    • 2. Granted invention patent
    • Network security zones
    • US06366912B1
    • 2002-04-02
    • US09055772
    • 1998-04-06
    • Michael J. Wallent, Rajeev Dujari, Anand Ramakrishna, Loren M. Kohnfelder, Lewis Geer
    • G06F1730
    • G06F21/36, G06F17/30867, G06F21/51, G06F21/52, G06F21/54, G06F21/57, G06F21/6218, G06F21/6227, G06F2221/2141, G06F2221/2149, Y10S707/99939
    • A computer based system and method of providing security when receiving digital data at a client computer from one or more Web sites is disclosed. The method includes receiving security configuration information that specifies multiple security zones, each zone corresponding to a set of Web sites. The security configuration information also includes information specifying a set of security settings corresponding to each security zone. A security setting is a specification indicating an action to perform when a Web page from one of the security zones requests a protected operation to be performed. During a Web browsing session, the mechanism of the invention determines the security zone corresponding to the Web site currently being browsed. Prior to performing the protected operation, the mechanism of the invention determines the action to perform, based on the current Web site's security zone, the requested operation, and the security setting corresponding to the requested operation and the Web site's zone. Depending upon the security setting, the Web browser may perform the requested operation, prevent the requested operation from being performed, or prompt the user of whether to perform the requested operation. During the browsing of a Web site, the Web browser visually indicates the security zone corresponding to the current Web site.
    • 3. Granted invention patent
    • Evidence-based security policy manager
    • US07051366B1
    • 2006-05-23
    • US09598534
    • 2000-06-21
    • Brian A LaMacchia, Loren M. Kohnfelder, Gregory Darrell Fee, Michael J. Toutonghi
    • G06F15/16, G06F17/30, H04L9/32
    • G06F21/6218, G06F21/6209, G06F2221/2141
    • An evidence-based policy manager generates a permission grant set for a code assembly received from a resource location. The policy manager executes in a computer system (e.g., a Web client or server) in combination with the verification module and class loader of the run-time environment. The permission grant set generated for a code assembly is applied in the run-time call stack to help the system determine whether a given system operation by the code assembly is authorized. Both code assemblies and evidence may be received from a local origin or from a remote resource location via a network (e.g., the Internet). The policy manager may comprise execution modules for parsing a security policy specification, generating one or more code hierarchies, evaluating membership of the received code assembly in one or more code groups, and generating a permission grant set based upon this membership evaluation.
    • 4. Granted invention patent
    • Applying a permission grant set to a call stack during runtime
    • US07076557B1
    • 2006-07-11
    • US09613032
    • 2000-07-10
    • Brian A. LaMacchia, Gregory Darrell Fee, Loren M. Kohnfelder, Ashok Cholpady Kamath
    • G06F15/16
    • G06F21/52
    • A system and method determine whether a called code frame has a requested permission available to it, so as to be able to execute a protected operation. A code frame is contained within a code assembly received from a remote or local resource location. A policy manager generates a permission grant set containing permission grant objects associated with the code assembly. Both the permission grant set and the code assembly are loaded into a runtime call stack for runtime execution of one or more code frames. Calls to other code frames may involve loading additional code assemblies and permission grant sets into the runtime call stack. In order for a called code frame to perform a protected operation, the code frame demands a requested permission from its calling code frame and all code frames preceding the calling code frame on the runtime call stack as part of a stack walk operation. If the calling code frame and the preceding call frames can satisfy the requested permission, the called code frame can perform the protected operation (absent stack overrides). Otherwise, a security exception is thrown and the called code frame is inhibited from performing the protected operation (absent stack overrides). Stack overrides may be employed to dynamically modify the stack walk operation. To increase performance, a stack walk may be avoided by caching an intersection of the permission grants of all code assemblies in the application.
    • 6. Granted invention patent
    • Filtering a permission set using permission requests associated with a code assembly
    • US07251834B2
    • 2007-07-31
    • US11254839
    • 2005-10-20
    • Brian A. LaMacchia, Loren M. Kohnfelder, Gregory D. Fee, Michael J. Toutonghi
    • G06F7/04, G06F17/30, G06K9/00, H03M1/68, H04K1/00, H04L9/00, H04L9/32
    • G06F21/52
    • A security policy manager generates a permission grant set for a code assembly received from a resource location. The policy manager can execute in a computer system (e.g., a Web client) in combination with the verification module and class loader of the run-time environment. The permission grant set generated for a code assembly is applied in the run-time call stack to help the system determine whether a given system operation by the code assembly is authorized. A permission request set may also be received in association with the code assembly. The permission request set may include a minimum request set, specifying permissions required by the code assembly to run properly. The permission request set may also include an optional request set, specifying permissions requested by the code assembly to provide an alternative level of functionality. In addition, the permission request set may include a refuse request set, specifying permissions that are not to be granted to the code assembly. The permission requests are used to filter a permission set to generate a permission grant set.
    • 7. Granted invention patent
    • Method and apparatus for writing a windows application in HTML
    • US06662341B1
    • 2003-12-09
    • US09315858
    • 1999-05-20
    • Phillip R. Cooper, Loren M. Kohnfelder, Roderick A. Chavez
    • G06F1721
    • G06F9/451
    • A method, apparatus, and computer-readable medium for authoring and executing HTML application files is disclosed. An HTML application file is basically a standard HTML file that runs in its own window outside of the browser, and is thus not bound by the security restrictions of the browser. The author of an HTML application file can take advantage of the relaxed security. The author of the HTML application file designates the file as an HTML application file by doing one or more of the following: defining the MIME type as an HTML application MIME type; or using an HTML application file extension for the file. When a browser, such as the Internet Explorer, encounters one of the above, it processes the file as an HTML application file rather than a standard HTML file by creating a main window independent of the browser, and rendering the HTML in the main window.
    • 8. Granted invention patent
    • Isolated persistent storage
    • US07620731B1
    • 2009-11-17
    • US09790840
    • 2001-02-21
    • Shajan Dasan, Loren M. Kohnfelder, Michael J. Toutonghi
    • G06F15/173
    • G06F9/52
    • An isolated persistent storage object accesses an isolated persistent storage region using identities of the application, an underlying component of the application, and optionally the user. Direct access to the isolated persistent storage region is available only to the isolated persistent storage object and is unavailable to other components. Accordingly, other components access the isolated persistent storage region through the isolated persistent storage object, which determines the specific location (e.g., specified by an internally constructed path name) and performs the access operation on behalf of the calling component. The application identity and the component identity are converted to typed identity names for use in the construction of the path name.
    • 9. Granted invention patent
    • Evaluating initially untrusted evidence in an evidence-based security policy manager
    • US07131143B1
    • 2006-10-31
    • US09598814
    • 2000-06-21
    • Brian A. LaMacchia, Loren M. Kohnfelder, Gregory Darrell Fee
    • G06F7/04
    • G06F21/51, G06F21/53
    • An evidence-based policy manager generates a permission grant set for a code assembly received from a resource location. The policy manager executes in a computer system (e.g., a Web client or server) in combination with the verification module and class loader of the run-time environment. The permission grant set generated for a code assembly is applied in the run-time call stack to help the system determine whether a given system operation by the code assembly is authorized. Both code assemblies and evidence may be received from a local origin or from a remote resource location via a network (e.g., the Internet). Evidence having different levels of trust may be evaluated in combination so that a permission grant set is associated only with trusted code assemblies. The policy manager may comprise execution modules for parsing a security policy specification, generating one or more code hierarchies, evaluating membership of the received code assembly in one or more code groups, and generating a permission grant set based upon this membership evaluation.