SYSTEM AND METHOD FOR APPLICATION ATTESTATION
Abstract
An instrumented machine or platform having a target application thereon is disclosed. An attestation service may generate an application artifact having associated therewith a name and an application statement having at least one of a plurality of attribute value assertions describing the examined runtime local execution and introspection based derived security context. The application statements may represent the level of contextual trustworthiness, at near real time, of a running application on the instrumented target platform. A runtime process and network monitor may examine the local runtime execution context of the target application, and an identity provider may authenticate a user to the web application based on a web services query for attestation of the target application. A physical or logical authorization service may control access of an authenticated user to the target application, based on a dynamic application statement and multi-factor application attestation issued by the attestation service.
26 Claims
1. A method of providing an attestation service for an application at runtime executing on a computing platform using an attestation server, comprising:
  receiving, by the attestation server remote from the computing platform:
    a runtime execution context indicating attributes of the application at runtime; and
    a security context providing security information about the application;
  generating, by the attestation server, a report indicating security risks associated with the application based on the received runtime execution context and the received security context, as an attestation result; and
  sending, by the attestation server, the attestation result associated with the application.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12

13. A non-transitory computer readable medium having instructions stored thereon that, if executed by a computing device, cause the computing device to perform operations for providing mutual attestation of applications in client-server or peer-to-peer transactions using an attestation server, the operations comprising:
  generating and sending, by the attestation server, a first application artifact;
  receiving and validating, by the attestation server from a server in the client server transaction or from a first peer in the peer-to-peer transaction, the first application artifact sent by the attestation server to a client in a client server transaction or to a second peer in the peer-to-peer transaction;
  generating and sending application statements to the client and the server or the first and second peers about interrelated applications used in the client-server or peer-to-peer transactions.
Dependent claims: 14, 15, 16

17. A method for providing attestation of the authenticity of a running web application or web servlet using an attestation server, comprising:
  requesting an application artifact for a running web application or servlet instance;
  establishing a secure channel between the web server and the attestation server;
  generating at least one hash file digest corresponding to the execution context of the web application or servlet instance;
  determining at least one file attribute corresponding to at least one element or the execution context of the web application or web servlet instance;
  sending an application report to an identity provider;
  generating assertions based on a received security context and a received local execution context;
  transmitting confidence metrics in the report to the identity provider; and
  providing attestation of the running web application or web servlet as a digital icon for rendering by a web browser.
Dependent claims: 18, 19, 20

21. A system for continuously monitoring running applications hosted on self-managed and on-premise, or on outsourced service provider managed infrastructure comprising:
  an instrumented target platform for hosting a target user or service program;
  an application attestation service for:
    generating a globally unique, opaque, and time-sensitive application artifact and application statements including a plurality of assertions pertaining to inspection based runtime local execution context and introspection based security context; and
    remediating the instrumented target platform, wherein the remediating includes one or more of:
      a reimage, a snapshot, or a quarantine of the instrumented target platform;
  a runtime monitor for discovering, identifying and inspecting running application processes on the instrumented target platform and for generating metadata that includes at least the runtime local execution context;
  a collaboration service configured to:
    provide introspected security context for a target application running on the instrumented target platform; and
    analyze executable file binaries for the target application running on the instrumented target platform; and
  a graphical user interface configured to:
    request and receive dynamic assertions from a metadata repository of the attestation service, the dynamic assertions pertaining to the local execution context the introspected security context of running application instances on instrumented target platforms;
    continuously display the dynamic assertions to a system administrator; and
    provision and dispatch alerts based on the dynamic assertions and predefined criteria.
Dependent claims: 22, 23, 24, 25, 26

Specification