Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1998-10-15
2004-02-10
Sheikh, Ayaz (Department: 2131)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
C717S116000
Reexamination Certificate
active
06691230
ABSTRACT:
BACKGROUND OF THE INVENTION
1. Technical Field
The present invention relates in general to data processing systems and in particular to data processing systems utilizing Java applets with a Java-enabled internet browser. More particularly, the present invention relates to utilization of Java applets, retrieved from an internet site, on a user's machine. Still more particularly, the present invention relates to extension of a pre-defined “sandbox” for use with Java applets on a user's machine.
2. Description of the Related Art
Java™ (“Java”) is a programming language developed by Sun Microsystems, of Mountain View, Calif. Java's portability, security, and intrinsic distributed programming support features make this language useful for Internet programming. The Internet and the World Wide Web allows access by virtually any operating system, thus requiring construction of Internet and Web sites utilizing a programming language that is operating system independent. Java is a totally object-oriented, operating system independent programming language which achieves architectural independence by compiling source code into its own intermediate representation. Java source code is not compiled into any particular machine code, but is translated into code for a virtual machine specifically designed to support Java's features. A Java interpreter or a Java-enabled browser then executes the translated code. While Java source code must be compiled, no link step is required since the Java interpreter dynamically links the translated code at run time.
FIG. 2
illustrates how Java™ achieves operating system independence utilizing the Java Virtual Machine (“JVM”)
202
. JVM
202
resides on host operating system
204
, functioning within hardware
206
, and all Java applications
200
run on top of JVM
202
. Operating system
204
may include Windows™, an operating system of Microsoft, Inc. of Redmond Wash.; MAC™ OS, an operating system of Apple Computer Corporation of San Jose, Calif., and other suitable operating systems. JVM
202
buffers Java applications
200
from system differences and creates a virtual machine (data processing system) that is constant between various systems.
Java became popular for use on Internet and World Wide Web sites because of the popularity and utility of the Internet. Many different operating systems are capable of accessing web sites through browsers such as Netscape™ and Internet Explorer™, products of Netscape, Inc. of San Jose, Calif. and Microsoft Corporation, Redmond, Wash., respectively. Therefore, the Internet and web sites have to be accessible by browsers that use different operating systems and languages.
Java applets are operating system-independent programs that may be downloaded, via the Internet, to a disk drive and executed on a user's data processing system. To protect the user's data processing system (“computer”), the designers of Java have defined a “sandbox;” a set of restrictions and an area on the disk within which the downloaded applet is allowed to operate. Applets within a sandbox, generally, are not permitted to access the computer file system, they may only initiate network connections to the computer from which they were downloaded. The restrictions, provided by Java's security model, protect the user from downloaded hostile code.
FIG. 3
depicts a high-level block diagram of a conventional security process in a data processing system. Security problems are intensified when binary code is downloaded to a data processing system. Binary code is not as easy to inspect as interpreted languages, such as Java. As indicated, data processing system
300
includes security manager
304
installed as a barrier/filter between remote (downloaded) code
308
and operating system
302
. Local code
306
, or applications that are resident on data processing system
300
, are not filtered by security manager
304
. Generally, users rely on security measures that may not have been updated and may not adequately protect the machine. Also, the security of a user's machine depends on the user to perform the security scan (virus scan) and the user relies on the adequacy of the scanning software.
FIG. 4
illustrates a high-level block diagram for a typical security procedure for a Java Virtual Machine operating in a data processing system. In data processing system
400
, Java Virtual Machine (JVM)
404
resides on the host operating system
402
. JVM
404
permits multiple class loaders
408
and
412
, to be active simultaneously. Class loader
408
, loads local classes from JDK (Java Developer Kit)
410
created by Java applications on the local operation system. Applet class loader
412
loads remote, or downloaded, classes.
In Java, both unsafe (untrusted) byte code
416
and safe byte code
418
are loaded through byte code verifier
414
. All Java source code is compiled into operating system independent byte-code. As indicated, local Java source code
422
compiled through Java compiler
420
resulting in “safe” byte code must be verified through byte code verifier
414
. JVM
404
will only execute code that passes byte code verifier
414
.
As a Java applet or program starts up it makes a request to the Java security manager for specific privileges. The security manager determines if the privileges are to be granted and if so, they are stored on the program's stack as a series of approved capabilities. The Java system library will check the stack looking for these capabilities before performing any security-critical actions. The combination of the Java class loader, the byte-code verifier, and the language design itself assures that an applet cannot simply access memory or restricted areas on the disk drive.
The Java applet sandbox has been successful in establishing a level of trust in network computing, but it has also put narrow limits on what may be done for users with applets. With the development of electronic commerce and other Internet based transactions, the sandbox becomes too restrictive and means to extend it in a secure fashion are needed.
It would be desirable, therefore, to provide a method and apparatus that would provide a sandbox that is securely extendable on a user's machine. Also, it would be desirable to provide various levels of restriction defining various modalities of access.
SUMMARY OF THE INVENTION
It is therefore one object of the present invention to extend the Java applet sandbox that may be available on a user's disk drive.
It is yet another object of the present invention to allow applets to permit applet data on the disk drive after an applet execution has terminated.
It is a further object of the present invention to provide more than one set of restrictions to define different levels of access.
The foregoing objects are achieved as is now described. A Java applet sandbox, provided by restrictions originally set by the manufacturer of a Java enabled Internet browser, may be securely extended by introducing the notion of public and private client storage. In addition to the sandbox, users are given means of declaring a portion of the user machine's disk space as “public.” The public disk space is accessible to executing applets and is installed in addition to the standard sandbox. The modality of access may be defined with various levels of restriction by the user within the security manager. Restriction levels of the public space may range from clearing (from the Public space) any data left after the applet has terminated, to allowing an executable applet to be moved into the private area on the user's disk drive.
The above as well as additional objects, features, and advantages of the present invention will become apparent in the following detailed written description.
REFERENCES:
patent: 5974549 (1999-10-01), Golan
patent: 6044467 (2000-03-01), Gong
patent: 6125447 (2000-09-01), Gong
patent: 6167522 (2000-12-01), Lee et al.
patent: 6275938 (2001-08-01), Bond et al.
patent: 6321334 (2001-11-01), Jerger et al.
L. Gong (Dec. 1997) Going Beyond t
Baum Ronald
Bracewell & Patterson L.L.P.
International Business Machines - Corporation
Leeuwen Leslie A. Van
Sheikh Ayaz
LandOfFree
Method and system for extending Java applets sand box with... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Method and system for extending Java applets sand box with..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Method and system for extending Java applets sand box with... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-3287864