SYSTEM AND METHOD FOR PROVIDING APPLICATION SECURITY IN A CLOUD COMPUTING ENVIRONMENT

US 20150222620A1
Filed: 01/30/2015
Published: 08/06/2015
Est. Priority Date: 01/31/2014
Status: Active Grant

First Claim

Patent Images

1. A system for providing application deployment security in a cloud computing or other environment, comprising:

one or more computers, including a cloud computing or other environment which enables compilation and deployment of software applications to run within the environment;

a plurality of hot-spot configurations, wherein each hot-spot configuration defines an API usage that is of interest to be monitored, and can associate a particular action with that API usage; and

an application compiler, whichreceives a user application to be deployed to the environment, wherein the user application includes one or more of the API usages expressed as method invocations within the source code of the user application,determines, for the API usages, one or more matching hot-spot configurations and associated policies and actions, andinjects the user application during compilation to create an application runtime including a corresponding instrumented code and a security manager glue code that, during execution of the user application, monitors the method invocations and values that are invoked, for use in granting or denying access.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In accordance with an embodiment, described herein is a system and method for providing application security in a cloud computing or other environment. A plurality of hot-spot configurations define API usages which, for security reasons, are of interest to be monitored at runtime, such as invocations of particular methods that are likely to be used to attempt unauthorized access. Upon a user application being received for deployment to the cloud environment, an application compiler determines, for API usages expressed as method invocations within the source code of the application, one or more hot-spot configurations and associated policies or actions. The application compiler can then inject the user application to provide a security manager that, during runtime, monitors the methods and values invoked, and communicates with one or more security extensions to grant or deny access.

10 Citations

View as Search Results

18 Claims

1. A system for providing application deployment security in a cloud computing or other environment, comprising:
- one or more computers, including a cloud computing or other environment which enables compilation and deployment of software applications to run within the environment;
  
  a plurality of hot-spot configurations, wherein each hot-spot configuration defines an API usage that is of interest to be monitored, and can associate a particular action with that API usage; and
  
  an application compiler, whichreceives a user application to be deployed to the environment, wherein the user application includes one or more of the API usages expressed as method invocations within the source code of the user application,determines, for the API usages, one or more matching hot-spot configurations and associated policies and actions, andinjects the user application during compilation to create an application runtime including a corresponding instrumented code and a security manager glue code that, during execution of the user application, monitors the method invocations and values that are invoked, for use in granting or denying access.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, wherein the plurality of hot-spot configurations is defined by an editable configuration file in XML or another format.
  - 3. The system of claim 1, wherein the security manager glue code communicates with one or more security extensions to perform the method invocations on behalf of the user application, including granting or denying access by the user application to the API usages expressed as method invocations.
  - 4. The system of claim 1, wherein the application compiler uses a set of rules to translate hot-spot configuration expressions defined in XML or another format into regular expressions understandable by the application compiler.
  - 5. The system of claim 1, further comprising a standard security manager that enforces permissions granted to classes within an application runtime, wherein the system operates with, and supplements or defends the operation of the standard security manager in enforcing the permissions.
  - 6. The system of claim 1, wherein the system is used to enforce security in an extensible manner within a Java environment.

7. A method of providing application deployment security in a cloud computing or other environment, comprising:
- providing one or more computers, including a cloud computing or other environment which enables compilation and deployment of software applications to run within the environment;
  
  providing a plurality of hot-spot configurations, wherein each hot-spot configuration defines an API usage that is of interest to be monitored, and can associate a particular action with that API usage; and
  
  compiling a user application, to be deployed to the environment, includingreceiving the user application to be deployed to the environment, wherein the user application includes one or more of the API usages expressed as method invocations within the source code of the user application,determining, for the API usages, one or more matching hot-spot configurations and associated policies and actions, andinjecting the user application during compilation to create an application runtime including a corresponding instrumented code and a security manager glue code that, during execution of the user application, monitors the method invocations and values that are invoked, for use in granting or denying access.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, wherein the plurality of hot-spot configurations is defined by an editable configuration file in XML or another format.
  - 9. The method of claim 7, wherein the security manager glue code communicates with one or more security extensions to perform the method invocations on behalf of the user application, including granting or denying access by the user application to the API usages expressed as method invocations.
  - 10. The method of claim 7, further comprising using a set of rules to translate hot-spot configuration expressions defined in XML or another format into regular expressions understandable by the application compiler.
  - 11. The method of claim 7, further comprising providing a standard security manager that enforces permissions granted to classes within an application runtime, wherein the method operates with, and supplements or defends the operation of the standard security manager in enforcing the permissions.
  - 12. The method of claim 7, wherein the method is used to enforce security in an extensible manner within a Java environment.

13. A non-transitory computer readable storage medium, including instructions stored thereon which when read and executed by one or more computers cause the one or more computers to perform the steps comprising:
- providing, at one or more computers, a cloud computing or other environment which enables compilation and deployment of software applications to run within the environment;
  
  providing a plurality of hot-spot configurations, wherein each hot-spot configuration defines an API usage that is of interest to be monitored, and can associate a particular action with that API usage; and
  
  compiling a user application, to be deployed to the environment, includingreceiving the user application, wherein the user application includes one or more API usages expressed as method invocations within the source code of the user application,determining, for the API usages expressed as method invocations within the source code, one or more matching hot-spot configurations and associated policies and actions, andinjecting the user application during compilation to create an application runtime which includes a corresponding instrumented code and a security manager glue code that, during execution of the user application, monitors methods and values that are invoked, and grants or denies access.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The non-transitory computer readable storage medium of claim 13, wherein the plurality of hot-spot configurations is defined by an editable configuration file in XML or another format.
  - 15. The non-transitory computer readable storage medium of claim 13, wherein the security manager glue code communicates with one or more security extensions to perform the method invocations on behalf of the user application, including granting or denying access by the user application to the API usages expressed as method invocations.
  - 16. The non-transitory computer readable storage medium of claim 13, further comprising using a set of rules to translate hot-spot configuration expressions defined in XML or another format into regular expressions understandable by the application compiler.
  - 17. The non-transitory computer readable storage medium of claim 13, further comprising providing a standard security manager that enforces permissions granted to classes within an application runtime, wherein the steps operate with, and supplement or defends the operation of the standard security manager in enforcing the permissions.
  - 18. The non-transitory computer readable storage medium of claim 13, wherein the steps are used to enforce security in an extensible manner within a Java environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
SUBRAMANIAN, VELMURUGAN, JUNNARKAR, NILESH

Granted Patent

US 9,871,800 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/102 Entity profiles

SYSTEM AND METHOD FOR PROVIDING APPLICATION SECURITY IN A CLOUD COMPUTING ENVIRONMENT

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

10 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR PROVIDING APPLICATION SECURITY IN A CLOUD COMPUTING ENVIRONMENT

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links