METHOD AND SYSTEM FOR RUN-TIME DYNAMIC AND INTERACTIVE IDENTIFICATION OF SOFTWARE AUTHORIZATION REQUIREMENTS AND PRIVILEGED CODE LOCATIONS, AND FOR VALIDATION OF OTHER SOFTWARE PROGRAM ANALYSIS RESULTS

US 20090007223A1
Filed: 05/27/2008
Published: 01/01/2009
Est. Priority Date: 05/03/2006
Status: Active Grant

First Claim

Patent Images

1. A method for detecting and verifying security authorization and privileged-code requirements in a run-time execution environment in which a software program is executing, said method comprising:

implementing reflection objects for identifying program points in said executing program where authorization failures have occurred in response to the program'"'"'s attempted access of resources requiring authorizations as enforced by a particular security subsystem;

displaying instances of identified program points via a user interface, said identified instances being user selectable;

for a selected program point, determining authorization and privileged-code requirements for said access restricted resources associated with said selected program point in real-time; and

,enabling a user to select, via said user interface, whether a required authorization should be granted, wherein local system, fine-grained access of resources requiring authorization is provided.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method and computer program product for identifying security authorizations and privileged-code requirements; for validating analyses performed using static analyses; for automatically evaluating existing security policies; for detecting problems in code; in a run-time execution environment in which a software program is executing. The method comprises: implementing reflection objects for identifying program points in the executing program where authorization failures have occurred in response to the program'"'"'s attempted access of resources requiring authorization; displaying instances of identified program points via a user interface, the identified instances being user selectable; for a selected program point, determining authorization and privileged-code requirements for the access restricted resources in real-time; and, enabling a user to select, via the user interface, whether a required authorization should be granted, wherein local system, fine-grained access of resources requiring authorizations is provided.

81 Citations

View as Search Results

43 Claims

1. A method for detecting and verifying security authorization and privileged-code requirements in a run-time execution environment in which a software program is executing, said method comprising:
- implementing reflection objects for identifying program points in said executing program where authorization failures have occurred in response to the program'"'"'s attempted access of resources requiring authorizations as enforced by a particular security subsystem;
  
  displaying instances of identified program points via a user interface, said identified instances being user selectable;
  
  for a selected program point, determining authorization and privileged-code requirements for said access restricted resources associated with said selected program point in real-time; and
  
  ,enabling a user to select, via said user interface, whether a required authorization should be granted, wherein local system, fine-grained access of resources requiring authorization is provided.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method as claimed in claim 1, wherein an authorization includes one or more of the following:
    - a permission, a role.
  - 3. The method as claimed in claim 1, wherein said local-system, fine-grained access is provided independent of a particular security subsystem implemented.
  - 4. The method as claimed in claim 1, wherein a program point includes one or more of:
    - a program component, a class, a method, a file line number.
  - 5. The method as claimed in claim 1, wherein a reflection object enables instantiation of selected objects of the program.
  - 6. The method as claimed in claim 1, wherein said implementing reflection objects further comprises:
    - determining all methods capable of being invoked for objects and classes of the program; and
      
      ,listing all said methods via said user interface.
  - 7. The method as claimed in claim 6, wherein said methods are listed as a hierarchical stack of method invocations.
  - 8. The method as claimed in claim 5, further comprising:
    - enabling a user, via said interface, to select a displayed method and invoking said method in real-time.
  - 9. The method as claimed in claim 8, wherein, in response to invoking said method, generating a security exception if a required authorization has not been expressly granted, said method further comprising:
    - reporting existence of said security exception via said user interface, and,enabling user selection of the security exception via said user interface; and
      
      ,generating information for display concerning said required authorization via said user interface.
  - 10. The method as claimed in claim 9, wherein said generating information concerning a required authorization comprises:
    - invoking a security function that performs a stack trace for determining all callers on a stack tracking program execution; and
      
      ,determining which stack frames do not have the required authorization; and
      
      ,generating information about the code that has not been granted the authorization.
  - 11. The method as claimed in claim 10, wherein said information generated about the code includes one or more of:
    - a component name, a class name, a method name, a line number, a code origin, and those authorizations that have already been granted to the program'"'"'s code.
  - 12. The method as claimed in claim 11, wherein for each authorization that should be granted, enabling a user to grant the necessary authorization via said user interface.
  - 13. The method as claimed in claim 12, further comprising:
    - automatically updating a policy file or database including declarative grants of software program authorizations with the granted authorization.
  - 14. The method as claimed in claim 8, wherein said method in executed in a separate thread, isolated from said execution environment.
  - 15. The method as claimed in claim 1, wherein said program is one selected from the group comprising:
    - a Java application, a component-based program;
      
      a C++ application, a C# application, a Web service application program, a Service Oriented Application (SOA) application, a C application, a Microsoft .NET Common Language Runtime (CLR) application, an application developed using a scripting language.
  - 16. A program storage device tangibly embodying software instructions which are adapted to be executed by a computing device to perform a method of verifying security authorizations in a run-time execution environment in which a software program is executing according to claim 1.

17. A run-time authorization requirement discovery tool for a computing device executing software programs requiring security authorizations comprising:
- means providing an execution environment enabling automatic discovery of security-sensitive and access-restricted actions attempted by an executing program, said means enabling execution of reflection objects for identifying program points in said executing program where authorization failures have occurred in response to the program'"'"'s attempt to access resources requiring permissions as enforced by a particular security subsystem;
  
  means for displaying instances of identified program points via a user interface;
  
  means enabling user selection of a displayed program point via said interface; and
  
  ,means for determining said authorizations for said access-restricted resources associated with said selected program point in real-time, said user being enabled to select, via said user interface, whether a required authorization should be granted, wherein local system, fine-grained access of resources requiring permissions is provided.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 18. The authorization requirement discovery tool as claimed in claim 17, wherein said local-system, fine-grained access is provided independent of a particular security subsystem implemented.
  - 19. The authorization requirement discovery tool as claimed in claim 18, wherein a program point includes one or more of:
    - a program component, a file, a class, a method, a file line number.
  - 20. The authorization requirement discovery tool as claimed in claim 17, wherein one or more reflection objects enables instantiation of selected objects of the program.
  - 21. The authorization requirement discovery tool as claimed in claim 17, wherein one or more reflection objects enables determination of all methods capable of being invoked for objects and classes of the program, said means for displaying further listing all said methods via said user interface.
  - 22. The authorization requirement discovery tool as claimed in claim 21, wherein said methods are listed as a hierarchical stack of method invocations.
  - 23. The authorization requirement discovery tool as claimed in claim 19, further comprising:
    - enabling a user, via said interface, to select a displayed method and invoking said method in real-time.
  - 24. The authorization requirement discovery tool as claimed in claim 23, wherein, in response to invoking said method, said execution environment generating a security exception if a required authorization has not been expressly granted, said tool further comprising:
    - means for reporting existence of said security exception via said user interface;
      
      means enabling user selection of the security exception via said user interface; and
      
      ,means for generating information for display concerning said required authorization via said user interface.
  - 25. The authorization requirement discovery tool as claimed in claim 24, wherein said means for generating information concerning a required authorization comprises:
    - means for invoking a security function that performs a stack trace for determining all callers on a stack tracking program execution; and
      
      ,means for determining which stack frames do not have the required authorization; and
      
      ,means for generating information about the code that has not been granted the authorization.
  - 26. The authorization requirement discovery tool as claimed in claim 25, wherein said information generated about the code includes one or more of a component name, a file name, a class name, a method name, a line number, a code origin, and those authorizations that have already been granted to the program'"'"'s code.
  - 27. The authorization requirement discovery tool as claimed in claim 26, wherein for each authorization that should be granted, enabling a user to grant the necessary authorization via said user interface.
  - 28. The authorization requirement discovery tool as claimed in claim 26, further comprising:
    - means for automatically updating a policy file or database including declarative grants of software program authorizations with the granted authorization.
  - 29. The authorization requirement discovery tool as claimed in claim 23, wherein said method in executed in a separate thread, isolated from said execution environment.
  - 30. The authorization requirement discovery tool as claimed in claim 17, wherein said executing program is one selected from the group comprising:
    - a Java application, a component-based program;
      
      a C++ application, a C application, a Microsoft .NET Common Language Runtime (CLR) application, a C# program, a Service Oriented Architecture (SOA) application, a Web service application program, an application written in a scripting language.

31. A system for providing real-time software authorization access to restricted resources by a computer program, said system comprising:
- means for enabling program execution in a restricted execution environment;
  
  means for determining one or more program points of said executing program where a required authorization is missing;
  
  means for selecting a program point requiring a missing authorization;
  
  means enabling a user to inspect, via a display device, a stack trace generated in response to said selected program point, said stack trace provided via said display means to indicate those required authorizations; and
  
  ,means enabling a user to grant, via said display means, one or more said required authorizations, wherein said granting of authorizations is performed without terminating execution of the program.
- View Dependent Claims (32, 33, 34)
- - 32. The system as claimed in claim 31, wherein a program point includes one or more of:
    - a program component, a file, a class, a method, a file line number.
  - 33. The system as claimed in claim 31, further comprising:
    - means for generating for display information about said code having the missing authorization, said information comprising;
      
      a URL from which the code is originated, the certificates of entities that signed that code, authentication information of the user or service executing the program, and the authorizations already granted to the program, user, and service.
  - 34. The system as claimed in claim 31, further comprising:
    - means for automatically updating a security policy in response to a user granting a particular authorization without the need for restarting execution of the program.

35. A method for providing real-time software authorization access to restricted resources by a computer program, said method comprising:
- enabling program execution in a restricted execution environment;
  
  determining one or more program points of said executing program where a required authorization is missing;
  
  selecting a program point requiring a missing authorization;
  
  enabling a user to inspect, via a display device, a stack trace generated in response to said selected program point, said stack trace provided via said display means to indicate those required authorizations; and
  
  ,enabling a user to grant, via said display means, one or more said required authorizations, wherein said granting of authorizations is performed without terminating execution of the program.
- View Dependent Claims (36)
- - 36. The method as claimed in claim 35, further comprising:
    - automatically updating a security policy in response to a user granting a particular authorization without the need for restarting execution of the program.

37. A method for detecting problems in an executing software program comprising:
- enabling program execution in a restricted execution environment, which prevents the underlying system from becoming corrupted if the program being executed is malicious or performs incorrectly;
  
  determining one or more program points of said executing program wherein an exception is raised indicating a potential problem in said executing software;
  
  selecting a program point;
  
  initiating the execution of a selected program point without causing the system to stop its own execution if all exception is raised indicating a problem with the software;
  
  enabling a user to inspect, via a display device, a stack trace generated in response to said selected program point, said stack trace provided via said display means to indicate said raised exception for said potential problem in said executing software; and
  
  means enabling a user to detect, via said display means, the optimal locations where code may be inserted to correct the indicated problem.
- View Dependent Claims (38, 39, 40)
- - 38. The method of claim 37, wherein a program point location includes one or more of:
    - a component name, a class name, a method name, a file name, and a line number.
  - 39. The method of claim 38, wherein an indicated program point is provided as a result of a static analysis performed by a static analysis tool for detecting problems in said program, said method verifying an analysis performed on said software program by said static analysis tool.
  - 40. The method of claim 38, wherein an indicated program point is provided as a result of a static analysis performed by a user inspecting said software for detecting a problem in said program, said method verifying said user'"'"'s program inspection analysis results.

41. A method for verifying analysis results of software programs, said analysis results being obtained as a result of a previously performed software analysis technique, said method comprising:
- enabling program execution in a restricted execution environment, which prevents the underlying system from becoming corrupted if the program being analyzed is malicious or performs incorrectly;
  
  determining from said previously obtained analysis results, one or more program points of said executing program indicating a potential problem in said software program;
  
  selecting a program point;
  
  initiating the execution of a selected program point without causing the system to stop its own execution if an exception is raised indicating said potential problem with the software;
  
  enabling a user to inspect, via a display device, a stack trace generated in response to said selected program point, said stack trace provided via said display means to indicate said problem in said executing software; and
  
  enabling a user to verify, via said display means, whether the potential problem was correctly indicated by said previously performed software analysis technique.
- View Dependent Claims (42, 43)
- - 42. The method of claim 41, wherein said previously performed software analysis technique comprises a static analysis performed by a static analysis tool for detecting problems in said program.
  - 43. The method of claim 41, wherein said previously performed software analysis technique comprises an analysis performed by a user inspecting said software for detecting a problem in said program.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Centonze, Paolina, Gomes, Jose, Pistoia, Marco

Granted Patent

US 9,449,190 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/6227   where protection concerns t...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

METHOD AND SYSTEM FOR RUN-TIME DYNAMIC AND INTERACTIVE IDENTIFICATION OF SOFTWARE AUTHORIZATION REQUIREMENTS AND PRIVILEGED CODE LOCATIONS, AND FOR VALIDATION OF OTHER SOFTWARE PROGRAM ANALYSIS RESULTS

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

81 Citations

43 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND SYSTEM FOR RUN-TIME DYNAMIC AND INTERACTIVE IDENTIFICATION OF SOFTWARE AUTHORIZATION REQUIREMENTS AND PRIVILEGED CODE LOCATIONS, AND FOR VALIDATION OF OTHER SOFTWARE PROGRAM ANALYSIS RESULTS

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

81 Citations

43 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links