Method and apparatus for escrowing properties used for accessing executable modules
Abstract
An apparatus and method provide a controlled, dynamically loaded, modular, cryptographic implementation for integration of flexible policy implementations on policy engines, and the like, into a base executable having at least one slot. The base executable may rely on an integrated loader to control loading and linking of fillers and submodules. A policy module may be included for use in limiting each module's function, access, and potential for modification or substitution. The policy may be implemented organically within a manager layer or may be modularized further in an underlying engine layer as an independent policy, or as a policy created by a policy engine existing in an engine layer. The policy module is subordinate to the manager module in the manager layer in that the manager module calls the policy module when it is needed by the manager module. The policy module is preferably dynamically linkable, providing flexibility, and is layered deeper within the filler module than the manager module.
21 Claims
1. An apparatus implemented in a digital computer having a processor and memory for executing applications, the apparatus, a plurality of executable modules, and the apparatus used to verify and load the modules, the apparatus comprising:
a base executable loadable into the computer to perform a base function, the base executable module being provided with at least one slot adapted to receive a filler module;
a first filler module containing a first unique property recognizable by the base executable, and alterable exclusively by an authorized entity;
a second filler module containing a second unique property recognizable by the base executable and alterable exclusively by an authorized entity;
the base executable being programmed to verify the presence of the first and second unique properties within the first and second filler modules, respectively, and to dynamically load the first and second filler modules into the at least one slot only upon verification of the presence of the first and second unique properties;
a manager module included within the first filler module for enforcing policies propagated by the authorized entity; and
a policy module included within the second filler module, wherein the second filler module contains the policies to be enforced by the manager module, and wherein the policy module includes a cryptographic policy.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.

11. An article, implemented in a computer readable medium, comprising a memory device having blocks for storing executables and data, the article including a first block storing a plurality of executable modules executable by a processor, the first block comprising:
a base module loadable to be executed by the processor to perform a base function, the base module being provided with at least one slot adapted to receive a first filler module;
the first filler module executable by a processor and containing a first unique property recognizable by a loader, the unique property being alterable exclusively by an authorized entity;
a second filler module containing a second unique property recognizable by the base executable, and alterable exclusively by an authorized entity;
a loader module integral to the base module and programmed to verify the presence of the first and second unique properties in the first and second filler modules, respectively, and to dynamically load each of the first and second filler modules only upon verification of the first and second unique properties in the first and second filler modules, respectively;
a manager module included within the first filler module for enforcing policies propagated by the authorized entity; and
a policy module included within the authorized entity, wherein the policy module contains the policies to be enforced by the manager module, and wherein the policies include at least one cryptographic policy.
Dependent claims: 12, 13, 14, 15, 16, 17.

18. A method for flexibly integrating policies into a software module, the method implemented in a computer readable medium and executable by a processor of a computer, the method comprising:
providing a base module executable by the processor, the base module having at least one slot for receiving filler modules and having a loader programmed to operate within the base executable to control loading of the filler modules into the at least one slot;
providing a manager filler module containing a unique property recognizable by the first loader and alterable exclusively by an authorized entity;
providing a policy filler module containing a second unique property recognizable by the first loader and alterable exclusively by an authorized entity, the policy filler module containing policies enforceable by the manager filler module, wherein at least one of the policies is a cryptographic policy;
verifying by the loader the presence of the first unique property in the manager filler module;
loading dynamically the manager filler module only after the loader verifies the presence of the first unique property successfully;
verifying by the loader the presence of the second unique property in the policy filler module; and
loading dynamically the policy filler module only after the loader verifies the second unique property successfully.
Dependent claims: 19, 20, 21.

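As an added illustration that is not part of the patent text, the following constructed Python model walks through the arrangement of claims 1, 11 and 18: a base executable with two slots, an integral loader that refuses to load a filler module whose unique property does not verify, a manager filler that enforces a cryptographic policy, and a policy filler that carries it. The key, module bodies and policy values are constructed, and an HMAC is assumed as a stand-in for the "unique property" that only the authorized entity can alter.

```python
import hashlib
import hmac
import json
# Constructed key held by the authorized entity that seals filler modules. An HMAC
# stands in for the "unique property"; a real deployment would use a public-key
# signature so the loader can verify the property but cannot forge or alter it.
AUTHORIZED_KEY = b"constructed-authorized-entity-key"

def seal(body: dict, key: bytes = AUTHORIZED_KEY) -> dict:
    """Authorized entity attaches the unique property to a filler module body."""
    data = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "property": hmac.new(key, data, hashlib.sha256).hexdigest()}

def manager_enforce(policy: dict, algorithm: str, key_bits: int) -> bool:
    """Manager filler: apply the policy module's cryptographic policy to one request."""
    return algorithm in policy["allowed_algorithms"] and key_bits >= policy["min_key_bits"]

class BaseExecutable:
    """Base module with two slots; its integral loader gates every dynamic load."""
    def __init__(self, verify_key: bytes = AUTHORIZED_KEY):
        self.verify_key = verify_key
        self.slots = {"manager": None, "policy": None}

    def _loader_verify(self, sealed: dict) -> bool:
        data = json.dumps(sealed["body"], sort_keys=True).encode()
        expected = hmac.new(self.verify_key, data, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, sealed.get("property", ""))

    def load(self, slot: str, sealed: dict) -> bool:
        """Load a filler into its slot only after its unique property verifies."""
        if slot not in self.slots or not self._loader_verify(sealed):
            return False
        self.slots[slot] = sealed["body"]
        return True

    def request(self, algorithm: str, key_bits: int) -> bool:
        """Base function: refuse until both fillers are loaded, then the manager decides."""
        if self.slots["manager"] is None or self.slots["policy"] is None:
            return False
        return manager_enforce(self.slots["policy"], algorithm, key_bits)

# Constructed fillers: a manager module and a policy module carrying a cryptographic policy.
MANAGER_FILLER = seal({"name": "manager"})
POLICY_FILLER = seal({"name": "policy", "allowed_algorithms": ["AES-256-GCM"], "min_key_bits": 256})

def demo() -> tuple:
    base = BaseExecutable()
    loaded = (base.load("manager", MANAGER_FILLER), base.load("policy", POLICY_FILLER))
    # A policy body edited by anyone but the authorized entity no longer matches its property.
    tampered = dict(POLICY_FILLER, body=dict(POLICY_FILLER["body"], allowed_algorithms=["RC4"]))
    return loaded + (base.load("policy", tampered), base.request("AES-256-GCM", 256), base.request("RC4", 128))
```

Running `demo()` shows the two genuine fillers loading, the tampered policy being refused at the loader, and the manager then allowing only the algorithm the loaded policy permits.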