Security enforcement in the presence of dynamic code loading
First Claim
1. A method for verifying a software program for security, the method comprising:
- retrieving from a memory a program to be verified against a security policy and a security specification defining said security policy, the retrieved program comprising only static code available for evaluation before additional code is added during a dynamic linking of an execution of said program;
applying a static program analysis on said static code of said program, using a processor on a computer, to determine whether said static code of said program is compatible with said security specification; and
if a determination is made by said static program analysis that said static code of said program is incompatible with said security specification, rejecting said program as non-compliant; and
else, the determination is made by said static program analysis that said static code of said program is compatible with said security specification, then building a call-graph representation of said program for use to evaluate any dynamically-loaded code during an execution of said program, and indicating paths of said call-graph representation that reach at least one policy-relevant operation during the execution,wherein the static analysis first statically determines whether the static code of said program complies with all security policies in the security specification prior to any dynamic code loading, the program to be then dynamically checked only for aspects that were not verified during said static analysis.
1 Assignment
0 Petitions
Accused Products
Abstract
A method (and structure) for enforcing a security policy includes retrieving from a memory a program to be verified against a security policy and a security specification defining the security policy. A static program analysis is performed on the program, using a processor on a computer, to determine whether the program is compatible with the security specification. The program is rejected if the program is determined by the static program analysis as being incompatible with the security specification. If the program is determined during the static program analysis as compatible with the security specification under static analysis criteria, then building a call-graph representation of the program for use to evaluate any dynamically-loaded code during an execution of the program. Any paths, if any, of the call-graph representation that reach at least one policy-relevant operation is marked.
42 Citations
18 Claims
-
1. A method for verifying a software program for security, the method comprising:
-
retrieving from a memory a program to be verified against a security policy and a security specification defining said security policy, the retrieved program comprising only static code available for evaluation before additional code is added during a dynamic linking of an execution of said program; applying a static program analysis on said static code of said program, using a processor on a computer, to determine whether said static code of said program is compatible with said security specification; and if a determination is made by said static program analysis that said static code of said program is incompatible with said security specification, rejecting said program as non-compliant; and else, the determination is made by said static program analysis that said static code of said program is compatible with said security specification, then building a call-graph representation of said program for use to evaluate any dynamically-loaded code during an execution of said program, and indicating paths of said call-graph representation that reach at least one policy-relevant operation during the execution, wherein the static analysis first statically determines whether the static code of said program complies with all security policies in the security specification prior to any dynamic code loading, the program to be then dynamically checked only for aspects that were not verified during said static analysis. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
-
-
12. An apparatus, comprising:
-
a processor; and a memory system accessible to said processor, wherein said memory system has stored therein a set of computer-readable instructions that instruct said processor to execute a method for verifying a program for compliance with a security policy and a security specification, the program comprising static code that is statically declared but having no code that is to be dynamically-loaded during an execution of said program, said method comprising; retrieving from a memory a program to be verified against a security policy and a security specification defining said security policy; applying a static program analysis on static code of said program, using a processor on a computer, to determine whether said program is compatible with said security specification, the static program analysis verifying security compliance on the static code that is statically declared; and if a determination is made by said static program analysis that said static code of said program is incompatible with said security specification, rejecting said program as non-compliant; and else, the determination is made by said static program analysis that said static code of said program is compatible with said security specification, then building a call-graph representation of said program for use to evaluate any dynamically-loaded code during an execution of said program, and indicating paths of said call-graph representation that reach at least one policy-relevant operation during the execution, wherein the static analysis first statically determines whether the static code of said program complies with all security policies in the security specification prior to any dynamic code loading, the program to be then dynamically checked only for aspects that were not verified during said static analysis. - View Dependent Claims (13, 14, 15)
-
-
16. A method for verifying a software program for security, the method comprising:
-
retrieving from a memory a program to be verified against a security policy and a security specification defining said security policy; applying a static program analysis on a static portion of said program, using a processor on a computer, to determine whether said static portion is compatible with said security specification; and if a determination is made by said static program analysis that said static code of said program is incompatible with said security specification, rejecting said program as non-compliant; and else, the determination is made by said static program analysis that said static code of said program is compatible with said security specification, then building a call-graph representation of said program for use to evaluate any dynamically-loaded code during an execution of said program, and indicating paths of said call-graph representation that reach at least one policy-relevant operation during the execution, wherein the static analysis first statically determines whether the static code of said program complies with all security policies in the security specification prior to any dynamic code loading, the program to be then dynamically checked only for aspects that were not verified during said static analysis. - View Dependent Claims (17, 18)
-
Specification