Resource restriction systems and methods

US9400688B2 · US · B2

Patent metadata
Publication number: US-9400688-B2
Application number: US-201414491970-A
Country: US
Kind code: B2
Filing date: Sep 19, 2014
Priority date: Aug 4, 2006
Publication date: Jul 26, 2016
Grant date: Jul 26, 2016

Abstract

Official abstract text for this publication.

Resource restrictions are associated with a user identifier. A resource restriction agent receives operating system calls related for resources and provides resource request data to a resource agent. The resource agent determines whether the resource is restricted based on the resource request data and resource restriction data and generates access data based on the determination. The resource restriction agent grants or denies the system call based on the access data.

First claim

Opening claim text (preview).

What is claimed is:

1. A non-transitory machine readable medium storing a resource agent for execution outside of an operating system of a device by a set of processing units of the device, the resource agent comprising sets of instructions for: at the resource agent executing outside the operating system, receiving a system call from the operating system; determining whether the system call is subject to a resource restriction of at least one of a plurality of types of resource restriction; when the system call is subject to a resource restriction of at least one of the plurality of resource restriction types, causing the operating system to cancel the system call; and when the system call is not subject to a resource restriction of at least one of the plurality of resource restriction types, causing the operating system to allow the system call.

2. The non-transitory machine readable medium of claim 1, wherein the plurality of resource restriction types comprises a type of resource restriction that is defined by an application path.

3. The non-transitory machine readable medium of claim 1, wherein the plurality of resource restriction types comprises a type of resource restriction that is defined by an identifier associated with the resource.

4. The non-transitory machine readable medium of claim 1, wherein the plurality of resource restriction types comprises a type of resource restriction that is defined by a hash of a file associated with the resource.

5. The non-transitory machine readable medium of claim 1, wherein the set of instructions for receiving the system call from the operating system comprises a set of instructions for communicating with the operating system through a privileged root-owned socket.

6. The non-transitory machine readable medium of claim 1, wherein the system call is associated with a user, wherein the set of instructions for determining whether the system call is subject to a resource restriction comprises a set of instructions for examining a set of resource restrictions stored in a data store for the user.

7. For a resource agent for execution outside of an operating system of a device, a method comprising: at the resource agent executing outside the operating system receiving a resource request from the operating system; determining whether the resource request is subject to a resource restriction of at least one of a plurality of types of resource restriction; when the resource request is subject to a resource restriction of at least one of the plurality of resource restriction types, causing the operating system to cancel the resource request; and when the resource request is not subject to a resource restriction of at least one of the plurality of resource restriction types, causing the operating system to allow the resource request.

8. The method of claim 7, wherein the plurality of resource restriction types comprises a type of resource restriction that is defined by an application path.

9. The method of claim 7, wherein the plurality of resource restriction types comprises a type of resource restriction that is defined by an identifier associated with a resource.

10. The method of claim 7, wherein the plurality of resource restriction types comprises a type of resource restriction that is defined by a hash of a file associated with a resource.

11. The method of claim 7, wherein receiving the resource request from the operating system comprises communicating with the operating system through a privileged root-owned socket.

12. The method of claim 7, wherein the resource request is associated with a user, wherein determining whether the resource request is subject to a resource restriction comprises examining a set of resource restrictions stored in a data store for the user.

13. The method of claim 7 further comprising: determining whether the resource request includes a system call identifier; and when the resource request does not include a system call identifier, determining a system call identifier associated with the resource request.

14. The method of claim 7 further comprising: determining whether the resource request includes a user identifier; and when the resource request does not include a user identifier, determining a user identifier associated with the resource request.

15. An electronic device comprising: a set of processing units for executing sets of instructions; a non-transitory machine readable storage for storing a resource agent which when executed by at least one of the processing units executes outside an operating system of the electronic device, the resource agent comprising sets of instructions for: at the resource agent executing outside the operating system receiving a system call from the operating system; determining whether the system call is subject to a resource restriction of at least one of a plurality of types of resource restriction; when the system call is subject to a resource restriction of at least one of the plurality of resource restriction types, causing the operating system to cancel the system call; and when the system call is not subject to a resource restriction of at least one of the plurality of resource restriction types, causing the operating system to allow the system call.

16. The electronic device of claim 15, wherein the plurality of resource restriction types comprises a type of resource restriction that is defined by an application path.

17. The electronic device of claim 15, wherein the plurality of resource restriction types comprises a type of resource restriction that is defined by an identifier associated with the resource.

18. The electronic device of claim 15, wherein the plurality of resource restriction types comprises a type of resource restriction that is defined by a hash of a file associated with the resource.

19. The electronic device of claim 15, wherein the set of instructions for receiving the system call from the operating system comprises a set of instructions for communicating with the operating system through a privileged root-owned socket.

20. The electronic device of claim 15, wherein the system call is associated with a user, wherein the set of instructions for determining whether the system call is subject to a resource restriction comprises a set of instructions for examining a set of resource restrictions stored in a data store for the user.

Assignees

Inventors

Classifications

  • H04L63/104 (Primary)

    Grouping of entities · CPC title

  • Providing cryptographic facilities or services · CPC title

  • G06F9/5005 (Primary)

    to service a request · CPC title

  • Interprogram communication · CPC title

  • Program or device authentication · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9400688B2 cover?
Resource restrictions are associated with a user identifier. A resource restriction agent receives operating system calls related for resources and provides resource request data to a resource agent. The resource agent determines whether the resource is restricted based on the resource request data and resource restriction data and generates access data based on the determination. The resource …
Who is the assignee on this patent?
Apple Inc, Apple Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/104. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jul 26, 2016 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).