
Access-control and information-flow integrity policies are enforced in a computing system by detecting security-sensitive sinks in software code for an application running on the computing system and retrieving an access-control policy from a database accessible to the computing system. The access-control policy maps a set of access permissions within the computing system to each one of a plurality of principals. For each detected security-sensitive sink, all principals that influence that security-sensitive sink are detected and an overall access permission is assigned to each security-sensitive sink by taking the intersection of the access permission sets for all influencing principals of that security-sensitive sink. If this permission set is inadequate, an integrity violation is reported. In addition, permission labels are assigned to each value of variables used in the security-sensitive sinks. Each permission label is a set of permissions.

Claims

1. A method for enforcement of access-control and integrity policies in a computing system, the method comprising:

detecting security-sensitive sinks in software code for an application running on the computing system;

retrieving an access-control policy from a database accessible to the computing system, the access-control policy mapping a set of access permissions within the computing system to each one of a plurality of principals;

determining, for each detected security-sensitive sink, all principals that influence that security-sensitive sink;

assigning an overall access permission to each security-sensitive sink by taking the intersection of the access-permission sets for all influencing principals of that security-sensitive sink; and

reporting an integrity violation when an overall access permission for a given security-sensitive sink is insufficient to satisfy a demanded permission from a resource within the computing system.

2. The method of claim 1, wherein the step of detecting security-sensitive sinks further comprises using program analysis on the software code.

3. The method of claim 2, wherein the step of using program analysis further comprises using static program analysis on the code and underlying libraries.

4. The method of claim 1, wherein the step of detecting security-sensitive sinks further comprises:

analyzing the software code; and

identifying calls in the software code to an access-control enforcer in the computing system.

5. The method of claim 4, wherein the access-control enforcer enforces the access-control policy.

6. The method of claim 1, wherein the access-control policy is declaratively defined separately from the software code.

7. The method of claim 1, wherein each access permission comprises a set of security-sensitive operations within the computing system that has been granted to a principal.

8. The method of claim 1, wherein each principal comprises an entity interacting with the computing system whose identity can be verified by authentication and which is granted privileges through authorization.

9. The method of claim 1, wherein the plurality of principals comprises user principals, machine principals, or service principals.

10. The method of claim 1, further comprising:

identifying variables used in the security-sensitive sinks, each variable having a value that can be influenced by one or more principals; and

assigning a permission label to each value of each variable, each permission label comprising a set of permissions granted to that value.

11. The method of claim 10, wherein the step of assigning the permission label occurs at run time of the software code for the application running on the computing system.

12. The method of claim 10, wherein the set of permissions of each permission label is derived from the sets of permissions mapped to principals influencing the value associated with that permission label.

13. The method of claim 10, further comprising:

detecting a new value created from two or more existing values; and

calculating a permission label for the new value using the intersection of the sets of permissions associated with each value used to create the new value and the principal defining the new value.

14. The method of claim 10, wherein the step of assigning the permission label further comprises using the permission label for any value controlling a conditional statement to constrain permission labels for any value defined on the software code dominated by the conditional statement.

15. A method for enforcement of access-control and integrity policies in a computing system, the method comprising:

detecting security-sensitive sinks in software code for an application running on the computing system;

retrieving an access-control policy from a database accessible to the computing system, the access-control policy mapping a set of access permissions within the computing system to each one of a plurality of principals;

identifying variables used in the security-sensitive sinks, each variable having a value that can be influenced by one or more principals;

assigning a permission label to each value of each variable, each permission label comprising a set of permissions granted to that value; and

using the assigned permission labels to make access-control decisions for the security-sensitive sinks within the computing system.

16. The method of claim 15, wherein the step of assigning the permission label occurs at run time of the software code for the application running on the computing system.

17. The method of claim 15, wherein the set of permissions of each permission label is derived from the sets of permissions mapped to principals influencing the value associated with that permission label.

18. The method of claim 15, further comprising:

detecting a new value created from two or more existing values; and

calculating a permission label for the new value using the intersection of the sets of permissions associated with each value used to create the new value and the principal defining the new value.

19. The method of claim 15, wherein the step of assigning the permission label further comprises using the permission label for any value controlling a conditional statement to constrain permission labels for any value defined on the software code dominated by the conditional statement.

20. A computer-readable medium containing a computer-readable code that when read by a computer causes the computer to perform a method for enforcement of access-control and integrity policies in a computing system, the method comprising:

detecting security-sensitive sinks in software code for an application running on the computing system;

retrieving an access-control policy from a database accessible to the computing system, the access-control policy mapping a set of access permissions within the computing system to each one of a plurality of principals;

determining, for each detected security-sensitive sink, all principals that influence that security-sensitive sink;

assigning an overall access permission to each security-sensitive sink by taking the intersection of the access permission sets for all influencing principals of that security-sensitive sink; and
reporting an integrity violation when an overall access permission for a given security-sensitive sink is insufficient to satisfy a demanded permission from a resource within the computing system.

21. The computer-readable medium of claim 20, wherein the step of detecting security-sensitive sinks further comprises:

analyzing the software code; and

identifying calls in the software code to an access-control enforcer in the computing system.

22. The computer-readable medium of claim 20, wherein the method further comprises:

identifying variables used in the security-sensitive sinks, each variable having a value that can be influenced by one or more principals; and

assigning a permission label to each value of each variable, each permission label comprising a set of permissions granted to that value.

23. The computer-readable medium of claim 22, wherein the set of permissions of each permission label is derived from the sets of permissions mapped to principals influencing the value associated with that permission label.

24. A computer-readable medium containing a computer-readable code that when read by a computer causes the computer to perform a method for enforcement of access-control and integrity policies in a computing system, the method comprising:

detecting security-sensitive sinks in software code for an application running on the computing system;

retrieving an access-control policy from a database accessible to the computing system, the access-control policy mapping a set of access permissions within the computing system to each one of a plurality of principals;

identifying variables used in the security-sensitive sinks, each variable having a value that can be influenced by one or more principals;

assigning a permission label to each value of each variable, each permission label comprising a set of permissions granted to that value; and

using the assigned permission labels to make access-control decisions for the security-sensitive sinks within the computing system.

25. The computer-readable medium of claim 24, wherein the method further comprises:

detecting a new value created from two or more existing values; and

calculating a permission label for the new value using the intersection of the sets of permissions associated with each value used to create the new value and the principal defining the new value.
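The enforcement scheme of the abstract and of claims 1 to 14 (repeated for the medium claims 20 to 25), as an added example that is not code from the patent or its assignee: a small Python monitor over a constructed policy with three constructed principals (admin, user, guest), a constructed deployment scenario, and a hypothetical enforcer object named acl. The policy is declared separately from the code (claim 6); a value's label is the intersection of the permission sets of the principals that influenced it (claims 12 and 13), narrowed by the labels of the conditionals that dominate its definition (claim 14); at each sink the overall permission is the intersection over all influencing values, and a missing demanded permission is recorded as an integrity violation (claim 1). find_sinks shows the static detection of claim 4 by locating calls on the enforcer object in source text.

```python
import ast
from contextlib import contextmanager
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterator, List, Tuple

Permission = str

# Declarative policy (claims 1 and 6): principal -> granted permission set.
# Constructed sample policy; principal and permission names are illustrative.
POLICY: Dict[str, FrozenSet[Permission]] = {
    "admin": frozenset({"read", "write", "deploy"}),
    "user": frozenset({"read", "write"}),
    "guest": frozenset({"read"}),
}
ALL_PERMISSIONS: FrozenSet[Permission] = frozenset().union(*POLICY.values())


@dataclass(frozen=True)
class Labeled:
    """A runtime value, its permission label (claim 10), and the principals that influenced it."""
    value: object
    label: FrozenSet[Permission]
    influencers: FrozenSet[str]


class Monitor:
    """Assigns permission labels at run time (claim 11) and checks them at sinks."""

    def __init__(self, policy: Dict[str, FrozenSet[Permission]]) -> None:
        self.policy = policy
        self._pc: List[FrozenSet[Permission]] = []  # labels of enclosing conditionals (claim 14)
        self.violations: List[str] = []

    def _context(self) -> FrozenSet[Permission]:
        # Intersection of the labels of every conditional dominating the current code.
        label = ALL_PERMISSIONS
        for cond_label in self._pc:
            label &= cond_label
        return label

    def source(self, value: object, principal: str) -> Labeled:
        # A value defined by a principal carries that principal's permissions (claim 12),
        # narrowed by the controlling conditionals (claim 14).
        return Labeled(value, self.policy[principal] & self._context(), frozenset({principal}))

    def combine(self, fn, *operands: Labeled, by: str) -> Labeled:
        # New value built from existing values (claim 13): intersect the operand labels
        # with the permissions of the principal defining the new value.
        label = self._context() & self.policy[by]
        influencers = {by}
        for op in operands:
            label &= op.label
            influencers |= op.influencers
        return Labeled(fn(*(op.value for op in operands)), label, frozenset(influencers))

    @contextmanager
    def branch(self, cond: Labeled) -> Iterator[None]:
        # Definitions dominated by the conditional are constrained by its label (claim 14).
        self._pc.append(cond.label)
        try:
            yield
        finally:
            self._pc.pop()

    def sink(self, name: str, demanded: Permission, *args: Labeled) -> bool:
        # Overall permission at the sink = intersection over all influencing values;
        # a missing demanded permission is an integrity violation (claim 1).
        overall = self._context()
        influencers: set = set()
        for arg in args:
            overall &= arg.label
            influencers |= arg.influencers
        if demanded in overall:
            return True
        self.violations.append(
            f"{name}: demanded {demanded!r}, overall {sorted(overall)}, "
            f"influenced by {sorted(influencers)}"
        )
        return False


def find_sinks(source: str, enforcer: str) -> List[Tuple[int, str]]:
    """Static sink detection (claim 4): (line, method) for each call on the enforcer object."""
    sinks = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name) and node.func.value.id == enforcer):
            sinks.append((node.lineno, node.func.attr))
    return sinks


def run_demo() -> Tuple[bool, bool, bool, List[str]]:
    """Constructed scenario: a deployment command influenced by several principals."""
    m = Monitor(POLICY)
    target = m.source("prod-web-01", "admin")   # admin picks the host
    version = m.source("1.4.2", "user")         # an ordinary user supplies the version
    cmd = m.combine(lambda t, v: f"deploy {v} to {t}", target, version, by="admin")
    ok_deploy = m.sink("deploy", "deploy", cmd)  # False: 'user' is never granted 'deploy'
    ok_log = m.sink("audit_log", "write", cmd)   # True: both admin and user may write
    flag = m.source(True, "guest")               # guest-controlled condition
    with m.branch(flag):
        note = m.source("approved", "admin")     # defined only because guest's flag was set
    ok_note = m.sink("audit_log", "write", note)  # False: implicit flow limits note to {'read'}
    return ok_deploy, ok_log, ok_note, m.violations
```

The deploy sink fails even though an admin assembled the command, because the version string was influenced by a principal without the deploy permission; the audit-log sink fails for the note because the guest's label on the controlling conditional dominates the admin's definition, which is the implicit flow that claim 14 is closing.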