Resource based dynamic security authorization

US 8,245,270 B2
Filed: 09/01/2005
Issued: 08/14/2012
Est. Priority Date: 09/01/2005
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for managing access to a second resource by sandboxed code included on a client, the method comprising:

executing the sandboxed code on the client and allowing operations to execute that adhere to a static security policy;

wherein the sandboxed code has restricted access to resources and other applications;

wherein the sandboxed code is specifically authorized by the static security policy to access a first resource through a first connection;

wherein the first resource includes an associated first resource policy;

determining when the sandboxed code on the client requests access to the second resource that is not authorized by the static security policy;

wherein authorization of the request to the second resource results in a direct cross-domain access to the second resource between the sandboxed code and the second resource that is not authorized by the static security policy;

wherein the cross-domain access results in a connection to a web server to provide the second resource to the sandboxed code on the client;

establishing a service connection that is a different network connection from the first connection between the second resource and the client that is limited in its functionality to confirming whether the sandboxed code meets any existing resource based policies that grant the sandboxed code access to the second resource;

comparing evidence of the sandboxed code sent using the service connection against a resource based policy associated with at least one of the first resource and the second resource;

wherein the resource based policy is stored with the first resource; and

providing the sandboxed code access to the second resource when the evidence is determined as sufficient according to the resource based policy.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Access to a resource by sandboxed code is dynamically authorized by a client security system based on a resource based policy. A sandboxed application running on a client is granted access to a resource based on a resource based policy despite denial of the access based on a static policy associated with the client security system. The granting of access coincides with the determination that the threat to a user or the user'"'"'s information is not increased should the access be granted.

104 Citations

View as Search Results

20 Claims

1. A computer-implemented method for managing access to a second resource by sandboxed code included on a client, the method comprising:
- executing the sandboxed code on the client and allowing operations to execute that adhere to a static security policy;
  
  wherein the sandboxed code has restricted access to resources and other applications;
  
  wherein the sandboxed code is specifically authorized by the static security policy to access a first resource through a first connection;
  
  wherein the first resource includes an associated first resource policy;
  
  determining when the sandboxed code on the client requests access to the second resource that is not authorized by the static security policy;
  
  wherein authorization of the request to the second resource results in a direct cross-domain access to the second resource between the sandboxed code and the second resource that is not authorized by the static security policy;
  
  wherein the cross-domain access results in a connection to a web server to provide the second resource to the sandboxed code on the client;
  
  establishing a service connection that is a different network connection from the first connection between the second resource and the client that is limited in its functionality to confirming whether the sandboxed code meets any existing resource based policies that grant the sandboxed code access to the second resource;
  
  comparing evidence of the sandboxed code sent using the service connection against a resource based policy associated with at least one of the first resource and the second resource;
  
  wherein the resource based policy is stored with the first resource; and
  
  providing the sandboxed code access to the second resource when the evidence is determined as sufficient according to the resource based policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-implemented method of claim 1, wherein the evidence is determined as sufficient according to the resource based policy when granting the sandboxed code access to the second resource does not increase a threat level to user data.
  - 3. The computer-implemented method of claim 2, wherein granting the sandboxed code access to the second resource does not increase a threat level to user data when the second resource is affiliated with a source resource that provided the sandboxed code to the client.
  - 4. The computer-implemented method of claim 1, wherein the evidence is transmitted to the second resource for comparing the evidence against the resource based policy.
  - 5. The computer-implemented method of claim 1, wherein the resource based policy is transmitted to the client for comparing the evidence against the resource based policy.
  - 6. The computer-implemented method of claim 1, further comprising alternatively denying access by the sandboxed code to the second resource when the resource based policy dictates that access to the second resource is denied and the access to the second resource is otherwise allowed.
  - 7. The computer-implemented method of claim 1, wherein the resource based policy is applied for managing access to the second resource along with a static policy.
  - 8. The computer-implemented method of claim 1, wherein the service connection corresponds to a communication connect other than an unrestricted connection.
  - 9. The computer-implemented method of claim 1, wherein the static security policy is supplied by the client security system.

10. A system for managing access to a second resource by sandboxed code included on a client, comprising:
- on the client executing the sandboxed code on a processor and allowing operations to execute that adhere to a static security policy;
  
  wherein the sandboxed code has restricted access to resources and other applications;
  
  wherein the sandboxed code is specifically authorized by the static security policy to access a first resource through a first connection;
  
  wherein the first resource includes an associated first resource policy;
  
  determining when the sandboxed code on the client requests access to the second resource that is not authorized by the static security policy;
  
  wherein authorization of the request to the second resource results in a direct cross-domain access to the second resource between the sandboxed code and the second resource that is not authorized by the static security policy;
  
  wherein the cross-domain access results in a connection to a web server to provide the second resource to the sandboxed code on the client;
  
  establishing a service connection that is a different network connection from the first connection between the second resource and the client that is limited in its functionality to confirming whether the sandboxed code meets any existing resource based policies that grant the sandboxed code access to the second resource;
  
  comparing evidence of the sandboxed code sent using the service connection against a resource based policy associated with at least one of the first resource and the second resource using a client security system;
  
  wherein the resource based policy is stored with the first resource; and
  
  providing the sandboxed code access to the second resource when the evidence is determined as sufficient according to the resource based policy.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 11. The system of claim 10, wherein the static security policy is supplied by the client security system.
  - 12. The system of claim 10, wherein the client security system is further configured to determine that the evidence is sufficient according to the resource based policy when granting the sandboxed code access to the second resource does not increase a threat level to user data.
  - 13. The system of claim 10, wherein the service connection is configured to transmit data between the second resource and the sandboxed code for the purposes of evaluating the evidence against the resource based policy.
  - 14. The system of claim 13, wherein the service connection is further configured to transmit the evidence to the second resource for the evaluation.
  - 15. The system of claim 13, wherein the service connection is further configured to transmit the resource based policy to the client security system for the evaluation.
  - 16. The system of claim 10, wherein the second resource corresponds to the web server.
  - 17. The system of claim 10, wherein the second resource corresponds to a database server.
  - 18. The system of claim 10, wherein the client security system is further configured to determine that the evidence is sufficient according to the resource based policy when the sandboxed code is identified as associated with a source resource that is affiliated with the second resource.
  - 19. The system of claim 10, wherein the service connection corresponds to a communication connection other than an unrestricted connection.

20. A computer-readable storage device medium having stored thereon computer-executable instructions for dynamically managing access to a second resource by sandboxed code included on a client, the computer-executable instructions comprising:
- executing the sandboxed code on the client and allowing operations to execute that adhere to a static security policy;
  
  wherein the sandboxed code has restricted access to resources and other applications;
  
  wherein the sandboxed code is specifically authorized by the static security policy to access a first resource through a first connection;
  
  wherein the first resource includes an associated first resource policy;
  
  determining when the sandboxed code on the client requests access to the second resource that is not authorized by the static security policy;
  
  wherein authorization of the request to the second resource results in a direct cross-domain access to the second resource between the sandboxed code and the second resource that is not authorized by the static security policy;
  
  wherein the cross-domain access results in a connection to a web server to provide the second resource to the sandboxed code on the client;
  
  establishing a service connection that is a different network connection from the first connection between the second resource and the client that is limited in its functionality to confirming whether the sandboxed code meets any existing resource based policies that grant the sandboxed code access to the second resource;
  
  comparing evidence of the sandboxed code sent using the service connection against a resource based policy associated with at least one of the first resource and the second resource;
  
  wherein the resource based policy is stored with the first resource; and
  
  providing the sandboxed code access to the second resource when the evidence is determined as sufficient according to the resource based policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Cooperstein, Jeffrey M., Goldfeder, Aaron R., Fee, Gregory D., Hawkins, John M., Kudallur, Venkatraman
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
Jeudy, Josnel

Application Number

US11/217,748
Publication Number

US 20070050854A1
Time in Patent Office

2,539 Days
Field of Search

713/186, 713/182, 713/156, 713164-168, 726/12, 726 1- 8, 726/21, 726 24- 33, 705/39, 705/64, 705/2, 705/67, 709/224, 709/203, 709217-219, 709200-202
US Class Current

726/1
CPC Class Codes

G06F 21/53 by executing in a restricte...

Resource based dynamic security authorization

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

104 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Resource based dynamic security authorization

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

104 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links