Control of access to computing resources implemented in isolated environments

US11979411B2 · US · B2

Patent metadata
Publication number: US-11979411-B2
Application number: US-202117452740-A
Country: US
Kind code: B2
Filing date: Oct 28, 2021
Priority date: Oct 28, 2021
Publication date: May 7, 2024
Grant date: May 7, 2024

Abstract

Official abstract text for this publication.

A solution is proposed for controlling access to computing resources. A corresponding method comprises receiving and verifying an access request for accessing the computing resources by a secondary computing environment (isolated from the computing resources). A main computing environment (isolated from the secondary computing environment) detects an indication of a positive result of the verification of the access request; in response thereto, the main computing environment verifies an integrity condition of the secondary computing environment and then authorizes the secondary computing environment to access the computing resources accordingly. A computer program and a computer program product for performing the method are also proposed. Moreover, a system for implementing the method is proposed.

First claim

Opening claim text (preview).

What is claimed is:

1. A method for controlling access to one or more computing resources, wherein the method comprises, under control of a computing system: receiving an access request for accessing the computing resources of a main computing environment by a secondary computing environment implemented in the computing system hosting both the main computing environment and the secondary computing environment, the secondary computing environment being isolated from the computing resources, and the main computing environment being isolated from the secondary computing environment; verifying the access request by the secondary computing environment; monitoring an exchange folder of the secondary computing environment by the main computing environment, the exchange folder being accessible to the main computing environment via an operating system of the computing system; detecting an indication of a positive result of said verifying the access request by the monitoring of the exchange folder by the main computing environment; verifying an integrity condition of the secondary computing environment by the main computing environment in response to said detecting the indication of the positive result; authorizing said accessing the computing resources to the secondary computing environment by the main computing environment in response to a positive result of said verifying the integrity condition; generating a public key and a private key by the secondary computing environment, in response to verifying the access request; storing the verification including the public key into an exchange memory area by the secondary computing environment; and signing the public key using a secret key of the main computing environment, in response to detecting the verification by the main computing environment, wherein the main computing environment is defined by the operating system of the computing system and the secondary computing environment is defined by a container running on the operating system, wherein the container emulates a computing environment running on the operating system.

2. The method according to claim 1, wherein said authorizing said accessing the computing resources comprises: generating credentials by the main computing environment in response to the positive result of said verifying the integrity condition; passing the credentials from the main computing environment to the secondary computing environment; submitting a further access request for accessing the computing resources by the secondary computing environment to the main computing environment in response to the credentials; verifying the further access request by the main computing environment according to the credentials provided by the secondary computing environment; and authorizing said accessing the computing resources to the secondary computing environment by the main computing environment in response to a positive result of said verifying the further access request.

3. The method according to claim 1, wherein the method comprises: storing a result indicator into an exchange memory area by the secondary computing environment in response to the positive result of said verifying the access request; and detecting the indication of the positive result by detecting said storing the result indicator by the main computing environment.

4. The method according to claim 3, wherein the method comprises: generating a pair of public key and private key by the secondary computing environment in response to the positive result of said verifying the access request; and storing the result indicator comprising the public key into the exchange memory area by the secondary computing environment.

5. The method according to claim 4, wherein said verifying the integrity condition comprises: verifying a formal correction of the public key by the main computing environment.

6. The method according to claim 3, wherein said authorizing said accessing the computing resources comprises: generating a signature of the result indicator with a secret key thereof by the main computing environment in response to said detecting said storing the result indicator; storing the signature into the exchange memory area by the main computing environment; detecting said storing the signature by the secondary computing environment; submitting a further access request for accessing the computing resources by the secondary computing environment to the main computing environment in response to said detecting said storing the signature; verifying the further access request by the main computing environment according to the signature provided by the secondary computing environment; and authorizing said accessing the computing resources to the secondary computing environment by the main computing environment in response to a positive result of said verifying the further access request.

7. The method according to claim 6, wherein said authorizing said accessing the computing resources comprises: generating the signature having an expiration time by the main computing environment in response to said detecting said storing the result indicator; and verifying the further access request by the main computing environment according to the expiration time of the signature provided by the secondary computing environment.

8. The method according to claim 3, wherein said verifying the integrity condition comprises: verifying an identifier of a process generating the result indicator by the main computing environment.

9. The method according to claim 3, wherein said verifying the integrity condition comprises: verifying a delay between the positive result of said verifying the access request and said storing the result indicator by the main computing environment.

10. The method according to claim 3, wherein said verifying the integrity condition comprises: verifying a delay between said storing the result indicator and a current time by the main computing environment.

11. The method according to claim 1, wherein said verifying the integrity condition comprises: verifying a content of a memory space of the secondary computing environment by the main computing environment.

12. The method according to claim 1, wherein said verifying the integrity condition comprises: verifying processes running in the secondary computing environment by the main computing environment.

13. The method according to claim 1, wherein the computing resources are implemented by the computing system.

14. The method according to claim 1, wherein the computing resources are implemented by one or more further computing systems.

15. A computer program product for controlling access to one or more computing resources, the computer program product comprising one or more computer readable storage media having program instructions collectively stored in said one or more computer readable storage media, the program instructions readable by a computing system to cause the computing system to perform a method comprising: receiving, using the computer, an access request for accessing the computing resources of a main computing environment by a secondary computing environment implemented in the computing system hosting both the main computing environment and the secondary computing environment, the secondary computing environment being isolated from the computing resources, and the main computing environment being isolated from the secondary computing environment; verifying, using the computer, the access request by the secondary computing environment; monitoring an exchange folder of the seconda
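The exchange-folder handshake of claims 3 to 7 and 10, as an added sketch that is not taken from the patent or from any IBM implementation. Assumptions: HMAC-SHA256 stands in for the main environment's signature, a 32-byte value stands in for the container's public key, and the file name, constants and function names are hypothetical.

```python
import base64, hashlib, hmac, json, os, tempfile, time

MAX_AGE_S = 5      # assumed freshness window for the result indicator (claim 10)
TOKEN_TTL_S = 60   # assumed lifetime of the signature (claim 7)
PUBKEY_LEN = 32    # assumed raw public-key length (stand-in for a real key)

def store_indicator(folder, pubkey):
    """Secondary environment: write the result indicator with its public key."""
    path = os.path.join(folder, "indicator.json")  # hypothetical file name
    with open(path, "w") as f:
        json.dump({"public_key": base64.b64encode(pubkey).decode()}, f)
    return path

def issue_signature(secret, path, now=None):
    """Main environment: integrity checks, then sign the key with an expiry."""
    now = time.time() if now is None else now
    if now - os.stat(path).st_mtime > MAX_AGE_S:
        return None                      # indicator stored too long ago
    try:
        with open(path) as f:
            pubkey = base64.b64decode(json.load(f)["public_key"], validate=True)
    except (ValueError, KeyError, TypeError):
        return None                      # indicator is not well formed
    if len(pubkey) != PUBKEY_LEN:
        return None                      # public key fails the formal check
    expires = int(now) + TOKEN_TTL_S
    mac = hmac.new(secret, pubkey + str(expires).encode(), hashlib.sha256)
    return {"public_key": pubkey.hex(), "expires": expires, "sig": mac.hexdigest()}

def verify_further_request(secret, token, now=None):
    """Main environment: check signature and expiry on the follow-up request."""
    now = time.time() if now is None else now
    try:
        expires = int(token["expires"])
        msg = bytes.fromhex(token["public_key"]) + str(expires).encode()
        sig = str(token["sig"]).encode()
    except (ValueError, KeyError, TypeError):
        return False
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest().encode()
    return hmac.compare_digest(expected, sig) and now < expires

if __name__ == "__main__":
    secret = os.urandom(32)              # main environment's secret key
    with tempfile.TemporaryDirectory() as folder:
        path = store_indicator(folder, os.urandom(PUBKEY_LEN))  # constructed key
        token = issue_signature(secret, path)
        print("authorized:", verify_further_request(secret, token))
```

The expiry is bound into the signed message, so a container that edits `expires` in the returned token invalidates the signature rather than extending its access.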

Classifications

  • H04L63/108 (Primary)

    when the policy decisions are valid for a limited amount of time · CPC title

  • involving pairings, e.g. identity based encryption [IBE], bilinear mappings or bilinear pairings, e.g. Weil or Tate pairing · CPC title

  • G06F21/53 (Primary)

    by executing in a restricted environment, e.g. sandbox or secure virtual machine · CPC title

  • for controlling access to devices or network resources · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
IBM
What technology area does this patent fall under?
Primary CPC classification H04L63/108. Mapped technology areas include Electricity.
When was this patent published?
Publication date May 7, 2024 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 6 related publications on this page (citations in our corpus or others sharing the same primary CPC).