Running internet applications with low rights

Information

  • Patent Grant
  • 8078740
  • Patent Number
    8,078,740
  • Date Filed
    Friday, June 3, 2005
  • Date Issued
    Tuesday, December 13, 2011
Abstract
In various embodiments, applications that are configured to interact with the Internet in some way are executed in a restricted process with a reduced privilege level that can prohibit the application from accessing portions of an associated computing device. For example, in some embodiments, the restricted process can prohibit applications from read and write access to portions of a system's computer-readable media, such as the hard disk, that contains administrative data and settings information and user data and settings. In these embodiments, a special portion of the disk, termed a “containment zone”, is designated and used by applications in this restricted process.
Description
TECHNICAL FIELD

This invention pertains to running internet applications with low rights.


BACKGROUND

Many different types of applications are able to interact with the Internet and acquire data or other information from the Internet. For example, some applications can allow a user to download certain content, such as web pages, files and the like. With the ability to interact with the Internet come various risks that are associated with such interaction.


For example, through various interactions that can take place between an application and the Internet, so called malware or spyware can get downloaded on the user's system and can adversely impact the system's performance and, perhaps more importantly, can impermissibly install malicious software. For example, buffer overruns and other security holes can allow malware to maliciously make its way onto a user's system.


With regard to impacting the system's performance, consider the following. In some instances, malware may attempt to, or may actually change security settings associated with a particular application or the user's system in general, thus rendering it more likely for malicious tampering to take place.


Against the backdrop of these and other security concerns remains the ever-present desire, on the part of those who develop software, to provide the user with a safe and rich experience.


SUMMARY

In various embodiments, applications that are configured to interact with the Internet, in some way, are executed in a restricted process with a reduced privilege level that can prohibit the application from accessing portions of an associated computing device. For example, in some embodiments, the restricted process can prohibit applications from read and write access to portions of a system's computer-readable media, such as the hard disk, that contains administrative data and settings information and user data and settings. In these embodiments, a special portion of the disk, termed a “containment zone”, is designated and used by applications in this restricted process.


In other embodiments, a broker mechanism is utilized and is logically interposed between the application and restricted portions or containment zones of the computing system. The broker mechanism acts to broker access to these restricted portions and to ensure that the user is aware of and can approve the application's access to these restricted portions of the computing system.


In other embodiments, a shim mechanism is employed to redirect access, typically for third party extensions, to the containment zones.


In yet other embodiments, an application's execution in the restricted process can result in another application being launched which is functionally similar to the restricted application, yet is less restricted in order to facilitate the user experience in particular contexts which have been deemed as trusted or at least desirably secure.





BRIEF DESCRIPTION OF THE DRAWINGS


FIG. 1 is a block diagram of a system in accordance with one embodiment.



FIG. 2 is a block diagram of a system in accordance with one embodiment.



FIG. 3 is a flow diagram that describes steps in a method in accordance with one embodiment.



FIG. 4 is a block diagram of a system in accordance with one embodiment.



FIG. 5 is a block diagram of a system in accordance with one embodiment.



FIG. 6 is a block diagram of a client computing device in accordance with one embodiment.





DETAILED DESCRIPTION
Overview

In the embodiments described below, applications that are configured to interact with the Internet in some way are executed in a restricted process with a reduced privilege level that can prohibit the application from accessing portions of an associated computing device. For example, in some embodiments, the restricted process can prohibit applications from read and write access to portions of a system's computer-readable media, such as the hard disk, that contains administrative data and settings information and user data and settings. In these embodiments, a special portion of the disk, termed a “containment zone”, is designated and used by applications in this restricted process.


In other embodiments, a broker mechanism is utilized and is logically interposed between the application and restricted portions or containment zones of the computing system. The broker mechanism acts to broker access to these restricted portions and to ensure that the user is aware of and can approve the application's access to these restricted portions of the computing system.


In other embodiments, a shim mechanism is employed to redirect access, typically for third party extensions, to the containment zones.


In yet other embodiments, an application's execution in the restricted process can result in another application being launched which is functionally similar to the restricted application, yet is less restricted in order to facilitate the user experience in particular contexts which have been deemed as trusted or at least desirably secure.


The techniques described in this document can be employed in connection with any type of application that interacts with the Internet. These types of applications, as will be appreciated by the skilled artisan, are many and varied. However, to provide a tangible context to appreciate the inventive embodiments, an application in the form of a web browser application is utilized. It is to be appreciated and understood, however, that the techniques can be employed with other types of applications without departing from the spirit and scope of the claimed subject matter. By way of example and not limitation, these other types of applications include instant messaging clients, peer-to-peer clients, RSS readers, email clients, word processing clients and the like.


Restricting Internet Applications and Using a Broker



FIG. 1 illustrates a high level view of a system 100 in accordance with one embodiment. In this example, system 100 includes an Internet application in the form of a web browser 102 that can interact with the Internet as shown. System 100 also includes computer-readable media 104, such as a hard disk, that contains different portions or “space” that contain different types of information, settings data and the like.


In this example, one portion or space is the administrative space 106 that includes information and data that is usually accessible to and manipulable by a system administrator. This type of information and data can include information and data that is typically contained in operating system folders, computer system folders, permanent file folders and the like. This space usually requires an administrator with the appropriate credentials and privileges in order for its content to be accessed and manipulated.


Another portion or space is the user space 108 that includes user information and data. This type of information and data can include information and data that is typically contained in user-accessible folders such as My Documents, My Music, Desktop and the like. This space can typically be associated with lesser privileges in order for access to be granted.


In accordance with one embodiment, computer-readable media 104 includes one or more containment zones 110. A containment zone is the only zone which can, in at least some embodiments, be directly written to by browser 102. To facilitate this functionality, a wall or blocking mechanism 112 is provided and prevents browser 102 from directly writing to the administrative space 106 or the user space. In at least some embodiments, a containment zone can allow the settings of the restricted application to be saved between sessions in a place where they cannot pollute any other application on the machine. The containment zone might include a few registry locations and file folders. In the context of a web browser application, containment zone 110 can include a Temporary Internet Files folder which is used to improve web page loading time and for caching other types of data.


Thus, in this embodiment, one or more containment zones are specifically defined and designated as those portions of the computing device to which an Internet application, such as a web browser application, can have access. This is different from an approach which simply denies access to portions of a disk and permits access to other portions based on the particular user who might be attempting such access. Rather, in the inventive type of approach, the restriction is application-centric and not necessarily user-centric. That is, the inventive approach can be considered as user-independent. This approach helps to ensure that only a small number, e.g. a minimum number of required locations, are exposed in the containment zone and helps to ensure that other applications do not store settings in the containment zone. In addition, this application-centric approach can make both the administrative and the user space inaccessible to the application.


Hence, at this point, wall or blocking mechanism 112 is logically interposed between browser 102 and certain predefined spaces, such as the administrative and user spaces, to prevent the browser from directly accessing such spaces. Yet, in some instances, it can be desirable to allow an application to access the administrative or user space. For example, a user who is a system administrator may wish to legitimately manipulate some system settings. Alternately, a regular user may wish to save a picture to the My Documents folder.


In this embodiment, a broker mechanism is utilized and is logically interposed between the application, in this case browser 102, and restricted portions or containment zones of the computing system. The broker mechanism acts to broker access to these restricted portions and to ensure that the user is aware of and can approve the application's access to these restricted portions of the computing system.


As an example, consider FIG. 2, wherein like numerals from the FIG. 1 embodiment have been utilized. There, a broker mechanism is provided in the form of broker objects 200, 202. In this example, broker object 200 is an administrative space broker object and brokers access to the administrative space 106. Broker object 202, on the other hand, is a user space broker object and brokers access to the user space. The broker mechanism can be implemented in any suitable way using any suitable type of object. In one implementation, each broker object is implemented as a DCOM local server object. In addition, broker objects run in a separate process from browser 102, which provides a degree of protection from attacks by malicious code that target browser 102. In addition, in at least one implementation, the broker objects are task based and have their lifetimes defined by the tasks that they are to accomplish.


In this example, when an application such as browser 102 wishes to access a particular restricted space, such as the administrative or user space, the application calls the associated broker object, which then inspects the application's request. The broker object can inspect the request for a number of reasons, including ensuring that it is a well-formed request or checking for an electronic signature on the files being downloaded by the application. Once the request is inspected, the broker object can take steps to broker access to the restricted space.


In some embodiments, this can include prompting the user to ascertain whether the user wishes to access the space in the manner represented in the request. For example, if the user is attempting to save a picture to their My Documents folder, the broker object may simply ask the user, through an appropriate dialog box, if this is the user's intent. If confirmed, then the broker object can permit and facilitate the access. Alternately or additionally, if the user is the administrator and is attempting to write to the administrative space, then the broker object may request the administrator to enter their credentials. In this manner, access to the restricted space is maintained. In these examples, the broker objects perform the writing or modify the restricted space so as to abstract that process away from the application that is calling.


Thus, wall or blocking mechanism 112 and the broker mechanism 200, 202 collectively work to block access to restricted portions of the disk, yet not inhibit access to those portions in appropriate circumstances.


Having explored the notion of the wall or blocking mechanism, as well as the broker mechanism, the discussion that follows just below provides but one example (along with an alternative example) of how the blocking mechanism can be implemented. It is to be appreciated and understood that the blocking mechanism and broker mechanism can be implemented in other ways without departing from the spirit and scope of the claimed subject matter.


Blocking Mechanism—Implementation Example


In the discussion that follows, a blocking mechanism is described in the context of a tokenized system that imposes low rights on an Internet application. The imposition of low rights, in turn, causes certain portions of the client system, such as the administrative and user spaces, to be restricted from the application. In a first embodiment, a token which is not necessarily structured to inherently permit this type of application-centric functionality is processed and reconfigured to implement this functionality. In a second embodiment, a token is structured, through what are referred to as “integrity levels”, to permit the application-centric functionality described above.


First Embodiment—Reconfiguring a Token


In many systems, when a user runs or executes an application, the application executes in the user's context. What this means is that the user typically has user data, such as a user name and user privileges, that circumscribe the execution of the application. More specifically, the user name and privileges can be represented by and in the context of a token. Thus, when a user executes an application, the application becomes aware of and inherits aspects of the user's context, such as the user's privileges, via the token. Accordingly, if the user is the system administrator, then an associated token would identify the user as such, and the application would inherit the system administrator's privileges which, in turn, would allow the application to write to the administrative space mentioned above.



FIG. 3 is a flow diagram that describes steps in a token processing method in accordance with one embodiment. The method can be implemented in connection with any suitable hardware, software, firmware or combination thereof. In one embodiment, aspects of the method are implemented by a suitably configured application, such as browser application 102 in FIGS. 1 and 2.


Step 300 launches an application which, in the present example, is a web browser such as the browser illustrated and described above. When the user launches the application, a token associated with the user becomes available to the application from which, as noted above, the application can inherit the user's privileges.


Step 302 ascertains the type of user. There can be different types of users such as an administrative user, a power user, a backup operator and the like. Step 304 removes privileges associated with the type of user. In the illustrated embodiment, this step is implemented by effectively manipulating the token's data to remove designations that indicate any privileges associated with the token and hence, the user type. This step effectively blocks access to the administrative space of the computing device, such as administrative space 106 in FIGS. 1 and 2.


Step 306 adds restrictions on the user space. In the illustrated and described embodiment, this is done by effectively manipulating the token's data to remove the user's name from the token. By removing the user's name from the token, the privileges that are associated with that particular user are removed as well.


Step 308 then defines one or more containment zones for read/write access. In this particular example, this step is implemented by replacing the removed user name with a particular defined user group name, for example, “IEUsersGroup”. The one or more containment zones are then the only zones designated for read/write access by members of that particular group.


Thus, at this point, any administrative privileges have been removed thus effectively blocking the administrative space. Likewise, the user's privileges have been removed, thus blocking access to the user space. However, by changing the user's name to a particular group name and associating that group name with the containment zone(s), read/write access for the application can now be limited only to the containment zone(s).


More specifically, having proceeded as described above, step 310 terminates the old process associated with the application that was launched, and step 312 creates a new process for the application with the reconfigured token.


Using this reconfigured token, the application will not be able to directly access either the administrative space or the user space. Rather, the application will only be able to directly write to the containment zone and, without further intervention by, for example, a broker mechanism, the application will be unable to cause data to be written to the user or administrative space.
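The token reconfiguration of FIG. 3 (steps 300 through 312), the blocking mechanism 112 and a user-space broker object, modelled in Python as an added example that is not the patent's own code. The paths, the user name "abby", the "Administrators" group and the dictionary ACLs are constructed for the example; only "IEUsersGroup" comes from the text.

```python
# Added example, not the patent's code: a Python model of the token
# reconfiguration in FIG. 3 (steps 300-312), of blocking mechanism 112,
# and of a broker object that performs user-approved writes to the user
# space. Paths, the "Administrators" group and the user "abby" are constructed.
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, List, Optional

ADMIN_SPACE = "C:/Windows"                                      # administrative space 106
USER_SPACE = "C:/Users/abby/Documents"                          # user space 108
CONTAINMENT_ZONE = "C:/Users/abby/Temporary Internet Files/Low"  # containment zone 110
CONTAINMENT_GROUP = "IEUsersGroup"                              # group named in the patent


@dataclass(frozen=True)
class Token:
    user: Optional[str]        # user name; None once step 306 has removed it
    groups: FrozenSet[str]     # group memberships that confer privileges


def principals(token: Token) -> FrozenSet[str]:
    names = set(token.groups)
    if token.user is not None:
        names.add(token.user)
    return frozenset(names)


# Who may write each space. The containment zone is writable only by the
# group that step 308 places in the reconfigured token.
WRITE_ACL = {
    ADMIN_SPACE: frozenset({"Administrators"}),
    USER_SPACE: frozenset({"abby"}),
    CONTAINMENT_ZONE: frozenset({CONTAINMENT_GROUP}),
}


def can_write(token: Token, path: str) -> bool:
    """Blocking mechanism 112: allow a write only if the token carries a
    principal listed in the ACL of the space that contains the path."""
    for space, allowed in WRITE_ACL.items():
        if path.startswith(space + "/"):
            return bool(principals(token) & allowed)
    return False               # anything outside the three spaces: deny


def restrict_token(token: Token) -> Token:
    """Steps 304-308: drop privileged group memberships, drop the user
    name, and substitute the containment-zone group for it."""
    return Token(user=None, groups=frozenset({CONTAINMENT_GROUP}))


@dataclass
class Process:
    name: str
    token: Token
    writes: List[str] = field(default_factory=list)

    def write(self, path: str) -> bool:
        if not can_write(self.token, path):
            return False
        self.writes.append(path)
        return True


def launch_restricted(user_token: Token) -> Process:
    """Steps 300-312: launch with the user's token, reconfigure it, end the
    original process and create a new one with the reconfigured token."""
    original = Process("browser", user_token)               # step 300
    reconfigured = restrict_token(original.token)           # steps 302-308
    del original                                            # step 310
    return Process("browser (restricted)", reconfigured)    # step 312


class UserSpaceBroker:
    """Broker object 202: runs out of process with the user's full token and
    writes to the user space only for well-formed, user-approved requests."""

    def __init__(self, user_token: Token, ask_user: Callable[[str, str], bool]):
        self.proc = Process("broker", user_token)
        self.ask_user = ask_user   # stands in for the confirmation dialog

    def write_for(self, caller: Process, path: str) -> bool:
        well_formed = path.startswith(USER_SPACE + "/") and ".." not in path
        if not well_formed or not self.ask_user(caller.name, path):
            return False
        return self.proc.write(path)


def demo() -> dict:
    abby = Token(user="abby", groups=frozenset({"Administrators"}))
    browser = launch_restricted(abby)
    broker = UserSpaceBroker(abby, ask_user=lambda who, path: True)  # user confirms
    return {
        "cache_write": browser.write(CONTAINMENT_ZONE + "/index.dat"),
        "user_write": browser.write(USER_SPACE + "/photo.jpg"),
        "admin_write": browser.write(ADMIN_SPACE + "/system32/new.dll"),
        "brokered_user_write": broker.write_for(browser, USER_SPACE + "/photo.jpg"),
        "brokered_escape": broker.write_for(browser, USER_SPACE + "/../../../Windows/x.dll"),
    }
```

The restricted process can reach only the containment zone; the brokered write to My Documents succeeds after confirmation, while a request that tries to walk out of the user space with ".." is rejected before the user is even asked.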


Second Embodiment—Using Integrity Levels


In another embodiment, a token is utilized and is structured, through what are referred to as “integrity levels”, to permit the application-centric functionality described above. That is, through a process referred to as Mandatory Integrity Control, the token associated with a user carries an integrity level, such as “high”, “medium” or “low”, that can be set. Likewise, computing resources on the client device have associated integrity levels, and a resource can be accessed only if its integrity level is the same as or lower than the integrity level of the user's token.


So, for example, by establishing the integrity levels of the administrative and user spaces as “high” and “medium” respectively, and that of the user as “low”, access to the administrative and user spaces is effectively blocked. However, designating a containment zone as having a “low” level of integrity allows a user to access that containment zone through whatever application the user happens to be using.
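The integrity-level check of the second embodiment, modelled in Python as an added example that is not the patent's own code. The S-1-16-&lt;RID&gt; mandatory-label SIDs are the real Windows encoding of the three levels (4096 low, 8192 medium, 12288 high); the labelled paths are constructed.

```python
# Added example, not the patent's code: Mandatory Integrity Control as the
# second embodiment describes it. The S-1-16-<RID> label SIDs are Windows'
# real encoding of the levels (4096 low, 8192 medium, 12288 high); the paths
# and the labels assigned to them are constructed for the example.
from enum import IntEnum
from typing import Dict, Optional


class Integrity(IntEnum):
    LOW = 4096
    MEDIUM = 8192
    HIGH = 12288


def level_from_label_sid(sid: str) -> Integrity:
    """Parse a mandatory-label SID such as 'S-1-16-4096' into a level."""
    prefix, _, rid = sid.rpartition("-")
    if prefix != "S-1-16":
        raise ValueError(f"not a mandatory label SID: {sid}")
    return Integrity(int(rid))


# Labels assigned as the patent proposes: administrative space high,
# user space medium, containment zone low.
RESOURCE_LABELS: Dict[str, Integrity] = {
    "C:/Windows": Integrity.HIGH,                   # administrative space 106
    "C:/Users/abby/Documents": Integrity.MEDIUM,    # user space 108
    "C:/Users/abby/AppData/LocalLow": Integrity.LOW,  # containment zone 110
}


def label_for(path: str) -> Optional[Integrity]:
    """Longest-prefix match, so nested locations inherit the right label."""
    match = None
    for prefix, level in RESOURCE_LABELS.items():
        if (path == prefix or path.startswith(prefix + "/")) and \
           (match is None or len(prefix) > len(match[0])):
            match = (prefix, level)
    return match[1] if match else None


def access_allowed(token_label_sid: str, path: str) -> bool:
    """A token may access a resource only when the resource's integrity
    level is the same as or lower than the token's level."""
    resource = label_for(path)
    if resource is None:
        return False          # unlabelled location: deny (a choice of this model)
    return resource <= level_from_label_sid(token_label_sid)


def access_matrix(token_label_sid: str) -> Dict[str, bool]:
    """Which of the three spaces a process running at this label can touch."""
    return {p: access_allowed(token_label_sid, p + "/file") for p in RESOURCE_LABELS}
```

A restricted browser at low integrity reaches only the containment zone; the same user's unrestricted browser at medium integrity also reaches the user space but still not the administrative space.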


Using a Shim


In at least some embodiments, a shim mechanism, such as shim 400 in FIG. 4, is utilized to redirect access, typically for third party extensions, to the containment zones. More specifically, in the context of the browser application, many different third party extensions can be provided and run in conjunction with or inside of the browser. For example, the Google toolbar is one example of an extension that is designed to run inside of a browser.


Certain extensions typically require write access to sections of a file system and/or registry in order to operate correctly. For example, the Google toolbar may wish to save a list of favorite searches for a particular user. Yet, without access to the user space, this type of write would be blocked by the wall or blocking mechanism 112.


In accordance with one embodiment, when application 102 or an associated third party component attempts to write to a restricted space, shim 400 is configured to trap and redirect the call and write the data into a containment zone. Subsequent calls by the application for the data that was redirected to the containment zone are handled by the shim and the appropriate data is retrieved from the containment zone. Hence, data that was intended to be written to the administrative or user space by a particular extension or application is redirected into an appropriate containment zone.


This allows third party extensions to continue to operate without requiring any third party code to be rewritten. In operation, the third party extension believes it is writing data to the user or administrative space. Yet, through the mechanism of the shim, such data is getting written to and read from the containment zone.
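The trap-and-redirect behaviour of shim 400, modelled in Python as an added example that is not the patent's own code. Writes aimed at the user or administrative space land in a per-space subfolder of the containment zone and later reads of the original path are served from there; the paths and the in-memory stand-in for the file system are constructed.

```python
# Added example, not the patent's code: a Python model of shim 400. Writes
# that an extension aims at the user or administrative space are redirected
# into the containment zone, and later reads of the same path are served
# from there. Paths and the in-memory "file system" are constructed.
import posixpath
from typing import Dict, List, Optional, Tuple

USER_SPACE = "C:/Users/abby/Documents"                            # user space 108
ADMIN_SPACE = "C:/Windows"                                        # administrative space 106
CONTAINMENT_ZONE = "C:/Users/abby/AppData/LocalLow/Virtualized"   # hypothetical zone path


class Shim:
    def __init__(self, blocked_spaces: List[str], zone: str, fs: Dict[str, bytes]):
        self.blocked = blocked_spaces
        self.zone = zone
        self.fs = fs                  # dict standing in for the real file system
        self.log: List[Tuple[str, str]] = []   # (requested path, redirected path)

    def _redirect(self, path: str) -> str:
        """Map a path under a blocked space to its containment-zone twin."""
        path = posixpath.normpath(path)   # collapse '..' before matching prefixes
        for space in self.blocked:
            if path.startswith(space + "/"):
                tag = space.replace(":", "").replace("/", "_")   # e.g. C_Windows
                target = f"{self.zone}/{tag}/{path[len(space) + 1:]}"
                self.log.append((path, target))
                return target
        return path                   # unrestricted locations pass through

    def write(self, path: str, data: bytes) -> str:
        target = self._redirect(path)
        self.fs[target] = data
        return target

    def read(self, path: str) -> Optional[bytes]:
        return self.fs.get(self._redirect(path))


def demo() -> dict:
    fs: Dict[str, bytes] = {}
    shim = Shim([USER_SPACE, ADMIN_SPACE], CONTAINMENT_ZONE, fs)
    wanted = USER_SPACE + "/Toolbar/favorites.txt"   # what the extension asks for
    stored_at = shim.write(wanted, b"security news\n")
    # A '..' sequence is normalised first, so the write still lands in the zone.
    traversal = shim.write(USER_SPACE + "/../../../Windows/System32/new.dll", b"MZ")
    return {
        "stored_at": stored_at,
        "read_back": shim.read(wanted),
        "user_space_untouched": not any(p.startswith(USER_SPACE) for p in fs),
        "traversal_stored_at": traversal,
    }
```

The extension sees its favorites file at the path it asked for, while nothing is ever created under My Documents or the system folder.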


Launching an Application that is Not Restricted


As noted above, in some embodiments, an application's execution in the restricted process can result in another application being launched which is functionally similar to the restricted application, yet is less restricted in order to facilitate the user experience in particular contexts which have been deemed as trusted or at least desirably secure.


As a more tangible example, consider the following in the browser context. Assume that a corporate user has access through their client computing device to both the Internet and a company intranet. Assume also that the company intranet is a secure and trusted entity. Further assume that the user's computing device is executing several different business applications that need a high degree of compatibility to keep running properly. In contexts such as these, as well as others, it can be desirable to allow the application to operate in an unrestricted manner when executing in the context of the company's intranet—that is, in a manner that is unrestricted by blocking mechanism 112.


As an example, consider FIG. 5 in connection with the following. There are certain contexts that an application may attempt to execute in, and these contexts can pertain to a particular zone that has been defined as being trusted or may otherwise carry with it a level of security that has been defined as “safe”. In the browser example, the user may attempt to navigate to a corporate intranet or some other safe zone. In this case, restricted browser 102 calls the broker mechanism and the broker mechanism, based on the call that the application is making, can instantiate an unrestricted browser 500 with which the user can operate in the particular zone to which they have navigated. In this example, a token is created and configured to include the privileges associated with the user (such as administrative privileges, power user privileges and the like), as well as a user name associated with the user to provide the user with access to the appropriate portion of the user space.


In addition, in this embodiment, the containment zone is defined in a manner that maintains a separation between the restricted and unrestricted browsers 102, 500 respectively. Specifically, recall from the discussion above that a containment zone in the form of a Temporary Internet Files folder is provided into which the restricted browser 102 and other components read and write. Yet, in the present embodiment, if the unrestricted browser 500 were to use this containment zone for writing temporary Internet files, there is a chance that the restricted browser could access this data or otherwise use this containment zone overlap to attempt to maliciously gain access to portions of the computing device to which it should not have access.


Accordingly, to address this situation, as well as others, different containment zones are defined, one associated with the restricted browser 102 and the other associated with the unrestricted browser 500 and isolated from the restricted browser. In the illustrated example, containment zone 110a is associated with and useable only by restricted browser 102. Likewise, containment zone 110b is associated with and useable only by unrestricted browser 500. Neither browser can read from or write to the other's associated containment zone. As such, wall 112 is seen to extend down and block access from the restricted browser 102 to containment zone 110b.


In the implementation above in which the token is processed and reconfigured, containment zone 110a is designated as being able to be read from and written to only by the group identified in the token. Hence, applications executing in the context of this token cannot access containment zone 110b.


Exemplary Use Scenarios


The following use scenarios provide some additional examples of how the above-described inventive embodiments can be utilized in the context of a web browser.


Consider first an example in which the inventive embodiments can be utilized to protect the user. Assume that user Abby visits a website that exploits a buffer overrun in the browser to install a control. Here, Abby navigates to a page that uses a buffer overrun exploit in the browser to inject native code into the process space. The native code downloads a dynamic link library (DLL) into a folder on her machine and attempts to register as an ActiveX control to be loaded by the browser by creating entries in the registry. Here, however, the operation fails because the browser does not have permission to write to the registry. Abby then receives a notification and continues to browse securely.


As another example, assume that user Abby visits a website that uses a control she has installed to attempt to overwrite a system file. Here, Abby navigates to a page that contains an already installed ActiveX control. The control attempts to overwrite a DLL in her system folder. Here, however, the operation is rejected and Abby receives a notification informing her that the page attempted to perform a privileged operation. She then continues to browse securely.


Consider now an example in which the inventive embodiments can be utilized to maintain the compatibility of Abby's system. Here, assume that Abby upgrades her video drivers from a website. Abby navigates to the web site and clicks on the link to the driver.exe file. The file is downloaded and the executable install broker (i.e. the broker mechanism) prompts Abby to ensure she trusts the executable and wishes to install it. If approved by Abby, the installation completes successfully and Abby continues to browse securely.


Assume now that Abby visits her favorite web site. A new menu control has been added, so the browser needs to install the control. Abby is prompted to ask if she trusts the control, and to authorize the installation. If approved, the control installs and Abby continues navigating the site and browsing securely.


Exemplary Computing System



FIG. 6 shows an exemplary computer system having components that can be used to implement one or more of the embodiments described above.


Computer system 630 includes one or more processors or processing units 632, a system memory 634, and a bus 636 that couples various system components including the system memory 634 to processors 632. The bus 636 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. The system memory 634 includes read only memory (ROM) 638 and random access memory (RAM) 640. A basic input/output system (BIOS) 642, containing the basic routines that help to transfer information between elements within computer 630, such as during start-up, is stored in ROM 638.


Computer 630 further includes a hard disk drive 644 for reading from and writing to a hard disk (not shown), a magnetic disk drive 646 for reading from and writing to a removable magnetic disk 648, and an optical disk drive 650 for reading from or writing to a removable optical disk 652 such as a CD ROM or other optical media. The hard disk drive 644, magnetic disk drive 646, and optical disk drive 650 are connected to the bus 636 by an SCSI interface 654 or some other appropriate interface. The drives and their associated computer-readable media provide nonvolatile storage of computer-readable instructions, data structures, program modules and other data for computer 630. Although the exemplary environment described herein employs a hard disk, a removable magnetic disk 648 and a removable optical disk 652, it should be appreciated by those skilled in the art that other types of computer-readable media which can store data that is accessible by a computer, such as magnetic cassettes, flash memory cards, digital video disks, random access memories (RAMs), read only memories (ROMs), and the like, may also be used in the exemplary operating environment.


A number of program modules may be stored on the hard disk 644, magnetic disk 648, optical disk 652, ROM 638, or RAM 640, including an operating system 658, one or more application programs 660, other program modules 662, and program data 664. A user may enter commands and information into computer 630 through input devices such as a keyboard 666 and a pointing device 668. Other input devices (not shown) may include a microphone, joystick, game pad, satellite dish, scanner, or the like. These and other input devices are connected to the processing unit 632 through an interface 670 that is coupled to the bus 636. A monitor 672 or other type of display device is also connected to the bus 636 via an interface, such as a video adapter 674. In addition to the monitor, personal computers typically include other peripheral output devices (not shown) such as speakers and printers.


Computer 630 commonly operates in a networked environment using logical connections to one or more remote computers, such as a remote computer 676. The remote computer 676 may be another personal computer, a server, a router, a network PC, a peer device or other common network node, and typically includes many or all of the elements described above relative to computer 630, although only a memory storage device 678 has been illustrated in FIG. 6. The logical connections depicted in FIG. 6 include a local area network (LAN) 680 and a wide area network (WAN) 682. Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets, and the Internet.


When used in a LAN networking environment, computer 630 is connected to the local network 680 through a network interface or adapter 684. When used in a WAN networking environment, computer 630 typically includes a modem 686 or other means for establishing communications over the wide area network 682, such as the Internet. The modem 686, which may be internal or external, is connected to the bus 636 via a serial port interface 656. In a networked environment, program modules depicted relative to the personal computer 630, or portions thereof, may be stored in the remote memory storage device. It will be appreciated that the network connections shown are exemplary and other means of establishing a communications link between the computers may be used.


Generally, the data processors of computer 630 are programmed by means of instructions stored at different times in the various computer-readable storage media of the computer. Programs and operating systems are typically distributed, for example, on floppy disks or CD-ROMs. From there, they are installed or loaded into the secondary memory of a computer. At execution, they are loaded at least partially into the computer's primary electronic memory. The invention described herein includes these and other various types of computer-readable storage media when such media contain instructions or programs for implementing the steps described below in conjunction with a microprocessor or other data processor. The invention also includes the computer itself when programmed according to the methods and techniques described below.


For purposes of illustration, programs and other executable program components such as the operating system are illustrated herein as discrete blocks, although it is recognized that such programs and components reside at various times in different storage components of the computer, and are executed by the data processor(s) of the computer.


CONCLUSION

The embodiments described above can reduce the security risks associated with applications that have access to the Internet, while at the same time providing users with safe, rich experiences.


Although the invention has been described in language specific to structural features and/or methodological steps, it is to be understood that the invention defined in the appended claims is not necessarily limited to the specific features or steps described. Rather, the specific features and steps are disclosed as preferred forms of implementing the claimed invention.

Claims
  • 1. A computer-implemented method comprising: launching an Internet-application that inherits privileges of a token associated with a user, the token including a user integrity level associated with the user; providing a blocking mechanism that is configured to block the Internet-application's access to defined spaces of a client computing device on which the Internet-application executes, the defined spaces including an administrative space and a user space of the client computing device, and the providing a blocking mechanism comprising: setting an administrative space integrity level that is higher than the user integrity level to restrict the Internet-application from accessing the administrative space; setting a user space integrity level that is higher than the user integrity level to restrict the Internet-application from accessing the user space; defining a containment zone in which the Internet-application is to write and read data; setting a containment zone integrity level that is lower than or equal to the user integrity level to allow the Internet-application to access the containment zone; launching, as a result of the user's interaction with the Internet-application, an unrestricted Internet-application that is unblocked by the blocking mechanism, the unrestricted Internet-application associated with an additional token that is configured to enable the unrestricted Internet-application to access the administrative space and the user space; and defining an additional containment zone in which the unrestricted Internet-application is to read and write data, the Internet-application being restricted from accessing the additional containment zone and the unrestricted Internet-application being restricted from accessing the containment zone.
  • 2. The method of claim 1, wherein the blocking mechanism is configured to block access in a user-independent manner.
  • 3. The method of claim 1 further comprising logically interposing a broker mechanism between the Internet-application and the defined spaces to broker access to the defined spaces.
  • 4. The method of claim 3, wherein the broker mechanism comprises individual broker objects, each of which is associated with a different defined space.
  • 5. The method of claim 3, wherein the broker mechanism is configured to enable a user to approve access to an associated defined space.
  • 6. The method of claim 1, wherein the Internet-application comprises a web browser application.
  • 7. A computer-implemented method comprising: launching an Internet-application that inherits privileges of a token associated with a user, the token including a user integrity level associated with the user; providing a token-based blocking mechanism that is configured to block the Internet-application's access to at least the administrative and user spaces of a client computing device on which the Internet-application executes, the providing a token-based blocking mechanism comprising: setting an administrative space integrity level that is higher than the user integrity level to restrict the Internet-application from accessing the administrative space; setting a user space integrity level that is higher than the user integrity level to restrict the Internet-application from accessing the user space; defining a containment zone in which the Internet-application is to write and read data; setting a containment zone integrity level that is lower than or equal to the user integrity level to allow the Internet-application to access the containment zone; logically interposing an administrative broker object between the Internet-application and the administrative space to broker access to the administrative space; logically interposing a user space broker object between the Internet-application and the user space to broker access to the user space; launching, as a result of the user's interaction with the Internet-application, an unrestricted Internet-application that is unblocked by the blocking mechanism, the unrestricted Internet-application associated with an additional token that is configured to enable the unrestricted Internet-application to access the administrative space and the user space; and defining an additional containment zone in which the unrestricted Internet-application is to read and write data, the Internet-application being restricted from accessing the additional containment zone and the unrestricted Internet-application being restricted from accessing the containment zone.
  • 8. The method of claim 7, wherein the user space broker object is configured to enable a user to approve access to the user space.
  • 9. The method of claim 8, wherein the administrative broker object is configured to prompt an administrative user to enter associated credentials in order to access the administrative space.
  • 10. The method of claim 7, wherein the Internet-application comprises a web browser application.
  • 11. A computing device comprising: one or more processors; one or more hardware computer-readable storage media, associated with the one or more processors and embodying computer-readable instructions which, when executed, cause the computing device to perform a method comprising: launching an Internet-application that inherits privileges of a token associated with a user, the token including a user integrity level associated with the user; providing a blocking mechanism that is configured to block the Internet-application's access to defined spaces of the computing device on which the Internet-application executes, the defined spaces including an administrative space and a user space of the computing device, and the providing a blocking mechanism comprising: setting an administrative space integrity level that is higher than the user integrity level to restrict the Internet-application from accessing the administrative space; setting a user space integrity level that is higher than the user integrity level to restrict the Internet-application from accessing the user space; defining a containment zone in which the Internet-application is to write and read data; setting a containment zone integrity level that is lower than or equal to the user integrity level to allow the Internet-application to access the containment zone; launching, as a result of the user's interaction with the Internet-application, an unrestricted Internet-application that is unblocked by the blocking mechanism, the unrestricted Internet-application associated with an additional token that is configured to enable the unrestricted Internet-application to access the administrative space and the user space; and defining an additional containment zone in which the unrestricted Internet-application is to read and write data, the Internet-application being restricted from accessing the additional containment zone and the unrestricted Internet-application being restricted from accessing the containment zone.
  • 12. The computing device of claim 11, wherein the blocking mechanism is configured to block access in a user-independent manner.
  • 13. The computing device of claim 11, wherein the method further comprises logically interposing a broker mechanism between the Internet-application and the defined spaces to broker access to the defined spaces.
  • 14. The computing device of claim 13, wherein the broker mechanism comprises individual broker objects, each of which is associated with a different defined space.
  • 15. The computing device of claim 13, wherein the broker mechanism is configured to enable a user to approve access to an associated defined space.
  • 16. The computing device of claim 11, wherein the Internet-application comprises a web browser application.
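The claims above express the blocking mechanism as integrity-level comparisons between a token and each defined space. The Python model below is an added example, not code from the patent or from any product implementing it: it encodes the setup of claim 1 (admin and user spaces above the user level, a containment zone at or below it, a second token and zone for the unrestricted application) and the broker of claims 3 to 9. The numeric levels and the owner tag on containment zones are assumptions of this example; the claims state that each application is kept out of the other's zone but do not name the mechanism.

```python
"""Policy model of the token/integrity-level blocking mechanism in the
claims. Added example, not code from the patent or any product."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed ordering; the claims only fix the relative order of levels.
LOW, MEDIUM, HIGH = 1, 2, 3


@dataclass(frozen=True)
class Token:
    name: str             # identity the token was issued to
    integrity_level: int  # user integrity level carried by the token


@dataclass
class Space:
    name: str
    integrity_level: int
    owner: Optional[str] = None  # containment zones only (assumption)
    contents: Dict[str, str] = field(default_factory=dict)


def can_access(token: Token, space: Space) -> bool:
    """Blocking mechanism: a space is reachable only when the token's level
    is at least the space's level. The owner tag is this example's way of
    expressing the mutual restriction between the two containment zones;
    the claims state that restriction without naming a mechanism."""
    if token.integrity_level < space.integrity_level:
        return False
    return space.owner is None or space.owner == token.name


def write(token: Token, space: Space, key: str, value: str) -> bool:
    if not can_access(token, space):
        return False
    space.contents[key] = value
    return True


def read(token: Token, space: Space, key: str) -> Optional[str]:
    return space.contents.get(key) if can_access(token, space) else None


def brokered_write(space: Space, key: str, value: str,
                   approve: Callable[[str], bool]) -> bool:
    """Broker object interposed between the application and a defined
    space (claims 3-5, 8-9): the write happens only if the approval step
    (user consent, or administrative credentials) succeeds."""
    if not approve(space.name):
        return False
    space.contents[key] = value
    return True


def build_environment():
    """Tokens and spaces as claim 1 recites (levels are constructed)."""
    internet_app = Token("internet_app", MEDIUM)        # inherits user token
    unrestricted_app = Token("unrestricted_app", HIGH)  # additional token
    spaces = {
        "admin": Space("admin", HIGH),  # higher than the user level
        "user": Space("user", HIGH),    # higher than the user level
        "zone": Space("zone", LOW, owner="internet_app"),
        "zone2": Space("zone2", LOW, owner="unrestricted_app"),
    }
    return internet_app, unrestricted_app, spaces
```

Direct writes by the restricted application to the admin or user space fail, its own zone accepts them, and the broker is the only path into a blocked space, gated by the approval callback.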
Related Publications (1)
Number Date Country
20060277218 A1 Dec 2006 US