Control of data access by dynamically verifying legal references

US 8,321,668 B2
Filed: 12/16/2004
Issued: 11/27/2012
Est. Priority Date: 12/30/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A method for controlling access to data handled by references in a system for executing programs, said programs including processes and tasks, wherein upon executing a program, the method comprises the following steps:

having the system store an entire set of licit references which the program obtains by means considered as licit, wherein a reference identifies at least one a pointer or data of the program, the data including structures, objects, and tables, said licit reference being stored when introducing into the program said reference by a licit means and when this licit reference is not already stored, wherein a reference is considered to be licit when that reference was obtained in a manner permissible in accordance with a system, context and program being used, and a reference is considered not licit when that reference was not obtained in a manner permissible in accordance with the system, context and program being used;

before any operation intended to be forbidden in case said operation deals with values which are not licit references, having the system check that said values are among the licit references which have been stored for this program, andaccepting the operation, responsive to said step of checking, when said checking determines said values are among the licit references, and rejecting the operation responsive to said step of checking, when said checking determines said values are not among the licit references.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The inventive method for controlling access to data which is used by reference in a program execution system (including processes and aims) during the program execution consists in memorising by the system the totality of references obtainable by said program with the aid of means considered legal, before any operation which can be prohibited if it relates to values which are not legal references, in verifying by the system whether said values are amongst the legal references memorized for the program and in accepting or rejecting the operation, respectively.

20 Citations

View as Search Results

17 Claims

1. A method for controlling access to data handled by references in a system for executing programs, said programs including processes and tasks, wherein upon executing a program, the method comprises the following steps:
- having the system store an entire set of licit references which the program obtains by means considered as licit, wherein a reference identifies at least one a pointer or data of the program, the data including structures, objects, and tables, said licit reference being stored when introducing into the program said reference by a licit means and when this licit reference is not already stored, wherein a reference is considered to be licit when that reference was obtained in a manner permissible in accordance with a system, context and program being used, and a reference is considered not licit when that reference was not obtained in a manner permissible in accordance with the system, context and program being used;
  
  before any operation intended to be forbidden in case said operation deals with values which are not licit references, having the system check that said values are among the licit references which have been stored for this program, andaccepting the operation, responsive to said step of checking, when said checking determines said values are among the licit references, and rejecting the operation responsive to said step of checking, when said checking determines said values are not among the licit references.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method according to claim 1, wherein the references are pointers.
  - 3. The method according to claim 1, wherein the licit means for a program in order to obtain reference values comprise at least one of the following operations:
    - reading a variable or a datum belonging to the system or to another program,writing into a variable or datum of said program by the system or by another program,receiving arguments upon calling a routine of said program by the system or by another program,utilization of the return value from the call by said program of a routine belonging to the system or to another program,having said program catch up a raised exception during execution of a routine belonging to the system or to another program,receiving by said program an interruption or a valuated signal.
  - 4. The method according to claim 1, wherein the system comprises a mechanism which determines whether a given value is a valid reference.
  - 5. The method according to claim 4, wherein the system comprises a firewall which forbids certain programs on certain referenced data, data considered as being sensitive for the system being those for which the operations are not forbidden by the firewall.
  - 6. The method according to claim 5, wherein the firewall forbids certain operations by a program on data belonging to other programs, except on those declared as shareable.
  - 7. The method according to claim 6, wherein the system is based on a Java Card virtual machine and wherein:
    - a program consists of the whole of the code which is found in a “
      
      Java Card package”
      
      ;
      
      the firewall is that of the Java Card Runtime Environment (JCRE);
      
      the data declared as shareable and therefore sensitive, are objects which are instances of classes which implement the “
      
      Javacard.framework.Shareable”
      
      interface.
  - 8. The method according to claim 7, wherein the system stores in sets of sensitive licit references associated with a package all the references which appear in the following cases:
    - receiving arguments of “
      
      Javacard.framework.Shareable”
      
      type when a method of said package is called by another package or by the system,“
      
      Javacard.framework.Shareable”
      
      type return value when said package calls a method from another package or from the system (including a “
      
      getAppletSharreableInterfaceObject”
      
      method of “
      
      Javacard.framework.JCSystem package”
      
      ),reading a public static field of “
      
      Javacard.framework.Shareable”
      
      type in another package or in the system,catching up an instance object of a class from (inheriting from) “
      
      java.lang.Throwable” and
      
      implementing “
      
      Javacard.framework.Shareable”
      
      .
  - 9. The method according to claim 1, wherein the whole of the licit stored references is represented by a table.
  - 10. The method according to claim 1, wherein the set of the licit stored references is emptied, by means of a conservative garbage collector, of references which have become inactive.
  - 11. The method according to claim 1, wherein:
    - the references are represented in the system by handles and tables of pointers,the sets of licit stored references are represented by vectors of bits associated with some of the tables of pointers, where a bit has a given index which represents the presence or the absence of the corresponding reference in said sets,said vectors of bits are represented by means of a sequence of indexes or lengths corresponding to the extents of bits positioned in the same way.
  - 12. The method according to claim 1, wherein the references are handles.
  - 13. The method according to claim 1, wherein the stored licit references are limited to the sole references on data considered as sensitive for the system.
  - 14. The method according to claim 1, wherein said checks check that the values are among the sensitive licit references which were stored for this program or else which are references determined as valid and dealing with data which are not sensitive.
  - 15. The method according to claim 7, wherein the data declared as shareable and therefore sensitive, are objects with public use of the system:
    - global arrays and Entry Point Objects of JCRE.
  - 16. The method according to claim 11, wherein said vectors of bits are hollow.
  - 17. The method according to claim 11, wherein some of the tables of pointers are reserved for licit references.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trusted Logic (Thales SA)
Original Assignee
Trusted Logic (Thales SA)
Inventors
Leroy, Xavier, Hameau, Patrice, Regnault, Nicolas, Marlet, Renaud
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
AVERY, JEREMIAH L

Application Number

US10/585,097
Publication Number

US 20070168313A1
Time in Patent Office

2,903 Days
Field of Search

713/167
US Class Current

713/167
CPC Class Codes

G06F 21/54 by adding security routines...

G06F 21/6281 at program execution time, ...

Control of data access by dynamically verifying legal references

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

20 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Control of data access by dynamically verifying legal references

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links