Patents by Inventor Blair B. Dillaway
Blair B. Dillaway has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 9282121Abstract: Security language constructs may be translated into logic language constructs and vice versa. Logic resolution may be effected using, for example, the logic language constructs. In an example implementation, translation of a security language assertion into at least one logic language rule is described. In another example implementation, translation of a proof graph reflecting a logic language into a proof graph reflecting a security language is described. In yet another example implementation, evaluation of a logic language program using a deterministic algorithm is described.Type: GrantFiled: February 13, 2014Date of Patent: March 8, 2016Assignee: Microsoft Technology Licensing, LLCInventors: Moritz Y. Becker, Blair B. Dillaway, Cedric Fournet, Andrew D. Gordon, Jason F. Mackay
-
Patent number: 8938783Abstract: A security language expresses assertions and authorization queries in a manner that facilitates logic resolution. In an example implementation, assertion syntax and authorization query syntax are described. In another example implementation, checks on the safety of assertions and authorization queries are described. In yet another example implementation, semantics rules are described.Type: GrantFiled: September 11, 2006Date of Patent: January 20, 2015Assignee: Microsoft CorporationInventors: Moritz Y. Becker, Blair B. Dillaway, Cedric Fournet, Andrew D. Gordon
-
Patent number: 8839344Abstract: Software tools assist an access-policy analyst or creator to debug and/or author access policies. An access request contains a query that evaluates to either true or false depending on whether access is to be allowed. Abduction may be used to generate assumptions that, if true, would cause the access request to be true. The tool may perform analysis on the generated assumptions, such as: comparing the assumptions with tokens to detect errors in the tokens or to suggest changes to the tokens that would cause the query to be satisfied, or comparing the assumptions to a meta-policy. The tool may allow an analysis, policy author, or other person to interactively walk through assumptions in order to see the implications of the access policy.Type: GrantFiled: January 28, 2008Date of Patent: September 16, 2014Assignee: Microsoft CorporationInventors: Moritz Y. Becker, Blair B. Dillaway, Gregory D. Fee, Jason F. Mackay, Jason Hogg, John M. Leen
-
Publication number: 20140165139Abstract: Security language constructs may be translated into logic language constructs and vice versa. Logic resolution may be effected using, for example, the logic language constructs. In an example implementation, translation of a security language assertion into at least one logic language rule is described. In another example implementation, translation of a proof graph reflecting a logic language into a proof graph reflecting a security language is described. In yet another example implementation, evaluation of a logic language program using a deterministic algorithm is described.Type: ApplicationFiled: February 13, 2014Publication date: June 12, 2014Applicant: Microsoft CorporationInventors: Moritz Y. Becker, Blair B. Dillaway, Cedric Fournet, Andrew D. Gordon, Jason F. Mackay
-
Patent number: 8687804Abstract: For a data transfer, security is negotiated via a control channel operating in accordance with a first protocol. The data is transmitted responsive to the security negotiation on a data channel operating in accordance with a second protocol. For example, a described implementation involves using a security control protocol and a separate secure data transfer protocol that operate cooperatively, but independently, to provide flexible application layer security with highly efficient data transfers.Type: GrantFiled: November 1, 2006Date of Patent: April 1, 2014Assignee: Microsoft CorporationInventor: Blair B. Dillaway
-
Patent number: 8656503Abstract: Security language constructs may be translated into logic language constructs and vise versa. Logic resolution may be effected using, for example, the logic language constructs. In an example implementation, translation of a security language assertion into at least one logic language rule is described. In another example implementation, translation of a proof graph reflecting a logic language into a proof graph reflecting a security language is described. In yet another example implementation, evaluation of a logic language program using a deterministic algorithm is described.Type: GrantFiled: September 11, 2006Date of Patent: February 18, 2014Assignee: Microsoft CorporationInventors: Moritz Y. Becker, Blair B. Dillaway, Cedric Fournet, Andrew D. Gordon, Jason F. Mackay
-
Patent number: 8607311Abstract: Access to a resource may be controlled by a policy, such that a request to access the resource is either granted or denied based on what assertions have been made by various principals. To find the assertions that support a grant of access to the resource, a template may be created that defines the nature of assertions that would cause access to succeed. Assertions may be stored in the form of tokens. The template may be used to search an existing token store to find assertions that have been made, and/or to generate assertions that have not been found in the token store and that would satisfy the template. The assertions in the template may be created by performing an abductive reasoning process on an access query.Type: GrantFiled: December 21, 2007Date of Patent: December 10, 2013Assignee: Microsoft CorporationInventors: Moritz Y. Becker, Blair B. Dillaway, Gregory D. Fee, John M. Leen, Jason F. Mackay
-
Patent number: 8584230Abstract: In an example implementation, a bifurcated security scheme has a first level that does not allow usage of negations and a second level that does permit usage of negations. In another example implementation, an authorization query table maps respective resource-specific operations to respective associated authorization queries. In yet another example implementation, authorization queries are permitted to have negations, but individual assertions are not.Type: GrantFiled: September 27, 2011Date of Patent: November 12, 2013Assignee: Microsoft CorporationInventors: Blair B. Dillaway, Moritz Y. Becker, Andrew D. Gordon, Cedric Fournet
-
Patent number: 8555335Abstract: In an example implementation, a data structure comports with a secure application instruction protocol. The data structure includes a first application-level request and a second application-level request. The first application-level request has application-specific instructions from a requestor and a requestor signature over the application-specific instructions from the requestor. The second application-level request has application-specific instructions from an intermediary and an intermediary signature over at least the application-specific instructions from the intermediary.Type: GrantFiled: November 1, 2006Date of Patent: October 8, 2013Assignee: Microsoft CorporationInventor: Blair B. Dillaway
-
Patent number: 8225378Abstract: The auditing of authorization decisions is facilitated by integrating or coupling an audit policy to access control decisions. In an example implementation, an audit policy of an auditing scheme is coupled to a semantic framework of an access control scheme such that the audit policy is specified using at least a portion of the semantic framework. In another example implementation, audit policy rules include audit content rules that specify what audit information from any of the inputs, the outputs, or the internal data of authorization decisions is to be included in an audit record. In yet another example implementation, a semantic of an audit trigger rule comports with a semantic framework of an access request and of a logical evaluation for an authorization decision.Type: GrantFiled: October 12, 2010Date of Patent: July 17, 2012Assignee: Microsoft CorporationInventor: Blair B. Dillaway
-
Patent number: 8201215Abstract: The delegation of rights may be controlled in a number of manners. In an example implementation, a delegation authority assertion is formulated with a delegator principle, a delegatee principal, a verb phrase, a resource, and a delagation-directive verb. In another example implementation, a delegation mechanism involving an assertor, a first principal, and a second principal enables a delegation to be specifically controlled. In yet another example implementation, a chained delegation mechanism enables explicit control of a permitted transitive chaining depth.Type: GrantFiled: September 8, 2006Date of Patent: June 12, 2012Assignee: Microsoft CorporationInventors: Blair B. Dillaway, Moritz Y. Becker, Andrew D. Gordon, Cedric Fournet
-
Publication number: 20120017263Abstract: In an example implementation, a bifurcated security scheme has a first level that does not allow usage of negations and a second level that does permit usage of negations. In another example implementation, an authorization query table maps respective resource-specific operations to respective associated authorization queries. In yet another example implementation, authorization queries are permitted to have negations, but individual assertions are not.Type: ApplicationFiled: September 27, 2011Publication date: January 19, 2012Applicant: MICROSOFT CORPORATIONInventors: Blair B. Dillaway, Moritz Y. Becker, Andrew D. Gordon, Cedric Fournet
-
Patent number: 8095969Abstract: Security assertion revocation enables a revocation granularity in a security scheme down to the level of individual assertions. In an example implementation, a security token includes multiple respective assertions that are associated with multiple respective assertion identifiers. More specifically, each individual assertion is associated with at least one individual assertion identifier.Type: GrantFiled: September 8, 2006Date of Patent: January 10, 2012Assignee: Microsoft CorporationInventors: Blair B. Dillaway, Moritz Y. Becker, Andrew D. Gordon, Cedric Fournet, Brian A. LaMacchia
-
Patent number: 8060931Abstract: In an example implementation, a bifurcated security scheme has a first level that does not allow usage of negations and a second level that does permit usage of negations. In another example implementation, an authorization query table maps respective resource-specific operations to respective associated authorization queries. In yet another example implementation, authorization queries are permitted to have negations, but individual assertions are not.Type: GrantFiled: September 8, 2006Date of Patent: November 15, 2011Assignee: Microsoft CorporationInventors: Blair B. Dillaway, Moritz Y. Becker, Andrew D. Gordon, Cedric Fournet
-
Publication number: 20110030038Abstract: The auditing of authorization decisions is facilitated by integrating or coupling an audit policy to access control decisions. In an example implementation, an audit policy of an auditing scheme is coupled to a semantic framework of an access control scheme such that the audit policy is specified using at least a portion of the semantic framework. In another example implementation, audit policy rules include audit content rules that specify what audit information from any of the inputs, the outputs, or the internal data of authorization decisions is to be included in an audit record. In yet another example implementation, a semantic of an audit trigger rule comports with a semantic framework of an access request and of a logical evaluation for an authorization decision.Type: ApplicationFiled: October 12, 2010Publication date: February 3, 2011Applicant: Microsoft CorporationInventor: Blair B. Dillaway
-
Patent number: 7814534Abstract: The auditing of authorization decisions is facilitated by integrating or coupling an audit policy to access control decisions. In an example implementation, an audit policy of an auditing scheme is coupled to a semantic framework of an access control scheme such that the audit policy is specified using at least a portion of the semantic framework. In another example implementation, audit policy rules include audit content rules that specify what audit information from any of the inputs, the outputs, or the internal data of authorization decisions is to be included in an audit record. In yet another example implementation, a semantic of an audit trigger rule comports with a semantic framework of an access request and of a logical evaluation for an authorization decision.Type: GrantFiled: September 8, 2006Date of Patent: October 12, 2010Assignee: Microsoft CorporationInventor: Blair B. Dillaway
-
Patent number: 7797544Abstract: To establish trust between first and second entities, the first entity sends an attestation message to the second entity, including a code ID, relevant data, a digital signature based on the code ID and data, and a certificate chain. The second entity verifies the signature and decides whether to in fact enter into a trust-based relationship with the first entity based on the code ID and the data in the attestation message. Upon so deciding, the second entity sends a trust message to the first entity, including a secret to be shared between the first and second entities. The first entity obtains the shared secret in the trust message and employs the shared secret to exchange information with the second entity.Type: GrantFiled: December 11, 2003Date of Patent: September 14, 2010Assignee: Microsoft CorporationInventors: Blair B. Dillaway, Paul England, Marcus Peinado
-
Publication number: 20090193493Abstract: Software tools assist an access-policy analyst or creator to debug and/or author access policies. An access request contains a query that evaluates to either true or false depending on whether access is to be allowed. Abduction may be used to generate assumptions that, if true, would cause the access request to be true. The tool may perform analysis on the generated assumptions, such as: comparing the assumptions with tokens to detect errors in the tokens or to suggest changes to the tokens that would cause the query to be satisfied, or comparing the assumptions to a meta-policy. The tool may allow an analysis, policy author, or other person to interactively walk through assumptions in order to see the implications of the access policy.Type: ApplicationFiled: January 28, 2008Publication date: July 30, 2009Applicant: MICROSOFT CORPORATIONInventors: Moritz Y. Becker, Blair B. Dillaway, Gregory D. Fee, Jason F. Mackay, Jason Hogg, John M. Leen
-
Publication number: 20090165110Abstract: Access to a resource may be controlled by a policy, such that a request to access the resource is either granted or denied based on what assertions have been made by various principals. To find the assertions that support a grant of access to the resource, a template may be created that defines the nature of assertions that would cause access to succeed. Assertions may be stored in the form of tokens. The template may be used to search an existing token store to find assertions that have been made, and/or to generate assertions that have not been found in the token store and that would satisfy the template. The assertions in the template may be created by performing an abductive reasoning process on an access query.Type: ApplicationFiled: December 21, 2007Publication date: June 25, 2009Applicant: MICROSOFT CORPORATIONInventors: Moritz Y. Becker, Blair B. Dillaway, Gregory D. Fee, John M. Leen, Jason F. Mackay
-
Patent number: 7545931Abstract: A method and system for securely storing, managing, and sending critical application data (application secrets) are disclosed. The invention provides an application program interface (API) through which applications (code components) can request a secure store component (SSC) store an application secret, retrieve an application secret, and send an application secret from one code component to another. The SSC encrypts and stores the application secrets using a symmetric cipher algorithm with a key derived by combining machine-specific entropy and evidence associated with the application (or code component), using a mechanism such as a hashing function. When an application requests the SSC to return a stored application secret, the SSC decrypts the secret using a key derived from machine-specific entropy and evidence associated with the application requesting the secret.Type: GrantFiled: April 12, 2002Date of Patent: June 9, 2009Assignee: Microsoft CorporationInventor: Blair B. Dillaway