Patents by Inventor Thomas Keefe

Thomas Keefe has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10339336
    Abstract: One embodiment of the present invention provides a system that facilitates encryption of data within a column of a database. The system operates by first receiving a command to perform a database operation. Next, the system parses the command to create a parse tree. The system then examines the parse tree to determine if a column referenced in the parse tree is an encrypted column. If a column referenced in the parse tree is an encrypted column, the system automatically transforms the command to include one or more cryptographic commands to facilitate accessing the encrypted column while performing the database operation.
    Type: Grant
    Filed: June 11, 2003
    Date of Patent: July 2, 2019
    Assignee: Oracle International Corporation
    Inventors: Chon Hei Lei, Thomas Keefe, Daniel M. Wong
  • Patent number: 10049205
    Abstract: Techniques are provided for integrating application-level user security context with a database. A session manager, in a middle tier that includes an application, obtains the security context of a user and establishes, in the database, a light-weight session (LWS) that reflects the security context. The security context is synchronized between the middle tier and database before application code execution. The database maintains an isolated copy of the LWS for the unit of application code executed as the security context. The database sends to the session manager the identifier of the copy of LWS. Before allowing a request from an application to be sent to the database, the session manager, transparent to the application, inserts an identifier that identifies the LWS. In this way, the database processes an application request in the context of the corresponding user's security context that is the same as the security context in the middle tier.
    Type: Grant
    Filed: June 25, 2014
    Date of Patent: August 14, 2018
    Assignee: Oracle International Corporation
    Inventors: Tanvir Ahmed, Thomas Keefe, Vikram R. Pesati
  • Patent number: 9886590
    Abstract: An application platform examines, at runtime, various specified aspects of an application environment in which an application interacts with a user. Such examinations are made to determine a state for each of the various specified aspects. Further, the platform automatically activates particular application environment roles for the user depending on the result of the examinations. For example, an application environment role may be activated representing a particular detected mode of communication (e.g., encrypted network communications) or a particular detected manner of authentication (e.g., password authentication). Such activations are based on the detected states and specified states for the various specified aspects of the application environment. Such activations may occur in the context of an application attempting to perform an operation on an access controlled object on behalf of a user.
    Type: Grant
    Filed: July 23, 2009
    Date of Patent: February 6, 2018
    Assignee: Oracle International Corporation
    Inventors: Janaki Narasinghanallur, Min-Hank Ho, Thomas Keefe, Eric Sedlar, Chi Ching Chui, Vikram Pesati
  • Patent number: 9495394
    Abstract: A method and apparatus are described for sharing a session to access a database. A database server receives, in a session, a session context identifier and a command. The session context identifier identifies a session context to use for the session. The session context is a set of information or commands that plug into a session state and specify how commands in the session are to be performed for a particular user or privilege level. In response to receiving the identifier, the database server associates the session context with the database session for the connection. The database server uses the session context to process the command. The session context may then be detached from the session, allowing another user to attach to the session via another session context.
    Type: Grant
    Filed: August 29, 2013
    Date of Patent: November 15, 2016
    Assignee: Oracle International Corporation
    Inventors: Janaki Narasinghanallur, Min-Hank Ho, Eric Sedlar, Thomas Keefe, Chon Hei Lei, Vikram Pesati
  • Patent number: 9477671
    Abstract: A system providing a method for implementing effective date constraints in a role hierarchy is described. In one embodiment, for example, the method comprises the steps of: storing data that represents a first effective date constraint on a role of a role hierarchy, the first effective date constraint having a start date and an end date; storing data in a database that represents a second effective date constraint on a grant of the role to a grantee, the second effective date constraint having a start date and an end date; storing data in a database that represents a third effective date constraint on the grantee, the third effective date constraint having a start date and an end date; and computing a net effective date constraint for the role by computing the intersection of the first effective date constraint, the second effective date constraint, and the third effective date constraint.
    Type: Grant
    Filed: May 27, 2009
    Date of Patent: October 25, 2016
    Assignee: Oracle International Corporation
    Inventors: Rafae Bhatti, Janaki Narasinghanallur, Thomas Keefe, Vikram Pesati
  • Patent number: 9471801
    Abstract: Embodiments of the present invention provide systems and techniques for creating, updating, and using an ACL (access control list). A database system may include a constraining ACL which represents a global security policy that is to be applied to all applications that interact with the database. By ensuring that all ACLs inherit from the constraining ACL, the database system can ensure that the global security policy is applied to all applications that interact with the database. During operation, the system may receive a request to create or update an ACL. Before creating or updating the ACL, the system may modify the ACL to ensure that it inherits from the constraining ACL. In an embodiment, the system grants a privilege to a user only if both the ACL and the constraining ACL grant the privilege.
    Type: Grant
    Filed: November 29, 2007
    Date of Patent: October 18, 2016
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Sam Idicula, Thomas Keefe, Mohammed Irfan Rafiq, Tanvir Ahmed, Vikram Pesati, Nipun Agarwal
  • Publication number: 20150379257
    Abstract: Techniques are provided for integrating application-level user security context with a database. A session manager, in a middle tier that includes an application, obtains the security context of a user and establishes, in the database, a light-weight session (LWS) that reflects the security context. The security context is synchronized between the middle tier and database before application code execution. The database maintains an isolated copy of the LWS for the unit of application code executed as the security context. The database sends to the session manager the identifier of the copy of LWS. Before allowing a request from an application to be sent to the database, the session manager, transparent to the application, inserts an identifier that identifies the LWS. In this way, the database processes an application request in the context of the corresponding user's security context that is the same as the security context in the middle tier.
    Type: Application
    Filed: June 25, 2014
    Publication date: December 31, 2015
    Inventors: Tanvir Ahmed, Thomas Keefe, Vikram R. Pesati
  • Patent number: 9043309
    Abstract: Techniques are provided for a database server to identify a query that comprises an access check operator specifying a data access control policy, and if so, to re-write the query to produce an optimized query execution plan. A first technique rewrites a query comprising an access check operator based on the privileges associated with the database principal requesting the query. The rewritten query exposes the access predicates relevant to the requesting principal to subsequent database optimization processes. A second technique rewrites a query comprising an access check operator that specifies a data security policy that does not include a denied privilege. A third technique rewrites a query that comprises an access check operator specifying one or more database table columns that store row-specific access control lists. The rewritten queries are used to generate a query execution plan that provides for several query execution optimizations.
    Type: Grant
    Filed: June 5, 2012
    Date of Patent: May 26, 2015
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Tanvir Ahmed, Thomas Keefe, Chao Liang, Vikram Pesati
  • Patent number: 8732847
    Abstract: Techniques are provided for access control in a system. A request is received for checking whether a subject has a privilege for a resource. A security class that defines a plurality of privileges that include the requested privilege is determined. One or more access control lists have been configured for the security class. The one or more access control lists comprise one or more access control entries. Each of the one more access control entry defines whether one or more subjects has been granted or denied to zero, one or more of the plurality of privileges defined in the security class. Based on the access control lists configured for the security class, it is determined whether the subject should be granted the privilege for the requested resource.
    Type: Grant
    Filed: August 31, 2009
    Date of Patent: May 20, 2014
    Assignee: Oracle International Corporation
    Inventors: Thomas Keefe, Tanvir Ahmed, Vikram Pesati, Roger Wigenstam
  • Patent number: 8635660
    Abstract: Systems, methods, and machine-readable media are disclosed for providing dynamic and/or conditional constraints on queries based on an external security policy. In one embodiment, a method is provided which comprises receiving from a user a request to access a resource. A condition clause can be read from a grant statement defined in the security policy. The grant statement can define permission for the user to access the requested resource. In some cases, the grant statement can comprise a Java Authentication and Authorization Service (JAAS) grant statement. A query associated with the requested access can be modified based on the permission granted to the user. The modified query can then be made to perform the requested access.
    Type: Grant
    Filed: December 6, 2005
    Date of Patent: January 21, 2014
    Assignee: Oracle International Corporation
    Inventors: Raymond K. Ng, Ganesh Kirti, Thomas Keefe, Naresh Kumar
  • Publication number: 20140006344
    Abstract: A method and apparatus are described for sharing a session to access a database. A database server receives, in a session, a session context identifier and a command. The session context identifier identifies a session context to use for the session. The session context is a set of information or commands that plug into a session state and specify how commands in the session are to be performed for a particular user or privilege level. In response to receiving the identifier, the database server associates the session context with the database session for the connection. The database server uses the session context to process the command. The session context may then be detached from the session, allowing another user to attach to the session via another session context.
    Type: Application
    Filed: August 29, 2013
    Publication date: January 2, 2014
    Applicant: Oracle International Corporation
    Inventors: JANAKI NARASINGHANALLUR, MIN-HANK HO, ERIC SEDLAR, THOMAS KEEFE, CHON HEI LEI, VIKRAM PESATI
  • Publication number: 20130325841
    Abstract: Techniques are provided for a database server to identify a query that comprises an access check operator specifying a data access control policy, and if so, to re-write the query to produce an optimized query execution plan. A first technique rewrites a query comprising an access check operator based on the privileges associated with the database principal requesting the query. The rewritten query exposes the access predicates relevant to the requesting principal to subsequent database optimization processes. A second technique rewrites a query comprising an access check operator that specifies a data security policy that does not include a denied privilege. A third technique rewrites a query that comprises an access check operator specifying one or more database table columns that store row-specific access control lists. The rewritten queries are used to generate a query execution plan that provides for several query execution optimizations.
    Type: Application
    Filed: June 5, 2012
    Publication date: December 5, 2013
    Inventors: Tanvir Ahmed, Thomas Keefe, Chao Liang, Vikram Pesati
  • Patent number: 8549038
    Abstract: A method and apparatus are described for sharing a session to access a database. A database server receives, in a session, a session context identifier and a command. The session context identifier identifies a session context to use for the session. The session context is a set of information or commands that plug into a session state and specify how commands in the session are to be performed for a particular user or privilege level. In response to receiving the identifier, the database server associates the session context with the database session for the connection. The database server uses the session context to process the command. The session context may then be detached from the session, allowing another user to attach to the session via another session context.
    Type: Grant
    Filed: June 15, 2009
    Date of Patent: October 1, 2013
    Assignee: Oracle International Corporation
    Inventors: Janaki Narasinghanallur, Min-Hank Ho, Eric Sedlar, Thomas Keefe, Chon Hei Lei, Vikram Pesati
  • Patent number: 8220033
    Abstract: One embodiment of the present invention provides a system that facilitates accessing a credential. During operation, the system receives a request at a credentials-storage framework (CSF) to retrieve the credential. If a target credential store containing the credential is not already connected to the CSF, the system looks up a bootstrap credential for the target credential store in a bootstrap credential store, which contains bootstrap credentials for other credential stores. Next, the system uses this bootstrap credential to connect the CSF to the target credential store. Finally, the system retrieves the credential from the target credential store, and returns the credential to the requestor.
    Type: Grant
    Filed: May 3, 2006
    Date of Patent: July 10, 2012
    Assignee: Oracle International Corporation
    Inventors: Raymond K. Ng, Ganesh Kirti, Thomas Keefe, Naresh Kumar
  • Patent number: 7945960
    Abstract: Systems, methods, and machine-readable media are disclosed for providing conditional grants of permission in an externally configured security policy. In one embodiment, a method is provided which comprises reading a condition clause from a grant statement defined in the security policy. The grant statement can cause the granting of permission for a user to access a requested resource. One or more constraints on the grant statement can be determined based on the condition clause. Permission can be granted to access the requested resource based on the one or more constraints.
    Type: Grant
    Filed: December 6, 2005
    Date of Patent: May 17, 2011
    Assignee: Oracle International Corporation
    Inventors: Raymond K. Ng, Ganesh Kirti, Thomas Keefe, Naresh Kumar
  • Publication number: 20110055918
    Abstract: Techniques are provided for access control in a system. A request is received for checking whether a subject has a privilege for a resource. A security class that defines a plurality of privileges that include the requested privilege is determined. One or more access control lists have been configured for the security class. The one or more access control lists comprise one or more access control entries. Each of the one more access control entry defines whether one or more subjects has been granted or denied to zero, one or more of the plurality of privileges defined in the security class. Based on the access control lists configured for the security class, it is determined whether the subject should be granted the privilege for the requested resource.
    Type: Application
    Filed: August 31, 2009
    Publication date: March 3, 2011
    Applicant: ORACLE INTERNATIONAL CORPORATION
    Inventors: Thomas Keefe, Tanvir Ahmed, Vikram Pesati, Roger Wigenstam
  • Publication number: 20110023082
    Abstract: An application platform examines, at runtime, various specified aspects of an application environment in which an application interacts with a user. Such examinations are made to determine a state for each of the various specified aspects. Further, the platform automatically activates particular application environment roles for the user depending on the result of the examinations. For example, an application environment role may be activated representing a particular detected mode of communication (e.g., encrypted network communications) or a particular detected manner of authentication (e.g., password authentication). Such activations are based on the detected states and specified states for the various specified aspects of the application environment. Such activations may occur in the context of an application attempting to perform an operation on an access controlled object on behalf of a user.
    Type: Application
    Filed: July 23, 2009
    Publication date: January 27, 2011
    Inventors: Janaki Narasinghanallur, Min-Hank Ho, Thomas Keefe, Eric Sedlar, Chi Ching Chui, Vikram Pesati
  • Publication number: 20100318570
    Abstract: A method and apparatus are described for sharing a session to access a database. A database server receives, in a session, a session context identifier and a command. The session context identifier identifies a session context to use for the session. The session context is a set of information or commands that plug into a session state and specify how commands in the session are to be performed for a particular user or privilege level. In response to receiving the identifier, the database server associates the session context with the database session for the connection. The database server uses the session context to process the command. The session context may then be detached from the session, allowing another user to attach to the session via another session context.
    Type: Application
    Filed: June 15, 2009
    Publication date: December 16, 2010
    Applicant: ORACLE INTERNATIONAL CORPORATION
    Inventors: Janaki Narasinghanallur, Min-Hank Ho, Eric Sedlar, Thomas Keefe, Chon Hei Lei, Vlkram Pesati
  • Publication number: 20100306268
    Abstract: A system providing a method for implementing effective date constraints in a role hierarchy is described. In one embodiment, for example, the method comprises the steps of: storing data that represents a first effective date constraint on a role of a role hierarchy, the first effective date constraint having a start date and an end date; storing data in a database that represents a second effective date constraint on a grant of the role to a grantee, the second effective date constraint having a start date and an end date; storing data in a database that represents a third effective date constraint on the grantee, the third effective date constraint having a start date and an end date; and computing a net effective date constraint for the role by computing the intersection of the first effective date constraint, the second effective date constraint, and the third effective date constraint.
    Type: Application
    Filed: May 27, 2009
    Publication date: December 2, 2010
    Inventors: Rafae Bhatti, Janaki Narasinghanallur, Thomas Keefe, Vikram Pesati
  • Patent number: 7761704
    Abstract: One embodiment of the present invention provides a system that can expire encrypted-data. During operation, the system receives an expiry-request that includes object-identifying information, which can be used to identify a set of database objects that contain the encrypted-data, wherein a database object can be a table, a partition, a row, or a column in a row. Furthermore, a database object can have an expiration time, and it can be stored in an archive, which is typically used to store large amounts of data for long periods using a slower, but cheaper storage medium than the storage medium used by the database. The system then identifies a set of keys for the encrypted-data using the object-identifying information. Next, the system deletes the set of keys, thereby expiring the encrypted-data. Note that, deleting the set of keys ensures that the secure key repository does not contain any stale keys associated with expired encrypted-data.
    Type: Grant
    Filed: March 17, 2005
    Date of Patent: July 20, 2010
    Assignee: Oracle International Corporation
    Inventors: Min-Hank Ho, Daniel ManHung Wong, Chon Hei Lei, Thomas Keefe