Abstract:
An improved computer network security system and method wherein access to network resources is based on information that includes the location of the connecting user. In general, the less trusted the location of the user, the more the access rights assigned to the user are restricted. A discrimination mechanism and process determines the location of a user with respect to categories of a security policy, such as to distinguish local users, intranet users and dial-up users from one another. Based on information including the location and the user's credentials, an access token is set up that may restrict the user's normal access in accordance with the security policy, such as to not restrict a user's processes beyond the user-based security information in the user's normal access token, while further restricting the same user's access to resources when connecting via a dial-up connection. Restricted tokens are preferably used to implement the location-based discrimination by restricting the security context of users connecting from less trusted locations.
Abstract:
A restricted access token is created from an existing token, and provides less access than that token. A restricted token may be created by changing an attribute of one or more security identifiers allowing access in the parent token to a setting that denies access in the restricted token and/or removing one or more privileges from the restricted token relative to the parent token. A restricted access token also may be created by adding restricted security identifiers thereto. Once created, a process associates another process with the restricted token to launch the other process in a restricted context that is a subset of its own rights and privileges. A kernel-mode security mechanism determines whether the restricted process has access to a resource by first comparing user-based security identifiers in the restricted token and the intended type of action against a list of identifiers and actions associated with the resource. If no restricted security identifiers are in the restricted token, access is determined by this first check, otherwise a second access check further compares the restricted security identifiers against the list of identifiers and actions associated with the resource. With a token having restricted security identifiers, the process is granted access if both the first and second access checks pass. In this manner, a process is capable of restricting another process, such as possibly unruly code, in the actions it can perform.
Abstract:
A method and mechanism for interprocess communication between a thread of a client application and a thread of a server application. The mechanism includes a server listening thread and a client listening thread. The client thread sends a request to a server listening thread, and the server listening thread places the request in a message queue associated with the server thread. The request is received at the server thread and dispatched to a remote procedure for processing. Reply data received back from the remote procedure is sent to the client listening thread. The client listening thread notifies the client thread when the reply is received and gives the reply to the client thread.
Abstract:
A method and system for delayed registration of a remote protocol for communicating between a client computer system and a server computer system. The server computer system has a communications process that registers a plurality of protocols. When the client process needs to communicate with the server process, it sends a request to the communications process along with an indication of the protocols that it supports. The communications process selects a protocol that is supported by both the client computer system and the server computer system and directs the server process to register that protocol. The communications process provides the server endpoint for that protocol to the client process, which can then communicate directly with the server process.
Abstract:
Restricted execution contexts are provided for untrusted content, such as computer code or other data downloaded from websites, electronic mail messages and any attachments thereto, and scripts or client processes run on a server. A restricted process is set up for the untrusted content, and any actions attempted by the content are subject to the restrictions of the process, which may be based on various criteria. Whenever a process attempts to access a resource, a token associated with that process is compared against security information of that resource to determine if the type of access is allowed. The security information of each resource thus determines the extent to which the restricted process, and thus the untrusted content, has access. In general, the criteria used for setting up restrictions for each untrusted content's process is information indicative of how trusted or untrusted the content is likely to be.
Abstract:
A method and mechanism for efficiently handling connections in a computer system between client sockets and data sockets of a server. The server includes a receive-any thread having a socket mask associated therewith to listen for new connection requests and for activity on data sockets handled thereby. The server further includes receive-direct threads associated with at least some of the data sockets for handling data communication. When a receive-direct connection has no activity for a period of time, the connection is migrated to a receive-any connection. When a receive-any connection becomes active, the connection is migrated to a receive-direct connection if a receive-direct thread is available.
Abstract:
Updates for an enterprise's software product are made available to user devices on-line, even when network resources of the enterprise are unavailable. Software update sets and notifications concerning the update sets may be published by an enterprise for consumption by content distribution partners of the enterprise and parties not affiliated with the enterprise. Each abstraction relating to an update, including update notifications and update sets, may include a cryptographic signature for later use in authenticating the source of the abstraction. Update notifications also may include information indicative of: available update sets; and network locations at which the update sets can be accessed. Further, an update notification may be configured with a time-to-live (TTL) value indicating a value of time after which the notification expires. TTL values give the enterprise some control over the distribution of update sets by limiting the lifespan of the update notifications corresponding to the update sets.
Abstract:
Described is a technology by which encrypted content is pre-distributed to recipients during a pre-distribution timeframe, for example to distribute protected content to many clients in a controlled manner. At a release moment, a key for decrypting the encrypted content is released. For example, a software update may be pre-distributed in this manner, whereby many clients may receive the updates over time but the update cannot be analyzed for hacking purposes, e.g., to use the update to figure out a prior vulnerability. By rapidly and widely disseminating the key at the release moment, the update is installed on a large percentage of client systems before those systems can be exploited. The content may be allowed to expire before the key is released, or may be canceled or replaced. The content may include a complete file, and/or a delta file that changes another file into a resultant piece of content.
Abstract:
A method and system for providing system event notifications to clients such as applications. Clients register for notification of one or more types of events with a registration mechanism, and a System Event Notification Service (SENS) receives system event information and fires event notifications in response thereto. A distribution mechanism selectively communicates the fired event to each client registered for notification thereof based on the type of event. Events include network events, for which the service monitors the connectivity state of the machine, including whether a connection is established or lost, the type of connection (LAN/WAN) and bandwidth information. To monitor a LAN state, the service caches outgoing and incoming network information including errors and packet counts and statistically evaluates this cached information against current information to determine whether the connection is established or lost. The service also determines if a destination (IP address or name) is reachable, by periodically polling destinations. Other system event notifications may be fired, including logon or logoff operations and power management events.