Method and apparatus for preventing rogue implementations of a security-sensitive class interface

US 7,925,881 B2
Filed: 10/04/2007
Issued: 04/12/2011
Est. Priority Date: 02/27/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A method in a data processing system for securing a server runtime environment, comprising:

generating by a server runtime environment executing in a server device a first unique identifier at startup of the server runtime environment to uniquely identify the server runtime environment executing in the server device;

storing the first unique identifier that uniquely identifies the server runtime environment in a private location in the server runtime environment;

receiving a request to instantiate a first user credential object that represents a first user identity;

inserting the first unique identifier that uniquely identifies the server runtime environment in a private field in the first user credential object;

receiving a request to instantiate a second user credential object that represents a second user identity; and

inserting the first unique identifier that uniquely identifies the server runtime environment in a private field in the second user credential object such that the first user credential object and the second user credential object include the same first unique identifier.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for preventing rogue implementations of a security-sensitive class interface are provided. With the method and apparatus, a unique identifier (UID) is created by a server process when the server process is started. Anytime the server process, i.e. a server runtime environment, instantiates a new credential object following start-up of the server process, the encrypted UID is placed into a private field within the new credential object. In addition, the UID is encrypted and stored in a private class of the server runtime environment. A verification class is provided within the server runtime environment which includes one or more methods that receive the credential object as a parameter and return true or false as to the validity of the credential object. These one or more methods determine the validity of the credential object by retrieving the encrypted UID from the private class stored in the server runtime environment, decrypting the UID and comparing it to the decrypted UID stored in the private field of the credential object. If the two UIDs match, a determination is made that the credential object was created by the server runtime environment rather than a rogue application. If the two UIDs do not match, or if there is no UID in the credential object, then a false result will be returned by the verification class.

14 Citations

17 Claims

1. A method in a data processing system for securing a server runtime environment, comprising:
- generating by a server runtime environment executing in a server device a first unique identifier at startup of the server runtime environment to uniquely identify the server runtime environment executing in the server device;
  
  storing the first unique identifier that uniquely identifies the server runtime environment in a private location in the server runtime environment;
  
  receiving a request to instantiate a first user credential object that represents a first user identity;
  
  inserting the first unique identifier that uniquely identifies the server runtime environment in a private field in the first user credential object;
  
  receiving a request to instantiate a second user credential object that represents a second user identity; and
  
  inserting the first unique identifier that uniquely identifies the server runtime environment in a private field in the second user credential object such that the first user credential object and the second user credential object include the same first unique identifier.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising:
    - receiving the second user credential object that represents the second user identity;
      
      obtaining a second unique identifier stored in a private field in the second user credential object;
      
      comparing the second unique identifier to the first unique identifier that uniquely identifies the server runtime environment; and
      
      determining that the second user credential object was instantiated by the server runtime environment only if the second unique identifier matches the first unique identifier that uniquely identifies the server runtime environment.
  - 3. The method of claim 1, wherein the first unique identifier is a pseudo-randomly generated set of alphanumeric characters.
  - 4. The method of claim 1, wherein the first unique identifier is stored in a private class in the server runtime environment.
  - 5. The method of claim 2, wherein comparing the second unique identifier to the first unique identifier includes performing a byte array comparison between the second unique identifier and the first unique identifier.
  - 6. The method of claim 1, wherein the server runtime environment is a Java 2 Security runtime environment.

7. A computer program product stored in a recordable-type storage medium having instructions embodied therein for securing a server runtime environment, comprising:
- instructions for generating by a server runtime environment executing in a server device a first unique identifier at startup of the server runtime environment to uniquely identify the server runtime environment executing in the server device;
  
  instructions for storing the first unique identifier that uniquely identifies the server runtime environment in a private location in the server runtime environment;
  
  instructions for receiving a request to instantiate a first user credential object that represents a first user identity;
  
  instructions for inserting the first unique identifier that uniquely identifies the server runtime environment in a private field in the first user credential object;
  
  instructions for receiving a request to instantiate a second user credential object that represents a second user identity; and
  
  instructions for inserting the first unique identifier that uniquely identifies the server runtime environment in a private field in the second user credential object such that the first user credential object and the second user credential object include the same first unique identifier.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computer program product of claim 7, further comprising:
    - instructions for receiving the second user credential object that represents the second user identity;
      
      instructions for obtaining a second unique identifier stored in a private field in the second user credential object;
      
      instructions for comparing the second unique identifier to the first unique identifier that uniquely identifies the server runtime environment; and
      
      instructions for determining that the second user credential object was instantiated by the server runtime environment only if the second unique identifier matches the first unique identifier that uniquely identifies the server runtime environment.
  - 9. The computer program product of claim 7, wherein the first unique identifier is a pseudo-randomly generated set of alphanumeric characters.
  - 10. The computer program product of claim 7, wherein the first unique identifier is stored in a private class in the server runtime environment.
  - 11. The computer program product of claim 8, wherein the instructions for comparing the second unique identifier to the first unique identifier include instructions for performing a byte array comparison between the second unique identifier and the first unique identifier.
  - 12. The computer program product of claim 7, wherein the server runtime environment is a Java 2 Security runtime environment.

13. An apparatus for securing a server runtime environment, comprising:
- a bus system;
  
  a storage device connected to the bus system, wherein the storage device includes a set of instructions; and
  
  a processing unit connected to the bus system, wherein the processing unit executes the set of instructions to generate by a server runtime environment executing in a server device a first unique identifier at startup of the server runtime environment to uniquely identify the server runtime environment executing in the server device;
  
  store the first unique identifier that uniquely identifies the server runtime environment in a private location in the server runtime environment;
  
  receive a request to instantiate a first user credential object that represents a first user identity;
  
  insert the first unique identifier that uniquely identifies the server runtime environment in a private field in the first user credential object;
  
  receive a request to instantiate a second user credential object that represents a second user identity; and
  
  insert the first unique identifier that uniquely identifies the server runtime environment in a private field in the second user credential object such that the first user credential object and the second user credential object include the same first unique identifier.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The apparatus of claim 13, wherein the processing unit executes a further set of instructions to receive the second user credential object that represents the second user identity;
    - obtain a second unique identifier stored in a private field in the second user credential object;
      
      compare the second unique identifier to the first unique identifier that uniquely identifies the server runtime environment; and
      
      determine that the second user credential object was instantiated by the server runtime environment only if the second unique identifier matches the first unique identifier that uniquely identifies the server runtime environment.
  - 15. The apparatus of claim 13, wherein the first unique identifier is a pseudo-randomly generated set of alphanumeric characters.
  - 16. The apparatus of claim 13, wherein the first unique identifier is stored in a private class in the server runtime environment.
  - 17. The apparatus of claim 14, wherein comparing the second unique identifier to the first unique identifier includes performing a byte array comparison between the second unique identifier and the first unique identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Birk, Peter Daniel, Chung, Hyen Vui, Chao, Ching-Yun
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
YALEW, FIKREMARIAM A

Application Number

US11/867,015
Publication Number

US 20080034202A1
Time in Patent Office

1,286 Days
Field of Search

713/167
US Class Current

713/167
CPC Class Codes

G06F 21/64 Protecting data integrity, ...

Method and apparatus for preventing rogue implementations of a security-sensitive class interface

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

14 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for preventing rogue implementations of a security-sensitive class interface

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links