Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1999-02-09
2003-12-02
Wright, Norman M. (Department: 2131)
C713S159000, C713S167000, C709S225000, C709S229000
active
06658571
ABSTRACT:
TECHNICAL FIELD
This invention relates generally to the field of secure computing environments, and more particularly to a security framework to dynamically wrap applications in a computing environment without requiring modification to an underlying operating system or the application itself, thereby limiting the amount of potential damage that a successful attacker or corrupt application can cause.
COPYRIGHTS
A portion of this patent document contains material that is subject to copyright protection. The copyright owners have no objection to the facsimile reproduction of the material by anyone, as it appears in the Patent and Trademark Office, patent files or records, but otherwise reserve all copyrights whatsoever.
BACKGROUND
There are many challenges to creating a highly secure computing environment such as preventing eavesdroppers from accessing private communications, preventing vandals from tampering with information while in transit from sender to receiver, verifying a network server is indeed the server it professes to be, safeguarding confidential documents from unauthorized individuals and correctly authenticating users who are attempting to access a network. One of the more difficult challenges is trying to limit the damage that an unauthorized individual can cause in the event that the individual is able to bypass the security mechanisms. Similarly, another difficult challenge is limiting the damage that malicious software can cause in the event that malicious software is accidentally executed by a computing system.
One conventional technique for limiting such damage has been to link special security libraries with each software application that will be executed by the computing system. The libraries prevent any corrupt software application from accessing system resources that would otherwise not normally be accessed via the software application. This approach has been discussed for TCP/IP applications where the SOCKS library is linked with each application. (Leech, M. et al., RFC 1928: SOCKS Protocol Version, Mar. 5, 1996). This approach is impractical in that it requires customization of each software application and can be bypassed by making operating system calls that do not invoke the library.
Another approach has been to “wrap” an application with a protective layer of software. For example, wrappers have been developed that make use of an operating system's debug functionality. (Goldberg, I. et al., “A Secure Environment for Untrusted Helper Applications,” Proceedings of the 6th USENIX Security Symposium, July, 1996). This approach, however, requires running the operating system in debug mode which is impractical in that it significantly affects the performance of the system and introduces additional vulnerabilities.
For these reasons, and for other reasons stated below which will become apparent to those skilled in the art upon reading and understanding the present specification, there is a need in the art for a security mechanism that limits the amount of potential damage that a successful attacker or corrupt program can cause. Furthermore, there is a need for such a security mechanism that does not require using debug mode, additional hardware, or modification to the individual software applications or the underlying operating system.
SUMMARY
An inventive security framework provides a mechanism for dynamically wrapping standard, commercially available software applications in order to limit the amount of potential damage that a successful attacker or corrupt program can cause. In one aspect, the invention is a computerized method in which one or more security modules are loaded into an operating system that is executing on a computing system. The security module includes security information that can be application-specific or resource-specific. System calls from an application executing on the computing system are intercepted and subsequently processed by the security modules as a function of the security information.
In another aspect, the security framework includes one or more security modules that are loaded within an operating system of a computing system. Each security module includes security information that can be application-specific or resource-specific. A security master executing within the operating system intercepts system calls from the software applications and invokes one or more security modules to process the system call as a function of the security information. The security framework further includes a security manager that is communicatively coupled to the security master. The security manager commands the security master to configure the security modules as a function of input from a user. For example, via the security manager, the user is able to install and remove the security modules.
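The dispatch described in the summary, modelled in user space as an added C example (not code from the patent or its assignee). The struct layout, the function names, the path-prefix rule and the pass-through default for calls no module covers are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
enum verdict { ALLOW, DENY };
struct call { const char *app, *name, *path; };   /* simplified intercepted system call */
struct sec_module {               /* hypothetical "security information" layout */
    const char *id, *app;         /* app == NULL: applies to every application */
    const char *name;             /* system call this module wraps */
    const char *allow_prefix;     /* resource rule: only paths under this prefix */
};
static struct sec_module loaded[8];
static size_t n_loaded;

/* Security manager operations: install or remove a module at run time. */
int install_module(struct sec_module m) {
    if (n_loaded == sizeof loaded / sizeof loaded[0]) return -1;
    loaded[n_loaded++] = m;
    return 0;
}
int remove_module(const char *id) {
    for (size_t i = 0; i < n_loaded; i++)
        if (strcmp(loaded[i].id, id) == 0) { loaded[i] = loaded[--n_loaded]; return 0; }
    return -1;
}

/* A real hook would compare the resolved path; this model just refuses "..". */
static int path_ok(const struct sec_module *m, const char *path) {
    return strstr(path, "..") == NULL &&
           strncmp(path, m->allow_prefix, strlen(m->allow_prefix)) == 0;
}

/* Security master: each applicable module sees the call and one DENY is final.
   Calls that no loaded module covers pass through to the OS unchanged. */
enum verdict security_master(const struct call *c) {
    for (size_t i = 0; i < n_loaded; i++) {
        const struct sec_module *m = &loaded[i];
        int applies = strcmp(m->name, c->name) == 0 &&
                      (m->app == NULL || strcmp(m->app, c->app) == 0);
        if (applies && !path_ok(m, c->path)) return DENY;
    }
    return ALLOW;
}

int main(void) {
    struct call c = { "httpd", "open", "/etc/shadow" };     /* constructed sample */
    install_module((struct sec_module){ "web-fs", "httpd", "open", "/var/www/" });
    printf("wrapped: %s\n", security_master(&c) == DENY ? "DENY" : "ALLOW");
    remove_module("web-fs");
    printf("unwrapped: %s\n", security_master(&c) == DENY ? "DENY" : "ALLOW");
    return 0;
}
```

Because the policy lives in the installed module rather than in the application, the same binary is confined or unconfined depending only on what the manager has loaded.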
REFERENCES:
patent: 5457798 (1995-10-01), Alfredsson
patent: 5504814 (1996-04-01), Miyahara
patent: 5764889 (1998-06-01), Ault et al.
patent: 6047323 (2000-04-01), Krause
patent: 6131165 (2000-10-01), Lipkin et al.
patent: 6243692 (2001-06-01), Floyd et al.
patent: 6247127 (2001-06-01), Vandergeest
patent: 6289458 (2001-09-01), Garg et al.
patent: 6321337 (2001-11-01), Reshef et al.
patent: 2001/0037450 (2001-11-01), Metlitski et al.
Y.H. Song, Linux Security Kernel, Derwent Week, Derwent-Acc-No. 2002-672342, May 8, 2002.*
Goldberg, I., et al., “A Secure Environment for Untrusted Helper Applications”, Proceedings of the 6th USENIX Security Symposium, (Jul. 1996).
Leech, M., et al., RFC 1928: SOCKS Protocol Version 5, (Mar. 1996).
Lu Raymond
Minear Spencer
Mitchem Terrence
O'Brien Richard
Schwegman Lundberg Woessner & Kluth P.A.
Secure Computing Corporation
Wright Norman M.