US20060179434A1 - Software application environment - Google Patents


Info

Publication number: US20060179434A1
Authority: US (United States)
Prior art keywords: access, data storage, program, application, list
Legal status: Abandoned (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Application number: US11/389,305
Inventors: Shimon Gruper, Nicky Pappo, Leonid Kogan, Eyal Zohar, Sergey Korabelnikov
Current assignee: Individual
Original assignee: Individual
Priority application: US11/389,305

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/468 Specific access rights for resources, e.g. using capability register
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2113 Multi-level security, e.g. mandatory access control
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection

Definitions

  • An enforcement file is drawn up using a table such as Table 1.
  • Disk access requests are then checked against the enforcement file. If the type of disk access is not allowed by the enforcement file, then either the operation is stopped, the user is prompted to give specific permission, or a predefined automatic response occurs.
  • The enforcement file may be automatically updated based on the nature of the application's request and the subsequent response.
  • A product identification operation may be carried out in association with booting of the computer, or following given events such as installing a new product or finishing an Internet session, with an appropriate predefined set selected for each application identified.
  • FIG. 1 is a flow diagram showing how an embodiment may be installed on a computer 10, may be manually activated 12, or may automatically be led to detect installed software 14, and may see that the details of the enforcement file, or sandbox, are adhered to 16. After enforcement the embodiment returns to the detection step 14.
  • In the event that an enforcement file is not available, an embodiment of the invention, whose flow diagram is shown in FIG. 2, has a so-called learn mode. In this mode a new program is assigned a general enforcement file. The general enforcement file gives the program no access rights at all to files on the system disk. The program then attempts to make a file access 20. Provided the access attempt is within certain parameters, the system allows the attempt and learns the details so that in future an access to that area of the disk will always be allowed. Thus a specific enforcement file is gradually built up over the duration of the learn mode. The specific enforcement file is then consulted 22 in future access attempts, to decide whether the program has rights to access the required part of the system disk at the requested level. If the answer is yes the program continues in the normal way, 24.
  • If the answer is no, the user is prompted to give specific permission.
  • The user may grant the level of access for the specific session only, or may grant it permanently.
  • Alternatively, an automatic learn mode may be configured, in which any but the most drastic levels of access are granted to the program.
  • Learn mode may be set up only for a specific session, or the user may wish to have the program run continuously in learn mode.
  • In either case a specific enforcement file is built up, as mentioned above, based on the instances of specific permission being given, and the profile of the new application is thus gradually learnt. It will be appreciated that the automatic version of learn mode is best run only for specific sessions; otherwise no real program profile is enforced.
  • The use of profiles to spot vandal activity depends on knowing exactly which program is running at any one time. But many programs are able to call up other programs (daughter applications) as part of their own operation.
  • The embodiment of the invention shown in FIG. 3 therefore keeps track of the hierarchy of programs which are operating.
  • The hierarchy, or thread, is first detected, 30.
  • The embodiment then checks to see if the thread itself is registered, 32. If the daughter application has its own enforcement file then that is used, 34. If it does not, then the thread is assigned the enforcement file of the parent application, 36. This is then modified in exactly the same way as the general enforcement file of a new application, 38.
  • An example of the kind of hierarchy involved in the above is a web browser such as Netscape calling up an audio player such as Real Audio to play a sound file, a task that it is not able to carry out itself.
  • Unless Real Audio is registered as a self-contained application with its own enforcement file, it will not obtain rights of its own but rather those of the web browser that called it. The daughter application is thus confined to the access already granted to its caller.
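The FIG. 3 lookup described above, as an added example in Python that is not part of the patent. The image names, the process tree and the profile contents are constructed for illustration. Handing the daughter a copy of the parent's file, so that learn-mode updates made for the daughter do not widen the parent's registered file, is a design choice of this example and not something the page states.

```python
"""Resolve which enforcement file governs a daughter application (FIG. 3)."""
from copy import deepcopy

# Constructed sample profiles: directory -> set of permitted access levels.
# Only these two images are "registered"; Real Audio deliberately is not.
REGISTERED_PROFILES = {
    "netscape.exe": {
        r"c:\windows": {"read", "write", "create", "execute", "delete"},
        r"c:\windows\command": {"read", "create", "execute"},
        r"c:\temp": {"read", "write", "create", "execute", "delete"},
    },
    "rundll32.exe": {
        r"c:\windows\system": {"read", "execute"},
    },
}

# Constructed process tree: image name -> image name of its caller (None = top level).
PARENT_OF = {
    "realaudio.exe": "netscape.exe",
    "plugin-helper.exe": "realaudio.exe",
    "netscape.exe": None,
}


def resolve_profile(image, registered=REGISTERED_PROFILES, parent_of=PARENT_OF):
    """Return (image whose file is used, working copy of that file).

    Step 32/34: if the thread has its own enforcement file, use it.
    Step 36: otherwise walk up the calling chain and adopt the nearest
    registered ancestor's file.  A deep copy is returned so that learn-mode
    changes made for the daughter (step 38) stay with the daughter (this
    example's choice).  With no registered ancestor at all the thread starts
    from the empty general enforcement file of FIG. 2, i.e. no access.
    """
    seen = set()
    current = image
    while current is not None and current not in seen:   # guard against cycles
        seen.add(current)
        if current in registered:
            return current, deepcopy(registered[current])
        current = parent_of.get(current)
    return None, {}


def grant(profile, directory, level):
    """Learn-mode update (step 38), applied to the working copy only."""
    profile.setdefault(directory.lower(), set()).add(level)
```

A helper two levels below the browser (plugin-helper.exe) still ends up under the browser's file, and an image nobody registered and nobody called gets nothing.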
  • Applets can be written to download from the Internet without the knowledge of the user, for example when accessing a particular website.
  • Such applets scan the disk for confidential information such as credit card numbers, or wait for the user to enter such information for some other purpose, and then pass the information to a specific site at some time when the owner is connected to the Internet, again without the user being aware that anything untoward has occurred.
  • The present invention deals with this problem by providing an embodiment, a flow diagram of which is shown in FIG. 4, which examines every data packet that is sent out from the computer against a database of confidential information.
  • The computer is assumed to use a standard Internet protocol package which arranges all of the data to be sent out in the form of data packets, 40.
  • The embodiment checks each packet as it goes out, 42. If the data packet is found to contain a match with any of the entries in the database, 44, then the application is stopped, either permanently or until the user responds to a prompt. If the packet is not determined to contain confidential information then the communication is allowed to continue. Obtaining the contents of data packets before they are sent out of the computer using some form of Internet Protocol is a problem that is easily solved by the skilled man.
  • Data packets coming into the computer may also all be read to check for the same confidential information, as a match would indicate that the data has already escaped from the computer.
  • The earlier embodiments of the invention can also be relied upon to prevent such rogue applets from working when they try to read parts of the system hard drive to which the program within which they are operating does not have access rights.
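The FIG. 4 outbound check, as an added Python example that is not the patent's own code. The flow identifiers and the confidential items are constructed placeholders. It goes beyond the per-packet match the page describes in one respect: the tail of the previous payload on the same flow is carried forward, so a value split across two packets is still caught. The inbound check the page mentions is included as well.

```python
"""Outbound packet check against a database of confidential items (FIG. 4)."""

# Constructed database of confidential items (placeholder values, not real data).
CONFIDENTIAL = [b"4111111111111111", b"hunter2-passphrase"]


class EgressFilter:
    """Examines each outbound payload, per flow.

    A secret that straddles two packets is still found because the last
    len(longest item) - 1 bytes of the previous payload are prepended to the
    next one (an addition over the page's per-packet description).  Matching is
    on the bytes as handed to the protocol stack, so data the application has
    already encrypted or encoded before sending is not seen.
    """

    def __init__(self, items):
        self.items = [i for i in items if i]
        self.keep = max((len(i) for i in self.items), default=1) - 1
        self.tails = {}        # flow id -> trailing bytes of the last payload
        self.blocked = set()   # flows whose application has been stopped

    def check(self, flow, payload):
        """Return 'allow' or 'block' for one outbound payload (steps 42/44).

        Once a flow has leaked it stays blocked until release() is called,
        mirroring "stopped ... until the user responds to a prompt".
        """
        if flow in self.blocked:
            return "block"
        window = self.tails.get(flow, b"") + payload
        for item in self.items:
            if item in window:
                self.blocked.add(flow)
                self.tails.pop(flow, None)
                return "block"
        self.tails[flow] = window[-self.keep:] if self.keep else b""
        return "allow"

    def release(self, flow):
        """The user answered the prompt and let the application continue."""
        self.blocked.discard(flow)

    def inbound(self, payload):
        """Inbound check: a match means the data has already escaped."""
        return any(item in payload for item in self.items)
```

The window is kept per flow, so a value split across two different connections is not correlated; a database of secrets held in clear for matching is itself something the design has to protect.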

Abstract

The invention contains an application operating environment in which acceptable and/or suspect activities may be defined for an application so that unacceptable application behavior can be prevented. This is done by providing a definition table identifying the types of access and actions that the application is allowed and preventing it from carrying out other types of access and actions. The definition table may be built up using a learning process during use of the application. The environment also provides a means of checking information output to a network against a list of confidential information.

Description

    REFERENCE TO RELATED APPLICATIONS
  • This application is a continuation of U.S. patent application Ser. No. 08/937,883, filed Sep. 25, 1997, entitled SOFTWARE APPLICATION ENVIRONMENT, the contents of which are incorporated by reference.
  • FIELD OF THE INVENTION
  • The present invention relates to controlling application software and more particularly but not exclusively to countermeasures that may be applied to deal with applications or applets and the like that are downloaded from other computers and from the Internet.
  • BACKGROUND OF THE INVENTION
  • Recent years have seen the rapid growth of the Internet. Many developments have come together to produce the Internet that we know today, and one of them is the use of applets, written in languages such as Java, which are executable programs that can be run by a web browser. In addition, faster modems have led to shorter downloading times. This has led to a growth in the downloading of programs in general directly from the Internet. The Internet is eminently suitable for such use, and one of the reasons why such use is not widespread is that people are afraid to use the Internet. This is for two main reasons. The first is that they are afraid of downloading software whose behavior is not known or that may contain viruses. The second is that they are afraid that confidential information, such as credit card numbers and the like, may somehow be made available to parties other than the intended recipients.
  • In regard to viruses, programs have been around for many years that detect the presence of viruses, and either delete the viruses themselves, or delete the infected file. These programs depend on recognizing specific virus programs or on recognizing strings of program code that look as though they might have the potential to carry out activities normally associated with viruses. In order to overcome the virus detection programs more recent viruses have been designed to introduce changes to themselves when they replicate so that they do not fit in with any template or pattern that the virus detector might be using. Furthermore a virus detection program has only a limited chance of detecting a virus that was not known about when the detection program was written, especially if the way in which the virus was written is radically different from previous viruses, as occasionally happens. Furthermore virus detection programs are generally ineffective at detecting viruses that are written as macros within programs.
  • In any case it cannot be guaranteed that conventional countermeasures will work against all viruses, and the fear of computer viruses has been a serious impediment to the development of the Internet.
  • Virus detection programs also cannot detect what are known as “vandals”. “Vandals” differ from viruses in that they are complete programs that are executable in themselves, as opposed to viruses, which cannot work by themselves and need to infect host programs in order to be able to replicate and cause damage. Vandals are programs that carry out activities outside the range of expectations of the user. For example they may damage or delete other files or interfere with the operation of other programs. Internet style applets make ideal vandals as they can often be downloaded from the internet through one's web browser without the user even being aware of its presence.
  • The theft of confidential information is another task that vandals can carry out. The vandal applet is downloaded from the internet without the knowledge of the user and begins to scan the disk for the confidential information, or wait for the user to enter such information for some other purpose. It then passes the information to a specific site at some time that the user is connected to the Internet, again without the user being aware that anything untoward has occurred.
  • The reason that anti-virus programs have difficulty in detecting vandal programs is that they are not viruses and indeed lack many of the fundamental features of viruses, that is to say they do not replicate and they do not modify existing files as they infect them. Furthermore the preparation of a reliable anti-vandal program is problematic because it is difficult to lay down precise criteria to enable a computer program to distinguish between a wanted applet and a vandal.
  • SUMMARY OF THE INVENTION
  • It is an object of the present invention to improve the confidence of the user in the Internet. Ideally confidence should be raised sufficiently that users are happy to use the internet for business purposes.
  • According to a first aspect of the present invention there is provided apparatus for ensuring the integrity of computer applications to be run in association with a computer having data storage arranged sectorwise in a storage device, comprising an identifier for identifying an application to be run, a listing associated with at least one of the applications to be run, the listing identifying different sectors of the storage device and associating with each identified sector an access level required by the application, and an enforcement device, for prohibiting the at least one application from accessing an identified sector of the storage device at any level higher than the associated required access level.
  • According to a second aspect of the invention there is provided apparatus for ensuring the integrity of computer applications to be run in association with a computer having data storage arranged sectorwise in a storage device. The Apparatus comprises an identifier for identifying an application to be run, a listing associated with at least one of the applications to be run, the listing identifying different sectors of the storage device and associating with each identified sector an access level, an enforcement device, for preventing the at least one application from accessing an identified sector of the storage device at any level higher than the associated access level, and a query device, for identifying when an attempt to access a sector of the storage device has been prevented by the enforcement device, querying the attempt with the user, or against a predefined configuration, and if found acceptable then including the higher level of access in the listing.
  • In embodiments the step of querying may only be carried out for a limited period of time. This may be literally a predetermined time from installation of any given program or it may be a predetermined time measured only whilst the new program is running. Alternatively a program may be run in this learning mode until the next occasion upon which the computer is reset. Then again in one embodiment a predetermined number of operations of the new program is counted through, and once that number is reached learning mode is ended. Other forms of limitation of the learning mode will suggest themselves to the skilled person and all of these are viable alternatives that could provide useful embodiments of the invention. As an alternative it is possible not to set a limit on the length of the learning mode.
  • According to a third aspect of the present invention there is provided apparatus for ensuring the integrity of computer applications to be run in association with a computer having data storage arranged sectorwise in a storage device, comprising an identifier for identifying at least one application to be run, the at least one application being adapted to call at least one other application to run, a listing associated with at least one of the applications to be run, the listing identifying different sectors of the storage device and associating with each identified sector an access level required by the application, an enforcement device, for prohibiting the at least one application from accessing an identified sector of the storage device at any level higher than the associated required access level, and wherein the identifier is adapted firstly to identify a listing associated with the at least one other application for use with the enforcement device, and if such a listing cannot be found then identifying a listing associated with the at least one application for use with the enforcement device.
  • According to a fourth aspect of the present invention there is provided a computer connected to a network, the computer comprising a storage device for storing data, a transmission device for sending data from the computer to the network, a listing of controlled data which should not be sent to the network, a comparison device adapted to compare data sent to the transmission device with the controlled data, and a prevention device for preventing data corresponding to the controlled data being sent automatically to the network.
  • In embodiments, any of the above aspects may be combined with apparatus for downloading data from identifiable sites in a network to a computer. The data may comprise a plurality of types of data, including executable program data. The apparatus comprises a list of known sites, checking means for comparing a source of any downloaded material with said list, and prevention means, for preventing execution of executable program data that does not come from a site on the list, or alternatively that does come from said list. In embodiments, means may be provided for modifying the list.
  • Embodiments may further comprise override means adapted to allow an operator to override the enforcement or prevention devices.
  • Embodiments of the invention may comprise any combination of the above five aspects.
  • It is noted that throughout the specification and claims the term “data” includes, but is not limited to, any information or executable instructions. It is further noted that throughout the specification and claims the terms “sector” and “sectorwise” may refer to physical locations or logical locations such as directories. It is further noted that throughout the specification and claims the term “storage” may refer to either volatile or non-volatile storage.
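The known-sites check for downloaded executables, as an added Python example that is not the patent's own code, in both the allow-list and the block-list form the summary mentions. The site names and URLs are constructed. It compares whole hostnames rather than substrings, so a listed name that appears in a query string, in the userinfo part of a URL, or as the prefix of an unrelated domain does not count as a match.

```python
"""Gate execution of downloaded executables on the source site."""
from urllib.parse import urlsplit


def source_host(url):
    """Hostname of a download source, lower-cased, without port or userinfo.

    Returns None for anything that is not a network URL, so the caller
    fails closed rather than treating an odd scheme as a known site.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https", "ftp") or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def host_on_list(host, sites):
    """True if host is a listed site or a subdomain of one (dot-boundary match)."""
    return any(host == s or host.endswith("." + s) for s in sites)


class DownloadPolicy:
    def __init__(self, sites, mode="allow"):
        # mode="allow": only listed sites may supply executables.
        # mode="block": listed sites may not (the page's "alternatively").
        assert mode in ("allow", "block")
        self.sites = {s.lower().rstrip(".") for s in sites}
        self.mode = mode

    def add_site(self, site):
        """The page's 'means for modifying the list'."""
        self.sites.add(site.lower().rstrip("."))

    def may_execute(self, url, executable=True):
        if not executable:          # only executable program data is gated
            return True
        host = source_host(url)
        if host is None:
            return False
        listed = host_on_list(host, self.sites)
        return listed if self.mode == "allow" else not listed
```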
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • For a better understanding of the invention and to show how the same may be carried into effect, reference will now be made, purely by way of example, to the accompanying drawings in which,
  • FIG. 1 is a flow chart of the operation of a first embodiment of the invention,
  • FIG. 2 is a flow chart of the operation of a second embodiment of the invention,
  • FIG. 3 is a flow chart of the operation of a third embodiment of the invention, and
  • FIG. 4 is a flow chart of the operation of a fourth embodiment of the invention.
  • DESCRIPTION OF THE PREFERRED EMBODIMENTS
  • FIG. 1 is a flow chart of a first embodiment of the present invention which is operable to control application software. A computer may have numerous applications which can be run, some being widely available computer programs whose behavior is well documented, and some may be customized software whose behavior is not well understood or which has not been well tested. Some of these applications may have been downloaded from unreliable sources and some may be present without the knowledge of the user. In some cases the programs may be “vandal” programs of the type discussed above. Vandal programs are for example rogue applets that attempt to access areas of the hard drive where damage can be done and where applets in general would not normally need to have access.
  • The present invention is thus operable to provide sets of parameters in which each individual program is allowed to operate. In order to determine whether a particular application is operating normally, embodiments of the present invention use, or create and use, a listing of activities that the application may wish to carry out. This listing is alternatively referred to herein as the application's predefined set. The activities are either permitted or forbidden, depending on whether they are part of the predefined set. The listing may be used to validate operations that the program tries to carry out. If the operation is not one that the listing permits then either the user is alerted to give specific permission or the operation is stopped altogether.
  • The listing used need not be an exhaustive listing of the operation of the program. It only need list those operations that are relevant to suspect or forbidden activity, which would typically involve attempts to access different parts of the system hard drive and write or delete data from the area accessed, or execute programs located within the area accessed. Table 1 below is a listing of levels of access that a typical application program might be given, to different parts of the system hard drive. The table is drawn up for Netscape Navigator, operating under the Windows operating system. This is a program which requires a relatively high level of access to different areas of the system hard drive. Nevertheless its profile is readily distinguishable from that of most suspect or forbidden activity. It will be apparent that the predefined set is a list of directories on the system hard drive, and associated with each such directory is a list of access levels that may be allowed with that directory.
    TABLE 1
    Predefined set for Netscape Navigator

    Directory/location                 Level of Authorization
    Windows Path                       Read, write, create, execute, delete
    Windows/command path               Read, create, execute
    Environment Variable: Temp, Tmp    Read, write, create, execute, delete
    Environment Variable: Path         Read, create, execute
    Product Path                       Read, write, create, execute, delete
    Product/Data Path                  Read, write, create
    WindowsPath/Sysbckup               Read, write, create, execute, delete
    WindowsPath/help                   Read, write, create, execute
    Recycle Bin directories            Read, write, create, execute, delete
    Application path                   Read, write, create, execute, delete
    Application cache                  Read, write, create, execute, delete
    WindowsPath/fonts                  Read, write, create, execute
  • An enforcement file is drawn up using a table such as table 1. When the application is run, disk access requests may be checked against the enforcement file. If the type of disk access is not allowed by the enforcement file then either the operation is stopped, the user is prompted to give specific permission, or a pre-defined automatic response may occur. The enforcement file may be automatically updated based on the nature of the application's request and the subsequent response.
  • It is possible to draw up a series of enforcement files for popular products and to ship them as part of a package incorporating an embodiment of the invention. The package may then identify the installed products as part of, or following, a booting operation of the computer. The relevant enforcement file may then be called up as the products are run. Searching for a given application may be carried out by looking in the system registry. Alternatively it may be necessary to make a more general search of the hard drive, as is well known to those skilled in the art.
  • Instead of carrying out a product identification operation in association with booting of the computer, it may be carried out following given events such as installing a new product or upon finishing an Internet session, with an appropriate predefined set selected for each application identified.
  • Alternatively the user may not wish to have the invention operating on his computer at all times. Manual activation may thus be provided. The general operation of this embodiment is as shown in FIG. 1 which is a flow diagram showing how an embodiment may be installed on a computer 10, may be manually activated 12, or may automatically be led to detect installed software 14 and may see that the details of the enforcement file, or sandbox, are adhered to 16. At the next computer boot 18 the embodiment returns to the detection step 14.
  • In the event that an enforcement file is not available, an embodiment of the invention, whose flow diagram is shown in FIG. 2, has a so-called learn mode. In this mode a new program is assigned a general enforcement file. The general enforcement file gives the program no access rights at all to files on the system disk. The program then attempts to make a file access 20. Provided the access attempt is within certain parameters the system allows the attempt and learns the details so that in future an access to that area of the disk will always be allowed. Thus a specific enforcement file is gradually built up over the duration of the learn mode. The specific enforcement file is then consulted 22, in future access attempts, to decide whether the program has rights to access the required part of the system disk at the requested level. If the answer is yes the program continues in the normal way, 24. However, as the program attempts to access areas to which it does not have rights, 26, the user is prompted to give specific permission. The user may grant the level of access for the specific session only or he may grant it permanently. Alternatively an automatic learn mode may be configured, in which any but the most drastic levels of access are granted to the program. Learn mode may be set up only for a specific session or the user may wish to have the program run continuously in learn mode. A specific enforcement file is built up, as mentioned above, based on the instances of specific permission being given, and the profile of the new application is thus gradually learnt. It will be appreciated that the automatic version of learn mode is best run only for specific sessions; otherwise no real program profile is enforced.
  • The use of profiles to spot vandal activity depends on knowing exactly which program is running at any one time. But many programs are able to call up other programs (daughter applications) as part of their own operation. The embodiment of the invention shown in FIG. 3 therefore keeps track of the hierarchy of programs which are operating. The hierarchy, or thread, is first detected, 30. The embodiment checks to see if the thread itself is registered, 32. If the daughter application has its own enforcement file then that is used, 34. If it does not then the thread is assigned the enforcement file of the parent application, 36. This is then modified in exactly the same way as the general enforcement file of a new application 38.
  • An example of the kind of hierarchy involved in the above is a web browser such as Netscape calling up an audio player such as Real Audio to play a sound file, a task that it is not able to carry out itself. Although Real Audio is a self-contained application with its own enforcement file, it will not obtain the rights of its own enforcement file but rather those of the web browser that called it.
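The predefined set of Table 1, the check of each disk access against the enforcement file, the learn mode of FIG. 2 and the parent-to-child inheritance of FIG. 3 can be put together in one small model. The following is an added example written for this page, not code from the patent; the class names, the sample directories standing in for the Table 1 placeholders, the choice that the deepest matching directory rule decides, the treatment of delete and execute as the "most drastic" levels, and the choice that an unknown program starts in automatic learn mode are all assumptions.

```python
from copy import deepcopy
from pathlib import PureWindowsPath

# Assumption: the "most drastic" levels, which automatic learn mode never grants on its own.
DRASTIC = {"delete", "execute"}


class EnforcementFile:
    """One application's predefined set: directory -> allowed access levels, as in Table 1.
    Compared as Windows paths (case-insensitive); a rule covers its directory and everything below."""
    def __init__(self, rules=None):
        self.rules = {PureWindowsPath(d): set(levels) for d, levels in (rules or {}).items()}

    def allow(self, directory, level):
        self.rules.setdefault(PureWindowsPath(directory), set()).add(level)

    def permits(self, path, level):
        p = PureWindowsPath(path)
        covering = [d for d in self.rules if d == p or d in p.parents]
        if not covering:
            return False  # nothing covers the path: the general file gives no rights at all
        # Assumption: the deepest covering rule decides, so a narrow grant cannot widen a parent's.
        return level in self.rules[max(covering, key=lambda d: len(d.parts))]


class Monitor:
    """Checks each access request of a running program against its enforcement file (FIGS. 1-3)."""
    def __init__(self, files, prompt=lambda app, path, level: None):
        self.files = dict(files)  # program -> EnforcementFile (shipped, learnt or inherited)
        self.session = {}         # program -> EnforcementFile of grants valid for this session only
        self.learning = set()     # programs running in automatic learn mode
        self.prompt = prompt      # asks the user; returns None (deny), "session" or "permanent"

    def start(self, app, parent=None):
        """Register a program; an unregistered child gets a copy of its parent's file (FIG. 3)."""
        if app in self.files:
            return
        if parent in self.files:
            self.files[app] = deepcopy(self.files[parent])
        else:  # assumption: an unknown program starts with the general file in automatic learn mode
            self.files[app] = EnforcementFile()
            self.learning.add(app)

    def request(self, app, path, level):
        """Decide one attempt to access a file at the given level: 'allowed' or 'blocked'."""
        self.start(app)
        target = PureWindowsPath(path).parent  # grants are recorded per directory, as in Table 1
        permanent = self.files[app]
        session = self.session.setdefault(app, EnforcementFile())
        if permanent.permits(path, level) or session.permits(path, level):
            return "allowed"
        if app in self.learning and level not in DRASTIC:
            permanent.allow(target, level)  # learnt: this area is allowed from now on
            return "allowed"
        answer = self.prompt(app, path, level)
        if answer in ("session", "permanent"):
            (permanent if answer == "permanent" else session).allow(target, level)
            return "allowed"
        return "blocked"


# Constructed stand-in for part of Table 1, with the Windows Path and Product Path placeholders resolved.
NETSCAPE = EnforcementFile({
    r"C:\Windows": {"read", "write", "create", "execute", "delete"},
    r"C:\Windows\command": {"read", "create", "execute"},
    r"C:\Windows\help": {"read", "write", "create", "execute"},
    r"C:\Program Files\Netscape\Users": {"read", "write", "create"},
})


def demo():
    """Walk the embodiments with a prompt that always denies; returns (monitor, verdicts)."""
    m = Monitor({"netscape": NETSCAPE})
    verdicts = [
        m.request("netscape", r"C:\Windows\help\netscape.hlp", "write"),   # in the predefined set
        m.request("netscape", r"C:\Windows\help\netscape.hlp", "delete"),  # help rule has no delete
        m.request("netscape", r"C:\Autoexec.bat", "write"),               # no rule covers the root
    ]
    m.start("player", parent="netscape")  # helper with no file of its own inherits the browser's
    verdicts.append(m.request("player", r"C:\Windows\help\player.hlp", "write"))
    verdicts.append(m.request("newtool", r"C:\Tools\out.txt", "write"))   # unknown program: learnt
    verdicts.append(m.request("newtool", r"C:\Tools\out.txt", "delete"))  # drastic: prompted, denied
    return m, verdicts
```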
  • A further problem with the Internet environment is that applets can be written to download from the Internet without the knowledge of the user when for example accessing a particular website. The applets scan the disk for confidential information such as credit card numbers, or wait for the user to enter such information for some other purpose, and then they pass the information to a specific site at some time that the owner is connected to the Internet, again without the user being aware that anything untoward has occurred.
  • The present invention deals with this problem by providing an embodiment, a flow diagram of which is shown in FIG. 4, which examines every data packet that is sent out from the computer against a database of confidential information. The computer is assumed to use a standard Internet protocol package which arranges all of the data to be sent out in the form of data packets, 40. The embodiment checks each packet as it goes out, 42. If the data packet is found to contain a match with any of the entries in the database, 44, then the application is stopped, either permanently or until the user responds to a prompt. If the packet is not determined to have confidential information then of course the communication is allowed to continue. Obtaining the contents of data packets before they are sent out of the computer using some form of Internet Protocol is a problem that is easily solved by the skilled person. In a more advanced embodiment all data packets coming into the computer are also read to check for the same confidential information, since such a match would indicate that the data has already escaped from the computer. In some cases the earlier embodiments of the invention can also be relied upon to prevent such rogue applets from working when they try to read parts of the system hard drive to which the program within which they are operating does not have access rights.
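The outbound check of FIG. 4, as an added example for this page rather than the patent's own code; the database entries, packet contents and the EgressMonitor and Verdict names are all constructed here. It goes a little beyond the per-packet check in the text by keeping the end of each flow's previous packet, so a value split across two packets is still matched, and it also covers the inbound variant.

```python
import re
from dataclasses import dataclass, field

# Constructed confidential-information database (hypothetical values, not real credentials).
CONFIDENTIAL = {
    "card number": "4111 1111 1111 1111",
    "account id": "ACCT-DEMO-7731",
}


def normalize(text):
    """Fold case and drop whitespace and hyphens so '4111 1111 ...' and '4111-1111-...' compare equal."""
    return re.sub(r"[\s\-]+", "", text).lower()


@dataclass
class Verdict:
    allow: bool
    matches: list = field(default_factory=list)
    reason: str = ""


class EgressMonitor:
    """Checks every packet leaving (or entering) the computer against the database, FIG. 4 style."""
    def __init__(self, database):
        self.entries = {name: normalize(value) for name, value in database.items()}
        self.max_len = max(len(v) for v in self.entries.values())
        self.tail = {}        # flow -> end of its previous packet, so a value split across packets is caught
        self.stopped = set()  # applications stopped after a match, until the user responds

    def inspect(self, flow, app, payload, direction="out"):
        """Return a Verdict for one packet of the given flow, sent by the given application."""
        if app in self.stopped:
            return Verdict(False, [], f"{app} stopped pending user response")
        window = self.tail.get(flow, "") + normalize(payload.decode("latin-1"))
        self.tail[flow] = window[-(self.max_len - 1):] if self.max_len > 1 else ""
        hits = [name for name, value in self.entries.items() if value in window]
        if not hits:
            return Verdict(True, [], "no confidential data")
        if direction == "out":
            self.stopped.add(app)
            return Verdict(False, hits, "outbound packet contains confidential data")
        return Verdict(False, hits, "inbound packet echoes confidential data: it has already escaped")

    def resume(self, app):
        """The user answered the prompt and allowed the application to continue."""
        self.stopped.discard(app)


def demo():
    """Constructed traffic: an applet posts the card number split across two packets."""
    mon = EgressMonitor(CONFIDENTIAL)
    packets = [
        ("flow-1", "applet", b"POST /collect HTTP/1.0\r\n\r\nuser=alice&card=4111 1111 11"),
        ("flow-1", "applet", b"11 1111&note=ok\r\n"),         # completes the number from packet 1
        ("flow-2", "browser", b"GET /news HTTP/1.0\r\n\r\n"),  # unrelated application is unaffected
        ("flow-1", "applet", b"GET /done HTTP/1.0\r\n\r\n"),   # applet stays stopped until resumed
    ]
    return [mon.inspect(flow, app, payload) for flow, app, payload in packets]
```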
  • It is appreciated that various features of the invention which are, for clarity, described in the contexts of separate embodiments may also be provided in combination in a single embodiment. Conversely, various features of the invention which are, for brevity, described in the context of a single embodiment may also be provided separately or in any suitable subcombination.
  • It will be appreciated by persons skilled in the art that the present invention is not limited to what has been particularly shown and described hereinabove. Rather, the scope of the present invention is defined only by the claims that follow:

Claims (17)

1. A method for blocking forbidden access behavior of a program, the method comprising:
providing a list of access permissions of said program to sectors of data storage;
monitoring requests of said program to access data storage; and
upon receiving an indication from said monitoring of a request to access a sector of data storage which is forbidden according to said list, blocking said request.
2. A method according to claim 1, wherein said monitoring includes monitoring requests of a child application of said program to access data storage.
3. A method according to claim 1, further comprising amending said list by a user thereof.
4. A method according to claim 1, wherein said list includes at least one allowed access permission.
5. A method according to claim 1, wherein said list includes at least one forbidden access permission.
6. A method according to claim 1, wherein said list includes a plurality of access level permissions.
7. A method according to claim 1, wherein said data storage is a path.
8. A method according to claim 1, wherein said data storage is a file.
9. A method according to claim 1, wherein said access requests are stored in communication packets.
10. A method according to claim 1, wherein said data storage is volatile.
11. A method according to claim 1, wherein said data storage is non-volatile.
12. A method according to claim 1, wherein said data storage is a physical location.
13. A method according to claim 1, wherein said data storage is a logical location.
14. A method according to claim 1, wherein said requests include requests to access data storage areas on a remote computer.
15. A method according to claim 1, wherein said requests to access data storage include requests to download data via the Internet.
16. A method according to claim 1, further comprising the step of automatically updating said list.
17. A method according to claim 1, wherein said blocking said request also comprises:
prompting a user of said program to allow said forbidden access; and
upon receipt of permission from said user, processing said request.

Priority Applications (1)

Application Number Priority Date Filing Date Title
US11/389,305 US20060179434A1 (en) 1997-09-25 2006-03-27 Software application environment

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US08/937,883 US7047369B1 (en) 1997-09-25 1997-09-25 Software application environment
US11/389,305 US20060179434A1 (en) 1997-09-25 2006-03-27 Software application environment

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US08/937,883 Continuation US7047369B1 (en) 1997-09-25 1997-09-25 Software application environment

Publications (1)

Publication Number Publication Date
US20060179434A1 true US20060179434A1 (en) 2006-08-10

Family

ID=36318299

Family Applications (2)

Application Number Title Priority Date Filing Date
US08/937,883 Expired - Fee Related US7047369B1 (en) 1997-09-25 1997-09-25 Software application environment
US11/389,305 Abandoned US20060179434A1 (en) 1997-09-25 2006-03-27 Software application environment

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US08/937,883 Expired - Fee Related US7047369B1 (en) 1997-09-25 1997-09-25 Software application environment

Country Status (1)

Country Link
US (2) US7047369B1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7266817B1 (en) * 2000-12-21 2007-09-04 Emc Corporation Method and system for creating packages for multiple platforms
CN111198794A (en) * 2018-11-20 2020-05-26 百度在线网络技术(北京)有限公司 Browsing behavior data acquisition method and device based on list control

Families Citing this family (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7356847B2 (en) * 1996-06-28 2008-04-08 Protexis, Inc. System for dynamically encrypting content for secure internet commerce and providing embedded fulfillment software
US7770230B2 (en) * 2002-04-22 2010-08-03 Arvato Digital Services Canada, Inc. System for dynamically encrypting content for secure internet commerce and providing embedded fulfillment software
US9219755B2 (en) 1996-11-08 2015-12-22 Finjan, Inc. Malicious mobile code runtime monitoring system and methods
US8079086B1 (en) 1997-11-06 2011-12-13 Finjan, Inc. Malicious mobile code runtime monitoring system and methods
US7058822B2 (en) 2000-03-30 2006-06-06 Finjan Software, Ltd. Malicious mobile code runtime monitoring system and methods
US7047369B1 (en) * 1997-09-25 2006-05-16 Aladdin Knowledge Systems Ltd. Software application environment
US20020178375A1 (en) * 2001-01-31 2002-11-28 Harris Corporation Method and system for protecting against malicious mobile code
US7162715B1 (en) * 2002-03-16 2007-01-09 I-Squared, Inc. Method and apparatus for preemptive monitoring of software binaries by instruction interception and dynamic recompilation
WO2003096136A2 (en) * 2002-05-10 2003-11-20 Protexis Inc. System and method for multi-tiered license management and distribution using networked clearinghouses
US20060130016A1 (en) * 2003-03-17 2006-06-15 Wagner John R Method of kernal-mode instruction interception and apparatus therefor
US7568229B1 (en) * 2003-07-01 2009-07-28 Symantec Corporation Real-time training for a computer code intrusion detection system
US7406714B1 (en) 2003-07-01 2008-07-29 Symantec Corporation Computer code intrusion detection system based on acceptable retrievals
US7343620B2 (en) * 2003-08-13 2008-03-11 International Business Machines Corporation Method and apparatus for adopting authorizations
US8046374B1 (en) 2005-05-06 2011-10-25 Symantec Corporation Automatic training of a database intrusion detection system
IL177429A0 (en) * 2006-08-10 2007-07-04 Univ Ben Gurion A system that provides early detection, alert, and response to electronic threats
US8126988B2 (en) * 2007-10-22 2012-02-28 International Business Machines Corporation Public status determination and security configuration of a browser
US8161526B2 (en) * 2007-10-22 2012-04-17 International Business Machines Corporation Protecting sensitive information on a publicly accessed data processing system
US8171554B2 (en) * 2008-02-04 2012-05-01 Yuval Elovici System that provides early detection, alert, and response to electronic threats
US7539839B1 (en) 2008-06-30 2009-05-26 International Business Machines Corporation Method to test error recovery with selective memory allocation error injection
LU92657B1 (en) * 2015-02-16 2016-08-17 Universität des Saarlandes Mining sandboxes

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5144660A (en) * 1988-08-31 1992-09-01 Rose Anthony M Securing a computer against undesired write operations to or read operations from a mass storage device
US5278901A (en) * 1992-04-30 1994-01-11 International Business Machines Corporation Pattern-oriented intrusion-detection system and method
US5511184A (en) * 1991-04-22 1996-04-23 Acer Incorporated Method and apparatus for protecting a computer system from computer viruses
US5768373A (en) * 1996-05-06 1998-06-16 Symantec Corporation Method for providing a secure non-reusable one-time password
US5859966A (en) * 1995-10-10 1999-01-12 Data General Corporation Security system for computer systems
US5974549A (en) * 1997-03-27 1999-10-26 Soliton Ltd. Security monitor
US5987611A (en) * 1996-12-31 1999-11-16 Zone Labs, Inc. System and methodology for managing internet access on a per application basis for client computers connected to the internet
US6167522A (en) * 1997-04-01 2000-12-26 Sun Microsystems, Inc. Method and apparatus for providing security for servers executing application programs received via a network
US6166650A (en) * 1991-05-29 2000-12-26 Microchip Technology, Inc. Secure self learning system
US6275938B1 (en) * 1997-08-28 2001-08-14 Microsoft Corporation Security enhancement for untrusted executable code
US6351816B1 (en) * 1996-05-30 2002-02-26 Sun Microsystems, Inc. System and method for securing a program's execution in a network environment
US7047369B1 (en) * 1997-09-25 2006-05-16 Aladdin Knowledge Systems Ltd. Software application environment

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2629231A1 (en) 1988-03-24 1989-09-29 Salzmann Jean Loup Device for protecting computers against malevolent programs known as "viruses"
US5121345A (en) * 1988-11-03 1992-06-09 Lentz Stephen A System and method for protecting integrity of computer data and software
WO1993009498A1 (en) 1991-10-28 1993-05-13 Sung Moo Yang Method and system protecting data in storage device against computer viruses
US5421006A (en) * 1992-05-07 1995-05-30 Compaq Computer Corp. Method and apparatus for assessing integrity of computer system software
DE4225345A1 (en) 1992-07-31 1994-02-03 Igor Dipl Ing Drozd Computer virus and sabotage program detecting method - using sequence of tests to identify if request for operation is valid and provides blocking and warning indication if not
US5440723A (en) * 1993-01-19 1995-08-08 International Business Machines Corporation Automatic immune system for computers and computer networks
JP4145365B2 (en) 1994-08-03 2008-09-03 株式会社野村総合研究所 File access control device
US5684875A (en) * 1994-10-21 1997-11-04 Ellenberger; Hans Method and apparatus for detecting a computer virus on a computer
US5793972A (en) * 1996-05-03 1998-08-11 Westminster International Computers Inc. System and method providing an interactive response to direct mail by creating personalized web page based on URL provided on mail piece

Also Published As

Publication number Publication date
US7047369B1 (en) 2006-05-16

Legal Events

Date Code Title Description
STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION