Secure bytecode instrumentation facility

US 7,788,730 B2
Filed: 01/17/2006
Issued: 08/31/2010
Est. Priority Date: 01/17/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A computer implemented method for registering a new code fragment in an encrypted registry of a bytecode instrumentation facility, the computer implemented method comprising:

extracting a digital certificate from a specified code fragment location;

determining, using the digital certificate, whether a certification authority in the digital certificate is a registered trusted certification authority;

responsive to a determination that the certification authority is a registered trusted certification authority, determining whether an origin of the code fragment is a registered trusted origin;

responsive to a determination that the origin of the code fragment is a registered trusted origin, determining whether the code fragment is authentic; and

responsive to a determination that the code fragment is authentic, recording information of the code fragment into the encrypted registry, the encrypted registry further comprising a list of registered code fragment information, a list of associations between code fragment locations and class locations, a list of trusted code fragment origins used to verify that a code fragment being registered originated from a trusted source, and a list of trusted certification authorities used to verify that the certificate has been signed from a trusted certification authority, wherein the code fragment locations include digital certificates used in determining whether an identity of a code signer is in a list of registered trusted certification authorities in the encrypted registry, wherein security of the bytecode instrumentation facility is increased.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure bytecode instrumentation facility, wherein a new code fragment is registered in an encrypted registry by first extracting a digital certificate from a specified code fragment location. A certification authority (CA) in the digital certificate is compared against a list of registered trusted certification authorities in the registry. If the CA is in the registry list, the code fragment origin in the digital certificate is compared against a list of registered trusted origins in the registry. If the code fragment origin is in the registry list, a determination is made as to whether the code fragment is authentic. If so, the information of the code fragment is recorded into the registry. The injection of code fragments may begin upon the initialization of the instrumentation facility if the encrypted registry has not been corrupted since last accessed, and if the code fragment content matches code fragment information in the registry.

Citations

18 Claims

1. A computer implemented method for registering a new code fragment in an encrypted registry of a bytecode instrumentation facility, the computer implemented method comprising:
- extracting a digital certificate from a specified code fragment location;
  
  determining, using the digital certificate, whether a certification authority in the digital certificate is a registered trusted certification authority;
  
  responsive to a determination that the certification authority is a registered trusted certification authority, determining whether an origin of the code fragment is a registered trusted origin;
  
  responsive to a determination that the origin of the code fragment is a registered trusted origin, determining whether the code fragment is authentic; and
  
  responsive to a determination that the code fragment is authentic, recording information of the code fragment into the encrypted registry, the encrypted registry further comprising a list of registered code fragment information, a list of associations between code fragment locations and class locations, a list of trusted code fragment origins used to verify that a code fragment being registered originated from a trusted source, and a list of trusted certification authorities used to verify that the certificate has been signed from a trusted certification authority, wherein the code fragment locations include digital certificates used in determining whether an identity of a code signer is in a list of registered trusted certification authorities in the encrypted registry, wherein security of the bytecode instrumentation facility is increased.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer implemented method of claim 1, further comprising:
    - initializing the bytecode instrumentation facility, wherein the steps of initialization include;
      
      determining whether the encrypted registry has been corrupted since a last time the encrypted registry was accessed;
      
      responsive to a determination that the encrypted registry has not been corrupted, determining whether the content of the code fragment matches information of the code fragment in the encrypted registry; and
      
      responsive to a determination that the content of the code fragment matches the information of the code fragment in the encrypted registry, completing initialization of the bytecode instrumentation facility and beginning injection of code fragments.
  - 3. The computer implemented method of claim 1, further comprising:
    - appending content of the code fragment to the encrypted registry.
  - 4. The computer implemented method of claim 3, further comprising:
    - initializing the bytecode instrumentation facility, wherein the steps of initialization include;
      
      determining whether the encrypted registry has been corrupted since a last time the encrypted registry was accessed; and
      
      responsive to a determination that the encrypted registry has not been corrupted, completing initialization of the bytecode instrumentation facility and beginning injection of code fragments.
  - 5. The computer implemented method of claim 1, wherein information recorded in the encrypted registry is managed via password protected commands.
  - 6. The computer implemented method of claim 1, wherein the information of the code fragment recorded in the encrypted registry includes at least one of origin, location, file dates/times, file size, or file checksum data.
  - 7. The computer implemented method of claim 1, wherein using the digital certificate to determine whether a certification authority in the digital certificate is a registered trusted certification authority comprises comparing the extracted digital signature against the list of registered trusted certification authorities in the encrypted registry.
  - 8. The computer implemented method of claim 1, wherein the origin of the code fragment comprises an identity of at least one of a code signer or publisher.
  - 9. The computer implemented method of claim 1, wherein determining whether an origin of the code fragment is a registered trusted origin comprises comparing the extracted digital signature against a list of registered trusted origins in the encrypted registry.
  - 10. The computer implemented method of claim 1, wherein the determination whether the code fragment is authentic includes determining if one of a size or checksum of the code fragment differs from a size or checksum information for the code fragment in the extracted digital signature.

11. A computer implemented method for initializing a bytecode instrumentation facility, the computer implemented method comprising:
- determining whether an encrypted registry has been corrupted since a last time the encrypted registry was accessed;
  
  responsive to a determination that the encrypted registry has not been corrupted, extracting a digital certificate from a specified code fragment location for each code fragment in the encrypted registry;
  
  determining, using the digital certificate, whether a certification authority in the digital certificate is a registered trusted certification authority;
  
  responsive to a determination that the certification authority is a registered trusted certification authority, determining whether an origin of the code fragment is a registered trusted origin;
  
  responsive to a determination that the origin of the code fragment is a registered trusted origin, determining whether the code fragment is authentic;
  
  responsive to a determination that the code fragment is authentic, loading the code fragment in memory to prevent the code fragment from being accessed while the bytecode instrumentation facility is executing; and
  
  completing initialization of the bytecode instrumentation facility and beginning injection of code fragments, the encrypted registry further comprising a list of registered code fragment information, a list of associations between code fragment locations and class locations, a list of trusted code fragment origins used to verify that a code fragment being registered originated from a trusted source, and a list of trusted certification authorities used to verify that the certificate has been signed from a trusted certification authority, wherein the code fragment locations include digital certificates used in determining whether an identity of a code signer is in a list of registered trusted certification authorities in the encrypted registry, wherein security of the bytecode instrumentation facility is increased.

12. A computer program product for registering a new code fragment in an encrypted registry of a bytecode instrumentation facility, the computer program product comprising:
- a computer usable memory element having computer usable program code stored thereon, the computer usable program code comprising;
  
  computer usable program code for extracting a digital certificate from a specified code fragment location;
  
  computer usable program code for determining, using the digital certificate, a certification authority in the digital certificate is a registered trusted certification authority;
  
  computer usable program code responsive to a determination that the certification authority is a registered trusted certification authority for determining whether an origin of the code fragment is a registered trusted origin;
  
  computer usable program code responsive to a determination that the origin of the code fragment is a registered trusted origin for determining whether the code fragment is authentic ; and
  
  computer usable program code responsive to a determination that the code fragment is authentic for recording information of the code fragment into the encrypted registry the encrypted registry further comprising a list of registered code fragment information, a list of associations between code fragment locations and class locations, a list of trusted code fragment origins used to verify that a code fragment being registered originated from a trusted source, and a list of trusted certification authorities used to verify that the certificate has been signed from a trusted certification authority, wherein the code fragment locations include digital certificates used in determining whether an identity of a code signer is in a list of registered trusted certification authorities in the encrypted registry, wherein security of the bytecode instrumentation facility is increased.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The computer program product of claim 12, further comprising computer usable program code for initializing the bytecode instrumentation facility, wherein the computer usable program code for initializing the bytecode instrumentation facility includes:
    - computer usable program code for determining whether the encrypted registry has been corrupted since a last time the encrypted registry was accessed;
      
      computer usable program code responsive to a determination that the encrypted registry has not been corrupted for determining whether the content of the code fragment matches information of the code fragment in the encrypted registry; and
      
      computer usable program code responsive to a determination that the content of the code fragment matches the information of the code fragment in the encrypted registry for completing initialization of the bytecode instrumentation facility and beginning injection of code fragments.
  - 14. The computer program product of claim 12, further comprising computer usable program code for appending content of the code fragment to the encrypted registry.
  - 15. The computer program product of claim 14, further comprising computer usable program code for initializing the bytecode instrumentation facility, wherein the computer usable program code for initializing the bytecode instrumentation facility include:
    - computer usable program code for determining whether the encrypted registry has been corrupted since a last time the encrypted registry was accessed; and
      
      computer usable program code for completing initialization of the bytecode instrumentation facility and beginning injection of code fragments when the encrypted registry has not been corrupted.
  - 16. The computer program product of claim 12, wherein information recorded in encrypted registry is managed via password protected commands.
  - 17. The computer program product of claim 12, wherein the information of the code fragment recorded in the encrypted registry includes at least one of origin, location, file dates/times, file size, or file checksum data.
  - 18. The computer program product of claim 12, wherein the computer usable program code for using the digital certificate to determine whether a certification authority in the digital certificate is a registered trusted certification authority further comprises computer usable program code for comparing the extracted digital signature against a list of registered trusted certification authorities in the encrypted registry.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Giammaria, Alberto, Dean, Jeffrey R.
Primary Examiner(s)
Barron, Jr.; Gilberto
Assistant Examiner(s)
PERUNGAVOOR, VENKATANARAY

Application Number

US11/333,452
Publication Number

US 20070168670A1
Time in Patent Office

1,687 Days
Field of Search

717/158, 717/140, 717/131, 717/126, 713/155, 713/156, 713/175, 713165-167, 713/161, 726/26, 726/30, 726 22- 24
US Class Current

726/30
CPC Class Codes

G06F 21/52 during program execution, e...

G06F 21/54 by adding security routines...

Secure bytecode instrumentation facility

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Secure bytecode instrumentation facility

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links