Methods for restricting resources used by a program based on entitlements
    21.
    Granted invention patent
    Status: in force

    Publication (announcement) number: US09280644B2

    Publication (announcement) date: 2016-03-08

    Application number: US13922188

    Filing date: 2013-06-19

    Applicant: Apple Inc.

    Abstract: In response to a request for launching a program, a list of one or more application frameworks to be accessed by the program during execution of the program is determined. Zero or more entitlements representing one or more resources entitled by the program during the execution are determined. A set of one or more rules based on the entitlements of the program is obtained from at least one of the application frameworks. The set of one or more rules specifies one or more constraints of resources associated with the at least one application framework. A security profile is dynamically compiled for the program based on the set of one or more rules associated with the at least one application framework. The compiled security profile is used to restrict the program from accessing at least one resource of the at least one application framework during the execution of the program.

    METHODS FOR RESTRICTING RESOURCES USED BY AN APPLICATION BASED ON A BASE PROFILE AND AN APPLICATION SPECIFIC PROFILE
    22.
    Invention patent application
    Status: in force

    Publication (announcement) number: US20150347746A1

    Publication (announcement) date: 2015-12-03

    Application number: US14292712

    Filing date: 2014-05-30

    Applicant: Apple Inc.

    CPC classification number: G06F21/53 G06F21/6218 G06F2221/03 G06F2221/034

    Abstract: In response to a request for launching an application within an operating system of a data processing system, one or more extended entitlements are extracted from the application, where the one or more extended entitlements specify one or more resources the application is entitled to access. One or more security profile extensions corresponding to the one or more extended entitlements are dynamically generated. A security profile specifically for the application is created based on the one or more security profile extensions and a base security profile that has been previously compiled, where the base security profile specifies a list of a plurality of base resources. The application is then launched in a sandboxed operating environment that is configured based on the security profile specifically generated for the application.

    Dynamic service discovery
    23.
    Granted invention patent
    Status: in force

    Publication (announcement) number: US09189300B2

    Publication (announcement) date: 2015-11-17

    Application number: US14179966

    Filing date: 2014-02-13

    Applicant: Apple Inc.

    Abstract: When an application is launched, a framework scanning module scans a plurality of frameworks linked against by the application to generate a list of available services. When the application makes a request of a particular service, a service verification module compares the requested service to the list of available services and if the requested service is found in the list of available services, sends a signal to the application, the signal allowing access to the requested service for the application. Otherwise, access to the requested service is denied.
