System and method for using security levels to simplify security policy management
Abstract
A system and method is provided for reducing the complexity and improving the performance of enforcing security restrictions on the execution of program code in a runtime environment. In a preferred embodiment, units of executable code, such as methods or functions, are classified by “security level.” Code units belonging to a “trusted” security level may call any other code unit in the runtime environment, but other security levels are restricted in the code units they can call. In a preferred embodiment, the security levels are represented by corresponding permission objects. Each permission object that is associated with a particular security level includes a numerical value that denotes that security level. Security policies can be enforced with respect to caller and callee code units by comparing numerical values of corresponding permission objects. This security level scheme also improves runtime performance by making it unnecessary to check individually-defined permissions in many cases.
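As an added illustration (not the patent's own code), the following Python models the scheme the abstract describes: each code unit carries a permission object whose numeric value is its security level, a call is admitted by comparing the caller's and callee's values, and individually defined permissions are consulted only when that comparison does not already admit the call. The level names, the "higher value means more trusted" ordering and the exact fallback rule are assumptions made for this example.

```python
"""Added example, not the patent's implementation: level-based call checks
with a fallback to individually defined permissions (ordering assumed)."""
from dataclasses import dataclass, field

# Assumed numeric security levels; a higher value denotes more trust.
UNTRUSTED, RESTRICTED, TRUSTED = 0, 1, 2


@dataclass(frozen=True)
class LevelPermission:
    """Permission object whose numeric value denotes a security level."""
    level: int


@dataclass
class CodeUnit:
    name: str
    permission: LevelPermission
    # Individually defined runtime permissions the unit holds (as a caller)
    # or requires (as a callee). Only inspected when the level check fails.
    permissions: frozenset = field(default_factory=frozenset)


class AccessDenied(Exception):
    pass


def may_call(caller: CodeUnit, callee: CodeUnit) -> tuple:
    """Return (allowed, reason). The cheap numeric comparison runs first;
    the per-permission check is the slow path and is skipped when possible."""
    if caller.permission.level == TRUSTED:
        return True, "trusted caller"          # trusted code may call anything
    if caller.permission.level >= callee.permission.level:
        return True, "level check"             # fast path: no permission scan
    missing = callee.permissions - caller.permissions
    if not missing:
        return True, "individual permissions"  # slow path succeeded
    return False, f"missing {sorted(missing)}"


def invoke(caller: CodeUnit, callee: CodeUnit, fn, *args):
    """Execute fn on behalf of callee only if the policy admits the call."""
    allowed, reason = may_call(caller, callee)
    if not allowed:
        raise AccessDenied(f"{caller.name} -> {callee.name}: {reason}")
    return fn(*args)


# Constructed sample code units for the demonstration.
SYSTEM = CodeUnit("system.loader", LevelPermission(TRUSTED))
APP = CodeUnit("app.main", LevelPermission(RESTRICTED), frozenset({"file.read"}))
PLUGIN = CodeUnit("plugin.x", LevelPermission(UNTRUSTED))
FILE_IO = CodeUnit("io.readFile", LevelPermission(RESTRICTED), frozenset({"file.read"}))
NET_IO = CodeUnit("net.connect", LevelPermission(TRUSTED), frozenset({"net.connect"}))
```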
31 Claims
1. A computer-implemented method for providing secure execution of code units, the method comprising:
installing a plurality of code units on a computer system, wherein the code units are adapted to execute in a user-level runtime environment on the computer system;
associating, with at least one of the code units, a privilege level selected from a plurality of privilege levels, wherein the privilege level corresponds to one or more individual runtime permissions associated with the user-level runtime environment;
executing at least a portion of the associated code unit, wherein the portion of the associated code unit calls a process that has an assigned security level;
comparing the associated privilege level with the assigned security level; and
executing the called process in response to a first result of the comparison, thereby providing secure execution of the associated code unit.
(Dependent claims 2 to 17 not shown.)
18. An information handling system comprising:
one or more processors;
one or more data storage units accessible by the processors; and
functional descriptive material contained within the data storage units that, when executed by the processors, directs the processors to perform actions of:
installing a plurality of code units on a computer system, wherein the code units are adapted to execute in a user-level runtime environment on the computer system;
associating, with at least one of the code units, a privilege level selected from a plurality of privilege levels, wherein the privilege level corresponds to one or more individual runtime permissions associated with the user-level runtime environment;
executing at least a portion of the associated code unit, wherein the portion of the associated code unit calls a process that has an assigned security level;
comparing the associated privilege level with the assigned security level; and
executing the called process in response to a first result of the comparison, thereby providing secure execution of the associated code unit.
(Dependent claims 19 to 27 not shown.)
28. A computer program product stored in a computer-operable media for enforcing security policies with respect to units of executable code, said computer program product comprising:
installing means for installing a plurality of code units on a computer system, wherein the code units are adapted to execute in a user-level runtime environment on the computer system;
associating means for associating, with at least one of the code units, a privilege level selected from a plurality of privilege levels, wherein the privilege level corresponds to one or more individual runtime permissions associated with the user-level runtime environment;
first executing means for executing at least a portion of the associated code unit, wherein the portion of the associated code unit calls a process that has an assigned security level;
comparing means for comparing the associated privilege level with the assigned security level; and
second executing means for executing the called process in response to a first result of the comparison, thereby providing secure execution of the associated code unit.
(Dependent claims 29 to 31 not shown.)