Method and system for run-time dynamic and interactive identification software authorization requirements and privileged code locations, and for validation of other software program analysis results
Abstract
A system, method and computer program product for identifying security authorizations and privileged-code requirements; for validating analyses performed using static analyses; for automatically evaluating existing security policies; for detecting problems in code; in a run-time execution environment in which a software program is executing. The method comprises: implementing reflection objects for identifying program points in the executing program where authorization failures have occurred in response to the program's attempted access of resources requiring authorization; displaying instances of identified program points via a user interface, the identified instances being user selectable; for a selected program point, determining authorization and privileged-code requirements for the access restricted resources in real-time; and, enabling a user to select, via the user interface, whether a required authorization should be granted, wherein local system, fine-grained access of resources requiring authorizations is provided.
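The loop the abstract describes (enumerate methods by reflection, invoke one under a restrictive policy, report the missing authorization with its program points, grant it, and continue without a restart) can be modelled in a few lines. This is an added illustration in Python, not code from the patent; `Policy`, `SecurityError`, `ReportStore` and the permission tuples are assumptions made up for the example, and the automatic grant stands in for the user's decision in the interface.

```python
import inspect
import traceback

class SecurityError(Exception):
    """Raised by the model sandbox when a required permission is not granted."""

class Policy:
    """Live policy: a grant takes effect immediately, with no restart."""
    def __init__(self):
        self.granted = set()
    def check(self, perm):
        if perm not in self.granted:
            raise SecurityError(perm)
    def grant(self, perm):
        self.granted.add(perm)

POLICY = Policy()  # starts empty, i.e. fully restricted

class ReportStore:  # hypothetical class under analysis
    def read(self, path: str) -> str:
        POLICY.check(("file.read", path))  # requirement depends on the run-time argument
        return f"contents of {path}"
    def version(self) -> str:
        return "1.0"

def list_methods(cls):
    """Reflection step: public methods with their parameter names and types."""
    out = {}
    for name, fn in inspect.getmembers(cls, inspect.isfunction):
        if not name.startswith("_"):
            params = list(inspect.signature(fn).parameters.values())[1:]  # drop self
            out[name] = [(p.name, p.annotation.__name__) for p in params]
    return out

def probe(cls, method, *args):
    """Invoke under the policy; report the missing permission and program points."""
    try:
        return {"ok": True, "result": getattr(cls(), method)(*args)}
    except SecurityError as exc:
        frames = traceback.extract_tb(exc.__traceback__)
        points = [(f.filename, f.name, f.lineno) for f in frames]
        return {"ok": False, "missing": exc.args[0], "points": points}

def discover_and_grant(cls, method, *args):
    """One round: probe, grant what was reported, probe again in the same process."""
    first = probe(cls, method, *args)
    if not first["ok"]:
        POLICY.grant(first["missing"])  # stands in for the user's approval in the UI
    return first, probe(cls, method, *args)
```

Because the grant is scoped to the exact permission reported, a call to `read` with a different path is still denied afterwards, which is the fine-grained behaviour the abstract refers to.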
34 Claims
1. A method for detecting and verifying security authorization and privileged-code requirements in a run-time execution environment in which a software program is executing, said method comprising:
- implementing reflection objects for—
  making reflection calls to one or more classes of objects in said executing program to identify from said classes and objects all methods where authorization failures may occur in response to the program's attempted access of resources requiring authorizations as enforced by a particular security subsystem, said methods including methods of said one or more classes that take object parameters having different permission and privileged-code requirements that can arise when the methods are invoked with parameters to be passed determined at run-time, providing a listing of all said identified class methods for display via a user interface;
- implementing reflection objects to enable a user, via said interface, to select a displayed method, determine one or more types and number of the parameters that need to be passed to said method being invoked, create one or more customized object parameters and pass customized object parameters to said selected displayed method and invoke said method in real-time in a restricted execution environment where said program is prevented from performing security-sensitive operations;
- in response to invoking said method, determining whether a security exception is raised if a required authorization has not been expressly granted, and, reporting existence of said security exception via said user interface;
- enabling a user to select, via said user interface, the security exception; and
- for each required authorization that should be granted, granting, by said user, the necessary permission via said user interface, and, automatically updating a security policy in response to a user granting a particular authorization without the need for restarting execution of the program, wherein local system, fine-grained access of resources requiring authorization is provided.
- Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
12. A run-time authorization requirement discovery tool for a computing device executing software programs requiring security authorizations comprising:
- a memory storage device;
- a programmed processor unit in communication with said memory storage device and configured to:
  - provide a restricted execution environment where said program is prevented from performing security-sensitive operations;
  - implement reflection objects for making reflection calls to one or more classes of objects in said executing program to identify from said classes and objects all methods in said executing program where authorization failures may occur in response to the program's attempt to access resources requiring permissions as enforced by a particular security subsystem, said methods including methods of said class that take object parameters having different permission and privileged-code requirements that can arise when the methods are invoked with parameters to be passed determined at run-time;
  - provide a listing of all said identified methods for display via a user interface device;
  - select, by a user, a displayed method via said interface device;
  - implementing reflection objects to create customized object parameters that are passed to said selected displayed method and invoking said method in real-time in said restricted execution environment;
  - determine, responsive to invoking said method, whether a security exception is raised if a required authorization has not been expressly granted, and, reporting existence of said security exception via said user interface device,
  - enable a user to select, via said user interface, the security exception; and
  - enable said user to grant, via said user interface, for each required authorization that should be granted, the necessary permission, and, automatically update a security policy in response to a user granting a particular authorization without the need for restarting execution of the program, wherein local system, fine-grained access of resources requiring permissions is provided.
- Dependent claims: 13, 14, 15, 16, 17, 18, 19, 20
21. A system for providing real-time software authorization access to restricted resources by a computer program, said system comprising:
- a memory storage device;
- a programmed processor in communication with said memory storage device and configured for performing a method comprising:
  - enabling program execution in a restricted execution environment;
  - displaying, via a display interface, one or more class components of said computer program, selecting, by a user via said display interface, a class;
  - determining, using reflection objects applied to said user selected class, all methods of said class, one or more said methods subject to authorization requirements;
  - displaying a list of all said determined methods on a user display interface device;
  - selecting, by said user via said display interface, a method of said class subject to said authorization requirement;
  - implementing reflection objects to automatically determine one or more types and number of the parameters that need to be passed to said method being invoked and create customized object parameters that are passed to said selected displayed method;
  - invoking said selected method in said restricted execution environment;
  - automatically determining, as a result of said invoking said method, one or more program points of said executing program where a required authorization is missing;
  - generating, via said display interface, a stack trace for determining all callers on a stack in response to determining a missing authorization, said stack trace indicating one or more program points requiring a missing authorization, a program point including a program component name, a file name, a class name, a method name, file name and a file line number;
  - selecting, by said user via said display interface, a program point requiring a missing authorization;
  - granting, by said user via said display interface, one or more said required authorizations, and, automatically updating a security policy in response to a user granting a particular authorization without the need for restarting execution of the program, wherein said granting of authorizations is performed without terminating execution of the program.
- Dependent claims: 22, 31, 33
23. A method for providing real-time software authorization access to restricted resources by a computer program, said method comprising:
- enabling program execution in a restricted execution environment;
- displaying, via a display interface, one or more class components of said computer program, selecting, by a user via said display interface, a class;
- determining, using reflection calls applied to said user selected class, all methods of said class via said display interface, one or more said methods subject to authorization requirements;
- displaying a list of all said determined methods on a user display interface device;
- selecting, by said user via said display interface, a method of said class subject to said authorization requirement;
- implementing reflection objects to automatically determine one or more types and number of the parameters that need to be passed to said method being invoked and create customized object parameters that are passed to said selected displayed method;
- invoking said selected method in said restricted execution environment;
- automatically determining, as a result of invoking said method, one or more program points of said executing program where a required authorization is missing;
- generating, via said display interface, a stack trace for determining all callers on a stack in response to determining a missing authorization, said stack trace indicating one or more program points requiring a missing authorization, a program point including a program component name, a file name, a class name, a method name, file name and a file line number;
- selecting, by said user via said display interface, a program point requiring a missing authorization;
- granting, by said user via said display interface, one or more said required authorizations, and, automatically updating a security policy in response to a user granting a particular authorization without the need for restarting execution of the program, wherein said granting of authorizations is performed without terminating execution of the program.
- Dependent claims: 32, 34
24. A method for detecting problems in an executing software program comprising:
- enabling program execution in a restricted execution environment, which prevents the underlying system from becoming corrupted if the program being executed is malicious or performs incorrectly;
- automatically determining, using reflection objects applied to said software program, one or more program points of said executing program wherein an exception is raised indicating a potential problem in said executing software;
- displaying a list of said one or more program points on a user display interface device;
- selecting, by a user, via a display device, a program point, said displayed program point including a method to be invoked by said software program;
- implementing reflection objects to automatically determine of said determine one or more types and number of the parameters that need to be passed to said method being invoked and create customized object parameters that are passed to said selected displayed method;
- initiating the execution of the selected program point without causing the system to stop its own execution if an exception is raised indicating a problem with the software;
- enabling a user to inspect, via a display device, a stack trace generated in response to said selected program point, said stack trace provided via said display means to indicate said raised exception for said potential problem in said executing software, said problem indicating a missing permission required for performing an instantiated object's method; and
- detecting, by said user via said display device, the optimal locations where code may be inserted to correct the indicated problem, and, automatically updating a security policy in response to a user granting a particular authorization without the need for restarting execution of the program.
- Dependent claims: 25, 26, 27
28. A method for verifying analysis results of software programs, said analysis results being obtained as a result of a previously performed software analysis technique, said method comprising:
- enabling program execution in a restricted execution environment, which prevents the underlying system from becoming corrupted if the program being analyzed is malicious or performs incorrectly;
- determining from said previously obtained analysis results, one or more program points of said executing program indicating a missing permission required for performing an instantiated object's method;
- displaying a list of said one or more program points on a user display interface device;
- selecting, by a user, a program point, said displayed program point including a method to be invoked by said software program;
- implementing reflection objects to automatically determine of said determine one or more types and number of the parameters that need to be passed to said method being invoked and create customized object parameters that are passed to said selected displayed method;
- initiating the execution of a selected program point without causing the system to stop its own execution if an exception is raised indicating said potential problem with the software;
- inspecting, by said user via a display device, a stack trace generated in response to said selected program point, said stack trace provided via said display means to indicate said problem in said executing software; and
- verifying, by said user via said display means, whether the potential problem was correctly indicated by said previously performed software analysis technique.
- Dependent claims: 29, 30
Specification