Title: US6308274: Least privilege via restricted tokens


Country: US United States of America

22 pages

 
Inventor: Swift, Michael M.; Seattle, WA

Assignee: Microsoft Corporation, Redmond, WA

Published / Filed: 2001-10-23 / 1998-06-12

Application Number: US1998000096679

IPC Code: Advanced: G06F 1/00; G06F 9/46; G06F 12/14; G06F 21/00; G06F 21/24;
IPC-7: G06F 1/00; G06F 12/14; G06F 13/00; G06F 15/40;

ECLA Code: G06F21/00N9A2; G06F21/00N9S;

U.S. Class: Current: 726/009; 710/200; 710/220; 710/241; 710/242; 710/243; 710/244; 713/159; 713/169; 713/170; 713/172; 713/173; 726/027;
Original: 713/201; 713/200; 713/169; 713/159; 713/172; 713/173; 713/170; 710/200; 710/220; 710/241; 710/242; 710/243; 710/244;

Field of Search: 713/200,201,169,170,172,173,159 710/240,200,220,241,242,243,244

Priority Number:
1998-06-12  US1998000096679

Abstract:     A method and mechanism to enforce reduced access via restricted access tokens. Restricted access tokens are based on an existing token, and have less access than that existing token. A process is associated with a restricted token, and when the restricted process attempts to perform an action on a resource, a security mechanism compares the access token information with security information associated with the resource to grant or deny access. Application programs may have restriction information stored in association therewith, such that when launched, a restricted token is created for that application based on the restriction information thereby automatically reducing that application's access. Applications may be divided into different access levels such as privileged and non-privileged portions, thereby automatically restricting the actions a user can perform via that application. Also, the system may enforce running with reduced access by running user processes with a restricted token, and then requiring a definite action by the user to specifically override actions that are restricted by temporarily running with the user's normal token.

Attorney, Agent or Firm: Michalik & Wylie, PLLC

Primary / Asst. Examiners: Lee, Thomas; Schuster, Katharina

Maintenance Status: CC Certificate of Correction issued


Designated Country: AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE  EP JP 

Family: 5 known family members

First Claim (of 43 claims):
What is claimed is: 1. In a system having a security mechanism that determines access to resources based on information in an access token against security information associated with each of the resources, a method of restricting the access of an application to system resources, comprising, storing restriction information with respect to the application, the restriction information related to access of the application to the resources, receiving a request to run the application, creating a restricted access token based on the parent token and the restriction information, the restricted access token providing reduced access with respect to a parent access token, and associating the restricted token with the application.


Forward References: 51 U.S. patent(s) reference this one

       
U.S. References (29 backward references):

| Patent | Pub. Date | Inventor | Assignee | Title | Pages |
|---|---|---|---|---|---|
| US4962449 | 1990-10 | Schlesinger | | Computer security system having remote location recognition and remote location lock-out | 10 |
| US5138712 | 1992-08 | Corbin | Sun Microsystems, Inc. | Apparatus and method for licensing software on a network of computers | 21 |
| US5276901 | 1994-01 | Howell et al. | International Business Machines Corporation | System for controlling group access to objects using group access control folder and group identification as individual user | 8 |
| US5321841 | 1994-06 | East et al. | Digital Equipment Corporation | System for determining the rights of object access for a server process by combining them with the rights of the client process | 41 |
| US5390247 | 1995-02 | Fischer | | Method and apparatus for creating, supporting, and using travelling programs | 47 |
| US5412717 | 1995-05 | Fischer | | Computer system security method and apparatus having program authorization information data structures | 27 |
| US5506961 | 1996-04 | Carlson et al. | International Business Machines Corporation | Connection authorizer for controlling access to system resources | 21 |
| US5542046 | 1996-07 | Carlson et al. | International Business Machines Corporation | Server entity that provides secure access to its resources through token validation | 20 |
| US5638448 | 1997-06 | Nguyen | | Network with secure communications sessions | 27 |
| US5649099 | 1997-07 | Theimer et al. | Xerox Corporation | Method for delegating access rights through executable access control program without delegating access rights not in a specification to any intermediary nor comprising server security | 84 |
| US5675782 | 1997-10 | Montague et al. | Microsoft Corporation | Controlling access to objects on multiple operating systems | 16 |
| US5678041 | 1997-10 | Baker et al. | AT&T | System and method for restricting user access rights on the internet based on rating information stored in a relational database | 12 |
| US5680461 | 1997-10 | McManis | Sun Microsystems, Inc. | Secure network protocol system and method | 13 |
| US5682478 | 1997-10 | Watson et al. | Microsoft Corporation | Method and apparatus for supporting multiple, simultaneous services over multiple, simultaneous connections between a client and network server | 14 |
| US5745676 | 1998-04 | Hobson et al. | International Business Machines Corporation | Authority reduction and restoration method providing system integrity for subspace groups and single address spaces during program linkage | 18 |
| US5757916 | 1998-05 | MacDoran et al. | International Series Research, Inc. | Method and apparatus for authenticating the location of remote users of networked computing systems | 27 |
| US5761669 | 1998-06 | Montague et al. | Microsoft Corporation | Controlling access to objects on multiple operating systems | 24 |
| US5812784 | 1998-09 | Watson et al. | Microsoft Corporation | Method and apparatus for supporting multiple, simultaneous services over multiple, simultaneous connections between a client and network server | 15 |
| US5826029 | 1998-10 | Gore, Jr. et al. | International Business Machines Corporation | Secured gateway interface | 12 |
| US5845067 | 1998-12 | Porter et al. | | Method and apparatus for document management utilizing a messaging system | 26 |
| US5922073 | 1999-07 | Shimada | Canon Kabushiki Kaisha | System and method for controlling access to subject data using location data associated with the subject data and a requesting device | 29 |
| US5925109 | 1999-07 | Bartz | National Instruments Corporation | System for I/O management where I/O operations are determined to be direct or indirect based on hardware coupling manners and/or program privilege modes | 20 |
| US5940591 | 1999-08 | Boyle et al. | ITT Corporation | Apparatus and method for providing network security | 25 |
| US5941947 | 1999-08 | Brown et al. | Microsoft Corporation | System and method for controlling access to data entities in a computer network | 30 |
| US5949882 | 1999-09 | Angelo | Compaq Computer Corporation | Method and apparatus for allowing access to secured computer resources by utilzing a password and an external encryption algorithm | 14 |
| US5983270 | 1999-11 | Abraham et al. | Sequel Technology Corporation | Method and apparatus for managing internetwork and intranetwork activity | 110 |
| US5983350 | 1999-11 | Minear et al. | Secure Computing Corporation | Secure firewall supporting different levels of authentication based on address or encryption status | 17 |
| US6081807 | 2000-06 | Story et al. | Compaq Computer Corporation | Method and apparatus for interfacing with a stateless network file system server | 13 |
| US6105132 | 2000-08 | Fritch et al. | Novell, Inc. | Computer network graded authentication system and method | 18 |
       
Foreign References:

| Publication | Date | IPC Code | Assignee | Title | Pages |
|---|---|---|---|---|---|
| EP0398645 | 1990-11 | G06F 12/00 | IBM | System for controlling access privileges | 15 |
| EP0465016 | 1992-01 | G06F 1/00 | DIGITAL EQUIPMENT CORP | Distributed multilevel computer security system and method | 12 |
| EP0588415 | 1994-03 | G06F 1/00 | International Business Machines Corporation | Peer to peer connection authorizer | 25 |
| EP0697662 | 1996-02 | G06F 12/14 | IBM | Method and system for advanced role-based access control in distributed and centralized computer systems | 21 |
| EP0813133 | 1997-12 | G06F 1/00 | IBM | A uniform mechanism for using signed content | 15 |
| WO9605549 | 1996-02 | G06F 1/00 | SHIVA CORP | APPARATUS AND METHOD FOR RESTRICTING ACCESS TO A LOCAL COMPUTER NETWORK | 32 |
| WO9613113 | 1996-05 | G06F 21/00 | SECURE COMPUTING CORP | SYSTEM AND METHOD FOR PROVIDING SECURE INTERNETWORK SERVICES | 78 |
| WO9715008 | 1997-04 | G06F 11/00 | AT & T CORP | SYSTEM AND METHOD FOR DATABASE ACCESS CONTROL | 19 |
| WO9726734 | 1997-07 | G06F 1/00 | RAPTOR SYSTEMS INC | TRANSFERRING ENCRYPTED PACKETS OVER A PUBLIC NETWORK | 32 |


Other Abstract Info: DERABS G2000-105923

Other References:
  • Frost, Jim "Windows NT Security", May 1995, pp. 1-5, retrieved on Jun. 27, 2001 from the Internet.
  • Asche, Ruediger R. "Windows NT Security in Theory and Practice", May 1995, pp. 1-14, retrieved on Jun. 27, 2001 from the Internet.
  • Asche, Ruediger R. "The Guts of Security", May 1995, pp. 1-26, retrieved on Jun. 27, 2001 from the Internet.
  • Soshi et al. "The Saga Security System: A Security Architecture for Open Distributed Systems", IEEE, 1997, pp. 53-58.*
  • "Java Security Model: Java Protection Domains," http://java.sun.com/security/handout.html, printed Nov. 11, 1999.
  • Anon, "Privilege Control Mechanism for UNIX Systems," IBM Technical Disclosure Bulletin, vol. 34, No. 7b, pp. 477-479, Dec. 1991.
  • Erdos et al., "Security Reference Model for the Java Developer's Kit 1.0.2," Java Security Reference Model, Nov. 13, 1996, http://www.javasoft.com/security/SRM.html printed Jul. 14, 1999.
  • Fritzinger et al., "Java Security," 1996, http://java.sun.com/security/whitepaper.txt.
  • Mazieres, David and M. Frans Kaashoek, "Secure Applications Need Flexible Operating Systems," 6th Workshop on Hot Topics in Operating Systems (HotOS-VI), May 5-6, 1997, http://www.eecs.harvard.edu/hotos/.
  • Goldstein, Ted, "The Gateway Security Model in the Java Commerce Client," The Source for Java™ Technology, 1997, http://www.java.sun.com/products/commerce/docs/whitepapers/security/JCC_gateway.html printed Jul. 14, 1999.
  • Neuman et al., "Kerberos: An Authentication Service for Computer Networks," IEEE Communications Magazine, pp. 33-38, Sep. 1, 1994. (6 pages)
  • Copy of International Search Report in Corresponding PCT application No. PCT/US99/12914.
  • Anonymous, "Apache suEXEC Support," (describes the Apache HTTP Server Version 1.3 dating from Jun. 5, 1998 as documented in Written Opinion for PCT Application No. PCT/US99/12912), printed Jul. 24, 2000.
  • Anonymous, "Apache Virtual Host documentation," (describes the Apache HTTP Server Version 1.3 dating from Jun. 5, 1998 as documented in Written Opinion for PCT Application No. PCT/US99/12912), printed Jul. 24, 2000.
  • Bell Telephone Laboratories Incorporated, UNIX™ Time-Sharing System: UNIX Programmer's Manual, 7th Edition, vol. 1, CHMOD(1), Su(1), Exec(2) (Jan. 1979).

