Policies for secure software execution
Abstract
A system and method that automatically, transparently and securely controls software execution by identifying and classifying software, and locating a rule and associated security level for executing executable software. The security level may disallow the software's execution, restrict the execution to some extent, or allow unrestricted execution. To restrict software, a restricted access token may be computed that reduces software's access to resources, and/or removes privileges, relative to a user's normal access token. The rules that control execution for a given machine or user may be maintained in a restriction policy, e.g., locally maintained and/or in a group policy object distributable over a network. Software may be identified/classified by a hash of its content, by a digital signature, by its file system or network path, and/or by its URL zone. For software having multiple classifications, a precedence mechanism is provided to establish the applicable rule/security level.
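An added sketch of the rule lookup the abstract describes (not code from the patent): rules keyed by content hash, path, or URL zone each carry a security level, and a precedence step picks one when several match. The rule schema, zone names, default level, and the precedence order hash > path > zone are assumptions for illustration, since the abstract does not state the order; signature rules are omitted to keep the example short.

```python
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Security levels from the abstract: disallow, restrict, or allow unrestricted.
DISALLOWED, RESTRICTED, UNRESTRICTED = "disallowed", "restricted", "unrestricted"

# Assumed precedence (not stated in the abstract): more specific identification wins.
PRECEDENCE = {"hash": 0, "path": 1, "zone": 2}

@dataclass(frozen=True)
class Rule:
    kind: str    # "hash", "path" or "zone"
    value: str   # SHA-256 hex digest, path prefix, or zone name
    level: str

def matches(rule, content, path, zone):
    if rule.kind == "hash":
        return hashlib.sha256(content).hexdigest() == rule.value
    if rule.kind == "path":
        # Component-wise prefix match, so C:\Users does not match C:\UsersEvil.
        parts = PureWindowsPath(rule.value.lower()).parts
        return PureWindowsPath(path.lower()).parts[:len(parts)] == parts
    if rule.kind == "zone":
        return zone == rule.value
    return False

def security_level(policy, content, path, zone, default=UNRESTRICTED):
    """Return the level of the highest-precedence matching rule, else the default."""
    hits = [r for r in policy if matches(r, content, path, zone)]
    if not hits:
        return default  # what happens with no matching rule is a policy choice
    # Among rules of the same kind, the longer (more specific) value wins.
    best = min(hits, key=lambda r: (PRECEDENCE[r.kind], -len(r.value)))
    return best.level

# Constructed sample policy and content, for illustration only.
KNOWN_BAD = b"constructed sample payload"
POLICY = [
    Rule("hash", hashlib.sha256(KNOWN_BAD).hexdigest(), DISALLOWED),
    Rule("path", r"C:\Program Files", UNRESTRICTED),
    Rule("path", r"C:\Users", RESTRICTED),
    Rule("zone", "Internet", DISALLOWED),
]
```

A file that matches both the hash rule and an allowed path is disallowed under this ordering, which is the kind of conflict the precedence mechanism exists to resolve.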
75 Claims
1. A computer-implemented method, comprising:
- receiving information corresponding to software that may be executable;
- locating a rule that corresponds to the information, the rule having a security level associated therewith;
- associating the security level with the software; and
- controlling execution of any executable content of the software based on the security level associated with the software.
Dependent claims: 2 to 40.
41. A computer-implemented method, comprising:
- providing a plurality of rules for executable software, each rule having a security level associated therewith;
- determining which rule applies to a given software module based on a classification of that software module; and
- associating the given software module with execution information corresponding to the security level to control the software module's runtime capabilities.
Dependent claims: 42 to 53.
54. In a computer system, a security mechanism, comprising:
- a set of at least one function, each function of the set configured to receive a request related to executing a software module, the software module being associated with software identification information;
- a policy container having a plurality of rules therein, each rule being associated with a security level; and
- an enforcement mechanism configured for communication with each function of the set of functions, the enforcement mechanism being further configured to: obtain software identification information associated with the software module from a function of the set, consult the policy container to locate a rule based on the software identification, and associate security information with the software module, the security information based on the security level associated with the rule.
Dependent claims: 55 to 75.
Specification