×

Access authorization having embedded policies

  • US 8,181,219 B2
  • Filed: 10/01/2004
  • Issued: 05/15/2012
  • Est. Priority Date: 10/01/2004
  • Status: Active Grant
First Claim
Patent Images

1. A method in a computing system having a memory and a processor for receiving an embedded policy, the method comprising:

  • receiving a request to load a first application program of a first application program image;

    determining whether a first policy is embedded within the first application program image, such that the first application program image contains the first application program and the embedded first policy, wherein the first policy is coded in a programming language;

    responsive to determining that a first policy is embedded in the first application program image;

    with the processor, extracting the first policy from the first application program image,loading the first application program for execution by the processor,starting execution of the first application program,with the processor, intercepting a call by the first application program to access a resource, andupon intercepting the call,with the processor, executing the code of the extracted first policy to determine whether to allow or deny the access,upon determining that the access is allowed, enabling the access, andupon determining that the access is not allowed, preventing the accessso that the first application program of the first application program image is restricted from accessing computer resources in accordance with the access restrictions defined by the first policy embedded within the first application program image;

    embedding a second policy within a second application program, wherein the second policy defines access restrictions for the second application program, so that the second application program contains the embedded second policy;

    accessing a directed graph that represents system calls normally issued by the second application program, wherein the directed graph was previously generated by tracking previous instances of the second application program;

    tracking the execution of a second instance of the second application program; and

    upon detecting, based on the tracking and the directed graph, an anomalous condition in the execution of the second instance of the application program,extracting the embedded second policy from within the second application program, andapplying the extracted second policy to the second instance of the application programso that the second instance of the second application program is restricted from accessing computer resources in accordance with the access restrictions defined by the second policy that is embedded within the second application program.

View all claims
  • 2 Assignments
Timeline View
Assignment View
    ×
    ×