A conventional interfaced software object provides software services, such as methods or properties, which are accessed by one or more interfaces. A method is typically a function or procedure that performs a specific action and is called via a corresponding interface. A property is typically information or data and is also called via a corresponding interface. Objects are commonly implemented in a server that, for example, may be a dynamic link library utilized by a software program or may be an entirely separate executable process.
The creation of and interaction between software objects can pose security risks to a user's computer system. In general, the security risks arise because the object definitions from which objects are created or instantiated sometimes are created by other users who are unknown and potentially untrusted. Some objects can cause damage to or improperly disclose information on a user's computer system. This damage or disclosure of information could arise as a result of either an unintentional error in the corresponding object definition or an intentional or malicious "Trojan horse," virus or other program.
More specifically, the risk arises because an object would conventionally be run on computer system with the full rights and permissions of its user. The danger is that running an instance of the object created by one user, who is potentially unknown and untrusted, with the permissions of another user on his or her computer system could allow the object to cause damage to or improperly disclose information from the computer system. Typically such an object would seek to access properties or methods of another object (i.e., a target object) on the user's computer system. The damage or disclosure of information could arise as a result of the accessing object being permitted free access to all the properties and methods on the target object. Such access could be in the form of read, write, execute or add operations that are performed by the accessing object on a service of the target object.
According to the present invention, a security mechanism addresses such system security risks by imposing conditions on the accessing of targets by accessing object instances according to attributes of the accessing object and the target object. One security feature is that an owner identifier incorporated into objects. The owner identifier includes identification of the user, person, or entity (e.g., corporation) who or that creates the object, or identification of a computer system used by the user, person, or entity to create the object definition. The owner identifier provides a basis for distinguishing the creator of an object from the user of that object. This distinction allows instances of objects created by others to be given fewer access permissions or rights than the user implementing the object.
Another security feature is a set of access authorizations that allow different access rights to be made available to different object creators. In one implementation the access authorizations are All, Owner, and Exemplar. Object services or targets with the access authorization All indicate that all objects, regardless of their Owner, may perform access operations on the targets. However, the operations that can be performed with this access authorization could be limited to read and execute operations. Targets with the access authorization Owner indicate that only the owner of the target instance may access it. Object services with the access authorization Exemplar relate to an implementation utilizing hierarchical relationships between objects, as described below. This access authorization indicates that only services defined on the same exemplar as the target instance may access those targets. In this implementation, the Exemplar access authorization is the most restrictive and the All access authorization is the least restrictive.
These security features provide various security levels by which objects from trusted and secure sources can have extensive access to a user's computer system resources while objects from unknown or untrusted sources have only limited, relatively safe access rights. Such versatility allows a user to utilize safely objects from a wide variety of sources. This may be referred to as inter-object security.
Moreover, these security features are applicable to objects operating within a single computer system or in a client-server context in which objects and object components are transmitted between a client computer and a separate server computer. Another security feature applicable to such a context is the treatment of unverified client communications to the server as being from an unknown or untrusted source.
The Exemplar access authorization relates to an implementation utilizing objects having hierarchical relationships and inheritance characteristics. Conventional objects include the characteristic of interface inheritance in which the definitions of the methods that an interface supports may be inherited by another interface. The interfaces may be of different objects that may or may not be of the same class of objects. An object supporting an inherited interface can be treated like the object from which the interface is inherited. Such objects may be implemented by or in accordance with many object-oriented programming tools or models including, for example, the component object model (COM).
An interface of an object may not be changed once the design and implementation of the interface is complete and the object is established, distributed, or promulgated for general run-time use. Adding new services to or modifying existing services in such an object requires that a new interface be defined in a design-time operation. The new interface would then be distributed or promulgated for general run-time use. The new interface may inherit services from an existing interface, but the new interface remains distinct and has a unique identifier. Despite interface inheritance, therefore, interfaces remain static once they have been established, distributed, or promulgated for use at run-time.
While providing stability and predictability in the use of objects, the static nature of object services at run-time limits the flexibility of objects. In some applications the lack of flexibility in object definitions can pose an undesirable limitation. An example of such an application is an interactive virtual world environment that represents a real or imaginary place using graphic and audio data for presenting the place to a computer user and allowing the user to interact with it.
Objects with conventional static interfaces can be used to provide users of a virtual world environment with a predefined environment with which the user can interact. A disadvantage with objects having conventional static interfaces in such an environment is that changes to the environment cannot be made at run-time. Changes must be made by adding interfaces in a design-time operation. This restricts the level of interaction or control that users can have with or over the environment.
In one implementation of this invention, object services like methods or properties are provided to or inherited by objects dynamically during run-time. This dynamic inheritance may be provided within the context of an object model, such as the Component Object Model, that supports only design-time interface inheritance. As applied in a virtual world environment, for example, dynamic inheritance can provide users with increased levels of interaction or control.
In a method of providing dynamic inheritance, hierarchical relationships are defined between multiple objects such that each object references or is referenced by another object. One of the objects is a root object, or exemplar, that is referenced by at least one other object but that does not reference another object. A call is made for a particular service (e.g., a method or property) at a selected object. The service is provided directly from the object whenever the service is available therefrom.
Whenever the selected service is unavailable at the selected object, the call is passed to a referenced object (i.e., an object that is referenced by the selected object). The service is provided directly from the referenced whenever the service is available therefrom or the call is passed to yet another referenced object until the service can be provided. The call may be passed to multiple successive referenced objects until the call reaches the root object, which either provides the service or the service is deemed unavailable.
While inter-object security protects an object from other objects, these security features further provide intra-object security by also protecting an object from itself and its exemplars. Another security feature is that exemplar identifiers are also encoded into properties and methods in which the properties and methods are defined. Since exemplars may be authored by anyone and may be changed at run time, these security features insure that inheritance from exemplars of questionable lineage is safe. These security features prevent an exemplar in the hierarchy for an object or object instance from damaging the instance data. Conversely, an instance cannot access exemplar only properties.
Additional objects and advantages of the present invention will be apparent from the detailed description of the preferred embodiment thereof, which proceeds with reference to the accompanying drawings.