CONSISTENT SECURITY ENFORCEMENT FOR SAFER COMPUTING SYSTEMS

US 20100162240A1
Filed: 12/23/2008
Published: 06/24/2010
Est. Priority Date: 12/23/2008
Status: Abandoned Application

First Claim

Patent Images

1. A computer-implemented method of generating one or more consistent security criteria for enforcing security in a consistent manner with respect to:

(a) execution of first executable computer code effectively supported by an Operating System of a computing system and (b) execution of second computer code effectively supported by a Virtual Computing Environment that can interface with said Operating System, wherein said method comprises;

obtaining input security criterion for enforcement of security in a consistent manner with respect to execution of;

(a) said first executable computer code effectively supported by said Operating System, and (b) said second computer code effectively supported by said Virtual Computing Environment;

generating, based on said input security criterion, at least one consistent security criterion in a computer readable and storable form, thereby allowing said consistent security criterion to be stored in a computer readable storage medium as a consistent security criterion for enforcement of security in a consistent manner with respect to execution effectively supported by said Operating System and said Virtual Computing Environment; and

storing said at least one consistent security criterion in said computer readable storage medium as stored consistent security criterion, thereby allowing said stored consistent security criterion to be effectively provided to said computing system for enforcement of said input security criterion in said consistent manner.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Security can be enforced in a consistent manner with respect to various computing environments that may be operable in a computing system. Consistent security criteria can be generated, based on input security criterion, in a computer readable and storable form and stored in a computer readable storage medium, thereby allowing the consistent security criterion to be effectively provided to a computing system for enforcement of the input security criterion in a consistent manner with respect to, for example, (a) a first executable computer code effectively supported by an Operating System (OS), and (b) a second computer code effectively supported by the Virtual Computing Environment (VCE). A Trusted Component (TC) can effectively provide a consistent security criterion as a part and/or form that is suitable for a particular computing environment. The TC can, for example, be an automated tool that performs various functions including: verifying the consistency of security criteria, generation and deployment of consistent security criteria, and transformation of security criteria to parts and/or forms suitable for various computing environments. In addition, a Virtual Computing Environment (VCE) can obtain from the Operating System (OS) one or more security criteria. The Virtual Computing Environment (VCE) can be operable in a Trusted Computing Environment (TCE) and interface with a Trusted Operating System (TOS) that effectively enforces Mandatory Access Control (MAC), thereby allowing the Virtual Computing Environment (VCE) to leverage the security provided by the OS. The OS can, for example, be a Security-Enhanced Linux (SELinux) Operating System operating as a Trusted Component in a Trusted Environment that includes a Trusted Security Agent (TSA) operable to deploy consistent security criteria.

Citations

29 Claims

1. A computer-implemented method of generating one or more consistent security criteria for enforcing security in a consistent manner with respect to:
- (a) execution of first executable computer code effectively supported by an Operating System of a computing system and (b) execution of second computer code effectively supported by a Virtual Computing Environment that can interface with said Operating System, wherein said method comprises;
  
  obtaining input security criterion for enforcement of security in a consistent manner with respect to execution of;
  
  (a) said first executable computer code effectively supported by said Operating System, and (b) said second computer code effectively supported by said Virtual Computing Environment;
  
  generating, based on said input security criterion, at least one consistent security criterion in a computer readable and storable form, thereby allowing said consistent security criterion to be stored in a computer readable storage medium as a consistent security criterion for enforcement of security in a consistent manner with respect to execution effectively supported by said Operating System and said Virtual Computing Environment; and
  
  storing said at least one consistent security criterion in said computer readable storage medium as stored consistent security criterion, thereby allowing said stored consistent security criterion to be effectively provided to said computing system for enforcement of said input security criterion in said consistent manner.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 21, 22)
- - 2. The computer-implemented method of claim 1,verifying said input security criterion for consistency with one or more other input consistent security criterion and/or one or more other stored consistent security criteria;
    - andgenerating said at least one consistent security criterion in said computer readable and storable form when said verifying successfully verifies said consistency.
  - 3. The computer-implemented method of claim 2, wherein said generating generates said at least one consistent security criterion in said computer readable and storable form only when said verifying successfully verifies said consistency.
  - 4. The computer-implemented method of claim 2, wherein said method further comprises:
    - effectively providing said stored consistent security criterion to said Virtual Computing Environment and/or Operating System.
  - 5. The computer-implemented method of claim 4, wherein said effectively providing of said stored consistent security criterion to said Virtual Computing Environment and/or Operating System comprises:
    - effectively providing by a safe computing component said stored consistent security criterion to said Virtual Computing Environment and/or Operating System.
  - 6. The computer-implemented method of claim 4, wherein said safe deployment computing component includes a trusted deployment computing component.
  - 7. The computer-implemented method of claim 2, wherein said verifying of said input security criterion and/or said generating of said at least one consistent security criterion comprise of one or more of the following:
    - verifying, by a safe criterion-verification component, said for consistency with one or more other input consistent security criterion and/or one or more other stored consistent security criterion; and
      
      generating, by a safe criterion-generation component, said at least one consistent security criterion in said computer readable and storable form when said verifying by a said safe criterion-verification component successfully verifies said consistency.
  - 8. The computer-implemented method of claim 7, wherein said safe criterion-verification component and said safe criterion-verification component are trusted components effectively provided by a trusted tool operable to verify said input security criterion and to generate said consistent security criterion.
  - 9. The computer-implemented method of claim 8, wherein said trusted tool is further operable to store said consistent security criterion on said Operating System and/or virtual computing environment.
  - 10. The computer-implemented method of claim 8, wherein said method further comprises:
    - receiving said input security criterion as input defined and/or provided by a person.
  - 11. The computer-implemented method of claim 1, wherein said Virtual Computing Environment includes a virtual machine.
  - 12. The computer-implemented method of claim 11,wherein said virtual machine is Java™
    - compliant Virtual Machine (JVM),wherein said second computer code pertains to a Java™
      
      Application, andwherein said first executable computer code pertains to a native application.
  - 13. The computer-implemented method of claim 12,wherein said Java™
    - compliant Virtual Machine (JVM) is a KVM, andwherein said second computer code pertains to a Java™
      
      compliant Applet.wherein said first executable computer code pertains to a native application.
  - 14. The computer-implemented method of claim 13,wherein said Java™
    - compliant Applet is provided by a first entity and said native application is provided by a second entity,wherein said method further comprises;
      
      obtaining first and second input security criterion respectively defined by said first and second entities for enforcing security of said Java™
      
      compliant and native application.
  - 15. The computer-implemented method claim 13, wherein said method further comprises:
    - determining whether to provide said at least one security criterion to said Operating System and/or said virtual computing environment;
      
      providing said at least one security criterion only to said Operating System when said determining determines to provide said at least one security criterion only to said Operating System;
      
      providing said at least one security criterion only to said virtual computing system when said determining determines to provide said at least one security criterion only to said virtual computing system; and
      
      providing said at least one security criterion in a same form to Operating System and said Virtual Computing Environment when said determining determines to provide said at least one security criterion to said Operating System and said virtual computing environment.
  - 16. The computer-implemented method claim 1, wherein said generating, based on said input security criterion, at least one consistent security criteria comprises:
    - generating said at least one security criterion in a form including first and second parts respectively for said Operating System and said virtual computing environment.
  - 17. The computer-implemented method of claim 16,wherein said first part of said least one security criterion includes operating-system security labels for said Operating System, andwherein said second part of said least one security includes one or more of the following:
    - virtual-computing security labels for said computing environment, anda security-label mapping that effectively allows mapping of said virtual-computing security labels to said operating-system security labels.
  - 18. The computer-implemented method of claim 1,wherein said computing system is and/or includes one or more of the following:
    - a mobile and/or portable device, a Smartphone, a cell phone.
  - 19. The computer-implemented method of claim 18,wherein said computing system is further operable to support third computer executable code effectively provided by a third entity;
    - andwherein said Operating System is operable to enforce said at least one security criterion for execution of said third computer executable code.
  - 21. The computer-implemented method of claim 1, wherein said enforcing of said security comprises one or more of the following:
    - enforcing said first consistent security criterion with respect to execution of said first executable computer code and/or second computer code;
      
      determining, based on said first consistent security criterion, a security decision with respect to said first executable computer code and/or second computer code; and
      
      determining, based on said first consistent security criterion, whether to allow said first executable computer code and/or second computer code to access an accessible resource.
  - 22. The computer-implemented method of claim 21, wherein said computer-implemented method further comprises:
    - obtaining an input security criterion for enforcement of security in a consistent manner with respect to execution of;
      
      (a) said first executable computer code effectively supported by said Operating System, and (b) said second computer code effectively supported by said virtual computing environment; and
      
      generating, based on said input security criterion, said at least one consistent security criteria.

20. A computer-implemented method of securing a computing system that includes:
- (a) an Operating System operable to effectively support execution of at least a first executable computer code (b) a Virtual Computing Environment operable to support execution of at least a second computer code, wherein said computer-implemented method comprises;
  
  obtaining a first consistent security criterion for enforcement of a security criterion in a consistent manner with respect to said first executable computer code and second computer code; and
  
  enforcing security in said computing system in accordance with said first consistent security criterion, thereby enforcing security in a consistent manner with respect to said first executable computer code and second computer code.

23. A computing system, wherein said computing system includes:
- an Operating System operable to;
  
  support at least a first executable computer code;
  
  store a set of security criteria for securing said computing system; and
  
  enforce a set of security criteria; and
  
  a Virtual Computing Environment operable to;
  
  support execution of at least a second computer code;
  
  obtain from said Operating System at least one of a set of security criteria; and
  
  enforce said at least one security criterion with respect to said second computer code operable to execute in said Virtual Computing Environment.
- View Dependent Claims (24, 25, 26, 27)
- - 24. The computing system of claim 23, wherein said set of operating-system security criterion are a consistent set of consistent security criterion defined for enforcement of security in a consistent manner with respect to:
    - (a) said first executable computer code effectively supported by said Operating System and (b) said second computer code supported by said virtual computing environment.
  - 25. The computing system of claim 23, wherein said Virtual Computing Environment includes an operating-system aware component operable to:
    - interface with said Operating System by an operating-system security interfaceto obtain said at least one security criterion; and
      
      enforce said at least security criterion with respect to said second computer effectively supported by said Virtual Computing Environment as said operating-system security control component would enforce said operating-system security criterion with respect to said first executable computer code.
  - 26. The computing system of claim 25, wherein said operating-system security interface includes a Programming Interfaces and/or a Library.
  - 27. The computing system of claim 26,wherein said Operating System is a Security-Enhanced Linux (SELinux), andwherein said Programming Interface and/or Library include a SELinux library, thereby allowing said operating-system security interface to be effectively provided by using said SELinux library.

28. The computing system 27, wherein said computing environment is further operable to map one or more virtual-computing security labels to one or more operating-system security labels.

29. A computer readable storage medium storing in a tangible form at least executable computer code for a Virtual Computing Environment operable to support a Virtual Computing Environment for execution of computer code, wherein said computer readable storage medium includes:
- executable computer code operable to obtain from an Operating System at least one security criterion that can be effectively enforced by said Operating System with respect to first executable computer code supported by said Operating System; and
  
  executable computer code operable to enforce said security criterion with respect to a second computer code operable to execute in said virtual computing environment, thereby effectively enforcing a security criteria that can be enforced by said Operating System.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Samsung Electronics Co. Ltd.
Original Assignee
Samsung Electronics Co. Ltd.
Inventors
Aciicmez, Onur, Seifert, Jean-Pierre, Zhang, Xinwen

Application Number

US12/343,154
Publication Number

US 20100162240A1
Time in Patent Office

Days
Field of Search
US Class Current

718/1
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

CONSISTENT SECURITY ENFORCEMENT FOR SAFER COMPUTING SYSTEMS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

CONSISTENT SECURITY ENFORCEMENT FOR SAFER COMPUTING SYSTEMS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links