Patents by Inventor Thomas Keefe
Thomas Keefe has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Patent number: 10339336Abstract: One embodiment of the present invention provides a system that facilitates encryption of data within a column of a database. The system operates by first receiving a command to perform a database operation. Next, the system parses the command to create a parse tree. The system then examines the parse tree to determine if a column referenced in the parse tree is an encrypted column. If a column referenced in the parse tree is an encrypted column, the system automatically transforms the command to include one or more cryptographic commands to facilitate accessing the encrypted column while performing the database operation.Type: GrantFiled: June 11, 2003Date of Patent: July 2, 2019Assignee: Oracle International CorporationInventors: Chon Hei Lei, Thomas Keefe, Daniel M. Wong
-
Patent number: 10049205Abstract: Techniques are provided for integrating application-level user security context with a database. A session manager, in a middle tier that includes an application, obtains the security context of a user and establishes, in the database, a light-weight session (LWS) that reflects the security context. The security context is synchronized between the middle tier and database before application code execution. The database maintains an isolated copy of the LWS for the unit of application code executed as the security context. The database sends to the session manager the identifier of the copy of LWS. Before allowing a request from an application to be sent to the database, the session manager, transparent to the application, inserts an identifier that identifies the LWS. In this way, the database processes an application request in the context of the corresponding user's security context that is the same as the security context in the middle tier.Type: GrantFiled: June 25, 2014Date of Patent: August 14, 2018Assignee: Oracle International CorporationInventors: Tanvir Ahmed, Thomas Keefe, Vikram R. Pesati
-
Patent number: 9886590Abstract: An application platform examines, at runtime, various specified aspects of an application environment in which an application interacts with a user. Such examinations are made to determine a state for each of the various specified aspects. Further, the platform automatically activates particular application environment roles for the user depending on the result of the examinations. For example, an application environment role may be activated representing a particular detected mode of communication (e.g., encrypted network communications) or a particular detected manner of authentication (e.g., password authentication). Such activations are based on the detected states and specified states for the various specified aspects of the application environment. Such activations may occur in the context of an application attempting to perform an operation on an access controlled object on behalf of a user.Type: GrantFiled: July 23, 2009Date of Patent: February 6, 2018Assignee: Oracle International CorporationInventors: Janaki Narasinghanallur, Min-Hank Ho, Thomas Keefe, Eric Sedlar, Chi Ching Chui, Vikram Pesati
-
Patent number: 9495394Abstract: A method and apparatus are described for sharing a session to access a database. A database server receives, in a session, a session context identifier and a command. The session context identifier identifies a session context to use for the session. The session context is a set of information or commands that plug into a session state and specify how commands in the session are to be performed for a particular user or privilege level. In response to receiving the identifier, the database server associates the session context with the database session for the connection. The database server uses the session context to process the command. The session context may then be detached from the session, allowing another user to attach to the session via another session context.Type: GrantFiled: August 29, 2013Date of Patent: November 15, 2016Assignee: Oracle International CorporationInventors: Janaki Narasinghanallur, Min-Hank Ho, Eric Sedlar, Thomas Keefe, Chon Hei Lei, Vikram Pesati
-
Patent number: 9477671Abstract: A system providing a method for implementing effective date constraints in a role hierarchy is described. In one embodiment, for example, the method comprises the steps of: storing data that represents a first effective date constraint on a role of a role hierarchy, the first effective date constraint having a start date and an end date; storing data in a database that represents a second effective date constraint on a grant of the role to a grantee, the second effective date constraint having a start date and an end date; storing data in a database that represents a third effective date constraint on the grantee, the third effective date constraint having a start date and an end date; and computing a net effective date constraint for the role by computing the intersection of the first effective date constraint, the second effective date constraint, and the third effective date constraint.Type: GrantFiled: May 27, 2009Date of Patent: October 25, 2016Assignee: Oracle International CorporationInventors: Rafae Bhatti, Janaki Narasinghanallur, Thomas Keefe, Vikram Pesati
-
Patent number: 9471801Abstract: Embodiments of the present invention provide systems and techniques for creating, updating, and using an ACL (access control list). A database system may include a constraining ACL which represents a global security policy that is to be applied to all applications that interact with the database. By ensuring that all ACLs inherit from the constraining ACL, the database system can ensure that the global security policy is applied to all applications that interact with the database. During operation, the system may receive a request to create or update an ACL. Before creating or updating the ACL, the system may modify the ACL to ensure that it inherits from the constraining ACL. In an embodiment, the system grants a privilege to a user only if both the ACL and the constraining ACL grant the privilege.Type: GrantFiled: November 29, 2007Date of Patent: October 18, 2016Assignee: ORACLE INTERNATIONAL CORPORATIONInventors: Sam Idicula, Thomas Keefe, Mohammed Irfan Rafiq, Tanvir Ahmed, Vikram Pesati, Nipun Agarwal
-
Publication number: 20150379257Abstract: Techniques are provided for integrating application-level user security context with a database. A session manager, in a middle tier that includes an application, obtains the security context of a user and establishes, in the database, a light-weight session (LWS) that reflects the security context. The security context is synchronized between the middle tier and database before application code execution. The database maintains an isolated copy of the LWS for the unit of application code executed as the security context. The database sends to the session manager the identifier of the copy of LWS. Before allowing a request from an application to be sent to the database, the session manager, transparent to the application, inserts an identifier that identifies the LWS. In this way, the database processes an application request in the context of the corresponding user's security context that is the same as the security context in the middle tier.Type: ApplicationFiled: June 25, 2014Publication date: December 31, 2015Inventors: Tanvir Ahmed, Thomas Keefe, Vikram R. Pesati
-
Patent number: 9043309Abstract: Techniques are provided for a database server to identify a query that comprises an access check operator specifying a data access control policy, and if so, to re-write the query to produce an optimized query execution plan. A first technique rewrites a query comprising an access check operator based on the privileges associated with the database principal requesting the query. The rewritten query exposes the access predicates relevant to the requesting principal to subsequent database optimization processes. A second technique rewrites a query comprising an access check operator that specifies a data security policy that does not include a denied privilege. A third technique rewrites a query that comprises an access check operator specifying one or more database table columns that store row-specific access control lists. The rewritten queries are used to generate a query execution plan that provides for several query execution optimizations.Type: GrantFiled: June 5, 2012Date of Patent: May 26, 2015Assignee: ORACLE INTERNATIONAL CORPORATIONInventors: Tanvir Ahmed, Thomas Keefe, Chao Liang, Vikram Pesati
-
Patent number: 8732847Abstract: Techniques are provided for access control in a system. A request is received for checking whether a subject has a privilege for a resource. A security class that defines a plurality of privileges that include the requested privilege is determined. One or more access control lists have been configured for the security class. The one or more access control lists comprise one or more access control entries. Each of the one more access control entry defines whether one or more subjects has been granted or denied to zero, one or more of the plurality of privileges defined in the security class. Based on the access control lists configured for the security class, it is determined whether the subject should be granted the privilege for the requested resource.Type: GrantFiled: August 31, 2009Date of Patent: May 20, 2014Assignee: Oracle International CorporationInventors: Thomas Keefe, Tanvir Ahmed, Vikram Pesati, Roger Wigenstam
-
Patent number: 8635660Abstract: Systems, methods, and machine-readable media are disclosed for providing dynamic and/or conditional constraints on queries based on an external security policy. In one embodiment, a method is provided which comprises receiving from a user a request to access a resource. A condition clause can be read from a grant statement defined in the security policy. The grant statement can define permission for the user to access the requested resource. In some cases, the grant statement can comprise a Java Authentication and Authorization Service (JAAS) grant statement. A query associated with the requested access can be modified based on the permission granted to the user. The modified query can then be made to perform the requested access.Type: GrantFiled: December 6, 2005Date of Patent: January 21, 2014Assignee: Oracle International CorporationInventors: Raymond K. Ng, Ganesh Kirti, Thomas Keefe, Naresh Kumar
-
Publication number: 20140006344Abstract: A method and apparatus are described for sharing a session to access a database. A database server receives, in a session, a session context identifier and a command. The session context identifier identifies a session context to use for the session. The session context is a set of information or commands that plug into a session state and specify how commands in the session are to be performed for a particular user or privilege level. In response to receiving the identifier, the database server associates the session context with the database session for the connection. The database server uses the session context to process the command. The session context may then be detached from the session, allowing another user to attach to the session via another session context.Type: ApplicationFiled: August 29, 2013Publication date: January 2, 2014Applicant: Oracle International CorporationInventors: JANAKI NARASINGHANALLUR, MIN-HANK HO, ERIC SEDLAR, THOMAS KEEFE, CHON HEI LEI, VIKRAM PESATI
-
Publication number: 20130325841Abstract: Techniques are provided for a database server to identify a query that comprises an access check operator specifying a data access control policy, and if so, to re-write the query to produce an optimized query execution plan. A first technique rewrites a query comprising an access check operator based on the privileges associated with the database principal requesting the query. The rewritten query exposes the access predicates relevant to the requesting principal to subsequent database optimization processes. A second technique rewrites a query comprising an access check operator that specifies a data security policy that does not include a denied privilege. A third technique rewrites a query that comprises an access check operator specifying one or more database table columns that store row-specific access control lists. The rewritten queries are used to generate a query execution plan that provides for several query execution optimizations.Type: ApplicationFiled: June 5, 2012Publication date: December 5, 2013Inventors: Tanvir Ahmed, Thomas Keefe, Chao Liang, Vikram Pesati
-
Patent number: 8549038Abstract: A method and apparatus are described for sharing a session to access a database. A database server receives, in a session, a session context identifier and a command. The session context identifier identifies a session context to use for the session. The session context is a set of information or commands that plug into a session state and specify how commands in the session are to be performed for a particular user or privilege level. In response to receiving the identifier, the database server associates the session context with the database session for the connection. The database server uses the session context to process the command. The session context may then be detached from the session, allowing another user to attach to the session via another session context.Type: GrantFiled: June 15, 2009Date of Patent: October 1, 2013Assignee: Oracle International CorporationInventors: Janaki Narasinghanallur, Min-Hank Ho, Eric Sedlar, Thomas Keefe, Chon Hei Lei, Vikram Pesati
-
Patent number: 8220033Abstract: One embodiment of the present invention provides a system that facilitates accessing a credential. During operation, the system receives a request at a credentials-storage framework (CSF) to retrieve the credential. If a target credential store containing the credential is not already connected to the CSF, the system looks up a bootstrap credential for the target credential store in a bootstrap credential store, which contains bootstrap credentials for other credential stores. Next, the system uses this bootstrap credential to connect the CSF to the target credential store. Finally, the system retrieves the credential from the target credential store, and returns the credential to the requestor.Type: GrantFiled: May 3, 2006Date of Patent: July 10, 2012Assignee: Oracle International CorporationInventors: Raymond K. Ng, Ganesh Kirti, Thomas Keefe, Naresh Kumar
-
Patent number: 7945960Abstract: Systems, methods, and machine-readable media are disclosed for providing conditional grants of permission in an externally configured security policy. In one embodiment, a method is provided which comprises reading a condition clause from a grant statement defined in the security policy. The grant statement can cause the granting of permission for a user to access a requested resource. One or more constraints on the grant statement can be determined based on the condition clause. Permission can be granted to access the requested resource based on the one or more constraints.Type: GrantFiled: December 6, 2005Date of Patent: May 17, 2011Assignee: Oracle International CorporationInventors: Raymond K. Ng, Ganesh Kirti, Thomas Keefe, Naresh Kumar
-
Publication number: 20110055918Abstract: Techniques are provided for access control in a system. A request is received for checking whether a subject has a privilege for a resource. A security class that defines a plurality of privileges that include the requested privilege is determined. One or more access control lists have been configured for the security class. The one or more access control lists comprise one or more access control entries. Each of the one more access control entry defines whether one or more subjects has been granted or denied to zero, one or more of the plurality of privileges defined in the security class. Based on the access control lists configured for the security class, it is determined whether the subject should be granted the privilege for the requested resource.Type: ApplicationFiled: August 31, 2009Publication date: March 3, 2011Applicant: ORACLE INTERNATIONAL CORPORATIONInventors: Thomas Keefe, Tanvir Ahmed, Vikram Pesati, Roger Wigenstam
-
Publication number: 20110023082Abstract: An application platform examines, at runtime, various specified aspects of an application environment in which an application interacts with a user. Such examinations are made to determine a state for each of the various specified aspects. Further, the platform automatically activates particular application environment roles for the user depending on the result of the examinations. For example, an application environment role may be activated representing a particular detected mode of communication (e.g., encrypted network communications) or a particular detected manner of authentication (e.g., password authentication). Such activations are based on the detected states and specified states for the various specified aspects of the application environment. Such activations may occur in the context of an application attempting to perform an operation on an access controlled object on behalf of a user.Type: ApplicationFiled: July 23, 2009Publication date: January 27, 2011Inventors: Janaki Narasinghanallur, Min-Hank Ho, Thomas Keefe, Eric Sedlar, Chi Ching Chui, Vikram Pesati
-
Publication number: 20100318570Abstract: A method and apparatus are described for sharing a session to access a database. A database server receives, in a session, a session context identifier and a command. The session context identifier identifies a session context to use for the session. The session context is a set of information or commands that plug into a session state and specify how commands in the session are to be performed for a particular user or privilege level. In response to receiving the identifier, the database server associates the session context with the database session for the connection. The database server uses the session context to process the command. The session context may then be detached from the session, allowing another user to attach to the session via another session context.Type: ApplicationFiled: June 15, 2009Publication date: December 16, 2010Applicant: ORACLE INTERNATIONAL CORPORATIONInventors: Janaki Narasinghanallur, Min-Hank Ho, Eric Sedlar, Thomas Keefe, Chon Hei Lei, Vlkram Pesati
-
Publication number: 20100306268Abstract: A system providing a method for implementing effective date constraints in a role hierarchy is described. In one embodiment, for example, the method comprises the steps of: storing data that represents a first effective date constraint on a role of a role hierarchy, the first effective date constraint having a start date and an end date; storing data in a database that represents a second effective date constraint on a grant of the role to a grantee, the second effective date constraint having a start date and an end date; storing data in a database that represents a third effective date constraint on the grantee, the third effective date constraint having a start date and an end date; and computing a net effective date constraint for the role by computing the intersection of the first effective date constraint, the second effective date constraint, and the third effective date constraint.Type: ApplicationFiled: May 27, 2009Publication date: December 2, 2010Inventors: Rafae Bhatti, Janaki Narasinghanallur, Thomas Keefe, Vikram Pesati
-
Patent number: 7761704Abstract: One embodiment of the present invention provides a system that can expire encrypted-data. During operation, the system receives an expiry-request that includes object-identifying information, which can be used to identify a set of database objects that contain the encrypted-data, wherein a database object can be a table, a partition, a row, or a column in a row. Furthermore, a database object can have an expiration time, and it can be stored in an archive, which is typically used to store large amounts of data for long periods using a slower, but cheaper storage medium than the storage medium used by the database. The system then identifies a set of keys for the encrypted-data using the object-identifying information. Next, the system deletes the set of keys, thereby expiring the encrypted-data. Note that, deleting the set of keys ensures that the secure key repository does not contain any stale keys associated with expired encrypted-data.Type: GrantFiled: March 17, 2005Date of Patent: July 20, 2010Assignee: Oracle International CorporationInventors: Min-Hank Ho, Daniel ManHung Wong, Chon Hei Lei, Thomas Keefe