Patents by Inventor Kelly B. Yancey
Kelly B. Yancey has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 11514157Abstract: Some embodiments provide a method for a device having multiple users. The method identifies a process installed on the device that requires an isolated storage in a file system of the device. For each of a set of the users of the electronic device, the method assigns at least one container for use by the process within a user-specific section of the file system. The containers assigned to the process in a section of the file system specific to a particular user are only accessible by the process when the particular user is logged into the device. The method assigns at least one container for use by the process within a non-user-specific section of the file system. The containers assigned to the process within the non-user-specific section of the file system are accessible by the process irrespective of which user is logged into the device.Type: GrantFiled: April 20, 2020Date of Patent: November 29, 2022Assignee: Apple Inc.Inventors: Andrew S. Terry, Kelly B. Yancey, Pierre-Olivier J. Martel, Richard L. Hagy, Timothy P. Hannon, Alastair K. Fettes
-
Patent number: 11017109Abstract: Embodiments described herein provide techniques to limit programmatic access to privacy related user data and system resources for applications that execute outside of a sandbox or other restricted operating environment while enabling a user to grant additional access to those applications via prompts presented to the user via a graphical interface. In a further embodiment, techniques are applied to limit the frequency in which a user is prompted by learning the types of files or resources to which a user is likely to permit or deny access.Type: GrantFiled: May 6, 2019Date of Patent: May 25, 2021Assignee: Apple Inc.Inventors: Kelly B. Yancey, Richard J. Cooper, Richard L. Hagy, Pierre-Olivier Martel, David P. Remahl, Jonathan A. Zdziarski
-
Publication number: 20200265157Abstract: Some embodiments provide a method for a device having multiple users. The method identifies a process installed on the device that requires an isolated storage in a file system of the device. For each of a set of the users of the electronic device, the method assigns at least one container for use by the process within a user-specific section of the file system. The containers assigned to the process in a section of the file system specific to a particular user are only accessible by the process when the particular user is logged into the device. The method assigns at least one container for use by the process within a non-user-specific section of the file system. The containers assigned to the process within the non-user-specific section of the file system are accessible by the process irrespective of which user is logged into the device.Type: ApplicationFiled: April 20, 2020Publication date: August 20, 2020Inventors: Andrew S. TERRY, Kelly B. YANCEY, Pierre-Olivier J. MARTEL, Richard L. HAGY, Timothy P. HANNON, Alastair K. FETTES
-
Patent number: 10628580Abstract: Some embodiments provide a method for a device having multiple users. The method identifies a process installed on the device that requires an isolated storage in a file system of the device. For each of a set of the users of the electronic device, the method assigns at least one container for use by the process within a user-specific section of the file system. The containers assigned to the process in a section of the file system specific to a particular user are only accessible by the process when the particular user is logged into the device. The method assigns at least one container for use by the process within a non-user-specific section of the file system. The containers assigned to the process within the non-user-specific section of the file system are accessible by the process irrespective of which user is logged into the device.Type: GrantFiled: September 22, 2016Date of Patent: April 21, 2020Assignee: APPLE INC.Inventors: Andrew S. Terry, Kelly B. Yancey, Pierre-Olivier J. Martel, Richard L. Hagy, Timothy P. Hannon, Alastair K. Fettes
-
Patent number: 10592679Abstract: Representative embodiments set forth herein disclose techniques for modifying encryption classes of files. According to some embodiments, a technique can include receiving a request to update an encryption configuration of a file from a current encryption class to an updated encryption class. In response, the technique involves obtaining (i) a first class key associated with the current encryption class, and (ii) a second class key associated with the updated encryption class. Next, the technique involves identifying file extents of the file, where each file extent is encrypted by a respective extent key that is encrypted by the first class key. Finally, the technique involves, for each file extent of the file: (i) decrypting the respective extent key using the first class key to produce a decrypted respective extent key, and (ii) encrypting the decrypted respective extent key using the second class key to produce an updated respective extent key.Type: GrantFiled: September 23, 2016Date of Patent: March 17, 2020Assignee: Apple Inc.Inventors: Eric B. Tamura, Kelly B. Yancey
-
Patent number: 10515209Abstract: A method and apparatus of a device for security management by sandboxing third-party components is described. The device can determine whether a third-party component supports network access. If the third-party component supports network access, the device can request a user input regarding whether to restrict the network access of the component. The device can receive a user input to restrict network access of the third-party component. Upon receiving the user input to restrict network access, the device can construct a sandbox for the third-party component to restrict network access of the component and prevent the component from performing data exfiltration. Other embodiments are also described and claimed.Type: GrantFiled: April 12, 2018Date of Patent: December 24, 2019Assignee: Apple Inc.Inventors: Kelly B. Yancey, Pierre-Olivier J. Martel
-
Publication number: 20190354705Abstract: The disclosed technology addresses the need in the art for assigning multiple containers to a single application. A container can be a specified area of a file system that an assigned application can access to store data, while other applications are restricted access to the container. In some instances, it may be beneficial for multiple applications to share some data, while still maintaining other data in a secure location, thus an application can be assigned to multiple containers, a personal container that can only be accessed by the applications, and a shared container that can be accessed by multiple applications. Further, an application can be assigned an alternate container, in addition to the personal container. The alternate container can be used when an alternate user is using the client device, thus restricting the alternate user from accessing any sensitive data stored in the personal container.Type: ApplicationFiled: July 30, 2019Publication date: November 21, 2019Inventors: Kelly B. Yancey, Jacques Anthony Vidrine, Eric Olaf Carlson, Paul William Chinn, Simon P. Cooper
-
Patent number: 10454679Abstract: This application sets forth a key rolling technique for a file system of a computing device. The key rolling technique allows for files to be transparently re-encrypted in a background process while still allowing applications to access the files being re-encrypted. During re-encryption, at least one file extent of a file is decrypted using a current key for the file extent and re-encrypted using a new key for the file extent. Moreover, the file extent can be relocated to another location in memory during re-encryption to enhance accessibility and crash protection features. Metadata associated with the file can be updated to include information pertaining to both the location of the re-encrypted file extent as well as the new key that can be used to decrypt the re-encrypted file extent. In this manner, the metadata can be used to properly construct a complete file when the file needs to be accessed.Type: GrantFiled: September 23, 2016Date of Patent: October 22, 2019Assignee: Apple Inc.Inventors: Eric B. Tamura, Dominic B. Giampaolo, Kelly B. Yancey
-
Patent number: 10430577Abstract: A method and an apparatus to dynamically distribute privileges among a plurality of processes are described. Each process may have attributes including a privilege to control access to processing resources. A first process may be running with a first privilege prohibited from access to a processing resource. A second process may be running with a second privilege allowed to access the processing resource. The first process may receive a request from the second process to perform a data processing task for the second process. In response, the second privilege may be dynamically transferred to the first process to allow the first process to access the processing resource. The first process may perform operations for the data processing task with the second privilege transferred from the second process.Type: GrantFiled: December 19, 2014Date of Patent: October 1, 2019Assignee: Apple Inc.Inventors: James Michael Magee, Russell A. Blaine, Vishal Patel, Daniel Andreas Steffen, Kevin James Van Vechten, Jacques Anthony Vidrine, Kelly B. Yancey, Jainam A. Shah
-
Patent number: 10410003Abstract: The disclosed technology addresses the need in the art for assigning multiple containers to a single application. A container can be a specified area of a file system that an assigned application can access to store data, while other applications are restricted access to the container. In some instances, it may be beneficial for multiple applications to share some data, while still maintaining other data in a secure location, thus an application can be assigned to multiple containers, a personal container that can only be accessed by the application, and a shared container that can be accessed by multiple applications. Further, an application can be assigned an alternate container, in addition to the personal container. The alternate container can be used when an alternate user is using the client device, thus restricting the alternate user from accessing any sensitive data stored in the personal container.Type: GrantFiled: June 7, 2013Date of Patent: September 10, 2019Assignee: Apple Inc.Inventors: Kelly B. Yancey, Jacques Anthony Vidrine, Eric Olaf Carlson, Paul William Chinn, Simon P. Cooper
-
Patent number: 10216928Abstract: In response to a request for launching an application within an operating system of a data processing system, one or more extended entitlements are extracted from the application, where the one or more extended entitlements specify one or more resources the application is entitled to access. One or more security profile extensions corresponding to the one or more extended entitlements are dynamically generated. A security profile specifically for the application is created based on the one or more security profile extensions and a base security profile that has been previously compiled, where the base security profile specifies a list of a plurality of base resources. The application is then launched in a sandboxed operating environment that is configured based on the security profile specifically generated for the application.Type: GrantFiled: July 28, 2017Date of Patent: February 26, 2019Assignee: Apple Inc.Inventors: Pierre-Olivier J. Martel, Kelly B. Yancey, Richard L. Hagy
-
Publication number: 20180336343Abstract: A method and apparatus of a device for security management by sandboxing third-party components is described. The device can determine whether a third-party component supports network access. If the third-party component supports network access, the device can request a user input regarding whether to restrict the network access of the component. The device can receive a user input to restrict network access of the third-party component. Upon receiving the user input to restrict network access, the device can construct a sandbox for the third-party component to restrict network access of the component and prevent the component from performing data exfiltration. Other embodiments are also described and claimed.Type: ApplicationFiled: April 12, 2018Publication date: November 22, 2018Inventors: Kelly B. Yancey, Pierre-Olivier J. Martel
-
Patent number: 9959405Abstract: A method and apparatus of a device for security management by sandboxing third-party components is described. The device can determine whether a third-party component supports network access. If the third-party component supports network access, the device can request a user input regarding whether to restrict the network access of the component. The device can receive a user input to restrict network access of the third-party component. Upon receiving the user input to restrict network access, the device can construct a sandbox for the third-party component to restrict network access of the component and prevent the component from performing data exfiltration. Other embodiments are also described and claimed.Type: GrantFiled: September 11, 2014Date of Patent: May 1, 2018Assignee: Apple Inc.Inventors: Kelly B. Yancey, Pierre-Olivier J. Martel
-
Publication number: 20180012017Abstract: In response to a request for launching an application within an operating system of a data processing system, one or more extended entitlements are extracted from the application, where the one or more extended entitlements specify one or more resources the application is entitled to access. One or more security profile extensions corresponding to the one or more extended entitlements are dynamically generated. A security profile specifically for the application is created based on the one or more security profile extensions and a base security profile that has been previously compiled, where the base security profile specifies a list of a plurality of base resources. The application is then launched in a sandboxed operating environment that is configured based on the security profile specifically generated for the application.Type: ApplicationFiled: July 28, 2017Publication date: January 11, 2018Inventors: Pierre-Olivier J. Martel, Kelly B. Yancey, Richard L. Hagy
-
Publication number: 20170359175Abstract: Representative embodiments set forth herein disclose techniques for modifying encryption classes of files. According to some embodiments, a technique can include receiving a request to update an encryption configuration of a file from a current encryption class to an updated encryption class. In response, the technique involves obtaining (i) a first class key associated with the current encryption class, and (ii) a second class key associated with the updated encryption class. Next, the technique involves identifying file extents of the file, where each file extent is encrypted by a respective extent key that is encrypted by the first class key. Finally, the technique involves, for each file extent of the file: (i) decrypting the respective extent key using the first class key to produce a decrypted respective extent key, and (ii) encrypting the decrypted respective extent key using the second class key to produce an updated respective extent key.Type: ApplicationFiled: September 23, 2016Publication date: December 14, 2017Inventors: Eric B. TAMURA, Kelly B. YANCEY
-
Publication number: 20170359174Abstract: This application sets forth a key rolling technique for a file system of a computing device. The key rolling technique allows for files to be transparently re-encrypted in a background process while still allowing applications to access the files being re-encrypted. During re-encryption, at least one file extent of a file is decrypted using a current key for the file extent and re-encrypted using a new key for the file extent. Moreover, the file extent can be relocated to another location in memory during re-encryption to enhance accessibility and crash protection features. Metadata associated with the file can be updated to include information pertaining to both the location of the re-encrypted file extent as well as the new key that can be used to decrypt the re-encrypted file extent. In this manner, the metadata can be used to properly construct a complete file when the file needs to be accessed.Type: ApplicationFiled: September 23, 2016Publication date: December 14, 2017Inventors: Eric B. TAMURA, Dominic B. GIAMPAOLO, Kelly B. YANCEY
-
Patent number: 9734327Abstract: In response to a request for launching an application within an operating system of a data processing system, one or more extended entitlements are extracted from the application, where the one or more extended entitlements specify one or more resources the application is entitled to access. One or more security profile extensions corresponding to the one or more extended entitlements are dynamically generated. A security profile specifically for the application is created based on the one or more security profile extensions and a base security profile that has been previously compiled, where the base security profile specifies a list of a plurality of base resources. The application is then launched in a sandboxed operating environment that is configured based on the security profile specifically generated for the application.Type: GrantFiled: May 23, 2016Date of Patent: August 15, 2017Assignee: Apple Inc.Inventors: Pierre-Olivier J Martel, Kelly B. Yancey, Richard L. Hagy
-
Publication number: 20170199883Abstract: Some embodiments provide a method for a device having multiple users. The method identifies a process installed on the device that requires an isolated storage in a file system of the device. For each of a set of the users of the electronic device, the method assigns at least one container for use by the process within a user-specific section of the file system. The containers assigned to the process in a section of the file system specific to a particular user are only accessible by the process when the particular user is logged into the device. The method assigns at least one container for use by the process within a non-user-specific section of the file system. The containers assigned to the process within the non-user-specific section of the file system are accessible by the process irrespective of which user is logged into the device.Type: ApplicationFiled: September 22, 2016Publication date: July 13, 2017Inventors: Andrew S. Terry, Kelly B. Yancey, Pierre-Olivier J. Martel, Richard L. Hagy, Timothy P. Hannon, Alastair K. Fettes
-
Publication number: 20170053113Abstract: In response to a request for launching an application within an operating system of a data processing system, one or more extended entitlements are extracted from the application, where the one or more extended entitlements specify one or more resources the application is entitled to access. One or more security profile extensions corresponding to the one or more extended entitlements are dynamically generated. A security profile specifically for the application is created based on the one or more security profile extensions and a base security profile that has been previously compiled, where the base security profile specifies a list of a plurality of base resources. The application is then launched in a sandboxed operating environment that is configured based on the security profile specifically generated for the application.Type: ApplicationFiled: May 23, 2016Publication date: February 23, 2017Inventors: Pierre-Olivier J. Martel, Kelly B. Yancey, Richard L. Hagy
-
Patent number: 9361454Abstract: In response to a request for launching an application within an operating system of a data processing system, one or more extended entitlements are extracted from the application, where the one or more extended entitlements specify one or more resources the application is entitled to access. One or more security profile extensions corresponding to the one or more extended entitlements are dynamically generated. A security profile specifically for the application is created based on the one or more security profile extensions and a base security profile that has been previously compiled, where the base security profile specifies a list of a plurality of base resources. The application is then launched in a sandboxed operating environment that is configured based on the security profile specifically generated for the application.Type: GrantFiled: May 30, 2014Date of Patent: June 7, 2016Assignee: Apple Inc.Inventors: Pierre-Olivier J. Martel, Kelly B. Yancey, Richard L. Hagy