Method and apparatus for preventing rogue implementations of a security-sensitive class interface

US 20040172530A1
Filed: 02/27/2003
Published: 09/02/2004
Est. Priority Date: 02/27/2003
Status: Active Grant

First Claim

Patent Images

1. A method of securing a server runtime environment, comprising:

generating a first unique identifier at startup of the server runtime environment, the first unique identifier being an identifier that is valid for the server runtime environment;

storing the first unique identifier in a private location of the server runtime environment;

receiving a request to instantiate a first credential object; and

inserting the first unique identifier in a private field of the first credential object.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for preventing rogue implementations of a security-sensitive class interface are provided. With the method and apparatus, a unique identifier (UID) is created by a server process when the server process is started. Anytime the server process, i.e. a server runtime environment, instantiates a new credential object following start-up of the server process, the encrypted UID is placed into a private field within the new credential object. In addition, the UID is encrypted and stored in a private class of the server runtime environment. A verification class is provided within the server runtime environment which includes one or more methods that receive the credential object as a parameter and return true or false as to the validity of the credential object. These one or more methods determine the validity of the credential object by retrieving the encrypted UID from the private class stored in the server runtime environment, decrypting the UID and comparing it to the decrypted UID stored in the private field of the credential object. If the two UIDs match, a determination is made that the credential object was created by the server runtime environment rather than a rogue application. If the two UIDs do not match, or if there is no UID in the credential object, then a false result will be returned by the verification class.

Citations

20 Claims

1. A method of securing a server runtime environment, comprising:
- generating a first unique identifier at startup of the server runtime environment, the first unique identifier being an identifier that is valid for the server runtime environment;
  
  storing the first unique identifier in a private location of the server runtime environment;
  
  receiving a request to instantiate a first credential object; and
  
  inserting the first unique identifier in a private field of the first credential object.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - receiving a second credential object;
      
      obtaining a second unique identifier stored in a private field of the second credential object;
      
      comparing the second unique identifier to the first unique identifier; and
      
      validating the second credential object only if the second unique identifier matches the first unique identifier.
  - 3. The method of claim 1, wherein the first unique identifier is a pseudo-randomly generated set of alphanumeric characters.
  - 4. The method of claim 1, wherein the first unique identifier is stored in a private class of the server runtime environment.
  - 5. The method of claim 2, wherein comparing the second unique identifier to the first unique identifier includes performing a byte array comparison between the second unique identifier and the first unique identifier.
  - 6. The method of claim 1, further comprising:
    - receiving a request to instantiate a second credential object; and
      
      inserting the first unique identifier in a private field of the second credential object such that the first credential object and the second credential object include the same first unique identifier.
  - 7. The method of claim 1, wherein the server runtime environment is a Java 2 Security runtime environment.

8. A computer program product in a computer readable medium for securing a server runtime environment, comprising:
- first instructions for generating a first unique identifier at startup of the server runtime environment, the first unique identifier being an identifier that is valid for the server runtime environment;
  
  second instructions for storing the first unique identifier in a private location of the server runtime environment;
  
  third instructions for receiving a request to instantiate a first credential object; and
  
  fourth instructions for inserting the first unique identifier in a private field of the first credential object.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer program product of claim 8, further comprising:
    - fifth instructions for receiving a second credential object;
      
      sixth instructions for obtaining a second unique identifier stored in a private field of the second credential object;
      
      seventh instructions for comparing the second unique identifier to the first unique identifier; and
      
      eighth instructions for validating the second credential object only if the second unique identifier matches the first unique identifier.
  - 10. The computer program product of claim 8, wherein the first unique identifier is a pseudo-randomly generated set of alphanumeric characters.
  - 11. The computer program product of claim 8, wherein the first unique identifier is stored in a private class of the server runtime environment.
  - 12. The computer program product of claim 9, wherein the seventh instructions for comparing the second unique identifier to the first unique identifier include instructions for performing a byte array comparison between the second unique identifier and the first unique identifier.
  - 13. The computer program product of claim 8, further comprising:
    - fifth instructions for receiving a request to instantiate a second credential object; and
      
      sixth instructions for inserting the first unique identifier in a private field of the second credential object such that the first credential object and the second credential object include the same first unique identifier.
  - 14. The computer program product of claim 8, wherein the server runtime environment is a Java 2 Security runtime environment.

15. An apparatus for securing a server runtime environment, comprising:
- means for generating a first unique identifier at startup of the server runtime environment, the first unique identifier being an identifier that is valid for the server runtime environment;
  
  means for storing the first unique identifier in a private location of the server runtime environment;
  
  means for receiving a request to instantiate a first credential object; and
  
  means for inserting the first unique identifier in a private field of the first credential object.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The apparatus of claim 15, further comprising:
    - means for receiving a second credential object;
      
      means for obtaining a second unique identifier stored in a private field of the second credential object;
      
      means for comparing the second unique identifier to the first unique identifier; and
      
      means for validating the second credential object only if the second unique identifier matches the first unique identifier.
  - 17. The apparatus of claim 15, wherein the first unique identifier is a pseudo-randomly generated set of alphanumeric characters.
  - 18. The apparatus of claim 15, wherein the first unique identifier is stored in a private class of the server runtime environment.
  - 19. The apparatus of claim 16, wherein the means for comparing the second unique identifier to the first unique identifier includes means for performing a byte array comparison between the second unique identifier and the first unique identifier.
  - 20. The apparatus of claim 15, further comprising:
    - means for receiving a request to instantiate a second credential object; and
      
      means for inserting the first unique identifier in a private field of the second credential object such that the first credential object and the second credential object include the same first unique identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Chao, Ching-Yun, Birk, Peter Daniel, Chung, Hyen Vui

Granted Patent

US 7,337,318 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/155
CPC Class Codes

G06F 21/64 Protecting data integrity, ...

Method and apparatus for preventing rogue implementations of a security-sensitive class interface

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for preventing rogue implementations of a security-sensitive class interface

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links