Multiple resource or security contexts in a multithreaded application

US 5,915,085 A
Filed: 02/28/1997
Issued: 06/22/1999
Est. Priority Date: 02/28/1997
Status: Expired due to Term

First Claim

Patent Images

1. In a computer system including a system security manager and a multithreaded application environment, a computerized method of supporting multiple security or resource contexts, said method comprising the steps of:

instantiating at least one thread for an execution of content, each thread having at least one content context;

associating each content context with a content loader for loading said each context for execution;

associating the loader with one of a security requirement and a resource requirement, wherein the requirement may vary according to said each content context; and

dynamically managing one of a security request and a resource request for each thread according to an associated requirement.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for creating flexible security control mechanisms and virtualization of nominally shared system resources. The goal is to minimize the potential for interference between concurrently executing applications in a multithreaded environment. Executable content is associated with security policies appropriate to the content, and policies are associated with the content loader; security policies are dynamically computed so that content from multiple sources can be combined to create new, yet secure, function; digitally signed executable content can bypass some security restrictions; and, nominally shared resources are managed via policies associated with the content loading mechanism.

158 Citations

30 Claims

1. In a computer system including a system security manager and a multithreaded application environment, a computerized method of supporting multiple security or resource contexts, said method comprising the steps of:
- instantiating at least one thread for an execution of content, each thread having at least one content context;
  
  associating each content context with a content loader for loading said each context for execution;
  
  associating the loader with one of a security requirement and a resource requirement, wherein the requirement may vary according to said each content context; and
  
  dynamically managing one of a security request and a resource request for each thread according to an associated requirement.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the requirement is the security requirement, further comprising the steps of:
    - said instantiating step comprises the step of instantiating multiple threads, at least two of the threads having different security requirements; and
      
      dynamically managing security for said each thread as a function of the different security requirements.
  - 3. The method of claim 1, further comprising the step of instantiating security managers and associating instances of security managers with the content loader.
  - 4. The method of claim 3, wherein said step of associating security managers with the content loader is done indirectly.
  - 5. The method of claim 3, wherein said step of dynamically managing comprises the step of redirecting the security requests from the system security manager to the instances of security managers.
  - 6. The method of claim 3, further comprising the steps of:
    - said system security manager receiving said one of the security request and the resource request;
      
      searching for and identifying all security managers associated with the thread; and
      
      selecting a most restrictive one of the security requirement and the resource requirement associated with said all security managers.
  - 7. The method of claim 6, wherein no security mangers are identified, further comprising the step of assigning a default security manager.
  - 8. The method of claim 3, further comprising the steps of:
    - said system security manager receiving said one of the security request and the resource request;
      
      constraining said searching by determining if the content is trusted.
  - 9. The method of claim 1, further comprising the steps of:
    - said system security manager receiving the resource request;
      
      determining if a resource associated with the resource request is nominally shared by all threads; and
      
      instantiating and associating a non-shared copy of a nominally shared resource with the content loader.
  - 10. The method of claim 9 wherein the step of associating the nonshared copy of a nominally shared resource is indirectly associated with the content loader.
  - 11. The method of claim 3, wherein the resource requirement includes resource limits, said method comprising the steps of:
    - said system security manager receiving the resource request;
      
      searching for and identifying all security managers associated with the thread, in response to said system security manager receiving the resource request; and
      
      identifying by said all security managers whether resource limits have been exceeded.
  - 12. The method of claim 1, wherein the application environment is a Java virtual machine.
  - 13. The method of claim 1, wherein said step of associating the loader comprises the step of associating the loader with an unrestricted requirement.
  - 14. The method of claim 1, further comprising the step of associating a child thread or child threadgroup with one of the security requirement and the resource requirement.
  - 15. The method of claim 1, further comprising the steps of:
    - said instantiating step comprising instantiating a runtime stack for each thread, the stack including at least one stack frame, wherein the content context represents one of an uncompleted method and subroutine call in the thread.

16. A computer system for supporting multiple security or resource contexts, said system comprising:
- a system security manager coupled to a multithreaded application environment;
  
  means for instantiating at least one thread for an execution of content, each thread having at least one content context;
  
  means for associating each content context with a content loader for loading said each context for execution;
  
  means for associating the loader with one of a security requirement and a resource requirement, wherein the requirement may vary according to said each content context; and
  
  means for dynamically managing one of a security request and a resource request for each thread, coupled to said means for associating.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 17. The system of claim 16, wherein the requirement is the security requirement, further comprising:
    - said means for instantiating comprises means for instantiating multiple threads, at least two of the threads having different security requirements; and
      
      means for dynamically managing comprises dynamically managing security for said each thread as a function of the different security requirements.
  - 18. The system of claim 16, further comprising means for instantiating security managers and associating instances of security managers with the content loader.
  - 19. The system of claim 18, wherein said means for associating security managers with the content loader indirect.
  - 20. The system of claim 18, wherein said means for dynamically managing comprises means for redirecting the security requests from the system security manager to the instances of security managers.
  - 21. The system claim 18, further comprising:
    - means for said system security manager to receive said one of the security request and the resource request;
      
      means for searching for and identifying all security managers associated with the thread coupled to said means for said system security manager; and
      
      means for selecting a most restrictive one of the security requirement and the resource requirement associated with said all security managers.
  - 22. The system of claim 21, wherein no security mangers are identified, further comprising means for assigning a default security manager.
  - 23. The system of claim 18, further comprising the steps of:
    - means for said system security manager to receive said one of the security request and the resource request; and
      
      means for constraining said searching by determining if the content is trusted.
  - 24. The system of claim 16, further comprising the steps of:
    - means for said system security manager to receive the resource request;
      
      means for determining if a resource associated with the resource request is nominally shared by all threads; and
      
      means for instantiating and associating a non-shared copy of a nominally shared resource with the content loader, coupled to said means for determining.
  - 25. The system claim 24 wherein the nonshared copy of a nominally shared resource is indirectly associated with the content loader.
  - 26. The system of claim 18, wherein the resource requirement includes resource limits, said system method comprising:
    - means for said system security manager to receive the resource request;
      
      means for searching for and identifying all security managers associated with the thread, in response to said system security manager receiving the resource request; and
      
      means for identifying by said all security managers whether resource limits have been exceeded.
  - 27. The system of claim 16, wherein the application environment is a Java virtual machine.
  - 28. The system of claim 16, wherein means for associating the loader comprises means for associating the loader with an unrestricted requirement.
  - 29. The system of claim 16, wherein means for associating a child thread or child threadgroup with one of the security requirement and the resource requirement.
  - 30. The system of claim 16, further comprising;
    - said means for instantiating comprising means for instantiating a runtime stack for each thread, the stack including at least one stack frame, wherein the content context represents one of an uncompleted method and subroutine call in the thread.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Koved, Lawrence
Primary Examiner(s)
Treat, William M.

Application Number

US08/810,174
Time in Patent Office

844 Days
Field of Search

380/4, 380/25, 395/186, 395/187.01, 395/188.01
US Class Current

726/1
CPC Class Codes

G06F 21/54 by adding security routines...

G06F 9/468 Specific access rights for ...

Multiple resource or security contexts in a multithreaded application

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

158 Citations

30 Claims

Specification

Use Cases

Quick Links

Others

Multiple resource or security contexts in a multithreaded application

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

158 Citations

30 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others