1. Field of the Invention
The present invention relates to a computer program product, system, and method for providing a declaration of security requirements to a security program to use to control application operations.
2. Description of the Related Art
Security software programs, such as anti-virus and firewall programs, are designed to detect and prevent the execution of malicious software (malware), including viruses, and access by unauthorized users, such as hackers. One type of anti-virus program searches for known patterns of data within executable code that matches code or a slight variation of code included in a signature file including known malicious code. The anti-virus program determines whether subject code being inspected matches or is a slight variation of malicious code included in the signature file. Anti-virus programs employing this signature-based approach may not be able to identify new viruses not indicated in the signature file. Another type of antivirus software determines whether the actions and behavior of code indicates malicious behavior as indicated in a behavior signature file. The behavior monitoring approach may not detect new patterns of behavior by more recent viruses and legitimate software may exhibit the same behavior as malware, such as downloading and uploading files, reading the registry accessing system paths, etc. Further, behavior based approaches may only detect the malevolent software after the actions have been performed.
Security programs that monitor application behavior, such as attempts to write to or access the registry file, specific ports may block activity and then query the user through a graphical user interface (GUI) to indicate whether a requested action by an application is authorized. This user query approach depends on the computer knowledge of the user. Many computer users lack the knowledge to provide an informed decision on whether to allow actions to proceed, and the impact of their decision on the computer security and application performance.
There is a need in the art for improved techniques for detecting and stopping malicious code and unauthorized users from accessing computer resources.
Provided are a computer program product, system, and method for providing a declaration of security requirements to a security program to use to control application operations. The application communicates to the security program a declaration of security requirements indicating application actions designated to be performed with respect to resources in the computer system. The application is executed to perform application operations in response to communicating the declaration of security requirements to the security program. During the execution of the application, the actions are performed with respect to the resources at the computer system indicated in the declaration of security requirements.
Described embodiments provide techniques for an application program to provide to a security program a declaration of security requirements that the security program uses during application execution to determine which application actions to permit, where the permitted actions with respect to certain computer resources comprise those actions designated in the declaration. The application may provide the declaration of security requirements as part of an installation, application update or at other points during application execution. Further, the declaration of security requirements may specify different actions permitted to the application and its components at different lifecycle stages of the application, such as installation, normal operations, and updates.
The memory 6 further includes a security program 20, which comprises a computer program that provides firewall, antivirus, and other protection against malware and intruders by monitoring the operations of installed applications 12 and determining whether to allow their actions to proceed. The security program 20 is designed to block unauthorized access while permitting authorized communications or application program actions based upon a set of rules and other criteria. Although the security program 20 is shown in
When an application 12 is installed, the application developer provides an installation package 32 including an installation routine 22, application installation programs 24, and a declaration of security requirements 26. The installation routine 22, which may be in the form of an installation wizard, is invoked by the user to install the application installation programs 24 in the computer system 2 to provide the installed application 12. The installation routine 22 provides to the security program 20 a declaration of security requirements 26 which provides a set of actions and/or resources the application 12 will access at different life cycles of the application 12, such as during an installation mode, normal operation mode, and update mode. The security program 20 uses the declaration of security requirements 26 to determine whether to allow specific application 12 attempts to perform actions and access resources during different operation modes based on what is permitted in the declaration 26 and whether to allow the application to switch between different modes of operation. The security program 20 maintains application mode permissions 28 indicating which types of actions/resources the application 12 may access based on the operation mode in which the application 12 is running, such as installation mode, normal operations mode, and update mode.
At certain instances, not all the programs may be present in memory 6. For instance, the installation routine 22 and application installation programs 24 may be maintained in memory 6 during installation, but removed thereafter, and the update routine 36 may be maintained in memory 6 during the update following the installation, but then removed after the update completes. Thus, different components of the application 12 may be maintained in the memory 6 during different life cycle stages of the application 12. Further programs and their components may be swapped between the memory 6 and a storage device coupled to the computer 2.
Although only one application 12 and declaration of security requirements 26 are shown, there may be multiple applications 12 installed on the computer system 2, through application 12 specific installation routines 22 and application installation programs 24, and for multiple of the installed applications 12 a declaration of security requirements 26 specifically designed for the application specific operations.
The application distributor computer 30 is a computer operated on behalf of the application developer to distribute programs related to the application 12. The application distributor computer 30 maintains information and programs for the application 12 installed on the computer system 2, such as an installation package 32 providing program components to install the application 12 and an update package 34 providing programs components to update an already installed application 12. The installation package 32 may include the above discussed installation routine 22, application installation programs 24, and declaration of security requirements 26 used to provide a full installation of the application 12. The update package 34 provides an update routine 36 to update an already installed application 12 with update installation programs 38 and to optionally update or replace the updated declaration of security requirements 40 to update the actions/resources permitted to the application 12 based on the program updates that may change the actions/resources the application 12 is designed to access in the computer system 2. The update routine 36, update installation programs 38, and updated declaration 40 may be loaded into the memory 6 of the computer system 2 in the same manner as the installation related items 22, 24, and 26.
In certain embodiments, the installation package 32 and update package 34 may be distributed to the computer system 2 over the network 18. In a further embodiment, the installation 32 and update 34 packages may be record on a portable storage media, such as a CD ROM, DVD, USB flash drive, etc., to provide to the user of the computer system 2 to load into the computer system 2.
The declaration instance 50 may specify both an action 52 and the object of that action 54. Alternatively, the instance 50 may specify only one of an action 52 or resource 54. If both an action 52 and resource are specified 54, then the application 12 is only permitted to perform that action 52 with respect to that resource 54. If only the action 52 is specified in the instance 50, then the application 12 may invoke that action 52 with respect to any resource. If only the resource 54 is specified, then the application 12 may invoke any action with respect to that resource 54. Further, the entry 50 in the declaration 26 may specify an action to be permitted and an action to be blocked. The instance 50 may specify that an action 54 and/or resource 56 as associated with one or more operation modes 52, to only allow the action 54 and/or resource 56 pair to be performed during the associated at least one operation mode. Alternatively, the instance 50 may not specify an operation mode 52 to indicate the action 52 and/or resource 54 pair may be performed during any operation mode. Further, the declaration instance 50 may further indicate whether to allow the application 12 to switch between different operation modes 52. If the application 12 is not permitted to automatically switch, then the security program 20 may request approval from the computer user to allow the application to change the operation mode.
Although
From blocks 306 or 310, if (at block 312) third party logging is requested, then the security program 20 logs the result of whether requested action is permitted or blocked indicate the requested resource to which access was denied or allowed, e.g., port, registry entry, etc., in the log. Further, the logged information may indicate the security requirement 50 in the declaration 26 that resulted in a requested action from being blocked. The third party reporting info 80 may indicate whether to log application 12 requested actions and the result of those requests. Further, the security program 20 may forward via email, text, etc., the results of the logging to a requested third party or the computer user. The computer user may specify a third party to receive the results of logging. The third party may or user may use the logged results to determine whether there are any problems with the declaration in not permitting or blocking certain actions. Further, the forwarded logged results may be used to assist the user in determining how to respond to requests by the security program 20 on whether certain actions should be allowed or blocked. The third party specified for being forwarded the log may comprise a trusted evaluator.
Described embodiments concern an application interacting with a security program to provide the security program with a declaration of actions the application will perform, so that the security program may permit those authorized actions for operation modes indicated in the declaration. Actions not specified for operation modes by the declaration may be denied under the assumption that because they were not specified by the application developer, they may comprise unauthorized actions with malicious results.
The described operations may be implemented as a method, apparatus or computer program product using standard programming and/or engineering techniques to produce software, firmware, hardware, or any combination thereof. Accordingly, aspects of the embodiments may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module” or “system.” Furthermore, aspects of the embodiments may take the form of a computer program product embodied in one or more computer readable medium(s) having computer readable program code embodied thereon.
Any combination of one or more computer readable medium(s) may be utilized. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the “C” programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
Aspects of the present invention are described above with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer readable medium that can direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions stored in the computer readable medium produce an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.
The computer program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
The terms “an embodiment”, “embodiment”, “embodiments”, “the embodiment”, “the embodiments”, “one or more embodiments”, “some embodiments”, and “one embodiment” mean “one or more (but not all) embodiments of the present invention(s)” unless expressly specified otherwise.
The terms “including”, “comprising”, “having” and variations thereof mean “including but not limited to”, unless expressly specified otherwise.
The enumerated listing of items does not imply that any or all of the items are mutually exclusive, unless expressly specified otherwise.
The terms “a”, “an” and “the” mean “one or more”, unless expressly specified otherwise.
Devices that are in communication with each other need not be in continuous communication with each other, unless expressly specified otherwise. In addition, devices that are in communication with each other may communicate directly or indirectly through one or more intermediaries.
A description of an embodiment with several components in communication with each other does not imply that all such components are required. On the contrary a variety of optional components are described to illustrate the wide variety of possible embodiments of the present invention.
Further, although process steps, method steps, algorithms or the like may be described in a sequential order, such processes, methods and algorithms may be configured to work in alternate orders. In other words, any sequence or order of steps that may be described does not necessarily indicate a requirement that the steps be performed in that order. The steps of processes described herein may be performed in any order practical. Further, some steps may be performed simultaneously.
When a single device or article is described herein, it will be readily apparent that more than one device/article (whether or not they cooperate) may be used in place of a single device/article. Similarly, where more than one device or article is described herein (whether or not they cooperate), it will be readily apparent that a single device/article may be used in place of the more than one device or article or a different number of devices/articles may be used instead of the shown number of devices or programs. The functionality and/or the features of a device may be alternatively embodied by one or more other devices which are not explicitly described as having such functionality/features. Thus, other embodiments of the present invention need not include the device itself.
The illustrated operations of
Bus 408 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, and not limitation, such architectures include Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, Enhanced ISA (EISA) bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnects (PCI) bus.
Computer system/server 400 typically includes a variety of computer system readable media. Such media may be any available media that is accessible by computer system/server 400, and it includes both volatile and non-volatile media, removable and non-removable media.
System memory 406 can include computer system readable media in the form of volatile memory, such as random access memory (RAM) 410 and/or cache memory 412. Computer system/server 400 may further include other removable/non-removable, volatile/non-volatile computer system storage media. By way of example only, storage system 413 can be provided for reading from and writing to a non-removable, non-volatile magnetic media (not shown and typically called a “hard drive”). Although not shown, a magnetic disk drive for reading from and writing to a removable, non-volatile magnetic disk (e.g., a “floppy disk”), and an optical disk drive for reading from or writing to a removable, non-volatile optical disk such as a CD-ROM, DVD-ROM or other optical media can be provided. In such instances, each can be connected to bus 408 by one or more data media interfaces. As will be further depicted and described below, memory 406 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the invention.
Program/utility 414, having a set (at least one) of program modules 416, may be stored in memory 406 by way of example, and not limitation, as well as an operating system, one or more application programs, other program modules, and program data. Each of the operating system, one or more application programs, other program modules, and program data or some combination thereof, may include an implementation of a networking environment. Program modules 416 generally carry out the functions and/or methodologies of embodiments of the invention as described herein.
Computer system/server 400 may also communicate with one or more external devices 418 such as a keyboard, a pointing device, a display 420, etc.; one or more devices that enable a user to interact with computer system/server 400; and/or any devices (e.g., network card, modem, etc.) that enable computer system/server 400 to communicate with one or more other computing devices. Such communication can occur via Input/Output (I/O) interfaces 422. Still yet, computer system/server 400 can communicate with one or more networks such as a local area network (LAN), a general wide area network (WAN), and/or a public network (e.g., the Internet) via network adapter 424. As depicted, network adapter 424 communicates with the other components of computer system/server 400 via bus 408. It should be understood that although not shown, other hardware and/or software components could be used in conjunction with computer system/server 400. Examples, include, but are not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data archival storage systems, etc.
The foregoing description of various embodiments of the invention has been presented for the purposes of illustration and description. It is not intended to be exhaustive or to limit the invention to the precise form disclosed. Many modifications and variations are possible in light of the above teaching. It is intended that the scope of the invention be limited not by this detailed description, but rather by the claims appended hereto. The above specification, examples and data provide a complete description of the manufacture and use of the composition of the invention. Since many embodiments of the invention can be made without departing from the spirit and scope of the invention, the invention resides in the claims herein after appended.