Method for maintaining application compatibility within an application isolation policy

US 20070011723A1
Filed: 07/07/2005
Published: 01/11/2007
Est. Priority Date: 07/07/2005
Status: Abandoned Application

First Claim

Patent Images

1. A method for integrating a legacy application into a security zone runtime system, comprising:

defining an export policy corresponding to a first module within a first security zone, wherein the export policy declares an interface to the first module;

determining whether or not a second module belongs to the same or a higher security zone than the first security zone; and

denying, during a class loader operation, the second module access to the interface if the a second module does not belong to the same or a higher security zone that than the first module unless the export policy explicitly permits the access.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided is a method for providing Java modularity class loader protection by controlling the visibility of WebSphere, service provider, library and utility code interfaces. Interface access authorization is checked once, during class loading to effectively protect vulnerable programming interfaces, eliminating repeating permission checking during execution. Code in a WebSphere Application server (WAS) computing environment is categorized into a finite number of sets in which one permission zone is assigned to each set and the code in each set runs at the same privilege zone. Each set exposes programming interfaces to provide functional service and code in a particular set can only access code in the same or a lower security zone set. Also provided is a technique for explicitly providing to specific modules in lower security zones access to modules or designated interfaces of modules in higher security zones.

60 Citations

View as Search Results

20 Claims

1. A method for integrating a legacy application into a security zone runtime system, comprising:
- defining an export policy corresponding to a first module within a first security zone, wherein the export policy declares an interface to the first module;
  
  determining whether or not a second module belongs to the same or a higher security zone than the first security zone; and
  
  denying, during a class loader operation, the second module access to the interface if the a second module does not belong to the same or a higher security zone that than the first module unless the export policy explicitly permits the access.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the export policy explicitly permits the second module to access the interface because of a named export policy associated with the first module.
  - 3. The method of claim 1, further comprising:
    - analyzing, during an installation time, interface dependency among modules; and
      
      modifying the export policy by including a named export policy in the event that the interface dependency analysis detects an unresolved dependency.
  - 4. The method of claim 3, wherein the analyzing is executed by a Java byte code analysis.
  - 5. The method of claim 1, wherein the second module is not associated with a security zone.
  - 6. The method of claim 1, wherein the interface is a component level interface (CPI).
  - 7. The method of claim 1, wherein the method is executed on a Java Virtual Machine (JVM).

8. A system for integrating a legacy application into a security zone runtime system, comprising:
- a plurality of security zones;
  
  a first module within a first security zone of the plurality of security zones;
  
  an export policy, wherein the export policy declares an interface to the first module;
  
  a second module;
  
  logic for determining whether or not the second module belongs to the same or a higher security zone than the first security zone; and
  
  logic for denying, during a class loader operation, the second module access to the interface if the a second module does not belong to the same or a higher security class that than the first module unless the export policy explicitly permits the access.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, the export policy comprising a named export policy that explicitly permits the second module to access the interface associated with the first module.
  - 10. The system of claim 8, further comprising:
    - logic for analyzing, during an installation time, interface dependency among modules; and
      
      logic for modifying the export policy by the addition of a named export policy in the event that the logic for interface dependency analysis detects an unresolved dependency.
  - 11. The system of claim 10, wherein the analyzing is executed by a Java byte code analysis.
  - 12. The system of claim 8, wherein the second module is not associated with a security zone.
  - 13. The system of claim 8, wherein the interface is a component level interface (CPI).
  - 14. The system of claim 8, wherein the method is executed on a Java Virtual Machine (JVM).

15. A computer programming product for integrating a legacy application into a security zone runtime system, comprising:
- a memory;
  
  logic, stored on the memory, for defining an export policy corresponding to a first module within a first security zone, wherein the export policy declares an interface to the first module;
  
  logic, stored on the memory, for determining whether or not a second module belongs to the same or a higher security zone than the first security zone; and
  
  logic, stored on the memory, for denying, during a class loader operation, the second module access to the interface if the a second module does not belong to the same or a higher security zone that than the first module unless the export policy explicitly permits the access.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer programming product of claim 15, wherein the export policy explicitly permits the second module to access the interface because of a named export policy associated with the first module.
  - 17. The computer programming product of claim 15, further comprising:
    - logic, stored on the memory, for analyzing, during an installation time, interface dependency among modules; and
      
      logic, stored on the memory, for modifying the export policy by including a named export policy in the event that the interface dependency analysis detects an unresolved dependency.
  - 18. The computer programming product of claim 17, wherein the analyzing is executed by a Java byte code analysis.
  - 19. The computer programming product of claim 15, wherein the second module is not associated with a security zone.
  - 20. The computer programming product of claim 15, wherein the interface is a component level interface (CPI).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Chao, Ching-Yun

Application Number

US11/176,843
Publication Number

US 20070011723A1
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 9/445   Program loading or initiati...

Method for maintaining application compatibility within an application isolation policy

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

60 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method for maintaining application compatibility within an application isolation policy

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

60 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links