Memory bound functions for spam deterrence and the like
    1.
    发明授权
    Memory bound functions for spam deterrence and the like 有权
    用于垃圾邮件威慑的内存绑定功能等

    公开(公告)号:US07149801B2

    公开(公告)日:2006-12-12

    申请号:US10290879

    申请日:2002-11-08

    IPC分类号: G06F15/173 H04K1/00

    CPC分类号: H04L63/126 H04L51/12

    摘要: A resource may be abused if its users incur little or no cost. For example, e-mail abuse is rampant because sending an e-mail has negligible cost for the sender. Such abuse may be discouraged by introducing an artificial cost in the form of a moderately expensive computation. Thus, the sender of an e-mail might be required to pay by computing for a few seconds before the e-mail is accepted. Unfortunately, because of sharp disparities across computer systems, this approach may be ineffective against malicious users with high-end systems, prohibitively slow for legitimate users with low-end systems, or both. Starting from this observation, we identify moderately hard, memory bound functions that most recent computer systems will evaluate at about the same speed, and we explain how to use them for protecting against abuses.

    摘要翻译: 如果用户投入很少或没有成本,资源可能会被滥用。 例如,电子邮件滥用是猖獗的,因为发送电子邮件对发件人的成本可以忽略不计。 通过以中等昂贵的计算的形式引入人造成本,可能不鼓励这种滥用。 因此,电子邮件的发件人可能需要在电子邮件被接受之前几秒计算才能付款。 不幸的是,由于计算机系统之间的差异很大,对于具有高端系统的恶意用户来说,这种方法可能无效,对于具有低端系统的合法用户或者两者都是非常缓慢的。 从这个观察开始,我们确定了最近的计算机系统以相同的速度评估的适度硬的记忆绑定功能,我们解释如何使用它们来防止滥用。

    Access control subsystem and method for distributed computer system
using compound principals
    2.
    发明授权
    Access control subsystem and method for distributed computer system using compound principals 失效
    使用复合主体的分布式计算机系统的访问控制子系统和方法

    公开(公告)号:US5173939A

    公开(公告)日:1992-12-22

    申请号:US783361

    申请日:1991-10-28

    IPC分类号: G06F9/46

    CPC分类号: G06F9/468 Y10S707/99939

    摘要: A distributed computer system has a number of computers coupled thereto at distinct nodes and a naming service with a membership table that defines a list of assumptions concerning which principals in the system are stronger than other principals, and which roles adopted by principals are stronger than other roles. Each object in the system has an access control list (ACL) having a list of entries. Each entry is either a simple principal or a compound principal. The set of allowed compound principals is limited to a predefined set of allowed combinations of simple principals, roles, delegations and conjunctions in accordance with a defined hierarchical ordering of the conjunction, delegation and role portions of each compound principal. The assumptions in the membership table reduce the number of entries needed in an ACL by allowing an entry to state only the weakest principals and roles that are to be allowed access. The reference checking process, handled by a reference monitor found at each node of the distributed system, grants an access request if the requestor is stronger than any one of the entries in the access control list for the resource requested. Furthermore, one entry is stronger than another entry if for each of the conjuncts in the latter entry there is a stronger conjunct in the former. Additional rules used by the reference monitor during the reference checking process govern the processes of comparing conjuncts in a requestor principal with the conjuncts in an access control list entry and of using assumptions to compare the relative strengths of principals and roles.

    摘要翻译: 分布式计算机系统具有多个与不同节点耦合的计算机,以及具有会员表的命名服务,该成员表定义了系统中哪些主体比其他主体更强的假设列表,以及由主体采用的角色比其他主体更强 角色。 系统中的每个对象都具有一个具有条目列表的访问控制列表(ACL)。 每个条目都是简单的主体或复合主体。 允许的复合主体的集合被限制为根据每个复合主体的连接,委派和角色部分的定义的分级顺序的简单主体,角色,委托和连接的允许的组合的预定义集合。 成员资格表中的假设通过允许条目仅指定允许访问的最弱主体和角色来减少ACL中所需的条目数。 如果请求者比所请求的资源的访问控制列表中的任何一个条目更强,由在分布式系统的每个节点处发现的参考监视器处理的参考检查过程就会授予访问请求。 此外,如果对于前一个条目中的每个连词都有一个更强的连接,则一个条目比另一个条目更强。 引用检查过程中参考监视器使用的附加规则管理将请求方主体中的连接与访问控制列表条目中的连接进行比较的过程,以及使用假设来比较主体和角色的相对强度。

    Secure web tunnel
    4.
    发明授权
    Secure web tunnel 失效
    安全的网络隧道

    公开(公告)号:US5805803A

    公开(公告)日:1998-09-08

    申请号:US855025

    申请日:1997-05-13

    IPC分类号: H04L29/06 G06F13/14

    摘要: In a computer implemented method, a client computer connected to a public network such as the Internet makes a request for an intranet resource to a tunnel of a firewall isolating the intranet from the Internet. The request is made in a public message. The tunnel sends a message to the client computer to redirect to a proxy server of the tunnel. The client computer send a token and the request for the resource the proxy server. If the token is valid, the request is forwarded to the intranet, otherwise, the user of the client computer must first be authenticated.

    摘要翻译: 在计算机实现的方法中,连接到公共网络(例如因特网)的客户端计算机向内部网络与因特网隔离的防火墙的隧道请求内部网资源。 请求是在公开消息中发出的。 隧道向客户端计算机发送消息以重定向到隧道的代理服务器。 客户端计算机向代理服务器发送令牌和资源请求。 如果令牌有效,请求将转发到内部网,否则客户端计算机的用户必须首先被认证。

    Systems and methods for pattern matching on principal names to control access to computing resources
    6.
    发明授权
    Systems and methods for pattern matching on principal names to control access to computing resources 有权
    用于主体名称上的模式匹配的系统和方法,以控制对计算资源的访问

    公开(公告)号:US07716734B2

    公开(公告)日:2010-05-11

    申请号:US11133806

    申请日:2005-05-19

    IPC分类号: G06F7/04 G06F21/00

    CPC分类号: G06F21/6218

    摘要: Systems and methods are provided for resource access control in computer systems. Our approach includes new techniques for composing and authenticating principals in an access control system. Our principals may comprise information that identifies the role of the user of a computer system, the mechanism by which the user was authenticated, and program execution history. Thus, when a principal makes a request, access control determinations can be made based on the principal's identity. Access control lists may provide patterns that are used to recognize principals, thereby ensuring a level of security without enumerating precise identifiers for all of the possible principles that may request a particular resource.

    摘要翻译: 为计算机系统中的资源访问控制提供了系统和方法。 我们的方法包括在访问控制系统中组合和验证主体的新技术。 我们的主体可以包括识别计算机系统的用户的角色,用户被认证的机制以及程序执行历史的信息。 因此,当委托人发出请求时,可以基于主体的身份进行访问控制确定。 访问控制列表可以提供用于识别主体的模式,从而确保安全级别,而不需要列举可能请求特定资源的所有可能原则的精确标识符。

    Access-control permissions with inter-process message-based communications
    7.
    发明授权
    Access-control permissions with inter-process message-based communications 有权
    基于进程间消息通信的访问控制权限

    公开(公告)号:US07865934B2

    公开(公告)日:2011-01-04

    申请号:US11419145

    申请日:2006-05-18

    IPC分类号: H04L29/00

    CPC分类号: G06F21/6281

    摘要: Described herein are one or more implementations that facilitate message-passing over a communication conduit between software processes in a computing environment. More particularly, the implementations described restrict access of one process to another via messages passed over a particular conduit connecting the processes and the access-control restrictions are defined by a contract associated with that particular conduit.

    摘要翻译: 这里描述了一种或多种实现,其便于在计算环境中的软件进程之间通过通信导线进行消息传递。 更具体地,所描述的实施方式通过在连接过程的特定管道上传递的消息来限制一个进程的访问,并且访问控制限制由与该特定管道相关联的合同定义。

    Access control policy in a weakly-coherent distributed collection
    8.
    发明授权
    Access control policy in a weakly-coherent distributed collection 有权
    访问控制策略在弱连贯的分布式集合中

    公开(公告)号:US08505065B2

    公开(公告)日:2013-08-06

    申请号:US11765886

    申请日:2007-06-20

    IPC分类号: G06F17/00 H04L29/06

    摘要: A system is disclosed for creating and implementing an access control policy framework in a weakly coherent distributed collection. A collection manager may sign certificates forming equivalence classes of replicas that share a specific authority. The collection manager and/or certain privileged replicas may issue certificates that delegate authority for control of item policy and replica policy. Further certificates may be signed that create one or more items, set policy for these one or more items, and define a set of operations authorized on the one or more items. The certificates issued according to the present system for creating and implementing a control policy framework cannot be modified or simply overridden. Once a policy certificate is issued, it may only be revoked by the collection manager or by a replica having revocation authority.

    摘要翻译: 公开了一种用于在弱相关分布式集合中创建和实现访问控制策略框架的系统。 收集管理员可以签署形成共享特定权限的副本的等价类的证书。 收集管理员和/或某些特权副本可能会颁发授权来管理项目策略和副本策略的证书。 可以签署创建一个或多个项目的其他证书,为这些一个或多个项目设置策略,并且定义一个或多个项目授权的一组操作。 根据本制度制定的颁发和实施控制政策框架的证书不能修改或简单地覆盖。 颁发政策证书后,只能由收款经理或具有撤销授权的副本撤销。

    ACCESS CONTROL BASED ON PROGRAM PROPERTIES
    10.
    发明申请
    ACCESS CONTROL BASED ON PROGRAM PROPERTIES 有权
    基于程序属性的访问控制

    公开(公告)号:US20080282354A1

    公开(公告)日:2008-11-13

    申请号:US11745048

    申请日:2007-05-07

    IPC分类号: H04L9/00

    CPC分类号: H04L63/101 G06F21/6218

    摘要: A pattern matching access control system determines whether a principal should be granted access to use a resource based on properties of applications comprised by the principal. The principal name may be created when an application is loaded, invokes other applications (or programs) and/or assumes a new role context. Access is provided based on whether, for each application, the publisher is authorized by system policy to grant privilege as requested by the application. When a resource which requires the privilege is requested by a principal, an access control list (ACL) for the resource is expanded with a list of applications that have been authorized through their publisher to assert the privilege. The expanded ACL is compared to the principal name to determine resource access.

    摘要翻译: 模式匹配访问控制系统基于主体的应用程序的属性确定是否应授予主体访问权限以使用资源。 可以在应用程序加载时调用主体名称,调用其他应用程序(或程序)和/或假定新的角色上下文。 访问是基于每个应用程序,发布者是否被系统策略授权以根据应用程序请求授予特权来提供访问。 当一个委托人请求一个需要该权限的资源时,该资源的访问控制列表(ACL)会被扩展,并通过其发布者授权的应用程序列表来声明该权限。 将扩展的ACL与主体名称进行比较以确定资源访问。