Modern computers demonstrate their usefulness by the software applications that they run. In the days before extensive networking and the proliferation of the Internet, software applications were typically monolithic, relatively large-scale and independent programs that were designed to do a single general task. Any data generated or obtained within the application was generally confined to that particular application. With the increased interconnectivity brought about by the Internet, larger applications may interact with transitory smaller applications which could exchange data with remote servers or other remote applications, sometimes even without the computer user knowing that this communication interchange is taking place. Such transitory applications typically are executed for a certain amount of time and eventually end either automatically or at the direction of the user. This interconnectivity, along with the existence of more nefarious applications, such as viruses, trojan horses, and the like, exposes computer users to potential loss of data, damaged computers, or even losing money or credit standing through identity theft.
Because of the potential for loss and damage to computers, data, and property, processes and security software have been developed to minimize the potential losses by preventing unsafe applications from either operating or operating successfully. Firewalls attempt to prevent unauthorized access to computer systems; antivirus applications attempt to identify, destroy, and/or quarantine virus programs; and anti-spyware programs attempt to locate and neutralize spyware that may be mining a user's computer for sensitive (or even not so sensitive, but equally personal) data. Thus, a considerable amount of research and technology has been dedicated to preventing unauthorized access to users' computers and disclosure of information located on those computers.
One area that has been addressed for increasing protection and security is in media files. When a file type represents media, such as an image, animation, sound, or the like, users of that file type generally do not expect that opening such files will expose them to any potential harm. These users view such files as containing only media. Users may, thus, develop a habit of opening media files without regard to the trustworthiness of their origin. This lack of suspicion can have great benefits for the free movement of information. However, sophisticated media file types may support embedded scripting commands, and, if a program that opens such files is not carefully written, the commands embedded in such files may perform actions that users would generally not expect or approve. Thus, a program that plays a media file type with embedded scripting commands should take precautions to protect users from unreasonable actions, i.e., such a program should avoid providing any mechanisms by which a creator of a media file can attack the computer or user information with that file. This is an important task for what is known as a “user agent” program. User agents typically render media file types for users.
Another example of a system or application that benefits from more secure transactions is the Web browser. Many modern web browsers offer to store or “remember” certain user information in order to make it easier or more convenient for a user to log into certain of his or her favorite Websites or Web applications. The user IDs and passwords that could be stored or remembered may provide access to data ranging from something as insignificant as a log of jogging times that a user has amassed during various exercise sessions to critical data and control of the user's bank accounts and financial information. As various transitory applications, applets, or services (collectively “applications”) are run on the user's computer, it is critical to make sure that these applications do not access any of the user's sensitive personal information and, more importantly, that they do not send that information to an unauthorized recipient.
Whenever a computer system introduces restrictions on the actions of various applications, whether indirectly, through proxy, such as a user agent program, or directly through the operating system, it is desirable to prevent only those actions that may cause harm to users, and to allow any actions that can never cause harm. This preserves the greatest possible set of capabilities for such applications while keeping the file type safe for users. Producers and users of such applications both typically desire a rich set of capabilities, but users generally demand safe applications. This tension dictates that a good security application should be constructed to permit the maximum set of capabilities without permitting harm to users.
Many computers may contain, or have access to, data that the user considers private. A user may typically wish that this private data not be shared with an anonymous party, such as the author or provider of a particular application, without the user's express consent. This private data may include presence information, names, or contents of files on the computer's local file systems; presence information, names, or contents of files on other computers in a private local network; configuration of the computer and any applications installed on it; personally identifying information about the user; passwords to various computer and non-computer systems; a history of the user's actions; and a considerable number of other forms of private data, or the like.
One type of action that a security system or application would likely prevent is the disclosure of any of the users' private data back to the creator or provider of the application. Such a disclosure becomes a risk whenever the set of embedded commands that the security application supports for any application type includes both the ability to obtain private data from the user or the user's computer, and the ability to send data using a network. An application with both of these capabilities could obtain private data from the user or the user's computer and then use a network to send that private data back to the creator or provider of that application. One tension that a security application or system may resolve is that, on one hand, it may be useful for some applications to be able to obtain private data from the user or the user's computer, and also useful for some applications to be able to send data using a network; but that, on the other hand, it may be dangerous to permit a single application to perform both of these actions.
One technology that has been used to secure data from unauthorized disclosure is referred to as “tainting.” Tainting, in general, is the process of tagging or marking the origin of every single piece of data that comes into the computer system and preventing certain of that data from flowing out of the system. A tainting security application or system checks each of the tags or marks on each piece of data and determines which of those pieces of data may be accessed, transmitted, or otherwise operated on. Tainting, while allowing a flexible security system, is extremely complex and problematic. Problems arise because the tag or mark should be preserved throughout the life of that data, whether the data is modified, copied, sent through some application programming interface (API), or otherwise changed or processed in any manner. If the tag or mark is not preserved, then it would be very easy to defeat the tainting security system simply by copying or only slightly modifying the information. The problem with this is that it is very difficult to implement correctly. The complexity of monitoring each piece of data throughout its life and attempting to preserve all of the tainting tags and marks makes it very easy to introduce bugs or flaws into a system that already has tainting built into it. The complexity also makes it very difficult for programmers to understand, because the tainting system can produce very baffling failures that are difficult to reproduce, since everything depends on a very sensitive set of conditions.
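As an added illustration, not taken from the original text, of the two approaches just described: the mutual-exclusion policy of the preceding paragraph (an application may obtain private data or send on the network, never both) beside a minimal origin-tagging scheme whose tag survives only through operations written to propagate it. All class and function names here are constructed for the example.

```python
from dataclasses import dataclass
from enum import Flag, auto


class Capability(Flag):
    """Capabilities an embedded-script application may request (constructed)."""
    NONE = 0
    READ_PRIVATE = auto()   # files, passwords, history on the user's computer
    NETWORK_SEND = auto()   # transmit data to a remote host


class PolicyError(Exception):
    pass


def grant(requested: Capability) -> Capability:
    """Mutual-exclusion policy: either capability alone is harmless, but the
    pair would let one application read private data and exfiltrate it."""
    if Capability.READ_PRIVATE in requested and Capability.NETWORK_SEND in requested:
        raise PolicyError("READ_PRIVATE and NETWORK_SEND may not be held together")
    return requested


@dataclass
class Tainted:
    """A value carrying an origin tag (the tainting approach). The tag is kept
    only by operations that were explicitly written to propagate it."""
    value: str
    origin: str

    def upper(self) -> "Tainted":  # propagating operation: tag preserved
        return Tainted(self.value.upper(), self.origin)


def network_send(data) -> bool:
    """Taint-checking sink: returns False (refused) for data still tagged
    private, True (would transmit) otherwise. A plain str carries no tag."""
    if isinstance(data, Tainted) and data.origin == "private":
        return False
    return True


def taint_escape_demo() -> tuple:
    secret = Tainted("hunter2", "private")          # constructed sample value
    blocked = network_send(secret)                  # tag intact: refused
    still_blocked = network_send(secret.upper())    # propagating op: refused
    # One untracked API (plain str concatenation) drops the tag, and the sink
    # can no longer tell that the copy originated from private data.
    leaked = network_send("x" + secret.value)
    return blocked, still_blocked, leaked
```

The last result is the fragility the text describes: every copy or transformation path must propagate the tag, whereas the capability check needs only a single decision at grant time.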