System, method and apparatus for simultaneous definition and enforcement of access-control and integrity policies
First Claim
1. A method for enforcement of access-control and integrity policies in a computing system, the method comprising:
- detecting security-sensitive sinks in software code for an application running on the computing system, each detected security-sensitive sink comprising at least one variable, each variable comprising a plurality of values;
- retrieving the access-control policy from a database accessible to the computing system, the access-control policy mapping a set of access permissions within the computing system to each one of a plurality of principals;
- determining, for all detected security-sensitive sinks, all influencing principals by identifying all principals located within a current call stack associated with each detected security-sensitive sink and all principals, both within the current call stack and outside the current call stack, from which the plurality of values are obtained that are read into the at least one variable of each detected security-sensitive sink;
- assigning a permission label to the at least one variable, each permission label comprising a set of access permissions granted to each value within the at least one variable;
- assigning an overall access permission to each detected security-sensitive sink by taking the intersection of the set of access permissions for all influencing principals of the plurality of values of all variables of each detected security-sensitive sink; and
- reporting an integrity violation when the overall access permission for any one of the detected security-sensitive sinks is insufficient to satisfy a demanded permission from a resource within the computing system.
Abstract
Access-control and information-flow integrity policies are enforced in a computing system by detecting security-sensitive sinks in software code for an application running on the computing system and retrieving an access-control policy from a database accessible to the computing system. The access-control policy maps a set of access permissions within the computing system to each one of a plurality of principals. For each detected security-sensitive sink, all principals that influence that security-sensitive sink are detected and an overall access permission is assigned to each security-sensitive sink by taking the intersection of the access permission sets for all influencing principals of that security-sensitive sink. If this permission set is inadequate, an integrity violation is reported. In addition, permission labels are assigned to each value of variables used in the security-sensitive sinks. Each permission label is a set of permissions.
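The check described in the abstract and in claim 1, as a Python simulation added here (this is not code from the patent or its assignee): values carry permission labels, the influencing principals of a sink are the principals on the current call stack plus the principals whose values flow into the sink's arguments, the sink's overall permission is the intersection of all their permission sets, and a violation is reported when the demanded permission is missing from that intersection. The principals (`app`, `plugin`, `web`), their permission sets, the sink names and the demanded permissions are constructed assumptions for the example.

```python
"""Added simulation of the claimed check: values carry permission labels, a sink's
overall permission is the intersection over every influencing principal (those on
the call stack plus those whose values flow into the sink's arguments), and a
violation is reported when the demanded permission is missing from that set."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

Permissions = FrozenSet[str]

# Constructed access-control policy (assumption, not from the patent):
# principal -> set of access permissions granted to it.
POLICY: Dict[str, Permissions] = {
    "app":    frozenset({"file.read", "file.write", "net.connect"}),
    "plugin": frozenset({"file.read"}),
    "web":    frozenset(),  # untrusted request data: influences values, holds no permission
}


@dataclass(frozen=True)
class Labeled:
    """A value together with its permission label (permissions granted to that value)."""
    value: str
    label: Permissions


def from_principal(principal: str, value: str) -> Labeled:
    """A value obtained from a principal is labeled with that principal's permissions."""
    return Labeled(value, POLICY[principal])


def concat(*parts: Labeled) -> Labeled:
    """A value derived from several values keeps only the permissions common to all of them."""
    if not parts:
        raise ValueError("concat needs at least one part")
    label = frozenset.intersection(*(p.label for p in parts))
    return Labeled("".join(p.value for p in parts), label)


def overall_permission(call_stack: List[str], args: List[Labeled]) -> Permissions:
    """Intersect the permission sets of all influencing principals of a sink:
    principals on the current call stack and the labels of the values read into
    the sink's variables (which encode principals outside the call stack)."""
    sets = [POLICY[p] for p in call_stack] + [a.label for a in args]
    if not sets:
        return frozenset()  # no influencing principal: grant nothing
    return frozenset.intersection(*sets)


def check_sink(sink: str, demanded: str, call_stack: List[str],
               args: List[Labeled]) -> Optional[str]:
    """Return None when the sink may proceed, else an integrity-violation report."""
    granted = overall_permission(call_stack, args)
    if demanded in granted:
        return None
    return (f"integrity violation at {sink}: demanded {demanded!r}, "
            f"overall permission {sorted(granted)}, stack {call_stack}, "
            f"args {[a.value for a in args]}")


def run_scenarios() -> Dict[str, Optional[str]]:
    """Four constructed call sites of file sinks; write_file demands 'file.write'."""
    path = from_principal("app", "/var/app/report.txt")
    # Value influenced by untrusted input: its label is POLICY['app'] & POLICY['web'] == {}.
    tainted = concat(from_principal("app", "/var/app/"),
                     from_principal("web", "../../etc/passwd"))
    return {
        # app alone, app-built path: allowed
        "trusted": check_sink("write_file", "file.write", ["app"], [path]),
        # plugin frame on the stack lacks file.write: call-stack violation
        "plugin_on_stack": check_sink("write_file", "file.write", ["app", "plugin"], [path]),
        # app alone, but the path carries web influence: information-flow violation
        "web_tainted_value": check_sink("write_file", "file.write", ["app"], [tainted]),
        # same plugin stack reading a file: file.read is in the intersection
        "plugin_read": check_sink("read_file", "file.read", ["app", "plugin"], [path]),
    }


if __name__ == "__main__":
    for name, report in run_scenarios().items():
        print(f"{name}: {'allowed' if report is None else report}")
```

The call-stack intersection is the access-control half of the check (a caller that lacks the permission cannot reach the sink through a more privileged callee), and the value labels are the integrity half: because `web` holds no permissions, any value it influences ends up with an empty label, so the concatenated path is rejected at `write_file` even though `app` itself holds `file.write`. Labels are derived by intersection on every operation that combines values, so a principal outside the call stack is accounted for without being present on it.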
25 Claims
1. A method for enforcement of access-control and integrity policies in a computing system (independent claim; text as set out in full under First Claim above). Dependent claims: 2 to 14.
15. A method for enforcement of access-control and integrity policies in a computing system, the method comprising:
- detecting security-sensitive sinks in software code for an application running on the computing system;
- retrieving the access-control policy from a database accessible to the computing system, the access-control policy mapping a set of access permissions within the computing system to each one of a plurality of principals;
- identifying variables used in the security-sensitive sinks and originating from principals located both within a current call stack associated with each sink and outside the call stack, each variable having a value obtained from one of the principals;
- assigning a permission label to each value of each variable, each assigned permission label comprising a set of permissions granted to that value; and
- using assigned permission labels to make access control decisions for the security-sensitive sinks within the computing system.
Dependent claims: 16 to 19.
20. A non-transitory computer-readable medium containing computer-readable code that, when read by a computer, causes the computer to perform a method for enforcement of access-control and integrity policies in a computing system, the method comprising:
- detecting security-sensitive sinks in software code for an application running on the computing system, each detected security-sensitive sink comprising at least one variable, each variable comprising a plurality of values;
- retrieving the access-control policy from a database accessible to the computing system, the access-control policy mapping a set of access permissions within the computing system to each one of a plurality of principals;
- determining, for all detected security-sensitive sinks, all influencing principals by identifying all principals located within a current call stack associated with each detected security-sensitive sink and all principals, both within the current call stack and outside the current call stack, from which the plurality of values are obtained that are read into the at least one variable of each detected security-sensitive sink;
- assigning a permission label to the at least one variable, each permission label comprising a set of access permissions granted to each value within the at least one variable;
- assigning an overall access permission to each detected security-sensitive sink by taking the intersection of the set of access permissions for all influencing principals of the plurality of values of all variables of each detected security-sensitive sink; and
- reporting an integrity violation when the overall access permission for any one of the detected security-sensitive sinks is insufficient to satisfy a demanded permission from a resource within the computing system.
Dependent claims: 21 to 23.
24. A non-transitory computer-readable medium containing computer-readable code that, when read by a computer, causes the computer to perform a method for enforcement of access-control and integrity policies in a computing system, the method comprising:
- detecting security-sensitive sinks in software code for an application running on the computing system;
- retrieving the access-control policy from a database accessible to the computing system, the access-control policy mapping a set of access permissions within the computing system to each one of a plurality of principals;
- identifying variables used in the security-sensitive sinks and originating from principals located both within a current call stack associated with each sink and outside the call stack, each variable having a value obtained from one of the principals;
- assigning a permission label to each value of each variable, each assigned permission label comprising a set of permissions granted to that value; and
- using assigned permission labels to make access control decisions for the security-sensitive sinks within the computing system.
Dependent claims: 25.