Patents by Inventor Jeffrey B. Hamblin
Jeffrey B. Hamblin has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 9038168
Abstract: Described is a technology by which access to a resource is determined by evaluating a resource label of the resource against a user claim of an access request, according to policy decoupled from the resource. The resource may be a file, and the resource label may be obtained by classifying the file into classification properties, such that a change to the file may change its resource label, thereby changing which users have access to the file. The resource label-based access evaluation may be logically combined with a conventional ACL-based access evaluation to determine whether to grant or deny access to the resource.
Type: Grant
Filed: November 20, 2009
Date of Patent: May 19, 2015
Assignee: Microsoft Technology Licensing, LLC
Inventors: Nir Ben-Zvi, Raja Pazhanivel Perumal, Anders Samuelsson, Jeffrey B. Hamblin, Ran Kalach, Ziquan Li, Matthias H. Wollnik, Clyde Law, Paul Adrian Oltean
-
Patent number: 8984624
Abstract: A scope hierarchy corresponding to a resource to which a type of access is requested is identified, the scope hierarchy including multiple scope levels each of which has an associated access control list. An access control list associated with a lower scope level can further restrict access permitted to the resource by an access control list associated with a higher scope level. Based at least in part on one or more of the access control lists associated with the multiple scope levels, a determination is made as to whether the requested type of access to the resource is permitted.
Type: Grant
Filed: June 5, 2013
Date of Patent: March 17, 2015
Assignee: Microsoft Technology Licensing, LLC
Inventors: Raja P. Perumal, Jeffrey B. Hamblin, Paul J. Leach
-
Patent number: 8775734
Abstract: A virtual disk is comprised of segments of unused capacity of physical computer-readable storage media co-located with computing devices that are communicationally coupled to one another through network communications. The computing devices execute one or more of a client process, a storage process and a controller process. The controller processes manage the metadata of the virtual disk, including a virtual disk topology that defines the relationships between certain ones of the physical computer-readable storage media and a particular virtual disk. The client process provide data for storage to certain ones of the computing devices executing the storage processes, as defined by a virtual disk topology, and also read data from storage from those computing devices. The client process additionally expose the virtual disk in the same manner as any other computer-readable medium.
Type: Grant
Filed: November 15, 2011
Date of Patent: July 8, 2014
Assignee: Microsoft Corporation
Inventors: Jeffrey B. Hamblin, Saurabh Gupta, Justin Neddo, Joseph Sherman
-
Publication number: 20130269025
Abstract: A scope hierarchy corresponding to a resource to which a type of access is requested is identified, the scope hierarchy including multiple scope levels each of which has an associated access control list. An access control list associated with a lower scope level can further restrict access permitted to the resource by an access control list associated with a higher scope level. Based at least in part on one or more of the access control lists associated with the multiple scope levels, a determination is made as to whether the requested type of access to the resource is permitted.
Type: Application
Filed: June 5, 2013
Publication date: October 10, 2013
Inventors: Raja P. Perumal, Jeffrey B. Hamblin, Paul J. Leach
-
Patent number: 8464319
Abstract: A scope hierarchy corresponding to a resource to which a type of access is requested is identified, the scope hierarchy including multiple scope levels each of which has an associated access control list. An access control list associated with a lower scope level can further restrict access permitted to the resource by an access control list associated with a higher scope level. Based at least in part on one or more of the access control lists associated with the multiple scope levels, a determination is made as to whether the requested type of access to the resource is permitted.
Type: Grant
Filed: January 8, 2010
Date of Patent: June 11, 2013
Assignee: Microsoft Corporation
Inventors: Raja P. Perumal, Jeffrey B. Hamblin, Paul J. Leach
-
Publication number: 20130124797
Abstract: A virtual disk is comprised of segments of unused capacity of physical computer-readable storage media co-located with computing devices that are communicationally coupled to one another through network communications. The computing devices execute one or more of a client process, a storage process and a controller process. The controller processes manage the metadata of the virtual disk, including a virtual disk topology that defines the relationships between certain ones of the physical computer-readable storage media and a particular virtual disk. The client process provide data for storage to certain ones of the computing devices executing the storage processes, as defined by a virtual disk topology, and also read data from storage from those computing devices. The client process additionally expose the virtual disk in the same manner as any other computer-readable medium.
Type: Application
Filed: November 15, 2011
Publication date: May 16, 2013
Applicant: MICROSOFT CORPORATION
Inventors: Jeffrey B. Hamblin, Saurabh Gupta, Justin Neddo, Joseph Sherman
-
Patent number: 8347085
Abstract: At computer device power on, the operating system of the computer device initiates a monitor. The monitor assigns a monitoring program to each program and object (collectively, “program”) running on the computer device to monitor the activities of the program. When the monitoring program is assigned to a program, the monitoring program is assigned an integrity and/or privacy label (collectively, “integrity label”) based on predetermined criteria applied to the monitored program. The monitoring program, in turn, assigns an integrity label to the program monitored by the monitoring program. The integrity label assigned to the monitored program is less than or equal to the integrity label of the monitoring program. The monitor enforces an integrity policy of the computer device based on the integrity label assigned to monitored programs and the integrity label associated with data, another program, or a remote network resource that the monitored program is seeking to access.
Type: Grant
Filed: December 30, 2011
Date of Patent: January 1, 2013
Assignee: Microsoft Corporation
Inventors: Thekkthalackal Varugis Kurien, Jeffrey B Hamblin, Narasimha Rao Nagampalli, Peter T Brundrett, Scott Field
-
Publication number: 20120102577
Abstract: At computer device power on, the operating system of the computer device initiates a monitor. The monitor assigns a monitoring program to each program and object (collectively, “program”) running on the computer device to monitor the activities of the program. When the monitoring program is assigned to a program, the monitoring program is assigned an integrity and/or privacy label (collectively, “integrity label”) based on predetermined criteria applied to the monitored program. The monitoring program, in turn, assigns an integrity label to the program monitored by the monitoring program. The integrity label assigned to the monitored program is less than or equal to the integrity label of the monitoring program. The monitor enforces an integrity policy of the computer device based on the integrity label assigned to monitored programs and the integrity label associated with data, another program, or a remote network resource that the monitored program is seeking to access.
Type: Application
Filed: December 30, 2011
Publication date: April 26, 2012
Applicant: Microsoft Corporation
Inventors: Thekkthalackal Varugis Kurien, Jeffrey B. Hamblin, Narasimha Rao Nagampalli, Peter T. Brundrett, Scott Field
-
Patent number: 8117441
Abstract: At computer device power on, the operating system of the computer device initiates a monitor. The monitor assigns a monitoring program to each program and object (collectively, “program”) running on the computer device to monitor the activities of the program. When the monitoring program is assigned to a program, the monitoring program is assigned an integrity and/or privacy label (collectively, “integrity label”) based on predetermined criteria applied to the monitored program. The monitoring program, in turn, assigns an integrity label to the program monitored by the monitoring program. The integrity label assigned to the monitored program is less than or equal to the integrity label of the monitoring program. The monitor enforces an integrity policy of the computer device based on the integrity label assigned to monitored programs and the integrity label associated with data, another program, or a remote network resource that the monitored program is seeking to access.
Type: Grant
Filed: June 20, 2006
Date of Patent: February 14, 2012
Assignee: Microsoft Corporation
Inventors: Thekkthalackal Varugis Kurien, Jeffrey B Hamblin, Narasimha Rao Nagampalli, Peter T Brundrett, Scott Field
-
Publication number: 20110239293
Abstract: Described is a technology, such as implemented in an operating system security system, by which a resource's metadata (e.g., including data properties) is evaluated against an audit rule or audit rules associated with that resource (e.g., object). The audit rule may be associated with all such resources corresponding to a resource manager, and/or by a resource-specific audit rule. When a resource is accessed, each audit rule is processed against the metadata to determine whether to generate an audit event for that rule. The audit rule may be in the form of one or more conditional expressions. Audit events may be maintained and queried to obtain audit information for various usage scenarios.
Type: Application
Filed: March 24, 2010
Publication date: September 29, 2011
Applicant: Microsoft Corporation
Inventors: Raja Pazhanivel Perumal, Nir Ben-Zvi, Anders Samuelsson, Jeffrey B. Hamblin, Ran Kalach, Ziquan Li, Matthias H. Wollnik, Clyde Law
-
Publication number: 20110231940
Abstract: Existing mechanisms that control access to data based upon whether the user seeking to access the data is identified among the users that are allowed to access the data, can be extended to further control access based upon the provision of credential data by the user, or processes associated therewith. Access control entries can limit access based upon Boolean conditionals, including those referencing credential data, such that access can be granted only to specific users that provide the credential data or, alternatively, to any user that provides it. The referenced credential data can be specified in the access control information in an obfuscated form for security purposes. Information associated with the user, such as a user token, can be temporarily updated to include credential data when provided by the user, so as to enable access to the data but to prevent such access from remaining open too long.
Type: Application
Filed: March 19, 2010
Publication date: September 22, 2011
Applicant: MICROSOFT CORPORATION
Inventors: Raja Pazhanivel Perumal, Jeffrey B. Hamblin
-
Publication number: 20110173679
Abstract: A scope hierarchy corresponding to a resource to which a type of access is requested is identified, the scope hierarchy including multiple scope levels each of which has an associated access control list. An access control list associated with a lower scope level can further restrict access permitted to the resource by an access control list associated with a higher scope level. Based at least in part on one or more of the access control lists associated with the multiple scope levels, a determination is made as to whether the requested type of access to the resource is permitted.
Type: Application
Filed: January 8, 2010
Publication date: July 14, 2011
Applicant: MICROSOFT CORPORATION
Inventors: Raja P. Perumal, Jeffrey B. Hamblin, Paul J. Leach
-
Publication number: 20110126281
Abstract: Described is a technology by which access to a resource is determined by evaluating a resource label of the resource against a user claim of an access request, according to policy decoupled from the resource. The resource may be a file, and the resource label may be obtained by classifying the file into classification properties, such that a change to the file may change its resource label, thereby changing which users have access to the file. The resource label-based access evaluation may be logically combined with a conventional ACL-based access evaluation to determine whether to grant or deny access to the resource.
Type: Application
Filed: November 20, 2009
Publication date: May 26, 2011
Inventors: Nir Ben-Zvi, Raja Pazhanivel Perumal, Anders Samuelsson, Jeffrey B. Hamblin, Ran Kalach, Ziquan Li, Matthias H. Wollnik, Clyde Law, Paul Adrian Oltean
-
Patent number: 7636851
Abstract: An operating system for a computing device has a first session for a user that includes a first base process that has a first privileges token attached thereto. The first privileges token includes substantially a full set of privileges of the user on the operating system. The operating system also has a second session for the user that includes a second base process that has a second privileges token attached thereto. The second privileges token is derived from the first privileges token and includes only a minimum set of privileges of the user on the operating system. Thus, the second, limited token does not have all privileges associated with the first, full token but instead has a limited set of privileges and not extra privileges that could be employed to take actions that would be harmful, deceptive, or malicious.
Type: Grant
Filed: June 30, 2005
Date of Patent: December 22, 2009
Assignee: Microsoft Corporation
Inventors: Jeffrey B. Hamblin, Jonathan Schwartz, Kedarnath A. Dubhashi, Klaus U. Schutz, Peter T. Brundrett, Richard B. Ward, Thomas C. Jones
-
Patent number: 7434257
Abstract: A dynamic authorization callback mechanism is provided that implements a dynamic authorization model. An application can thus implement virtually any authorization policy by utilizing dynamic data and flexible policy algorithms inherent in the dynamic authorization model. Dynamic data, such as client operation parameter values, client attributes stored in a time-varying or updateable data store, run-time or environmental factors such as time-of-day, and any other static or dynamic data that is managed or retrievable by the application may be evaluated in connection with access control decisions. Hence, applications may define and implement business rules that can be expressed in terms of run-time operations and dynamic data. An application thus has substantial flexibility in defining and implementing custom authorization policy, and at the same time provides standard definitions for such dynamic data and policy.
Type: Grant
Filed: May 4, 2001
Date of Patent: October 7, 2008
Assignee: Microsoft Corporation
Inventors: Praerit Garg, Robert P. Reichel, Richard B. Ward, Kedarnath A. Dubhashi, Jeffrey B. Hamblin, Anne C. Hopkins
-
Publication number: 20080022093
Abstract: At computer device power on, the operating system of the computer device initiates a monitor. The monitor assigns a monitoring program to each program and object (collectively, “program”) running on the computer device to monitor the activities of the program. When the monitoring program is assigned to a program, the monitoring program is assigned an integrity and/or privacy label (collectively, “integrity label”) based on predetermined criteria applied to the monitored program. The monitoring program, in turn, assigns an integrity label to the program monitored by the monitoring program. The integrity label assigned to the monitored program is less than or equal to the integrity label of the monitoring program. The monitor enforces an integrity policy of the computer device based on the integrity label assigned to monitored programs and the integrity label associated with data, another program, or a remote network resource that the monitored program is seeking to access.
Type: Application
Filed: June 20, 2006
Publication date: January 24, 2008
Applicant: Microsoft Corporation
Inventors: Thekkthalackal Varugis Kurien, Jeffrey B. Hamblin, Narasimha Rao Nagampalli, Peter T. Brundrett, Scott Field
-
Patent number: 7248691
Abstract: A hashing structure including multiple sub-hashes is used to determine whether an input value matches one or more of multiple target values. These values can be of any form, such as security identifiers in an access control system. To make the determination, a hash key is obtained from the input value and multiple sub-hash indexes (one for each of the multiple sub-hashes) are generated based on the key. Values are identified from the multiple sub-hashes by indexing into the sub-hashes using respective ones of the sub-hash indexes. These values are then combined to generate a resultant hash value. Each of the multiple target values corresponds to one of multiple portions of the resultant hash value. If the portion corresponding to one of the target values has a particular value, then that target value is a likely match and is compared to the input value to determine if indeed the two match.
Type: Grant
Filed: October 31, 2000
Date of Patent: July 24, 2007
Assignee: Microsoft Corporation
Inventors: Bhalchandra S. Pandit, Robert P. Reichel, Jeffrey B. Hamblin, Kedarnath A. Dubhashi
-
Patent number: 7096367
Abstract: An authorization handle is supported for each access policy determination that is likely to be repeated. In particular, an authorization handle may be assigned to access check results associated with the same discretionary access control list and the same client context. This likelihood may be determined based upon pre-set criteria for the application or service, based on usage history and the like. Once an access policy determination is assigned an authorization handle, the static maximum allowed access is cached for that policy determination. From access check to access check, the set of permissions desired by the client may change, and dynamic factors that might affect the overall privilege grant may also change; however, generally there is still a set of policies that is unaffected by the changes and common across access requests. The cached static maximum allowed access data is thus used to provide efficient operations for the evaluation of common policy sets.
Type: Grant
Filed: May 4, 2001
Date of Patent: August 22, 2006
Assignee: Microsoft Corporation
Inventors: Praerit Garg, Robert P. Reichel, Richard B. Ward, Kedarnath A. Dubhashi, Jeffrey B. Hamblin, Anne C. Hopkins
-
Publication number: 20020166052
Abstract: An authorization handle is supported for each access policy determination that is likely to be repeated. In particular, an authorization handle may be assigned to access check results associated with the same discretionary access control list and the same client context. This likelihood may be determined based upon pre-set criteria for the application or service, based on usage history and the like. Once an access policy determination is assigned an authorization handle, the static maximum allowed access is cached for that policy determination. From access check to access check, the set of permissions desired by the client may change, and dynamic factors that might affect the overall privilege grant may also change; however, generally there is still a set of policies that is unaffected by the changes and common across access requests. The cached static maximum allowed access data is thus used to provide efficient operations for the evaluation of common policy sets.
Type: Application
Filed: May 4, 2001
Publication date: November 7, 2002
Applicant: Microsoft Corporation
Inventors: Praerit Garg, Robert P. Reichel, Richard B. Ward, Kedarnath A. Dubhashi, Jeffrey B. Hamblin, Anne C. Hopkins
-
Publication number: 20020002577
Abstract: A dynamic authorization callback mechanism is provided that implements a dynamic authorization model. An application can thus implement virtually any authorization policy by utilizing dynamic data and flexible policy algorithms inherent in the dynamic authorization model. Dynamic data, such as client operation parameter values, client attributes stored in a time-varying or updateable data store, run-time or environmental factors such as time-of-day, and any other static or dynamic data that is managed or retrievable by the application may be evaluated in connection with access control decisions. Hence, applications may define and implement business rules that can be expressed in terms of run-time operations and dynamic data. An application thus has substantial flexibility in defining and implementing custom authorization policy, and at the same time provides standard definitions for such dynamic data and policy.
Type: Application
Filed: May 4, 2001
Publication date: January 3, 2002
Inventors: Praerit Garg, Robert P. Reichel, Richard B. Ward, Kedarnath A. Dubhashi, Jeffrey B. Hamblin, Anne C. Hopkins