Protection domains to provide security in a computer system
Abstract
A method and apparatus are provided for maintaining and enforcing security rules using protection domains. As new code arrives at a computer, it is assigned to a protection domain based on the source from which the code is received. The protection domain establishes the permissions that apply to the code. In embodiments where the code to be executed by the computer belongs to object classes, an association is established between the protection domains and the classes of objects. When an object requests an action, a determination is made as to whether the action is permitted based on the class to which the object belongs and the association between classes and protection domains.
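The flow the abstract describes (source of code selects a protection domain, the class is bound to that domain, and a requested action is checked through the class), as an added illustration that is not code from the patent or its assignee. The names ProtectionDomain, DomainMapping, the permission strings and the example.test URLs are assumptions constructed for this sketch, as is the choice that unknown sources and unregistered classes fall into a domain with zero permissions.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass(frozen=True)
class ProtectionDomain:
    name: str
    permissions: frozenset = frozenset()  # "zero or more permissions"

SANDBOX = ProtectionDomain("sandbox")  # assumed default: no permissions
TRUSTED = ProtectionDomain("trusted", frozenset({"file.read", "net.connect"}))

class DomainMapping:
    """Hypothetical mapping object: code source -> domain, class -> domain."""

    def __init__(self, default):
        self._default = default
        self._by_source = {}  # (scheme, host) -> ProtectionDomain
        self._by_class = {}   # class -> ProtectionDomain

    @staticmethod
    def _origin(url):
        parts = urlsplit(url)  # scheme and hostname come back lowercased
        return parts.scheme, (parts.hostname or "")

    def add_source(self, url, domain):
        self._by_source[self._origin(url)] = domain

    def define_class(self, cls, source_url):
        # New code arrives: its domain is chosen from where it came from.
        domain = self._by_source.get(self._origin(source_url), self._default)
        self._by_class[cls] = domain
        return domain

    def is_permitted(self, obj, permission):
        # Exact class lookup; unregistered classes get the default domain.
        domain = self._by_class.get(type(obj), self._default)
        return permission in domain.permissions

class Report: pass   # constructed sample classes
class Applet: pass
class Unknown: pass

def demo():
    m = DomainMapping(default=SANDBOX)
    m.add_source("https://intranet.example.test/", TRUSTED)
    m.define_class(Report, "https://Intranet.Example.test/lib/report.py")
    m.define_class(Applet, "http://intranet.example.test/applet.py")  # scheme differs
    return {
        "report_read": m.is_permitted(Report(), "file.read"),
        "report_exec": m.is_permitted(Report(), "proc.exec"),
        "applet_read": m.is_permitted(Applet(), "file.read"),
        "unknown_read": m.is_permitted(Unknown(), "file.read"),
    }
```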
24 Claims
1. A method for providing security, the method comprising the steps of:
- establishing one or more protection domains, wherein a protection domain is associated with zero or more permissions;
- establishing an association between said one or more protection domains and one or more classes of one or more objects; and
- determining whether an action requested by a particular object is permitted based on said association between said one or more protection domains and said one or more classes.
(Dependent claims: 2, 3, 4, 5, 6)

7. A method of providing security, the method comprising the steps of:
- establishing one or more protection domains, wherein a protection domain is associated with zero or more permissions;
- establishing an association between said one or more protection domains and one or more sources of code; and
- in response to executing code making a request to perform an action, determining whether said request is permitted based on a source of said code making said request and said association between said one or more protection domains and said one or more sources of code.
(Dependent claims: 8, 9)

10. A computer-readable medium carrying one or more sequences of one or more instructions, the one or more sequences of the one or more instructions including instructions which, when executed by one or more processors, causes the one or more processors to perform the steps of:
- establishing one or more protection domains, wherein a protection domain is associated with zero or more permissions;
- establishing an association between said one or more protection domains and one or more classes of one or more objects; and
- determining whether an action requested by a particular object is permitted based on said association between said one or more protection domains and said one or more classes.
(Dependent claims: 11, 12, 13, 14, 15)

16. A computer-readable medium carrying one or more sequences of one or more instructions, wherein the execution of the one or more sequences of the one or more instructions causes the one or more processors to perform the steps of:
- establishing one or more protection domains, wherein a protection domain is associated with zero or more permissions;
- establishing an association between said one or more protection domains and one or more sources of code; and
- in response to executing code making a request to perform an action, determining whether said request is permitted based on a source of said code making said request and said association between said one or more protection domains and said one or more sources of code.
(Dependent claims: 17, 18)

19. A computer system comprising:
- a processor;
- a memory coupled to said processor;
- one or more protection domains stored as objects in said memory, wherein each protection domain is associated with zero or more permissions;
- a domain mapping object stored in said memory, said domain mapping object establishing an association between said one or more protection domains and one or more classes of one or more objects; and
- said processor being configured to determine whether an action requested by a particular object is permitted based on said association between said one or more protection domains and said one or more classes.
(Dependent claims: 20, 21, 22, 23, 24)

Specification