Context-aware permission control of hybrid mobile applications

US 9,087,190 B2
Filed: 08/17/2013
Issued: 07/21/2015
Est. Priority Date: 05/01/2013
Status: Expired due to Fees

First Claim

Patent Images

1. A data processing system for controlling access to secure resources of the data processing system, the data processing system comprising:

a bus system;

a storage device connected to the bus system, wherein the storage device stores computer readable program code; and

a processor unit connected to the bus system, wherein the processor unit executes the computer readable program code to remove all direct application programming interface calls by an application installed on the data processing system to the secure resources of the data processing system;

require the application accessing the secure resources of the data processing system to utilize a set of custom information flow control application programming interfaces located in an information flow control module of the data processing system to call the secure resources;

generate an input-to-output mapping of the application installed on the data processing system that determines whether a secure resource of the secure resources in the data processing system is shared with an external entity associated with the application and under what specified conditions;

determine whether the specified conditions exist during runtime of the application;

prevent sharing of the secure resource of the data processing system with the external entity associated with the application in response to determining that the specified conditions do not exist during runtime of the application; and

allow sharing of the secure resource of the data processing system with the external entity associated with the application in response to determining that the specified conditions do exist during runtime of the application.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Controlling access to secure resources of a data processing system is provided. An input-to-output mapping of an application installed on the data processing system is generated that determines whether a secure resource in the data processing system is shared with an external entity associated with the application and under what specified conditions. It is determined whether the specified conditions exist during runtime of the application. In response to determining that the specified conditions do not exist during runtime of the application, sharing of the secure resource of the data processing system with the external entity associated with the application is prevented. In response to determining that the specified conditions do exist during runtime of the application, sharing of the secure resource of the data processing system with the external entity associated with the application is allowed.

19 Citations

View as Search Results

14 Claims

1. A data processing system for controlling access to secure resources of the data processing system, the data processing system comprising:
- a bus system;
  
  a storage device connected to the bus system, wherein the storage device stores computer readable program code; and
  
  a processor unit connected to the bus system, wherein the processor unit executes the computer readable program code to remove all direct application programming interface calls by an application installed on the data processing system to the secure resources of the data processing system;
  
  require the application accessing the secure resources of the data processing system to utilize a set of custom information flow control application programming interfaces located in an information flow control module of the data processing system to call the secure resources;
  
  generate an input-to-output mapping of the application installed on the data processing system that determines whether a secure resource of the secure resources in the data processing system is shared with an external entity associated with the application and under what specified conditions;
  
  determine whether the specified conditions exist during runtime of the application;
  
  prevent sharing of the secure resource of the data processing system with the external entity associated with the application in response to determining that the specified conditions do not exist during runtime of the application; and
  
  allow sharing of the secure resource of the data processing system with the external entity associated with the application in response to determining that the specified conditions do exist during runtime of the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The data processing system of claim 1, wherein the processor further executes the computer readable program code to monitor a number of accesses sharing the secure resource of the data processing system with the external entity associated with the application;
    - determine whether the number of accesses sharing the secure resource of the data processing system exceeded an access control threshold value corresponding to the secure resource;
      
      detect whether the specified conditions exist during runtime of the application in response to determining that the number of accesses sharing the secure resource of the data processing system does not exceed the access control threshold value corresponding to the secure resource; and
      
      terminate the sharing of the secure resource of the data processing system with the external entity associated with the application in response to determining that the number of accesses sharing the secure resource of the data processing system does exceed the access control threshold value corresponding to the secure resource.
  - 3. The data processing system of claim 1, wherein the processor further executes the computer readable program code to receive a chunk specification that specifies a set of code chunks within the application, each particular code chunk in the set of code chunks is associated with a particular set of one or more secure resources of the data processing system that the particular code chunk has access to and a particular external entity that the particular code chunk has been granted permission to communicate with;
    - receive a set of context-aware security policies that is associated with the application and defines particular conditions under which permission to access secure resources of the data processing system are granted; and
      
      split the application into the set of code chunks based on at least one of the chunk specification and the set of context-aware security policies.
  - 4. The data processing system of claim 3, wherein the processor further executes the computer readable program code to generate a manifest file associated with the application that specifies each requested communication between each code chunk in the set of code chunks within the application and a respective external entity that a particular code chunk communicates with and also specifies a particular secure resource that is shared with the respective external entity based on the chunk specification.
  - 5. The data processing system of claim 4, wherein the processor further executes the computer readable program code to verify that selections in the manifest file granting permission to a set of requested external entity communications complies with the set of context-aware security policies;
    - and display a notification of non-compliant selections in the manifest file granting permission to the set of requested external entity communications.
  - 6. The data processing system of claim 1, wherein the processor further executes the computer readable program code to generate a mapping between a set of context-aware security policies that grant permission to access the secure resources of the data processing system and the set of custom information flow control application programming interfaces required to call the secure resources.
  - 7. The data processing system of claim 1, wherein the specified conditions include at least one of a current geographic location of the data processing system, an identity of the external entity associated with the application, and an access control threshold value associated with the secure resource.

8. A computer program product stored on a computer readable storage medium having computer readable program code encoded thereon that is executable by a data processing system for controlling access to secure resources of the data processing system, the computer program product comprising:
- computer readable program code for removing all direct application programming interface calls by an application installed on the data processing system to the secure resources of the data processing system;
  
  computer readable program code for requiring the application accessing the secure resources of the data processing system to utilize a set of custom information flow control application programming interfaces located in an information flow control module of the data processing system to call the secure resources;
  
  computer readable program code for generating an input-to-output mapping of the application installed on the data processing system that determines whether a secure resource of the secure resources in the data processing system is shared with an external entity associated with the application and under what specified conditions;
  
  computer readable program code for determining whether the specified conditions exist during runtime of the application;
  
  computer readable program code for preventing sharing of the secure resource of the data processing system with the external entity associated with the application in response to determining that the specified conditions do not exist during runtime of the application; and
  
  computer readable program code for allowing sharing of the secure resource of the data processing system with the external entity associated with the application in response to determining that the specified conditions do exist during runtime of the application.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer program product of claim 8, further comprising:
    - computer readable program code for monitoring a number of accesses sharing the secure resource of the data processing system with the external entity associated with the application;
      
      computer readable program code for determining whether the number of accesses sharing the secure resource of the data processing system exceeded an access control threshold value corresponding to the secure resource;
      
      computer readable program code for detecting whether the specified conditions exist during runtime of the application in response to determining that the number of accesses sharing the secure resource of the data processing system does not exceed the access control threshold value corresponding to the secure resource; and
      
      computer readable program code for terminating the sharing of the secure resource of the data processing system with the external entity associated with the application in response to determining that the number of accesses sharing the secure resource of the data processing system does exceed the access control threshold value corresponding to the secure resource.
  - 10. The computer program product of claim 8, further comprising:
    - computer readable program code for receiving a chunk specification that specifies a set of code chunks within the application, each particular code chunk in the set of code chunks is associated with a particular set of one or more secure resources of the data processing system that the particular code chunk has access to and a particular external entity that the particular code chunk has been granted permission to communicate with;
      
      computer readable program code for receiving a set of context-aware security policies that is associated with the application and defines particular conditions under which permission to access secure resources of the data processing system are granted; and
      
      computer readable program code for splitting the application into the set of code chunks based on at least one of the chunk specification and the set of context-aware security policies.
  - 11. The computer program product of claim 10, further comprising:
    - computer readable program code for generating a manifest file associated with the application that specifies each requested communication between each code chunk in the set of code chunks within the application and a respective external entity that a particular code chunk communicates with and also specifies a particular secure resource that is shared with the respective external entity based on the chunk specification.
  - 12. The computer program product of claim 11, further comprising:
    - computer readable program code for verifying that selections in the manifest file granting permission to a set of requested external entity communications complies with the set of context-aware security policies; and
      
      computer readable program code for displaying a notification of non-compliant selections in the manifest file granting permission to the set of requested external entity communications.
  - 13. The computer program product of claim 8, further comprising:
    - computer readable program code for generating a mapping between a set of context-aware security policies that grant permission to access the secure resources of the data processing system and the set of custom information flow control application programming interfaces required to call the secure resources.
  - 14. The computer program product of claim 8, wherein the specified conditions include at least one of a current geographic location of the data processing system, an identity of the external entity associated with the application, and an access control threshold value associated with the secure resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
GlobalFoundries, Inc.
Original Assignee
International Business Machines Corporation
Inventors
Singh, Kapil K.
Primary Examiner(s)
Hoffman, Brandon
Assistant Examiner(s)
Ambaye, Samuel

Application Number

US13/969,535
Publication Number

US 20140331275A1
Time in Patent Office

703 Days
Field of Search

726/1, 726/4, 726/27, 713/168, 709/225
US Class Current

1/1
CPC Class Codes

G06F 15/16   Combinations of two or more...

G06F 21/00   Security arrangements for p...

G06F 21/52   during program execution, e...

G06F 21/6218   to a system of files or obj...

G06F 21/79   in semiconductor storage me...

G06F 2221/2105   Dual mode as a secondary as...

G06F 2221/2147   Locking files

G06F 9/46   Multiprogramming arrangements

H04L 63/10   for controlling access to d...

H04L 63/107   wherein the security polici...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/20   for managing network securi...

H04L 9/40   Network security protocols

H04M 1/72403   with means for local suppor...

H04W 4/021   Services related to particu...

Context-aware permission control of hybrid mobile applications

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

19 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Context-aware permission control of hybrid mobile applications

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

19 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links