Method for enforcing a Java security policy in a multi virtual machine system

US 20060259947A1
Filed: 05/11/2005
Published: 11/16/2006
Est. Priority Date: 05/11/2005
Status: Abandoned Application

First Claim

Patent Images

1. A method of enforcing a security policy in a multiple virtual machine system comprising:

transmitting a request to a target virtual machine to access a receiving program residing on the target virtual machine;

receiving a request from the target virtual machine to examine a call stack residing on an originating virtual machine to determine whether a requesting program is permitted to access the receiving program; and

indicating to the target virtual machine if the requesting program is not permitted to access the receiving program.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for enforcing a security policy in a distributed system. A request is transmitted to a receiving program on a first virtual machine to permit a requesting program on a second virtual machine to access the receiving program. A first call stack is accessed in the target virtual machine to determine whether the requesting program is permitted to access the receiving program. A second call stack, in the originating virtual machine, is accessed to determine whether the requesting program is permitted to access the receiving program. If the requesting program is permitted to access the receiving program, the receiving program is invoked. If the requesting program is not permitted to access the receiving program a signal indicating access is not allowed is transmitted.

42 Citations

View as Search Results

18 Claims

1. A method of enforcing a security policy in a multiple virtual machine system comprising:
- transmitting a request to a target virtual machine to access a receiving program residing on the target virtual machine;
  
  receiving a request from the target virtual machine to examine a call stack residing on an originating virtual machine to determine whether a requesting program is permitted to access the receiving program; and
  
  indicating to the target virtual machine if the requesting program is not permitted to access the receiving program.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein the indicating step comprises transmitting a signal indicating access is not allowed.
  - 3. The method of claim 1, wherein the transmitting step further comprises:
    - invoking connectivity between the originating virtual machine and the target virtual machine;
      
      attaching a tag ID to the request, whereby the tag ID identifies the call stack residing on the originating virtual machine; and
      
      routing the request from the requesting program to the receiving program via said connectivity.
  - 4. The method of claim 1, wherein the receiving step further comprises:
    - receiving a tag ID and information about a permission to be checked in the request from the target virtual machine;
      
      transmitting the request to a security program residing on the originating virtual machine; and
      
      examining the call stack residing on the originating virtual machine to determine whether the requesting program is permitted to access the receiving program.

5. A method of enforcing a security policy in a multiple virtual machine system comprising:
- receiving a request from a requesting program residing on an originating virtual machine to use a service of a receiving program residing on a target virtual machine;
  
  receiving a request from the receiving program to determine whether the requesting program is permitted to use the service of the receiving program;
  
  checking a call stack residing on the target virtual machine;
  
  determining whether the entire call stack is visible on the target virtual machine;
  
  if the entire call stack is not visible, transmitting a access control request to the originating virtual machine; and
  
  if the requesting program is not permitted to access the receiving program, sending an indication to the originating virtual machine.
- View Dependent Claims (6, 7)
- - 6. The method of claim 5, wherein the indication from the originating virtual machine is a signal indicating access is not allowed.
  - 7. The method of claim 5, wherein the receiving step further comprises:
    - invoking connectivity between the originating virtual machine and the target virtual machine;
      
      receiving a tag ID, identifying the call stack on the originating virtual machine; and
      
      transmitting the request to a security program residing on the target virtual machine.

8. A computer program product for enforcing a security policy in a multiple virtual machine system comprising:
- computer code for transmitting a request to a target virtual machine, to access a receiving program residing on the target virtual machine;
  
  computer code for receiving a request from the target virtual machine to examine a call stack residing on an originating virtual machine to determine whether a requesting program is permitted to access the receiving program; and
  
  computer code for, if the requesting program is not permitted to access the receiving program, transmitting a signal to the originating virtual machine.

9. A computer program product for enforcing a security policy in a multiple virtual machine system comprising:
- computer code for receiving a request from a requesting program residing on an originating virtual machine to use a service of a receiving program residing on a target virtual machine;
  
  computer code for accessing a call stack residing on the target virtual machine to determine whether the requesting program is permitted to access the receiving program;
  
  computer code for, if a portion of the call stack is not visible, transmitting an access control request to the originating virtual machine; and
  
  computer code for, if the requesting program is not permitted to access the receiving program, sending an indication to the originating virtual machine.
- View Dependent Claims (10)
- - 10. The computer program product of claim 9, wherein the indication to the originating virtual machine is a signal indicating access is not allowed.

11. An electronic device comprising:
- a processor for processing information; and
  
  a memory unit, including;
  
  computer code for transmitting a request to a target virtual machine, to access a receiving program residing on a target virtual machine;
  
  computer code for receiving a request from the target virtual machine to examine a call stack residing on an originating virtual machine to determine whether a requesting program is permitted to access the receiving program; and
  
  computer code for, indicating to the target virtual machine if the requesting program is not permitted to access the receiving program.

12. An electronic device comprising:
- a processor for processing information; and
  
  a memory unit, including;
  
  computer code for receiving a request from a requesting program residing on an originating virtual machine to use a service of a receiving program residing on a target virtual machine;
  
  computer code for accessing a call stack residing on the target virtual machine to determine whether the requesting program is permitted to access the receiving program;
  
  computer code for, if a portion of the call stack is not visible, transmitting an access control request to the originating virtual machine; and
  
  computer code for, indicating to the target virtual machine if the requesting program is permitted to access the receiving program.

13. A system for enforcing a security policy in a multiple virtual machine architecture comprising the steps of:
- transmitting a request to a receiving program residing on a target virtual machine to access the receiving program;
  
  examining a call stack residing on the target virtual machine to determine whether a requesting program is permitted to access the receiving program;
  
  examining the call stack residing on an originating virtual machine to determine whether the requesting program is permitted to access the receiving program; and
  
  if the requesting program is not permitted to access the receiving program, indicating access is not allowed.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system of claim 13, wherein the indicating step comprises transmitting a signal indicating access is not allowed.
  - 15. The system of claim 13, wherein the transmitting step further comprises:
    - invoking connectivity between the originating virtual machine and the target virtual machine;
      
      attaching a tag ID to the request, whereby the tag ID identifies the call stack residing on the originating virtual machine; and
      
      routing the request from the requesting program to the receiving program via said connectivity.
  - 16. The system of claim 15, wherein the connectivity is implemented with an interprocess communication connection.
  - 17. The system of claim 13, wherein the examining a call stack residing on the target virtual machine step further comprises:
    - transmitting a request to a security program to determine whether the requesting program is permitted to access the receiving program;
      
      checking the call stack residing on the target virtual machine;
      
      determining whether the entire call stack is visible on the target virtual machine; and
      
      if the entire call stack is not visible, transmitting a access control request to originating virtual machine.
  - 18. The method of claim 13, wherein the accessing the call stack residing on the originating virtual machine step further comprises:
    - receiving an access control request from the target virtual machine whereby the tag ID and information about a permission to be checked is also received;
      
      transmitting a request to a security program to determine whether the requesting program is permitted to access the receiving program; and
      
      examining the call stack residing on the originating virtual machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nokia Corporation
Original Assignee
Nokia Corporation
Inventors
Pentikainen, Pasi, Aarnos, Jyrki

Application Number

US11/126,651
Publication Number

US 20060259947A1
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/53 by executing in a restricte...

G06F 21/6209 to a single file or object,...

Method for enforcing a Java security policy in a multi virtual machine system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

42 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method for enforcing a Java security policy in a multi virtual machine system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

42 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links