Patent Application
20240427561
This U.S. patent application claims priority under 35 U.S.C. § 119 to: India application No. 202321041665, filed on Jun. 22, 2023. The entire contents of the aforementioned application are incorporated herein by reference.
The disclosure herein generally relates to the field of software, and, more particularly, to methods and systems for enabling a hybrid architecture in an enterprise application.
Quantum computers are becoming a reality as a technology to implement a new computing paradigm evolves. They have an advantage over the classical computers for solving some of complex computing problems. Therefore, there is a great push from multiple enterprises around the world to make them practical. With advantages of quantum computing comes a concern for the security that underpins much of the digital world. Quantum computers pose serious threat to existing cryptographic systems which are used in day-to-day digital communications. These threats are recognized by the enterprises and strategies to mitigate these threats are being planned.
Traditionally, standardization of new cryptographic algorithms which are quantum attacks resistant is being explored. All enterprises are required to adopt either these standards or their equivalent to secure their digital communications. However, to incorporate these standards, enterprises must change their applications to accommodate them. As these standards are still evolving, it is challenging for enterprises to afford ignoring existing well established and time-tested cryptographic algorithms. In a nutshell, enterprises should incorporate new standards as well as keep support for existing cryptographic algorithms intact in their applications. This requires enabling a hybrid architecture in enterprise applications.
There exists an approach to enable support for multiple libraries that involves putting a switch in an enterprise application that controls the execution of libraries based on switch value. This approach surely helps in controlling execution of paths, but to solve the problem of making enterprise applications quantum attacks resistant other scenarios such as doing double encryption of existing sensitive data through composition of libraries, determining parameters of a new library based on the parameter values of existing libraries, and/or the like are required to be handled. Composing software systems or parallel libraries without sacrificing performance is one of objectives in High Performance Computing (HPC). There are few existing approaches to compose parallel libraries. One existing approach includes composing parallel libraries using a hardware abstraction called hart from an Operating System to applications and defining a new resource management interface that exchanges abstractions. In another approach, a pluggable application programming interface (API) framework solution named High Performance System on Chip (HiPER) is used that unifies presentation of computation, communication, and other work as task-parallel runtime system. Existing approaches are an attempt to arrive at a common representation of computation for enabling composition of multiple parallel libraries. However, the existing approaches can't be used to address the problem of enabling hybrid architecture in an enterprise application.
Embodiments of the present disclosure present technological improvements as solutions to one or more of the above-mentioned technical problems recognized by the inventors in conventional systems. For example, in one embodiment, a processor implemented method is provided. The processor implemented method, comprising receiving, via a first module executed by one or more hardware processors, an enterprise application and a set of detection rules as an input, wherein set of detection rules represents specification of one or more method signatures of an existing library used by the enterprise application; performing, via the first module executed by one or more hardware processors, a match between the set of detection rules and a set of binary fragments identified in the enterprise application to obtain a set of matched binary fragments; obtaining, via a second module executed by the one or more hardware processors, a plurality of source code fragments by mapping the set of matched binary fragments to a corresponding application source code of the enterprise application; enabling, via a third module executed by the one or more hardware processors, a hybrid application architecture using the plurality of source code fragments to generate a modified enterprise application that supports at least two libraries, wherein the modified enterprise application is generated by changing a code base of the enterprise application, and wherein the at least two libraries include at least (i) one or more existing libraries, and (ii) one or more incoming libraries; configuring, via a fourth module executed by the one or more hardware processors, the at least two libraries in the modified enterprise application such that compatibility between the at least two libraries is maintained, wherein the at least two libraries in the modified enterprise application are configured by performing at least one of: (i) detecting one or more first type of program variables and one or more second type of program variables in the plurality of source code fragments based on a status indicative of an impact on the modified enterprise application due to one or more incoming libraries from the at least two different libraries; and (ii) transforming the one or more second type of program variables into a specific type to support a compatible configuration of both (i) the one or more existing libraries, and (ii) the one or more incoming libraries; and (a) determining one or more parameters of the one or more incoming libraries using a program slicing technique based on a context and usage of the one or more existing libraries.
In another aspect, a system is provided. The system comprising a memory storing instructions; one or more communication interfaces; and one or more hardware processors coupled to the memory via the one or more communication interfaces, wherein the one or more hardware processors are configured by the instructions to: receive an enterprise application and a set of detection rules as an input, wherein set of detection rules represents specification of one or more method signatures of an existing library used by the enterprise application; perform a match between the set of detection rules and a set of binary fragments identified in the enterprise application to obtain a set of matched binary fragments; obtain a plurality of source code fragments by mapping the set of matched binary fragments to a corresponding application source code of the enterprise application; enable a hybrid application architecture using the plurality of source code fragments to generate a modified enterprise application that supports at least two libraries, wherein the modified enterprise application is generated by changing a code base of the enterprise application, and wherein the at least two libraries include at least (i) one or more existing libraries, and (ii) one or more incoming libraries; configure the at least two libraries in the modified enterprise application such that compatibility between the at least two libraries is maintained, wherein the at least two libraries in the modified enterprise application are configured by performing at least one of: (i) detecting one or more first type of program variables and one or more second type of program variables in the plurality of source code fragments based on a status indicative of an impact on the modified enterprise application due to one or more incoming libraries from the at least two different libraries; and (ii) transforming the one or more second type of program variables into a specific type to support a compatible configuration of both (i) the one or more existing libraries, and (ii) the one or more incoming libraries; and (a) determining one or more parameters of the one or more incoming libraries using a program slicing technique based on a context and usage of the one or more existing libraries.
In yet another aspect, a non-transitory computer readable medium is provided. The non-transitory computer readable medium are configured by instructions for receiving, an enterprise application and a set of detection rules as an input, wherein set of detection rules represents specification of one or more method signatures of an existing library used by the enterprise application; performing, a match between the set of detection rules and a set of binary fragments identified in the enterprise application to obtain a set of matched binary fragments; obtaining, a plurality of source code fragments by mapping the set of matched binary fragments to a corresponding application source code of the enterprise application; enabling, a hybrid application architecture using the plurality of source code fragments to generate a modified enterprise application that supports at least two libraries, wherein the modified enterprise application is generated by changing a code base of the enterprise application, and wherein the at least two libraries include at least (i) one or more existing libraries, and (ii) one or more incoming libraries; configuring, the at least two libraries in the modified enterprise application such that compatibility between the at least two libraries is maintained, wherein the at least two libraries in the modified enterprise application are configured by performing at least one of: (i) detecting one or more first type of program variables and one or more second type of program variables in the plurality of source code fragments based on a status indicative of an impact on the modified enterprise application due to one or more incoming libraries from the at least two different libraries; and (ii) transforming the one or more second type of program variables into a specific type to support a compatible configuration of both (i) the one or more existing libraries, and (ii) the one or more incoming libraries; and (a) determining one or more parameters of the one or more incoming libraries using a program slicing technique based on a context and usage of the one or more existing libraries.
In accordance with an embodiment of the present disclosure, the code base of the enterprise application is changed by: (i) annotating a plurality of functions invoking the plurality of source code fragments obtained by the binary to source code matching module; (ii) creating one or more new paths around each of the annotated plurality of functions in the plurality of source code of the enterprise application to support execution of the one or more incoming libraries; and (iii) injecting a plurality of new source code fragments in the created one or more new paths around each of the annotated plurality of functions in the plurality of source code of the enterprise application.
In accordance with an embodiment of the present disclosure, the one or more first type of program variables in the plurality of source code fragments exhibit no relation on the modified enterprise application due to one or more incoming libraries from the at least two different libraries.
In accordance with an embodiment of the present disclosure, the one or more second type of program variables in the plurality of source code fragments exhibit an impact on the modified enterprise application due to one or more incoming libraries from the at least two different libraries.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the invention, as claimed.
The accompanying drawings, which are incorporated in and constitute a part of this disclosure, illustrate exemplary embodiments and, together with the description, serve to explain the disclosed principles.
Exemplary embodiments are described with reference to the accompanying drawings. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. Wherever convenient, the same reference numbers are used throughout the drawings to refer to the same or like parts. While examples and features of disclosed principles are described herein, modifications, adaptations, and other implementations are possible without departing from the scope of the disclosed embodiments. It is intended that the following detailed description be considered as exemplary only, with the true scope being indicated by the following embodiments described herein.
Embodiments of the present disclosure provide a method and system that enables hybrid architecture in an enterprise application to mitigate quantum attacks. The method of the present disclosure changes codebase of the enterprise application to enable hybrid architecture. It creates new paths within the enterprise application to support execution of a new library. It injects the code that enables double encryption of data being processed by the application. It injects the code that transforms program variables to address the compatibility challenges between existing and new libraries.
Referring now to the drawings, and more particularly to
The I/O interface(s) 106 may include a variety of software and hardware interfaces, for example, a web interface, a graphical user interface, and the like. The I/O interface(s) 106 may include a variety of software and hardware interfaces, for example, interfaces for peripheral device(s), such as a keyboard, a mouse, an external memory, a plurality of sensor devices, a printer and the like. Further, the I/O interface(s) 106 may enable the system 100 to communicate with other devices, such as web servers and external databases.
The I/O interface(s) 106 can facilitate multiple communications within a wide variety of networks and protocol types, including wired networks, for example, local area network (LAN), cable, etc., and wireless networks, such as Wireless LAN (WLAN), cellular, or satellite. For the purpose, the I/O interface(s) 106 may include one or more ports for connecting a number of computing systems with one another or to another server computer. Further, the I/O interface(s) 106 may include one or more ports for connecting a number of devices to one another or to another server.
The one or more hardware processors 104 may be implemented as one or more microprocessors, microcomputers, microcontrollers, digital signal processors, central processing units, state machines, logic circuitries, and/or any devices that manipulate signals based on operational instructions. Among other capabilities, the one or more hardware processors 104 are configured to fetch and execute computer-readable instructions stored in the memory 102. In the context of the present disclosure, the expressions ‘processors’ and ‘hardware processors’ may be used interchangeably. In an embodiment, the system 100 can be implemented in a variety of computing systems, such as laptop computers, portable computer, notebooks, hand-held devices, workstations, mainframe computers, servers, a network cloud and the like.
The memory 102 may include any computer-readable medium known in the art including, for example, volatile memory, such as static random access memory (SRAM) and dynamic random access memory (DRAM), and/or non-volatile memory, such as read only memory (ROM), erasable programmable ROM, flash memories, hard disks, optical disks, and magnetic tapes. In an embodiment, the memory 102 includes a plurality of modules 102a and a repository 102b for storing data processed, received, and generated by one or more of the plurality of modules 102a. The plurality of modules 102a may include routines, programs, objects, components, data structures, and so on, which perform particular tasks or implement particular abstract data types.
The plurality of modules 102a may include programs or computer-readable instructions or coded instructions that supplement applications or functions performed by the system 100. The plurality of modules 102a may also be used as, signal processor(s), state machine(s), logic circuitries, and/or any other device or component that manipulates signals based on operational instructions. Further, the plurality of modules 102a can be used by hardware, by computer-readable instructions executed by the one or more hardware processors 104, or by a combination thereof. In an embodiment, the plurality of modules 102a can include various sub-modules (not shown in
The repository 102b may include a database or a data engine. Further, the repository 102b amongst other things, may serve as a database or includes a plurality of databases for storing the data that is processed, received, or generated as a result of the execution of the plurality of modules 102a. Although the repository 102b is shown internal to the system 100, it will be noted that, in alternate embodiments, the repository 102b can also be implemented external to the system 100, where the repository 102b may be stored within an external database (not shown in
Referring to
In an embodiment, at step 202 of the present disclosure, a first module executed by one or more hardware processors is configured to receive an enterprise application and a set of detection rules as an input. The set of detection rules represents specification of one or more method signatures of an existing library used by the enterprise application. It is shown in
Further, at step 204 of the present disclosure, the first module executed by the one or more hardware processors is configured to perform a match between the set of detection rules and a set of binary fragments identified in the enterprise application to obtain a set of matched binary fragments. The inventory module processes the enterprise application and match the set of detection rules against a plurality of binary fragments. The matched plurality of binary fragments, which are a set of APIs corresponding to a library are marked for further processing.
A detection rule for an init API of the Cipher Java class is further better understood by way of following pseudocode provided as example:
The inventory module uses the above detection rule and applies it to a binary version of code as shown in a pseudocode below:
Post matching, the inventory module output the matched binary fragment of program statement “cipher.init (Cipher.ENCRYPT_MODE, publicKey)”.
At step 206 of the present disclosure, a second module executed by the one or more hardware processors is configured to obtain a plurality of source code fragments by mapping the set of matched binary fragments to a corresponding application source code of the enterprise application. The second module is referred as Binary to source code matching module. The Binary to source code matching module takes application source as an additional input. It maps the set of binary code fragments marked by the inventory module to corresponding source code fragments using a state in the art matching algorithm (e.g., ‘refer IA 202321012791 titled ‘Method And System For Matching Source Code And Binary Code’). It is shown in the above pseudocode that the Binary to source code matching module maps the matched binary code fragment of “cipher.init (Cipher. ENCRYPT_MODE, publicKey)” to the corresponding source code fragment.
At step 208 of the present disclosure, a third module executed by the one or more hardware processors is configured to enable a hybrid application architecture using the plurality of source code fragments to generate a modified enterprise application that supports at least two libraries. Here, the modified enterprise application is generated by changing a code base of the enterprise application, and wherein the at least two libraries include at least (i) one or more existing libraries, and (ii) one or more incoming libraries. The third module is referred as code insertion module. The code insertion module injects code into input enterprise application to enable the hybrid application architecture. The code insertion module uses the plurality of source code fragments mapped by the Binary to source code matching module as references. In an embodiment, the code base of the enterprise application is changed by performing: (i) annotating a plurality of functions invoking the plurality of source code fragments obtained by the binary to source code matching module; (ii) creating one or more new paths around each of the annotated plurality of functions in the plurality of source code of the enterprise application to support execution of the one or more incoming libraries; and (iii) injecting a plurality of new source code fragments in the created one or more new paths around each of the annotated plurality of functions in the plurality of source code of the enterprise application. In context of the present disclosure, the expression ‘incoming libraries’ is referred for a new library. In other words, the code insertion module is supported by three additional modules: Function annotation module, Path creation module and New code injection module. The function annotation module annotates the plurality of functions which are invoking the plurality of matched functions as detected by the Binary to source code matching module. As shown in above pseudocode, function annotation module annotates the “encryption” method as the matched method “cipher. init (Cipher. ENCRYPT_MODE, publicKey)” is invoked in the “encryption” method. The output of function annotation module is used by Path creation module while generating “if-else” code. The Path creation module introduces new paths in the input enterprise application. To achieve this, an “if-else” code construct is injected around the plurality of annotated functions in the source code of the enterprise application. At every annotated function, the “if-else” injection creates two more paths in the enterprise application. First path is used to retain the existing library while second path can host code for the new library. The new code injection module injects the plurality of new source code fragments in source code of the enterprise application. Typically, the new code injection module inserts these fragments in “else” path (branch) which is created by the Path creation module.
An example of encryption example after introduction of new path is shown in a pseudocode below:
The above pseudocode represents path creation module introducing new paths in the “main” method around the program statement that invokes “encryption” method main ( ) In the pseudo code, “if” condition indicates whether a user wants to continue with usage of the existing library or switched to new library of “else” part. The New code injection module injects a new program statement in form of method invocation “new_encryption in the “else” path (branch) as shown in the above the pseudo code.
Further, at step 210 of the present disclosure, a fourth module executed by the one or more hardware processors is configured to configure the at least two libraries in the modified enterprise application such that compatibility between the at least two libraries is maintained. The fourth module is referred as function composition module. The function composition module enables the usage of both existing as well as new libraries in the enterprise application. The at least two libraries in the modified enterprise application are configured by performing at least one of: (i) detecting one or more first type of program variables and one or more second type of program variables in the plurality of source code fragments based on a status indicative of an impact on the modified enterprise application due to one or more incoming libraries from the at least two different libraries; and (ii) transforming the one or more second type of program variables into a specific type to support a compatible configuration of both (i) the one or more existing libraries, and (ii) the one or more incoming libraries; and (a) determining one or more parameters of the one or more incoming libraries using a program slicing technique based on a context and usage of the one or more existing libraries. In an embodiment, the one or more first type of program variables in the plurality of source code fragments exhibit no relation on the modified enterprise application due to one or more incoming libraries from the at least two different libraries. Also, the one or more second type of program variables in the plurality of source code fragments exhibit an impact on the modified enterprise application due to one or more incoming libraries from the at least two different libraries.
The step 210 is better understood by way of the following description provided as exemplary explanation.
To correctly configure both the one or more existing libraries and the one or more new libraries in the enterprise application, the function composition module relies on three additional modules namely, no operation (Noop) detection module, a transformation module, and a parameter determination module. The Noop detection module is responsible for detecting program statements which are not impacted by a new library being introduced. The transformation module processes and converts a program variable into appropriate type to support the compatible configuration of both existing and new libraries. The parameter determination module determines the parameters of new library based on the context and usage of existing library. This module may require additional inputs from a user.
The above pseudocode representing path creation module introducing new paths in the “main” method around the program statement that invokes “encryption” method represents a simpler view of the enterprise application. It is shown in above pseudocode that the output of encryption function in “else” block can be consumed by the new library function “new_encryption”.
An example of a modified sample code printing output of encryption function is shown in a pseudocode below:
In the above modified pseudocode example, the main ( ) function calls “encryption” function and prints its output. While modifying the application, it is necessary to retain original behavior of the application. Therefore, printing of a value that is returned by “encryption” function should be retained. However, this operation does not have any impact on the subsequent operation which is consuming the output generated by “encryption” function. The Noop detection module is developed for identifying such program statements. The Noop detection module maintains a list of operations which do not alter inputs. If an operation is not found in the list of operations then, the Noop detection module computes a plurality of out parameters for a function representing an operation from the list of operations. An out parameter is an input parameter which is modified by a function and its modification is visible outside the function. For every input parameter, a forward slice is computed. Typically, the forward slice consists of nodes which are connected through control and data dependent edges. The forward slice is further processed to extract nodes which are linked through data dependent edges. Further, to collection of data dependent nodes, if a node represents an assignment program statement and its left operand represent a program variable which belongs to a set of input parameters then, the input parameter is marked. If the marked input parameter belongs to a set of output parameters then, the output parameter is also marked. For every marked output parameter, the forward slice is computed. If the forward slice contains a node that is linked to any of input parameters of a new library then, the program statement representing the function invocation is marked as affected by new library.
The transformation module transforms a program variable of application. It is required in a scenario where the output generated by existing library is not compatible with an input requirement of new library. An example of modified pseudocode that handles incompatible data types is provided below:
As shown in the above modified pseudocode that handles incompatible data types, the “encryption” function generates an output in a text form while “new_encrption” receives the input in “byte [ ] array” form. The transformation module inserts appropriate program statement to handle this scenario. As shown in the above modified pseudocode, the transformation module inserts “convert_to_byte_array” program statement to handle incompatible data types of “output” and “input” variables. To change a type of a program variable, the transformation module invokes standard type-cast operator. Alternatively, the transformation module may use a suitable type converting function based on type of program variable and desired type.
In a real world enterprise application, “encryption” and “new_encryption” functions as depicted in all of the above pseudocode may not be simple. Such functions may take more than one parameter as input to generate required output. Moreover, there could be a dependency between parameters of both functions. Since “encryption” function is part of existing library and the original behavior of application needs to be retained, the values of parameters of “new_encryption” function may depend on the values of parameters passed to “encryption” function. Therefore, any dependency (if exist) between parameters of both functions must flow from “encryption” function to “new_encryption” function.
An example of determination of parameters of new library function is provided in the pseudocode below:
As shown in the above pseudocode, the parameters q1, q2, . . . , qn of “new_encryption” function are dependent on parameters p1, p2, . . . , pn of “encryption” function. The parameters determination module uses program slicing technique to determine the values of parameters p1, p2, . . . , pn. The parameters determination module assumes the availability of domain knowledge with respect to existing and new libraries. As per the domain knowledge, the parameters transformation module inserts appropriate program statements or functions to generate the values of parameters q1, q2, . . . , qn. The domain knowledge could be in form of size of parameters, types of parameters, or values of parameters for both the one or existing and incoming libraries covering both types of parameters: input and output.
The system of the present disclosure, processes entire enterprise application and makes changes to it to enable support for a new library. Enabling support for more than one library implies iterating over same method for every new library with an assumption that inputs to new libraries are independent of each other.
The written description describes the subject matter herein to enable any person skilled in the art to make and use the embodiments. The scope of the subject matter embodiments is defined herein and may include other modifications that occur to those skilled in the art. Such other modifications are intended to be within the scope of the present disclosure if they have similar elements that do not differ from the literal language of the embodiments or if they include equivalent elements with insubstantial differences from the literal language of the embodiments described herein.
It is to be understood that the scope of the protection is extended to such a program and in addition to a computer-readable means having a message therein; such computer-readable storage means contain program-code means for implementation of one or more steps of the method, when the program runs on a server or mobile device or any suitable programmable device. The hardware device can be any kind of device which can be programmed including e.g., any kind of computer like a server or a personal computer, or the like, or any combination thereof. The device may also include means which could be e.g., hardware means like e.g., an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or a combination of hardware and software means, e.g., an ASIC and an FPGA, or at least one microprocessor and at least one memory with software processing components located therein. Thus, the means can include both hardware means and software means. The method embodiments described herein could be implemented in hardware and software. The device may also include software means. Alternatively, the embodiments may be implemented on different hardware devices, e.g., using a plurality of CPUs.
The embodiments herein can comprise hardware and software elements. The embodiments that are implemented in software include but are not limited to, firmware, resident software, microcode, etc. The functions performed by various components described herein may be implemented in other components or combinations of other components. For the purposes of this description, a computer-usable or computer readable medium can be any apparatus that can comprise, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
The illustrated steps are set out to explain the exemplary embodiments shown, and it should be anticipated that ongoing technological development will change the manner in which particular functions are performed. These examples are presented herein for purposes of illustration, and not limitation. Further, the boundaries of the functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternative boundaries can be defined so long as the specified functions and relationships thereof are appropriately performed. Alternatives (including equivalents, extensions, variations, deviations, etc., of those described herein) will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein. Such alternatives fall within the scope of the disclosed embodiments. Also, the words “comprising,” “having,” “containing,” and “including,” and other similar forms are intended to be equivalent in meaning and be open ended in that an item or items following any one of these words is not meant to be an exhaustive listing of such item or items, or meant to be limited to only the listed item or items. It must also be noted that as used herein and in the appended claims, the singular forms “a,” “an,” and “the” include plural references unless the context clearly dictates otherwise.
Furthermore, one or more computer-readable storage media may be utilized in implementing embodiments consistent with the present disclosure. A computer-readable storage medium refers to any type of physical memory on which information or data readable by a processor may be stored. Thus, a computer-readable storage medium may store instructions for execution by one or more processors, including instructions for causing the processor(s) to perform steps or stages consistent with the embodiments described herein. The term “computer-readable medium” should be understood to include tangible items and exclude carrier waves and transient signals, i.e., be non-transitory. Examples include random access memory (RAM), read-only memory (ROM), volatile memory, nonvolatile memory, hard drives, CD ROMs, DVDs, flash drives, disks, and any other known physical storage media.
It is intended that the disclosure and examples be considered as exemplary only, with a true scope of disclosed embodiments being indicated by the following claims.
| Number | Date | Country | Kind |
|---|---|---|---|
| 202321041665 | Jun 2023 | IN | national |
