The present disclosure generally relates to control over computer applications' access to data, and more particularly to associating a strong application ID with an application and allowing that application access to data only when the strong application ID is contained within an access control list associated with the data.
Existing general purpose operating systems generally control access to data, such as files, objects, directories, etc., by configuring users as security principals upon presentation of a user ID. When a user executes an application, the user's ID is included within a security token associated with the application that is located within the kernel of the operating system. When the application requests data, the user's ID within the security token is compared to an Access Control List (ACL) associated with the data. Where the user's ID is contained in the ACL, and the ACL grants the desired access, the application is provided access to the data.
In operation, the above-described configuration provides any application executed by the user to have the permissions owned by the user. In effect, the application can do anything-such as reading, writing, utilizing (e.g. using email addresses) and erasing data—that the user has permission (from the operating system) to do.
Thus, if the user inadvertently executes a malicious application, that application will be able to steal, erase, maliciously utilize or otherwise damage files to which the user has permissions. This puts the user's data at substantial risk every time an unknown application is executed. The risk is compounded by attachments to email messages and files downloaded over the internet.
Conventional operating systems have sought to limit the damage that results from execution of malicious programs by structuring permissions such that many important files cannot be damaged by the user. Such a system can prevent a malicious application executed by the user from damaging important system files. For example, the “administrator” may be given more permissions than the “user,” who in turn may be given more permissions than a “guest” user. In particular, the administrator may have permission to alter any file; the user may have permission only to alter the user's files, and the guest user may be barred from accessing the user's files and data. Such a structure has the benefit of limiting the damage that an application, having been executed by users with lesser privileges, can do. That is, while a malicious application executed by the user may damage, expose or delete the user's files, objects and/or data, many system files may be protected from the application because the ACLs on the system files restrict access to the User ID.
However, despite the protection given to some files, conventional operating systems have failed to provide adequate protection to many of the user's files, data, etc. A particularly frequent example of this breakdown involves failure to protect the user's list of email addresses. This is particularly unfortunate, because access to a user's email address list allows a malicious application to generate bogus email messages or spread via an email attachment.
Accordingly, a need exists for new and better systems and methods wherein computer environments are configured to protect data, files objects, etc. More particularly, a need exists for improvements to operating systems, wherein data, objects, files, etc, are better protected.
Systems and methods are described that control attempts made by an application to access data. In one embodiment, the application is associated with a security token that includes an application ID. In operation, the system receives a request, initiated by the application, for access to the data. The system is configured to evaluate the request for access based in part on comparison of the security token and a listing of approved application IDs associated with the data.
The detailed description is described with reference to the accompanying figures. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. The use of the same reference numbers in different figures indicates similar or identical items.
Overview
The following discussion is directed to systems and methods that control attempts made by an application to access data. In one embodiment, the application is associated with a security token including an application ID. The application is also associated with a user, having a user ID, who executed the application. In operation, the system evaluates a request from the application for access to the data. The request is allowed or rejected based in part on comparison of the application ID from within the security token to a listing of approved application IDs. In other embodiments, the user ID is also compared to a listing of approved user IDs associated with the data. Where both the application ID and the user ID are found in the listing of approved application IDs and user IDs associated with the data, the application is given access to the data. In a principle advantage of the system and method of operation, applications are prevented from accessing data for which they are not authorized to use. This prevents, for example, an application from accessing the email address list on a computer unless that list is configured to allow the application to make such an access. Accordingly, computer data is better protected against misuse and corruption.
The following discussion is also directed to systems and methods that control the execution of applications. In one embodiment, a process-identifying security function is called by the CreateProcess API or a similar operating system structure. If the process-identifying security function is able to obtain a strong application ID for the application, and to locate that strong application ID within a database, the application is allowed to execute. In a further embodiment, the application is allowed to execute if the user provides a weak application ID. Allowing an application having only a weak application ID to execute is particularly useful for “legacy” applications in existence prior to implementation of the teachings discussed herein.
Exemplary Apparatus
The application binary code 102 and any other required files 104 are developed in a conventional manner using a development environment, one example of which is Microsoft's® Visual Studio®. The developer creates a developer signing key 106, which is held in secret, thereby allowing creation of a strong name for the application. The application metadata 108 includes may include, for example, the application's name, identity and publication key, etc.
A build environment 110 receives the application binary code 102, files 104, developer signing key 106 and metadata 108. Using these inputs, the build environment 110 creates the installation package 112. The installation package may be configured for Internet download, one or more CDs, or another format, as desired. In the example of
In some implementations, the developer signing key 106 is used within the build environment 110 to produce a strong name 118, which can be located within the application manifest 114. The strong name 118 is the signature/public key associated with the developer signing key 106. In some configurations, a strong application ID (seen at 504 in
The publisher certificate 302, the user and policy input 304, and the application install package 112, including publisher signature 206, are sent to an installation tool 306. The installation tool checks local machine policy and any user input and creates an application info store 308.
In one example, the existing process 404 may respond to the user double-clicking an icon by generating the new process 408 associated with the icon using information from the application info store 308. The existing user token 410 is used together with information from the application info store 308 to create the new security token 412, which is associated with the new process 408 in the kernel. The new security token 412 may include the application ID provided by the application info store 308 which thereby configures the application as a security principal.
Continuing to refer to
Upon receiving the request, the system security function 514 examines the access control list (ACL) 508 of the file 506. In one embodiment, if the user ID 502 associated with the application 408 is found in the list of approved user IDs 510 and also the application ID 504 associated with the application 408 is found in the list of approved application IDs 512 then access is permitted 518. If one or more of the IDs 502, 504 from the security token 412 are not found in the ACL 508, then access is rejected 516. In another embodiment, the application ID 504 alone is checked against the approved application IDs 512 to determine access permission.
Referring again to
Exemplary Methods
Exemplary methods for implementing aspects of controlling computer applications' access to data will now be described with primary reference to the flow diagrams of
A “processor-readable medium,” as used herein, can be any means that can contain, store, communicate, propagate, or transport instructions for use by or execution by a processor. A processor-readable medium can be, without limitation, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, device, or propagation medium. More specific examples of a processor-readable medium include, among others, an electrical connection having one or more wires, a portable computer diskette, a random access memory (RAM), a read-only memory (ROM), an erasable programmable-read-only memory (EPROM or Flash memory), an optical fiber, a rewritable compact disc (CD-RW), and a portable compact disc read-only memory (CDROM).
While one or more methods have been disclosed by means of flow diagrams and text associated with the blocks of the flow diagrams, it is to be understood that the blocks do not necessarily have to be performed in the order in which they were presented, and that an alternative order may result in similar advantages. Furthermore, the methods are not exclusive and can be performed alone or in combination with one another.
At block 702, an application is associated with a security token including the application's application ID, thereby configuring the application as a security principal. Referring again to the example of
At block 704, a request, typically made by the application and received by the operating system, requests access to data. In the example embodiment of
At block 706, the request to access data is evaluated based in part on comparison of the security token to a listing of approved application IDs. The example of
At block 802, verification is made that an application ID of the application is a strong application ID. In a preferred embodiment, the verification is made cryptographically, such as by cryptographically verifying a signature. That is, an application ID 504 (
At block 804, the security token is formed upon execution of the application. For example,
At block 806, the application is configured as a security principal according to the strong application ID. In many implementations, the user is also configured as a security principal. At block 808, the strong application ID of the application is included within the security token, thereby providing a cryptographically verified identity for the application.
At block 906, the application is configured as a security principal upon verification of the application ID, and at block 908 the application ID is included within a second security token. Referring to
At block 1006, the request is allowed if the application ID from the security token is contained within the access control list. More specifically, as seen in
At block 1108, a strong application ID is identified. In one embodiment seen at block 1110, the identification is made cryptographically, such as by performance of a verification using a public key. At block 1112, a confirmation is made that the verification provides evidence of the identity of the application. Typically, the verification is made by comparing the result of the decryption to a known result, where a match indicates validity of the strong application ID.
At block 1114, a token is configured including a strong application ID associated with the process, and optionally including a user ID. Referring to
At block 1116, a determination is made if access to data should be permitted by comparing the token with an access control list associated with the data. Referring to
At block 1118, the application is allowed to update its own application code files if comparison of the security token with the access control list indicates. For example, where the process 408 has access to the file 506, the process 408 can update the binary code and configuration data files, such as by downloading later revisions of this information via the Internet. Following the download, some or all of the acquired data may be stored in file 506.
At block 1204, an application ID associated with the application is identified. Referring to
At block 1210, an attempt is made to verify the application ID. In a preferred embodiment seen in block 1212, the application ID is verified using cryptography, thereby establishing a strong application ID.
At block 1214, if the application's ID was not verified, the user is asked to perform a validation of the application. Essentially, the user is asked to “vouch” for the authenticity and/or integrity of the application. For example, the large numbers of applications currently in use do not provide a strong application ID, and may be considered to be “legacy” applications. Where the user is certain that such a legacy application is benign, the user may validate the application in response to the request to do so, thereby establishing a weak application ID for the application. However, if the user uncertain about the origin and/or threat associated with the application, the user may withhold verification of the application's ID.
At block 1216, if the application's ID was not verified, the user is asked to provide access permissions to be granted to the new process. The access permissions indicate the files, objects, data etc. that the new process will be permitted to access. For example, the user can decide whether to give the new process access to an email address list, based on the reasonableness of the new process having a need to access that list.
At block 1218, where the application's ID was successfully verified, the application is executed by creating a new process associated with the application. Referring to
At block 1222, resources are allocated to the new process upon execution. In one embodiment seen at block 1224, the resources allocated are based on the type of ID established for the application from which the new process was formed. For example, where a strong application ID was established, more resources may be allocated than if a weak application ID was established. As seen in block 1226, the resources owned by the new process can be updated or otherwise altered by the new process.
Exemplary Computing Environment
The computing environment 1300 includes a general-purpose computing system in the form of a computer 1302. The components of computer 1302 can include, but are not limited to, one or more processors or processing units 1304, a system memory 1306, and a system bus 1308 that couples various system components including the processor 1304 to the system memory 1306. The system bus 1308 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, a Peripheral Component Interconnect (PCI) bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures.
Computer 1302 typically includes a variety of computer readable media. Such media can be any available media that is accessible by computer 1302 and includes both volatile and non-volatile media, removable and non-removable media. The system memory 1306 includes computer readable media in the form of volatile memory, such as random access memory (RAM) 1310, and/or non-volatile memory, such as read only memory (ROM) 1312. A basic input/output system (BIOS) 1314, containing the basic routines that help to transfer information between elements within computer 1302, such as during start-up, is stored in ROM 1312. RAM 1310 typically contains data and/or program modules that are immediately accessible to and/or presently operated on by the processing unit 1304.
Computer 1302 can also include other removable/non-removable, volatile/non-volatile computer storage media. By way of example,
The disk drives and their associated computer-readable media provide non-volatile storage of computer readable instructions, data structures, program modules, and other data for computer 1302. Although the example illustrates a hard disk 1316, a removable magnetic disk 1320, and a removable optical disk 1324, it is to be appreciated that other types of computer readable media which can store data that is accessible by a computer, such as magnetic cassettes or other magnetic storage devices, flash memory cards, CD-ROM, digital versatile disks (DVD) or other optical storage, random access memories (RAM), read only memories (ROM), electrically erasable programmable read-only memory (EEPROM), and the like, can also be utilized to implement the exemplary computing system and environment.
Any number of program modules can be stored on the hard disk 1316, magnetic disk 1320, optical disk 1324, ROM 1312, and/or RAM 1310, including by way of example, an operating system 1326, one or more application programs 1328, other program modules 1330, and program data 1332. Each of such operating system 1326, one or more application programs 1328, other program modules 1330, and program data 1332 (or some combination thereof) may include an embodiment of a caching scheme for user network access information.
Computer 1302 can include a variety of computer/processor readable media identified as communication media. Communication media typically embodies computer readable instructions, data structures, program modules, or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. The term “modulated data signal” means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared, and other wireless media. Combinations of any of the above are also included within the scope of computer readable media.
A user can enter commands and information into computer system 1302 via input devices such as a keyboard 1334 and a pointing device 1336 (e.g., a “mouse”). Other input devices 1338 (not shown specifically) may include a microphone, joystick, game pad, satellite dish, serial port, scanner, and/or the like. These and other input devices are connected to the processing unit 1304 via input/output interfaces 1340 that are coupled to the system bus 1308, but may be connected by other interface and bus structures, such as a parallel port, game port, or a universal serial bus (USB).
A monitor 1342 or other type of display device can also be connected to the system bus 1308 via an interface, such as a video adapter 1344. In addition to the monitor 1342, other output peripheral devices can include components such as speakers (not shown) and a printer 1346 which can be connected to computer 1302 via the input/output interfaces 1340.
Computer 1302 can operate in a networked environment using logical connections to one or more remote computers, such as a remote computing device 1348. By way of example, the remote computing device 1348 can be a personal computer, portable computer, a server, a router, a network computer, a peer device or other common network node, and the like. The remote computing device 1348 is illustrated as a portable computer that can include many or all of the elements and features described herein relative to computer system 1302.
Logical connections between computer 1302 and the remote computer 1348 are depicted as a local area network (LAN) 1350 and a general wide area network (WAN) 1352. Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets, and the Internet. When implemented in a LAN networking environment, the computer 1302 is connected to a local network 1350 via a network interface or adapter 1354. When implemented in a WAN networking environment, the computer 1302 typically includes a modem 1356 or other means for establishing communications over the wide network 1352. The modem 1356, which can be internal or external to computer 1302, can be connected to the system bus 1308 via the input/output interfaces 1340 or other appropriate mechanisms. It is to be appreciated that the illustrated network connections are exemplary and that other means of establishing communication link(s) between the computers 1302 and 1348 can be employed.
In a networked environment, such as that illustrated with computing environment 1300, program modules depicted relative to the computer 1302, or portions thereof, may be stored in a remote memory storage device. By way of example, remote application programs 1358 reside on a memory device of remote computer 1348. For purposes of illustration, application programs and other executable program components, such as the operating system, are illustrated herein as discrete blocks, although it is recognized that such programs and components reside at various times in different storage components of the computer system 1302, and are executed by the data processor(s) of the computer.
Although the invention has been described in language specific to structural features and/or methodological acts, it is to be understood that the invention defined in the appended claims is not necessarily limited to the specific features or acts described. Rather, the specific features and acts are disclosed as exemplary forms of implementing the claimed invention.
This patent application is related to U.S. patent application Ser. No. ______, titled “Controlling Execution of Computer Applications”, filed on even day herewith, commonly assigned herewith, and hereby incorporated by reference.