Access authorization having embedded policies

US 8,931,035 B2
Filed: 11/11/2010
Issued: 01/06/2015
Est. Priority Date: 10/01/2004
Status: Active Grant

First Claim

Patent Images

1. A computer-readable storage medium comprising computer-executable instructions that, when executed by a processor, perform a method comprising:

receiving from a first process a request to load a first embedded policy and a second embedded policy applicable to an application program, wherein the first embedded policy and the second embedded policy are executed by an operating system access control service;

storing the first embedded policy and the second embedded policy in a policy repository, wherein the first embedded policy includes a provision to verify that the application program is of a type applicable to the first embedded policy and a set of executable rules that restrict access to a resource, wherein the second embedded policy includes a provision to verify that the application program is of a type applicable to second embedded policy and a set of executable rules that restrict access to a resource, and wherein the second embedded policy is more restrictive than the first embedded policy;

associating the first embedded policy with a first instance of the application program, such that the first embedded policy must be applied before executing the first instance of the application program;

applying the first embedded policy;

executing the first instance of the application program;

associating the second embedded policy with a second instance of the application program, such that the second embedded policy must be applied before executing the second instance of the application program;

applying the second embedded policy;

executing the second instance of the application program;

receiving a request from the second instance of the application program to access the resource; and

denying access to the resource based upon the second embedded policy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A facility for receiving an embedded policy is provided. The facility checks an application program image for the presence of an embedded policy. If an embedded policy is detected, the facility extracts the policy from within the application program image. The facility may then apply the extracted policy to the application program image before the application program image is loaded and/or executed. Moreover, the facility may check the application program image'"'"'s integrity prior to extracting the embedded policy.

61 Citations

30 Claims

1. A computer-readable storage medium comprising computer-executable instructions that, when executed by a processor, perform a method comprising:
- receiving from a first process a request to load a first embedded policy and a second embedded policy applicable to an application program, wherein the first embedded policy and the second embedded policy are executed by an operating system access control service;
  
  storing the first embedded policy and the second embedded policy in a policy repository, wherein the first embedded policy includes a provision to verify that the application program is of a type applicable to the first embedded policy and a set of executable rules that restrict access to a resource, wherein the second embedded policy includes a provision to verify that the application program is of a type applicable to second embedded policy and a set of executable rules that restrict access to a resource, and wherein the second embedded policy is more restrictive than the first embedded policy;
  
  associating the first embedded policy with a first instance of the application program, such that the first embedded policy must be applied before executing the first instance of the application program;
  
  applying the first embedded policy;
  
  executing the first instance of the application program;
  
  associating the second embedded policy with a second instance of the application program, such that the second embedded policy must be applied before executing the second instance of the application program;
  
  applying the second embedded policy;
  
  executing the second instance of the application program;
  
  receiving a request from the second instance of the application program to access the resource; and
  
  denying access to the resource based upon the second embedded policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer-readable storage medium of claim 1 further comprising computer-executable instructions that, when executed by the processor, perform the method further comprising:
    - determining whether the first embedded policy exists in the policy repository; and
      
      responsive to determining that the first embedded policy exists in the policy repository, applying the first embedded policy before the executing of the first instance of the application program.
  - 3. The computer-readable storage medium of claim 1 further comprising computer-executable instructions that, when executed by the processor, perform the method further comprising:
    - determining whether the first embedded policy exists in the policy repository; and
      
      responsive to determining that the first embedded does not exist in the policy repository, not executing the first instance of the application program.
  - 4. The computer-readable storage medium of claim 1 wherein the resource comprises a network, a file system, or an application program.
  - 5. The computer-readable storage medium of claim 1 wherein applying the first embedded policy comprises embedding the first embedded policy within the application program.
  - 6. The computer-readable storage medium of claim 1 wherein applying the second embedded policy comprises embedding the second embedded policy within the application program.
  - 7. The computer-readable storage medium of claim 1 wherein applying the first embedded policy comprises embedding the first embedded policy within the application program and wherein applying the second embedded policy comprises embedding the second embedded policy within the application program.
  - 8. The computer-readable storage medium of claim 1 wherein applying the first embedded policy comprises instantiating the first embedded policy.
  - 9. The computer-readable storage medium of claim 1 wherein applying the second embedded policy comprises instantiating the second embedded policy.
  - 10. The computer-readable storage medium of claim 1 wherein applying the first embedded policy comprises instantiating the first embedded policy and wherein applying the second embedded policy comprises instantiating the second embedded policy.

11. A method comprising:
- receiving from a first process a request to load a first embedded policy and a second embedded policy applicable to an application program, wherein the first embedded policy and the second embedded policy are executed by an operating system access control service;
  
  storing the first embedded policy and the second embedded policy in a policy repository, wherein the first embedded policy includes a provision to verify that the application program is of a type applicable to the first embedded policy and a set of executable rules that restrict access to a resource, wherein the second embedded policy includes a provision to verify that the application program is of a type applicable to second embedded policy and a set of executable rules that restrict access to a resource, and wherein the second embedded policy is more restrictive than the first embedded policy;
  
  associating the first embedded policy with a first instance of the application program, such that the first embedded policy must be applied before executing the first instance of the application program; and
  
  applying the first embedded policy;
  
  executing the first instance of the application program;
  
  associating the second embedded policy with a second instance of the application program, such that the second embedded policy must be applied before executing the second instance of the application program;
  
  applying the second embedded policy;
  
  executing the second instance of the application program;
  
  receiving a request from the second instance of the application program to access the resource; and
  
  denying access to the resource based upon the second embedded policy.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11 further comprising:
    - determining whether the first embedded policy exists in the policy repository; and
      
      responsive to determining that the first embedded policy exists in the policy repository, applying the first embedded policy before the executing of the first instance of the application program.
  - 13. The method of claim 11 further comprising:
    - determining whether the first embedded policy exists in the policy repository; and
      
      responsive to determining that the first embedded does not exist in the policy repository, denying the request to execute the first instance of the application program.
  - 14. The method of claim 11 wherein the resource comprises a network, a file system, or an application program.
  - 15. The method of claim 11 wherein applying the first embedded policy comprises embedding the first embedded policy within the application program.
  - 16. The method of claim 11 wherein applying the second embedded policy comprises embedding the second embedded policy within the application program.
  - 17. The method of claim 11 wherein applying the first embedded policy comprises embedding the first embedded policy within the application program and wherein applying the second embedded policy comprises embedding the second embedded policy within the application program.
  - 18. The method of claim 11 wherein applying the first embedded policy comprises instantiating the first embedded policy.
  - 19. The method of claim 11 wherein applying the second embedded policy comprises instantiating the second embedded policy.
  - 20. The method of claim 11 wherein applying the first embedded policy comprises instantiating the first embedded policy and wherein applying the second embedded policy comprises instantiating the second embedded policy.

21. A system comprising:
- a processing unit; and
  
  a memory coupled to the processing unit, the memory encoding computer executable instructions that, when executed by the processing unit, perform a method comprising;
  
  receiving from a first process a request to load a first embedded policy and a second embedded policy applicable to an application program, wherein the first embedded policy and the second embedded policy are executed by an operating system access control service;
  
  storing the first embedded policy and the second embedded policy in a policy repository, wherein the first embedded policy includes a provision to verify that the application program is of a type applicable to the first embedded policy and a set of executable rules that restrict access to a resource, wherein the second embedded policy includes a provision to verify that the application program is of a type applicable to second embedded policy and a set of executable rules that restrict access to a resource, and wherein the second embedded policy is more restrictive than the first embedded policy;
  
  associating the first embedded policy with a first instance of the application program, such that the first embedded policy must be applied before executing the first instance of the application program;
  
  applying the first embedded policy;
  
  executing the first instance of the application program;
  
  associating the second embedded policy with a second instance of the application program, such that the second embedded policy must be applied before executing the second instance of the application program;
  
  applying the second embedded policy;
  
  executing the second instance of the application program;
  
  receiving a request from the second instance of the application program to access the resource; and
  
  denying access to the resource based upon the second embedded policy.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The system of claim 21 wherein the resource comprises a network, a file system, or an application program.
  - 23. The system of claim 21 wherein applying the first embedded policy comprises computer executable instructions encoded within the memory that, when executed by the processing unit, perform the method further comprising embedding the first embedded policy within the application program.
  - 24. The system of claim 21 wherein applying the second embedded policy comprises computer executable instructions encoded within the memory that, when executed by the processing unit, perform the method further comprising embedding the second embedded policy within the application program.
  - 25. The system of claim 21 wherein applying the first embedded policy comprises computer executable instructions encoded within the memory that, when executed by the processing unit, perform the method further comprising embedding the first embedded policy within the application program and wherein applying the second embedded policy comprises computer executable instructions encoded within the memory that, when executed by the processing unit, perform the method further comprising embedding the second embedded policy within the application program.
  - 26. The system of claim 21 wherein applying the first embedded policy comprises computer executable instructions encoded within the memory that, when executed by the processing unit, perform the method further comprising instantiating the first embedded policy.
  - 27. The system of claim 21 wherein applying the second embedded policy comprises computer executable instructions encoded within the memory that, when executed by the processing unit, perform the method further comprising instantiating the second embedded policy.
  - 28. The system of claim 21 wherein applying the first embedded policy comprises computer executable instructions encoded within the memory that, when executed by the processing unit, perform the method further comprising instantiating the first embedded policy and wherein applying the second embedded policy comprises computer executable instructions encoded within the memory that, when executed by the processing unit, perform the method further comprising instantiating the second embedded policy.
  - 29. The system of claim 21 further comprising computer executable instructions encoded within the memory that, when executed by the processing unit, perform the method further comprising:
    - determine whether the first embedded policy exists in the policy repository; and
      
      responsive to determining that the first embedded policy exists in the policy repository, applying the first embedded policy before the executing of the first instance of the application program.
  - 30. The system of claim 29 further comprising computer executable instructions encoded within the memory that, when executed by the processing unit, perform the method further comprising:
    - determining whether the first embedded policy exists in the policy repository; and
      
      responsive to determining that the first embedded does not exist in the policy repository, not executing the first instance of the application program.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Golan, Gilad, Vayman, Mark
Primary Examiner(s)
Lipman, Jacob

Application Number

US12/944,667
Publication Number

US 20110126260A1
Time in Patent Office

1,517 Days
Field of Search

726/1
US Class Current

726/1
CPC Class Codes

G06F 16/122   using management policies b...

G06F 21/30   Authentication, i.e. establ...

G06F 21/54   by adding security routines...

G06F 21/554   involving event detection a...

G06F 21/62   Protecting access to data v...

Access authorization having embedded policies

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

61 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Access authorization having embedded policies

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

61 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links