RESTRICTION OF PROGRAM PROCESS CAPABILITIES

US 20080127292A1
Filed: 08/04/2006
Published: 05/29/2008
Est. Priority Date: 08/04/2006
Status: Active Grant

First Claim

Patent Images

1. A method of operating a computing device having an operating system defining kernel space and user space, comprising the acts of:

causing a program to be operated by the computing device, the program having a plurality of intended functionalities, the program further having a set of policies associated therewith;

monitoring calls attempted by the program, the monitoring performed by monitoring operations in the kernel initiated in response to the calls, the monitoring comprising intercepting a kernel operation at a point at which one or more arguments associated with the call have been resolved in the kernel for the kernel operation;

determining whether at least one intercepted kernel operation initiated in response to the program is consistent with the policies associated with the program; and

after determining that an intercepted kernel operation initiated in response to the program is consistent with the policies associated with the program, allowing execution of the intercepted kernel operation.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This document describes systems and methods for restricting program process capabilities. In some implementations, the capabilities are restricted by limiting the rights or privileges granted to an application. A plurality of rules may be established for a program, or for a group of programs, denying that program the right to take actions which are outside of the actions needed to implement its intended functionality. A security policy is implemented to test actions initiated in response to an application against the rules to enable decisions restricting the possible actions of the program. Embodiments are disclosed which process the majority of decisions regarding actions against a security profile through use of a virtual machine. In some embodiments, the majority of decisions are resolved within the kernel space of an operating system.

Citations

32 Claims

1. A method of operating a computing device having an operating system defining kernel space and user space, comprising the acts of:
- causing a program to be operated by the computing device, the program having a plurality of intended functionalities, the program further having a set of policies associated therewith;
  
  monitoring calls attempted by the program, the monitoring performed by monitoring operations in the kernel initiated in response to the calls, the monitoring comprising intercepting a kernel operation at a point at which one or more arguments associated with the call have been resolved in the kernel for the kernel operation;
  
  determining whether at least one intercepted kernel operation initiated in response to the program is consistent with the policies associated with the program; and
  
  after determining that an intercepted kernel operation initiated in response to the program is consistent with the policies associated with the program, allowing execution of the intercepted kernel operation.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the act of determining whether a operation initiated in response to a program call is consistent with the policies associated with the program comprises correlating the intercepted kernel operation with the policies and determining if the attempted action is allowed by the policies.
  - 3. The method of claim 2, wherein the act of monitoring is performed at least partially at the kernel level of the operating system.
  - 4. The method of claim 3, wherein the program policies are loaded into memory in the kernel space of an operating system of the computing device.
  - 5. The method of claim 1, wherein the program is an applications program.

6. A computing device, comprising:
- an operating system, the operating system defining a kernel space and a user space;
  
  at least one application implementable by the computing device;
  
  a set of operational permissions accessible to the computing device and operatively associated with the application, the operational permissions comprising permissions representative of operations in the kernel space of the operating system that are permitted, so as to enable functions the application is allowed to perform;
  
  a monitoring system adapted to monitor operations in the kernel space initiated in response to at least some system calls initiated by the application by intercepting the kernel operations before execution, wherein at least some kernel operations have resolved arguments associated with the operations; and
  
  a determination system configured to determine if the initiated kernel operations should be permitted, the determination system adapted to make such determinations at least partially in response to the operational permissions for the application.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The computing device of claim 6, wherein the monitoring system and the determination system are implemented by the operating system of the computing device.
  - 8. The computing device of claim 6, wherein the determination system operates at least in part in the kernel space of the operating system.
  - 9. The computing device of claim 6, wherein the determination system comprises a virtual machine operating in the kernel space of the operating system.
  - 10. The computing device of claim 6, wherein the determination system comprises:
    - a virtual machine operating in the kernel space of the operating system, the virtual machine configured to test at least a portion of the intercepted kernel operations against the operation permissions; and
      
      a decision module operating at least in part in the user space and configured to receive decision instructions referred from the virtual machine, and to resolve the referred decision instructions.
  - 11. The computing device of claim 10, wherein the operational permissions for the application comprise instructions for the virtual machine to refer selected decisions to the decision module.

12. A machine readable medium containing instructions, which when implemented by a machine, cause operations to be performed which comprise the following:
- monitoring at least some actions attempted by an application running on the machine by intercepting kernel operations initiated in response to actions initiated by the application;
  
  functionally correlating at least one of the kernel operations initiated in response to the application to at least one of a plurality of predetermined policies for the application, the plurality of policies containing at least a first policy indicative of an operation which is necessary for the application to provide a predetermined functionality;
  
  gating at least one monitored action of the application at least partially in response to the functional correlation of the kernel operation with the first policy.
- View Dependent Claims (13)
- - 13. The machine readable medium of claim 12, wherein the operation of functionally correlating at least one of the kernel operations initiated in response to the application to at least one of a plurality of predetermined policies for the application, comprises the operation of:
    - implementing a virtual machine to execute compiled code representing the predetermined policies.

14. A machine readable medium containing instructions, which when implemented by a machine, cause operations to be performed which comprise:
- a first plurality of predetermined operations of an application which when executed provide a set of predetermined functionalities of the machine to a user; and
  
  wherein the machine readable instructions further comprise a plurality of arguments collectively defining a security policy, the arguments representative of kernel operations which are intended operations of the machine to facilitate performance of the first plurality of operations when executed, and wherein the arguments when implemented by the machine restrict operations which may be executed by the application.

15. A method of implementing security containment for at least one selected application operated on a computing device, the computing device having an operating system having a kernel space and having user space, comprising the acts of:
- accessing a plurality of policies, the policies indicative of processes for determining whether the application may complete selected system calls, by determining the permissibility of selected operations in the kernel initiated in response to the system calls;
  
  identifying a system call initiated by the application, and trapping kernel operations initiated in response to the system call;
  
  comparing the initiated kernel operations with the policies, without executing the kernel operations; and
  
  in the operation that the initiated kernel operation is addressed by the policies, allowing or denying the execution of the kernel operation in accordance with the policies.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The method of claim 15,wherein the act of comparing initiated kernel operations with the policies comprises:
    - testing a first group of initiated kernel operations against the policies within the kernel space; and
      
      testing a second group of initiated kernel operations against the policies by an extension module operating in user space, wherein the second group of initiated kernel operations comprise operations requiring user input to resolve.
  - 17. The method of claim 16, wherein the policies identify initiated kernel operations which will be tested in the extension module.
  - 18. The method of claim 15, wherein the step of comparing is performed by the computing device operating system at the kernel level.
  - 19. The method of claim 15, wherein the application is a user-level application.

20. A method of security containment for an application operable on a processing device, comprising the acts of utilizing a virtual machine in the processing device to:
- reference a security profile specific to the application and accessible to the processing device, anddetermine if actions initiated by the application are to be permitted or denied, the determination made at least partially in reference to the security profile for the application.
- View Dependent Claims (21, 22)
- - 21. The security containment method of claim 20, wherein the virtual machine implements a deterministic finite automaton to determine if at least one action initiated by the application is to be permitted.
  - 22. The method of claim 20, further comprising the act of:
    - utilizing a monitoring system to monitor kernel-level operations initiated in response to selected system calls from the application being contained, the monitoring system intercepting the selected kernel-level operations before an action is taken to complete the operation.

23. A method of providing security containment of a program operating on a computing device having an operating system, comprising the act of establishing an application monitoring system which interfaces between the program being contained and any request for user approval of an action, where in the event of a request by the program for user approval of an action, a user interface for the action is opened by the monitoring system, and wherein the monitoring system operates in a memory space that is protected from access by any other contained program operating on the computing device.

24. A method of providing security for a computer having an operating system and operating at least one user application, the operating system having a kernel space and a user space, and having an system level application program interface layer between the kernel space and the user space, the method comprising the steps of:
- opening the user application on the computer;
  
  communicating a notification to a monitoring module in the user space of the operating system that the program was opened; and
  
  in response to the notification, placing a first profile for the program in the kernel layer of the operating system, the profile containing machine language operations for determining if certain operations initiated in the kernel in response to actions initiated by the application should be allowed or denied.using the profile to determine if the profile establishes a policy by which a first kernel operation should be permitted or denied;
  
  if the profile establishes a policy by which the first kernel operation should be permitted or denied, permitting or denying the operation in accordance with the policy.
- View Dependent Claims (25, 26)
- - 25. The method of claim 24, wherein the profile establishes that determination of a kernel operation should be referred to a decision process outside of the kernel to determine if the initiated kernel operation should be permitted or denied.
  - 26. The method of claim 25, wherein the decision process has the ability to ask the user for input affecting whether the initiated call should be permitted or denied.

27. A method of regulating actions of an applications program operated on a computing device, comprising the acts of:
- determining when the applications program is instantiated on the computing device; and
  
  in response to the determination, compiling a plurality of policies for the application into machine language and placing said compiled policies in secure memory space accessible to said computing device.
- View Dependent Claims (28)
- - 28. The method of claim 27, wherein the secure memory space accessible to the computing device is memory space within the kernel of an operating system installed on the device, and under which the applications program is instantiated.

29. A computing device, comprising:
- at least one application implementable by the computing device;
  
  a set of operational permissions accessible to the computing device and operatively associated with the application, the operational permissions comprising permissions representative of actions the application is permitted to perform;
  
  a monitoring system adapted to monitor at least some actions initiated by the application when it is implemented by the computer, the monitoring system located within kernel space of an operating system on the computing device, the monitoring system operating by intercepting kernel operations initiated in response to actions initiated by the application; and
  
  a determination system configured to determine if actions attempted by the application should be allowed, the determination system adapted to make such determinations in response to the operational permissions for the application.

30. A method of providing security for a computing device having an operating system and operating at least one user application, the operating system having a kernel level and a user level, and having an system level application program interface layer between the kernel level and the user level, the method comprising the steps of:
- opening the user application on the computer;
  
  recognizing in the user level of the operating system that the program was opened;
  
  in response to the recognition of the opening of the user application, placing a profile for operation of the program in the kernel level of the operating system, the profile containing machine language operations for determining if operations initiated in the kernel in response to a call by the application should be allowed or denied;
  
  intercepting at least selected kernel operations initiated in response to system calls at the system level application program interface layer initiated by the application, the monitoring performed at a level within the kernel and outside the system level application program interface layer;
  
  correlating at least a first set of the intercepted kernel operations to the profile to determine if the profile establishes a privilege by which each kernel operation should be permitted or denied, the correlating performed within the kernel level of the operating system; and
  
  permitting or denying a kernel operation in accordance with the correlation of the operation to the profile.
- View Dependent Claims (31, 32)
- - 31. The method of claim 30, wherein the profile contains instructions that at least one kernel operation is to be evaluated outside the kernel, and wherein such an operation and a privilege related to that operation are referred to a decision module in user space.
  - 32. The method of claim 31, wherein kernel operations requiring input from a user are referred out of the kernel for resolution.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Computer Incorporated (Apple Inc.)
Inventors
Lane-Smith, Nick, Cooper, Simon, Osborne, Joshua

Granted Patent

US 8,272,048 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/6281   at program execution time, ...

G06F 2221/033   Test or assess software

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

RESTRICTION OF PROGRAM PROCESS CAPABILITIES

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

RESTRICTION OF PROGRAM PROCESS CAPABILITIES

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links