Method and system for run-time dynamic and interactive identification software authorization requirements and privileged code locations, and for validation of other software program analysis results

US 9,449,190 B2
Filed: 05/27/2008
Issued: 09/20/2016
Est. Priority Date: 05/03/2006
Status: Active Grant

First Claim

Patent Images

1. A method for detecting and verifying security authorization and privileged-code requirements in a run-time execution environment in which a software program is executing, said method comprising:

implementing reflection objects for—

making reflection calls to one or more classes of objects in said executing program to identify from said classes and objects all methods where authorization failures may occur in response to the program'"'"'s attempted access of resources requiring authorizations as enforced by a particular security subsystem, said methods including methods of said one or more classes that take object parameters having different permission and privileged-code requirements that can arise when the methods are invoked with parameters to be passed determined at run-time,providing a listing of all said identified class methods for display via a user interface;

implementing reflection objects to enable a user, via said interface, to select a displayed method, determine one or more types and number of the parameters that need to be passed to said method being invoked, create one or more customized object parameters and pass customized object parameters to said selected displayed method and invoke said method in real-time in a restricted execution environment where said program is prevented from performing security-sensitive operations;

in response to invoking said method, determining whether a security exception is raised if a required authorization has not been expressly granted, and, reporting existence of said security exception via said user interface;

enabling a user to select, via said user interface, the security exception; and

, for each required authorization that should be granted, granting, by said user, the necessary permission via said user interface, and,automatically updating a security policy in response to a user granting a particular authorization without the need for restarting execution of the program,wherein local system, fine-grained access of resources requiring authorization is provided.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, method and computer program product for identifying security authorizations and privileged-code requirements; for validating analyses performed using static analyses; for automatically evaluating existing security policies; for detecting problems in code; in a run-time execution environment in which a software program is executing. The method comprises: implementing reflection objects for identifying program points in the executing program where authorization failures have occurred in response to the program'"'"'s attempted access of resources requiring authorization; displaying instances of identified program points via a user interface, the identified instances being user selectable; for a selected program point, determining authorization and privileged-code requirements for the access restricted resources in real-time; and, enabling a user to select, via the user interface, whether a required authorization should be granted, wherein local system, fine-grained access of resources requiring authorizations is provided.

21 Citations

View as Search Results

34 Claims

1. A method for detecting and verifying security authorization and privileged-code requirements in a run-time execution environment in which a software program is executing, said method comprising:
- implementing reflection objects for—
  
  making reflection calls to one or more classes of objects in said executing program to identify from said classes and objects all methods where authorization failures may occur in response to the program'"'"'s attempted access of resources requiring authorizations as enforced by a particular security subsystem, said methods including methods of said one or more classes that take object parameters having different permission and privileged-code requirements that can arise when the methods are invoked with parameters to be passed determined at run-time,providing a listing of all said identified class methods for display via a user interface;
  
  implementing reflection objects to enable a user, via said interface, to select a displayed method, determine one or more types and number of the parameters that need to be passed to said method being invoked, create one or more customized object parameters and pass customized object parameters to said selected displayed method and invoke said method in real-time in a restricted execution environment where said program is prevented from performing security-sensitive operations;
  
  in response to invoking said method, determining whether a security exception is raised if a required authorization has not been expressly granted, and, reporting existence of said security exception via said user interface;
  
  enabling a user to select, via said user interface, the security exception; and
  
  , for each required authorization that should be granted, granting, by said user, the necessary permission via said user interface, and,automatically updating a security policy in response to a user granting a particular authorization without the need for restarting execution of the program,wherein local system, fine-grained access of resources requiring authorization is provided.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method as claimed in claim 1, wherein an authorization includes one or more of the following:
    - a permission, a role.
  - 3. The method as claimed in claim 1, wherein said local-system, fine-grained access is provided independent of a particular security subsystem implemented.
  - 4. The method as claimed in claim 1, wherein said reflection objects includes Java reflection objects that enables instantiation of selected objects of the program.
  - 5. The method as claimed in claim 4, wherein said methods are listed as a hierarchical stack of method invocations.
  - 6. The method as claimed in claim 4, wherein, in response to invoking said method, generating a security exception if a required authorization has not been expressly granted, said method further comprising:
    - reporting existence of said security exception via said user interface, and,enabling user selection of the security exception via said user interface; and
      
      ,generating information for display concerning said required authorization via said user interface.
  - 7. The method as claimed in claim 6, wherein said generating information concerning a required authorization comprises:
    - invoking a security function that performs a stack trace for determining all callers on a stack tracking program execution; and
      
      ,determining which stack frames do not have the required authorization; and
      
      ,generating information about the code that has not been granted the authorization.
  - 8. The method as claimed in claim 7, wherein said information generated about the code includes one or more of:
    - a component name, a class name, a method name, a line number, a code origin, and those authorizations that have already been granted to the program'"'"'s code.
  - 9. The method as claimed in claim 4, wherein said method in executed in a separate thread, isolated from said execution environment.
  - 10. The method as claimed in claim 1, wherein said program is one selected from the group comprising:
    - a Java application, a component-based program;
      
      a C++ application, a C# application, a Web service application program, a Service Oriented Application (SOA) application, a C application, a Microsoft .NET Common Language Runtime (CLR) application, an application developed using a scripting language.
  - 11. A program storage device tangibly embodying software instructions which are adapted to be executed by a computing device to perform a method of verifying security authorizations in a run-time execution environment in which a software program is executing according to claim 1.

12. A run-time authorization requirement discovery tool for a computing device executing software programs requiring security authorizations comprising:
- a memory storage device;
  
  a programmed processor unit in communication with said memory storage device and configured to;
  
  provide a restricted execution environment where said program is prevented from performing security-sensitive operations;
  
  implement reflection objects for making reflection calls to one or more classes of objects in said executing program to identify from said classes and objects all methods in said executing program where authorization failures may occur in response to the program'"'"'s attempt to access resources requiring permissions as enforced by a particular security subsystem, said methods including methods of said class that take object parameters having different permission and privileged-code requirements that can arise when the methods are invoked with parameters to be passed determined at run-time;
  
  provide a listing of all said identified methods for display via a user interface device;
  
  select, by a user, a displayed method via said interface device;
  
  implementing reflection objects to create customized object parameters that are passed to said selected displayed method and invoking said method in real-time in said restricted execution environment;
  
  determine, responsive to invoking said method, whether a security exception is raised if a required authorization has not been expressly granted, and, reporting existence of said security exception via said user interface device,enable a user to select, via said user interface, the security exception; and
  
  ,enable said user to grant, via said user interface, for each required authorization that should be granted, the necessary permission, and,automatically update a security policy in response to a user granting a particular authorization without the need for restarting execution of the program,wherein local system, fine-grained access of resources requiring permissions is provided.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The authorization requirement discovery tool as claimed in claim 12, wherein said local-system, fine-grained access is provided independent of a particular security subsystem implemented.
  - 14. The authorization requirement discovery tool as claimed in claim 12, wherein said reflection objects includes one or more Java reflection objects that enables instantiation of selected objects of the program.
  - 15. The authorization requirement discovery tool as claimed in claim 12, wherein said methods are listed as a hierarchical stack of method invocations.
  - 16. The authorization requirement discovery tool as claimed in claim 14, wherein, in response to invoking said method, said execution environment generating a security exception if a required authorization has not been expressly granted, said processor device further:
    - reporting existence of said security exception via said user interface;
      
      enabling user selection of the security exception via said user interface; and
      
      ,generating information for display concerning said required authorization via said user interface.
  - 17. The authorization requirement discovery tool as claimed in claim 16, wherein said generating information concerning a required authorization comprises:
    - invoking a security function that performs a stack trace for determining all callers on a stack tracking program execution; and
      
      ,determining which stack frames do not have the required authorization; and
      
      ,generating information about the code that has not been granted the authorization.
  - 18. The authorization requirement discovery tool as claimed in claim 17, wherein said information generated about the code includes one or more of:
    - a component name, a file name, a class name, a method name, a line number, a code origin, and those authorizations that have already been granted to the program'"'"'s code.
  - 19. The authorization requirement discovery tool as claimed in claim 14, wherein said method in executed in a separate thread, isolated from said execution environment.
  - 20. The authorization requirement discovery tool as claimed in claim 12, wherein said executing program is one selected from the group comprising:
    - a Java application, a component-based program;
      
      a C++ application, a C application, a Microsoft .NET Common Language Runtime (CLR) application, a C# program, a Service Oriented Architecture (SOA) application, a Web service application program, an application written in a scripting language.

21. A system for providing real-time software authorization access to restricted resources by a computer program, said system comprising:
- a memory storage device;
  
  a programmed processor in communication with said memory storage device and configured for performing a method comprising;
  
  enabling program execution in a restricted execution environment;
  
  displaying, via a display interface, one or more class components of said computer program,selecting, by a user via said display interface, a class;
  
  determining, using reflection objects applied to said user selected class, all methods of said class, one or more said methods subject to authorization requirements;
  
  displaying a list of all said determined methods on a user display interface device;
  
  selecting, by said user via said display interface, a method of said class subject to said authorization requirement;
  
  implementing reflection objects to automatically determine one or more types and number of the parameters that need to be passed to said method being invoked and create customized object parameters that are passed to said selected displayed method;
  
  invoking said selected method in said restricted execution environment;
  
  automatically determining, as a result of said invoking said method, one or more program points of said executing program where a required authorization is missing;
  
  generating, via said display interface, a stack trace for determining all callers on a stack in response to determining a missing authorization, said stack trace indicating one or more program points requiring a missing authorization, a program point including a program component name, a file name, a class name, a method name, file name and a file line number;
  
  selecting, by said user via said display interface, a program point requiring a missing authorization;
  
  granting, by said user via said display interface, one or more said required authorizations, and,automatically updating a security policy in response to a user granting a particular authorization without the need for restarting execution of the program,wherein said granting of authorizations is performed without terminating execution of the program.
- View Dependent Claims (22, 31, 33)
- - 22. The system as claimed in claim 21, further comprising:
    - generating for display information about said code having the missing authorization, said information comprising;
      
      a URL from which the code is originated, the certificates of entities that signed that code, authentication information of the user or service executing the program, and the authorizations already granted to the program, user, and service.
  - 31. The system as claimed in claim 21, wherein responsive to determining, as a result of invoking said method, one or more program points of said executing program having a required authorization missing, said method further comprising:
    - raising an access control exception, said stack trace generated in response to said raised exception.
  - 33. The system as claimed in claim 21, wherein, for each authorization to be granted, enabling a user to make portions of program code privileged without exposing the program to other security risks.

23. A method for providing real-time software authorization access to restricted resources by a computer program, said method comprising:
- enabling program execution in a restricted execution environment;
  
  displaying, via a display interface, one or more class components of said computer program,selecting, by a user via said display interface, a class;
  
  determining, using reflection calls applied to said user selected class, all methods of said class via said display interface, one or more said methods subject to authorization requirements;
  
  displaying a list of all said determined methods on a user display interface device;
  
  selecting, by said user via said display interface, a method of said class subject to said authorization requirement;
  
  implementing reflection objects to automatically determine one or more types and number of the parameters that need to be passed to said method being invoked and create customized object parameters that are passed to said selected displayed method;
  
  invoking said selected method in said restricted execution environment;
  
  automatically determining, as a result of invoking said method, one or more program points of said executing program where a required authorization is missing;
  
  generating, via said display interface, a stack trace for determining all callers on a stack in response to determining a missing authorization, said stack trace indicating one or more program points requiring a missing authorization, a program point including a program component name, a file name, a class name, a method name, file name and a file line number;
  
  selecting, by said user via said display interface, a program point requiring a missing authorization;
  
  granting, by said user via said display interface, one or more said required authorizations, and,automatically updating a security policy in response to a user granting a particular authorization without the need for restarting execution of the program,wherein said granting of authorizations is performed without terminating execution of the program.
- View Dependent Claims (32, 34)
- - 32. The method as claimed in claim 23, wherein responsive to determining, as a result of invoking said method, one or more program points of said executing program having a required authorization missing, said method further comprising:
    - raising an access control exception, said stack trace generated in response to said raised exception.
  - 34. The method as claimed in claim 23, wherein, for each authorization to be granted, enabling a user to make portions of program code privileged without exposing the program to other security risks.

24. A method for detecting problems in an executing software program comprising:
- enabling program execution in a restricted execution environment, which prevents the underlying system from becoming corrupted if the program being executed is malicious or performs incorrectly;
  
  automatically determining, using reflection objects applied to said software program, one or more program points of said executing program wherein an exception is raised indicating a potential problem in said executing software;
  
  displaying a list of said one or more program points on a user display interface device;
  
  selecting, by a user, via a display device, a program point, said displayed program point including a method to be invoked by said software program;
  
  implementing reflection objects to automatically determine of said determine one or more types and number of the parameters that need to be passed to said method being invoked and create customized object parameters that are passed to said selected displayed method;
  
  initiating the execution of the selected program point without causing the system to stop its own execution if an exception is raised indicating a problem with the software;
  
  enabling a user to inspect, via a display device, a stack trace generated in response to said selected program point, said stack trace provided via said display means to indicate said raised exception for said potential problem in said executing software, said problem indicating a missing permission required for performing an instantiated object'"'"'s method; and
  
  detecting, by said user via said display device, the optimal locations where code may be inserted to correct the indicated problem, and,automatically updating a security policy in response to a user granting a particular authorization without the need for restarting execution of the program.
- View Dependent Claims (25, 26, 27)
- - 25. The method of claim 24, wherein a program point location includes one or more of:
    - a component name, a class name, a method name, a file name, and a line number.
  - 26. The method of claim 25, wherein an indicated program point is provided as a result of a static analysis performed by a static analysis tool for detecting problems in said program, said method verifying an analysis performed on said software program by said static analysis tool.
  - 27. The method of claim 25, wherein an indicated program point is provided as a result of a static analysis performed by a user inspecting said software for detecting a problem in said program, said method verifying said user'"'"'s program inspection analysis results.

28. A method for verifying analysis results of software programs, said analysis results being obtained as a result of a previously performed software analysis technique, said method comprising:
- enabling program execution in a restricted execution environment, which prevents the underlying system from becoming corrupted if the program being analyzed is malicious or performs incorrectly;
  
  determining from said previously obtained analysis results, one or more program points of said executing program indicating a missing permission required for performing an instantiated object'"'"'s method;
  
  displaying a list of said one or more program points on a user display interface device;
  
  selecting, by a user, a program point, said displayed program point including a method to be invoked by said software program;
  
  implementing reflection objects to automatically determine of said determine one or more types and number of the parameters that need to be passed to said method being invoked and create customized object parameters that are passed to said selected displayed method;
  
  initiating the execution of a selected program point without causing the system to stop its own execution if an exception is raised indicating said potential problem with the software;
  
  inspecting, by said user via a display device, a stack trace generated in response to said selected program point, said stack trace provided via said display means to indicate said problem in said executing software; and
  
  verifying, by said user via said display means, whether the potential problem was correctly indicated by said previously performed software analysis technique.
- View Dependent Claims (29, 30)
- - 29. The method of claim 28, wherein said previously performed software analysis technique comprises a static analysis performed by a static analysis tool for detecting problems in said program.
  - 30. The method of claim 28, wherein said previously performed software analysis technique comprises an analysis performed by a user inspecting said software for detecting a problem in said program.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Centonze, Paolina, Gomes, Jose, Pistoia, Marco
Primary Examiner(s)
AVERY, JEREMIAH L

Application Number

US12/127,298
Publication Number

US 20090007223A1
Time in Patent Office

3,038 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/6227   where protection concerns t...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

Method and system for run-time dynamic and interactive identification software authorization requirements and privileged code locations, and for validation of other software program analysis results

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

21 Citations

34 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for run-time dynamic and interactive identification software authorization requirements and privileged code locations, and for validation of other software program analysis results

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

34 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links