Security model using restricted tokens

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer

Reexamination Certificate


Details

Classification: C713S159000, C713S172000
Document type: Reexamination Certificate
Status: active
Patent number: 06279111

ABSTRACT:

FIELD OF THE INVENTION
The invention relates generally to computer systems, and more particularly to an improved security model for computer systems.
BACKGROUND OF THE INVENTION
Historically, executable content could only be installed on a computer system by physically bringing magnetic media to the computer and having someone with administrative privileges install it. At present, however, the Internet has made it very easy and popular for ordinary computer users to download executable content such as ActiveX controls, programs, and scripts. In many cases, executable content may be downloaded and executed via the Internet without the user even realizing that such an event took place.
Unfortunately, such executable content is often unruly, e.g., it may be malicious and intentionally destroy data on the client machine, error-prone and cause the client machine to crash, or well-intentioned but careless and divulge confidential information about the client. Although these types of computer problems have previously existed in the form of “viruses” and “trojans,” the ubiquitous presence of World Wide Web has made these problems widespread, and in some cases out of control. In general, client operating environments are not adequately protected against unruly code.
Some operating systems already have an existing security mechanism that limits what non-privileged users may do. For example, the security system built into the Windows NT operating system controls access to resources based on the identities of users. When a Windows NT process wishes to access a resource to perform some action, the security mechanism in Windows NT compares a client's user and group IDs and privileges associated with that process against security information assigned to that resource to grant or deny access to the resource. In this manner, unauthorized users are prevented from accessing resources and potentially causing harm, while authorized users may be limited in the actions they are allowed to perform.
However, at present, when a user process has the appropriate rights or privileges to access a resource, the process, which may include executable content that is unruly, may access the resource with undesirable results. For example, a Windows NT user having appropriate credentials may download and execute unruly code, whereby any or all of the above-described adverse consequences may result. Other security models have similar and other drawbacks that make them vulnerable to the same problems.
SUMMARY OF THE INVENTION
Briefly, the present invention provides restricted access tokens, each of which is a modified, restricted version of an access token created from an existing (parent) token. A restricted token has less access than the parent token from which it is copied, and may be created by changing an attribute of one or more security identifiers that allow access in the parent token to a setting under which those identifiers can no longer be used to allow access in the restricted token, and/or by removing one or more privileges from the restricted token that are present in the parent token. In addition, a restricted token may also be created by placing restricted security identifiers therein.
In use, a process is associated with a restricted token, such as by an application that launches that process. When the restricted process attempts to perform an action on a resource, a kernel mode security mechanism first compares the user-based security identifiers and the intended type of action against a list of identifiers and actions associated with the resource. If there are no restricted security identifiers in the restricted token, access is determined by the result of this first comparison. If there are restricted security identifiers in the restricted token, a second access check for this action compares the restricted security identifiers against the list of identifiers and actions associated with the resource. With a token having restricted security identifiers, the process is granted access to the resource only if both the first and second access checks pass.
By creating a restricted token, a process can launch another process in a restricted context that is a subset of its own rights and privileges. In this manner, a process is capable of restricting another process, such as possibly unruly code, in the actions it can perform to resources.
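To make the two-stage check concrete, here is an added Python model (not code from the patent or from Windows) of restricted-token creation and the access check the summary describes: a derived token can only mark identifiers deny-only, drop privileges and add restricting identifiers, and a token carrying restricting identifiers must pass both checks. The Token and Ace classes, the SID strings and the action bits are constructed for this example.

```python
from dataclasses import dataclass, field

READ, WRITE = 1, 2  # action bits; SIDs below are constructed strings

@dataclass
class Token:
    sids: dict             # SID -> True if usable to allow, False if deny-only
    privileges: set
    restricting_sids: set = field(default_factory=set)

@dataclass
class Ace:
    allow: bool            # False = deny ACE
    sid: str
    mask: int              # actions the ACE grants or denies

def create_restricted_token(parent, disable_sids=(), delete_privs=(), restricting=()):
    """Derive a restricted token from a parent: mark SIDs deny-only, drop
    privileges and add restricting SIDs. Access can only shrink."""
    sids = {s: ok and s not in disable_sids for s, ok in parent.sids.items()}
    return Token(sids, parent.privileges - set(delete_privs),
                 parent.restricting_sids | set(restricting))

def _check(usable, acl, wanted):
    """Walk the ACL in order: a deny ACE matching any listed SID (deny-only
    ones included) fails the check, while allow ACEs accumulate rights only
    for SIDs still usable for allow. Pass when every wanted bit is granted."""
    granted = 0
    for ace in acl:
        if ace.sid not in usable:
            continue
        if not ace.allow and ace.mask & wanted:
            return False
        if ace.allow and usable[ace.sid]:
            granted |= ace.mask
    return granted & wanted == wanted

def access_check(token, acl, wanted):
    """First check uses the token's user/group SIDs; when restricting SIDs are
    present a second check uses only those, and both must pass."""
    if not _check(token.sids, acl, wanted):
        return False
    if token.restricting_sids:
        return _check({s: True for s in token.restricting_sids}, acl, wanted)
    return True
```

A deny-only identifier still matches deny ACEs, so restricting a token never widens what a deny entry on the resource already blocks.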
Other advantages will become apparent from the following detailed description when taken in conjunction with the drawings, in which:


