公开(公告)号：WO2014066186A1

公开(公告)日：2014-05-01

申请号：PCT/US2013/065759

申请日：2013-10-18

Applicant: MICROSOFT CORPORATION

Inventor： KULKARNI, Amit Raghunath ,  GLAESKE, Brian Russell ,  JOHRI, Vijeta ,  NALLA, Amar ,  DESAI, Pramit H. ,  DUTTA, Tanmoy

IPC: G06F17/30

CPC classification number: G06F17/30389

Abstract: A search system, separate from a relational database, generates an index of information in the relational database that can be used to look up business records (or entities). A search system, that is also separate from the relational database, receives typing or other character inputs in a search user input mechanism and generates queries against the index based on the typing inputs, or other character inputs, received. The search system returns results and modifies those results as additional typing inputs, or characters, are received.

Abstract translation: 与关系数据库分离的搜索系统生成可用于查找业务记录（或实体）的关系数据库中的信息索引。 搜索系统也与关系数据库分离，在搜索用户输入机制中接收打字或其他字符输入，并根据接收的打字输入或其他字符输入生成针对索引的查询。 搜索系统返回结果并修改这些结果，因为接收到其他打字输入或字符。

公开(公告)号：WO2008030717A1

公开(公告)日：2008-03-13

申请号：PCT/US2007/076758

申请日：2007-08-24

Applicant: MICROSOFT CORPORATION

Inventor： CRISTOFOR, Elena, Daniela ,  CRISTOFOR, Laurentiu, Bogdan ,  DUTTA, Tanmoy ,  GARCIA, Raul ,  HSUEH, Sung, L.

IPC: G06F17/30

CPC classification number: G06F17/30312 ,  G06F21/606 ,  G06F21/6245 ,  H04L9/3236

Abstract: An indexing value may be determined, transparently with respect to a requester, based on a desired plaintext item of data and a cryptographic key. The indexing value may be used to access an entry in an indexing structure to obtain a corresponding database entry which includes a non-deterministically encrypted ciphertext item. In another embodiment, an indexing structure for a database may be accessed. Positions of items of the indexing structure may be based on corresponding plaintext items. References related to the corresponding plaintext items in the indexing structure may be encrypted and other information in the indexing structure may be unencrypted. A portion of the indexing structure may be loaded into a memory and at least one of the encrypted references related to one of the plaintext items may be decrypted. The decrypted reference may be used to access a corresponding non-deterministically encrypted data item from the database.

Abstract translation: 基于期望的明文数据项和加密密钥，可以相对于请求者透明地确定索引值。 索引值可以用于访问索引结构中的条目以获得包括非确定性加密的密文项目的相应数据库条目。 在另一个实施例中，可以访问用于数据库的索引结构。 索引结构的项目的位置可以基于相应的明文项目。 与索引结构中的相应明文项相关的引用可以被加密，并且索引结构中的其他信息可以是未加密的。 索引结构的一部分可以被加载到存储器中，并且与一个明文项目相关的加密引用中的至少一个可以被解密。 解密的引用可以用于从数据库访问相应的非确定性加密的数据项。

公开(公告)号：WO2006118662A2

公开(公告)日：2006-11-09

申请号：PCT/US2006/008416

申请日：2006-03-09

Applicant: MICROSOFT CORPORATION

Inventor： LI, Ziquan ,  DUTTA, Tanmoy

IPC: G06F17/30 ,  G06F7/00

CPC classification number: G06F21/6227

Abstract: The subject invention relates to systems and methods that provide region- based security to database objects having hierarchical relationships. In one aspect, a system is provided that facilitates database security and management. The system includes a database component that stores a plurality of objects having a hierarchical relationship between the objects. A region component defines security zones for a subset of the objects and maps security data to the subset, wherein the security zones are independent, decoupled, or disassociated from the hierarchical relationships between the objects.

Abstract translation: 本发明涉及向具有分层关系的数据库对象提供基于区域的安全性的系统和方法。 在一个方面，提供了一种便于数据库安全和管理的系统。 该系统包括存储具有对象之间的分层关系的多个对象的数据库组件。 区域组件定义对象的子集的安全区域，并将安全数据映射到子集，其中，安全区域与对象之间的分层关系是独立的，去耦合的或与之关联的。

公开(公告)号：WO2014193869A1

公开(公告)日：2014-12-04

申请号：PCT/US2014/039643

申请日：2014-05-28

Applicant: MICROSOFT CORPORATION

Inventor： VILLADSEN, Peter ,  PLANCARTE, Gustavo ,  DUTTA, Tanmoy

IPC: G06F9/45

CPC classification number: G06F8/41 ,  G06F8/427 ,  G06F8/437 ,  G06F8/451

Abstract: Abstract Syntax Trees (ASTs) are generated using the source code of a programming language that include information relating to the structure of the program. The generation of the ASTs may be performed in parallel. The types are split into a number of modules (e.g. configurable) that form an assembly. During the different stages of the compilation process, each module may be compiled in parallel. As the different modules are being compiled (e.g. in parallel), compiler metadata from the different modules may be written to a repository accessible by the different compilation processes. After flowing through the compilation pipeline, each of the enriched ASTs are used for code generation where they are transformed into the target language (e.g. a code stream that can be executed on hardware). The executable code is then stored as part of the assembly. The storage of the code may also be performed in parallel.

Abstract translation: 抽象语法树（AST）是使用包含与程序结构有关的信息的编程语言的源代码生成的。 AST的产生可以并行执行。 这些类型被分成多个形成组件的模块（例如可配置的）。 在编译过程的不同阶段，每个模块可以并行编译。 由于正在编译不同的模块（例如并行），来自不同模块的编译器元数据可被写入可由不同编译过程访问的存储库。 在流经编译流水线之后，每个富集的AST用于代码生成，在那里它们被转换成目标语言（例如，可以在硬件上执行的代码流）。 然后，可执行代码作为程序集的一部分存储。 代码的存储也可以并行执行。

公开(公告)号：WO2008118602A1

公开(公告)日：2008-10-02

申请号：PCT/US2008/055240

申请日：2008-02-28

Applicant: MICROSOFT CORPORATION

Inventor： BAKER, Arthur H. ,  GUARRACI, Brian J. ,  TUCKER, Andrew Stewart ,  MEDVINSKY, Gennady ,  DUTTA, Tanmoy

IPC: G06F21/04 ,  H04L9/14

CPC classification number: G06F21/31 ,  H04L9/32

Abstract: A computer related security mechanism requires that a human participate in an access verification sequence. Upon a request to access secure data, a puzzle is provided to the requester. Proper solution of the puzzle requires human participation. The puzzle is chosen such that its solution is within the capabilities of a human, but beyond the current state of the art for computer systems. The puzzled can be visually and/or audibly rendered to the user. In one configuration, the puzzle is obtained via a library of pluggable puzzle generators. Puzzle generators in the library can be replaced as the state of the art of computing technology improves.

Abstract translation: 计算机相关的安全机制要求人们参与访问验证序列。 在请求访问安全数据时，向请求者提供了一个难题。 拼图的正确解决需要人类参与。 这个难题被选中，使得它的解决方案在人类的能力范围之内，但超出了现有的计算机系统的现状。 困惑的可以视觉和/或听觉地呈现给用户。 在一个配置中，拼图通过可插拔拼图发生器库获得。 随着计算技术的先进水平的提高，图书馆中的拼图发生器可以被替换。

公开(公告)号：WO2008091715A1

公开(公告)日：2008-07-31

申请号：PCT/US2008/050042

申请日：2008-01-02

Applicant: MICROSOFT CORPORATION

Inventor： CROSS, David, B. ,  NATH, Satyajit ,  LI, George, Z. ,  DUTTA, Tanmoy ,  GOTTUMUKKALA, Sunil

IPC: G06F19/00

CPC classification number: G06F21/6218

Abstract: One or more labels are associated with a data object. One or more policies are associated with each of the labels. Based on the labels associated with the data objects, the associated policies are dispatched to policy decision engines to take one or more actions to enforce the policy. The labels, and the policies associated with the labels, are chosen by a business administrator within an enterprise, and are implemented by an Information Technology (IT) administrator. The association between labels and polices allows the policy to be applied to an object to be decoupled from the characterization of the nature of the object, or its purpose and/or role within an enterprise, business purpose and/or context of the object. Examples of policies are: access, backup, retention, isolation, audit, etc.

Abstract translation: 一个或多个标签与数据对象相关联。 一个或多个策略与每个标签相关联。 基于与数据对象相关联的标签，相关联的策略被分派到策略决策引擎，以采取一个或多个动作来执行策略。 标签和与标签相关联的策略由企业内的业务管理员选择，并由信息技术（IT）管理员实现。 标签和策略之间的关联允许将策略应用于要从对象的性质的表征或其在企业内的目的和/或作用，业务目的和/或对象的上下文中去脱离的对象。 策略的例子有：访问，备份，保留，隔离，审核等。

公开(公告)号：WO2008048748A1

公开(公告)日：2008-04-24

申请号：PCT/US2007/077659

申请日：2007-09-05

Applicant: MICROSOFT CORPORATION

Inventor： DUTTA, Tanmoy ,  GARCIA, Raul

IPC: G06F17/30

CPC classification number: G06F17/30483 ,  G06F21/6227 ,  G06F2221/2145

Abstract: A requester may request a ranged lookup operation with respect to an encrypted column of a database. An indexing structure may be used to perform the ranged lookup operation. The indexing structure may include multiple entries. Each of the entries of the indexing structure may include an index value and retrieval information for retrieving a corresponding row of the database. The index value of each entry may correspond to a respective decrypted data item from the encrypted column of the database, which was transformed by a transformation function such that the transformed decrypted data item may reveal less information than the decrypted data item before being transformed by the transformation function. When the respective index value of one of the entries of the indexing structure satisfies the received ranged lookup request, the respective retrieval information may be used to retrieve a corresponding row of data from the database.

Abstract translation: 请求者可以针对数据库的加密列请求范围查找操作。 可以使用索引结构来执行范围查找操作。 索引结构可以包括多个条目。 索引结构的每个条目可以包括用于检索数据库的相应行的索引值和检索信息。 每个条目的索引值可以对应于来自数据库的加密列的相应的解密数据项，其由变换函数变换，使得变换的解密数据项可以在被解密的数据项转换之前显示比解密的数据项更少的信息 转换功能。 当索引结构中的一个条目的相应索引值满足接收的范围查找请求时，可以使用相应的检索信息来从数据库检索相应的数据行。

公开(公告)号：WO2005103879A2

公开(公告)日：2005-11-03

申请号：PCT/US2004/024161

申请日：2004-07-26

Applicant: MICROSOFT CORPORATION ,  DUTTA, Tanmoy ,  CUNNINGHAM, Conor ,  STEFANI, Stefano ,  CHANDER, Girish ,  HANSON, Eric N.

Inventor： DUTTA, Tanmoy ,  CUNNINGHAM, Conor ,  STEFANI, Stefano ,  CHANDER, Girish ,  HANSON, Eric N.

IPC: G06F7/00

CPC classification number: G06F21/6227 ,  G06F17/30306 ,  Y10S707/99932 ,  Y10S707/99933 ,  Y10S707/99934 ,  Y10S707/99939

Abstract: A system and method for facilitating secure access to database(s) is provided. The system relates to authorizing discriminatory access to relational database data. More particularly, the invention provides for an innovative technique of defining secured access to rows in relational database tables in a way that cannot be spoofed while preserving various optimization techniques. The invention affords a persistent scheme via providing for a security architecture whereby discriminatory access policies on persistent entities can be defined and enforced while preserving set based associative query capabilities. A particular aspect of the invention relates to the specification of such policies and the technique by which those policies are enforced. With respect to one particular implementation of the invention, creation, modification and deletion of access control lists called security descriptors is provided. The security descriptors can be provisioned independent of rows in tables of the database and can be shared and embody the policy on what permissions are granted to whom when associated with a row.

Abstract translation: 提供了一种用于促进对数据库的安全访问的系统和方法。 该系统涉及授权对关系数据库数据的歧视性访问。 更具体地，本发明提供了一种创新技术，其以不能欺骗的方式定义对关系数据库表中的行的安全访问，同时保持各种优化技术。 本发明通过提供一种安全架构来提供持久性方案，从而可以在保持基于集合的关联查询能力的同时定义和实施持久性实体上的歧视性访问策略。 本发明的一个特定方面涉及这些策略的说明以及执行这些策略的技术。 关于本发明的一个具体实现，提供了称为安全描述符的访问控制列表的创建，修改和删除。 安全描述符可以独立于数据库表中的行进行配置，并且可以共享，并且包含与哪些权限相关联的权限被授予谁的策略。