公开(公告)号：US20050021971A1

公开(公告)日：2005-01-27

申请号：US10625312

申请日：2003-07-23

申请人： Vishnu Patankar ,  Robert Reichel ,  John Lambert ,  Kedarnath Dubhashi ,  Jim Thatcher

发明人： Vishnu Patankar ,  Robert Reichel ,  John Lambert ,  Kedarnath Dubhashi ,  Jim Thatcher

IPC分类号： G06F21/00 ,  H04L9/00

CPC分类号： G06F21/57

摘要： The restriction of particular resources includes providing a digital signature for unauthorized resources based on a structure-related parameter of the resource. Thus, attempts at circumventing recognition of such resource will likely result in altering the overall functionality of the resource. Further, such digital signatures are encoded in a critical file required for loading of a resource, thus ensuring that the identity of the resource is considered before execution thereof. Enforcement of the resource restriction includes generating a verification signature for a resource that requests loading. The verification signature is compared to the signature coded into the critical file, and a positive match results in the resource being blocked from loading.

摘要翻译： 特定资源的限制包括基于资源的结构相关参数为未授权资源提供数字签名。 因此，绕过这种资源的识别的尝试可能导致改变资源的整体功能。 此外，这样的数字签名被编码在加载资源所需的关键文件中，从而确保在执行资源之前考虑资源的身份。 资源限制的执行包括为请求加载的资源生成验证签名。 将验证签名与编码到关键文件中的签名进行比较，并且肯定匹配导致资源被阻止加载。

公开(公告)号：US20070005961A1

公开(公告)日：2007-01-04

申请号：US11171744

申请日：2005-06-30

申请人： Jeffrey Hamblin ,  Jonathan Schwartz ,  Kedarnath Dubhashi ,  Klaus Schutz ,  Peter Brundrett ,  Richard Ward ,  Thomas Jones

发明人： Jeffrey Hamblin ,  Jonathan Schwartz ,  Kedarnath Dubhashi ,  Klaus Schutz ,  Peter Brundrett ,  Richard Ward ,  Thomas Jones

IPC分类号： H04N7/16 ,  H04L9/32 ,  G06F17/30 ,  H04L9/00 ,  G06F7/04 ,  G06K9/00 ,  H03M1/68 ,  H04K1/00

CPC分类号： G06F21/62 ,  G06F2221/2145 ,  G06F2221/2149

摘要： An operating system for a computing device has a first session for a user that includes a first base process that has a first privileges token attached thereto. The first privileges token includes substantially a full set of privileges of the user on the operating system. The operating system also has a second session for the user that includes a second base process that has a second privileges token attached thereto. The second privileges token is derived from the first privileges token and includes only a minimum set of privileges of the user on the operating system. Thus, the second, limited token does not have all privileges associated with the first, full token but instead has a limited set of privileges and not extra privileges that could be employed to take actions that would be harmful, deceptive, or malicious.

摘要翻译： 用于计算设备的操作系统具有用于用户的第一会话，所述第一会话包括具有连接到其的第一权限令牌的第一基本进程。 第一权限令牌在操作系统上基本上包括用户的一整套特权。 操作系统还具有用户的第二会话，其包括具有附加到其的第二权限令牌的第二基本进程。 第二个权限令牌是从第一个权限令牌导出的，并且仅包含操作系统上用户的一组最小权限。 因此，第二个有限令牌不具有与第一个完整令牌相关联的所有权限，而是具有一组有限的权限，而不是可以用于采取有害，欺骗性或恶意行为的额外权限。

公开(公告)号：US20060195449A1

公开(公告)日：2006-08-31

申请号：US11168589

申请日：2005-06-28

申请人： Jason Hunter ,  Simon Skaria ,  Kedarnath Dubhashi

发明人： Jason Hunter ,  Simon Skaria ,  Kedarnath Dubhashi

IPC分类号： G06F17/30

CPC分类号： G06F21/6227 ,  Y10S707/99933 ,  Y10S707/99939

摘要： A system that generates a per user abstraction of a store from a connection point. Filtering a view set of a hierarchically secured containment hierarchy based on the access permissions of the principal is one of the novel features of the invention. The invention can offer a collection of primitives that can operate on this aggregation that span multiple container hierarchies with potentially heterogeneous security descriptors. The model can reduce the necessity to traverse the container hierarchy to discover all the accessible items in a domain.

摘要翻译： 从连接点生成每个用户抽象存储的系统。 基于主体的访问权限来过滤层次安全的包含层次结构的视图集是本发明的新颖特征之一。 本发明可以提供可以对具有潜在的异构安全描述符跨越多个容器层次的该聚合进行操作的原语集合。 该模型可以减少遍历容器层次结构以发现域中所有可访问项目的必要性。

公开(公告)号：US20070136578A1

公开(公告)日：2007-06-14

申请号：US11302047

申请日：2005-12-13

申请人： Kedarnath Dubhashi ,  Balan Raman ,  Paul Leach ,  Prasanna Krishnan

发明人： Kedarnath Dubhashi ,  Balan Raman ,  Paul Leach ,  Prasanna Krishnan

IPC分类号： H04L9/00

CPC分类号： G06F21/6218 ,  G06F2221/2141 ,  G06F2221/2145 ,  H04L63/101

摘要： An item inheritance system and method are provided. The item inheritance system can be employed to propagate access control information (e.g., an access control list) to one or more item(s), thus facilitating security of item(s). At least one of the item(s) is a compound item. The item inheritance system includes an input component that receives information associated with one or more items. The items can include container(s), object(s) and/or compound item(s). The system can be triggered by a change in security policy to the item(s), for example, adding and/or deleting a user's access to the item(s). Additionally, moving and/or copying a collection of items can further trigger the system. The system further includes a propagation component that propagates access control information to the item(s). For example, the propagation component can enforce the ACL propagation policies when a change to the security descriptor takes place at the root of a hierarchy.

摘要翻译： 提供了项目继承系统和方法。 可以采用项目继承系统将访问控制信息（例如，访问控制列表）传播到一个或多个项目，从而促进项目的安全性。 至少一个项目是复合项目。 项目继承系统包括接收与一个或多个项目相关联的信息的输入组件。 物品可以包括容器，物体和/或复合物品。 可以通过对项目的安全策略的改变来触发系统，例如添加和/或删除用户对项目的访问。 此外，移动和/或复制物品的集合可以进一步触发系统。 该系统还包括将访问控制信息传播到该项目的传播组件。 例如，当安全描述符的更改发生在层次结构的根目录下时，传播组件可以强制执行A​​CL传播策略。