Method and apparatus for controlling software access to system resources
Abstract
Methods, systems, and software for installing and operating selected software applications on a client computer that is in communication with a server computer on a computer network are described. In one aspect of the present invention, a method for controlling the degree of access to operating system resources for a software program running on a computer that is running said operating system is provided. The degree of access to the operating system resources is defined for the software program, and at least one file including instructions for executing the software program is loaded on the computer from the server computer. The file is examined to determine the degree of system-level access available to the software program when the software program is being executed by the computer. The software program is executed, and a program instruction associated with the software program is intercepted when the software is being executed on the computer. A determination is then made to determine if the program instruction includes an operation that is outside of a degree of system-level access that is available to the software program, and if it is determined that the software program has permission to access system-level resources associated with the computer that are within the degree of system-level access available to the software, the program instruction is executed.
36 Claims
1. A method for controlling the degree of access to operating system resources for a software program running on a first computer, wherein said first computer is running said operating system, the method comprising:
examining at least one file associated with said software program to determine the degree of system-level access available to said software program when said software program is being executed by said first computer, wherein the software program is constructed using said at least one file;
executing said software program on said first computer;
intercepting a program instruction associated with said software program while said software program is being executed on said first computer;
determining when said program instruction includes an operation that is outside said degree of system-level access available to said software program; and
executing said program instruction when it is determined that said software program has permission to access system-level resources that are within said degree of system-level access available to said software program.
examining said at least one file includes determining the degree of system-level access to said server that is available to said applet when said applet is being executed by said client computer as defined by said defining a degree of access to said system-level resources associated with said server computer for said applet;
determining when the program instruction includes said operation that is outside said degree of system-level access available to the software program includes determining when said program instruction to access system-level resources associated with said server computer includes an operation that is outside said degree of system-level access available to said applet; and
executing said program instruction includes executing said program instruction to access system-level resources associated with said server computer when it is determined that said applet has permission to access system-level resources associated with said server computer that are within the degree of system-level access available to said applet.
11. A method as recited in claim 10 including loading at least one file including program instructions to access system-level resources associated with said server computer by transmitting said at least one file including program instructions to access system-level resources associated with said second computer from said server computer to said first computer across said computer network.
12. A method as recited in claim 1 wherein at least some of said operating system resources reside on a second computer coupled with said first computer through a computer network.
13. A method as recited in claim 12 further including loading at least one file including instructions for executing said software program on said first computer.
14. A method as recited in claim 13 wherein said software program comprises an applet.
15. A method as recited in claim 14 wherein said applet is a Java applet, said Java applet being arranged to include a header, said header being arranged to include an identifier, said identifier being arranged to identify said first computer.
16. A method as recited in claim 15 further including validating said identifier to determine when said first computer has permission to access said system-level resources residing on said server computer.
17. A method as recited in claim 12 further including
calling a third computer to initiate a download of files from said third computer to said first computer;
loading said relevant files from said second server, said relevant files including an archive file, said archive file including at least one class file and a header, said header including an identifier arranged to indicate the origin of said archive file;
validating said archive file;
converting said class file into an applet; and
executing said applet, said applet including at least one instruction, wherein executing said applet enables said client to access said system resource associated with said first server.
18. A method for processing a request as recited in claim 17 wherein said step of executing said applet includes:
determining whether said instruction is an instruction to execute a protected operation;
executing said operation when it is determined that said instruction is not an instruction to execute a protected operation; and
determining whether said operation is allowed when it is determined that said instruction is an instruction to execute a protected operation.
19. A method for processing a request as recited in claim 18 further including calling a security manager when it is determined that said instruction is an instruction to execute a protected operation.
20. A method for processing a request as recited in claim 19 further including:
determining whether said operation is allowed;
executing the operation when it is determined that said operation is allowed; and
signaling an error when it is determined that said operation is not allowed.
21. A method for processing a request as recited in claim 20, wherein calling a security manager includes:
obtaining a name of said system resource;
using said name of said system resource to obtain a name of an access file which corresponds to said system resource; and
obtaining permissions corresponding to said applet from said access file.
22. A method for processing a request as recited in claim 21 wherein said archive file is a Java archive file.
23. A method for processing a request as recited in claim 22 wherein said Java archive file includes a data block which contains information associated with said Java archive file.
24. A computer system for controlling the degree of access to operating system resources comprising:
a first computer coupled with at least one memory device which holds therein at least one file including instructions for executing a software program, said software program running on said first computer, said first computer running said operating system, said first computer being configured to:
define said degree of access to said operating system resources for said software program;
load said at least one file, said at least one file including instructions for executing said software program on said first computer;
examine said at least one file to determine the degree of system-level access available to said software program when said software program is being executed by said first computer;
execute said software program on said first computer;
intercept a program instruction associated with said software program when said software program is being executed on said first computer;
determine when said program instruction includes an operation that is outside said degree of system-level access available to said software program; and
execute said program instruction when it is determined that said software program has permission to access system-level resources associated with said first computer that are within the degree of system-level access available to said software program.
31. A computer-readable medium comprising computer-readable program code devices configured to cause a computer to perform the computer-implemented actions of:
defining said degree of access to said operating system resources for said software program;
examining at least one file to determine the degree of system-level access available to said software program when said software program is being executed by said computer, said at least one file being associated with said software program, wherein said at least one file includes instructions for executing said software program on said computer;
executing said software program on said computer;
intercepting a program instruction associated with said software program when said software program is being executed on said computer;
determining if said program instruction includes an operation that is outside said degree of system-level access available to said software program; and
executing said program instruction when it is determined that said software program has permission to access system-level resources associated with said computer that are within the degree of system-level access available to said software program.
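
The protected-operation check recited in claims 18 to 21, as an added Python illustration that is not taken from the patent or any implementation of it. The resource names, access-file format, applet identifiers and function names are hypothetical, and denying access when no access file or entry exists is an assumption.

```python
# Added illustration of claims 18-21; every name and value here is hypothetical.
from dataclasses import dataclass


class AccessDenied(Exception):
    """Error signaled when a protected operation is not allowed (claim 20)."""


# Constructed sample data: resource name -> name of its access file (claim 21).
ACCESS_FILE_FOR = {"/srv/payroll.db": "payroll.acl", "printer0": "printer.acl"}

# Constructed access files, one "<applet identifier> <op>,<op>" entry per line.
ACCESS_FILES = {
    "payroll.acl": "hr-applet read\naudit-applet read,write\n",
    "printer.acl": "hr-applet write\n",
}

# Operations treated as protected because they touch system resources.
PROTECTED_OPS = {"read", "write", "delete"}


@dataclass(frozen=True)
class Instruction:
    op: str
    resource: str = ""


def permissions_for(applet_id, resource):
    """Security manager lookup: resource name -> access file -> applet permissions."""
    access_file = ACCESS_FILE_FOR.get(resource)
    if access_file is None:
        return frozenset()  # assumption: no access file means no access
    for line in ACCESS_FILES.get(access_file, "").splitlines():
        ident, _, ops = line.partition(" ")
        if ident == applet_id:
            return frozenset(ops.split(","))
    return frozenset()  # assumption: an unlisted applet gets no access


def execute(applet_id, instr, perform):
    """Intercept one instruction and run it only if unprotected or permitted."""
    if instr.op not in PROTECTED_OPS:
        return perform(instr)  # claim 18: not a protected operation
    if instr.op in permissions_for(applet_id, instr.resource):
        return perform(instr)  # claim 20: operation is allowed
    raise AccessDenied(f"{applet_id}: {instr.op} on {instr.resource!r} not allowed")
```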
Specification