System and method for providing application security in a cloud computing environment

US 9,871,800 B2
Filed: 01/30/2015
Issued: 01/16/2018
Est. Priority Date: 01/31/2014
Status: Active Grant

First Claim

Patent Images

1. A system for providing application deployment security in a cloud computing or other environment, comprising:

one or more computers, including a computing environment which enables compilation and deployment of software applications to run within the computing environment;

a plurality of hot-spot configurations associated with application programming interface (API) usages, wherein each hot-spot configuration defines an API usage that is to be monitored, and associates at least one of a particular policy or action with that API usage;

one or more security extensions that are registered with an application compiler framework, for selective binding to user applications at runtime; and

an application compiler provided as part of the application compiler framework, which receives a user application to be deployed to the computing environment,wherein the user application includes one or more of the API usages expressed as method invocations within the source code of the user application,determines, for each of the API usages expressed as method invocations within the source code of the user application, one or more matching hot-spot configurations and associated policies and actions, andinjects the user application during compilation to create an application runtime that includes a corresponding instrumented code and a security manager that, during execution of the user application, monitors the method invocations that are invoked by the user application, for use in determining access by the user application to the API usages;

whereupon deployment of the application runtime to the computing environment,the user application is bound to at least one security extension registered with the application compiler framework,for use by the security manager in calling the at least one security extension, for use with the user application.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In accordance with an embodiment, described herein is a system and method for providing application security in a cloud computing or other environment. A plurality of hot-spot configurations define API usages which, for security reasons, are of interest to be monitored at runtime, such as invocations of particular methods that are likely to be used to attempt unauthorized access. Upon a user application being received for deployment to the cloud environment, an application compiler determines, for API usages expressed as method invocations within the source code of the application, one or more hot-spot configurations and associated policies or actions. The application compiler can then inject the user application to provide a security manager that, during runtime, monitors the methods and values invoked, and communicates with one or more security extensions to grant or deny access.

Citations

20 Claims

1. A system for providing application deployment security in a cloud computing or other environment, comprising:
- one or more computers, including a computing environment which enables compilation and deployment of software applications to run within the computing environment;
  
  a plurality of hot-spot configurations associated with application programming interface (API) usages, wherein each hot-spot configuration defines an API usage that is to be monitored, and associates at least one of a particular policy or action with that API usage;
  
  one or more security extensions that are registered with an application compiler framework, for selective binding to user applications at runtime; and
  
  an application compiler provided as part of the application compiler framework, which receives a user application to be deployed to the computing environment,wherein the user application includes one or more of the API usages expressed as method invocations within the source code of the user application,determines, for each of the API usages expressed as method invocations within the source code of the user application, one or more matching hot-spot configurations and associated policies and actions, andinjects the user application during compilation to create an application runtime that includes a corresponding instrumented code and a security manager that, during execution of the user application, monitors the method invocations that are invoked by the user application, for use in determining access by the user application to the API usages;
  
  whereupon deployment of the application runtime to the computing environment,the user application is bound to at least one security extension registered with the application compiler framework,for use by the security manager in calling the at least one security extension, for use with the user application.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein the plurality of hot-spot configurations is defined by an editable configuration file.
  - 3. The system of claim 1, wherein the security manager communicates with the at least one security extension to perform the method invocations on behalf of the user application, including granting or denying access by the user application to the API usages expressed as method invocations.
  - 4. The system of claim 1, wherein the application compiler uses a set of rules to translate hot-spot configuration expressions defined in an editable format into regular expressions understandable by the application compiler.
  - 5. The system of claim 1, further comprising a standard security manager that enforces permissions granted to classes within the application runtime, and wherein the application compiler supplements operation of the standard security manager in enforcing the permissions.
  - 6. The system of claim 1, wherein the application compiler and the one or more security extensions are provided within a Java computing environment, and enforce security in an extensible manner within the Java computing environment.
  - 7. The system of claim 1, wherein each of one or more method invocations within the source code of the user application is replaced with an invocation into the security manager, which calls the at least one security extension to perform a method invocation on behalf of the user application.

8. A method of providing application deployment security in a cloud computing or other environment, comprising:
- providing one or more computers, including a computing environment which enables compilation and deployment of software applications to run within the computing environment;
  
  providing a plurality of hot-spot configurations associated with application programming interface (API) usages, wherein each hot-spot configuration defines an API usage that is to be monitored, and associates at least one of a particular policy or action with that API usage;
  
  registering one or more security extensions with an application compiler framework, for selective binding to user applications at runtime; and
  
  compiling a user application, to be deployed to the computing environment, including receiving the user application to be deployed to the computing environment,wherein the user application includes one or more of the API usages expressed as method invocations within the source code of the user application,determining, for each of the API usages expressed as method invocations within the source code of the user application, one or more matching hot-spot configurations and associated policies and actions, andinjecting the user application during compilation to create an application runtime that includes a corresponding instrumented code and a security manager that, during execution of the user application, monitors the method invocations that are invoked by the user application, for use in determining access by the user application to the API usages;
  
  whereupon deployment of the application runtime to the computing environment,the user application is bound to at least one security extension registered with the application compiler framework,for use by the security manager in calling the at least one security extension, for use with the user application.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein the plurality of hot-spot configurations is defined by an editable configuration file.
  - 10. The method of claim 8, wherein the security manager communicates with the at least one security extension to perform the method invocations on behalf of the user application, including granting or denying access by the user application to the API usages expressed as method invocations.
  - 11. The method of claim 8, further comprising using a set of rules to translate hot-spot configuration expressions defined in an editable format into regular expressions understandable by the application compiler.
  - 12. The method of claim 8, further comprising providing a standard security manager that enforces permissions granted to classes within the application runtime, and wherein the application compiler supplements operation of the standard security manager in enforcing the permissions.
  - 13. The method of claim 8, wherein the application compiler and the one or more security extensions are provided within a Java computing environment, and enforce security in an extensible manner within the Java computing environment.
  - 14. The method of claim 8, further comprising replacing each of one or more method invocations within the source code of the user application with an invocation into the security manager, which calls the at least one security extension to perform a method invocation on behalf of the user application.

15. A non-transitory computer readable storage medium, including instructions stored thereon which when read and executed by one or more computers cause the one or more computers to perform the steps comprising:
- providing, at one or more computers, a computing environment which enables compilation and deployment of software applications to run within the computing environment;
  
  providing a plurality of hot-spot configurations associated with application programming interface (API) usages, wherein each hot-spot configuration defines an API usage that is to be monitored, and associates at least one of a particular policy or action with that API usage;
  
  registering one or more security extensions with an application compiler framework, for selective binding to user applications at runtime; and
  
  compiling a user application, to be deployed to the computing environment, including receiving the user application to be deployed to the computing environment,wherein the user application includes one or more of the API usages expressed as method invocations within the source code of the user application,determining, for each of the API usages expressed as method invocations within the source code of the user application, one or more matching hot-spot configurations and associated policies and actions, andinjecting the user application during compilation to create an application runtime that includes a corresponding instrumented code and a security manager that, during execution of the user application, monitors the method invocations that are invoked by the user application, for use in determining access by the user application to the API usages;
  
  whereupon deployment of the application runtime to the computing environment,the user application is bound to at least one security extension registered with the application compiler framework,for use by the security manager in calling the at least one security extension, for use with the user application.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer readable storage medium of claim 15, wherein the plurality of hot-spot configurations is defined by an editable configuration file.
  - 17. The non-transitory computer readable storage medium of claim 15, wherein the security manager communicates with the at least one security extension to perform the method invocations on behalf of the user application, including granting or denying access by the user application to the API usages expressed as method invocations.
  - 18. The non-transitory computer readable storage medium of claim 15, further comprising using a set of rules to translate hot-spot configuration expressions defined in an editable format into regular expressions understandable by the application compiler.
  - 19. The non-transitory computer readable storage medium of claim 15, further comprising providing a standard security manager that enforces permissions granted to classes within the application runtime, and wherein the application compiler supplements operation of the standard security manager in enforcing the permissions.
  - 20. The non-transitory computer readable storage medium of claim 15, wherein the application compiler and the one or more security extensions are provided within a Java computing environment, and enforce security in an extensible manner within the Java computing environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Subramanian, Velmurugan, Junnarkar, Nilesh
Primary Examiner(s)
Paliwal, Yogesh

Application Number

US14/610,524
Publication Number

US 20150222620A1
Time in Patent Office

1,082 Days
Field of Search

726 22
US Class Current
CPC Class Codes

H04L 63/102 Entity profiles

System and method for providing application security in a cloud computing environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for providing application security in a cloud computing environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links