WO2002019076A3 - Hybrid privilege enforcement in a restricted execution environment - Google Patents

Hybrid privilege enforcement in a restricted execution environment

Info

Publication number
WO2002019076A3
Authority
WO
WIPO (PCT)
Prior art keywords
enforcement
trust state
execution environment
access
resources
Prior art date
Application number
PCT/US2001/041732
Other languages
French (fr)
Other versions
WO2002019076A2 (en)
Inventor
Spiro Michaylov
Murray S Mazer
David A Kranz
Original Assignee
Curl Corp
Priority date
2000-08-31
Filing date
2001-08-15
Publication date
2003-09-18
Application filed by Curl Corp
Priority to AU2001285441A
Publication of WO2002019076A2
Publication of WO2002019076A3

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/44 Arrangements for executing specific programs
    • G06F 9/445 Program loading or initiating
    • G06F 9/44521 Dynamic linking or loading; Link editing at or after load time, e.g. Java class loading
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F 21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 8/00 Arrangements for software engineering
    • G06F 8/40 Transformation of program code
    • G06F 8/54 Link editing before load time
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/46 Multiprogramming arrangements
    • G06F 9/468 Specific access rights for resources, e.g. using capability register
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/44 Arrangements for executing specific programs
    • G06F 9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F 9/45504 Abstract machines for programme code execution, e.g. Java virtual machine [JVM], interpreters, emulators
    • G06F 9/45529 Embedded in an application, e.g. JavaScript in a Web browser

Abstract

A system and method for static and dynamic enforcement of access to resources through a runtime engine allows optimal selection of the enforcement method to improve the performance, security, and maintainability of an execution environment. A trust state indicative of permitted resources is defined. Access to resources is provided by invoking particular function instantiations in the runtime engine. Binding of an executable entity to instantiations in the runtime engine occurs selectively during static enforcement, based on the trust state. Runtime checks of the trust state by the executable entity occur during dynamic enforcement. If the trust state does not correspond to a desired resource, access to that resource is prevented.

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2001285441A AU2001285441A1 (en) 2000-08-31 2001-08-15 Hybrid privilege enforcement in a restricted execution environment

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US22948100P 2000-08-31 2000-08-31
US60/229,481 2000-08-31
US67103400A 2000-09-27 2000-09-27
US09/671,034 2000-09-27

Publications (2)

Publication Number Publication Date
WO2002019076A2 (en) 2002-03-07
WO2002019076A3 (en) 2003-09-18

Family

ID=26923333

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2001/041732 WO2002019076A2 (en) 2000-08-31 2001-08-15 Hybrid privilege enforcement in a restricted execution environment

Country Status (2)

Country Link
AU (1) AU2001285441A1 (en)
WO (1) WO2002019076A2 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8245270B2 (en) 2005-09-01 2012-08-14 Microsoft Corporation Resource based dynamic security authorization
US8112745B2 (en) 2006-03-22 2012-02-07 Honeywell International Inc. Apparatus and method for capabilities verification and restriction of managed applications in an execution environment
US10019570B2 (en) 2007-06-14 2018-07-10 Microsoft Technology Licensing, Llc Protection and communication abstractions for web browsers
EP2312485B1 (en) 2009-08-31 2018-08-08 BlackBerry Limited System and method for controlling applications to mitigate the effects of malicious software

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO1996007961A1 (en) * 1994-09-09 1996-03-14 Cheyenne Advanced Technology Limited Method of operating a computer system
US5987608A (en) * 1997-05-13 1999-11-16 Netscape Communications Corporation Java security mechanism

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
DIETMULLER P R: "VIRUS PROTECTION USING DYNAMIC LINKING", MICROPROCESSING AND MICROPROGRAMMING, ELSEVIER SCIENCE PUBLISHERS, BV., AMSTERDAM, NL, vol. 40, no. 9, 1 November 1994 (1994-11-01), pages 599 - 604, XP000483399, ISSN: 0165-6074 *
PARDYAK P ET AL: "DYNAMIC BINDING FOR AN EXTENSIBLE SYSTEM", OPERATING SYSTEMS REVIEW (SIGOPS), ACM HEADQUARTER. NEW YORK, US, vol. 30, no. SPECIAL ISSUE, 21 December 1996 (1996-12-21), pages 201 - 212, XP000643513 *

Also Published As

Publication number Publication date
WO2002019076A2 (en) 2002-03-07
AU2001285441A1 (en) 2002-03-13

Similar Documents

Publication Publication Date Title
EP2429148A3 (en) Contents transmission method and contents transmission system
US7624111B2 (en) Active content trust model
ATE511671T1 (en) MINIMAL USER RIGHTS THROUGH RESTRICTED ACCESS PERMISSIONS
WO2002013010A3 (en) Method, system, and program for invoking stored procedures and accessing stored procedure data
US20080127142A1 (en) Compiling executable code into a less-trusted address space
WO2003014911A3 (en) Method, system, and program for generating and using configuration policies
CA2400940A1 (en) Controlling access to a resource by a program using a digital signature
CA2104192A1 (en) Method for Establishing Licensor Changeable Limits on Software Usage
RU2004107491A (en) USE OF POWERS FOR DISTRIBUTION OF DEVICE RESOURCES TO THE APPLICATION
WO2000034858A3 (en) Accelerating a distributed component architecture over a network using a modified rpc communication
WO2004051966A3 (en) System and methodology providing intelligent resource fork
WO1999044137A3 (en) Stack-based access control
EP0853279A3 (en) Method and apparatus for controlling software access to system resources
WO2000055732A3 (en) Resource scheduling
WO2001037170A3 (en) Forms creation method and e-commerce method
Druschel et al. Beyond micro-kernel design: Decoupling modularity and protection in Lipto
Dean et al. Java security: Web browsers and beyond
WO2001077797A3 (en) Method and system for managing credentials
WO2002019076A3 (en) Hybrid privilege enforcement in a restricted execution environment
WO2007035327A3 (en) System and method for component trust model in peer-to-peer service composition
WO2003032158A3 (en) System and method for specifying access to resources in a mobile code system
WO2001018650A3 (en) Resource access control system
Wobber et al. Authorizing applications in singularity
CN114372255A (en) Identity authentication method and device based on application software fingerprint
EP0869442A4 (en) Device and method for accelerating memory access speed

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 EP: the EPO has been informed by WIPO that EP was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (PCT application filed before 20040101)
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 EP: PCT application non-entry in European phase
NENP Non-entry into the national phase

Ref country code: JP