System, method and apparatus for simultaneous definition and enforcement of access-control and integrity policies

US 8,572,727 B2
Filed: 11/23/2009
Issued: 10/29/2013
Est. Priority Date: 11/23/2009
Status: Expired due to Fees

First Claim

Patent Images

1. A method for enforcement of access-control and integrity policies in a computing system, the method comprising:

detecting security-sensitive sinks in software code for an application running on the computing system, each detected security-sensitive sink comprising at least one variable, each variable comprising a plurality of values;

retrieving the access-control policy from a database accessible to the computing system, the access-control policy mapping a set of access permissions within the computing system to each one of a plurality of principals;

determining, for all detected security-sensitive sinks, all influencing principals by identifying all principals located within a current call stack associated with each detected security-sensitive sink and all principals both within the current call stack and outside the current call stack from which the plurality of values are obtained that are read into the at least one variable of each detected security-sensitive sink;

assigning a permission label to the at least one variable, each permission label comprising a set of access permissions granted to each value within the at least one variable;

assigning an overall access permission to each detected security-sensitive-sink by taking the intersection of the set of access permissions for all influencing principals of the plurality of values of all variables of each detected security-sensitive sink; and

reporting an integrity violation when the overall access permission for any one of the detected security-sensitive-sinks is insufficient to satisfy a demanded permission from a resource within the computing system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Access-control and information-flow integrity policies are enforced in a computing system by detecting security-sensitive sinks in software code for an application running on the computing system and retrieving an access-control policy from a database accessible to the computing system. The access-control policy maps a set of access permissions within the computing system to each one of a plurality of principals. For each detected security-sensitive sink, all principals that influence that security-sensitive sink are detected and an overall access permission is assigned to each security-sensitive sink by taking the intersection of the access permission sets for all influencing principals of that security-sensitive sink. If this permission set is inadequate, an integrity violation is reported. In addition, permission labels are assigned to each value of variables used in the security-sensitive sinks. Each permission label is a set of permissions.

10 Citations

View as Search Results

25 Claims

1. A method for enforcement of access-control and integrity policies in a computing system, the method comprising:
- detecting security-sensitive sinks in software code for an application running on the computing system, each detected security-sensitive sink comprising at least one variable, each variable comprising a plurality of values;
  
  retrieving the access-control policy from a database accessible to the computing system, the access-control policy mapping a set of access permissions within the computing system to each one of a plurality of principals;
  
  determining, for all detected security-sensitive sinks, all influencing principals by identifying all principals located within a current call stack associated with each detected security-sensitive sink and all principals both within the current call stack and outside the current call stack from which the plurality of values are obtained that are read into the at least one variable of each detected security-sensitive sink;
  
  assigning a permission label to the at least one variable, each permission label comprising a set of access permissions granted to each value within the at least one variable;
  
  assigning an overall access permission to each detected security-sensitive-sink by taking the intersection of the set of access permissions for all influencing principals of the plurality of values of all variables of each detected security-sensitive sink; and
  
  reporting an integrity violation when the overall access permission for any one of the detected security-sensitive-sinks is insufficient to satisfy a demanded permission from a resource within the computing system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the step of detecting security-sensitive sinks further comprises using program analysis on the software code.
  - 3. The method of claim 1, wherein the step of using program analysis further comprises using static program analysis on the software code and underlying libraries.
  - 4. The method of claim 1, wherein the step of detecting security-sensitive sinks further comprises:
    - analyzing the software code; and
      
      identifying calls in the software code to an access-control enforcer in the computing system.
  - 5. The method of claim 4, wherein the access-control enforcer enforces the access-control policy.
  - 6. The method of claim 1, wherein the access-control policy is declaratively defined separately from the software code.
  - 7. The method of claim 1, wherein each access permission comprises a set of security-sensitive operations within the computing system that has been granted to a given principal.
  - 8. The method of claim 1, wherein each principal comprises an entity interacting with the computer system whose identify can be verified by authentication and is granted privileges through authorization.
  - 9. The method of claim 1 wherein the plurality of principals comprises user principals, machine principals or service principals.
  - 10. The method of claim 1, further comprising:
    - identifying the variables used in the detected security-sensitive sinks, each variable having a value that can be influenced by one or more principals.
  - 11. The method of claim 10, wherein any of the set of access permissions of the given permission label is derived from sets of access permissions mapped to principals influencing the value associated with the given permission label.
  - 12. The method of claim 1, wherein the step of assigning the permission label occurs at run time of the software code for the application running on the computing system.
  - 13. The method of claim 1, further comprising:
    - detecting a new value created from two or more existing values; and
      
      calculating a new permission label for the new value using the intersection of existing sets of permissions associated with each existing value used to create the new value and a given principal defining the new value.
  - 14. The method of claim 1, wherein the step of assigning the permission label further comprises using the assigned permission label for any given value controlling a conditional statement to constrain other permission labels for any other value defined on the software code dominated by the conditional statement.

15. A method for enforcement of access-control and integrity policies in a computing system, the method comprising:
- detecting security-sensitive sinks in software code for an application running on the computing system;
  
  retrieving the access-control policy from a database accessible to the computing system, the access-control policy mapping a set of access permissions within the computing system to each one of a plurality of principals;
  
  identifying variables used in the security-sensitive sinks and originating from principals located both within a current call stack associated with each sink and outside the call stack, each variable having a value obtained from one of the principals;
  
  assigning a permission label to each value of each variable, each assigned permission label comprising a set of permissions granted to that value; and
  
  using assigned permission labels to make access control decisions for the security-sensitive sinks within the computing system.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The method of claim 15, wherein the step of assigning each permission label occurs at run time of the software code for the application running on the computing system.
  - 17. The method of claim 15, wherein a given set of permissions of a given permission label is derived from sets of permissions mapped to principals influencing the value associated with the given permission label.
  - 18. The method of claim 15, further comprising:
    - detecting a new value created from two or more existing values; and
      
      calculating a new permission label for the new value using the intersection of existing sets of permissions associated with each existing value used to create the new value and a given principal defining the new value.
  - 19. The method of claim 15, wherein the step of assigning the permission label further comprises using the assigned permission label for any given value controlling a conditional statement to constrain other permission labels for any other value defined on the software code dominated by the conditional statement.

20. A nontransitory computer-readable medium containing a computer-readable code that when read by a computer causes the computer to perform a method for enforcement of access-control and integrity policies in a computing system, the method comprising:
- detecting security-sensitive sinks in software code for an application running on the computing system, each detected security-sensitive sink comprising at least one variable, each variable comprising a plurality of values;
  
  retrieving the access-control policy from a database accessible to the computing system, the access-control policy mapping a set of access permissions within the computing system to each one of a plurality of principals;
  
  determining, for all detected security-sensitive sinks, all influencing principals by identifying all principals located within a current call stack associated with each detected security-sensitive sink and all principals both within the current call stack and outside the current call stack from which the plurality of values are obtained that are read into the at least one variable of each detected security-sensitive sink;
  
  assigning a permission label to the at least one variable, each permission label comprising a set of access permissions granted to each value within the at least one variable;
  
  assigning an overall access permission to each detected security-sensitive-sink by taking the intersection of the set of access permissions for all influencing principals of the plurality of values of all variables of each detected security-sensitive sink; and
  
  reporting an integrity violation when the overall access permission for any one of the detected security-sensitive-sinks is insufficient to satisfy a demanded permission from a resource within the computing system.
- View Dependent Claims (21, 22, 23)
- - 21. The nontransitory computer-readable medium of claim 20, wherein the step of detecting security-sensitive sinks further comprises:
    - analyzing the software code; and
      
      identifying calls in the software code to an access-control enforcer in the computing system.
  - 22. The nontransitory computer-readable medium of claim 20, wherein the method further comprises:
    - identifying variables used in the detected security-sensitive sinks, each variable having a value that can be influenced by one or more principals.
  - 23. The nontransitory computer-readable medium of claim 22, wherein any of the set of access permissions of the given permission label is derived from sets of access permissions mapped to principals influencing the value associated with the given permission label.

24. A nontransitory computer-readable medium containing a computer-readable code that when read by a computer causes the computer to perform a method for enforcement of access-control and integrity policies in a computing system, the method comprising:
- detecting security-sensitive sinks in software code for an application running on the computing system;
  
  retrieving the access-control policy from a database accessible to the computing system, the access-control policy mapping a set of access permissions within the computing system to each one of a plurality of principals;
  
  identifying variables used in the security-sensitive sinks and originating from principals located both within a current call stack associated with each sink and outside the call stack, each variable having a value obtained from one of the principals;
  
  assigning a permission label to each value of each variable, each assigned permission label comprising a set of permissions granted to that value; and
  
  using assigned permission labels to make access control decisions for the security-sensitive sinks within the computing system.
- View Dependent Claims (25)
- - 25. The nontransitory computer-readable medium of claim 24, wherein the method further comprises:
    - detecting a new value created from two or more existing values; and
      
      calculating a new permission label for the new value using the intersection of existing sets of permissions associated with each existing value used to create the new value and a given principal defining the new value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Centonze, Paolina, Haviv, Yinnon Avraham, Hay, Roee, Pistoia, Marco, Sharabani, Adi, Tripp, Omer
Primary Examiner(s)
SHEHNI, GHAZAL B

Application Number

US12/624,172
Publication Number

US 20110126282A1
Time in Patent Office

1,436 Days
Field of Search

726/21, 380/185
US Class Current

726/21
CPC Class Codes

G06F 21/51   at application loading time...

G06F 21/57   Certifying or maintaining t...

G06F 21/604   Tools and structures for ma...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

System, method and apparatus for simultaneous definition and enforcement of access-control and integrity policies

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

10 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

System, method and apparatus for simultaneous definition and enforcement of access-control and integrity policies

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links