System and method for executing verifiable programs with facility for using non-verifiable programs from trusted sources
First Claim
1. A computer comprising:
a program integrity verifier that verifies that programs written in an architecture neutral language satisfy predefined program integrity criteria;
a digital signature verifier that verifies the digital signatures of originating parties of programs that are contained in the programs;
an untrusted object class repository that stores untrusted object classes;
a trusted object class repository that stores trusted object classes;
said object classes each including at least one program, each program comprising a program selected from the group consisting of (A) architecture neutral programs written in the architecture neutral language and (B) architecture specific programs written in an architecture specific language whose integrity cannot be verified by the integrity verifier;
an architecture specific program executer;
an architecture neutral program executer;
a user address space; and
a class loader that loads a specified one of said object classes into the user address space for execution when execution of any program in the one object class is requested, said class loader including program security logic for preventing the loading of any requested object class, other than object classes in said trusted object class repository, that includes at least one architecture specific program unless every architecture specific program in the requested object class includes a digital signature and said digital signature is successfully verified by said digital signature verifier.
Abstract
A computer system includes a program executer that executes verifiable architecture neutral programs and a class loader that prohibits the loading and execution of non-verifiable programs unless (A) the non-verifiable program resides in a trusted repository of such programs, or (B) the non-verifiable program is indirectly verifiable by way of a digital signature on the non-verifiable program that proves the program was produced by a trusted source. In the preferred embodiment, verifiable architecture neutral programs are Java bytecode programs whose integrity is verified using a Java bytecode program verifier. The non-verifiable programs are generally architecture specific compiled programs generated with the assistance of a compiler. Each architecture specific program typically includes two signatures, one by the compiling party and one by the compiler. Each digital signature includes a signing party identifier and an encrypted message. The encrypted message includes a message generated by a predefined procedure, and is encrypted using a private encryption key associated with the signing party. A digital signature verifier used by the class loader includes logic for processing each digital signature by obtaining a public key associated with the signing party, decrypting the encrypted message of the digital signature with that public key so as to generate a decrypted message, generating a test message by executing the predefined procedure on the architecture specific program associated with the digital signature, comparing the test message with the decrypted message, and issuing a failure signal if the decrypted message digest and test message digest do not match.
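The following is an added example, not code from the patent or from any implementation of it. It models in Python the class loader policy and the digital signature verifier that the abstract describes: a class from the trusted repository loads unconditionally; a class from the untrusted repository loads only if every architecture specific program in it carries a signature that verifies, while architecture neutral programs go through the integrity verifier. Everything concrete here is constructed for the example: the toy RSA key pair (two small primes, far below a secure size), the signing party identifier `acme-compiler`, the class names and the program bytes. Textbook RSA over a SHA-256 digest stands in for the abstract's "encrypted message", and a class-file magic check stands in for the bytecode verifier's integrity criteria.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed toy RSA key pair (two ~30-bit primes) so the example runs with the
# standard library only.  NOT a secure key size: a real verifier would use
# full-size RSA-PSS or ECDSA keys through a vetted cryptographic library.
_P, _Q = 1000000007, 998244353
N = _P * _Q
PUBLIC_EXP = 65537
PRIVATE_EXP = pow(PUBLIC_EXP, -1, (_P - 1) * (_Q - 1))

JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # stand-in for the integrity criteria


def predefined_procedure(program: bytes) -> int:
    """The abstract's 'predefined procedure': hash the program bytes and map the
    digest into the toy key's range so it can be signed."""
    return int.from_bytes(hashlib.sha256(program).digest(), "big") % N


def sign(program: bytes, private_exp: int = PRIVATE_EXP) -> int:
    """Produce the 'encrypted message' of a signature with the signer's private key."""
    return pow(predefined_procedure(program), private_exp, N)


@dataclass
class Program:
    name: str
    architecture_neutral: bool  # True: bytecode the verifier can check; False: native code
    code: bytes
    signatures: list = field(default_factory=list)  # [(signing_party_id, encrypted_message)]


@dataclass
class ObjectClass:
    name: str
    programs: list


class SecurityViolation(Exception):
    """Raised when the class loader's program security logic refuses a class."""


def program_integrity_verifier(program: Program) -> bool:
    """Stand-in for the bytecode verifier: the criterion here is just a
    well-formed class-file header (constructed for the example)."""
    return program.code.startswith(JAVA_CLASS_MAGIC)


class ClassLoader:
    def __init__(self, trusted_repo: dict, untrusted_repo: dict, public_keys: dict):
        self.trusted = trusted_repo        # name -> ObjectClass, loaded without signature checks
        self.untrusted = untrusted_repo    # name -> ObjectClass, subject to the policy
        self.public_keys = public_keys     # signing_party_id -> public exponent (toy)

    def digital_signature_verifier(self, program: Program, signer_id: str, encrypted_message: int) -> bool:
        """Obtain the signer's public key, 'decrypt' the encrypted message with it,
        recompute the test message over the program, and compare the two."""
        public_exp = self.public_keys.get(signer_id)
        if public_exp is None:
            return False  # unknown signing party: no key to check against
        decrypted_message = pow(encrypted_message, public_exp, N)
        test_message = predefined_procedure(program.code)
        return decrypted_message == test_message

    def load(self, class_name: str) -> ObjectClass:
        if class_name in self.trusted:
            return self.trusted[class_name]  # trusted repository: no further checks
        obj_class = self.untrusted.get(class_name)
        if obj_class is None:
            raise KeyError(class_name)
        for program in obj_class.programs:
            if program.architecture_neutral:
                if not program_integrity_verifier(program):
                    raise SecurityViolation(f"{program.name}: failed integrity verification")
                continue
            # Architecture specific program: every one must carry a verifying signature.
            if not program.signatures:
                raise SecurityViolation(f"{program.name}: unsigned native code")
            for signer_id, encrypted_message in program.signatures:
                if not self.digital_signature_verifier(program, signer_id, encrypted_message):
                    raise SecurityViolation(f"{program.name}: signature by {signer_id} failed")
        return obj_class


def demo() -> dict:
    """Run the policy over constructed classes; returns the outcome per class."""
    native = b"\x7fELF constructed native code"
    bytecode = JAVA_CLASS_MAGIC + b"\x00\x00\x00\x34 constructed bytecode"
    good_sig = [("acme-compiler", sign(native))]
    untrusted = {
        "Signed": ObjectClass("Signed", [Program("lib.so", False, native, good_sig)]),
        "Unsigned": ObjectClass("Unsigned", [Program("lib.so", False, native)]),
        "Unknown": ObjectClass("Unknown", [Program("lib.so", False, native, [("nobody", sign(native))])]),
        "Tampered": ObjectClass("Tampered", [Program("lib.so", False, native + b"!", good_sig)]),
        "PureBytecode": ObjectClass("PureBytecode", [Program("App.class", True, bytecode)]),
    }
    trusted = {"SystemNative": ObjectClass("SystemNative", [Program("sys.so", False, native)])}
    loader = ClassLoader(trusted, untrusted, {"acme-compiler": PUBLIC_EXP})
    results = {}
    for name in list(untrusted) + list(trusted):
        try:
            loader.load(name)
            results[name] = "loaded"
        except SecurityViolation:
            results[name] = "refused"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14s} {outcome}")
```

The `demo` cases cover the outcomes the claims distinguish: a trusted-repository class with unsigned native code loads, an untrusted class loads only when its native program's signature verifies under a known signing party's key, and unsigned, unknown-signer or modified native code is refused. The verifier's set of public keys is the root of trust of the whole scheme, so in a real loader it must be pinned and protected as carefully as the trusted repository itself.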
21 Claims
1. A computer comprising: (independent claim, reproduced in full under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7.
8. A method of operating a computer system, comprising the steps of:
storing untrusted object classes in an untrusted object class repository;
storing trusted object classes in a trusted object class repository;
said object classes each including at least one program, each program comprising a program selected from the group consisting of (A) architecture neutral programs written in an architecture neutral language and (B) architecture specific programs written in an architecture specific language;
when execution of any program in the one object class is requested, loading the requested object class into a user address space for execution unless loading of the requested object class is prevented by a security violation, including preventing the loading of any requested object class, other than object classes in said trusted object class repository, that includes at least one architecture specific program unless every architecture specific program in the requested object class includes a digital signature and said digital signature is successfully verified by said digital signature verifier.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A memory for storing data programs being executed on a data processing system, said memory comprising:
a program integrity verifier that verifies that programs written in an architecture neutral language satisfy predefined program integrity criteria;
a digital signature verifier that verifies the digital signatures of originating parties of programs that are contained in the programs;
an untrusted object class repository that stores untrusted object classes;
a trusted object class repository that stores trusted object classes;
said object classes each including at least one program, each program comprising a program selected from the group consisting of (A) architecture neutral programs written in the architecture neutral language and (B) architecture specific programs written in an architecture specific language whose integrity cannot be verified by the integrity verifier;
an architecture specific program executer;
an architecture neutral program executer; and
a class loader that loads a specified one of said object classes into a user address space for execution when execution of any program in the one object class is requested, said class loader including program security instructions for preventing the loading of any requested object class, other than object classes in said trusted object class repository, that includes at least one architecture specific program unless every architecture specific program in the requested object class includes a digital signature and said digital signature is successfully verified by said digital signature verifier.
Dependent claims: 16, 17, 18, 19, 20, 21.