Stack based access control using code and executor identifiers
Abstract
A system regulates access to resources requested by an operation executing on a computer. The operation invokes a plurality of methods that operate upon code during execution. The system includes a policy file, a call stack, and an execution unit. The policy file stores permissions for each of the resources. The permissions authorize particular types of access to the resource based on a source of the code and an executor of the code. The call stack stores representations of the methods and executors in an order of invocation by the operation. The execution unit grants access to the resource when the types of access authorized by the permissions of all of the methods and executors on the call stack encompass the access requested by the operation.
9 Claims
1. A system that regulates access to a resource requested by an operation executing on a computer, the operation invoking a plurality of functions that operate upon code during execution, the system comprising:
a policy file that stores permissions for each of the functions, the permissions authorizing types of access to the resource based on a source of the code and an executor of the code;
a call stack that stores the functions and executors as frames in an order of invocation by the operation; and
an execution unit that grants access to the resource when the types of access authorized by the permissions of all of the functions and executors on the call stack encompass the access requested by the operation, wherein the execution unit determines the access dynamically.
2. The system of claim 1, wherein each of the frames include a privilege flag that indicates whether a corresponding function is a privileged function.
3. A system that regulates access to a resource requested by an operation executing on a computer, the operation invoking a plurality of functions that operate upon code during execution, the system comprising:
a policy file that stores permissions for each of the functions, the permissions authorizing types of access to the resource based on a source of the code and an executor of the code;
a call stack that stores the functions and executors as frames in an order of invocation by the operation; and
an execution unit that grants access to the resource when the types of access authorized by the permissions of all of the functions and executors on the call stack encompass the access requested by the operation;
wherein the execution unit includes an access controller that determines whether the operation is authorized to perform a requested type of access on the resource, the access controller including;
means for determining whether permissions associated with each of the frames on the call stack encompass the type of access requested, means for denying the requested access when any of the permissions fail to encompass the type of access requested, and means for granting access to the resource when all of the permissions encompass the type of access requested.
4. A system that regulates access to a resource requested by an operation executing on a computer, the operation invoking a plurality of functions that operate upon code during execution, the system comprising:
a policy file that stores permissions for each of the functions, the permissions authorizing types of access to the resource based on a source of the code and an executor of the code;
a call stack that stores the functions and executors as frames in an order of invocation by the operation; and
an execution unit that grants access to the resource when the types of access authorized by the permissions of all of the functions and executors on the call stack encompass the access requested by the operation, wherein each of the frames include a privilege flag that indicates whether a corresponding function is a privileged function; and
wherein the execution unit includes an access controller that determines whether the operation is authorized to perform a requested type of access on the resource, the access controller including;
means for determining that one of the frames has a set privilege flag, means for determining whether permissions associated with each of the frames on the call stack subsequent to the frame having the set privilege flag encompass the type of access requested, means for denying the requested access when any of the permissions fail to encompass the type of access requested, and means for granting access to the resource when all of the permissions encompass the type of access requested.
5. In a data processing system, a method that regulates access to a resource requested by an operation executing on a computer, the operation invoking a plurality of functions that operate upon code during execution, the method comprising the steps of:
storing permissions for each of the functions, the permissions authorizing types of access to the resource based on a source of the code and an executor of the code;
storing, as frames in a call stack, the functions and executors in an order of invocation by the operation;
dynamically determining whether the types of access authorized by the permissions of each of the functions and executors on the call stack encompass the access requested by the operation; and
granting access to the resource when the types of access authorized by the permissions of all of the functions and executors on the call stack encompass the access requested by the operation.
6. A data processing system that regulates access to a resource requested by an operation executing on a computer, the operation invoking a plurality of functions that operate upon code during execution, the data processing system comprising:
means for storing permissions for each of the functions, the permissions authorizing types of access to the resource based on a source of the code and an executor of the code;
means for storing, as frames in a call stack, the functions and executors in an order of invocation by the operation;
means for dynamically determining whether the types of access authorized by the permissions of each of the functions and executors on the call stack encompass the access requested by the operation; and
means for granting access to the resource when the types of access authorized by the permissions of all of the functions and executors on the call stack encompass the access requested by the operation.
7. In a system that regulates access to a resource requested by an operation executing on a computer, the operation invoking a plurality of functions that operate upon code during execution, the system including a policy file that stores permissions for each of the functions, the permissions authorizing types of access to the resource based on a source of the code and an executor of the code, a call stack that stores the functions and executors as frames in an order of invocation by the operation, and an execution unit, a method for regulating the requested access to the resource comprising steps, performed by the execution unit, of:
determining whether permissions associated with each of the frames on the call stack encompass a type of access requested, wherein each of the frames includes a code identifier that identifies the source of the code for a corresponding one of the functions, and an executor identifier that identifies the executor on whose behalf the code is being executed;
denying the requested access when any of the permissions fail to encompass the type of access requested; and
permitting access to the resource when all of the permissions encompass the type of access requested.
8. A computer-readable medium containing instructions for controlling a computer to perform an action requested by a program executing on the computer, the program invoking a plurality of functions that operate upon code during execution, the computer including a policy file that stores permissions for each of the functions, the permissions authorizing types of actions based on a source of the code and an executor of the code, a call stack that stores the functions and executors as frames in an order of invocation by the program, and an execution unit, the instructions causing the execution unit to perform the steps of:
determining whether permissions associated with each of the frames on the call stack encompasses a type of the requested action, wherein each of the frames includes a code identifier that identifies the source of the code for a corresponding one of the functions, and an executor identifier that identifies the executor on whose behalf the code is being executed;
denying the requested action when any of the permissions fail to encompass the type of requested action; and
performing the requested action when all of the permissions encompass the type of requested action.
9. A data processing system comprising:
a memory including;
a program that invokes a plurality of functions that operate upon code during execution;
a policy file that stores permissions for each of the functions, the permissions authorizing types of actions based on a source of the code and an executor of the code;
a call stack that stores the functions and executors as frames in an order of invocation by the programs; and
a runtime environment that receives a request for a type of action from the program, that dynamically determines whether permissions associated with each of the frames on the call stack encompass the requested type of action, and that grants the requested type of action when the types of actions authorized by the permissions of all of the functions and executors on the call stack encompass the requested type of action; and
a processor that executes the runtime environment and the program.
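The stack walk described in claims 3 and 4, as an added example that is not code from the patent: a policy keyed by (code source, executor), frames carrying both identifiers and a privilege flag, and a check that denies if any examined frame lacks the requested access. The policy entries, paths and function names are constructed, and the sketch assumes the frame with the set privilege flag is itself checked and that the walk stops there.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    function: str
    code_source: str          # code identifier: where the code came from
    executor: str             # executor identifier: on whose behalf it runs
    privileged: bool = False  # privilege flag from claims 2 and 4

# Constructed policy: (code source, executor) -> [(path prefix, access types)]
POLICY = {
    ("file:/system/lib", "bob"): [("/usr/share/fonts", {"read"}), ("/tmp", {"read", "write"})],
    ("http://applet.example", "bob"): [("/tmp/applet", {"read", "write"})],
}

def encompasses(grants, resource, access):
    """True if any grant covers the resource path and the access type."""
    for prefix, types in grants:
        under = resource == prefix or resource.startswith(prefix.rstrip("/") + "/")
        if under and access in types:
            return True
    return False

def check_access(stack, resource, access, policy=POLICY):
    """stack[0] is the oldest frame. Returns (granted, denying function or None)."""
    for frame in reversed(stack):              # most recent frame first
        grants = policy.get((frame.code_source, frame.executor), [])
        if not encompasses(grants, resource, access):
            return False, frame.function       # one failing frame denies the request
        if frame.privileged:
            break                              # assumption: older callers are not examined
    return True, None

APPLET, LIB, FONT = "http://applet.example", "file:/system/lib", "/usr/share/fonts/a.ttf"

def font_stack(privileged, executor="bob"):
    """Constructed scenario: applet code calls a library function that opens a font."""
    return [Frame("main", APPLET, executor),
            Frame("render", APPLET, executor),
            Frame("load_font", LIB, executor, privileged)]

if __name__ == "__main__":
    print(check_access(font_stack(False), FONT, "read"))          # denied at render
    print(check_access(font_stack(True), FONT, "read"))           # granted
    print(check_access(font_stack(True, "guest"), FONT, "read"))  # denied at load_font
```

The third case shows why the executor identifier matters: the same privileged library code is refused when it runs on behalf of an executor the policy does not list.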
Specification