Data processing: software development – installation – and managem – Software program development tool – Editing
Reexamination Certificate
2001-03-23
2004-09-14
Zhen, Wei (Department: 2122)
Data processing: software development, installation, and managem
Software program development tool
Editing
Reexamination Certificate
active
06792596
ABSTRACT:
DETAILED DESCRIPTION OF THE INVENTION
The present invention relates to a program editing method for protecting a program that controls a resource and for preventing the program from being called by a malevolent program.
BACKGROUND ART
Java has a unique programming environment that permits a plurality of programs to be loaded into and executed by a single Java VM. Therefore, a mechanism is required to prevent a program that controls certain resources and that must be protected (hereinafter referred to as a program A) from being called by a malevolent program (hereinafter referred to as a program M). The program A for which protection is required is, for example, a system class group (e.g., java.io.FilelnputStream) for accessing a local file, a class for managing privacy information relating to a user, or a class that has the authority to call a system class when a signature is provided for the program A.
Generally, the following two methods are employed as means for hiding a program A from a program M during its execution. The first method is a method for separating a class loader when the program A and the program M are separate applications. All Java code is constituted by a class file for each class unit, and when a class is requested, it is dynamically loaded by the class loader. The class loader examines the principle of the pertinent class to determine whether or not it should be loaded.
The second method is a method by which a stack inspection is performed to test the principle of the program M if the program A is a system class. However, according to the method for separating class loaders, if the program A and the program M are placed on the same web page (in the same directory), the program M can employ the class loader provided for the program A, so that any limitations imposed on access are nullified. According to the method for conducting a stack inspection, a stack inspection can not be performed for a program A having a signature that provides the authority necessary for an access, or a class that is loaded from a local file.
The means (static access control) for protecting a program A before the execution is, for example, a method for employing a name scope to limit an access. The name scope is what is declared by a field or a method to define the visibility of a field or a method. In accordance with the declared name, references (accesses) by another program can be controlled. For example, the “private” scope can not be directly referred to by other programs, while the “public” scope can. Further, the “package” scope can not be referred to by programs outside the package of the field and the method for which the package scope is declared.
When the name scope is to be employed, it is guaranteed that a field or a method that is declared private will not be directly accessed by another program. Therefore, when a program A is declared to be private, accesses by the program M can be prevented. However, so long as a program consists of a plurality of classes and interaction among these classes is present, not all the fields and methods can be declared private, and the scope of some of the fields and methods must be the package scope or a higher scope (protected or public).
In accordance with Java programs up to JDK 1.2.1, an arbitrary program M can freely declare its package as constituting the package scope (it should be noted that a package name should fall within the effective name range for the package). Therefore, a so-called “Package Joining Attack” occurs when a program M declares its package using the same name as is used by a program A, and joins the package of the program A. That is, while the names of the methods and fields in different packages can be prevented from erroneously colliding with each other, for security, it can not be used as an access control mechanism.
Since the One-Package-One-Principal Policy, according to which only one signatory is allocated for one package is employed in the JDK 1.2.2, a program M without a signature can not join the same package as a program A which has a signature. Therefore, in the signed program, the field or the method that is declared as a package is not accessed by a malevolent program. Thus, for security, the package scope can function to limit access.
PROBLEMS TO BE SOLVED BY THE INVENTION
As is described above, a static access control means that employs a name scope can effectively function as a Java mechanism for preventing a program A, which controls a resource and which must be protected, from being called by a malevolent program M. However, for security, this mechanism only works when the program A is declared to be private, or when the signed program A is declared to be a package. Thus, security is still not provided for the class, the fields or the methods with the protected scope or the public scope.
Most non-trivial Java programs consist of a plurality of packages, and for interaction among the packages, some of the classes, the fields or the methods must be declared as being public. Therefore, in such a program, access control using the private scope or the package scope can not be effectively utilized.
It is, therefore, one object of the present invention to edit a Java program by effectively utilizing the access control using a name scope, so that a program that controls a resource and is to be protected can be prevented from being called by a malevolent program.
It is another object of the present invention to edit a program written in a programming language that implements an access control process based on the same concept as the package scope of Java, so that a program that controls a resource and is to be protected can be prevented from being called by a malevolent program.
SUMMARY OF THE INVENTION
To achieve the above objects, in accordance with the present invention a method is provided for editing a program written in an object oriented programming language that satisfies two conditions, a condition according to which a program includes the concept of a package that controls visibility of local names, and a condition according to which a program includes an access control system for obtaining an access authority based on “principal (identity of person or entity that developed or deployed the program)” information provided to specify the references of an access requester, the method comprising: a package name replacement step of replacing package names allocated for a plurality of classes that constitute an application program having a single package name; a data attribute change step of changing an attribute of internal fields of the classes that are not referred to by a source outside the application program, so as to accept an access request for a reference from the same package; and an access authority provision step of providing an access authority that is based on the principal information for the application program that has been processed at the package name replacement step and the data attribute change step. With this arrangement, except for a method or a variable among the system classes that is externally referred to, the fields in the package can not be accessed by a program without the same access authority as the application program. Since the one-package-one-principal policy is employed, the fields can not be accessed by a requestor outside the application program, and external illegal accesses can be prevented.
The program editing method further comprises: a class name changing step of changing the class name of a specific class of the application program when as a result of the package name replacement step the specific class has a name collision. This arrangement is preferable because single packaging of the application program can be performed even when a class having the same class name is present in a different package.
At the class name changing step, in order to change the class name of the specific class, a new class name is generated by using a character string that is employed for the package name of the package, before the package is changed at the package name
Kojima Hisashi
Maruyama Hiroshi
Clay A. Bruce
International Business Machines - Corporation
Kendall Chuck
Yee & Associates P.C.
Zhen Wei
LandOfFree
Method and system for protecting resource central programs does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Method and system for protecting resource central programs, we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Method and system for protecting resource central programs will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-3250810