Static Analysis For Verification Of Software Program Access To Secure Resources For Computer Systems
    131.
    Patent application
    Status: In force

    Publication number: US20120023553A1

    Publication date: 2012-01-26

    Application number: US12839533

    Filing date: 2010-07-20

    IPC classification: G06F21/00

    CPC classification: G06F21/577

    Abstract: A method includes, using a static analysis, analyzing a software program to determine whether the software program accesses a secure resource for a computer system without verification that the secure resource can be accessed by the software program. The method also includes, in response to an access by the software program to the secure resource without verification that the secure resource can be accessed by the software program, outputting a result indicative of the analyzing. Computer program products and apparatus are also disclosed. An apparatus is disclosed that includes a user interface providing a security report to a user, the security report indicating a result of an analysis of whether or not a software program accesses a secure resource for a computer system without verification that the secure resource can be accessed by the software program.

    Method, system and computer program product for enforcing privacy policies
    132.
    Granted patent
    Status: Lapsed

    Publication number: US07877812B2

    Publication date: 2011-01-25

    Application number: US11619624

    Filing date: 2007-01-04

    IPC classification: G06F7/04

    CPC classification: G06F21/6218 G06F21/33

    Abstract: A method for enforcing privacy policies associated with data. The method includes accessing a database to identify labeled data in the database, the labeled data associated with a privacy policy. An access node accessing the label data is determined. For the access node accessing the labeled data, it is determined whether the access node applies an authorization test as indicated by the privacy policy. An authorization test is associated with the access node if the access node does not apply necessary authorization indicated by the privacy policy.

    Apparatus for adopting authorizations
    133.
    Granted patent
    Status: Lapsed

    Publication number: US07810135B2

    Publication date: 2010-10-05

    Application number: US11968673

    Filing date: 2008-01-03

    IPC classification: H04L9/00

    CPC classification: G06F21/53

    Abstract: A method and apparatus for implementing a new Permission for methods that perform callback operations are provided. The method and apparatus provide an AdoptPermission Permission type that allows a method to pass a Java 2 authorization test without having the specific required Permissions expressly granted to the method and without the method having the AllPermission Permission granted to it. With the apparatus and method, an AdoptPermission Permission type is defined that operates to allow a ProtectionDomain to “adopt” a required Permission. However, this adoption of a required Permission can only be performed if the ProtectionDomain of at least one method in the thread stack has been granted a Permission that implies the required Permission. Thus, the AdoptPermission Permission type provides an intermediate mechanism that is not as over-inclusive as the AllPermission Permission type and is not as under-inclusive as requiring that all methods in the thread stack include the required Permission expressly granted to them.

    Software verification system, method and computer program element
    134.
    Granted patent
    Status: In force

    Publication number: US07496757B2

    Publication date: 2009-02-24

    Application number: US10050083

    Filing date: 2002-01-14

    IPC classification: G06F21/00

    Abstract: A software security system is arranged to verify the authenticity of each element of a Java Virtual Machine installation. A digital signature is attached to each file of the JVM installation. A loader (20) verifies the digital signature of the JVM DLL (30). The JVM DLL 30 then verifies the digital signature of each other DLL and configuration file to be loaded (40, 50, 60, 70), and only loads those files which have successfully verified digital signatures. In this way the security of the JVM is enhanced, a user has greater confidence that the Java applications will function correctly, and the detection of incorrect or damaged JVM installations is improved.

    Method and system for run-time dynamic and interactive identification of software authorization requirements and privileged code locations, and for validation of other software program analysis results
    135.
    Patent application
    Status: Under examination (published)

    Publication number: US20070261124A1

    Publication date: 2007-11-08

    Application number: US11416839

    Filing date: 2006-05-03

    Abstract: A system, method and computer program product for identifying security authorizations and privileged-code requirements; for validating analyses performed using static analyses; for automatically evaluating existing security policies; for detecting problems in code; in a run-time execution environment in which a software program is executing. The method comprises: implementing reflection objects for identifying program points in the executing program where authorization failures have occurred in response to the program's attempted access of resources requiring authorization; displaying instances of identified program points via a user interface, the identified instances being user selectable; for a selected program point, determining authorization and privileged-code requirements for the access restricted resources in real-time; and, enabling a user to select, via the user interface, whether a required authorization should be granted, wherein local system, fine-grained access of resources requiring authorizations is provided.

    Automated program resource identification and association

    Publication number: US07076804B2

    Publication date: 2006-07-11

    Application number: US09854031

    Filing date: 2001-05-11

    IPC classification: G06F17/30

    CPC classification: G06F9/468 G06F21/53

    Abstract: This invention provides methods and apparatus for determining a set of authorization usage for collection of code. By using a program graph, the present invention identifies the code within bounded paths in the program graph that use authorization. The level of precision is able to identify authorization usage to the level of basic blocks, methods, classes or other collections of code. By using the analysis technique described in this invention, we can determine the authorizations needed by collections of code, including Java applets, servlets, and Enterprise JavaBeans. By using the present invention, it is possible, prior to loading the mobile code, to prompt the administrator or end-user to authorize or deny the code access to the restricted resources, or determine whether authorization testing will be required.

    System, apparatus, and method for identifying authorization requirements in component-based systems
    137.
    Patent application
    Status: Under examination (published)

    Publication number: US20050262487A1

    Publication date: 2005-11-24

    Application number: US10842805

    Filing date: 2004-05-11

    IPC classification: G06F9/45 G06F9/46 G06F21/00

    Abstract: Improved detecting the authorization requirements and defining the security policies for an application comprising one or more components is disclosed. A call and resource-access graph is used to model all the possible paths of execution within the application. Then, paths of execution detected during the analysis are combined with the access control information found in the security policy of the application. Finally, for each authorization point in the application, a minimal security policy is reported that the executing principal should be granted in order to pass the authorization successfully.