Access authorization having embedded policies
First Claim
Patent Images
1. A method in a computing system having a memory and a processor for receiving an embedded policy, the method comprising:
- receiving a request to load a first application program of a first application program image;
determining whether a first policy is embedded within the first application program image, such that the first application program image contains the first application program and the embedded first policy, wherein the first policy is coded in a programming language;
responsive to determining that a first policy is embedded in the first application program image;
with the processor, extracting the first policy from the first application program image,loading the first application program for execution by the processor,starting execution of the first application program,with the processor, intercepting a call by the first application program to access a resource, andupon intercepting the call,with the processor, executing the code of the extracted first policy to determine whether to allow or deny the access,upon determining that the access is allowed, enabling the access, andupon determining that the access is not allowed, preventing the accessso that the first application program of the first application program image is restricted from accessing computer resources in accordance with the access restrictions defined by the first policy embedded within the first application program image;
embedding a second policy within a second application program, wherein the second policy defines access restrictions for the second application program, so that the second application program contains the embedded second policy;
accessing a directed graph that represents system calls normally issued by the second application program, wherein the directed graph was previously generated by tracking previous instances of the second application program;
tracking the execution of a second instance of the second application program; and
upon detecting, based on the tracking and the directed graph, an anomalous condition in the execution of the second instance of the application program,extracting the embedded second policy from within the second application program, andapplying the extracted second policy to the second instance of the application programso that the second instance of the second application program is restricted from accessing computer resources in accordance with the access restrictions defined by the second policy that is embedded within the second application program.
2 Assignments
0 Petitions
Accused Products
Abstract
A facility for receiving an embedded policy is provided. The facility checks an application program image for the presence of an embedded policy. If an embedded policy is detected, the facility extracts the policy from within the application program image. The facility may then apply the extracted policy to the application program image before the application program image is loaded and/or executed. Moreover, the facility may check the application program image'"'"'s integrity prior to extracting the embedded policy.
-
Citations
30 Claims
-
1. A method in a computing system having a memory and a processor for receiving an embedded policy, the method comprising:
-
receiving a request to load a first application program of a first application program image; determining whether a first policy is embedded within the first application program image, such that the first application program image contains the first application program and the embedded first policy, wherein the first policy is coded in a programming language; responsive to determining that a first policy is embedded in the first application program image; with the processor, extracting the first policy from the first application program image, loading the first application program for execution by the processor, starting execution of the first application program, with the processor, intercepting a call by the first application program to access a resource, and upon intercepting the call, with the processor, executing the code of the extracted first policy to determine whether to allow or deny the access, upon determining that the access is allowed, enabling the access, and upon determining that the access is not allowed, preventing the access so that the first application program of the first application program image is restricted from accessing computer resources in accordance with the access restrictions defined by the first policy embedded within the first application program image; embedding a second policy within a second application program, wherein the second policy defines access restrictions for the second application program, so that the second application program contains the embedded second policy; accessing a directed graph that represents system calls normally issued by the second application program, wherein the directed graph was previously generated by tracking previous instances of the second application program; tracking the execution of a second instance of the second application program; and upon detecting, based on the tracking and the directed graph, an anomalous condition in the execution of the second instance of the application program, extracting the embedded second policy from within the second application program, and applying the extracted second policy to the second instance of the application program so that the second instance of the second application program is restricted from accessing computer resources in accordance with the access restrictions defined by the second policy that is embedded within the second application program. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. A method in a computing system having a memory and a processor for receiving an embedded policy, the method comprising:
-
receiving a request to load a first application program of a first application program image; determining whether a first policy is embedded within the first application program image, such that the first application program image contains the first application program and the embedded first policy, wherein the first policy is coded in a programming language; responsive to determining that a first policy is embedded in the first application program image; with the processor, extracting the first policy from the first application program image, loading the first application program for execution by the processor, starting execution of the first application program, with the processor, intercepting a call by the first application program to access a resource, and upon intercepting the call, with the processor, executing the code of the extracted first policy to determine whether to allow or deny the access, upon determining that the access is allowed, enabling the access, and upon determining that the access is not allowed, preventing the access so that the first application program of the first application program image is restricted from accessing computer resources in accordance with the access restrictions defined by the first policy embedded within the first application program image; embedding a second policy within a second application program, wherein the second policy defines access restrictions for the second application program, so that the second application program contains the embedded second policy; accessing a directed graph that represents system calls normally issued by the second application program, wherein the directed graph was previously generated by tracking previous instances of the second application program; tracking the execution of a second instance of the second application program; upon detecting, based on the tracking and the directed graph, an anomalous condition in the execution of the second instance of the application program, extracting the embedded second policy from within the second application program, and applying the extracted second policy to the second instance of the application program so that the second instance of the second application program is restricted from accessing computer resources in accordance with the access restrictions defined by the second policy that is embedded within the second application program; and responsive to determining that a first policy is not embedded in the first application program image; when a third policy applicable to the first application program is stored in a policy repository, loading the first application for execution on the computer, and applying the third policy applicable to the first application program that is stored in the policy repository so that the first application program is restricted from accessing computer resources in accordance with the access restrictions defined by the third policy applicable to the first application program that is stored in the policy repository, and when a third policy applicable to the first application program is not stored in the policy repository, not loading the first application program for execution on the computer. - View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
-
-
18. A system having a memory and a processor for applying an embedded policy, the system comprising:
-
a component that receives a request to load an image of a first application program, the image of the first application program containing the first application program; a component that determines whether a first policy is embedded within the first application program, the first policy defining access restrictions for the first application program, such that the first application program contains the embedded first policy, wherein the first policy is coded in a programming language; a component that, responsive to determining that a first policy is embedded within the first application program; extracts the first policy from the first application program, loads the image of the first application program on the computer for execution by the processor, starts execution of the first application program, intercepts a call by the first application program to access a resource, and upon intercepting the call, executes, with a processor, the code of the extracted first policy to determine whether to allow or deny the access, upon determining that the access is allowed, enables the access, and upon determining that the access is not allowed, prevents the access so that the first application program is restricted from accessing computer resources in accordance with the access restrictions defined by the first policy embedded within the first application program; a component that embeds a second policy within a second application program, wherein the second policy defines access restrictions for the second application program, so that the second application program contains the embedded second policy; a component that accesses a directed graph that represents system calls normally issued by the second application program, wherein the directed graph was previously generated by tracking previous instances of the second application program; a component that tracks the execution of a second instance of the second application program; and a component that upon detecting, based on the tracking and the directed graph, an anomalous condition in the execution of the second instance of the application program, extracts the embedded second policy from within the second application program, and applies the extracted second policy to the second instance of the application program so that the second instance of the second application program is restricted from accessing computer resources in accordance with the access restrictions defined by the second policy that is embedded within the second application program. - View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27)
-
-
28. A system having a memory and a processor for applying an embedded policy, the system comprising:
-
a component that receives a request to load an image of a first application program, the image of the first application program containing the first application program; a component that determines whether a first policy is embedded within the first application program, the first policy defining access restrictions for the first application program, such that the first application program contains the embedded first policy, wherein the first policy is coded in a programming language; a component that, responsive to determining that a first policy is embedded within the first application program; extracts the first policy from the first application program, loads the image of the first application program on the computer for execution by the processor; starts execution of the first application program, intercepts a call by the first application program to access a resource, and upon intercepting the call, executes, with a processor, the code of the extracted first policy to determine whether to allow or deny the access, upon determining that the access is allowed, enables the access, and upon determining that the access is not allowed, prevents the access so that the first application program is restricted from accessing computer resources in accordance with the access restrictions defined by the first policy embedded within the first application program; a component that embeds a second policy within a second application program, wherein the second policy defines access restrictions for the second application program, so that the second application program contains the embedded second policy; a component that accesses a directed graph that represents system calls normally issued by the second application program, wherein the directed graph was previously generated by tracking previous instances of the second application program; a component that tracks the execution of a second instance of the second application program; a component that upon detecting, based on the tracking and the directed graph, an anomalous condition in the execution of the second instance of the application program, extracts the embedded second policy from within the second application program, and applies the extracted second policy to the second instance of the application program so that the second instance of the second application program is restricted from accessing computer resources in accordance with the access restrictions defined by the second policy that is embedded within the second application program; and a component that, responsive to determining that a first policy is not embedded in the first application program; when a third policy applicable to the first application program is stored in a policy repository, loads the first application for execution on the computer, and applies the third policy applicable to the first application program that is stored in the policy repository so that the first application program is restricted from accessing computer resources in accordance with the access restrictions defined by the third policy applicable to the first application program that is stored in the policy repository, and when a third policy applicable to the first application program is not stored in the policy repository, does not load the first application program for execution on the computer. - View Dependent Claims (29, 30)
-
Specification