Method and apparatus for controlling software access to system resources

US 6,317,742 B1
Filed: 01/09/1997
Issued: 11/13/2001
Est. Priority Date: 01/09/1997
Status: Expired due to Term

First Claim

Patent Images

1. A method for controlling the degree of access to operating system resources for a software program running on a first computer, wherein said first computer is running said operating system, the method comprising:

examining at least one file associated with said software program to determine the degree of system-level access available to said software program when said software program is being executed by said first computer, wherein the software program is constructed using said at least one file;

executing said software program on said first computer;

intercepting a program instruction associated with said software program while said software program is being executed on said first computer;

determining when said program instruction includes an operation that is outside said degree of system-level access available to said software program; and

executing said program instruction when it is determined that said software program has permission to access system-level resources that are within said degree of system-level access available to said software program.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and software for installing and operating selected software applications on a client computer that is in communication with a server computer on a computer network are described. In one aspect of the present invention, a method for controlling the degree of access to operating system resources for a software program running on a computer that is running said operating system is provided. The degree of access to the operating system resources is defined for the software program, and at least one file including instructions for executing the software program is loaded on the computer from the server computer. The file is examined to determine the degree of system-level access available to the software program when the software program is being executed by the computer. The software program is executed, and a program instruction associated with the software program is intercepted when the software is being executed on the computer. A determination is then made to determine if the program instruction includes an operation that is outside of a degree of system-level access that is available to the software program, and if it is determined that the software program has permission to access system-level resources associated with the computer that are within the degree of system-level access available to the software, the program instruction is executed.

88 Citations

View as Search Results

36 Claims

1. A method for controlling the degree of access to operating system resources for a software program running on a first computer, wherein said first computer is running said operating system, the method comprising:
- examining at least one file associated with said software program to determine the degree of system-level access available to said software program when said software program is being executed by said first computer, wherein the software program is constructed using said at least one file;
  
  executing said software program on said first computer;
  
  intercepting a program instruction associated with said software program while said software program is being executed on said first computer;
  
  determining when said program instruction includes an operation that is outside said degree of system-level access available to said software program; and
  
  executing said program instruction when it is determined that said software program has permission to access system-level resources that are within said degree of system-level access available to said software program.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 2. A method as recited in claim 1 further including defining said degree of access to said operating system resources for said software program.
  - 3. A method as recited in claim 1 wherein determining when said program instruction includes an operation that is outside said degree of system-level access available to said software program includes validating an identifier associated with said software program.
  - 4. A method as recited in claim 1 wherein executing said program instruction includes determining when said system-level resources being accessed by said program instruction are protected system-level resources.
  - 5. A method as recited in claim 1 wherein said software program comprises an applet.
  - 6. A method as recited in claim 4 wherein said applet is a Java applet.
  - 7. A method as recited in claim 4 wherein said applet is associated with a header, said header being arranged to include an identifier, said identifier being arranged to identify said an origin of said file.
  - 8. A method as recited in claim 7 further including validating said identifier to determine when said first computer has permission to access said system-level resources.
  - 9. A method as recited in claim 8 wherein said first computer is a client computer and said applet is downloaded to said client computer from a server computer.
  - 10. A method as recited in claim 9 wherein:
11. A method as recited in claim 10 including loading at least one file including program instructions to access system-level resources associated with said server computer by transmitting said at least one file including program instructions to access system-level resources associated with said second computer from said server computer to said first computer across said computer network.
12. A method as recited in claim 1 wherein at least some of said operating system resources reside on a second computer coupled with said first computer through a computer network.
13. A method as recited in claim 12 further including loading at least one file including instructions for executing said software program on said first computer.
14. A method as recited in claim 13 wherein said software program comprises an applet.
15. A method as recited in claim 14 wherein said applet is a Java applet, said Java applet being arranged to include a header, said header being arranged to include an identifier, said identifier being arranged to identify said first computer.
16. A method as recited in claim 15 further including validating said identifier to determine when said first computer has permission to access said system-level resources residing on said server computer.
17. A method as recited in claim 12 further includingcalling a third computer to initiate a download of files from said third computer to said first computer;
- loading said relevant files from said second server, said relevant files including an archive file, said archive file including at least one class file and a header, said header including an identifier arranged to indicate the origin of said archive file;
  
  validating said archive file;
  
  converting said class file into an applet; and
  
  executing said applet, said applet including at least one instruction, wherein executing said applet enables said client to access said system resource associated with said first server.
18. A method for processing a request as recited in claim 17 wherein said step of executing said applet includes:
- determining whether said instruction is an instruction to execute a protected operation;
  
  executing said operation when it is determined that said instruction is not an instruction to execute a protected operation; and
  
  determining whether said operation is allowed when it is determined that said instruction is an instruction to execute a protected operation.
19. A method for processing a request as recited in claim 18 further including calling a security manager when it is determined that said instruction is an instruction to execute a protected operation.
20. A method for processing a request as recited in claim 19 further including:
- determining whether said operation is allowed;
  
  executing the operation when it is determined that said operation is allowed; and
  
  signaling an error when it is determined that said operation is not allowed.
21. A method for processing a request as recited in claim 20, wherein calling a security manager includes:
- obtaining a name of said system resource;
  
  using said name of said system resource to obtain a name of an access file which corresponds to said system resource; and
  
  obtaining permissions corresponding to said applet from said access file.
22. A method for processing a request as recited in claim 21 wherein said archive file is a Java archive file.
23. A method for processing a request as recited in claim 22 wherein said Java archive file includes a data block which contains information associated with said Java archive file.

24. A computer system for controlling the degree of access to operating system resources comprising:
- a first computer coupled with at least one memory device which holds therein at least one file including instructions for executing a software program, said software program running on said first computer, said first computer running said operating system, said first computer being configured to;
  
  define said degree of access to said operating system resources for said software program;
  
  load said at least one file, said at least one file including instructions for executing said software program on said first computer;
  
  examine said at least one file to determine the degree of system-level access available to said software program when said software program is being executed by said first computer;
  
  execute said software program on said first computer;
  
  intercept a program instruction associated with said software program when said software program is being executed on said first computer;
  
  determine when said program instruction includes an operation that is outside said degree of system-level access available to said software program; and
  
  execute said program instruction when it is determined that said software program has permission to access system-level resources associated with said first computer that are within the degree of system-level access available to said software program.
- View Dependent Claims (25, 26, 27, 28, 29, 30)
- - 25. A computer system according to claim 24 wherein said first computer is arranged to validate an identifier associated with said software program.
  - 26. A computer system according to claim 24 wherein said first computer is arranged to determine if said system-level resources being accessed by said program instruction are protected system-level resources.
  - 27. A computer system according to claim 24 wherein said software program comprises an applet.
  - 28. A computer system according to claim 27 wherein said applet is a Java applet.
  - 29. A computer system according to claim 28 wherein said applet is associated with a header, said header being arranged to include an identifier, said identifier being arranged to identify a creator of said identifier.
  - 30. A computer system according to claim 29 wherein said first computer is arranged to verify said identifier to determine if said first computer has permission to access said system-level resources.

31. A computer-readable medium comprising computer-readable program code devices configured to cause a computer to perform the computer-implemented actions of:
- defining said degree of access to said operating system resources for said software program;
  
  examining at least one file to determine the degree of system-level access available to said software program when said software program is being executed by said computer, said at least one file being associated with said software program, wherein said at least one file includes instructions for executing said software program on said computer;
  
  executing said software program on said computer;
  
  intercepting a program instruction associated with said software program when said software program is being executed on said computer;
  
  determining if said program instruction includes an operation that is outside said degree of system-level access available to said software program; and
  
  executing said program instruction when it is determined that said software program has permission to access system-level resources associated with said computer that are within the degree of system-level access available to said software program.
- View Dependent Claims (32, 33, 34, 35, 36)
- - 32. A computer readable medium comprising computer-readable program code devices according to claim 31 wherein said computer-readable program code devices are configured to determine when said program instruction includes an operation that is outside said degree of system-level access available to said software program are arranged to validate an identifier associated with said software program.
  - 33. A computer readable medium comprising computer-readable program code devices according to claim 31 wherein said computer-readable code devices are configured to execute said program instruction are arranged to determine when said system-level resources being accessed by said program instruction are protected system-level resources.
  - 34. A computer readable medium comprising computer-readable program code according to claim 31 wherein said software program comprises an applet.
  - 35. A computer readable medium comprising computer-readable program code according to claim 34 wherein said applet is a Java™
    - applet.
  - 36. A computer readable medium comprising computer-readable program code according to claim 34 wherein said applet is associated with a header, said header being arranged to include an identifier, said identifier being arranged to identify a creator of said identifier, and said computer-readable program code devices are configured to perform the action of validating said identifier to determine if said applet has permission to access said system-level resources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Nagaratnam, Nataraj, Byrne, Steven B.
Primary Examiner(s)
Banankhah, Majid A.

Application Number

US08/780,823
Time in Patent Office

1,769 Days
Field of Search

709/300, 709/301, 709/303, 709/108, 713/200, 711/164, 707/6, 707/9, 707/103, 707/10, 395/425, 717/11
US Class Current

1/1
CPC Class Codes

G06F 9/52 Program synchronisation; Mu...

Y10S 707/99939 Privileged access

Method and apparatus for controlling software access to system resources

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

88 Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for controlling software access to system resources

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

88 Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links