1. Technical Field
The present invention relates generally to secure software execution in a data processing system. Specifically, the present invention is directed to a method of ensuring that applications executed in the data processing system originate only from trusted sources.
2. Description of the Related Art
One of the primary tasks for an operating system or run-time environment is to maintain the security and stability of the computer system. Ideally, an operating system or run-time environment should ensure that only “safe” applications that can be proven not to jeopardize the security and stability of the system will be allowed to execute. The unfortunate truth, as computer scientists and mathematicians in the field of computability theory have known for many years, is that it is very difficult—and in many cases impossible—to definitively predict in advance whether a given program is “safe.” For this reason, a more practical solution is to allow only applications that are believed to be safe to execute.
This “belief” can be established in two basic ways. One is by inspecting the code itself to detect certain indicators of safety problems. This is the approach taken by virus scanning software, which scans for signatures of known viruses. This technique is also employed in the JAVA Virtual Machine bytecode verification scheme, which looks for patterns indicative of unsafe or corrupted code. JAVA is an object-oriented programming language and runtime environment specification developed by Sun Microsystems, Inc. of Santa Clara, Calif.
The other way is to allow only “trusted” applications to execute—that is, applications that come from a trusted source. The JAVA Virtual Machine supports this second method as well, as JAVA allows a developer to affix a digital signature to JAVA code, which can be verified by the JAVA Virtual Machine at runtime. The JAVA Virtual Machine can be configured to allow only JAVA code that has been digitally signed by a trusted source to perform certain security-sensitive operations.
Because JAVA bytecode executes in a virtual machine, the virtual machine can make runtime determinations about the potential security risks associated with a given operation “on the fly” at the time the potentially harmful bytecodes are about to be executed. While this ability is advantageous, the additional complexity and computational overhead imposed by using a virtual machine is disadvantageous in some applications. Further, because a virtual machine is software, it must store its cryptographic keys (which it uses for verifying digital signatures) in software-accessible storage. The fact that the keys are stored in this way means that they are subject to modification or replacement like any other data. It is therefore possible to circumvent the security restrictions imposed by the JAVA virtual machine by simply modifying the stored set of keys.
What is needed, therefore, is an efficient, yet highly secure method of ensuring that only trusted code is executed in a computer system. The present invention provides a solution to this and other problems, and offers other advantages over previous solutions.