Reexamination Certificate
Filed: 1998-10-07
Issued: 2001-11-13
Examiner: Chaki, Kakali (Department: 2122)
Data processing: software development, installation, and management
Software program development tool
Translation of code
C717S152000, C713S152000, C709S225000, C709S246000
Status: active
Patent number: 06317868
ABSTRACT:
FIELD OF THE INVENTION
This invention generally pertains to managing computer programs executing on a network, and more specifically, to enforcing and auditing site-specific security provisions on software components of programs.
BACKGROUND OF THE INVENTION
Access to the Internet and to other computers has greatly increased the exposure of computers to software components of unknown and uncontrolled origin. When executed, these components from potentially untrusted sources may violate site-specific policies relating to security and access control. It is therefore important to provide a mechanism for handling the execution of such software components without unduly restricting their functionality.
Dynamically linked libraries, Java applets, and Active-X controls are good examples of software components that are widely used in modern computer systems and which often do not originate on a local, trusted computer, but instead are downloaded over a wide area network or, as is even more frequently the case, over the Internet. Typically, these software components execute only with the security services that are native to the particular software component system or the operating system that hosts the software components. However, the conventional environment or operating system in which these components are executed typically does not provide adequate security services for enforcing security on tightly integrated software components. For example, Active-X controls currently have no security constraints enforced upon them and normally execute with the same privileges as the program that loaded them.
While some component systems may allow a programmer to integrate fine-grained security enforcement into a software component while the component is being developed, it is generally not possible to access the component's source code to make changes to the security features at the site where the software component is later actually being used. Such changes may be particularly important if the security policy at the site where the component is used is substantially incompatible with that originally programmed into the component. However, the prior art does not provide any practical technique for making changes to the security policy implemented in such a component.
It would clearly be desirable to provide security administrators with a mechanism allowing them to control and observe the behavior of software components derived from a different source in regard to security and access issues. The control and observation of these components should thus be independent of the origin of the component, and independent of the security services of the hosting component system or operating system used to execute the software component. Further, it would be desirable for this mechanism to interpose access control checks, protection domain transfers, and auditing onto software component operations in a transparent manner that does not otherwise affect the functionality and execution of the software components. The auditing may encompass instrumenting the software components to provide information relating to the execution of the component as thus modified. Such information might provide an indication of the efficiency of the software component in completing a function, or the processor overhead that the software component creates, or indicate the number of times that it calls a routine, etc. The mechanism providing these functions should also separate the enforcement and auditing of the security policy from the actual site-specific security policy. By doing so, the approach should be appropriate for use in environments that rely on potentially insecure software components, as well as for use in environments in which security policies frequently change.
SUMMARY OF THE INVENTION
In accordance with the present invention, a method is defined for modifying a software component to conform to predefined security and access policies, which may include collecting measurement information related to the execution of the software component. These security and access policies may be specific to a site and applied generally by a server to software executing on any computer on a network on which the server is disposed, or may be specific to a single computer and applied by the computer to software prior to execution of the software on the computer.
The method includes the steps of providing a set of security and access policies that may be applicable during the execution of the software component; and analyzing the software component prior to its execution, to determine if any of the security and access policies are indeed applicable to the software component. The software component is then modified as necessary to conform to the security and access policies, producing a modified software component. Finally, the security and access policies are enforced on the modified software component during its execution on the computer.
The step of analyzing preferably includes the step of parsing code comprising the software component to determine abstractions or object types supported thereby, and the operations of the abstractions or object types. Any authorization information for the software component is determined and, based on the abstractions or object types, the operations of the abstractions or object types, and the authorization information, each security policy that is applicable to the software component is determined. The operations that require an access control check, a protection domain transfer, or auditing are also preferably determined.
The step of modifying comprises the steps of adding security initialization code to the software component, and imposing security operations on the software component consistent with the security and access policies. These security operations indicate how to associate component system objects with security identifiers, and when and how to perform access checks, protection domain transfers, and auditing. Note that as used in this specification and in the claims that follow, the following definitions apply: a “security identifier” is a token uniquely assigned to subjects, objects, or access modes in the system; the term “subjects” corresponds to users or groups of users; the term “objects” corresponds to system resources; and the term “access modes” corresponds to operations that a subject may perform on an object.
If the set of security and access policies is revised, the method further includes the step of changing the modified software component to provide a new modified software component that incorporates changes consistent with the revised set of security and access policies.
Preferably, a user who is executing the modified software component is authenticated before the software component is enabled to be executed. During execution of the software component, if a new thread of control is detected, a security identifier for a subject is identified, and an association between the subject and its security identifier is registered to facilitate enforcement of the security and access policies.
The step of enforcing the security and access policies includes the step of invoking an enforcement service before the software component is executed. This enforcement service determines whether it must associate a component system object with a security identifier, and if so, establishes an association between the component system object and the security identifier.
The enforcement service also determines whether access checks should be performed on the modified software component prior to permitting it to execute. If the access checks are not successful, the enforcement service precludes the modified software component from executing. The enforcement service determines whether a protection domain transfer is required, and if so, determines a new security identifier for a subject.
An audit record is preferably created during the execution of the modified software component. The software component may also be modified to instrument it so that it enables information relating to the execu
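The analysis, modification and enforcement steps described above, as an added illustration that is not the patent's own code and not a claimed embodiment: a toy component (constructed here as Python source) is parsed, every operation on an abstraction the site policy names is rewritten to go through an interposed enforcement call, security initialization code that registers the thread's subject is inserted, and an enforcement service performs the access check, an optional protection domain transfer and auditing at run time. The component, the stub `fs`/`net` objects, the policy table, the security identifiers and the helper names (`_enforce`, `_init_subject`, `instrument`, `run_as`) are all assumptions made for this example; a real implementation would operate on the component system's binary or bytecode rather than on source.

```python
import ast
import threading


class EnforcementService:
    """Runtime half of the mechanism (example code, not the patent's).
    Keeps the site policy as data, so a revised policy only requires
    re-running instrument() on the unmodified component."""

    def __init__(self, policy, authorizations):
        self.policy = policy                    # (abstraction, op) -> rule
        self.authorizations = authorizations    # subject SID -> allowed (abstraction, op)
        self.audit_log = []
        self.authenticated = None
        self._local = threading.local()         # subject SID per thread of control

    def authenticate(self, user):
        """Host authenticates the user before the component may run
        (toy rule: any subject with an authorization entry is accepted)."""
        if user not in self.authorizations:
            raise PermissionError(f"unknown subject {user}")
        self.authenticated = user

    def init_subject(self):
        """Called by the inserted security initialization code: registers
        the authenticated subject's SID for the current thread of control."""
        self._local.sid = self.authenticated

    def current_subject(self):
        return getattr(self._local, "sid", None)

    def enforce(self, abstraction, op, target, *args, **kwargs):
        """Interposed in front of every policy-relevant operation."""
        rule = self.policy[(abstraction, op)]
        caller = self.current_subject()
        if rule.get("check") and (abstraction, op) not in self.authorizations.get(caller, ()):
            self.audit_log.append({"decision": "deny", "subject": caller,
                                   "op": f"{abstraction}.{op}"})
            raise PermissionError(f"{caller} may not perform {abstraction}.{op}")
        effective = rule.get("transfer", caller)    # protection domain transfer, if any
        self._local.sid = effective
        try:
            result = target(*args, **kwargs)
        finally:
            self._local.sid = caller                # transfer back when the operation returns
        if rule.get("audit"):
            self.audit_log.append({"decision": "allow", "subject": caller,
                                   "domain": effective, "op": f"{abstraction}.{op}"})
        return result


class Interposer(ast.NodeTransformer):
    """Analysis + modification: `abs.op(args)` becomes `_enforce("abs", "op", abs.op, args)`
    for every (abs, op) the policy names, and `_init_subject()` is prepended to each function."""

    def __init__(self, policy):
        self.policy = policy
        self.found = set()      # operations discovered by the analysis step

    def visit_Call(self, node):
        self.generic_visit(node)                    # rewrite nested calls first
        f = node.func
        if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
            key = (f.value.id, f.attr)
            if key in self.policy:
                self.found.add(key)
                new = ast.Call(func=ast.Name("_enforce", ast.Load()),
                               args=[ast.Constant(key[0]), ast.Constant(key[1]), f, *node.args],
                               keywords=node.keywords)
                return ast.copy_location(new, node)
        return node

    def visit_FunctionDef(self, node):
        self.generic_visit(node)
        init = ast.Expr(ast.Call(ast.Name("_init_subject", ast.Load()), [], []))
        node.body.insert(0, init)                   # security initialization code
        return node


def instrument(source, policy):
    """Analyze the component source and return (modified code object, operations found)."""
    interposer = Interposer(policy)
    tree = ast.fix_missing_locations(interposer.visit(ast.parse(source)))
    return compile(tree, "<component>", "exec"), interposer.found


# Constructed component: reads a file, ships it over the network, writes a backup.
COMPONENT_SRC = '''
def run(fs, net):
    data = fs.read("/etc/motd")
    net.send("relay.invalid", data)
    fs.write("/var/cache/motd.bak", data)
    return len(data)
'''


class FakeFS:                       # constructed stand-ins for component system objects
    def __init__(self): self.files = {"/etc/motd": b"hello"}
    def read(self, path): return self.files[path]
    def write(self, path, data): self.files[path] = data


class FakeNet:
    def __init__(self): self.sent = []
    def send(self, host, data): self.sent.append((host, data))


POLICY = {  # constructed site policy: which operations need a check, a transfer, an audit record
    ("fs", "read"):  {"check": True},
    ("fs", "write"): {"check": True, "transfer": "sid:backup-daemon", "audit": True},
    ("net", "send"): {"check": True, "audit": True},
}
AUTHORIZATIONS = {  # constructed subject SIDs and their permitted access modes
    "sid:alice": {("fs", "read"), ("fs", "write"), ("net", "send")},
    "sid:guest": {("fs", "read")},
}


def run_as(user):
    """Authenticate, load the modified component, run it; return (result or error, audit log, sent)."""
    service = EnforcementService(POLICY, AUTHORIZATIONS)
    service.authenticate(user)
    code, _ = instrument(COMPONENT_SRC, service.policy)
    namespace = {"_enforce": service.enforce, "_init_subject": service.init_subject}
    exec(code, namespace)
    fs, net = FakeFS(), FakeNet()
    try:
        result = namespace["run"](fs, net)
    except PermissionError as exc:
        result = exc
    return result, service.audit_log, net.sent
```

Running `run_as("sid:alice")` completes with two audit records (the `fs.write` record shows the operation executed under the transferred domain `sid:backup-daemon`), while `run_as("sid:guest")` is stopped at `net.send` with a deny record and nothing leaves the stub network. The component source itself never changes; only the policy table and the instrumentation step do, which is the separation between enforcement mechanism and site-specific policy the text calls for.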
Bershad Brian N.
Grimm Robert
Anderson Ronald M.
Chaki Kakali
Dam Tuan Q.
University of Washington
Process for transparently enforcing protection domains and...