Trust level activation

US8973158B2 · US · B2

Patent metadata
Publication number: US-8973158-B2
Application number: US-201113186474-A
Country: US
Kind code: B2
Filing date: Jul 20, 2011
Priority date: Jul 20, 2011
Publication date: Mar 3, 2015
Grant date: Mar 3, 2015

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

An isolation execution environment provides an application with limited resources to execute an application. The application may require access to secured resources associated with a particular trust level that are outside of the isolation execution environment. A trust activation engine determines the trust level associated with a request for a resource and operates differently based on the trust level. A broker process may be used to execute components providing access to resources having a partial trust level in an execution environment that is separate from the isolation execution environment.

First claim

Opening claim text (preview).

What is claimed:

1. A computer-implemented method, comprising: associating one of a plurality of trust levels with a component, the component including executable instructions that access a resource controlled by an operating system, the trust level associates a security level with the resource; associating a privilege level with an application, the privilege level associates a security level with the application, the trust level of the component separate from the privilege level of the application; executing the application in an isolation execution environment when the privilege level of the application is a first level; requesting, by the application, activation of the component; and based on the trust level of the component and the privilege level of the application, executing the component requested by the application in a broker process, the broker process accesses the resource in an execution environment that is separate from the isolation execution environment.

2. The computer-implemented method of claim 1, wherein the application is associated with a low privilege level.

3. The computer-implemented method of claim 1, wherein the component requested by the application is associated with a partial trust level.

4. The computer-implemented method of claim 1, further comprising: executing the component requested by the application in the isolation execution environment when the component requested by the application has a base trust level.

5. The computer-implemented method of claim 1, further comprising: denying access to the component requested by the application when the requested component has a full trust level.

6. The computer-implemented method of claim 1, further comprising: generating an API object associated with the component requested by the application when the component requested by the application is associated with a partial trust level; and activating the API object within the broker process.

7. The computer-implemented method of claim 1, further comprising: generating an API object associated with the component requested by the application when the component requested by the application is associated with a base trust level; and activating the API object within the isolation execution environment.

8. A computer-readable storage device storing thereon processor-executable instructions that when executed perform actions, comprising: creating an isolation execution environment that executes an application, the application associated with a privilege level; requesting activation of a component by the application, the component including executable instructions used to access a resource controlled by an operating system, the component associated with a trust level, the trust level of the component separate from the privilege level of the application; and based on the trust level of the component and the privilege level of the application; creating a broker process to execute the component requested by the application; and executing the component requested by the application in the broker process, the broker process operates in an execution environment separate from the isolation execution environment.

9. The computer-readable storage device of claim 8, further comprising: recognizing a plurality of trust levels associated with a component.

10. The computer-readable storage device of claim 8, further comprising: executing the component requested by the application in the isolation execution environment when the component requested by the application is associated with a base trust level.

11. The computer-readable storage device of claim 8, further comprising: denying execution of the component requested by the application in the isolation execution environment when the component requested by the application is associated with a full trust level.

12. The computer-readable storage device of claim 8, further comprising: generating an API object associated with the component requested by the application which is executed in the broker process when the component requested by the application is associated with a partial trust level.

13. The computer-readable storage device of claim 8, further comprising: generating an API object associated with the component requested by the application which is executed in the isolation execution environment when the component requested by the application is associated with a base trust level.

14. The computer-readable storage device of claim 8, further comprising: creating an execution environment that executes a high privilege application; and executing a component requested by the high privilege application in the execution environment.

15. An apparatus, comprising: a processor; and a memory, coupled to the processor, the memory having a trust activation module, the trust activation module containing instructions that when executed on the processor determines whether an application, associated with a select privilege level, may access a component having a select trust level, the application executing in an isolation execution environment separate from the trust activation module, the component including executable instructions used to access a resource controlled by an operating system, the trust activation module configures a broker process to execute the component based on the trust level of the component and the privilege level of the application in an execution environment separate from the isolation execution environment, the trust level of the component separate from the privilege level of the application.

16. The apparatus of claim 15, further comprising: the trust activation module containing instructions that when executed on the processor prohibits a low privilege application from executing the component when the component has a full trust level.

17. The apparatus of claim 15, further comprising: the trust activation module containing instructions that when executed on the processor enables a high privilege application to execute any trust level component.

18. The apparatus of claim 15, further comprising: the trust activation module containing instructions that when executed on the processor provides a low privilege application with executable code configured to execute in the isolation execution environment when the component has a base trust level.

19. The apparatus of claim 15, further comprising: the trust activation module containing instructions that when executed on the processor denies execution of a component requested by the application in the isolation execution environment when the component requested by the application is associated with a full trust level.

20. The apparatus of claim 15, wherein the component is associated with an API object.

Classifications

  • G06F21/53 (Primary)

    by executing in a restricted environment, e.g. sandbox or secure virtual machine · CPC title

  • during program execution, e.g. stack integrity {; Preventing unwanted data erasure; Buffer overflow} · CPC title

  • at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability · CPC title

  • G06F21/604 (Primary)

    Tools and structures for managing or administering access control systems · CPC title

  • Multi-level security, e.g. mandatory access control · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US8973158B2 cover?
An isolation execution environment provides an application with limited resources to execute an application. The application may require access to secured resources associated with a particular trust level that are outside of the isolation execution environment. A trust activation engine determines the trust level associated with a request for a resource and operates differently based on the tr…
Who is the assignee on this patent?
Abraham Saji, Wilson hart, Basu Tassaduq, and 3 more
What technology area does this patent fall under?
Primary CPC classification G06F21/53. Mapped technology areas include Physics.
When was this patent published?
Publication date Mar 3, 2015 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).