Secure bytecode instrumentation facility
First Claim
1. A computer implemented method for registering a new code fragment in an encrypted registry of a bytecode instrumentation facility, the computer implemented method comprising:
- extracting a digital certificate from a specified code fragment location;
determining, using the digital certificate, whether a certification authority in the digital certificate is a registered trusted certification authority;
responsive to a determination that the certification authority is a registered trusted certification authority, determining whether an origin of the code fragment is a registered trusted origin;
responsive to a determination that the origin of the code fragment is a registered trusted origin, determining whether the code fragment is authentic; and
responsive to a determination that the code fragment is authentic, recording information of the code fragment into the encrypted registry, the encrypted registry further comprising a list of registered code fragment information, a list of associations between code fragment locations and class locations, a list of trusted code fragment origins used to verify that a code fragment being registered originated from a trusted source, and a list of trusted certification authorities used to verify that the certificate has been signed from a trusted certification authority, wherein the code fragment locations include digital certificates used in determining whether an identity of a code signer is in a list of registered trusted certification authorities in the encrypted registry, wherein security of the bytecode instrumentation facility is increased.
1 Assignment
0 Petitions
Accused Products
Abstract
A secure bytecode instrumentation facility, wherein a new code fragment is registered in an encrypted registry by first extracting a digital certificate from a specified code fragment location. A certification authority (CA) in the digital certificate is compared against a list of registered trusted certification authorities in the registry. If the CA is in the registry list, the code fragment origin in the digital certificate is compared against a list of registered trusted origins in the registry. If the code fragment origin is in the registry list, a determination is made as to whether the code fragment is authentic. If so, the information of the code fragment is recorded into the registry. The injection of code fragments may begin upon the initialization of the instrumentation facility if the encrypted registry has not been corrupted since last accessed, and if the code fragment content matches code fragment information in the registry.
-
Citations
18 Claims
-
1. A computer implemented method for registering a new code fragment in an encrypted registry of a bytecode instrumentation facility, the computer implemented method comprising:
-
extracting a digital certificate from a specified code fragment location; determining, using the digital certificate, whether a certification authority in the digital certificate is a registered trusted certification authority; responsive to a determination that the certification authority is a registered trusted certification authority, determining whether an origin of the code fragment is a registered trusted origin; responsive to a determination that the origin of the code fragment is a registered trusted origin, determining whether the code fragment is authentic; and responsive to a determination that the code fragment is authentic, recording information of the code fragment into the encrypted registry, the encrypted registry further comprising a list of registered code fragment information, a list of associations between code fragment locations and class locations, a list of trusted code fragment origins used to verify that a code fragment being registered originated from a trusted source, and a list of trusted certification authorities used to verify that the certificate has been signed from a trusted certification authority, wherein the code fragment locations include digital certificates used in determining whether an identity of a code signer is in a list of registered trusted certification authorities in the encrypted registry, wherein security of the bytecode instrumentation facility is increased. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
-
-
11. A computer implemented method for initializing a bytecode instrumentation facility, the computer implemented method comprising:
-
determining whether an encrypted registry has been corrupted since a last time the encrypted registry was accessed; responsive to a determination that the encrypted registry has not been corrupted, extracting a digital certificate from a specified code fragment location for each code fragment in the encrypted registry; determining, using the digital certificate, whether a certification authority in the digital certificate is a registered trusted certification authority; responsive to a determination that the certification authority is a registered trusted certification authority, determining whether an origin of the code fragment is a registered trusted origin; responsive to a determination that the origin of the code fragment is a registered trusted origin, determining whether the code fragment is authentic; responsive to a determination that the code fragment is authentic, loading the code fragment in memory to prevent the code fragment from being accessed while the bytecode instrumentation facility is executing; and completing initialization of the bytecode instrumentation facility and beginning injection of code fragments, the encrypted registry further comprising a list of registered code fragment information, a list of associations between code fragment locations and class locations, a list of trusted code fragment origins used to verify that a code fragment being registered originated from a trusted source, and a list of trusted certification authorities used to verify that the certificate has been signed from a trusted certification authority, wherein the code fragment locations include digital certificates used in determining whether an identity of a code signer is in a list of registered trusted certification authorities in the encrypted registry, wherein security of the bytecode instrumentation facility is increased.
-
-
12. A computer program product for registering a new code fragment in an encrypted registry of a bytecode instrumentation facility, the computer program product comprising:
-
a computer usable memory element having computer usable program code stored thereon, the computer usable program code comprising; computer usable program code for extracting a digital certificate from a specified code fragment location; computer usable program code for determining, using the digital certificate, a certification authority in the digital certificate is a registered trusted certification authority; computer usable program code responsive to a determination that the certification authority is a registered trusted certification authority for determining whether an origin of the code fragment is a registered trusted origin; computer usable program code responsive to a determination that the origin of the code fragment is a registered trusted origin for determining whether the code fragment is authentic ; and computer usable program code responsive to a determination that the code fragment is authentic for recording information of the code fragment into the encrypted registry the encrypted registry further comprising a list of registered code fragment information, a list of associations between code fragment locations and class locations, a list of trusted code fragment origins used to verify that a code fragment being registered originated from a trusted source, and a list of trusted certification authorities used to verify that the certificate has been signed from a trusted certification authority, wherein the code fragment locations include digital certificates used in determining whether an identity of a code signer is in a list of registered trusted certification authorities in the encrypted registry, wherein security of the bytecode instrumentation facility is increased. - View Dependent Claims (13, 14, 15, 16, 17, 18)
-
Specification