Integration of high-assurance features into an application through application factoring
3 Assignments
0 Petitions
Abstract
Application factoring or partitioning is used to integrate secure features into a conventional application. An application's functionality is partitioned into two sets according to whether a given action does, or does not, involve the handling of sensitive data. Separate software objects (processors) are created to perform these two sets of actions. A trusted processor handles secure data and runs in a high-assurance environment. When another processor encounters secure data, that data is sent to the trusted processor. The data is wrapped in a way that allows it to be routed to the trusted processor and prevents it from being deciphered by any entity other than the trusted processor. An infrastructure is provided that wraps objects, routes them to the correct processor, and allows their integrity to be attested through a chain of trust leading back to a base component that is known to be trustworthy.
58 Citations
34 Claims
1. A system that manages the partitioning of an application comprising:
a base layer that hosts the operation of a first environment and a second environment, the application comprising:
a first software object that executes in said first environment, said first software object handling a plurality of data and including logic to identify a first of said plurality of data as not processable by said software object; and
a second software object that executes in said second environment and that processes said first of said plurality of data in a manner that resists tampering with said first of said plurality of data, said base layer comprising or hosting logic that receives said first of said plurality of data from said software object and routes said first of said plurality of data to said second environment.
Dependent claims: 2-12
13. A method of a first software object, which executes in a first environment, handling data to which a policy applies, the method comprising:
the first software object encountering the data;
the first software object determining that the data is not processable by the first software object;
the first software object causing the data to be provided to a second software object that executes in a second environment that provides a first level of assurance that actions performed in the second environment will be performed correctly, wherein the second software object processes the data in a manner that uses said assurance to resist tampering with the data by acts arising outside of the second environment.
Dependent claims: 14-24
25. A computer-readable medium having encoded thereon code and data to allow a user to operate on first and second classes of data, said second class of data requiring a relatively higher level of protection from tampering than said first class of data, said code and data comprising:
a first software object associated with a first specification that describes the behavior of said first software object, said first software object comprising instructions to:
operate on members of said first class of data;
recognize a member of said second class of data as not being processable by said first software object; and
cause said member of said second class of data to be routed to a second software object; and
said second software object, which is associated with a second specification that describes the behavior of said second software object, there being a relatively higher level of assurance that said second software object will conform to said second specification than that said first software object will conform to said first specification, said second software object comprising instructions to operate on members of said second class of data.
Dependent claims: 26-31
32. A system that supports the partitioning of an application into at least a first software object and a second software object, the system hosting a first environment and a second environment, the first software object running in the first environment, the second software object running in the second environment, the system comprising an application programming interface that exposes at least one of the following methods:
a first method that receives from the first software object a first data object that comprises:
(1) data processable by the second software object, and (2) a first identifier assigned by the system to the second environment;
and that routes said first data object to said second environment based on said first identifier;
a second method that creates a second data object that comprises:
(1) data processable by the second software object;
(2) said first identifier;
(3) authentication data that allows a subsequent determination that said second data object has not been tampered with since being created by said second method;
a third method that receives, from the first environment, a second identifier associated with the second software object, and that directs that an instance of the second software object be created; and
a fourth method that receives, from the first software environment:
(1) a third data object, and (2) a third identifier associated with said first software object, and that directs that an instance of said first software object be created based on having received said third identifier, and that directs that said first software object operate on said third data object.
Dependent claims: 33-34
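The abstract and claim 32 describe an infrastructure in which a conventional processor recognises data it may not handle, a base layer wraps sensitive data with the identifier of the high-assurance environment plus authentication data, and routes the wrapped object to a trusted processor that checks integrity before deciphering it. The following is an added example modelling that flow; it is not code from the patent or its assignee. Everything concrete in it is an assumption: the environment identifiers, the in-process key handling (standing in for a key sealed to the high-assurance environment by attestation), and the HMAC-SHA256 counter-mode stream cipher with encrypt-then-MAC (standing in for a real AEAD such as AES-GCM). The sample records are constructed for the demonstration.

```python
"""Toy model of the factoring infrastructure in the abstract and claim 32.
Added example, not the patent's code.  Keys, identifiers and the cipher are
stand-ins (see the lead-in); the records in demo() are constructed inputs."""
import hashlib
import hmac
import json
import secrets

TRUSTED_ENV = "env:high-assurance"   # assumed "first identifier" of the second environment
UNTRUSTED_ENV = "env:conventional"   # assumed identifier of the first environment


def _derive(master: bytes, label: bytes) -> bytes:
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode; stand-in for AES-CTR.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def _header(env_id: str, nonce_hex: str) -> bytes:
    # The environment id is bound into the MAC, so code in the conventional
    # environment cannot redirect a wrapped object to another environment.
    return json.dumps({"env": env_id, "nonce": nonce_hex}, sort_keys=True).encode()


class BaseLayer:
    """Hosts both environments, assigns identifiers, wraps and routes objects."""

    def __init__(self) -> None:
        master = secrets.token_bytes(32)
        self._enc_key = _derive(master, b"enc")
        self._mac_key = _derive(master, b"mac")
        self._processors = {}

    def register(self, env_id: str, processor) -> None:
        self._processors[env_id] = processor

    def trusted_keys(self):
        # Assumption: only the trusted environment can reach this.  A real
        # deployment enforces that at the isolation boundary; here it is convention.
        return self._enc_key, self._mac_key

    def wrap(self, plaintext: bytes, env_id: str) -> dict:
        """Claim 32, second method: data + environment id + authentication data."""
        nonce = secrets.token_bytes(16)
        ct = _xor(plaintext, _keystream(self._enc_key, nonce, len(plaintext)))
        tag = hmac.new(self._mac_key, _header(env_id, nonce.hex()) + ct, hashlib.sha256).hexdigest()
        return {"env": env_id, "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag}

    def route(self, obj: dict):
        """Claim 32, first method: deliver a wrapped object by its environment id."""
        env = obj["env"]
        if env not in self._processors:
            raise LookupError(f"no processor registered for {env!r}")
        return self._processors[env].process(obj)


class TrustedProcessor:
    """Second software object: verifies integrity, then deciphers and processes."""

    def __init__(self, base: BaseLayer) -> None:
        self._enc_key, self._mac_key = base.trusted_keys()

    def process(self, obj: dict):
        ct = bytes.fromhex(obj["ct"])
        expected = hmac.new(self._mac_key, _header(obj["env"], obj["nonce"]) + ct,
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, obj["tag"]):
            raise ValueError("wrapped object modified since it was created")
        plaintext = _xor(ct, _keystream(self._enc_key, bytes.fromhex(obj["nonce"]), len(ct)))
        return ("trusted", plaintext)


class UntrustedProcessor:
    """First software object: handles ordinary data, hands off what it may not process."""

    def __init__(self, base: BaseLayer, env_id: str) -> None:
        self._base, self._env = base, env_id

    def process(self, item):
        if isinstance(item, dict) and "tag" in item:   # wrapped: not processable here
            if item["env"] == self._env:                # mis-addressed, never loop on it
                raise ValueError("wrapped object addressed to an environment without the key")
            return self._base.route(item)
        return ("untrusted", item.upper())             # ordinary data, handled locally


def demo():
    base = BaseLayer()
    base.register(TRUSTED_ENV, TrustedProcessor(base))
    untrusted = UntrustedProcessor(base, UNTRUSTED_ENV)
    base.register(UNTRUSTED_ENV, untrusted)
    # Constructed inputs: one ordinary record and one sensitive record that was
    # wrapped for the high-assurance environment before reaching the untrusted side.
    ordinary = "shipping address"
    sensitive = base.wrap(b"card=4111111111111111", TRUSTED_ENV)
    results = [untrusted.process(ordinary), untrusted.process(sensitive)]
    # Tampering in the conventional environment: flip one ciphertext bit.
    forged = dict(sensitive)
    ct = bytearray(bytes.fromhex(forged["ct"]))
    ct[0] ^= 1
    forged["ct"] = ct.hex()
    try:
        untrusted.process(forged)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return results, tamper_detected


if __name__ == "__main__":
    print(demo())
```

The conventional processor never holds the key, so it can only recognise the wrapped shape and forward it; the trusted processor refuses anything whose tag does not verify over both the ciphertext and the environment identifier, which is the "authentication data" element of claim 32's second method. The chain-of-trust attestation mentioned in the abstract is outside this model.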
Specification