WO2008048320A1 - Control of application access to system resources - Google Patents

Control of application access to system resources Download PDF

Info

Publication number
WO2008048320A1
WO2008048320A1 PCT/US2006/060014 US2006060014W WO2008048320A1 WO 2008048320 A1 WO2008048320 A1 WO 2008048320A1 US 2006060014 W US2006060014 W US 2006060014W WO 2008048320 A1 WO2008048320 A1 WO 2008048320A1
Authority
WO
WIPO (PCT)
Prior art keywords
application
user
computer
security
security context
Prior art date
Application number
PCT/US2006/060014
Other languages
French (fr)
Inventor
David W. Plummer
Original Assignee
Xeriton Corporation
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xeriton Corporation filed Critical Xeriton Corporation
Priority claimed from US11/549,804 external-priority patent/US20070199072A1/en
Publication of WO2008048320A1 publication Critical patent/WO2008048320A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2113Multi-level security, e.g. mandatory access control
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2149Restricted operating environment

Definitions

  • Embodiments of the invention relate generally to computer systems and, more particularly, to improvements in security for computer systems.
  • a goal in computer security is the concept of least privilege in which a user performing a task should run with the absolute minimum privileges (or identities, such as group memberships) necessary to perform that task.
  • At least one operating system permits users to exercise one of two possible choices. First, a user may elect to run the selected application as an administrator, and to execute all programs with administrative privileges. Secondly, the user may elect to run the selected application as a non-administrator, and risk having many programs fail to work as expected.
  • a method executable in a system having a security mechanism that determines access by an application to system resources based on a security context in which the application is run includes receiving definitions of a plurality of security contexts. Each security context provides access to a respective set of the system resources. An association of each application of a plurality of applications with a respective one of the security contexts is received from the user. A first one of the applications is run subject to a first associated security context.
  • FIG. 1 is a schematic view of an exemplary operating environment in which an embodiment of the invention can be implemented;
  • FIG. 2 is a functional block diagram of an exemplary operating environment in which an embodiment of the invention can be implemented;
  • FIG. 3 is a schematic illustration of a user interface according to an embodiment of the invention.
  • FIG. 4 is a schematic illustration of a user interface according to an embodiment of the invention.
  • FIG. 5 is a schematic illustration of a user interface according to an embodiment of the invention.
  • FIGS. 6-8 are flow diagrams illustrating methods according to embodiments of the invention.
  • FIG. 9 is a block diagram generally representing the creation of a limited token from an existing token according to an embodiment of the invention.
  • FIGS. 10-14 are flow diagrams illustrating methods according to embodiments of the invention.
  • FIG. 1 illustrates an example of a suitable computing system environment 100 on which the invention may be implemented.
  • the computing system environment 100 is only one example of a suitable computing environment and is not intended to suggest any limitation as to the scope of use or functionality of the invention. Neither should the computing environment 100 be interpreted as having any dependency or requirement relating to any one or combination of components illustrated in the exemplary operating environment 100.
  • Embodiments of the invention are operational with numerous other general purpose or special purpose computing system environments or configurations.
  • Examples of well known computing systems, environments, and/or configurations that may be suitable for use with the invention include, but are not limited to, personal computers, server computers, hand-held or laptop devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like.
  • Embodiments of the invention may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer.
  • program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types.
  • the invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network.
  • program modules may be located in both local and remote computer storage media including memory storage devices.
  • an exemplary system for implementing the invention includes a general purpose computing device in the form of a computer 110.
  • Components of computer 110 may include, but are not limited to, a processing unit 120, a system memory 130, and a system bus 121 that couples various system components including the system memory to the processing unit 120.
  • the system bus 121 may be any of several types of bus structures including a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of bus architectures.
  • such architectures include Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, Enhanced ISA (EISA) bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus also known as Mezzanine bus.
  • ISA Industry Standard Architecture
  • MCA Micro Channel Architecture
  • EISA Enhanced ISA
  • VESA Video Electronics Standards Association
  • PCI Peripheral Component Interconnect
  • Computer 110 typically includes a variety of computer readable media.
  • Computer readable media can be any available media that can be accessed by computer 110 and includes both volatile and nonvolatile media, removable and non-removable media.
  • Computer readable media may comprise computer storage media and communication media.
  • Computer storage media includes both volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data.
  • Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD- ROM, digital versatile disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can accessed by computer 1 10.
  • Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media.
  • modulated data signal means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal.
  • communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared and other wireless media. Combinations of any of the above should also be included within the scope of computer readable media.
  • the system memory 130 includes computer storage media in the form of volatile and/or nonvolatile memory such as read only memory (ROM) 131 and random access memory (RAM) 132.
  • ROM read only memory
  • RAM random access memory
  • BIOS basic input/output system
  • RAM 132 typically contains data and/or program modules that are immediately accessible to and/or presently being operated on by processing unit 120.
  • FIG. 1 illustrates operating system 134, application programs 135, other program modules 136, and program data 137.
  • the computer 110 may also include other removable/non-removable, volatile/nonvolatile computer storage media.
  • FIG. 1 illustrates a hard disk drive 140 that reads from or writes to non-removable, nonvolatile magnetic media, a magnetic disk drive 151 that reads from or writes to a removable, nonvolatile magnetic disk 152, and an optical disk drive 155 that reads from or writes to a removable, nonvolatile optical disk 156 such as a CD ROM or other optical media.
  • removable/non-removable, volatile/nonvolatile computer storage media that can be used in the exemplary operating environment include, but are not limited to, magnetic tape cassettes, flash memory cards, digital versatile disks, digital video tape, solid state RAM, solid state ROM, and the like.
  • the hard disk drive 141 is typically connected to the system bus 121 through a non-removable memory interface such as interface 140.
  • Magnetic disk drive 151 and optical disk drive 155 are typically connected to the system bus 121 by a removable memory interface, such as interface 150.
  • the drives and their associated computer storage media discussed above and illustrated in FIG. 1, provide storage of computer readable instructions, data structures, program modules and other data for the computer 110.
  • hard disk drive 141 is illustrated as storing operating system 144, application programs 145, other program modules 146, and program data 147. Note that these components can either be the same as or different from operating system 134, application programs 135, other program modules 136, and program data 137. Operating system 144, application programs 145, other program modules 146, and program data 147 are given different numbers here to illustrate that, at a minimum, they are different copies.
  • a user may enter commands and information into the computer 20 through input devices such as a keyboard 162 and pointing device 161, commonly referred to as a mouse, trackball or touch pad.
  • Other input devices may include a microphone, joystick, game pad, satellite dish, scanner, or the like.
  • These and other input devices are often connected to the processing unit 120 through a user input interface 160 that is coupled to the system bus, but may be connected by other interface and bus structures, such as a parallel port, game port or a universal serial bus (USB).
  • a monitor 191 or other type of display device is also connected to the system bus 121 via an interface, such as a video interface 190.
  • computers may also include other peripheral output devices such as speakers 197 and printer 196, which may be connected through a output peripheral interface 190.
  • the computer 110 may operate in a networked environment using logical connections to one or more remote computers, such as a remote computer 180.
  • the remote computer 180 may be a personal computer, a server, a router, a network PC, a peer device or other common network node, and typically includes many or all of the elements described above relative to the computer 110, although only a memory storage device 181 has been illustrated in FIG. 1.
  • the logical connections depicted in FIG. 1 include a local area network (LAN) 171 and a wide area network (WAN) 173, but may also include other networks.
  • LAN local area network
  • WAN wide area network
  • Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets and the Internet.
  • the computer 110 When used in a LAN networking environment, the computer 110 is connected to the LAN 171 through a network interface or adapter 170.
  • the computer 1 10 When used in a WAN networking environment, the computer 1 10 typically includes a modem 172 or other means for establishing communications over the WAN 173, such as the Internet.
  • the modem 172 which may be internal or external, may be connected to the system bus 121 via the user input interface 160, or other appropriate mechanism.
  • program modules depicted relative to the computer 110, or portions thereof may be stored in the remote memory storage device.
  • FIG. 1 illustrates remote application programs 185 as residing on memory device 181. It will be appreciated that the network connections shown are exemplary and other means of establishing a communications link between the computers may be used.
  • System 200 includes an electronic client device 210, such as a personal computer or workstation, that is linked via a communication medium, such as a network 220 (e.g., the Internet), to an electronic device or system, such as a server 230.
  • the server 230 may further be coupled, or otherwise have access, to a database 240 and a computer system 260.
  • FIG. 2 includes one server 230 coupled to one client device 210 via the network 220, it should be recognized that embodiments of the invention may be implemented using one or more such client devices coupled to one or more such servers.
  • each of the client device 210 and server 230 may include all or fewer than all of the features associated with the computer 110 illustrated in and discussed with reference to FIG. 1.
  • Client device 210 includes or is otherwise coupled to a computer screen or display 250.
  • Client device 210 can be used for various purposes including both network- and local-computing processes.
  • the client device 210 is linked via the network 220 to server 230 so that computer programs, such as, for example, a browser, running on the client device 210 can cooperate in two-way communication with server 230.
  • Server 230 may be coupled to database 240 to retrieve information therefrom and to store information thereto.
  • Database 240 may include a plurality of different tables (not shown) that can be used by server 230 to enable performance of various aspects of embodiments of the invention.
  • the server 230 may be coupled to the computer system 260 in a manner allowing the server to delegate certain processing functions to the computer system.
  • An embodiment of the present invention includes an application that advantageously permits a user to assume a non-administrator status for tasks that do not require an administrative privilege, and manually or automatically escalate and/or demote only those tasks that require an enhanced or diminished security level, as the case may be, to be executed with an appropriate level of security.
  • An embodiment of the present invention may also be configured to allow a user to create zones with which applications may be associated so as to make available respective sets of system resources to each application.
  • an embodiment of the invention may provide a user interface that includes a pane 300 displayable on a display device, such as the display 250.
  • a plurality of security-level zones 310, 320 and 330 are presented in corresponding regions of the pane 300.
  • each of the zones 310 represents a respective security context providing access to corresponding sets of system resources.
  • each of the zones 310 represents a respective security context providing access to corresponding sets of system resources.
  • 320 and 330 may correspond to a Win32 Job Object.
  • An embodiment of the invention may subsequently apply selected characteristics (such as, for example, ACLs and privileges) to each Job Object based on its respective zone configuration.
  • exemplary zone 330 represents an "Admin" zone.
  • the Admin zone 330 represents a security context in which full administrator-level system resources are accorded to one or more applications associated with (i.e., running in) the Admin zone.
  • Exemplary zone 320 represents a "Safe" zone.
  • the Safe zone 320 represents a security context in which fewer than full administrator-level system resources are accorded to one or more applications associated with the Safe zone.
  • Exemplary zone 310 represents an "Automatic" zone.
  • the Automatic zone 310 represents a security context in which a user-designated level of system resources are accorded to one or more applications associated with the Automatic zone and that have not otherwise been placed by the user in a designated zone.
  • the Automatic-zone 310 settings allow a user to mirror the settings of another zone at any selected point in time by selecting which of the available zones (e.g., Admin zone or Safe zone) will be so mirrored.
  • the Safe zone 320 is selected, all applications not otherwise placed into a zone will operate as if in the Safe zone.
  • the Admin zone 310 is selected, all applications not otherwise placed into a zone will operate as if in the Admin zone.
  • options for implementing this feature may be user-selectable.
  • the user may instruct an embodiment to create a separate Job Object for the Automatic zone 310 and change the attributes of the Job Object when the designation of a mirrored zone is changed.
  • the user may instruct an embodiment to relocate applications from the Automatic zone 310 to the designated mirrored zone.
  • the user may choose one or more software applications 340A-340D to associate with and run subject to the security contexts of particular zones. By associating an application 340 with a particular zone, the user thus limits access by that application to the set of system resources corresponding to the chosen zone.
  • the user may move an application from a first zone or other location, such as, for example, a menu of available applications (not shown), to a second zone, thereby associating the application with the second zone, by "dragging and dropping" an icon 350 or other graphical representation of the application to the second zone using, for example, a conventional pointer device (not shown).
  • a first zone or other location such as, for example, a menu of available applications (not shown)
  • a second zone such as, for example, a menu of available applications (not shown)
  • an icon 350 or other graphical representation of the application to the second zone using, for example, a conventional pointer device (not shown).
  • FIG. 3 While the example illustrated in FIG. 3 includes only three zones, it should be understood that more or fewer than the three zones illustrated may be created and/or implemented in embodiments of the invention. Additionally, an embodiment of the invention enables the user to create each of the zones with which to associate applications. In doing so, the user may define the security context of, and system- resource availability associated with, each such created zone. Alternatively, one or more of the zones and associated security-context definitions may be included as part of a software application provided to the user. [0034] An embodiment of the invention may implement the features described herein by creating and/or retrieving access tokens to be associated with applications in order to control the availability of system resources to such applications. For example, the movement of an application from one zone to another may be effected by the exchange of one token associated with the application for another. The creation and functionality of tokens implementable in an embodiment of the invention are discussed below herein.
  • An embodiment of the present invention permits the user to select which user account the user will operate under.
  • User A may be signed in to a user account otherwise having full administrator privileges, but nonetheless utilize an application in, and subject to the restrictions associated with, a privileges-restricted zone, such as the Safe zone 320 discussed above. This may be achieved in an embodiment by creating a limited token that accurately identifies such user as User A, but not as an administrator.
  • An embodiment of the present invention, with respect to a selected application permits a user to switch from a first user account having a first set of privileges to a second user account having a second set of privileges without requiring a re-launch of the application.
  • an application running in association with User A may be temporarily switched to run as User B so that the application may perform operations that only User B is entitled to perform, such as, for example, installing other applications, drivers, downloading content, etc.
  • an embodiment of the present invention may be configured to permit a user to specify which user privileges (including, for example, shutdown, change-system-time, backup, etc.) may be restricted in one or more selected zones, or alternatively, which privileges are allowed in the one or more selected zones.
  • An embodiment of the present invention may be configured to enable a user to specify a processing priority for the one or more selected zones.
  • An embodiment may further be configured to enable a user to specify a memory allocation for applications within the one or more specified zones.
  • an embodiment of the present invention may be initiated automatically by an operating system each time a user logs into the operating system.
  • a visual indication that an embodiment is running may be presented to a user as, for example, a tray bar (not shown) that contains a dropdown list of the current default zone setting.
  • an embodiment may be initiated as part of the operating-system startup.
  • an application associated with a limited token may be blocked from modifying or otherwise accessing any administrative data, but it can still read and modify any -user- data, such as, for example, MyDocuments or the user part of the registry.
  • an embodiment offers a "lockdown" option whereby a user can specify that applications in the Safe zone 320 cannot WRITE at all. This means such applications can still "see” the user's registry and documents (which is required for useful operation) but cannot modify them.
  • Such an embodiment may be implemented by marking the token with a new flag that indicates "This token is WRITE-RESTRICTED" when a user elects this option.
  • the token may be configured in such a way that it cannot write to any data, whether such data is administrative or personal.
  • An embodiment of the present invention may also be configured to permit the selective application of predetermined rules in the one or more selected zones and/or to selected programs.
  • a user interface that includes a pane 400 displayable on a display device, such as the display 250, that enables a user to designate selected applications to be automatically moved into a particular zone at the time such applications are run.
  • the user may identify the application to be automatically moved into a zone.
  • the user may identify the zone into which the application is to be automatically moved.
  • the user may create a name for the rule, thereby better enabling the user to later recognize the functionality of the rule.
  • the selected applications are designated using either an exact match on their name (e.g., "c: ⁇ program files ⁇ internet applications ⁇ iexplore.exe”) or by defining a pattern (e.g., "* ⁇ iexplore.exe”) that the application name must adhere to in order to be selected.
  • This mechanism includes, but is not limited to, applying the exact match or pattern match on the name of the application as well as other identifying characteristics of the application.
  • An embodiment of the present invention may also be configured to modify a portion of the user interface of each application to enable the convenient allocation of each such application to a particular zone.
  • an application such as the illustrated Internet browser, includes a pane 500 displayable on a display device, such as the display 250.
  • the pane 500 associated with the Internet browser includes a titlebar 510.
  • An embodiment of the invention provides a user-selectable button 520 in the titlebar 510 that, when selected by the user, invokes a menu 530 of options selectable by the user.
  • Such options may, for example, enable the user to associate the application with a zone different from the zone in which the application is currently run and/or enable the user to invoke a pane, such as the pane 400 illustrated in and described with reference to FIG. 4, or other interface that will allow the user to create a zone-association rule to be applied to the application.
  • the button 520 is, in the illustrated example, positioned in the titlebar 510, it should be appreciated that the button could be positioned in one or more different portions of the pane 500. Alternatively, the button 520 could be displayed in a portion of the display device external to the pane 500. Additionally, a user-selectable field other than the button 520 may be presented in order to enable the user to invoke the menu 530.
  • FIG. 6 illustrates a process 600, according to an embodiment of the invention, that can be implemented in a system having a security mechanism that determines access by an application to system resources based on a security context in which the application is run.
  • This same system may employ the same or a different security mechanism, which determines access to system resources based on information in an access token against security information associated with each of the resources in order to control access of the application to the system resources.
  • the process 600 is illustrated as a set of operations shown as discrete blocks.
  • the process 600 may be implemented in any suitable hardware, software, firmware, or combination thereof.
  • process 600 may be implemented in computer-executable instructions that can be transferred from one computer, such as server 230, to a second computer, such as client device 210, via a communications medium, such as network 220.
  • a communications medium such as network 220.
  • a user interface that enables a user to define a plurality of security contexts.
  • definitions may be received, for example, by the client device 210 from the network 220 from the server 230.
  • Each security context provides access to a respective set of the system resources.
  • an embodiment may provide a user interface (not shown) that enables a user to create and define the sets of system resources associated with the zones 310-330 described with reference to FIG. 3.
  • the user interface further enables the user to assign a processing priority to at least one of the security contexts.
  • the user interface further enables the user to assign a memory-usage allocation to at least one of the security contexts.
  • the user interface further enables the user to apply a set of predetermined rules to at least one of the security contexts and/or at least one of the applications.
  • the user interface further provides a representation of each security context in a respective portion of a display-device screen, such as the display of zone fields 310-330.
  • the user interface enables the user to associate each application of a plurality of applications with a respective one of the security contexts.
  • the applications may be associated with the Safe zone 320 or Admin zone 330 described herein with reference to FIG. 3.
  • the user interface enables the user to associate an application with a security context by placing a graphical representation of the application, such as the icon 350, in a screen portion associated with the security context, such as one of the zones 310-330.
  • the user interface enables the user to change the security context of an application by dragging the graphical representation of the application from a screen portion associated with a first security context and dropping the graphical representation in a screen portion associated with a second security context.
  • a first one of the applications is run subject to a first associated security context.
  • the applications may be run in, and subject to the system-resource limitations of, the Safe zone 320 or Admin zone 330.
  • the first one of the applications can transition, without re-launching the application, from running subject to the first security context to running subject to a second security context.
  • FIG. 7 illustrates a process 700, according to an embodiment of the invention, that can be implemented in a system having a security mechanism that determines access by an application to system resources based on a security context in which the application is run.
  • the process 700 is illustrated as a set of operations shown as discrete blocks.
  • the process 700 may be implemented in any suitable hardware, software, firmware, or combination thereof.
  • the process 700 may be implemented in computer-executable instructions that can be transferred from one computer, such as server 230, to a second computer, such as client device 210, via a communications medium, such as network 220.
  • the order in which the operations are described is not to be necessarily construed as a limitation.
  • definitions of a plurality of security contexts are received. Each security context provides access to a respective set of the system resources. These definitions may be received, for example, by the client device 210 from a user of the client device or over the network 220 from the server 230.
  • the applications may be associated with the Safe zone 320 or Admin zone 330 described herein with reference to FIG. 3.
  • the user may associate an application with a security context by placing a graphical representation of the application, such as the icon 350, in a screen portion associated with the security context, such as one of the zones 310-330.
  • the user may change the security context of an application by dragging the graphical representation of the application from a screen portion associated with a first security context and dropping the graphical representation in a screen portion associated with a second security context.
  • a first one of the applications is run subject to a first associated security context.
  • the applications may be run in, and subject to the system-resource limitations of, the Safe zone 320 or Admin zone 330.
  • the first one of the applications can transition, without re-launching the application, from running subject to the first context to running subject to a second security context.
  • FIG. 8 illustrates a process 800, according to an embodiment of the invention, that can be implemented in a system having a security mechanism that dete ⁇ nines access by an application to system resources based on a security context in which the application is run.
  • This same system may employ the same or a different security mechanism, which determines access to system resources based on information in an access token against security information associated with each of the resources in order to control access of the application to the system resources.
  • the process 800 is illustrated as a set of operations shown as discrete blocks.
  • the process 800 may be implemented in any suitable hardware, software, firmware, or combination thereof.
  • process 800 may be implemented in computer-executable instructions that can be transferred from one computer, such as server 230, to a second computer, such as client device 210, via a communications medium, such as network 220.
  • a communications medium such as network 220.
  • the application is run subject to a first security context providing access to a first set of the system resources.
  • the application may be run in the Admin zone 330 described herein with reference to FIG. 3.
  • a request is received to run the first application subject to a second security context providing access to a second set of the system resources different from the first set.
  • the application may be moved or otherwise reassigned from the Admin zone 330 to the Safe zone 320.
  • a user may provide the request via a user-selectable field displayed within a user interface associated with the first application.
  • the first application is run subject to the second security context.
  • the application runs subject to the second security context without re-launching the application.
  • the application can transition "on the fly" from running in the Admin zone 330 to running in the Safe zone 320.
  • the first security context with respect to the second security context, provides access to fewer of the system resources.
  • the first security context with respect to the second security context, provides access to at least the same system resources.
  • at least one of the security contexts is defined by at least one privilege and/or group identifier.
  • a user performs tasks by accessing the system's resources via processes (and their threads).
  • a security context may be set up for that user, which includes building an access token 900.
  • a conventional user-based access token 900 includes a UserAndGroups field 902 including a security identifier (Security ID, or SID) 904 based on the user's credentials and one or more group IDs 906 identifying groups (e.g., within an organization) to which that user belongs and a Token ID.
  • the token 900 also includes a privileges field 908 listing any privileges assigned to the user. For example, one such privilege may give an administrative-level user the ability to set the system clock through a particular application programming interface (API).
  • API application programming interface
  • An embodiment of the invention seeks to create a token that limits access to system resources in proportion to a particular user's group membership and/or granted privileges, for example. Such a limited token may only receive the allowable attributes of a corresponding parent token while omitting selected attributes, such as, for example, membership in the Administrator's group.
  • an embodiment employs a function that can extract from the parent token certain attributes.
  • the attributes of interest may include, for example:
  • TOKEN_OWNER [0058] TOKEN GROUPS
  • a limited token 910 based on a parent token, such as token 900, may be created by employing a GetLimitedToken API 912 or other executable function.
  • the limited token 910 includes a UserAndGroups field 914, a privileges field 916, a Limited Token ID and the Token ID of the parent token 900.
  • the limited token has been created with the omission of the Group3 SID and Privilege2 present in the parent token 900.
  • the limited token 910 provides a user access to fewer system resources than would be the case with the parent token 900.
  • the limited token 910 provides a user access to a greater amount of system resources than would be the case with the parent token 900.
  • a result of this process may be the creation of a clone of an original token with only select attributes present in the clone.
  • This process provides the benefit of creating a clone with the original User ID (SID) and/or group memberships and/or privileges except those deemed to be unsafe in a limited security context.
  • SID User ID
  • the parent token may, in some instances, be created in such manner that the token has membership in a group, such as the Administrator's group, but that membership may be marked as "Deny Only.” Because a security issue may be created if any group in the parent token that was marked as "Deny Only” is omitted in the limited token, the API 912, in embodiments thereof, may fail creation of the limited token or may include the "Deny Only" group or other access-restricting attribute in the limited token. [0066] FIG.
  • FIG. 10 illustrates a process 1000, according to an embodiment of the invention, that can be implemented in a system having a security mechanism that determines access to system resources based on information in an access token against security information associated with each of the resources in order to control access of an application to the system resources.
  • the process 1000 is illustrated as a set of operations shown as discrete blocks.
  • the process 1000 may be implemented in any suitable hardware, software, firmware, or combination thereof.
  • the process 1000 may be implemented in computer-executable instructions that can be transferred from one computer, such as server 230, to a second computer, such as client device 210, via a communications medium, such as network 220.
  • the order in which the operations are described is not to be necessarily construed as a limitation.
  • data related to access by the application to at least one of the system resources is accessed.
  • the API 912 may have access to a set of stored data defining resource-access restrictions to be placed on certain users when utilizing certain applications.
  • This stored data may include, for example, a whitelist of allowable privileges and/or group identifiers.
  • a request to run the application is received.
  • a first access token is created having a first set of attributes enabling access to at least one of the system resources and selected based on the data.
  • the attributes may disable access to any of the system resources.
  • These attributes may include, for example, a privilege and/or a group identifier.
  • the API 912 may employ the GetModifiedTokenGroups and/or GetLimitedPrivileges functions described in at least one application incorporated by reference herein to effect limitation on, for example, the Group SIDs and/or Privileges conferred on the limited token 910.
  • the first token can be based on a second access token having a second set of the attributes.
  • the limited token 910 may be based on the parent token 900.
  • the first-set attributes can be fewer in number than the second-set attributes.
  • the first token, with respect to the second token provides access to fewer of the system resources.
  • the first token, with respect to the second token provides access to a greater number or amount of the system resources.
  • the first token, with respect to the second token provides access to an equal number or amount of the system resources, but, perhaps, different one(s) of the resources.
  • the first token is associated with the application.
  • the application may run subject to the first token.
  • FIG. 11 illustrates a process 1100, according to an embodiment of the invention, that can be implemented in a system having a security mechanism that determines access to system resources based on information in an access token against security information associated with each of the resources in order to control access of an application to the system resources.
  • the process 1100 is illustrated as a set of operations shown as discrete blocks.
  • the process 1100 may be implemented in any suitable hardware, software, firmware, or combination thereof.
  • the process 1100 may be implemented in computer-executable instructions that can be transferred from one computer, such as server 230, to a second computer, such as client device 210, via a communications medium, such as network 220.
  • the order in which the operations are described is not to be necessarily construed as a limitation.
  • a request to run the application is received.
  • the application is launched subject to a first access token providing access to a first set of the system resources.
  • the application may launch subject to its original, unmodified token.
  • a second access token is created providing access to a second set of the system resources different from the first set.
  • the API 912 may employ the GetModifiedTokenGroups and/or GetLimitedPrivileges functions described in at least one application incorporated by reference herein to effect limitation on, for example, the Group SIDs and/or Privileges conferred on the limited token 910.
  • the second access token can be based on the first access token.
  • the limited token 910 may be based on the parent token 900.
  • the second access token is associated with the application.
  • the application runs subject to the second access token without re-launching the application.
  • the process token may be replaced live on the application, granting the application a new security context.
  • the first token, with respect to the second token provides access to fewer of the system resources.
  • the first token, with respect to the second token provides access to a greater number or amount of the system resources.
  • the first token, with respect to the second token provides access to an equal number or amount of the system resources, but, perhaps, different one(s) of the resources.
  • a duplicate of the first access token may be created and stored in memory. As such, if the original security context is subsequently desired, the duplicate may be retrieved and associated with the application, also without relaunching the application. Alternatively, of course, the first access token itself may be stored and subsequently retrieved for similar purposes.
  • a process that is already running with certain attributes, such as membership in the Administrator's group can be limited (i.e., placed in a more restrictive security context) on the fly without stopping or restarting the application.
  • a process that is already running under a particular user's security account can be changed, on the fly, to run under another user's security account without stopping or restarting the application.
  • a process that was originally launched in a limited security context i.e., lacking membership in the Administrator's group
  • FIG. 12 illustrates a process 1200, according to an embodiment of the invention, that can be implemented in a system having a security mechanism that determines access to system resources based on information in an access token against security information associated with each of the resources in order to control access of an application to the system resources.
  • the process 1200 is illustrated as a set of operations shown as discrete blocks.
  • the process 1200 may be implemented in any suitable hardware, software, firmware, or combination thereof.
  • the process 1200 may be implemented in computer-executable instructions that can be transferred from one computer, such as server 230, to a second computer, such as client device 210, via a communications medium, such as network 220.
  • the order in which the operations are described is not to be necessarily construed as a limitation.
  • a request to run the application is received.
  • the application is launched subject to a first access token providing access to a first set of the system resources.
  • a second access token is retrieved from a memory and provides access to a second set of the system resources different from the first set. For example, as discussed above with reference to FIG. 11 , the original token with which the application was associated when launched may have been previously stored and is thus available for retrieval.
  • the first access token can be based on the second access token.
  • the second access token is associated with the application.
  • the application runs subject to the second access token without re-launching the application.
  • the process token may be replaced live on the application, granting the application a new security context, which may result in the application running subject to its original, unmodified token.
  • the first token, with respect to the second token provides access to fewer of the system resources.
  • the first token, with respect to the second token provides access to a greater number or amount of the system resources.
  • the first token, with respect to the second token provides access to an equal number or amount of the system resources, but, perhaps, different one(s) of the resources.
  • FIG. 13 illustrates a process 1300, according to an embodiment of the invention, that can be implemented in a system having a security mechanism that determines access to system resources based on information in an access token against security information associated with each of the resources in order to control access of an application to the system resources.
  • the process 1300 is illustrated as a set of operations shown as discrete blocks.
  • the process 1300 may be implemented in any suitable hardware, software, firmware, or combination thereof.
  • the process 1300 may be implemented in computer-executable instructions that can be transferred from one computer, such as server 230, to a second computer, such as client device 210, via a communications medium, such as network 220.
  • the order in which the operations are described is not to be necessarily construed as a limitation.
  • the application is run subject to a first access token providing access to a first set of the system resources.
  • a second access token is retrieved from a memory and provides access to a second set of the system resources different from the first set. For example, as discussed above with reference to FIG. 11 , the original token with which the application was associated when launched may have been previously stored and is thus available for retrieval.
  • the first access token can be based on the second access token.
  • the second access token is associated with the application.
  • the application runs subject to the second access token without re-launching the application.
  • the process token may be replaced live on the application, granting the application a new security context, which may result in the application running subject to its original, unmodified token.
  • the first token, with respect to the second token provides access to fewer of the system resources.
  • the first token, with respect to the second token provides access to a greater number or amount of the system resources.
  • the first token, with respect to the second token provides access to an equal number or amount of the system resources, but, perhaps, different one(s) of the resources.
  • FIG. 14 illustrates a process 1400, according to an embodiment of the invention, that can be implemented in a system having a security mechanism that determines access to system resources based on information in an access token against security information associated with each of the resources in order to control access of an application to the system resources.
  • the process 1400 is illustrated as a set of operations shown as discrete blocks.
  • the process 1400 may be implemented in any suitable hardware, software, firmware, or combination thereof.
  • the process 1400 may be implemented in computer-executable instructions that can be transferred from one computer, such as server 230, to a second computer, such as client device 210, via a communications medium, such as network 220.
  • the order in which the operations are described is not to be necessarily construed as a limitation.
  • a request to run the application is detected.
  • the application may be associated with a first access token providing access to a first set of the system resources.
  • at least a portion of the computer- executable instructions may include a driver operable to monitor process-creation events, such as a request to run an application.
  • a second access token is created providing access to a second set of the system resources different from the first set.
  • the second access token is created prior to launching and running the application and in a manner similar to that described elsewhere herein.
  • the second access token can be based on the first access token.
  • the application is launched subject to the second access token.
  • at least one thread of execution of the application runs subject to the second access token.
  • at least a portion of the computer-executable instructions may include a callback function registered by the driver to facilitate creation and implementation of the second access token.
  • the first token, with respect to the second token provides access to fewer of the system resources.
  • the first token, with respect to the second token provides access to a greater number or amount of the system resources.
  • the first token with respect to the second token, provides access to an equal number or amount of the system resources, but, perhaps, different one(s) of the resources.
  • a duplicate of the first access token may be created and stored in memory. As such, if the original security context is subsequently desired for the application and/or associated threads, the duplicate may be retrieved and associated with the application without re-launching the application. Alternatively, of course, the first access token itself may be stored and subsequently retrieved for similar purposes.

Abstract

A method executable in a system having a security mechanism that determines access by an application to system resources based on a security context in which the application is run includes receiving definitions of a plurality of security contexts. Each security context provides access to a respective set of the system resources. An association of each application of a plurality of applications with a respective one of the security contexts is received from the user. A first one of the applications is run subject to a first associated security context.

Description

CONTROL OF APPLICATION ACCESS TO SYSTEM RESOURCES INVENTOR
David Plummer
PRIORITY CLAIM
[0001] The present application claims priority from U.S. Provisional Application
No. 60/727,288 filed October 14, 2005, which is, along with commonly owned and co- pending U.S. Application No. 1 1/351,257 filed on February 6, 2006, U.S. Patent
Application No. 11/549,812 (Attorney Ref. No. SFON-1-1005) entitled "Enhanced
Browser Security," U.S. Patent Application No. 11/549,783 (Attorney Ref. No. SFON-I-
1007) entitled "Control of Application Access to System Resources," and U.S.
Provisional Application No. 60/805,683 filed on June 23, 2006, herein incorporated by reference in its entirety.
FIELD OF THE INVENTION
[0002] Embodiments of the invention relate generally to computer systems and, more particularly, to improvements in security for computer systems.
BACKGROUND OF THE INVENTION [0003] In computing, if a task is performed by a user having more privileges than necessary to do that task, there is an increased risk that the user will inadvertently (or perhaps intentionally) do harm to computer resources. By way of example, if a set of files can only be deleted by a user with administrator privileges, then an administrator may inadvertently delete those files when performing another task that does not need to be accomplished by an administrator. If the administrator had been a user having lesser privileges, then the intended task could still have been performed but the inadvertent deletion would not have been allowed. [0004] As such, a goal in computer security is the concept of least privilege in which a user performing a task should run with the absolute minimum privileges (or identities, such as group memberships) necessary to perform that task. At least one operating system permits users to exercise one of two possible choices. First, a user may elect to run the selected application as an administrator, and to execute all programs with administrative privileges. Secondly, the user may elect to run the selected application as a non-administrator, and risk having many programs fail to work as expected.
SUMMARY OF THE INVENTION
[0005] In an embodiment of the invention, a method executable in a system having a security mechanism that determines access by an application to system resources based on a security context in which the application is run includes receiving definitions of a plurality of security contexts. Each security context provides access to a respective set of the system resources. An association of each application of a plurality of applications with a respective one of the security contexts is received from the user. A first one of the applications is run subject to a first associated security context. BRIEF DESCRIPTION OF THE DRAWINGS
[0006] Preferred and alternative embodiments of the present invention are described in detail below with reference to the following drawings.
[0007] FIG. 1 is a schematic view of an exemplary operating environment in which an embodiment of the invention can be implemented; [0008] FIG. 2 is a functional block diagram of an exemplary operating environment in which an embodiment of the invention can be implemented;
[0009] FIG. 3 is a schematic illustration of a user interface according to an embodiment of the invention; [0010] FIG. 4 is a schematic illustration of a user interface according to an embodiment of the invention;
[0011] FIG. 5 is a schematic illustration of a user interface according to an embodiment of the invention; [0012] FIGS. 6-8 are flow diagrams illustrating methods according to embodiments of the invention;
[0013] FIG. 9 is a block diagram generally representing the creation of a limited token from an existing token according to an embodiment of the invention; and
[0014] FIGS. 10-14 are flow diagrams illustrating methods according to embodiments of the invention.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT [0015] FIG. 1 illustrates an example of a suitable computing system environment 100 on which the invention may be implemented. The computing system environment 100 is only one example of a suitable computing environment and is not intended to suggest any limitation as to the scope of use or functionality of the invention. Neither should the computing environment 100 be interpreted as having any dependency or requirement relating to any one or combination of components illustrated in the exemplary operating environment 100.
[0016] Embodiments of the invention are operational with numerous other general purpose or special purpose computing system environments or configurations.
Examples of well known computing systems, environments, and/or configurations that may be suitable for use with the invention include, but are not limited to, personal computers, server computers, hand-held or laptop devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like.
[0017] Embodiments of the invention may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
[0018] With reference to FIG. 1, an exemplary system for implementing the invention includes a general purpose computing device in the form of a computer 110. Components of computer 110 may include, but are not limited to, a processing unit 120, a system memory 130, and a system bus 121 that couples various system components including the system memory to the processing unit 120. The system bus 121 may be any of several types of bus structures including a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of bus architectures. By way of example, and not limitation, such architectures include Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, Enhanced ISA (EISA) bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus also known as Mezzanine bus.
[0019] Computer 110 typically includes a variety of computer readable media. Computer readable media can be any available media that can be accessed by computer 110 and includes both volatile and nonvolatile media, removable and non-removable media. By way of example, and not limitation, computer readable media may comprise computer storage media and communication media. Computer storage media includes both volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD- ROM, digital versatile disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can accessed by computer 1 10. Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. The term "modulated data signal" means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared and other wireless media. Combinations of any of the above should also be included within the scope of computer readable media.
[0020] The system memory 130 includes computer storage media in the form of volatile and/or nonvolatile memory such as read only memory (ROM) 131 and random access memory (RAM) 132. A basic input/output system 133 (BIOS), containing the basic routines that help to transfer information between elements within computer 110, such as during start-up, is typically stored in ROM 131. RAM 132 typically contains data and/or program modules that are immediately accessible to and/or presently being operated on by processing unit 120. By way of example, and not limitation, FIG. 1 illustrates operating system 134, application programs 135, other program modules 136, and program data 137.
[0021] The computer 110 may also include other removable/non-removable, volatile/nonvolatile computer storage media. By way of example only, FIG. 1 illustrates a hard disk drive 140 that reads from or writes to non-removable, nonvolatile magnetic media, a magnetic disk drive 151 that reads from or writes to a removable, nonvolatile magnetic disk 152, and an optical disk drive 155 that reads from or writes to a removable, nonvolatile optical disk 156 such as a CD ROM or other optical media. Other removable/non-removable, volatile/nonvolatile computer storage media that can be used in the exemplary operating environment include, but are not limited to, magnetic tape cassettes, flash memory cards, digital versatile disks, digital video tape, solid state RAM, solid state ROM, and the like. The hard disk drive 141 is typically connected to the system bus 121 through a non-removable memory interface such as interface 140. Magnetic disk drive 151 and optical disk drive 155 are typically connected to the system bus 121 by a removable memory interface, such as interface 150.
[0022] The drives and their associated computer storage media discussed above and illustrated in FIG. 1, provide storage of computer readable instructions, data structures, program modules and other data for the computer 110. In FIG. 1, for example, hard disk drive 141 is illustrated as storing operating system 144, application programs 145, other program modules 146, and program data 147. Note that these components can either be the same as or different from operating system 134, application programs 135, other program modules 136, and program data 137. Operating system 144, application programs 145, other program modules 146, and program data 147 are given different numbers here to illustrate that, at a minimum, they are different copies. A user may enter commands and information into the computer 20 through input devices such as a keyboard 162 and pointing device 161, commonly referred to as a mouse, trackball or touch pad. Other input devices (not shown) may include a microphone, joystick, game pad, satellite dish, scanner, or the like. These and other input devices are often connected to the processing unit 120 through a user input interface 160 that is coupled to the system bus, but may be connected by other interface and bus structures, such as a parallel port, game port or a universal serial bus (USB). A monitor 191 or other type of display device is also connected to the system bus 121 via an interface, such as a video interface 190. In addition to the monitor, computers may also include other peripheral output devices such as speakers 197 and printer 196, which may be connected through a output peripheral interface 190.
[0023] The computer 110 may operate in a networked environment using logical connections to one or more remote computers, such as a remote computer 180. The remote computer 180 may be a personal computer, a server, a router, a network PC, a peer device or other common network node, and typically includes many or all of the elements described above relative to the computer 110, although only a memory storage device 181 has been illustrated in FIG. 1. The logical connections depicted in FIG. 1 include a local area network (LAN) 171 and a wide area network (WAN) 173, but may also include other networks. Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets and the Internet.
[0024] When used in a LAN networking environment, the computer 110 is connected to the LAN 171 through a network interface or adapter 170. When used in a WAN networking environment, the computer 1 10 typically includes a modem 172 or other means for establishing communications over the WAN 173, such as the Internet. The modem 172, which may be internal or external, may be connected to the system bus 121 via the user input interface 160, or other appropriate mechanism. In a networked environment, program modules depicted relative to the computer 110, or portions thereof, may be stored in the remote memory storage device. By way of example, and not limitation, FIG. 1 illustrates remote application programs 185 as residing on memory device 181. It will be appreciated that the network connections shown are exemplary and other means of establishing a communications link between the computers may be used.
[0025] Referring now to FIG. 2, an embodiment of the present invention can be described in the context of an exemplary computer network system 200 as illustrated. System 200 includes an electronic client device 210, such as a personal computer or workstation, that is linked via a communication medium, such as a network 220 (e.g., the Internet), to an electronic device or system, such as a server 230. The server 230 may further be coupled, or otherwise have access, to a database 240 and a computer system 260. Although the embodiment illustrated in FIG. 2 includes one server 230 coupled to one client device 210 via the network 220, it should be recognized that embodiments of the invention may be implemented using one or more such client devices coupled to one or more such servers. [0026] In an embodiment, each of the client device 210 and server 230 may include all or fewer than all of the features associated with the computer 110 illustrated in and discussed with reference to FIG. 1. Client device 210 includes or is otherwise coupled to a computer screen or display 250. Client device 210 can be used for various purposes including both network- and local-computing processes.
[0027] The client device 210 is linked via the network 220 to server 230 so that computer programs, such as, for example, a browser, running on the client device 210 can cooperate in two-way communication with server 230. Server 230 may be coupled to database 240 to retrieve information therefrom and to store information thereto. Database 240 may include a plurality of different tables (not shown) that can be used by server 230 to enable performance of various aspects of embodiments of the invention. Additionally, the server 230 may be coupled to the computer system 260 in a manner allowing the server to delegate certain processing functions to the computer system.
[0028] An embodiment of the present invention includes an application that advantageously permits a user to assume a non-administrator status for tasks that do not require an administrative privilege, and manually or automatically escalate and/or demote only those tasks that require an enhanced or diminished security level, as the case may be, to be executed with an appropriate level of security.
[0029] An embodiment of the present invention may also be configured to allow a user to create zones with which applications may be associated so as to make available respective sets of system resources to each application. Referring to FIG. 3, an embodiment of the invention may provide a user interface that includes a pane 300 displayable on a display device, such as the display 250. In the illustrated example, a plurality of security-level zones 310, 320 and 330 (as delineated by associated dashed lines) are presented in corresponding regions of the pane 300. Each zone 310, 320 and
330 represents a respective security context providing access to corresponding sets of system resources. For example, in an exemplary operating system, each of the zones 310,
320 and 330 may correspond to a Win32 Job Object. An embodiment of the invention may subsequently apply selected characteristics (such as, for example, ACLs and privileges) to each Job Object based on its respective zone configuration.
[0030] Still referring to FIG. 3, exemplary zone 330 represents an "Admin" zone. The Admin zone 330, in turn, represents a security context in which full administrator-level system resources are accorded to one or more applications associated with (i.e., running in) the Admin zone. Exemplary zone 320 represents a "Safe" zone. The Safe zone 320, in turn, represents a security context in which fewer than full administrator-level system resources are accorded to one or more applications associated with the Safe zone. [0031] Exemplary zone 310 represents an "Automatic" zone. The Automatic zone 310, in turn, represents a security context in which a user-designated level of system resources are accorded to one or more applications associated with the Automatic zone and that have not otherwise been placed by the user in a designated zone. In an embodiment, the Automatic-zone 310 settings allow a user to mirror the settings of another zone at any selected point in time by selecting which of the available zones (e.g., Admin zone or Safe zone) will be so mirrored. Thus, if the Safe zone 320 is selected, all applications not otherwise placed into a zone will operate as if in the Safe zone. Alternatively, if the Admin zone 310 is selected, all applications not otherwise placed into a zone will operate as if in the Admin zone. In an embodiment, options for implementing this feature may be user-selectable. For example, the user may instruct an embodiment to create a separate Job Object for the Automatic zone 310 and change the attributes of the Job Object when the designation of a mirrored zone is changed. Alternatively, the user may instruct an embodiment to relocate applications from the Automatic zone 310 to the designated mirrored zone. [0032] Upon establishment of the zones 310, 320 and 330, the user may choose one or more software applications 340A-340D to associate with and run subject to the security contexts of particular zones. By associating an application 340 with a particular zone, the user thus limits access by that application to the set of system resources corresponding to the chosen zone. In an embodiment, the user may move an application from a first zone or other location, such as, for example, a menu of available applications (not shown), to a second zone, thereby associating the application with the second zone, by "dragging and dropping" an icon 350 or other graphical representation of the application to the second zone using, for example, a conventional pointer device (not shown).
[0033] While the example illustrated in FIG. 3 includes only three zones, it should be understood that more or fewer than the three zones illustrated may be created and/or implemented in embodiments of the invention. Additionally, an embodiment of the invention enables the user to create each of the zones with which to associate applications. In doing so, the user may define the security context of, and system- resource availability associated with, each such created zone. Alternatively, one or more of the zones and associated security-context definitions may be included as part of a software application provided to the user. [0034] An embodiment of the invention may implement the features described herein by creating and/or retrieving access tokens to be associated with applications in order to control the availability of system resources to such applications. For example, the movement of an application from one zone to another may be effected by the exchange of one token associated with the application for another. The creation and functionality of tokens implementable in an embodiment of the invention are discussed below herein.
[0035] An embodiment of the present invention, with respect to a selected zone, permits the user to select which user account the user will operate under. For example, User A may be signed in to a user account otherwise having full administrator privileges, but nonetheless utilize an application in, and subject to the restrictions associated with, a privileges-restricted zone, such as the Safe zone 320 discussed above. This may be achieved in an embodiment by creating a limited token that accurately identifies such user as User A, but not as an administrator. An embodiment of the present invention, with respect to a selected application, permits a user to switch from a first user account having a first set of privileges to a second user account having a second set of privileges without requiring a re-launch of the application. For example, an application running in association with User A may be temporarily switched to run as User B so that the application may perform operations that only User B is entitled to perform, such as, for example, installing other applications, drivers, downloading content, etc. Additionally, an embodiment of the present invention may be configured to permit a user to specify which user privileges (including, for example, shutdown, change-system-time, backup, etc.) may be restricted in one or more selected zones, or alternatively, which privileges are allowed in the one or more selected zones.
[0036] An embodiment of the present invention may be configured to enable a user to specify a processing priority for the one or more selected zones. An embodiment may further be configured to enable a user to specify a memory allocation for applications within the one or more specified zones. [0037] Additionally, an embodiment of the present invention may be initiated automatically by an operating system each time a user logs into the operating system. A visual indication that an embodiment is running may be presented to a user as, for example, a tray bar (not shown) that contains a dropdown list of the current default zone setting. Alternatively, an embodiment may be initiated as part of the operating-system startup.
[0038] Additionally, in an embodiment of the invention an application associated with a limited token may be blocked from modifying or otherwise accessing any administrative data, but it can still read and modify any -user- data, such as, for example, MyDocuments or the user part of the registry. Accordingly, an embodiment offers a "lockdown" option whereby a user can specify that applications in the Safe zone 320 cannot WRITE at all. This means such applications can still "see" the user's registry and documents (which is required for useful operation) but cannot modify them. Such an embodiment may be implemented by marking the token with a new flag that indicates "This token is WRITE-RESTRICTED" when a user elects this option. As such, the token may be configured in such a way that it cannot write to any data, whether such data is administrative or personal.
[0039] An embodiment of the present invention may also be configured to permit the selective application of predetermined rules in the one or more selected zones and/or to selected programs. Referring to FIG. 4, an embodiment provides a user interface that includes a pane 400 displayable on a display device, such as the display 250, that enables a user to designate selected applications to be automatically moved into a particular zone at the time such applications are run. In a data entry field 410, the user may identify the application to be automatically moved into a zone. In a data entry field 420, the user may identify the zone into which the application is to be automatically moved. In a data entry field 430, the user may create a name for the rule, thereby better enabling the user to later recognize the functionality of the rule. The selected applications are designated using either an exact match on their name (e.g., "c:\program files\internet applications\iexplore.exe") or by defining a pattern (e.g., "*\iexplore.exe") that the application name must adhere to in order to be selected. This mechanism includes, but is not limited to, applying the exact match or pattern match on the name of the application as well as other identifying characteristics of the application.
[0040] An embodiment of the present invention may also be configured to modify a portion of the user interface of each application to enable the convenient allocation of each such application to a particular zone. Referring to FIG. 5, an application, such as the illustrated Internet browser, includes a pane 500 displayable on a display device, such as the display 250. As is the case with many applications known in the art, the pane 500 associated with the Internet browser includes a titlebar 510. An embodiment of the invention provides a user-selectable button 520 in the titlebar 510 that, when selected by the user, invokes a menu 530 of options selectable by the user. Such options may, for example, enable the user to associate the application with a zone different from the zone in which the application is currently run and/or enable the user to invoke a pane, such as the pane 400 illustrated in and described with reference to FIG. 4, or other interface that will allow the user to create a zone-association rule to be applied to the application. Although the button 520 is, in the illustrated example, positioned in the titlebar 510, it should be appreciated that the button could be positioned in one or more different portions of the pane 500. Alternatively, the button 520 could be displayed in a portion of the display device external to the pane 500. Additionally, a user-selectable field other than the button 520 may be presented in order to enable the user to invoke the menu 530.
[0041] FIG. 6 illustrates a process 600, according to an embodiment of the invention, that can be implemented in a system having a security mechanism that determines access by an application to system resources based on a security context in which the application is run. This same system may employ the same or a different security mechanism, which determines access to system resources based on information in an access token against security information associated with each of the resources in order to control access of the application to the system resources. The process 600 is illustrated as a set of operations shown as discrete blocks. The process 600 may be implemented in any suitable hardware, software, firmware, or combination thereof. As such the process 600 may be implemented in computer-executable instructions that can be transferred from one computer, such as server 230, to a second computer, such as client device 210, via a communications medium, such as network 220. The order in which the operations are described is not to be necessarily construed as a limitation.
[0042] At a block 610, a user interface is provided that enables a user to define a plurality of security contexts. Alternatively, or additionally, definitions may be received, for example, by the client device 210 from the network 220 from the server 230. Each security context provides access to a respective set of the system resources. For example, an embodiment may provide a user interface (not shown) that enables a user to create and define the sets of system resources associated with the zones 310-330 described with reference to FIG. 3. In an embodiment, the user interface further enables the user to assign a processing priority to at least one of the security contexts. In an embodiment, the user interface further enables the user to assign a memory-usage allocation to at least one of the security contexts. In an embodiment, the user interface further enables the user to apply a set of predetermined rules to at least one of the security contexts and/or at least one of the applications. In an embodiment, the user interface further provides a representation of each security context in a respective portion of a display-device screen, such as the display of zone fields 310-330.
[0043] At a block 620, the user interface enables the user to associate each application of a plurality of applications with a respective one of the security contexts. For example, the applications may be associated with the Safe zone 320 or Admin zone 330 described herein with reference to FIG. 3. In an embodiment, the user interface enables the user to associate an application with a security context by placing a graphical representation of the application, such as the icon 350, in a screen portion associated with the security context, such as one of the zones 310-330. In an embodiment, the user interface enables the user to change the security context of an application by dragging the graphical representation of the application from a screen portion associated with a first security context and dropping the graphical representation in a screen portion associated with a second security context.
[0044] At a block 630, a first one of the applications is run subject to a first associated security context. For example, the applications may be run in, and subject to the system-resource limitations of, the Safe zone 320 or Admin zone 330. In an embodiment, the first one of the applications can transition, without re-launching the application, from running subject to the first security context to running subject to a second security context. [0045] FIG. 7 illustrates a process 700, according to an embodiment of the invention, that can be implemented in a system having a security mechanism that determines access by an application to system resources based on a security context in which the application is run. This same system may employ the same or a different security mechanism, which determines access to system resources based on information in an access token against security information associated with each of the resources in order to control access of the application to the system resources. The process 700 is illustrated as a set of operations shown as discrete blocks. The process 700 may be implemented in any suitable hardware, software, firmware, or combination thereof. As such the process 700 may be implemented in computer-executable instructions that can be transferred from one computer, such as server 230, to a second computer, such as client device 210, via a communications medium, such as network 220. The order in which the operations are described is not to be necessarily construed as a limitation. [0046 J At a block 710, definitions of a plurality of security contexts are received. Each security context provides access to a respective set of the system resources. These definitions may be received, for example, by the client device 210 from a user of the client device or over the network 220 from the server 230.
[0047] At a block 720, receiving from the user an association of each application of a plurality of applications with a respective one of the security contexts. For example, the applications may be associated with the Safe zone 320 or Admin zone 330 described herein with reference to FIG. 3. In an embodiment, the user may associate an application with a security context by placing a graphical representation of the application, such as the icon 350, in a screen portion associated with the security context, such as one of the zones 310-330. In an embodiment, the user may change the security context of an application by dragging the graphical representation of the application from a screen portion associated with a first security context and dropping the graphical representation in a screen portion associated with a second security context.
[0048] At a block 730, a first one of the applications is run subject to a first associated security context. For example, the applications may be run in, and subject to the system-resource limitations of, the Safe zone 320 or Admin zone 330. In an embodiment, the first one of the applications can transition, without re-launching the application, from running subject to the first context to running subject to a second security context.
[0049] FIG. 8 illustrates a process 800, according to an embodiment of the invention, that can be implemented in a system having a security mechanism that deteπnines access by an application to system resources based on a security context in which the application is run. This same system may employ the same or a different security mechanism, which determines access to system resources based on information in an access token against security information associated with each of the resources in order to control access of the application to the system resources. The process 800 is illustrated as a set of operations shown as discrete blocks. The process 800 may be implemented in any suitable hardware, software, firmware, or combination thereof. As such the process 800 may be implemented in computer-executable instructions that can be transferred from one computer, such as server 230, to a second computer, such as client device 210, via a communications medium, such as network 220. The order in which the operations are described is not to be necessarily construed as a limitation.
[0050] At a block 810, the application is run subject to a first security context providing access to a first set of the system resources. For example, the application may be run in the Admin zone 330 described herein with reference to FIG. 3.
[0051] At a block 820, a request is received to run the first application subject to a second security context providing access to a second set of the system resources different from the first set. For example, as discussed above with reference to FIG. 3, the application may be moved or otherwise reassigned from the Admin zone 330 to the Safe zone 320. In an embodiment, and as described herein with reference to FIG. 5, a user may provide the request via a user-selectable field displayed within a user interface associated with the first application.
[0052] At a block 830, the first application is run subject to the second security context. In an embodiment, the application runs subject to the second security context without re-launching the application. As such, for example, the application can transition "on the fly" from running in the Admin zone 330 to running in the Safe zone 320. In an embodiment, the first security context, with respect to the second security context, provides access to fewer of the system resources. Alternatively, the first security context, with respect to the second security context, provides access to at least the same system resources. In an embodiment, at least one of the security contexts is defined by at least one privilege and/or group identifier.
[0053] In general, in a conventional operating system, such as, for example, the Windows NT operating system, a user performs tasks by accessing the system's resources via processes (and their threads). When a user logs on to the operating system and is authenticated, a security context may be set up for that user, which includes building an access token 900. As shown in the left portion of FIG. 9, a conventional user-based access token 900 includes a UserAndGroups field 902 including a security identifier (Security ID, or SID) 904 based on the user's credentials and one or more group IDs 906 identifying groups (e.g., within an organization) to which that user belongs and a Token ID. The token 900 also includes a privileges field 908 listing any privileges assigned to the user. For example, one such privilege may give an administrative-level user the ability to set the system clock through a particular application programming interface (API).
[0054] The role and functionality of access tokens, such as token 900, in regulating access to system resources are described in detail in, for example, U. S. Patent No. 6,308,274 entitled "Least Privilege Via Restricted Tokens" to Swift, which is hereby fully incorporated by reference herein.
[0055] An embodiment of the invention seeks to create a token that limits access to system resources in proportion to a particular user's group membership and/or granted privileges, for example. Such a limited token may only receive the allowable attributes of a corresponding parent token while omitting selected attributes, such as, for example, membership in the Administrator's group. In order to include the attributes of an existing parent token, an embodiment employs a function that can extract from the parent token certain attributes. The attributes of interest may include, for example:
[0056] TOKEN_STATISTICS
[0057] TOKEN_OWNER [0058] TOKEN GROUPS
[0059] TOKEN PRIVILEGES
[0060] TOKEN_PRIMARY_GROUP
[0061] TOKLENJ)EFAULTJDACL
[0062] TOKEN SOURCE [0063] Referring again to FIG. 9, a limited token 910, based on a parent token, such as token 900, may be created by employing a GetLimitedToken API 912 or other executable function. In the example illustrated in FIG. 9, the limited token 910 includes a UserAndGroups field 914, a privileges field 916, a Limited Token ID and the Token ID of the parent token 900. However, for purposes of the application with which the limited token 910 is associated, the limited token has been created with the omission of the Group3 SID and Privilege2 present in the parent token 900. In an embodiment, the limited token 910 provides a user access to fewer system resources than would be the case with the parent token 900. Alternatively, depending on operating system and/or application configuration, the limited token 910 provides a user access to a greater amount of system resources than would be the case with the parent token 900.
[0064] A result of this process may be the creation of a clone of an original token with only select attributes present in the clone. This process provides the benefit of creating a clone with the original User ID (SID) and/or group memberships and/or privileges except those deemed to be unsafe in a limited security context. [0065] In some operating systems employing a security mechanism in which embodiments of the present invention may be implemented, the parent token may, in some instances, be created in such manner that the token has membership in a group, such as the Administrator's group, but that membership may be marked as "Deny Only." Because a security issue may be created if any group in the parent token that was marked as "Deny Only" is omitted in the limited token, the API 912, in embodiments thereof, may fail creation of the limited token or may include the "Deny Only" group or other access-restricting attribute in the limited token. [0066] FIG. 10 illustrates a process 1000, according to an embodiment of the invention, that can be implemented in a system having a security mechanism that determines access to system resources based on information in an access token against security information associated with each of the resources in order to control access of an application to the system resources. The process 1000 is illustrated as a set of operations shown as discrete blocks. The process 1000 may be implemented in any suitable hardware, software, firmware, or combination thereof. As such the process 1000 may be implemented in computer-executable instructions that can be transferred from one computer, such as server 230, to a second computer, such as client device 210, via a communications medium, such as network 220. The order in which the operations are described is not to be necessarily construed as a limitation.
[0067] At a block 1010, data related to access by the application to at least one of the system resources is accessed. For example, the API 912 may have access to a set of stored data defining resource-access restrictions to be placed on certain users when utilizing certain applications. This stored data may include, for example, a whitelist of allowable privileges and/or group identifiers.
[0068] At a block 1020, a request to run the application is received. [0069] At a block 1030, a first access token is created having a first set of attributes enabling access to at least one of the system resources and selected based on the data. Alternatively, the attributes may disable access to any of the system resources. These attributes may include, for example, a privilege and/or a group identifier. For example, in an embodiment, the API 912 may employ the GetModifiedTokenGroups and/or GetLimitedPrivileges functions described in at least one application incorporated by reference herein to effect limitation on, for example, the Group SIDs and/or Privileges conferred on the limited token 910. The first token can be based on a second access token having a second set of the attributes. For example, as discussed above, the limited token 910 may be based on the parent token 900. Additionally, the first-set attributes can be fewer in number than the second-set attributes. In an embodiment, the first token, with respect to the second token, provides access to fewer of the system resources. Alternatively, the first token, with respect to the second token, provides access to a greater number or amount of the system resources. Alternatively, the first token, with respect to the second token, provides access to an equal number or amount of the system resources, but, perhaps, different one(s) of the resources. [0070] At a block 1040, the first token is associated with the application.
Accordingly, the application may run subject to the first token.
[0071] FIG. 11 illustrates a process 1100, according to an embodiment of the invention, that can be implemented in a system having a security mechanism that determines access to system resources based on information in an access token against security information associated with each of the resources in order to control access of an application to the system resources. The process 1100 is illustrated as a set of operations shown as discrete blocks. The process 1100 may be implemented in any suitable hardware, software, firmware, or combination thereof. As such the process 1100 may be implemented in computer-executable instructions that can be transferred from one computer, such as server 230, to a second computer, such as client device 210, via a communications medium, such as network 220. The order in which the operations are described is not to be necessarily construed as a limitation.
[0072] At a block 1110, a request to run the application is received.
[0073] At a block 1120, the application is launched subject to a first access token providing access to a first set of the system resources. For example, the application may launch subject to its original, unmodified token.
[0074] At a block 1 130, a second access token is created providing access to a second set of the system resources different from the first set. For example, in an embodiment, the API 912 may employ the GetModifiedTokenGroups and/or GetLimitedPrivileges functions described in at least one application incorporated by reference herein to effect limitation on, for example, the Group SIDs and/or Privileges conferred on the limited token 910. The second access token can be based on the first access token. For example, as discussed above, the limited token 910 may be based on the parent token 900.
[0075] At a block 1140, the second access token is associated with the application. The application runs subject to the second access token without re-launching the application. As such, the process token may be replaced live on the application, granting the application a new security context. In an embodiment, the first token, with respect to the second token, provides access to fewer of the system resources.
Alternatively, the first token, with respect to the second token, provides access to a greater number or amount of the system resources. Alternatively, the first token, with respect to the second token, provides access to an equal number or amount of the system resources, but, perhaps, different one(s) of the resources.
[0076] In an embodiment, a duplicate of the first access token may be created and stored in memory. As such, if the original security context is subsequently desired, the duplicate may be retrieved and associated with the application, also without relaunching the application. Alternatively, of course, the first access token itself may be stored and subsequently retrieved for similar purposes.
[0077] Consequently, a process that is already running with certain attributes, such as membership in the Administrator's group, can be limited (i.e., placed in a more restrictive security context) on the fly without stopping or restarting the application. Additionally, a process that is already running under a particular user's security account can be changed, on the fly, to run under another user's security account without stopping or restarting the application. In addition, a process that was originally launched in a limited security context (i.e., lacking membership in the Administrator's group) can be "promoted" or "escalated" by granting it Administrator's powers without stopping or restarting the application. Since the original process token may be cached (i.e., saved), the process can be reverted or restored to its original security context by replacing the modified token with the original token that was used to launch the application.
[0078] FIG. 12 illustrates a process 1200, according to an embodiment of the invention, that can be implemented in a system having a security mechanism that determines access to system resources based on information in an access token against security information associated with each of the resources in order to control access of an application to the system resources. The process 1200 is illustrated as a set of operations shown as discrete blocks. The process 1200 may be implemented in any suitable hardware, software, firmware, or combination thereof. As such the process 1200 may be implemented in computer-executable instructions that can be transferred from one computer, such as server 230, to a second computer, such as client device 210, via a communications medium, such as network 220. The order in which the operations are described is not to be necessarily construed as a limitation. [0079] At a block 1210, a request to run the application is received.
[0080] At a block 1220, the application is launched subject to a first access token providing access to a first set of the system resources.
[0081] At a block 1230, a second access token is retrieved from a memory and provides access to a second set of the system resources different from the first set. For example, as discussed above with reference to FIG. 11 , the original token with which the application was associated when launched may have been previously stored and is thus available for retrieval. The first access token can be based on the second access token.
[0082] At a block 1240, the second access token is associated with the application. The application runs subject to the second access token without re-launching the application. As such, the process token may be replaced live on the application, granting the application a new security context, which may result in the application running subject to its original, unmodified token. In an embodiment, the first token, with respect to the second token, provides access to fewer of the system resources. Alternatively, the first token, with respect to the second token, provides access to a greater number or amount of the system resources. Alternatively, the first token, with respect to the second token, provides access to an equal number or amount of the system resources, but, perhaps, different one(s) of the resources. [0083] FIG. 13 illustrates a process 1300, according to an embodiment of the invention, that can be implemented in a system having a security mechanism that determines access to system resources based on information in an access token against security information associated with each of the resources in order to control access of an application to the system resources. The process 1300 is illustrated as a set of operations shown as discrete blocks. The process 1300 may be implemented in any suitable hardware, software, firmware, or combination thereof. As such the process 1300 may be implemented in computer-executable instructions that can be transferred from one computer, such as server 230, to a second computer, such as client device 210, via a communications medium, such as network 220. The order in which the operations are described is not to be necessarily construed as a limitation.
[0084] At a block 1310, the application is run subject to a first access token providing access to a first set of the system resources.
[0085] At a block 1320, a second access token is retrieved from a memory and provides access to a second set of the system resources different from the first set. For example, as discussed above with reference to FIG. 11 , the original token with which the application was associated when launched may have been previously stored and is thus available for retrieval. The first access token can be based on the second access token.
[0086] At a block 1330, the second access token is associated with the application. The application runs subject to the second access token without re-launching the application. As such, the process token may be replaced live on the application, granting the application a new security context, which may result in the application running subject to its original, unmodified token. In an embodiment, the first token, with respect to the second token, provides access to fewer of the system resources. Alternatively, the first token, with respect to the second token, provides access to a greater number or amount of the system resources. Alternatively, the first token, with respect to the second token, provides access to an equal number or amount of the system resources, but, perhaps, different one(s) of the resources. [0087] FIG. 14 illustrates a process 1400, according to an embodiment of the invention, that can be implemented in a system having a security mechanism that determines access to system resources based on information in an access token against security information associated with each of the resources in order to control access of an application to the system resources. The process 1400 is illustrated as a set of operations shown as discrete blocks. The process 1400 may be implemented in any suitable hardware, software, firmware, or combination thereof. As such the process 1400 may be implemented in computer-executable instructions that can be transferred from one computer, such as server 230, to a second computer, such as client device 210, via a communications medium, such as network 220. The order in which the operations are described is not to be necessarily construed as a limitation.
[0088] At a block 1410, a request to run the application is detected. The application may be associated with a first access token providing access to a first set of the system resources. For example, in an embodiment, at least a portion of the computer- executable instructions may include a driver operable to monitor process-creation events, such as a request to run an application.
[0089] At a block 1420, a second access token is created providing access to a second set of the system resources different from the first set. In an embodiment, the second access token is created prior to launching and running the application and in a manner similar to that described elsewhere herein. The second access token can be based on the first access token.
[0090] At a block 1430, after the second access token is created, the application is launched subject to the second access token. Advantageously, at least one thread of execution of the application runs subject to the second access token. In an embodiment, at least a portion of the computer-executable instructions may include a callback function registered by the driver to facilitate creation and implementation of the second access token. In an embodiment, the first token, with respect to the second token, provides access to fewer of the system resources. Alternatively, the first token, with respect to the second token, provides access to a greater number or amount of the system resources.
Alternatively, the first token, with respect to the second token, provides access to an equal number or amount of the system resources, but, perhaps, different one(s) of the resources.
[0091] In an embodiment, a duplicate of the first access token may be created and stored in memory. As such, if the original security context is subsequently desired for the application and/or associated threads, the duplicate may be retrieved and associated with the application without re-launching the application. Alternatively, of course, the first access token itself may be stored and subsequently retrieved for similar purposes.
[0092] While a preferred embodiment of the invention has been illustrated and described, as noted above, many changes can be made without departing from the spirit and scope of the invention. Accordingly, the scope of the invention is not limited by the disclosure of the preferred embodiment. Instead, the invention should be determined entirely by reference to the claims that follow.
The embodiments of the invention in which an exclusive property or privilege is claimed are defined as follows:

Claims

1. A method of transferring a computer program product from at least one first computer to at least one second computer connected to the at least one first computer through a communication medium, the method comprising the steps of:
(a) accessing, on the at least one first computer, computer-executable instructions that, when executed in a system having a security mechanism that determines access by an application to system resources based on a security context in which the application is run, perform at least the steps of:
(1) running a first application subject to a first security context providing access to a first set of the system resources;
(2) receiving a request to run the first application subject to a second security context providing access to a second set of the system resources different from the first set; and
(2) running the first application subject to the second security context, wherein the application runs subject to the second security context without re-launching the application; and
(b) transferring the computer-executable instructions from the at least one first computer to the at least one second computer through the communications medium.
2. The method of claim 1 wherein the first security context, with respect to the second security context, provides access to fewer of the system resources.
3. The method of claim 1 wherein the second security context, with respect to the first security context, provides access to at least the same system resources.
4. The method of claim 1 wherein at least one of the security contexts is defined by at least one privilege.
5. The method of claim 1 wherein at least one of the security contexts is defined by at least one group identifier.
6. The method of claim 1 wherein: the first application includes a user interface; and the computer-executable instructions further perform the step of displaying within the user interface a user-selectable field operable to enable the user to provide the request to run the first application subject to the second security context.
7. A computer-readable medium having computer-executable instructions that, when executed in a system having a security mechanism that determines access by an application to system resources based on a security context in which the application is run, perform at least the steps of:
(a) providing a user interface that:
(1) enables a user to define a plurality of security contexts, each security context providing access to a respective set of the system resources; and
(2) enables the user to associate each application of a plurality of applications with a respective one of the security contexts; and
(b) running a first one of the applications subject to a first associated security context.
8. The medium of claim 7 wherein the user interface further enables the user to define each set of the system resources.
9. The medium of claim 7 wherein the computer-executable instructions further perform the step of running the first one of the applications subject to a second security context without re-launching the application.
10. The medium of claim 7 wherein the user interface further enables the user to assign a processing priority to at least one of the security contexts.
11. The medium of claim 7 wherein the user interface further enables the user to assign a memory allocation to at least one of the security contexts.
12. The medium of claim 7 wherein the user interface further enables the user to apply a set of predetermined rules to at least one of the security contexts.
13. The medium of claim 7 wherein the user interface further enables the user to apply a set of predetermined rules to at least one of the applications.
14. The medium of claim 7 wherein the user interface further provides a representation of each security context in a respective portion of a display-device screen.
15. The medium of claim 14 wherein the user interface further enables the user to associate an application with a security context by placing a graphical representation of the application in a screen portion associated with the security context.
16. The medium of claim 15 wherein the user interface further enables the user to change the security context of an application by dragging a graphical representation of the application from a screen portion associated with a first security context and dropping the graphical representation in a screen portion associated with a second security context.
17. A computer-readable medium having computer-executable instructions that, when executed in a system having a security mechanism that determines access by an application to system resources based on a security context in which the application is run, perform at least the steps of: receiving definitions of a plurality of security contexts, each security context providing access to a respective set of the system resources; receiving from the user an association of each application of a plurality of applications with a respective one of the security contexts; and running a first one of the applications subject to a first associated security context.
18. The medium of claim 17 wherein the computer-executable instructions further perform the step of running the first one of the applications subject to a second security context without re-launching the application.
19. The medium of claim 17 wherein the computer-executable instructions further perform the step of enabling the user to apply a set of predetermined rules to at least one of the security contexts.
20. The medium of claim 17 wherein the computer-executable instructions further perform the step of enabling the user to apply a set of predetermined rules to at least one of the applications.
PCT/US2006/060014 2005-10-14 2006-10-16 Control of application access to system resources WO2008048320A1 (en)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US72728805P 2005-10-14 2005-10-14
US60/727,288 2005-10-14
US11/549,804 US20070199072A1 (en) 2005-10-14 2006-10-16 Control of application access to system resources
US11/549,804 2006-10-16

Publications (1)

Publication Number Publication Date
WO2008048320A1 true WO2008048320A1 (en) 2008-04-24

Family

ID=39314312

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2006/060014 WO2008048320A1 (en) 2005-10-14 2006-10-16 Control of application access to system resources

Country Status (1)

Country Link
WO (1) WO2008048320A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3057028A1 (en) * 2015-02-16 2016-08-17 Samsung Electronics Co., Ltd. Electronic device for installing application and method of controlling same
EP3057026A1 (en) * 2015-02-16 2016-08-17 Samsung Electronics Co., Ltd. Electronic device for executing application and method of controlling same

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6289458B1 (en) * 1998-09-21 2001-09-11 Microsoft Corporation Per property access control mechanism
US6308274B1 (en) 1998-06-12 2001-10-23 Microsoft Corporation Least privilege via restricted tokens
US6321334B1 (en) * 1998-07-15 2001-11-20 Microsoft Corporation Administering permissions associated with a security zone in a computer system security model
US6505300B2 (en) * 1998-06-12 2003-01-07 Microsoft Corporation Method and system for secure running of untrusted content
US6826698B1 (en) * 2000-09-15 2004-11-30 Networks Associates Technology, Inc. System, method and computer program product for rule based network security policies

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6308274B1 (en) 1998-06-12 2001-10-23 Microsoft Corporation Least privilege via restricted tokens
US6505300B2 (en) * 1998-06-12 2003-01-07 Microsoft Corporation Method and system for secure running of untrusted content
US6321334B1 (en) * 1998-07-15 2001-11-20 Microsoft Corporation Administering permissions associated with a security zone in a computer system security model
US6289458B1 (en) * 1998-09-21 2001-09-11 Microsoft Corporation Per property access control mechanism
US6826698B1 (en) * 2000-09-15 2004-11-30 Networks Associates Technology, Inc. System, method and computer program product for rule based network security policies

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3057028A1 (en) * 2015-02-16 2016-08-17 Samsung Electronics Co., Ltd. Electronic device for installing application and method of controlling same
EP3057026A1 (en) * 2015-02-16 2016-08-17 Samsung Electronics Co., Ltd. Electronic device for executing application and method of controlling same
US20160239287A1 (en) * 2015-02-16 2016-08-18 Samsung Electronics Co., Ltd. Electronic device for installing application and method of controlling same
KR20160100760A (en) * 2015-02-16 2016-08-24 삼성전자주식회사 Electronic devcie for installing application and method for cotrolling thereof
US10146517B2 (en) 2015-02-16 2018-12-04 Samsung Electronics Co., Ltd Electronic device for installing application and method of controlling same
US10360375B2 (en) 2015-02-16 2019-07-23 Samsung Electronics Co., Ltd Electronic device for executing application and method of controlling same
KR102320151B1 (en) * 2015-02-16 2021-11-01 삼성전자주식회사 Electronic devcie for installing application and method for cotrolling thereof

Similar Documents

Publication Publication Date Title
US11675918B2 (en) Policy-based user device security checks
US8806494B2 (en) Managed control of processes including privilege escalation
US7246374B1 (en) Enhancing computer system security via multiple user desktops
US11272030B2 (en) Dynamic runtime interface for device management
US9594898B2 (en) Methods and systems for controlling access to resources and privileges per process
US7516477B2 (en) Method and system for ensuring that computer programs are trustworthy
US7188127B2 (en) Method, system, and program for processing a file request
US20070199057A1 (en) Control of application access to system resources
US8020190B2 (en) Enhanced browser security
US8667578B2 (en) Web management authorization and delegation framework
US7895664B2 (en) Determination of access checks in a mixed role based access control and discretionary access control environment
US20070240150A1 (en) Simplifying installation of a suite of software products
US20070233686A1 (en) Isolated access to named resources
JP2011526387A (en) Granting least privilege access for computing processes
CN108351769B (en) Dashboard as a remote computing service
US20070199072A1 (en) Control of application access to system resources
US20150379294A1 (en) Joint ownership of protected information
US7797727B1 (en) Launching an application in a restricted user account
WO2009005935A2 (en) Using a trusted entity to drive security decisions
US20230315909A1 (en) Computer device and method for managing privilege delegation
US8640215B2 (en) Secure isolation of application pools
WO2008048320A1 (en) Control of application access to system resources
JP2004062241A (en) Controller and method for controlling user access right
US8627068B1 (en) Selecting access authorities
WO2008063185A1 (en) Control of application access to system resources

Legal Events

Date Code Title Description
NENP Non-entry into the national phase

Ref country code: DE

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 06850049

Country of ref document: EP

Kind code of ref document: A1