The present invention relates generally to browsers and more particularly to browsers that enforce policies relating to a web application.
Presently, browsers only perform core functions, such as interpreting a document markup language and possibly a scripting language. However, in an environment in which Web applications are delivered to client devices, many of which are mobile and operated by employees in carrying out functions of the business that employes them, such browsers are not sufficient. Browsers in the above mentioned environment need additional functions to aid in the secure operation of such client devices.
One embodiment of the present invention is a web browser that includes a web browser core unit, a network policy enforcement unit, a storage policy enforcement unit and an ancillary policy enforcement unit. The web browser core unit is operable, if enabled, to interpret at least a document markup language contained in a web application, where the web application includes web application logic that uses a data communication facility to communicate over a network and a persistent storage facility to save or retrieve web-application data. The network policy enforcement unit acquires a network enforcement policy, wherein the unit constrains use by the web application logic of the data communication facility according to the network enforcement policy. The storage policy enforcement unit acquires a storage enforcement policy, wherein the unit constrains use by the web application logic of the persistent storage facility according to the storage enforcement policy. The ancillary policy enforcement unit acquires an ancillary enforcement policy, wherein the unit constrains application logic according to said ancillary policy. One such constraint is authentication of a user prior to use of the web-application logic.
Another embodiment of the present invention is a method of enforcing a data communication policy in a computer system. The method includes obtaining a web application, where the web application is operable on the computer system and includes web application logic that requires use of a data communication facility of the computer system, acquiring a network enforcement policy, and constraining use by the web application logic of the data communication facility according to the network enforcement policy.
Yet another embodiment is a method of enforcing a persistent storage policy in a computer system. The method includes obtaining a web application, where the web application is operable on the computer system and includes web application logic that uses a persistent storage facility of the computer system, acquiring a persistent storage policy, and constraining use, by the web application logic, of the persistent storage facility according to the persistent storage enforcement policy.
These and other features, aspects and advantages of the present invention will become better understood with regard to the following description, appended claims, and accompanying drawings where:
A typical embodiment of the invention consists of a web browser core coupled with authentication, security and policy enforcement logic, the means to store and receive policy from an authoritative source, and the means to communicate with an identity or authentication service. An embodiment may also contain the means to communicate encryption key values with a key management or key storing system. In a preferred embodiment of the invention, the embodiment works in conjunction with the application gateway 21, as it is described in patent application 61/402,934, which is incorporated by reference into the present application in its entirety.
A web application is typically comprised of, but not limited to, HTML, HTML5, JavaScript code, VBScript code, Java code, CSS, XML, Plug-ins, or Helper applications, or any combination thereof, served from a web application server 16, to a client browser by communicating across a data network 17. In some cases, the web application may be stored locally on the device hosting the web browser, rather than being served across a data network.
The invention allows for a web application to be run within the context of a browser in such a way that policies related to user-authentication, device-authentication, data storage, data encryption and data communication are enforced, independent of the behavior of the aforementioned web application, and independent of traditional web browser policy enforcement.
In a typical embodiment, the invention is deployed on a user-facing endpoint, such as a mobile phone, tablet, personal computer, laptop or kiosk.
Although the invention is titled a “browser”, in an embodiment, browsing may not be enabled at all; the embodiment may be simply acting as an execution platform for a single web application, or an execution platform for multiple web applications.
In an alternate embodiment, the invention may be employed as a means to affect the aforementioned policy controls on a dynamic application execution environment. The invention requires neither HTML nor Javascript; in an alternate embodiment, the invention can be applied to other computer languages.
Policy-Enforcing Browser
In a typical embodiment, the invention 11 is based on a conventional web browser core 12. In a typical embodiment, the web browser core 12 includes the logic and data structures needed to receive HTML, parse HTML, and translate HTML into data structures 13. In a typical embodiment, the web browser core 12 additionally includes the logic and data structures needed to receive HTML5, parse HTML5, and translate HTML5 into data structures 13. In a typical embodiment, the web browser core 12 further includes the logic and data structures needed to receive JavaScript, parse JavaScript, translate JavaScript into data structures, execute JavaScript, and generate JavaScript 14. In some embodiments, the logic and data structures needed to perform the same or similar functions with alternative markup or programming languages may be substituted or added.
In a typical embodiment, the invention runs under the control of an operating system (OS), on a computing platform. An embodiment of the invention that does not require an OS is an alternative. In a typical embodiment, the computing platform comprises at a minimum random-access memory (RAM), and a central processing unit (CPU). In a typical embodiment, the computing platform has access to a data network 17, access to persistent storage 111, or both. A data network 17 supports the communication of data between two entities, often at a distance. Persistent storage 111 allows for the storage of data, often locally, such that the data survives events that would harm the data, if the data were otherwise stored in RAM. In an embodiment where the OS and computing platform support access to a data network 17, typically the OS presents data communication APIs (application programming interfaces) 18. In an embodiment where the OS and computing platform supports access to persistent storage, typically the OS presents persistent storage APIs 112.
In a possible embodiment of the invention, web-browser plug-ins 19 may also be bound to the web browser core 12. In a possible embodiment plug-ins may have access to browser data structures, OS system calls, libraries, or data resident on the computing platform. In such an embodiment, all policy enforcement described below is extended to any such plug-ins 19; that is, plug-ins 19 are constrained to policy.
Acquisition of Policy
In a typical embodiment, policy is communicated from an application gateway 21 through a data network 22 and stored in RAM and in persistent policy storage (PPS) 24 by the invention. PPS 24 is simply the storage of relevant policy in persistent storage. In a preferred embodiment, the stored policy is secured such that authenticity and integrity are preserved. In an alternate embodiment, confidentiality may be required as well. In an alternate embodiment, policy may be loaded into invention by alternate means, possibly including manual configuration 23. In a preferred embodiment of the invention, policy may be attached as a partial or complete PPS 24 at the time that the invention is linked or otherwise programmatically transformed into the state in which it is to be distributed, preferentially using the invention described in provisional patent application 61/402,934, which application is incorporated by reference into the instant application.
In the preferred embodiment of the invention, the storage policy enforcement unit (SPE) 27, network policy enforcement unit (NPE) 26, and ancillary policy enforcement unit (APE) 25 draw policy to be enforced from the PPS 24, RAM, or both.
As shown in
Domains of Policy Enforcement
In the preferred embodiment, the NPE 15 enforces all policy related to the web application's communication over any data network 17. Any attempt by the web application to communicate over or access the network is allowed, blocked or logged, depending on policy. Note that the invention is not limited to the three actions of allowing, blocking or logging an access or communication; rather these are the policy actions available in the preferred embodiment. In a typical embodiment, the NPE 15 logically stands as a gatekeeper between the web-application logic and the OS-provided data communication APIs 18.
In the preferred embodiment, the SPE 110 enforces all policy related to the web application's storage of data to persistent storage. Any attempt by the web application to write to or read from persistent storage is allowed, blocked or logged, depending on policy. Note that the invention is not limited to the three actions of allowing, blocking or logging an access to storage; rather these are the policy actions available in the preferred embodiment. In a typical embodiment, the SPE 110 logically stands as a gatekeeper between the web-application logic and the OS-provided persistent storage APIs 112.
In the preferred embodiment, the APE 113 performs all policy enforcement not covered by the SPE 110 or NPE 15.
In the preferred embodiment, the APE 113 performs user authentication by use of UI controls 114. In doing so, the APE 113 is able to affect the enforcement of policy related to user authentication. In the preferred embodiment, the APE 113 is also responsible for any device authentication aspects, including but not limited to marshalling (i.e., collecting) device credentials, or responding to challenges related to device authentication.
In the preferred embodiment, the APE 113 performs all policy enforcement related to plug-ins. This includes both the acceptance for launch or allowed use of specific plug-ins, as well as the accesses to network, storage, OS aspects, or compute platform aspects by specific plug-ins.
In the preferred embodiment, the APE 113 performs all policy enforcement related to the web-application's access to web browser cookies, or any other browser-specific stored data, such is stored in HTML5.
In the preferred embodiment, the APE 113 performs all policy enforcement related to shared memory (RAM) access, as well as all policy enforcement related to interprocess-communication (IPC) mechanisms, or communication between threads. The availability of IPC or communication between threads to a web application would typically be a function of the OS and of the web browser core 12.
In the preferred embodiment, where the invention is used to run more than a single web application 31 & 34, the APE 32 enforces all policy related to the interaction between the web applications 31 & 34.
In the preferred embodiment, the logic of the web browser core 12 is also subject to policy enforcement by the SPE 110, NPE 15 and APE 113. In such an embodiment, the policy conformance of the aggregate web application and web browser can be assured.
Method of Integration
In the preferred embodiment, the invention leverages all substitution, linking or binding capabilities described in patent application 61/402,934. In practice, the method of integration with the web browser core 12 typically depends on the OS and the actual web browser core 12 utilized.
In some embodiments, the integration is accomplished by editing the browser core 12 source code, such that the affected source code changes cause the policy enforcement and other related logic to be directly or indirectly invoked.
In some embodiments, the integration is accomplished by link-time insertion of the policy enforcement and other related logic, or by other automated re-writing of source or object code, or symbols.
In some embodiments, the integration is accomplished by augmenting the OS, rather than the browser itself. In such an embodiment, the invention spans the boundary between application (web browser) and OS.
In some embodiments, more than one of the above methods of integration may be employed in implementing the invention. In some embodiments, methods of integration not listed above may be employed.
Although the present invention has been described in considerable detail with reference to certain preferred versions thereof, other versions are possible. Therefore, the spirit and scope of the appended claims should not be limited to the description of the preferred versions contained herein.
This application claims priority to U.S. Provisional Application 61/461,710 filed Jan. 22, 2011, and titled “SYSTEM FOR THE DISTRIBUTION AND DEPLOYMENT OF APPLICATIONS, WITH PROVISIONS FOR SECURITY AND POLICY CONFORMANCE”, which application is incorporated by reference, in its entirety, into the present application. This application claims the benefit of U.S. application Ser. No. 13/226,351, filed on Sep. 6, 2011, and titled “SYSTEM FOR THE DISTRIBUTION AND DEPLOYMENT OF APPLICATIONS, WITH PROVISIONS FOR SECURITY AND POLICY CONFORMANCE, which application is incorporated by reference, in its entirety, into the present application. U.S. application Ser. No. 13/226,351, filed on Sep. 6, 2011, claims priority to U.S. Provisional Application 61/402,934, filed on Sep. 7, 2010.
Number | Name | Date | Kind |
---|---|---|---|
5138712 | Corbin et al. | Aug 1992 | A |
5737416 | Cooper et al. | Apr 1998 | A |
6005935 | Civanlar et al. | Dec 1999 | A |
6035403 | Subbiah et al. | Mar 2000 | A |
6134593 | Alexander et al. | Oct 2000 | A |
6134659 | Sprong et al. | Oct 2000 | A |
6243468 | Pearce et al. | Jun 2001 | B1 |
6260141 | Park | Jul 2001 | B1 |
6460140 | Schoch et al. | Oct 2002 | B1 |
6615191 | Seeley | Sep 2003 | B1 |
6801999 | Venkatesan et al. | Oct 2004 | B1 |
7134016 | Harris | Nov 2006 | B1 |
7949998 | Bleisch et al. | May 2011 | B2 |
20010011254 | Clark | Aug 2001 | A1 |
20010039625 | Ananda | Nov 2001 | A1 |
20010044782 | Hughes et al. | Nov 2001 | A1 |
20010051928 | Brody | Dec 2001 | A1 |
20020073316 | Collins et al. | Jun 2002 | A1 |
20020087883 | Wohlgemuth et al. | Jul 2002 | A1 |
20030135756 | Verma | Jul 2003 | A1 |
20030177351 | Skingle | Sep 2003 | A1 |
20030191823 | Bansal et al. | Oct 2003 | A1 |
20040107368 | Colvin | Jun 2004 | A1 |
20040148525 | Aida et al. | Jul 2004 | A1 |
20040167859 | Mirabella | Aug 2004 | A1 |
20040168061 | Kostal et al. | Aug 2004 | A1 |
20040199766 | Chew et al. | Oct 2004 | A1 |
20040202324 | Yamaguchi et al. | Oct 2004 | A1 |
20050005098 | Michaelis et al. | Jan 2005 | A1 |
20050021992 | Aida et al. | Jan 2005 | A1 |
20050049970 | Sato et al. | Mar 2005 | A1 |
20050091511 | Nave et al. | Apr 2005 | A1 |
20050097348 | Jakubowski et al. | May 2005 | A1 |
20050222958 | Hasegawa et al. | Oct 2005 | A1 |
20060026690 | Yu et al. | Feb 2006 | A1 |
20060069926 | Ginter et al. | Mar 2006 | A1 |
20060123412 | Hunt et al. | Jun 2006 | A1 |
20070157310 | Kondo et al. | Jul 2007 | A1 |
20070174424 | Chen et al. | Jul 2007 | A1 |
20070186112 | Perlin et al. | Aug 2007 | A1 |
20070287471 | Wood | Dec 2007 | A1 |
20080072297 | Lu et al. | Mar 2008 | A1 |
20080134347 | Goyal et al. | Jun 2008 | A1 |
20080148363 | Gilder et al. | Jun 2008 | A1 |
20080267406 | Asokan et al. | Oct 2008 | A1 |
20090055749 | Chatterjee et al. | Feb 2009 | A1 |
20090077637 | Santos et al. | Mar 2009 | A1 |
20090119218 | Ooki | May 2009 | A1 |
20090217367 | Norman et al. | Aug 2009 | A1 |
20090327091 | Hartin et al. | Dec 2009 | A1 |
20100050251 | Speyer et al. | Feb 2010 | A1 |
20100192234 | Sugimoto et al. | Jul 2010 | A1 |
20100228870 | Terry | Sep 2010 | A1 |
20100281537 | Wang et al. | Nov 2010 | A1 |
20100293103 | Nikitin et al. | Nov 2010 | A1 |
20100299376 | Batchu et al. | Nov 2010 | A1 |
20100306668 | Williams, III et al. | Dec 2010 | A1 |
20110138174 | Aciicmez et al. | Jun 2011 | A1 |
20120137281 | Kleiner et al. | May 2012 | A1 |
Entry |
---|
Grier et al., Secure web browsing with the OP web browser, 2008, IEEE. |
Pfeiffer et al., Accessibility for the HTML5 <video> element, 2009, ACM. |
Bartoletti et al., Jalapa: Securing Java with Local Policies, 2009. |
Number | Date | Country | |
---|---|---|---|
61461710 | Jan 2011 | US | |
61402934 | Sep 2010 | US |
Number | Date | Country | |
---|---|---|---|
Parent | 13226351 | Sep 2011 | US |
Child | 13355529 | US |