Work Files Saved Searches
   My Account                                                  Search:   Quick/Number   Boolean   Advanced   Derwent    Help   


 The Delphion Integrated View
  Buy Now:   Buy PDF- 23pp  PDF  |   File History  |   Other choices   
  Tools:  Citation Link  |  Add to Work File:    
  View:  Expand Details   |  INPADOC   |  Jump to: 
  Go to:  Derwent  
 Email this to a friend  Email this to a friend 
       
Title: US6279111: Security model using restricted tokens
[ Derwent Title ]

Country: US United States of America

View Images High
Resolution

 Low
 Resolution

 
23 pages

 
Inventor: Jensenworth, Gregory; Redmond, WA
Garg, Praerit; Kirkland, WA
Swift, Michael M.; Seattle, WA
Goertzel, Mario C.; Kirkland, WA
Chan, Shannon J.; Bellevue, WA

Assignee: Microsoft Corporation, Redmond, WA
other patents from MICROSOFT CORPORATION (373780) (approx. 3,197)
 News, Profiles, Stocks and More about this company

Published / Filed: 2001-08-21 / 1998-06-12

Application Number: US1998000096926
IPC Code: Advanced: G06F 9/46; G06F 12/14; G06F 21/00; G06F 21/24; H04L 29/06; G06F 1/00;
Core: more...
IPC-7: G06F 12/14;

ECLA Code: H04L29/06S8A; G06F21/00N5A2C2; G06F21/00N9A2; G06F21/00N9C2; G06F21/00N9S;

U.S. Class: Current: 726/010; 713/159; 713/172; 726/017;
Original: 713/200; 713/159; 713/172;

Field of Search: 713/193,185,165,172,200,201,159

Priority Number:
1998-06-12  US1998000096926

Abstract:     A restrict ed access token is created from an existing token, and provides less access than that token. A restricted token may be created by changing an attribute of one or more security identifiers allowing access in the parent token to a setting that denies access in the restricted token and/or removing one or more privileges from the restricted token relative to the parent token. A restricted access token also may be created by adding restricted security identifiers thereto. Once created, a process associates another process with the restricted token to launch the other process in a restricted context that is a subset of its own rights and privileges. A kernel-mode security mechanism determines whether the restricted process has access to a resource by first comparing user-based security identifiers in the restricted token and the intended type of action against a list of identifiers and actions associated with the resource. If no restricted security identifiers are in the restricted token, access is determined by this first check, otherwise a second access check further compares the restricted security identifiers against the list of identifiers and actions associated with the resource. With a token having restricted security identifiers, the process is granted access if both the first and second access checks pass. In this manner, a process is capable of restricting another process, such as possibly unruly code, in the actions it can perform.

Attorney, Agent or Firm: Michalik & Wylie, PLLC ;

Primary / Asst. Examiners: Trammell, James P.; Elisca, Pierre Eddy
INPADOC Legal Status: Show legal status actions          Buy Now: Family Legal Status Report

Designated Country: AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE  EP JP 

Family: Show 5 known family members
First Claim:
Show all 38 claims		 What is claimed is:     1. In a computer system including a first process having access to a resource, a method of granting or denying access of a second process to the resource, comprising, creating a restricted access token from a parent token associated with a first process, the restricted access token having privilege and security identifier access rights therein that comprise reduced access rights relative to the parent token, associating the restricted access token with the second process, requesting that the second process be given access to the resource, providing a security descriptor associated with the resource to a security mechanism, providing the restricted token to the security mechanism, performing an access evaluation at the security mechanism by comparing information in the restricted token with information in the security descriptor, and determining whether to grant or deny access based on the result of the access evaluation.

Background / Summary: Show background / summary

Drawing Descriptions: Show drawing descriptions

Description: Show description

Forward References: Show 41 U.S. patent(s) that reference this one

       
U.S. References: Go to Result Set: All U.S. references   |  Forward references (41)   |   Backward references (29)   |   Citation Link

Buy
PDF		 Patent  Pub.Date  Inventor Assignee   Title
Buy PDF- 10pp US4962449  1990-10 Schlesinger   Computer security system having remote location recognition and remote location lock-out
Buy PDF- 21pp US5138712  1992-08 Corbin  Sun Microsystems, Inc. Apparatus and method for licensing software on a network of computers
Buy PDF- 8pp US5276901  1994-01 Howell et al.  International Business Machines Corporation System for controlling group access to objects using group access control folder and group identification as individual user
Buy PDF- 41pp US5321841  1994-06 East et al.  Digital Equipment Corporation System for determining the rights of object access for a server process by combining them with the rights of the client process
Buy PDF- 47pp US5390247  1995-02 Fischer   Method and apparatus for creating, supporting, and using travelling programs
Buy PDF- 27pp US5412717  1995-05 Fischer   Computer system security method and apparatus having program authorization information data structures
Buy PDF- 21pp US5506961  1996-04 Carlson et al.  International Business Machines Corporation Connection authorizer for controlling access to system resources
Buy PDF- 20pp US5542046  1996-07 Carlson et al.  International Business Machines Corporation Server entity that provides secure access to its resources through token validation
Buy PDF- 27pp US5638448  1997-06 Nguyen   Network with secure communications sessions
Buy PDF- 84pp US5649099  1997-07 Theimer et al.  Xerox Corporation Method for delegating access rights through executable access control program without delegating access rights not in a specification to any intermediary nor comprising server security
Buy PDF- 16pp US5675782  1997-10 Montague et al.  Microsoft Corporation Controlling access to objects on multiple operating systems
Buy PDF- 12pp US5678041  1997-10 Baker et al.  AT&T System and method for restricting user access rights on the internet based on rating information stored in a relational database
Buy PDF- 13pp US5680461  1997-10 McManis  Sun Microsystems, Inc. Secure network protocol system and method
Buy PDF- 14pp US5682478  1997-10 Watson et al.  Microsoft Corporation Method and apparatus for supporting multiple, simultaneous services over multiple, simultaneous connections between a client and network server
Buy PDF- 18pp US5745676  1998-04 Hobson et al.  International Business Machines Corporation Authority reduction and restoration method providing system integrity for subspace groups and single address spaces during program linkage
Buy PDF- 27pp US5757916  1998-05 MacDoran et al.  International Series Research, Inc. Method and apparatus for authenticating the location of remote users of networked computing systems
Buy PDF- 24pp US5761669  1998-06 Montague et al.  Microsoft Corporation Controlling access to objects on multiple operating systems
Buy PDF- 15pp US5812784  1998-09 Watson et al.  Microsoft Corporation Method and apparatus for supporting multiple, simultaneous services over multiple, simultaneous connections between a client and network server
Buy PDF- 12pp US5826029  1998-10 Gore et al.  International Business Machines Corporation Secured gateway interface
Buy PDF- 26pp US5845067  1998-12 Porter et al.   Method and apparatus for document management utilizing a messaging system
Buy PDF- 29pp US5922073  1999-07 Shimada  Canon Kabushiki Kaisha System and method for controlling access to subject data using location data associated with the subject data and a requesting device
Buy PDF- 20pp US5925109  1999-07 Bartz  National Instruments Corporation System for I/O management where I/O operations are determined to be direct or indirect based on hardware coupling manners and/or program privilege modes
Buy PDF- 25pp US5940591  1999-08 Boyle  ITT Corporation Apparatus and method for providing network security
Buy PDF- 30pp US5941947  1999-08 Brown et al.  Microsoft Corporation System and method for controlling access to data entities in a computer network
Buy PDF- 14pp US5949882  1999-09 Angelo  Compaq Computer Corporation Method and apparatus for allowing access to secured computer resources by utilzing a password and an external encryption algorithm
Buy PDF- 110pp US5983270  1999-11 Abraham et al.  Sequel Technology Corporation Method and apparatus for managing internetwork and intranetwork activity
Buy PDF- 17pp US5983350  1999-11 Minear et al.  Secure Computing Corporation Secure firewall supporting different levels of authentication based on address or encryption status
Buy PDF- 13pp US6081807  2000-06 Story et al.  Compaq Computer Corporation Method and apparatus for interfacing with a stateless network file system server
Buy PDF- 18pp US6105132  2000-08 Fritch et al.  Novell, Inc. Computer network graded authentication system and method
       
Foreign References:
Buy
PDF		 Publication Date IPC Code Assignee   Title
Buy PDF- 15pp EP0398645 1990-11  G06F 12/00 IBM System for controlling access privileges 
Buy PDF- 12pp EP0465016 1992-01  G06F 1/00 DIGITAL EQUIPMENT CORP Distributed multilevel computer security system and method 
Buy PDF- 25pp EP0588415 1994-03  G06F 1/00 International Business Machines Corporation Peer to peer connection authorizer 
Buy PDF- 21pp EP0697662 1996-02  G06F 12/14 IBM Method and system for advanced role-based access control in distributed and centralized computer systems 
Buy PDF- 15pp EP0813133 1997-12  G06F 1/00 IBM A uniform mechanism for using signed content 
Buy PDF- 32pp WO9605549 1996-02  G06F 1/00 SHIVA CORP APPARATUS AND METHOD FOR RESTRICTING ACCESS TO A LOCAL COMPUTER NETWORK 
Buy PDF- 78pp WO9613113 1996-05  G06F 21/00 SECURE COMPUTING CORP SYSTEM AND METHOD FOR PROVIDING SECURE INTERNETWORK SERVICES 
Buy PDF- 19pp WO9715008 1997-04  G06F 11/00 AT & T CORP SYSTEM AND METHOD FOR DATABASE ACCESS CONTROL 
Buy PDF- 32pp WO9726734 1997-07  G06F 1/00 RAPTOR SYSTEMS INC TRANSFERRING ENCRYPTED PACKETS OVER A PUBLIC NETWORK 


Other Abstract Info: DERABS G2000-105924

Other References:
  • "Java Security Model: Java Protection Domains," http://java.sun.com/security/handout.html, printed Nov. 11, 1999.
  • Anon, "Privilege Control Mechanism for UNIX Systems," IBM Technical Disclosure Bulletin, vol. 34, No. 7b pp. 477-479, Dec. 1991.
  • Erdos et al., "Security Reference Model for the Java Developer's Kit 1.0.2," Java Security Reference Model, Nov. 13, 1996, http://www.javasoft.com/security/SRM.html printed Jul. 14, 1999.
  • Fritzinger et al., "Java Security," 1996, http://java.sun.com/security/whitepaper/txt.
  • Fritzinger et al., "Java Security," 1996, http://java.sun.com/security/whitepaper/ps.
  • Goldberg et al., "A Secure Environment for Untrusted Helper Applications: Confining the Wily Hacker," Sixt USENIX Security Symposium, Jul. 22-25, 1996, http://www.usenix.org/publications/library/proceedings/sec9.
  • Goldstein, Ted, "The Gateway Security Model in the Java Commerce Client," The Source for Java.TM.Technology, 1997, http://www.java.sun.com/products/commerce/docs/whitepapers/security/ JCC_gateway.html printed Jul. 14, 1999.
  • Mazieres, David and M. Frans Kaashoek, "Secure Applications Need Flexible Operating Systems," 6th Workshop on Hot Topics in Operating Systems(HotOs-VI), May 5-6, 1997, http://www.eecs.harvard.edu/hotos/.
  • Neuman et al., "Kerbros: An Authentication Service for Computer Networks," IEEE Communications Magazine, pp. 33-38, Sep. 1, 1994. (6 pages) Cited by 44 patents [ISI abstract]
  • Copy of International Search Report in Corresponding PCT Application No. PCT/US99/13057.
  • Soshi et al., The Saga Security System: A Security Architecture for Open Distributed Systems, IEEE, pp. 53-58 (1997).
  • Anonymous, "Apache suEXEC Support," (describes the Apache HTTP Server Version 1.3 dating from Jun. 5, 1998 as documented in Written Opinion for PCT Application No. PCT/US99/12912), http://www.apache.org/docs/suexec.html printed Jul. 24, 2000.
  • Anonymous, "Apache Virtual Host documentation," (describes the Apache HTTP Server Version 1.3 dating fr Jun. 5, 1998 as documented in Written Opinion for PCT Application No. PCT/US99/12912), http://www.apache.org/docs/vhosts/index.html, printed Jul. 24, 2000.
  • Bell Telephone Laboratories Incorporated, UNIX.TM. Time-Sharing System: UNIX Programmer's Manual, 7th Edition, vol. 1, CHMOD(1), SU(1), EXEC(2) (Jan. 1979).


    • Inquire Regarding Licensing

    Powered by Verity
    Plaques from Patent Awards      Gallery of Obscure PatentsNominate this for the Gallery...

    Thomson Reuters Copyright © 1997-2010 Thomson Reuters 
    Subscriptions  |  Web Seminars  |  Privacy  |  Terms & Conditions  |  Site Map  |  Contact Us  |  Help