the user application, text based on character input to the third-party component, and stores text prediction information received from the user application in the restrictive access sandbox for subsequent access by the third-party component to predict text for input characters, the restrictive access sandbox further storing text predication information generated by the third-party component; and
  
  constructing a normal access sandbox for the third-party component in response to receiving an input indicating not to restrict access of system resources by the third-party component.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The method of claim 8, wherein the third-party component provides input data to a user application.
  - 10. The method of claim 8, wherein the third-party component is a third-party keyboard application.
  - 11. The method of claim 8, wherein the third-party component is a third-party voice input application.
  - 12. The method of claim 8, wherein the third-party component is a third-party drawing application or a third-party motion sensing application.
  - 13. The method of claim 8, wherein the third-party component is a third-party optical instrument application, wherein the third-party optical instrument application is a third-party camera application or a third-party image scanner application.
  - 14. The method of claim 8, wherein the constructing of the restrictive access sandbox for the third-party component further comprises preventing data exfiltration of the third-party component.
  - 15. The method of claim 8, wherein the user application transmits the text sent by the third-party component and the corresponding text prediction information through the network for storage.

16. A device to perform security management, the device comprising:
- a processing system;
  
  a memory coupled to the processing system through a bus;
  
  a network coupled to the processing system through the bus; and
  
  a process executed from the memory by the processing system that causes the processing system to determine whether a third-party component supports access to the network, when the third-party component supports network access, request an input regarding whether to restrict access to the network by the third-party component, construct a restrictive access sandbox for the third-party component in response to receiving the input indicating to restrict access of system resources by the third-party component, wherein the third-party component, executing within the restrictive access sandbox, sends to the user application, text based on character input to the third-party component, and stores text prediction information received from the user application in a the restrictive access sandbox for subsequent access by the third-party component to predict text for input characters, the restrictive access sandbox further storing text predication information generated by the third-party component, and construct a normal access sandbox for the third-party component in response to receiving an input indicating not to restrict access of system resources by the third-party component.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The device of claim 16, wherein the third-party component is a third-party keyboard application or a third-party voice input application.
  - 18. The device of claim 16, wherein the third-party component is a third-party drawing application or a third-party motion sensing application.
  - 19. The device of claim 16, wherein the third-party component is a third-party optical instrument application, wherein the third-party optical instrument application is a third-party camera application or a third-party image scanner application.
  - 20. The device of claim 16, the user application transmits the text sent by the third-party component and the corresponding text prediction information through the network for storage.

21. A computer-implemented method comprising:
- sending, by a third-party component to a user application, text based on characters input to the third-party component, the third-party component executing on a processor within a restrictive access sandbox generated by the processor in response to receiving a user request to prevent the third-party component from transmitting data through a network;
  
  receiving, by the third-party component from the user application, text prediction information;
  
  storing, by the third-party component, the text prediction information from the user application in the restrictive access sandbox, the restrictive access sandbox further storing text predication information generated by the third-party component;
  
  accessing, by the third-party component, the restrictive access sandbox to predict text from input characters.

22. A non-transitory machine-readable medium having executable instructions to cause one or more processing units to perform a method comprising:
- sending, by a third-party component to a user application, text based on characters input to the third-party component, the third-party component executing on a processor within a restrictive access sandbox generated by the processor in response to receiving a user request to prevent the third-party component from transmitting data through a network;
  
  receiving, by the third-party component from the user application, text prediction information;
  
  storing, by the third-party component, the text prediction information from the user application in the restrictive access sandbox, the restrictive access sandbox further storing text predication information generated by the third-party component;
  
  accessing, by the third-party component, the text prediction information stored in the restrictive access sandbox to predict text from input characters.

23. A device comprising:
- a processing system;
  
  a memory coupled to the processing system through a bus;
  
  a network coupled to the processing system through the bus; and
  
  a third-party component executed from the memory by the processing system that causes the processing system sent to send, to a user application, text based on characters input to the third-party component, the third-party component executing within a restrictive access sandbox generated by the processor in response to receiving a user request to prevent the third-party component from transmitting data through a network, receive text prediction information from the user application, store the text prediction information from the user application in the restrictive access sandbox, the restrictive access sandbox further storing text predication information generated by the third-party component, and access the text prediction information stored in the restrictive access sandbox to predict text from input characters.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
Yancey, Kelly B., Martel, Pierre-Olivier J.
Primary Examiner(s)
Lewis, Lisa C

Application Number

US14/483,543
Publication Number

US 20150347747A1
Time in Patent Office

1,328 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/62   Protecting access to data v...

H04L 63/145   the attack involving the pr...

Sandboxing third party components

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

25 Citations

23 Claims

Specification

Use Cases

Quick Links

Others

Sandboxing third party components

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

23 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others