Methods, systems, and data structures for loading and authenticating a module
Abstract
Methods, systems, and data structures are provided for loading, authenticating, and configuring a module. A loader authenticates the identity of an instance of the module and configuration data associated with the instance of the module. Additionally, the loader generates a loadable executable instance of the module and loads the executable instance into a customized execution environment based on the configuration data. Moreover, the loader attests to the identity of the executable instance by providing one or more assertions as an attestation. The presence of the attestation provides evidence to support automatic identity and configuration authentication for the loaded executable instance, when the executable instance requests external resources that require authentication, or when the identity of the loadable executable instance is requested.
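An added example (not code from the patent or its assignee) sketching the flow the abstract describes: the loader authenticates the configuration, validates the module checksum, and issues a signed attestation per instance that an external resource then checks. Assumptions: HMAC-SHA256 with constructed keys stands in for the digital signatures, a JSON object stands in for the SAML statements, encryption of the assertion is omitted, and all names are hypothetical.

```python
import hashlib, hmac, json, time

# Constructed demo keys; HMAC-SHA256 stands in for the signatures named in the claims.
AUTHORITY_KEY = b"constructed-configuring-authority-key"
LOADER_KEY = b"constructed-loader-key"

def sign(key, obj):
    """MAC over a canonical JSON encoding of obj."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def load_and_attest(module_bytes, config, config_sig, now=None):
    """Authenticate config, check module integrity, return one attestation per instance."""
    if not hmac.compare_digest(sign(AUTHORITY_KEY, config), config_sig):
        raise PermissionError("configuration not signed by configuring authority")
    digest = hashlib.sha256(module_bytes).hexdigest()
    if not hmac.compare_digest(digest, config["module_sha256"]):
        raise PermissionError("module checksum mismatch")
    ids = [i["identity"] for i in config["instances"]]
    if len(set(ids)) != len(ids):
        raise ValueError("instance identities must be unique")
    out = []
    for inst in config["instances"]:
        stmts = {  # JSON stand-in for the statements listed in the claims
            "asserted_by": "loader",
            "reasons": ["configuration signature valid", "module checksum matched"],
            "evidence": {"module_sha256": digest, "config_sig": config_sig},
            "verification_method": "HMAC-SHA256 over canonical JSON; SHA-256 of module",
            "verified_by": "loader",
            "verified_at": int(now if now is not None else time.time()),
            "identity": inst["identity"],
            "authorized": inst["access"],
            "checksum_validated": True,
            "resource_needs": inst.get("resource_needs", []),
        }
        out.append({"statements": stmts, "signature": sign(LOADER_KEY, stmts)})
    return out

def resource_accepts(attestation, action):
    """External resource: verify the loader's signature, then check authorization."""
    s = attestation["statements"]
    ok = hmac.compare_digest(sign(LOADER_KEY, s), attestation["signature"])
    return ok and s["checksum_validated"] and action in s["authorized"]

# Constructed sample input: one module, two instances with independent access levels.
MODULE = b"print('module body')"
CONFIG = {"module_sha256": hashlib.sha256(MODULE).hexdigest(), "instances": [
    {"identity": "svc-a", "access": ["read"], "resource_needs": ["db"]},
    {"identity": "svc-b", "access": ["read", "write"]}]}
CONFIG_SIG = sign(AUTHORITY_KEY, CONFIG)
```

With a shared-key MAC the resource could also forge attestations, so a real deployment would use an asymmetric signature whose private key only the loader holds.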
24 Claims
1. A method to load a module, comprising:
- establishing, on a computer system, an execution environment for a plurality of executable instances of a module;
- processing, by a loader module of the execution environment, restrictions embodied in a configuration data file, the restrictions defining processing capabilities for each of the plurality of executable instances, access levels for each of the plurality of executable instances within the execution environment, and an identity for each of the plurality of executable instances within the execution environment, each of the plurality of executable instances having its own independent access levels, unique identity, and attributes within the execution environment, the configuration data file also signed by a configuring authority;
- loading, by the loader module, each of the plurality of executable instances in the execution environment based on the processing of the restrictions in the configuration data file; and
- attesting to the identity of each of the plurality of executable instances by the loader module, attesting comprises generating, by the loader module and based at least in part on the configuration data file, attestation for an assertion of the instance and the assertion comprises an encrypted and digitally signed plurality of Security Assertion Markup Language (SAML) statements, the SAML statements comprising;
  - a statement identifying who made the assertion,
  - one or more statements identifying reasons for assuming the assertion is true,
  - one or more statements identifying evidence that forms the basis of the reasons,
  - one or more statements identifying a manner in which the assertion was verified,
  - a statement identifying by whom the assertion was verified,
  - a statement identifying when the assertion was verified,
  - one or more statements identifying indications as to what the instance of the module is authorized to do within a given context,
  - a statement indicating that a checksum for the instance was validated for integrity of the instance, and
  - one or more statements instructing a requesting resource on resource needs required by the instance within the execution environment;
- wherein an external resource relies on the attestation as a testament that the identity is authentic and as an indication that the instance is permitted to access the external resource.

View Dependent Claims (2, 3, 4, 5, 6, 7, 8)

9. A system comprising:
- a processor; and
- a memory coupled with and readable by the processor and having stored thereon a sequence of instructions which, when executed by the processor, causes the processor to establish an execution environment for a plurality of executable instances of a module and load the module into the execution environment by;
- processing, by a loader module of the execution environment, restrictions embodied in a configuration data, the restrictions-defining processing capabilities for each of the plurality of executable instances, access levels for each of the plurality of executable instances within the execution environment, and an identity for each of the plurality of executable instances within the execution environment, each of the plurality of executable instances having its own independent access levels, unique identity, and attributes within the execution environment, the configuration data file also signed by a configuring authority,
- loading, by the loader module, each of the plurality of executable instances in the execution environment based on the processing of the restrictions in the configuration data file, and
- attesting to the identity of each of the plurality of executable instances by the loader module, attesting comprises generating, by the loader module and based at least in part on the configuration data file, attestation for an assertion of the instance and the assertion comprises an encrypted and digitally signed plurality of Security Assertion Markup Language (SAML) statements, the SAML statements comprising;
  - a statement identifying who made the assertion,
  - one or more statements identifying reasons for assuming the assertion is true,
  - one or more statements identifying evidence that forms the basis of the reasons,
  - one or more statements identifying a manner in which the assertion was verified,
  - a statement identifying by whom the assertion was verified,
  - a statement identifying when the assertion was verified,
  - one or more statements identifying indications as to what the instance of the module is authorized to do within a given context,
  - a statement indicating that a checksum for the instance was validated for integrity of the instance, and
  - one or more statements instructing a requesting resource on resource needs required by the instance within the execution environment;
- wherein an external resource relies on the attestation as a testament that the identity is authentic and as an indication that the instance is permitted to access the external resource.

View Dependent Claims (10, 11, 12, 13, 14, 15, 16)

17. A computer-readable memory having stored therein a sequence of instructions which, when executed by a processor, causes the processor to establish an execution environment for a plurality of executable instances of a module and load the module into the execution environment by:
- processing, by a loader module of the execution environment, restrictions embodied in a configuration data, the restrictions-defining processing capabilities for each of the plurality of executable instances, access levels for each of the plurality of executable instances within the execution environment, and an identity for each of the plurality of executable instances within the execution environment, each of the plurality of executable instances having its own independent access levels, unique identity, and attributes within the execution environment, the configuration data file also signed by a configuring authority,
- loading, by the loader module, each of the plurality of executable instances in the execution environment based on the processing of the restrictions in the configuration data file, and
- attesting to the identity of each of the plurality of executable instances by the loader module, attesting comprises generating, by the loader module and based at least in part on the configuration data file, attestation for an assertion of the instance and the assertion comprises an encrypted and digitally signed plurality of Security Assertion Markup Language (SAML) statements, the SAML statements comprising;
  - a statement identifying who made the assertion,
  - one or more statements identifying reasons for assuming the assertion is true,
  - one or more statements identifying evidence that forms the basis of the reasons,
  - one or more statements identifying a manner in which the assertion was verified,
  - a statement identifying by whom the assertion was verified,
  - a statement identifying when the assertion was verified,
  - one or more statements identifying indications as to what the instance of the module is authorized to do within a given context,
  - a statement indicating that a checksum for the instance was validated for integrity of the instance, and
  - one or more statements instructing a requesting resource on resource needs required by the instance within the execution environment;
- wherein an external resource relies on the attestation as a testament that the identity is authentic and as an indication that the instance is permitted to access the external resource.

View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
Specification