Security critical data containers
Abstract
Described are security critical data containers for platform code, comprising a Get container and Set container that allow data to be marked as security critical for critical usage of that data, but left unmarked for non-critical usage. The number of critical methods in the code is reduced, facilitating better code analysis. A container's method may be marked as security critical, with the only access to the data via the method. By using a generic class for a Get container, access to the critical data only occurs through the property on the class, which is marked as critical. The field pointing to the generic class instance need not be critical, whereby initialization or existence checking may remain non-critical. The Set container handles security critical situations such as data that controls whether code can elevate permissions; a set method is marked as critical, while other methods can be accessed by non-critical code.
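The Get and Set containers the abstract describes, sketched in C# as an added illustration (not code from the patent or from any product). It assumes .NET's `[SecurityCritical]` attribute as the marking mechanism, which the page does not name; the names `CriticalGetBox`, `CriticalSetBox` and `ResourceOwner`, and the choice to mark the Get container's constructor critical, are hypothetical.

```csharp
using System;
using System.Security;

// Get container: only reading the wrapped value is security critical.
internal sealed class CriticalGetBox<T>            // hypothetical name
{
    private readonly T _value;
    [SecurityCritical]                             // assumption: storing is critical too
    internal CriticalGetBox(T value) { _value = value; }
    internal T Value
    {
        [SecurityCritical]                         // the single audited read path
        get { return _value; }
    }
}

// Set container: writing is security critical, reading is not.
internal struct CriticalSetBox<T>                  // hypothetical name
{
    private T _value;
    internal T Value
    {
        get { return _value; }                     // readable by non-critical code
        [SecurityCritical]
        set { _value = value; }                    // only critical code may change it
    }
}

internal sealed class ResourceOwner                // hypothetical consumer
{
    private CriticalGetBox<IntPtr> _handle;        // the field itself is not marked critical
    private CriticalSetBox<bool> _mayElevate;      // e.g. data that gates elevation

    // Non-critical: tests existence without touching the wrapped data.
    internal bool IsInitialized { get { return _handle != null; } }
    // Non-critical: reads the flag through the unmarked getter.
    internal bool MayElevate { get { return _mayElevate.Value; } }

    [SecurityCritical]
    internal void Attach(IntPtr handle, bool mayElevate)
    {
        _handle = new CriticalGetBox<IntPtr>(handle);
        _mayElevate.Value = mayElevate;
    }
    [SecurityCritical]
    internal IntPtr GetHandle() { return _handle.Value; }
}
```

A reviewer auditing this code needs to inspect only the members carrying the attribute; `IsInitialized` and `MayElevate` stay outside the critical set because they never reach the marked getter or setter.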
19 Claims
1. At a computer system, a computer implemented method for configuring platform code to simplify checks for security problems, the computer implemented method comprising:
- a programming language class providing a container for security critical data, the programming language class also including a plurality of methods for interacting with security critical data in the container,
- a processor selectively controlling whether the security critical data is treated as security critical depending on what interaction with the security critical data is being requested by distinguishing some methods of the set container as being security critical, such that the security critical data can only be accessed via the methods with elevated permissions, including:
  - marking methods that access the security critical data through a property on the class as security critical methods, and
  - indicating that methods that access an actual field pointing to the programming language class are not security critical methods such that the existence or initialization of the security critical data can be checked in a non-critical manner without actually accessing the security critical data.
Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A computer program product for use at a computer system, the computer program product for implementing a method for configuring platform code to simplify checks for security problems, the computer program product including one or more computer storage medium having stored thereon computer-executable instructions, which when executed at a processor, cause the computer system to perform the method, including the following:
- a programming language class providing a container for security critical data, the programming language class also including a plurality of methods for interacting with security critical data in the container;
- selectively controlling whether the security critical data is treated as security critical depending on what interaction with the security critical data is being requested by distinguishing some methods of the container as being security critical, such that the security critical data only can be accessed via the methods with elevated permissions, including:
  - marking methods that access the security critical data through a property on the class as security critical methods; and
  - indicating that methods that access an actual field pointing to the programming language class are not security critical methods such that the existence or initialization of the security critical data can be checked in a non-critical manner without actually accessing the security critical data.
10. A computer program product for use at a computer system, the computer program product for implementing a method for configuring platform code to simplify checks for security problems, the computer program product including one or more computer storage medium having stored thereon computer-executable instructions, that when executed at a processor, cause the computer system to perform the method, including performing the following:
- a programming language class providing a set container for security critical data, the programming language including a plurality of methods for interacting with the security critical data in the set container, the plurality of methods including a set method and a get method; and
- selectively controlling whether the security critical data is treated as security critical depending on what interaction with the security critical data is being requested by distinguishing some methods of the set container as security critical such that the security critical data can only be accessed via methods with elevated permissions, including:
  - marking the set method as a security critical method; and
  - indicating that the get method is not a security critical method, such that the security critical data can be read by code without elevated permissions via the get method, and the security critical data only can be set by code with elevated permissions via the set method.
Dependent claims: 11, 12, 13, 14, 15
16. A computer program product for use at a computer system, the computer program product for implementing a method for configuring platform code to simplify checks for security problems, the computer program product including one or more computer storage having stored thereon computer-executable instructions, that when executed at a processor, cause the computer system to perform the method, including performing the following:
- a programming language class providing a get container for security critical data, the programming language including a plurality of methods for interacting with the security critical data in the set container, the plurality of methods including a get method; and
- selectively controlling whether the security critical data is treated as security critical depending on what interaction with the security critical data is being requested by distinguishing the get method as security critical such that the security critical data can only be accessed via methods with elevated permissions, including:
  - marking the get method as a security critical method; and
  - indicating that one or more other methods that access an actual field pointing to the programming language class are not security critical methods, such that the security critical data only can be read by code with elevated permissions via the get method, and existence / initialization checks may be performed by code without elevated permissions.
Dependent claims: 17, 18, 19
Specification