Trust model for a database management system supporting multiple authorization domains
    1.
    Granted invention patent
    Status: in force

    Publication number: US07743255B2

    Publication date: 2010-06-22

    Application number: US11156149

    Application date: 2005-06-17

    CPC classification number: G06F21/6227

    Abstract: A database management system that supports multiple databases in an instance with controlled sharing between the databases. The invention can also support execution of procedures and other modules in the context of any principal possibly different from that of the caller. Trusted certificates can be employed to permit access to procedures (or other modules). The security context of the invention can enable the building blocks of building a pure trusted sub-system model of authorization.


    Security execution context for a database management system
    2.
    Invention patent application
    Status: in force

    Publication number: US20070005600A1

    Publication date: 2007-01-04

    Application number: US11170585

    Application date: 2005-06-29

    CPC classification number: G06F21/629 G06F21/6218 G06F2221/2145

    Abstract: A database management system that supports multiple databases in an instance with controlled sharing between the databases. The invention can also support execution of procedures and other modules in the context of any principal possibly different from that of the caller. Trusted certificates can be employed to permit access to procedures (or other modules). The security context of the invention can enable the building blocks of building a pure trusted sub-system model of authorization.


    Security execution context for a database management system
    3.
    Granted invention patent
    Status: in force

    Publication number: US07747597B2

    Publication date: 2010-06-29

    Application number: US11170585

    Application date: 2005-06-29

    CPC classification number: G06F21/629 G06F21/6218 G06F2221/2145

    Abstract: A database management system that supports multiple databases in an instance with controlled sharing between the databases. The invention can also support execution of procedures and other modules in the context of any principal possibly different from that of the caller. Trusted certificates can be employed to permit access to procedures (or other modules). The security context of the invention can enable the building blocks of building a pure trusted sub-system model of authorization.


    Trust model for a database management system supporting multiple authorization domains
    4.
    Invention patent application
    Status: in force

    Publication number: US20060288214A1

    Publication date: 2006-12-21

    Application number: US11156149

    Application date: 2005-06-17

    CPC classification number: G06F21/6227

    Abstract: A database management system that supports multiple databases in an instance with controlled sharing between the databases. The invention can also support execution of procedures and other modules in the context of any principal possibly different from that of the caller. Trusted certificates can be employed to permit access to procedures (or other modules). The security context of the invention can enable the building blocks of building a pure trusted sub-system model of authorization.


    Specification of a hierarchical authorization model for a DBMS - SQL language extensions
    5.
    Invention patent application
    Status: in force

    Publication number: US20060282433A1

    Publication date: 2006-12-14

    Application number: US11151998

    Application date: 2005-06-14

    Abstract: Provided are systems and methods that facilitate providing permission to entities of a database. A system includes a component that authorizes a principal of a containing entity to grant a permission to that entity, and a component that grants the permission to the containing entity, the grantee of the permission inherits a set of permissions to one or more entities contained by the containing entity. When a permission is granted to a parent in a hierarchy of a relational database, the permission is inherited by the child nodes. Also provided is a method for transferring ownership of entities in a relational database. The method includes a two-part handshake that can be audited to avoid repudiation issues.


    Specification of a hierarchical authorization model for a DBMS—SQL language extensions
    7.
    Granted invention patent
    Status: in force

    Publication number: US07613711B2

    Publication date: 2009-11-03

    Application number: US11151998

    Application date: 2005-06-14

    Abstract: Provided are systems and methods that facilitate providing permission to entities of a database. A system includes a component that authorizes a principal of a containing entity to grant a permission to that entity, and a component that grants the permission to the containing entity, the grantee of the permission inherits a set of permissions to one or more entities contained by the containing entity. When a permission is granted to a parent in a hierarchy of a relational database, the permission is inherited by the child nodes. Also provided is a method for transferring ownership of entities in a relational database. The method includes a two-part handshake that can be audited to avoid repudiation issues.


    Systems and methods that optimize row level database security
    8.
    Granted invention patent
    Status: in force

    Publication number: US07661141B2

    Publication date: 2010-02-09

    Application number: US10885815

    Application date: 2004-07-07

    CPC classification number: G06F21/6227

    Abstract: The systems and methods of the present invention facilitate database row-level security by utilizing SQL extensions to create and associate named security expressions with a query initiator(s). Such expressions include Boolean expressions, which must be satisfied by a row of data in order for that data to be made accessible to the query initiator. In general, a query is augmented with security expressions, which are aggregated and utilized during querying rows of data. The systems and methods variously place security expressions within a query in order to optimize query performance while mitigating information leaks. This is achieved by tagging security expressions as special and utilizing rules of predicate to pull or push non-security expressions above or below security expressions, depending on the likelihood of a non-security being safe, as determined via a static and/or dynamic analysis.


    Systems and methods that specify row level database security
    9.
    Granted invention patent
    Status: in force

    Publication number: US07711750B1

    Publication date: 2010-05-04

    Application number: US10903338

    Application date: 2004-07-30

    CPC classification number: G06F21/6227 Y10S707/99933 Y10S707/99939

    Abstract: The present invention specifies database security at a row level and, optionally, at a column and table level. The systems and methods cluster one or more sets of rows with similar security characteristics and treat them as a named expression, wherein clustered data is accessed based on associated row-level security. The systems and methods specify a syntax that invokes row(s), column(s) and/or table(s) security via programming statements. Such statements include arbitrary Boolean expressions (predicates) defined over, but not restricted to table columns and/or other contextual data. These statements typically are associated with query initiators, incorporated into queries therefrom, and utilized while querying data. Rows of data that return “true” when evaluated against an aggregate of associated security expressions are said to “satisfy” the security expressions and enable access to the data stored therein. Such security expressions can be created and invoked via the Structured Query Language (SQL) database programming language.


    Systems and methods for fine grained access control of data stored in relational databases
    10.
    Granted invention patent
    Status: in force

    Publication number: US07599937B2

    Publication date: 2009-10-06

    Application number: US11696024

    Application date: 2007-04-03

    Abstract: A system and method for facilitating secure access to database(s) is provided. The system relates to authorizing discriminatory access to relational database data. More particularly, the invention provides for an innovative technique of defining secured access to rows in relational database tables in a way that cannot be spoofed while preserving various optimization techniques. The invention affords a persistent scheme via providing for a security architecture whereby discriminatory access policies on persistent entities can be defined and enforced while preserving set based associative query capabilities. A particular aspect of the invention relates to the specification of such policies and the technique by which those policies are enforced. With respect to one particular implementation of the invention, creation, modification and deletion of access control lists called security descriptors is provided. The security descriptors can be provisioned independent of rows in tables of the database and can be shared and embody the policy on what permissions are granted to whom when associated with a row.

