System and method for executing verifiable programs with facility for using non-verifiable programs from trusted sources

US 5,692,047 A
Filed: 12/08/1995
Issued: 11/25/1997
Est. Priority Date: 12/08/1995
Status: Expired due to Term

First Claim

Patent Images

1. A computer comprising:

a program integrity verifier that verifies that programs written in an architecture neutral language satisfy predefined program integrity criteria;

a digital signature verifier that verifies the digital signatures of originating parties of programs that are contained in the programs;

an untrusted object class repository that stores untrusted object classes;

a trusted object class repository that stores trusted object classes;

said object classes each including at least one program, each program comprising a program selected from the group consisting of (A) architecture neutral programs wdtten in the architecture neutral language and (B) architecture specific programs written in an architecture specific language whose integrity cannot be verified by the integrity verifier;

an architecture specific program executer;

an architecture neutral program executer;

a user address space; and

a class loader that loads a specified one of said object classes into the user address space for execution when execution of any program in the one object class is requested, said class loader including program security logic for preventing the loading of any requested object class, other than object classes in said trusted object class repository, that includes at least one architecture specific program unless every architecture specific program in the requested object class includes a digital signature and said digital signature is successfully verified by said digital signature verifier.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer system includes a program executer that executes verifiable architecture neutral programs and a class loader that prohibits the loading and execution of non-verifiable programs unless (A) the non-verifiable program resides in a trusted repository of such programs, or (B) the non-verifiable program is indirectly verifiable by way of a digital signature on the non-verifiable program that proves the program was produced by a trusted source. In the preferred embodiment, verifiable architecture neutral programs are Java bytecode programs whose integrity is verified using a Java bytecode program verifier. The non-verifiable programs are generally architecture specific compiled programs generated with the assistance of a compiler. Each architecture specific program typically includes two signatures, including one by the compiling party and one by the compiler. Each digital signature includes a signing party identifier and an encrypted message. The encrypted message includes a message generated by a predefined procedure, and is encrypted using a private encryption key associated with the signing party. A digital signature verifier used by the class loader includes logic for processing each digital signature by obtaining a public key associated with the signing party, decrypting the encrypted message of the digital signature with that public key so as generate a decrypted message, generating a test message by executing the predefined procedure on the architecture specific program associated with the digital signature, comparing the test message with the decrypted message, and issuing a failure signal if the decrypted message digest and test message digest do not match.

249 Citations

21 Claims

1. A computer comprising:
- a program integrity verifier that verifies that programs written in an architecture neutral language satisfy predefined program integrity criteria;
  
  a digital signature verifier that verifies the digital signatures of originating parties of programs that are contained in the programs;
  
  an untrusted object class repository that stores untrusted object classes;
  
  a trusted object class repository that stores trusted object classes;
  
  said object classes each including at least one program, each program comprising a program selected from the group consisting of (A) architecture neutral programs wdtten in the architecture neutral language and (B) architecture specific programs written in an architecture specific language whose integrity cannot be verified by the integrity verifier;
  
  an architecture specific program executer;
  
  an architecture neutral program executer;
  
  a user address space; and
  
  a class loader that loads a specified one of said object classes into the user address space for execution when execution of any program in the one object class is requested, said class loader including program security logic for preventing the loading of any requested object class, other than object classes in said trusted object class repository, that includes at least one architecture specific program unless every architecture specific program in the requested object class includes a digital signature and said digital signature is successfully verified by said digital signature verifier.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer of claim 1, said class loader includes verifier logic for invoking said program integrity verifier to verify the integrity of every architecture neutral program in the requested object class when the requested object class is not stored in said trusted object class repository and includes at least one architecture neutral program;
    - said program security logic further preventing the loading of said any requested object class other than object classes in said trusted object class repository when the requested object class includes at least one architecture neutral program whose integrity is not verified by said program integrity verifier.
  - 3. The computer of claim 2, said class loader further enabling execution of the requested program by said architecture neutral program executer when said requested program is an architecture neutral program and loading of the requested object class is not prevented by said program security logic, and enabling execution of the requested program by said architecture specific program executer when said requested program is an architecture specific program and loading of the requested object class is not prevented by said program security logic.
  - 4. The computer of claim 1,each said digital signature associated with one of said architecture specific programs including a signing party identifier and an encrypted message, said encrypted message including a message digest of the architecture specific program generated using a message digest function wherein said encrypted message has been encrypted using a private encryption key associated with said identified signing party;
    - andsaid digital signature verifier including logic for processing a specified digital signature by obtaining a public key associated with the signing party identified by said signing party identifier, decrypting the encrypted message of said digital signature with said public key so as generate a decrypted message digest, generating a test message digest by executing said message digest function on the architecture specific program associated with said digital signature, comparing said test message digest with said decrypted message digest, and issuing a failure signal if said decrypted message digest and test message digest do not match.
  - 5. The computer of claim 1,each said digital signature associated with one of said architecture specific programs including a signing party identifier and an encrypted message, said encrypted message including a message generated by a predefined procedure, wherein said encrypted message has been encrypted using a private encryption key associated with said identified signing party;
    - andsaid digital signature verifier including logic for processing a specified digital signature by obtaining a public key associated with the signing party identified by said signing party identifier, decrypting the encrypted message of said digital signature with said public key so as generate a decrypted message, generating a test message by executing said predefined procedure on the architecture specific program associated with said digital signature, comparing said test message with said decrypted message, and issuing a failure signal if said decrypted message digest and test message digest do not match.
  - 6. The computer of claim 1,said program security logic further for preventing the loading of any requested object class, other than object classes in said trusted object class repository, that includes at least one architecture specific program unless every architecture specific program in the requested object class includes two digital signatures and said digital signatures are both successfully verified by said digital signature verifier;
    - each said digital signature associated with one of said architecture specific programs including a signing party identifier and an encrypted message, said encrypted message including a message generated by a predefined procedure, wherein said encrypted message has been encrypted using a private encryption key associated with said identified signing party;
      
      said digital signature verifier including logic for processing a specified digital signature by obtaining a public key associated with the signing party identified by said signing party identifier, decrypting the encrypted message of said digital signature with said public key so as generate a decrypted message, generating a test message by executing said predefined procedure on the architecture specific program associated with said digital signature, comparing said test message with said decrypted message, and issuing a failure signal if said decrypted message digest and test message digest do not match; and
      
      said program security logic preventing loading of the requested object class, other than object classes in said trusted object class repository, unless every architecture specific program in the requested object class includes a first digital signature for which the signing party is a member of a first group of trusted parties, and includes a second digital signature for which the signing party is a member of a second group of trusted parties.
  - 7. The computer of claim 1,said program security logic preventing loading of the requested object class, other than object classes in said trusted object class repository, unless every architecture specific program in the requested object class includes a message digest for an associated architecture neutral program, and said message digest matches a test message digest generated by said program security logic by performing a predefined message digest procedure on said associated architecture neutral program.

8. A method of OPerating a computer system, comprising the steps of:
- storing untrusted object classes in an untrusted object class repository;
  
  storing trusted object classes in a trusted object class repository;
  
  said object classes each including at least one program, each program comprising a program selected from the group consisting of (A) architecture neutral programs written in an architecture neutral language and (B) architecture specific programs written in an architecture specific language;
  
  when execution of any program in the one object class is requested, loading the requested object class into a user address space for execution unless loading of the requested object class is prevented by a security violation, including preventing the loading of any requested object class, other than object classes in said trusted object class repository, that includes at least one architecture specific program unless every architecture specific program in the requested object class includes a digital signature and said digital signature is successfully verified by said digital signature verifier.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, said object class loading step including (A) verifying the integrity of every architecture neutral program in the requested object class when the requested object class is not stored in said trusted object class repository and includes at least one architecture neutral program, and (B) and preventing the loading of the requested object class, unless the requested object class is in said trusted object class repository, when the requested object class includes at least one architecture neutral program whose integrity is not verified.
  - 10. The method of claim 9, said object class loading step including enabling execution of the requested program by said architecture neutral program executer when said requested program is an architecture neutral program and loading of the requested object class is not prevented by said program security logic, and enabling execution of the requested program by said architecture specific program executer when said requested program is an architecture specific program and loading of the requested object class is not prevented by said program security logic.
  - 11. The method of claim 8,each said digital signature associated with one of said architecture specific programs including a signing party identifier and an encrypted message, said encrypted message including a message digest of the architecture specific program generated using a message digest function wherein said encrypted message has been encrypted using a private encryption key associated with said identified signing party;
    - andsaid object class loading step including processing a specified digital signature by obtaining a public key associated with the signing party identified by said signing party identifier, decrypting the encrypted message of said digital signature with said public key so as generate a decrypted message digest, generating a test message digest by executing said message digest function on the architecture specific program associated with said digital signature, comparing said test message digest with said decrypted message digest, and issuing a failure signal if said decrypted message digest and test message digest do not match.
  - 12. The method of claim 8,each said digital signature associated with one of said architecture specific programs including a signing party identifier and an encrypted message, said encrypted message including a message generated by a predefined procedure, wherein said encrypted message has been encrypted using a private encryption key associated with said identified signing party;
    - andsaid object class loading step including processing a specified digital signature by obtaining a public key associated with the signing party identified by said signing party identifier, decrypting the encrypted message of said digital signature with said public key so as generate a decrypted message, generating a test message by executing said predefined procedure on the architecture specific program associated with said digital signature, comparing said test message with said decrypted message, and issuing a failure signal if said decrypted message digest and test message digest do not match.
  - 13. The method of claim 8,object class loading step including preventing the loading of any requested object class, other than object classes in said trusted object class repository, that includes at least one architecture specific program unless every architecture specific program in the requested object class includes two digital signatures and said digital signatures are both successfully verified by said digital signature verifier;
    - each said digital signature associated with one of said architecture specific programs including a signing party identifier and an encrypted message, said encrypted message including a message generated by a predefined procedure, wherein said encrypted message has been encrypted using a private encryption key associated with said identified signing party;
      
      said object class loading step including processing a specified digital signature by obtaining a public key associated with the signing party identified by said signing party identifier, decrypting the encrypted message of said digital signature with said public key so as generate a decrypted message, generating a test message by executing said predefined procedure on the architecture specific program associated with said digital signature, comparing said test message with said decrypted message, and issuing a failure signal if said decrypted message digest and test message digest do not match;
      
      said object class loading step further including preventing loading of the requested object class, other than object classes in said trusted object class repository, unless every architecture specific program in the requested object class includes a first digital signature for which the signing party is a member of a first group of trusted parties, and includes a second digital signature for which the signing party is a member of a second group of trusted parties.
  - 14. The method of claim 8,said object class loading step including preventing loading of the requested object class, other than object classes in said trusted object class repository, unless every architecture specific program in the requested object class includes a message digest for an associated architecture neutral program, and said message digest matches a test message digest generated by said program security logic by performing a predefined message digest procedure on said associated architecture neutral program.

15. A memory for storing data programs being executed on a data processing system, said memory comprising:
- a program integrity verifier that verifies that programs written in an architecture neutral language satisfy predefined program integrity criteria;
  
  a digital signature verifier that verifies the digital signatures of originating parties of programs that are contained in the programs;
  
  an untrusted object class repository that stores untrusted object classes;
  
  a trusted object class repository that stores trusted object classes;
  
  said object classes each including at least one program, each program comprising a program selected from the group consisting of (A) architecture neutral programs written in the architecture neutral language and (B) architecture specific programs written in an architecture specific language whose integrity cannot be verified by the integrity verifier;
  
  an architecture specific program executer;
  
  an architecture neutral program executer; and
  
  a class loader that loads a specified one of said object classes into a user address space for execution when execution of any program in the one object class is requested, said class loader including program security instructions for preventing the loading of any requested object class, other than object classes in said trusted object class repository, that includes at least one architecture specific program unless every architecture specific program in the requested object class includes a digital signature and said digital signature is successfully verified by said digital signature verifier.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The memory of claim 15, said class loader includes verifier instructions for invoking said program integrity verifier to verify the integrity of every architecture neutral program in the requested object class when the requested object class is not stored in said trusted object class repository and includes at least one architecture neutral program;
    - said program security instructions further preventing the loading of said any requested object class other than object classes in said trusted object class repository when the requested object class includes at least one architecture neutral program whose integrity is not verified by said program integrity verifier.
  - 17. The memory of claim 16, said class loader further enabling execution of the requested program by said architecture neutral program executer when said requested program is an architecture neutral program and loading of the requested object class is not prevented by said program security instructions, and enabling execution of the requested program by said architecture specific program executer when said requested program is an architecture specific program and loading of the requested object class is not prevented by said program security instructions.
  - 18. The memory of claim 15,each said digital signature associated with one of said architecture specific programs including a signing party identifier and an encrypted message, said encrypted message including a message digest of the architecture specific program generated using a message digest function wherein said encrypted message has been encrypted using a private encryption key associated with said identified signing party;
    - andsaid digital signature verifier including instructions for processing a specified digital signature by obtaining a public key associated with the signing party identified by said signing party identifier, decrypting the encrypted message of said digital signature with said public key so as generate a decrypted message digest, generating a test message digest by executing said message digest function on the architecture specific program associated with said digital signature, comparing said test message digest with said decrypted message digest, and issuing a failure signal if said decrypted message digest and test message digest do not match.
  - 19. The memory of claim 15,each said digital signature associated with one of said architecture specific programs including a signing party identifier and an encrypted message, said encrypted message including a message generated by a predefined procedure, wherein said encrypted message has been encrypted using a private encryption key associated with said identified signing party;
    - andsaid digital signature verifier including instructions for processing a specified digital signature by obtaining a public key associated with the signing party identified by said signing party identifier, decrypting the encrypted message of said digital signature with said public key so as generate a decrypted message, generating a test message by executing said predefined procedure on the architecture specific program associated with said digital signature, comparing said test message with said decrypted message, and issuing a failure signal if said decrypted message digest and test message digest do not match.
  - 20. The memory of claim 15,said program security instructions further for preventing the loading of any requested object class, other than object classes in said trusted object class repository, that includes at least one architecture specific program unless every architecture specific program in the requested object class includes two digital signatures and said digital signatures are both successfully verified by said digital signature verifier;
    - each said digital signature associated with one of said architecture specific programs including a signing party identifier and an encrypted message, said encrypted message including a message generated by a predefined procedure, wherein said encrypted message has been encrypted using a private encryption key associated with said identified signing party;
      
      said digital signature verifier including instructions for processing a specified digital signature by obtaining a public key associated with the signing party identified by said signing party identifier, decrypting the encrypted message of said digital signature with said public key so as generate a decrypted message, generating a test message by executing said predefined procedure on the architecture specific program associated with said digital signature, comparing said test message with said decrypted message, and issuing a failure signal if said decrypted message digest and test message digest do not match; and
      
      said program security instructions preventing loading of the requested object class, other than object classes in said trusted object class repository, unless every architecture specific program in the requested object class includes a first digital signature for which the signing party is a member of a first group of trusted parties, and includes a second digital signature for which the signing party is a member of a second group of trusted parties.
  - 21. The memory of claim 15,said program security instructions preventing loading of the requested object class, other than object classes in said trusted object class repository, unless every architecture specific program in the requested object class includes a message digest for an associated architecture neutral program, and said message digest matches a test message digest generated by said program security instructions by performing a predefined message digest procedure on said associated architecture neutral program.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
McManis, Charles E.
Primary Examiner(s)
Barron, Jr., Gilberto

Application Number

US08/569,398
Time in Patent Office

718 Days
Field of Search

380/4, 380/25, 364/280.4, 364/286.4, 364/946, 364/949.96, 395/704, 395/186
US Class Current

713/167
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 2211/007   Encryption, En-/decode, En-...

G06F 9/445   Program loading or initiati...

System and method for executing verifiable programs with facility for using non-verifiable programs from trusted sources

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

249 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for executing verifiable programs with facility for using non-verifiable programs from trusted sources

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

249 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links