SYSTEM AND METHOD FOR APPLICATION ATTESTATION

US 20120216244A1
Filed: 02/17/2012
Published: 08/23/2012
Est. Priority Date: 02/17/2011
Status: Active Grant

First Claim

Patent Images

1. A method of providing an attestation service for an application at runtime executing on a computing platform using an attestation server, comprising:

receiving, by the attestation server remote from the computing platform;

a runtime execution context indicating attributes of the application at runtime; and

a security context providing security information about the application;

generating, by the attestation server, a report indicating security risks associated with the application based on the received runtime execution context and the received security context, as an attestation result; and

sending, by the attestation server, the attestation result associated with the application.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An instrumented machine or platform having a target application thereon is disclosed. An attestation service may generate an application artifact having associated therewith a name and an application statement having at least one of a plurality of attribute value assertions describing the examined runtime local execution and introspection based derived security context. The application statements may represent the level of contextual trustworthiness, at near real time, of a running application on the instrumented target platform. A runtime process and network monitor may examine the local runtime execution context of the target application, and an identity provider may authenticate a user to the web application based on a web services query for attestation of the target application. A physical or logical authorization service may control access of an authenticated user to the target application, based on a dynamic application statement and multi-factor application attestation issued by the attestation service.

160 Citations

26 Claims

1. A method of providing an attestation service for an application at runtime executing on a computing platform using an attestation server, comprising:
- receiving, by the attestation server remote from the computing platform;
  
  a runtime execution context indicating attributes of the application at runtime; and
  
  a security context providing security information about the application;
  
  generating, by the attestation server, a report indicating security risks associated with the application based on the received runtime execution context and the received security context, as an attestation result; and
  
  sending, by the attestation server, the attestation result associated with the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, further comprising:
    - generating, by the attestation server, an application artifact as a reference for changes in a subsequent execution context; and
      
      sending the generated application artifact such that subsequent changes to the runtime execution context are tracked based on the generated application artifact.
  - 3. The method according to claim 2, further comprising digitally signing the attestation results and the application artifact.
  - 4. The method of claim 1, wherein the received security context is an introspective security context.
  - 5. The method of claim 1, wherein the generating of the report indicating security risks associated with the application includes generating, by the attestation server, one or more security assertions that pertain to the received runtime execution context and the received introspective security context.
  - 6. The method according to claim 1, further comprising authenticating the application using a plurality of collaboration services.
  - 7. The method according to claim 1, further comprising controlling a user'"'"'s transaction with the application by applying a set of authorization rules in accordance with the attestation results.
  - 8. The method according to claim 1, further comprising controlling a user'"'"'s network access to the application by applying a set of authorization rules in accordance with the attestation results.
  - 9. The method according to claim 1, further comprising providing confidence metrics in the attestation results indicating a level of security risk by different classifications such that a restriction on a user'"'"'s transaction with the application are applied based on the level of security risk indicated by the confidence metrics in the attestation results.
  - 10. The method according to claim 9, wherein the application of the restriction on the user'"'"'s transaction includes applying the restriction on the user'"'"'s network access to the application.
  - 11. The method according to claim 1, wherein the application of the restriction on the user'"'"'s transaction includes applying routing decisions and redirecting the user to an alternate computer platform.
  - 12. The method according to claim 1, further comprising controlling, by a network access enforcer, access of a user to the application based on the attestation result.

13. A non-transitory computer readable medium having instructions stored thereon that, if executed by a computing device, cause the computing device to perform operations for providing mutual attestation of applications in client-server or peer-to-peer transactions using an attestation server, the operations comprising:
- generating and sending, by the attestation server, a first application artifact;
  
  receiving and validating, by the attestation server from a server in the client server transaction or from a first peer in the peer-to-peer transaction, the first application artifact sent by the attestation server to a client in a client server transaction or to a second peer in the peer-to-peer transaction;
  
  generating and sending application statements to the client and the server or the first and second peers about interrelated applications used in the client-server or peer-to-peer transactions.
- View Dependent Claims (14, 15, 16)
- - 14. The computer readable medium of claim 13, the operations further comprising:
    - generating and sending, by the attestation server, a second application artifact;
      
      receiving and validating, by the attestation server from a client in the client server transaction or from a second peer in the peer-to-peer transaction, the second application artifact sent by the attestation server to a server in a client server transaction or to a first peer in the peer-to-peer transaction.
  - 15. The computer readable medium of claim 14, wherein:
    - the sending of the application statements to the client and the server or the first and second peers comprises the following operations;
      
      sending by the attestation server;
      
      the application statement regarding a client application of the interrelated applications to the server of the client-server transaction and the application statement regarding a server application of the interrelated applications to the client of the client-server transaction;
      
      orthe application statement regarding a first peer application of the interrelated applications to the second peer of the peer-to-peer transaction and the application statement regarding a second peer application of the interrelated applications to the first peer of the peer-to-peer transaction; and
      
      determining, based at least in part upon the sent application statements, whether to transact data exchanges with associated applications.
  - 16. The computer readable medium of claim 15, wherein:
    - the generating of the application statements includes;
      
      including in the application statements confidence metrics and contextual assertions; and
      
      the determining whether to transact data exchanges with the associated applications includes;
      
      comparing respective confidence metrics to a set of rules; and
      
      determining whether to transact data exchange based on the comparison.

17. A method for providing attestation of the authenticity of a running web application or web servlet using an attestation server, comprising:
- requesting an application artifact for a running web application or servlet instance;
  
  establishing a secure channel between the web server and the attestation server;
  
  generating at least one hash file digest corresponding to the execution context of the web application or servlet instance;
  
  determining at least one file attribute corresponding to at least one element or the execution context of the web application or web servlet instance;
  
  sending an application report to an identity provider;
  
  generating assertions based on a received security context and a received local execution context;
  
  transmitting confidence metrics in the report to the identity provider; and
  
  providing attestation of the running web application or web servlet as a digital icon for rendering by a web browser.
- View Dependent Claims (18, 19, 20)
- - 18. The method according to claim 17, wherein the attestation is provided prior to commencing any data exchange in an established connection with a user.
  - 19. The method according to claim 17, wherein the attestation is provided prior to establishing a network connection with a user.
  - 20. The method according to claim 19, further comprising rendering attestation information about the web application to be accessed responsive to user input.

21. A system for continuously monitoring running applications hosted on self-managed and on-premise, or on outsourced service provider managed infrastructure comprising:
- an instrumented target platform for hosting a target user or service program;
  
  an application attestation service for;
  
  generating a globally unique, opaque, and time-sensitive application artifact and application statements including a plurality of assertions pertaining to inspection based runtime local execution context and introspection based security context; and
  
  remediating the instrumented target platform, wherein the remediating includes one or more of;
  
  a reimage, a snapshot, or a quarantine of the instrumented target platform;
  
  a runtime monitor for discovering, identifying and inspecting running application processes on the instrumented target platform and for generating metadata that includes at least the runtime local execution context;
  
  a collaboration service configured to;
  
  provide introspected security context for a target application running on the instrumented target platform; and
  
  analyze executable file binaries for the target application running on the instrumented target platform; and
  
  a graphical user interface configured to;
  
  request and receive dynamic assertions from a metadata repository of the attestation service, the dynamic assertions pertaining to the local execution context the introspected security context of running application instances on instrumented target platforms;
  
  continuously display the dynamic assertions to a system administrator; and
  
  provision and dispatch alerts based on the dynamic assertions and predefined criteria.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. The system according to claim 21, wherein a network access enforcer subscribes for and receives dynamic application statements from an attestation service to analyze the contextual assertions and determine whether an authenticated user is permitted or denied network access to an attested application instance.
  - 23. The system according to claim 21, wherein the graphical user interface displays the applications running on instrumented target platform on a client specific dashboard or portal, and presents for each associated application execution context at least one of:
    - a service hostname;
      
      a service realm;
      
      a service principal name;
      
      a product version;
      
      a product vendor;
      
      one or more classifications based confidence metrics;
      
      an active network service port;
      
      orexecutable file binaries.
  - 24. The system according to claim 21, further comprising an identity provider that queries for dynamic application statements from the attestation server to analyze the contextual assertions and to determine whether an authenticated user is permitted or denied authorization to transact data exchanges with an attested application instance in an established connection.
  - 25. The system according to claim 21, further comprising a network access enforcer that analyzes classifications based confidence metrics included in received dynamic application statements, based on a subscription, from an attestation service to determine whether an authenticated user is permitted or denied network access to an attested application instance.
  - 26. The system according to claim 21, wherein an identity provider analyzes classifications based confidence metrics included in received dynamic application statements, based on a subscription, from an attestation service to determine whether an authenticated user is permitted or denied authorization to transact data exchanges with an attested application instance in an established connection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Taasera Licensing LLC (Quest Patent Research Corporation)
Original Assignee
Taasera, Inc. (Full Circle Investments, Inc.)
Inventors
Shashikumar, Gurudatt, KUMAR, Srinivas

Granted Patent

US 8,327,441 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/31   User authentication

G06F 21/57   Certifying or maintaining t...

G06F 2221/033   Test or assess software

SYSTEM AND METHOD FOR APPLICATION ATTESTATION

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

160 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR APPLICATION ATTESTATION

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

160 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links