Abstract:
This disclosure describes techniques of using a centralized rule database to control the abilities of software processes to perform actions with regard to resources provided by a computer. As described herein, each software process executing in a computer executes within a chamber and each resource provided by the computer is associated with a canonical name that uniquely identifies the resource. Furthermore, the computer stores a set of security rules in a centralized rule database. In addition, this disclosure describes techniques of enforcing the rules stored in the centralized rule database.
Abstract:
Embodiments provide a security infrastructure that may be configured to run on top of an existing operating system to control what resources an application can access and what APIs an application can call. Security decisions are made by taking into account both the current thread's identity and the current thread's call chain context, enabling minimal privilege by default. The current thread context is captured and a copy of it is created so that security checks can be performed asynchronously. Every thread in the system has an associated identity. To obtain access to a particular resource, all the callers on the current thread are analyzed to make sure that each caller and the thread itself has access to that resource. Only when each caller and the thread has access to that resource is the caller given access to it.
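A small model of the two mechanisms described in the abstracts above (a centralized rule database keyed by canonical resource name, and a check that walks the current thread's call chain and grants access only if every identity on it is permitted), written as an added example rather than code from any of the disclosures; the rule table, identities and resource names are constructed.

```python
"""Toy call-chain access check: every identity on the chain must be allowed."""
import threading

# Constructed centralized rule database: canonical resource name -> allowed identities.
RULES = {
    "/dev/camera": {"system", "camera_app"},
    "/data/contacts": {"system", "contacts_app"},
}

_ctx = threading.local()  # per-thread call-chain context


def _chain():
    if not hasattr(_ctx, "chain"):
        _ctx.chain = []
    return _ctx.chain


class running_as:
    """Push an identity onto the current thread's call chain for the duration of a call."""
    def __init__(self, identity):
        self.identity = identity

    def __enter__(self):
        _chain().append(self.identity)
        return self

    def __exit__(self, *exc):
        _chain().pop()


def snapshot_context():
    """Immutable copy of the current chain, so a check can run later or on another thread."""
    return tuple(_chain())


def can_access(resource, chain=None):
    """Grant only if the chain is non-empty and every identity on it is allowed on resource."""
    chain = snapshot_context() if chain is None else chain
    allowed = RULES.get(resource, set())
    return bool(chain) and all(ident in allowed for ident in chain)


def demo():
    """Returns (direct, nested_ok, nested_denied, async_ok, empty_chain) decisions."""
    with running_as("system"):
        direct = can_access("/dev/camera")
        with running_as("camera_app"):  # system -> camera_app call chain
            nested_ok = can_access("/dev/camera")
            nested_denied = can_access("/data/contacts")  # camera_app not allowed
            snap = snapshot_context()
    result = []
    worker = threading.Thread(target=lambda: result.append(can_access("/dev/camera", snap)))
    worker.start()
    worker.join()
    return direct, nested_ok, nested_denied, result[0], can_access("/dev/camera")
```

The worker thread has an empty chain of its own, so the snapshot is what makes the asynchronous check reflect the original caller context.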
Abstract:
Methods, functional components and structures are disclosed for carrying out management of client/server processes operating within separate process spaces within a computer system. The disclosed methods and functional components facilitate and carry out management of client and server processes within a computer system such that a greater degree of control can be exercised over their execution. An active server component process maintains a list structure identifying each client process that is currently using one of the server component process's interfaces. When a new client references a server, the list structure is augmented to include the system identification (e.g., handle) assigned by the operating system to the client process. A thread within the server process blocks while awaiting a triggering event (e.g., a client process in the list terminates). When the client process terminates, the block on the thread releases and the thread processes the change in client references. If the number of clients within the structure reaches zero, then the server process can immediately terminate.