公开(公告)号：US07770202B2

公开(公告)日：2010-08-03

申请号：US10771653

申请日：2004-02-03

申请人： Christopher W. Brumme ,  Vance Morrison ,  Sebastian Lange ,  Gregory D. Fee ,  Dario Russi ,  Simon Jeremy Hall ,  Mahesh Prakriya ,  Brian F. Sullivan

发明人： Christopher W. Brumme ,  Vance Morrison ,  Sebastian Lange ,  Gregory D. Fee ,  Dario Russi ,  Simon Jeremy Hall ,  Mahesh Prakriya ,  Brian F. Sullivan

IPC分类号： G06F17/00 ,  H04L29/06

CPC分类号： H04L63/102 ,  G06F9/468 ,  G06F21/52 ,  G06F21/62 ,  H04L63/101

摘要： A host intercepts calls between two executables and determines whether the calls are permissible according to the host's security model which can be identify based, such as user identity based—for instance, mapping access rights within a specific data base user context to database object access. Such an identity security model differs from a common language runtime security model where managed code uses Code Access Security to prevent managed assemblies from performing certain operations. Managed assemblies registered with the host are host objects from the host's perspective for which access rights can be defined via security rules, such as are defined for individual user identities. A host can decide access between managed executables based on the host's identity based access rules by trapping any cross assembly calls and deciding whether such calls should proceed or be blocked from taking place based on the corresponding identity security settings.

摘要翻译： 主机拦截两个可执行文件之间的调用，并根据主机的可以识别的安全模型（例如基于用户身份的特定数据库用户上下文中将访问权限映射到数据库对象访问）来确定是否允许呼叫。 这种身份安全模型与公共语言运行时安全模型不同，托管代码使用代码访问安全性来防止托管程序集执行某些操作。 与主机注册的托管程序集是主机视角的主机对象，可以通过安全规则定义访问权限，例如为各个用户身份定义的对象。 主机可以基于主机的基于身份的访问规则来决定托管的可执行文件之间的访问，通过捕获任何交叉程序集调用，并根据相应的身份安全设置来确定这些呼叫是应该继续还是被阻止发生。

公开(公告)号：US07647629B2

公开(公告)日：2010-01-12

申请号：US10772205

申请日：2004-02-03

申请人： Christopher W. Brumme ,  Sebastian Lange ,  Gregory D. Fee ,  Michael Gashler ,  Mahesh Prakriya

发明人： Christopher W. Brumme ,  Sebastian Lange ,  Gregory D. Fee ,  Michael Gashler ,  Mahesh Prakriya

IPC分类号： G06F7/04 ,  G06F12/00 ,  G06F12/14 ,  G06F13/00 ,  G06F17/30 ,  G11C7/00

CPC分类号： G06F9/468

摘要： A host operating in a managed environment intercepts a call from a managed caller to a particular callee and determines whether the call is permissible according to the host's prior configuration of a plurality of callees. The particular callee, which provides access to a resource that the host can be protecting, can have been previously configured by the host to always allow the call to be made, to never allow the call to be made, or to allow the call to be made based upon the degree to which the host trusts the managed caller.

摘要翻译： 在受管环境中操作的主机拦截来自被管理的呼叫者到特定被叫方的呼叫，并根据主机先前配置多个被呼叫者确定该呼叫是否被允许。 提供对主机可以保护的资源的访问的特定被叫方可以先前由主机配置，以始终允许进行呼叫，从不允许进行呼叫，或允许呼叫成为 基于主机信任被管理的呼叫者的程度。

公开(公告)号：US07013469B2

公开(公告)日：2006-03-14

申请号：US11159851

申请日：2005-06-23

申请人： Adam W. Smith ,  Anthony J. Moore ,  Brian A. LaMacchia ,  Anders Hejlsberg ,  Brian M. Grunkemeyer ,  Caleb L. Doise ,  Christopher W. Brumme ,  Christopher L. Anderson ,  Corina E. Feuerstein ,  Craig T. Sinclair ,  Daniel Takacs ,  David S. Ebbo ,  David O. Driver ,  David S. Mortenson ,  Erik B. Christensen ,  Erik B. Olson ,  Fabio A. Yeon ,  Gopala Krishna R. Kakivaya ,  Gregory D. Fee ,  Hany E. Ramadan ,  Henry L. Sanders ,  Jayanth V. Rajan ,  Jeffrey M. Cooperstein ,  Jonathan C. Hawkins ,  James H. Hogg ,  Joe D. Long ,  John I. McConnell ,  Jesus Ruiz-Scougall ,  James S. Miller ,  Julie D. Bennett ,  Krzysztof J. Cwalina ,  Lance E. Olson ,  Loren M. Kohnfelder ,  Michael M. Magruder ,  Manish S. Prabhu ,  Radu Rares Palanca ,  Raja Krishnaswamy ,  Shawn P. Burke ,  Sean E. Trowbridge ,  Seth M. Demsey ,  Shajan Dasan ,  Stefan H. Pharies ,  Suzanne M. Cook ,  Tarun Anand ,  Travis J. Muhlestein ,  Yann E. Christensen ,  Yung-shin Lin ,  Ramasamy Krishnaswamy ,  Joseph Roxe ,  Alan Boshier ,  David Bau

发明人： Adam W. Smith ,  Anthony J. Moore ,  Brian A. LaMacchia ,  Anders Hejlsberg ,  Brian M. Grunkemeyer ,  Caleb L. Doise ,  Christopher W. Brumme ,  Christopher L. Anderson ,  Corina E. Feuerstein ,  Craig T. Sinclair ,  Daniel Takacs ,  David S. Ebbo ,  David O. Driver ,  David S. Mortenson ,  Erik B. Christensen ,  Erik B. Olson ,  Fabio A. Yeon ,  Gopala Krishna R. Kakivaya ,  Gregory D. Fee ,  Hany E. Ramadan ,  Henry L. Sanders ,  Jayanth V. Rajan ,  Jeffrey M. Cooperstein ,  Jonathan C. Hawkins ,  James H. Hogg ,  Joe D. Long ,  John I. McConnell ,  Jesus Ruiz-Scougall ,  James S. Miller ,  Julie D. Bennett ,  Krzysztof J. Cwalina ,  Lance E. Olson ,  Loren M. Kohnfelder ,  Michael M. Magruder ,  Manish S. Prabhu ,  Radu Rares Palanca ,  Raja Krishnaswamy ,  Shawn P. Burke ,  Sean E. Trowbridge ,  Seth M. Demsey ,  Shajan Dasan ,  Stefan H. Pharies ,  Suzanne M. Cook ,  Tarun Anand ,  Travis J. Muhlestein ,  Yann E. Christensen ,  Yung-shin Lin ,  Ramasamy Krishnaswamy ,  Joseph Roxe ,  Alan Boshier ,  David Bau

IPC分类号： G06F9/46

CPC分类号： G06F3/00 ,  G06F9/46 ,  G06F9/465 ,  G06F9/541 ,  G06F2209/463

摘要： An application program interface (API) provides a set of functions, including a set of base classes and types that are used in substantially all applications accessing the API, for application developers who build Web applications on Microsoft Corporation's .NET™ platform.

公开(公告)号：US07581231B2

公开(公告)日：2009-08-25

申请号：US10087027

申请日：2002-02-28

申请人： Adam W. Smith ,  Anthony J. Moore ,  Anders Hejlsberg ,  Brian A. LaMacchia ,  Blaine J. Dockter ,  Brian M. Grunkemeyer ,  Brian K. Pepin ,  Caleb L. Doise ,  Christopher W. Brumme ,  Chad W. Royal ,  Christopher L. Anderson ,  Corina E. Feuerstein ,  Craig T. Sinclair ,  Daniel Dedu-Constantin ,  Daniel Takacs ,  David S. Ebbo ,  David S. Mortenson ,  Erik B. Christensen ,  Erik B. Olson ,  Fabio A. Yeon ,  Giovanni M. Della-Libera ,  Gopala Krishna R. Kakivaya ,  Gregory D. Fee ,  Hany E. Ramadan ,  Jayanth V. Rajan ,  Jeffrey M. Cooperstein ,  Jonathan C. Hawkins ,  James H. Hogg ,  Joe D. Long ,  John I. McConnell ,  Jesus Ruiz-Scougall ,  James S. Miller ,  Julie D. Bennett ,  Jun Fang ,  Krzysztof J. Cwalina ,  Keith W. Ballinger ,  Lance E. Olson ,  Loren M. Kohnfelder ,  Luca Bolognese ,  Manu Vasandani ,  Mark T. Anders ,  Mark P. Ashton ,  Mark A. Boulter ,  Mark W. Fussell ,  Michael M. Magruder ,  Manish S. Prabhu ,  Neetu Rajpal ,  Nikhil Kothari ,  Nithyalakshmi Sampathkumar ,  Nicholas M. Kramer ,  Omri Gazitt ,  Radu Rares Palanca ,  Raja Krishnaswamy ,  Robert M. Howard ,  Ramasamy Krishnaswamy ,  Shawn P. Burke ,  Scott D. Guthrie ,  Sean E. Trowbridge ,  Seth M. Demsey ,  Shajan Dasan ,  Subhag P. Oak ,  Sreeram Nivarthi ,  Stefan H. Pharies ,  Suzanne M. Cook ,  Susan M. Warren ,  Tarun Anand ,  Travis J. Muhlestein ,  William A. Adams ,  Yan Leshinsky ,  Yann E. Christensen ,  Yung-shin Lin ,  Stephen J. Millet ,  Joseph Roxe ,  Alan Boshier ,  Henry L. Sanders ,  David Bau

发明人： Adam W. Smith ,  Anthony J. Moore ,  Anders Hejlsberg ,  Brian A. LaMacchia ,  Blaine J. Dockter ,  Brian M. Grunkemeyer ,  Brian K. Pepin ,  Caleb L. Doise ,  Christopher W. Brumme ,  Chad W. Royal ,  Christopher L. Anderson ,  Corina E. Feuerstein ,  Craig T. Sinclair ,  Daniel Dedu-Constantin ,  Daniel Takacs ,  David S. Ebbo ,  David S. Mortenson ,  Erik B. Christensen ,  Erik B. Olson ,  Fabio A. Yeon ,  Giovanni M. Della-Libera ,  Gopala Krishna R. Kakivaya ,  Gregory D. Fee ,  Hany E. Ramadan ,  Jayanth V. Rajan ,  Jeffrey M. Cooperstein ,  Jonathan C. Hawkins ,  James H. Hogg ,  Joe D. Long ,  John I. McConnell ,  Jesus Ruiz-Scougall ,  James S. Miller ,  Julie D. Bennett ,  Jun Fang ,  Krzysztof J. Cwalina ,  Keith W. Ballinger ,  Lance E. Olson ,  Loren M. Kohnfelder ,  Luca Bolognese ,  Manu Vasandani ,  Mark T. Anders ,  Mark P. Ashton ,  Mark A. Boulter ,  Mark W. Fussell ,  Michael M. Magruder ,  Manish S. Prabhu ,  Neetu Rajpal ,  Nikhil Kothari ,  Nithyalakshmi Sampathkumar ,  Nicholas M. Kramer ,  Omri Gazitt ,  Radu Rares Palanca ,  Raja Krishnaswamy ,  Robert M. Howard ,  Ramasamy Krishnaswamy ,  Shawn P. Burke ,  Scott D. Guthrie ,  Sean E. Trowbridge ,  Seth M. Demsey ,  Shajan Dasan ,  Subhag P. Oak ,  Sreeram Nivarthi ,  Stefan H. Pharies ,  Suzanne M. Cook ,  Susan M. Warren ,  Tarun Anand ,  Travis J. Muhlestein ,  William A. Adams ,  Yan Leshinsky ,  Yann E. Christensen ,  Yung-shin Lin ,  Stephen J. Millet ,  Joseph Roxe ,  Alan Boshier ,  Henry L. Sanders ,  David Bau

IPC分类号： G06F13/00 ,  G06F15/16 ,  G06F17/00 ,  G06F3/00

CPC分类号： G06F9/44

摘要： An application program interface (API) provides a set of functions for application developers who build Web applications on Microsoft Corporation's .NET™ platform.

摘要翻译： 应用程序接口（API）为在Microsoft Corporation的.NET（TM）平台上构建Web应用程序的应用程序开发人员提供了一组功能。

公开(公告)号：US07017162B2

公开(公告)日：2006-03-21

申请号：US09902811

申请日：2001-07-10

申请人： Adam W. Smith ,  Anthony J. Moore ,  Brian A. LaMacchia ,  Anders Hejlsberg ,  Brian M. Grunkemeyer ,  Caleb L. Doise ,  Christopher W. Brumme ,  Christopher L. Anderson ,  Corina E. Feuerstein ,  Craig T. Sinclair ,  Daniel Takacs ,  David S. Ebbo ,  David O. Driver ,  David S. Mortenson ,  Erik B. Christensen ,  Erik B. Olson ,  Fabio A. Yeon ,  Gopala Krishna R. Kakivaya ,  Gregory D. Fee ,  Hany E. Ramadan ,  Henry L. Sanders ,  Jayanth V. Rajan ,  Jeffrey M. Cooperstein ,  Jonathan C. Hawkins ,  James H. Hogg ,  Joe D. Long ,  John I. McConnell ,  Jesus Ruiz-Scougall ,  James S. Miller ,  Julie D. Bennett ,  Krzysztof J. Cwalina ,  Lance E. Olson ,  Loren M. Kohnfelder ,  Michael M. Magruder ,  Manish S. Prabhu ,  Radu Rares Palanca ,  Raja Krishnaswamy ,  Shawn P. Burke ,  Sean E. Trowbridge ,  Seth M. Demsey ,  Shajan Dasan ,  Stefan H. Pharies ,  Suzanne M. Cook ,  Tarun Anand ,  Travis J. Muhlestein ,  Yann E. Christensen ,  Yung-shin Lin ,  Ramasamy Krishnaswamy ,  Joseph Roxe ,  Alan Boshier ,  David Bau

发明人： Adam W. Smith ,  Anthony J. Moore ,  Brian A. LaMacchia ,  Anders Hejlsberg ,  Brian M. Grunkemeyer ,  Caleb L. Doise ,  Christopher W. Brumme ,  Christopher L. Anderson ,  Corina E. Feuerstein ,  Craig T. Sinclair ,  Daniel Takacs ,  David S. Ebbo ,  David O. Driver ,  David S. Mortenson ,  Erik B. Christensen ,  Erik B. Olson ,  Fabio A. Yeon ,  Gopala Krishna R. Kakivaya ,  Gregory D. Fee ,  Hany E. Ramadan ,  Henry L. Sanders ,  Jayanth V. Rajan ,  Jeffrey M. Cooperstein ,  Jonathan C. Hawkins ,  James H. Hogg ,  Joe D. Long ,  John I. McConnell ,  Jesus Ruiz-Scougall ,  James S. Miller ,  Julie D. Bennett ,  Krzysztof J. Cwalina ,  Lance E. Olson ,  Loren M. Kohnfelder ,  Michael M. Magruder ,  Manish S. Prabhu ,  Radu Rares Palanca ,  Raja Krishnaswamy ,  Shawn P. Burke ,  Sean E. Trowbridge ,  Seth M. Demsey ,  Shajan Dasan ,  Stefan H. Pharies ,  Suzanne M. Cook ,  Tarun Anand ,  Travis J. Muhlestein ,  Yann E. Christensen ,  Yung-shin Lin ,  Ramasamy Krishnaswamy ,  Joseph Roxe ,  Alan Boshier ,  David Bau

IPC分类号： G06F9/46

CPC分类号： G06F3/00 ,  G06F9/46 ,  G06F9/465 ,  G06F9/541 ,  G06F2209/463

摘要： An application program interface (API) provides a set of functions, including a set of base classes and types that are used in substantially all applications accessing the API, for application developers who build Web applications on Microsoft Corporation's .NET™ platform.

公开(公告)号：US07669238B2

公开(公告)日：2010-02-23

申请号：US10705756

申请日：2003-11-10

申请人： Gregory D. Fee ,  Aaron Goldfeder ,  John M. Hawkins ,  Jamie L. Cool ,  Sebastian Lange ,  Sergey Khorun

发明人： Gregory D. Fee ,  Aaron Goldfeder ,  John M. Hawkins ,  Jamie L. Cool ,  Sebastian Lange ,  Sergey Khorun

IPC分类号： H04L9/00

CPC分类号： G06F21/51 ,  G06F21/53

摘要： Evidence-based application security may be implemented at the application and/or application group levels. A manifest may be provided defining at least one trust condition for the application or application group. A policy manager evaluates application evidence (e.g., an XrML license) for an application or group of applications relative to the manifest. The application is only granted permissions on the computer system if the application evidence indicates that the application is trusted. Similarly, a group of applications are only granted permissions on the computer system if the evidence indicates that the group of applications is trusted. If the application evidence satisfies the at least one trust condition defined by the manifest, the policy manager generates a permission grant set for each code assembly that is a member of the at least one application. Evidence may be further evaluated for code assemblies that are members of the trusted application or application group.

摘要翻译： 基于证据的应用程序安全性可以在应用程序和/或应用程序组级别实现。 可以提供清单来为应用或应用组定义至少一个信任条件。 策略管理员针对相对于清单的应用程序或应用程序组来评估应用程序证据（例如，XrML许可证）。 如果应用程序的证据表明应用程序是可信任的，则该应用程序仅被授予计算机系统的权限。 类似地，如果证据表明应用程序组是可信任的，则一组应用程序仅被授予计算机系统的权限。 如果应用证据满足由清单定义的至少一个信任条件，则策略管理器为作为至少一个应用的成员的每个代码集合生成许可授权集合。 可以对作为可信应用程序或应用程序组成员的代码程序集进一步评估证据。

公开(公告)号：US07779460B2

公开(公告)日：2010-08-17

申请号：US11736295

申请日：2007-04-17

申请人： Gregory D. Fee ,  Brian Pratt ,  Sebastian Lange ,  Loren Kohnfelder

发明人： Gregory D. Fee ,  Brian Pratt ,  Sebastian Lange ,  Loren Kohnfelder

IPC分类号： G06F9/00 ,  G06F17/30

CPC分类号： G06F21/6218 ,  G06F21/6209 ,  G06F2221/2141

摘要： An evidence-based policy manager generates a permission grant set for a code assembly received from a resource location. The policy manager executes in a computer system (e.g., a Web client or server) in combination with the verification module and class loader of the run-time environment. The permission grant set generated for a code assembly is applied in the run-time call stack to help the system determine whether a given system operation by the code assembly is authorized. The policy manager may determine a subset of the permission grant set based on a subset of the received code assembly's evidence, in order to expedite processing of the code assembly. When the evidence subset does not yield the desired permission subset, the policy manager may then perform an evaluation of all evidence received.

摘要翻译： 基于证据的策略管理器为从资源位置接收到的代码集合生成许可授权集。 策略管理器与计算机系统（例如，Web客户端或服务器）结合运行时环境的验证模块和类加载器一起执行。 为代码组合生成的许可授权集合被应用于运行时调用堆栈中，以帮助系统确定代码组件的给定系统操作是否被授权。 策略管理器可以基于所接收的代码组件的证据的子集来确定许可授权集合的子集，以便加速代码组合的处理。 当证据子集不产生期望的许可子集时，策略管理器然后可以对所接收的所有证据进行评估。

公开(公告)号：US07207064B2

公开(公告)日：2007-04-17

申请号：US10162260

申请日：2002-06-05

申请人： Gregory D. Fee ,  Brian Pratt ,  Sebastian Lange ,  Loren Kohnfelder

发明人： Gregory D. Fee ,  Brian Pratt ,  Sebastian Lange ,  Loren Kohnfelder

IPC分类号： G06F19/00 ,  G06F7/04

CPC分类号： G06F21/6218 ,  G06F21/6209 ,  G06F2221/2141

摘要： An evidence-based policy manager generates a permission grant set for a code assembly received from a resource location. The policy manager executes in a computer system (e.g., a Web client or server) in combination with the verification module and class loader of the run-time environment. The permission grant set generated for a code assembly is applied in the run-time call stack to help the system determine whether a given system operation by the code assembly is authorized. The policy manager may determine a subset of the permission grant set based on a subset of the received code assembly's evidence, in order to expedite processing of the code assembly. When the evidence subset does not yield the desired permission subset, the policy manager may then perform an evaluation of all evidence received.

摘要翻译： 基于证据的策略管理器为从资源位置接收到的代码集合生成许可授权集。 策略管理器与计算机系统（例如，Web客户端或服务器）结合运行时环境的验证模块和类加载器一起执行。 为代码组合生成的许可授权集合被应用于运行时调用堆栈中，以帮助系统确定代码组件的给定系统操作是否被授权。 策略管理器可以基于所接收的代码组件的证据的子集来确定许可授权集合的子集，以便加速代码组合的处理。 当证据子集不产生期望的许可子集时，策略管理器然后可以对所接收的所有证据进行评估。

公开(公告)号：US07743423B2

公开(公告)日：2010-06-22

申请号：US10772207

申请日：2004-02-03

申请人： Sebastian Lange ,  Gregory D. Fee ,  Aaron Goldfeder ,  Ivan Medvedev ,  Michael Gashler

发明人： Sebastian Lange ,  Gregory D. Fee ,  Aaron Goldfeder ,  Ivan Medvedev ,  Michael Gashler

IPC分类号： H04N7/16 ,  G06F17/00 ,  G06F11/30 ,  G06F9/44

CPC分类号： G06F21/53

摘要： All execution paths of one or more assemblies in managed code are simulated to find the permissions for each execution path. The managed code can correspond to a managed shared library or a managed application. Each call in each execution path has a corresponding permissions set. When the library or application has permissions to execute that are not less than the required permission sets for the execution paths, any dynamic execution of the library or application will not trigger a security exception The simulated execution provides a tool that can be used to ensure that code being written will not exceed a maximum security permission for the code. A permission set can be determined by the tool for each assembly corresponding to an application and for each entry point corresponding to a shared library.

摘要翻译： 托管代码中的一个或多个程序集的所有执行路径都被模拟，以查找每个执行路径的权限。 托管代码可以对应于托管共享库或托管应用程序。 每个执行路径中的每个调用都具有相应的权限集。 当库或应用程序具有不少于执行路径所需权限集的执行权限时，库或应用程序的任何动态执行都不会触发安全异常。模拟执行提供了一种可用于确保 正在编写的代码不会超过代码的最大安全许可。 对于与应用程序对应的每个程序集以及对应于共享库的每个入口点，工具可以确定权限集。

公开(公告)号：US08607311B2

公开(公告)日：2013-12-10

申请号：US11962761

申请日：2007-12-21

申请人： Moritz Y. Becker ,  Blair B. Dillaway ,  Gregory D. Fee ,  John M. Leen ,  Jason F. Mackay

发明人： Moritz Y. Becker ,  Blair B. Dillaway ,  Gregory D. Fee ,  John M. Leen ,  Jason F. Mackay

IPC分类号： G06F7/04 ,  G06F17/30 ,  G06F12/00 ,  H04L29/06

CPC分类号： G06F21/6218

摘要： Access to a resource may be controlled by a policy, such that a request to access the resource is either granted or denied based on what assertions have been made by various principals. To find the assertions that support a grant of access to the resource, a template may be created that defines the nature of assertions that would cause access to succeed. Assertions may be stored in the form of tokens. The template may be used to search an existing token store to find assertions that have been made, and/or to generate assertions that have not been found in the token store and that would satisfy the template. The assertions in the template may be created by performing an abductive reasoning process on an access query.

摘要翻译： 可以通过策略来控制对资源的访问，使得根据各个主体所做的断言来授予或拒绝访问资源的请求。 要查找支持资源访问权限的断言，可以创建一个模板，该模板定义了导致访问成功的断言的性质。 断言可以以令牌的形式存储。 该模板可以用于搜索现有的令牌存储以找到已经做出的断言和/或生成在令牌存储器中尚未发现并且将满足模板的断言。 可以通过在访问查询上执行引用推理过程来创建模板中的断言。