Austin W Jennings

US Patent:

8631482, Jan 14, 2014

Filed:

May 28, 2010

Appl. No.:

12/790451

Inventors:

Ivan Krstic - Sunnyvale CA, US
Austin G. Jennings - Santa Clara CA, US
Jacques Anthony Vidrine - San Francisco CA, US

Assignee:

Apple Inc. - Cupertino CA

International Classification:

H04L 29/06

US Classification:

726 10, 726 2, 726 27

Abstract:

A resource manager of an operating system of a data processing system receives a first request from a first program for a ticket for accessing at least one of resources of the data processing system. In response to the first request, the resource manager determines whether the first program is entitled to access the resource. The ticket for accessing the resource is issued to the first program if the first program is entitled to access the resource. The ticket can be used by a second program to obtain rights to access the resource by acquiring the ticket from the first program, where the second program would not otherwise be entitled to access the resource based on a security profile associated with the second program.

US Patent:

20120185863, Jul 19, 2012

Filed:

Jan 14, 2011

Appl. No.:

13/007472

Inventors:

Ivan Krstic - Sunnyvale CA, US
Austin G. Jennings - Santa Clara CA, US
Richard L. Hagy - Montara CA, US

Assignee:

APPLE INC. - Cupertino CA

International Classification:

G06F 9/50

US Classification:

718104

Abstract:

In response to a request for launching a program, a list of one or more application frameworks to be accessed by the program during execution of the program is determined. Zero or more entitlements representing one or more resources entitled by the program during the execution are determined. A set of one or more rules based on the entitlements of the program is obtained from at least one of the application frameworks. The set of one or more rules specifies one or more constraints of resources associated with the at least one application framework. A security profile is dynamically compiled for the program based on the set of one or more rules associated with the at least one application framework. The compiled security profile is used to restrict the program from accessing at least one resource of the at least one application frameworks during the execution of the program.

US Patent:

20130283344, Oct 24, 2013

Filed:

Jun 19, 2013

Appl. No.:

13/922188

Inventors:

Austin G. Jennings - Santa Clara CA, US
Richard L. Hagy - Montara CA, US

International Classification:

G06F 21/10

US Classification:

726 1

Abstract:

In response to a request for launching a program, a list of one or more application frameworks to be accessed by the program during execution of the program is determined. Zero or more entitlements representing one or more resources entitled by the program during the execution are determined. A set of one or more rules based on the entitlements of the program is obtained from at least one of the application frameworks. The set of one or more rules specifies one or more constraints of resources associated with the at least one application framework. A security profile is dynamically compiled for the program based on the set of one or more rules associated with the at least one application framework. The compiled security profile is used to restrict the program from accessing at least one resource of the at least one application frameworks during the execution of the program.

US Patent:

20210397716, Dec 23, 2021

Filed:

Nov 6, 2020

Appl. No.:

17/092030

Inventors:

- Cupertino CA, US
Nikolaj Schlej - Deggendorf, DE
Thomas P. Mensch - Sunnyvale CA, US
Wade Benson - San Jose CA, US
Jerrold V. Hauck - Windermere FL, US
Josh P. de Cesare - Los Gatos CA, US
Austin G. Jennings - San Jose CA, US
John J. Dong - San Jose CA, US
Robert C. Graham - San Jose CA, US
Jacques Fortier - San Francisco CA, US

International Classification:

G06F 21/57
G06F 21/72
H04L 9/32
G06F 9/4401
H04L 9/08
H04L 29/06
G06F 21/73

Abstract:

Techniques are disclosed relating to securing computing devices during boot. In various embodiments, a secure circuit of a computing device generates for a public key pair and signs, using a private key of the public key pair, configuration settings for an operating system of the computing device. A bootloader of the computing device receives a certificate for the public key pair from a certificate authority and initiates a boot sequence to load the operating system. The boot sequence includes the bootloader verifying the signed configuration settings using a public key included in the certificate and the public key pair. In some embodiments, the secure circuit cryptographically protects the private key based on a passcode of a user, the passcode being usable by the user to authenticate to the computing device.

US Patent:

20160357950, Dec 8, 2016

Filed:

Jan 19, 2016

Appl. No.:

15/001085

Inventors:

- Cupertino CA, US
Austin G. Jennings - Santa Clara CA, US

International Classification:

G06F 21/12
G06F 21/57

Abstract:

According to one embodiment, a security manager of a first operating system executed by a processor of a data processing system receives a request received from an application to modify a security settings of the data processing system. In response to the request, the data processing system is restarted into a second operating system, where the second operating system includes functionalities that are fewer than the first operating system. The security settings of the data processing system is modified within the second operating system. After the security settings of the data processing system has been modified, the data processing is rebooted back to the first operating system. A security measure within the first operating system is enforced based on the modified security settings.

US Patent:

20160357983, Dec 8, 2016

Filed:

Oct 2, 2015

Appl. No.:

14/874224

Inventors:

- Cupertino CA, US
Austin G. Jennings - Santa Clara CA, US

International Classification:

G06F 21/62
G06F 9/54

Abstract:

Techniques for restricting access to a storage volume attached to a data processing system are described. In one embodiment, a storage management and access control logic in the data processing system can receive a message indicating the attachment of a storage volume. The logic can apply access restrictions to the storage volume by creating an association between a restricted resource class and the storage volume to limit programmatic access to the storage volume. An evaluation of the storage volume can be requested and based on the result of the evaluation the access restrictions can be removed or retained on the storage volume.

US Patent:

20160321471, Nov 3, 2016

Filed:

Mar 4, 2016

Appl. No.:

15/060837

Inventors:

- Cupertino CA, US
Austin G. Jennings - Santa Clara CA, US
Richard L. Hagy - Montara CA, US

International Classification:

G06F 21/62
G06F 21/10
G06F 21/51

Abstract:

In response to a request for launching a program, a list of one or more application frameworks to be accessed by the program during execution of the program is determined. Zero or more entitlements representing one or more resources entitled by the program during the execution are determined. A set of one or more rules based on the entitlements of the program is obtained from at least one of the application frameworks. The set of one or more rules specifies one or more constraints of resources associated with the at least one application framework. A security profile is dynamically compiled for the program based on the set of one or more rules associated with the at least one application framework. The compiled security profile is used to restrict the program from accessing at least one resource of the at least one application frameworks during the execution of the program.

US Patent:

20150347774, Dec 3, 2015

Filed:

May 30, 2014

Appl. No.:

14/292705

Inventors:

- Cupertino CA, US
Pierre-Olivier J. Martel - Mountain View CA, US
Austin G. Jennings - Santa Clara CA, US

Assignee:

Apple Inc. - Cupertino CA

International Classification:

G06F 21/62
G06F 9/50
G06F 21/44

Abstract:

Techniques for access control of a data processing system are described. In one embodiment, in response to a request from an application for accessing a resource of a data processing system, it is determined a first class of resources the requested resource belongs. A second class of resources the application is entitled to access is determined based on a resource entitlement encoded within the application and authorized by a predetermined authority. The application is allowed to access the resource if the first class and the second class of resources are matched. The application is denied from accessing the resource if the first class and the second class are not matched, regardless an operating privilege level of the application.