1 Field of Invention
The present invention relates to flexibly altering computer software component behavior according to condition dependent rules.
2 Background of Invention
For various reasons, such as reduction in complexity and failure isolation, computer systems are usually created as stacked layers of services, where a service provides functionality either to other (client) services or to client software components through an interface. Generally, when a request is made to a service through its interface, the particular behavior of the service is determined by the specific function called and the invocation arguments passed to the service. When the service completes, a result is generally returned to the requesting software component (either the result of the service behavior or a status code).
One advantage of the “stacked services” structure of computer systems is that service implementation may change without any change in the service's clients, as long as the service interface is unchanged. This technique is described in Boehm, B. “Managing Software Productivity and Reuse,” IEEE Computer, September 1999, 32(9): 111-113. One approach to changing service behavior is intercepting system service requests and redirecting or otherwise modifying the handling of the request. Interception is useful if changes need to be made in the implementation of an existing service.
Interception of system service requests has been applied for various purposes, since, at least, the Virtual Machine concept of the mid-1960s. Interception is discussed, for example, in Deutsch, P. and Grant, C. A., “A Flexible Measurement Tool for Software Systems,” Information Processing (Proceedings of the IFIP Congress), 1971, pp 320-326 (“Deutsch”), and in Goldberg, R. P., “Survey of Virtual Machine Research,” IEEE Computer, June 1974, 7(6): 34-45 (“Goldberg”). In general, there are three categories in which interception is typically applied: Virtual Machines, Access Control and Functionality Enhancement.
A Virtual Machine is a hardware-supported use of “alternate data, same code” semantics. Interception can be used to determine, for the purposes of virtualization, on which set of data the system will operate. This technique is described in Goldberg, in U.S. Pat. No. 5,761,477, entitled “Methods for Safe and Efficient Implementations of Virtual Machines,” and in U.S. Pat. No. 5,915,085, entitled “Multiple Resource or Security Contexts in a Multithreaded Application.”
Access Control is a security mechanism that either gives original semantics or failure (access denied) semantics. The decision of whether to permit or deny access is rule based, and can depend on runtime variables or any previous behavior. Interception can be used to query an access-control mechanism upon a service request to determine whether or not the specified operation is actually to be performed. Access Control is discussed in U.S. Pat. No. 5,263,147 entitled “System for Providing High Security for Personal Computers and Workstations,” in U.S. Pat. No. 5,845,129 entitled “Protection Domains in a Single Address Space,” and in U.S. Pat. No. 5,918,018, entitled “System and Method for Achieving Network Separation.”
Functionality Enhancement involves modifying a specific service to provide enhanced functionality, e.g., providing crash protection by intercepting memory violations and changing the response in a fixed way, changing disk operations to compress data, encrypting and decrypting network data, etc. Interception can be selectively used to change behavior of certain service operations. Specific examples of Functionality Enhancement are described in U.S. Pat. No. 5,828,893 entitled “System and Method of Communicating between Trusted and Untrusted Computers,” and in U.S. Pat. No. 5,913,024 entitled “Secure Server Utilizing Separate Protocol Stacks.”
Virtual Machines, Access Control and Functionality Enhancement are all useful, but each technique is limited. Virtual machines allow the same code to be executed utilizing different data, but do not allow the execution of different code. Furthermore, Virtual Machines are not dynamic. Although multiple computers are simulated by the use of alternative data sets, Virtual Machines cannot adjust the behavior of the code based upon historical or other conditions. Additionally, Virtual Machines cannot make rule based decisions in real-time as to which data set to use based upon current conditions.
Access Control allows a rule based access decision to be made in real-time, but does not allow any functionality beyond permitting or denying the access request. Access Control cannot allow the access on alternate data or simulate the access without actually permitting it. Furthermore, Access Control cannot implement alternative code on the target or alternative data, based upon the current conditions. Access Control merely allows called code to access targeted data, or prevents the called code from executing altogether.
Functionality Enhancement only enables alternative code to execute when specific service requests are made. This technique is useful, but like Virtual Machines, Functionality Enhancement is not dynamic. Alternative code accesses requested target data, but known Functionality Enhancement does not enable accessing alternative data, or making rule based decisions in real-time as to which code to execute, or as to what data or other resources to permit access.
Changing operation semantics (system service behavior) based on a set of rules is desirable, as it would be beneficial to flexibly allow one mechanism to be utilized for various purposes through simple rule changes. Access Control, while rule based, does not fully deliver this capability, as it either allows or disallows requested operations, but does not support the concept of otherwise changing their behavior, e.g., by doing something other than requested. Previous attempts at flexible behavior modification (e.g., the work described in Badger, L. et al., “Hardening COTS software with Generic Software Wrappers,” Proceedings of 1999 IEEE Symposium on Security and Privacy, May 1999, pp 2-16) only mediate a limited set of services (e.g., system calls) and constrain the mediation structure to a set of independent system call wrappers.
What is needed is a methodology that combines the rule-based characteristics of Access Control, where decisions on how to respond to service requests are made at run-time (potentially based on arbitrarily complex computation on the service arguments and previous execution history), with both the alternate data set manipulation of Virtual Machines and the alternate service implementation of Functionality Enhancement.
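As an added illustration that is not part of this specification or of the prior art cited above, the following C program shows, at a single in-process interception point of the kind described in the preceding paragraphs, the combination called for here: every request to a hypothetical open_file service passes through intercept_open, where an ordered rule table, evaluated on the invocation arguments and on an execution history, selects at run time between original semantics, denial (Access Control), the same code on alternate data (Virtual Machine), or an alternate implementation on the same data (Functionality Enhancement). All function names, paths, rules and the history structure are hypothetical; the mock service returns a descriptive string in place of a real file handle so that the chosen behavior is visible.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of rule evaluation: the behaviors contrasted in the text. */
typedef enum {
    ACT_ORIGINAL,   /* original semantics (pass the request through)       */
    ACT_DENY,       /* Access Control: failure (access denied) semantics    */
    ACT_ALT_DATA,   /* Virtual Machine: same code, alternate data           */
    ACT_ALT_CODE    /* Functionality Enhancement: alternate implementation  */
} action_t;

/* Execution history the rules may consult (hypothetical, kept per caller). */
typedef struct {
    int requests_seen;
    int denials;
} history_t;

/* The intercepted request: a hypothetical open_file(path, mode) service. */
typedef struct {
    const char *path;
    const char *mode;
} request_t;

typedef struct {
    const char *name;
    bool (*matches)(const request_t *r, const history_t *h);
    action_t action;
    const char *alt_path;   /* only used by ACT_ALT_DATA */
} rule_t;

/* Original service implementation (stands in for the real system service). */
static int service_open(const request_t *r, char *out, size_t n)
{
    snprintf(out, n, "orig:%s:%s", r->path, r->mode);
    return 0;
}

/* Alternate implementation selected by ACT_ALT_CODE. */
static int service_open_sandboxed(const request_t *r, char *out, size_t n)
{
    snprintf(out, n, "sandbox:%s:%s", r->path, r->mode);
    return 0;
}

/* Rule predicates see the arguments and the history, not just the call name. */
static bool writes_under_etc(const request_t *r, const history_t *h)
{
    (void)h;
    return strncmp(r->path, "/etc/", 5) == 0 && strchr(r->mode, 'w') != NULL;
}

static bool reads_passwd(const request_t *r, const history_t *h)
{
    (void)h;
    return strcmp(r->path, "/etc/passwd") == 0 && strchr(r->mode, 'r') != NULL;
}

/* History-dependent rule: after the first three requests, /tmp is sandboxed. */
static bool tmp_after_three_requests(const request_t *r, const history_t *h)
{
    return strncmp(r->path, "/tmp/", 5) == 0 && h->requests_seen > 3;
}

/* Ordered rule table; the first matching rule decides. Entries are hypothetical. */
static const rule_t rules[] = {
    { "deny-etc-write", writes_under_etc,         ACT_DENY,     NULL },
    { "jail-passwd",    reads_passwd,             ACT_ALT_DATA, "/var/jail/passwd" },
    { "sandbox-tmp",    tmp_after_three_requests, ACT_ALT_CODE, NULL },
};

/* Single interception point: every request passes through here. Returns the
 * service status (0 success, -1 failure) and describes what ran in `out`. */
int intercept_open(history_t *h, const char *path, const char *mode,
                   char *out, size_t n)
{
    request_t r = { path, mode };
    h->requests_seen++;

    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        const rule_t *rule = &rules[i];
        if (!rule->matches(&r, h))
            continue;
        switch (rule->action) {
        case ACT_ORIGINAL:
            return service_open(&r, out, n);
        case ACT_DENY:
            h->denials++;
            snprintf(out, n, "denied:%s", rule->name);
            return -1;
        case ACT_ALT_DATA: {
            request_t alt = { rule->alt_path, mode };   /* same code, other data */
            return service_open(&alt, out, n);
        }
        case ACT_ALT_CODE:
            return service_open_sandboxed(&r, out, n);  /* other code, same data */
        }
    }
    return service_open(&r, out, n);   /* no rule matched: original semantics */
}

int main(void)
{
    history_t h = { 0, 0 };
    char buf[128];
    /* Constructed request sequence; the last /tmp request is the fourth overall. */
    const char *calls[][2] = { {"/tmp/a", "r"}, {"/etc/hosts", "w"},
                               {"/etc/passwd", "r"}, {"/tmp/a", "r"} };
    for (size_t i = 0; i < sizeof calls / sizeof calls[0]; i++) {
        int rc = intercept_open(&h, calls[i][0], calls[i][1], buf, sizeof buf);
        printf("%s %s -> rc=%d %s\n", calls[i][0], calls[i][1], rc, buf);
    }
    return 0;
}
```

In a deployed system the interception point would be a system call hook or library interposition rather than a direct function call, and the history would live in kernel or shared state; the dispatch structure, one mediation point whose outcome is chosen by rules over arguments and history, is unchanged. Note that the fourth request is identical to the first and yet is handled by different code, which is the history-dependent behavior that the text states Access Control and Functionality Enhancement alone cannot provide.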